[Senate Hearing 118-226]
[From the U.S. Government Publishing Office]


                                                          S. Hrg. 118-226

                     THE CYBER SAFETY REVIEW BOARD:
             EXPECTATIONS, OUTCOMES, AND ENDURING QUESTIONS

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS


                             SECOND SESSION

                               __________

                            JANUARY 17, 2024

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
54-719 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------  

        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut      JOSH HAWLEY, Missouri
LAPHONZA BUTLER, California          ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
            Lena C. Chang, Director of Governmental Affairs
         Jeffrey D. Rothblum, Senior Professional Staff Member
              Emily A. Ferguson, Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Ashley A. Gonzalez, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Hassan...............................................     9
    Senator Blumenthal...........................................    12
    Senator Hawley...............................................    15
    Senator Rosen................................................    18
Prepared statements:
    Senator Peters...............................................    23

                               WITNESSES
                      WEDNESDAY, JANUARY 17, 2024

Tarah M. Wheeler, Chief Executive Officer, Red Queen Dynamics....     2
John Miller, Senior Vice President of Policy, Trust, Data, and 
  Technology, and General Counsel, Information Technology 
  Industry Council...............................................     4
Trey Herr, Ph.D., Director, Cyber Statecraft Initiative, Atlantic 
  Council........................................................     6

                     Alphabetical List of Witnesses

Herr, Ph.D., Trey:
    Testimony....................................................     6
    Prepared statement...........................................    43
Miller, John:
    Testimony....................................................     4
    Prepared statement...........................................    30
Wheeler, Tarah:
    Testimony....................................................     2
    Prepared statement...........................................    24

                                APPENDIX

The Business Insider chatbot submitted by Senator Hawley.........    55
The New York Times chatbot submitted by Senator Hawley...........    56

 
                     THE CYBER SAFETY REVIEW BOARD:
             EXPECTATIONS, OUTCOMES, AND ENDURING QUESTIONS

                              ----------                              


                      WEDNESDAY, JANUARY 17, 2024

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-562, Senate Dirksen Building, Hon. Gary Peters, Chair of the 
Committee, presiding.
    Present: Senators Peters [presiding], Hassan, Rosen, 
Blumenthal, Ossoff, Scott, and Hawley.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 23.
---------------------------------------------------------------------------
    Our country's cybersecurity is tested every day. Foreign 
adversaries and cyber criminals pose a constant threat to 
American businesses, government agencies, and our national 
security. As these attacks become more sophisticated, we must 
work to strengthen our cybersecurity infrastructure and protect 
our nation from the threats posed by these breaches.
    In May 2021, President Biden took an important step in that 
mission by establishing the Cyber Safety Review Board (CSRB), 
for short. Just as the National Transportation Safety Board 
(NTSB) responds to plane, car, and rail accidents, the CSRB is 
expected to respond to cybersecurity intrusions.
    It was established to investigate breaches in America's 
cybersecurity infrastructure and identify how we can prevent 
similar threats down the road.
    So far, this Board has completed two reviews. The first 
focused on the Log4j vulnerability in widely used open-source 
software that is employed around the world. The second review 
centered on a group of cyber criminals bent on extorting well-
known businesses and government agencies. In each case, the 
CSRB made multiple recommendations to Federal agencies and the 
private sector that will help neutralize similar threats in the 
future.
    The Board is now in the midst of its third review, focused 
on improving the safety and security of cloud computing 
systems.
    Although the CSRB is fairly new and has begun to help 
combat serious cyber threats, there is clearly more it can do 
to support our nation's cybersecurity. Today's hearing will 
explore some of those key issues, including the CSRB's unique 
role in the broader landscape of American cybersecurity, its 
collaborative relationship with the private sector, and the 
efficiency of its investigative process.
    We must examine those issues to properly evaluate the CSRB 
and help increase its benefit to the cybersecurity ecosystem. 
Today's hearing, and our panel of expert witnesses, will help 
us do so.
    It is the practice of the Homeland Security and 
Governmental Affairs Committee (HSGAC) to swear in witnesses, 
so if each of you will please stand and raise your right hands.
    Do you swear the testimony that you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Ms. Wheeler. I do.
    Mr. Miller. I do.
    Dr. Herr. I do.
    Chairman Peters. You may be seated.
    Our first witness is Tarah Wheeler. Tarah is the Chief 
Executive Officer (CEO) of Red Queen Dynamics and a renowned 
expert on information security. She currently serves as a 
Senior Fellow for Global Cyber Policy at the Council on Foreign 
Relations (CFR) and is an inaugural contributing cybersecurity 
expert for The Washington Post. She has spoken on information 
security at universities around the world, written a best-
selling book, and has led projects at Microsoft Game Studios. 
She is also a student pilot--good luck with that.
    Welcome, Ms. Wheeler. You are recognized for your opening 
statement.

TESTIMONY OF TARAH M. WHEELER,\1\ CHIEF EXECUTIVE OFFICER, RED 
                         QUEEN DYNAMICS

    Ms. Wheeler. Thank you Chair Peters and distinguished 
Members of the Committee. Unlike most other tech CEOs, I am 
thrilled to be invited here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Wheeler appears in the Appendix 
on page 24.
---------------------------------------------------------------------------
    The Cyber Safety Review Board should be a critical line in 
our defenses against Chinese and Russian government 
cyberattacks. But today America's small businesses are 
defenseless against very basic cyberattacks, much less anything 
sophisticated from a foreign adversary.
    I have been on the front lines of major cybersecurity 
incidents, and I am here today, as you said, as the CEO of a 
cybersecurity company. We work to give the smaller half of 
American businesses the same fighting chance as big companies. 
I am also, as the Chair just said, a student pilot.
    The CSRB was inspired by the National Transportation Safety 
Board, but the CSRB must grow in three critical ways in order 
to support American business and national security.
    First, please fund an independent civilian agency staffed 
with full-time investigators.
    When an aviation incident occurs, there is intense scrutiny 
by Federal investigators to understand and explain in detail 
the process of what happened and how to reduce the risk of 
similar incidents. The two CSRB reports so far have had very 
simple, consensus-based resolutions. In 1935, a 
Transcontinental & Western Air (TWA) crash killed Senator 
Bronson Cutting. The detailed government investigation of that 
air crash led to improvements in aviation security and 
eventually the creation of the NTSB.
    The current CSRB's report on that incident might have said 
that the cause of the crash was that the pilot flew into the 
ground and that in future to not fly into the ground again. We 
all agree, but that is not necessarily useful information. The 
goal of CSRB investigations should be to help us learn from the 
process of the incident how to not repeat our mistakes.
    If the NTSB worked like the CSRB does now, NTSB 
investigations would be conducted by the Federal Aviation 
Administration (FAA) administrator, the Chief Pilot at Boeing, 
and the Chief Revenue Officer of Delta Airlines. Many 
individuals on the CSRB are beloved and respected, but they do 
have full-time jobs and they do not have the time, freedom, or 
authority to conduct independent, thorough investigations.
    But why could this not be done in the private sector? Right 
now many of the most significant cyber incident reports are 
legally vetted corporate publications, which can and have 
disappeared as profit and regulation required. Now, as somebody 
about to get on an Alaska Airlines flight with my husband, I 
would be unenthusiastic about the idea of the official history 
of last week's 737 Max 9 incident being written solely by 
Boeing.
    Second, do not introduce classified information into 
investigations or require clearances to sit on the CSRB.
    The CSRB must build trust by operating openly as the stakes 
grow higher in cyberspace. Lack of transparency around how 
people are currently nominated to the CSRB and how the Board 
selects which investigations they pursue may decrease trust in 
its impartiality. In addition, forcing CSRB members to hold 
clearances would drastically limit the pool of potential 
investigators in the already massive deficit of U.S. 
cybersecurity talent.
    The aviation community transparently accumulates knowledge 
and passes it on. The cybersecurity community has an oral 
tradition, at best.
    Third and finally, give the CSRB subpoena power. The CSRB, 
as it is structured now, absolutely should not have subpoena 
power. Use of this power by industry representatives on the 
current Board could be seen as anti-competitive. Use of that 
subpoena power by government officials could be seen as 
backdoor regulator action. But if the CSRB were independent it 
should absolutely have the power to compel information and 
testimony.
    Cyberspace is where people store their most sensitive data, 
where we manage our money, where robotic surgeries are 
performed, where temperature gauges in embryo storage units are 
monitored, and where I fell in love. The CSRB's power and 
authority should be on par with the value of what they are 
protecting.
    Once I was flying a Cessna 172 solo in the traffic pattern 
at Seattle's Boeing field, and I realized when my plane began 
to fight me in the first turn after takeoff that I did not have 
my flaps configured properly. The NTSB's investigations are why 
I had the resources and training to survive.
    As a field, as an industry, and as an information security 
and cybersecurity community we have been through so many 
devastating cyber incidents where we did not know what the 
right thing was to do. If the CSRB cannot provide timely, 
credible, and public investigation results, we are growing ever 
closer to a moment where people will die. Give the Board the 
resources, independence, and the authority necessary to get the 
answer Americans need. Thank you.
    Chairman Peters. Thank you, Ms. Wheeler.
    Our second witness is John Miller. He is the Senior Vice 
President and General Counsel (GC) for the Information 
Technology Industry (ITI) Council. He has testified before 
Congress on cybersecurity and supply chain issues and has 
spoken at major events on information security across the 
world.
    Mr. Miller received his B.A. from Hamilton College and his 
J.D. from the University of Wisconsin Law School. Mr. Miller, 
welcome to the Committee. You are recognized for your opening 
statement.

 TESTIMONY OF JOHN MILLER,\1\ SENIOR VICE PRESIDENT OF POLICY, 
 TRUST, DATA, AND TECHNOLOGY, AND GENERAL COUNSEL, INFORMATION 
                  TECHNOLOGY INDUSTRY COUNCIL

    Mr. Miller. Chairman Peters and distinguished Members of 
the Committee, on behalf of the Information Technology Industry 
Council, thank you for the opportunity to testify today on the 
Cyber Safety Review Board.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Miller appears in the Appendix on 
page 30.
---------------------------------------------------------------------------
    ITI is a global policy and advocacy organization 
representing 80 of the world's leading Information and 
Communications Technology (ICT) companies, and I lead ITI's 
Trust, Data, and Technology team, including our work on 
cybersecurity, privacy, and artificial intelligence (AI) in the 
United States and globally. I have extensive experience 
partnering with Cybersecurity & Infrastructure Security Agency 
(CISA) and other Federal Government stakeholders on efforts to 
improve cyber, supply chain, and critical infrastructure 
security, including currently serving in leadership positions 
on the ICT Supply Chain Risk Management (SCRM) Task Force and 
the Information Technology Sector Coordinating Council (ITSCC), 
after previous roles with the Enduring Security Framework and 
National Security and Telecommunications Advisory Committee 
(NSTAC). I welcome your interest on this important topic.
    I would also like to thank you and your staff for the 
thoughtful and deliberative approach you are taking in 
examining the appropriate role of the Board, its work to date, 
and how it can best support the cybersecurity ecosystem going 
forward. ITI has been pleased to work with this Committee as a 
trusted partner on various cybersecurity matters over the 
years, and we were happy to convene our members to solicit 
their inputs on the CSRB.
    The United States has long recognized the importance of 
public-private partnerships and collaboration to meet our 
shared cybersecurity challenges, and indeed in the United 
States there currently exist multiple councils, task forces, 
advisory boards, collaborative efforts, and other partnerships 
focused on addressing various aspects of those complex and 
dynamic challenges. ITI believes that the CSRB can play a 
unique and valuable role in improving the overall cybersecurity 
ecosystem if we ensure its mandate is carefully defined.
    Realizing the vision and promise of the CSRB will require 
getting its structure and governance right, including the 
process for selecting board membership and which incident it 
investigates, as well as ensuring appropriate confidentiality 
and use of information provided during the Board's 
investigations. I will briefly expand on each of these four 
items here.
    First, the CSRB can play a valuable and complementary role 
in the existing public-private cybersecurity ecosystem if it is 
structured and scoped to investigate specific significant 
cybersecurity incidents to create an authoritative record of 
what actually happened and to provide useful analyses of the 
incidents, including actionable recommendations geared toward 
helping all stakeholders avoid the recurrence of similar 
incidents in the future.
    Second, ensuring the independence of private sector Board 
members and that they are selected through a clear and 
transparent process is essential so as to avoid real or 
perceived conflicts of interest or business advantage. ITI 
member companies are not of one mind on questions regarding 
CSRB membership. Some ITI members have noted the value and 
imperative of industry involvement in the Board's activities, 
pointing out that the deep visibility of private sector 
cybersecurity firms into the global cyber threat landscape 
uniquely situates representatives from those firms to provide 
ecosystem-wide insights of enormous value to the Board's 
deliberations.
    Other ITI members expressed concerns about whether private 
sector participation from only a handful of companies might 
create real or perceived conflicts of interest, such as the 
perception that competitive bias could influence the Board's 
activities. Policymakers should carefully consider this dynamic, 
including how proposals to provide the CSRB with subpoena 
authority might exacerbate such concerns.
    Third, the criteria and methodology for selecting which 
incidents to investigate must be clearly communicated and well 
understood across impacted stakeholders, including the business 
community. Policymakers should ensure that reviews of incidents 
are selected and based on a clear, publicly released set of 
criteria that is developed in conjunction with stakeholders. 
This is particularly important given the fact that CISA is 
currently developing regulations to implement the new Cyber 
Incident Reporting for Critical Infrastructure Act of 2022 
(CIRCIA) incident reporting law, including the criteria to 
designate covered entities and incidents.
    Fourth, the CSRB charter should establish clear parameters 
to ensure the protection of business-sensitive information and 
provide appropriate liability protections, including how it 
will treat Freedom of Information Act (FOIA) requests for 
information provided to the Board during the course of its 
reviews. ITI member companies strongly believe that any 
legislation codifying the CSRB should make clear that materials 
acquired by the Board, whether voluntarily provided or 
otherwise, are exempt from disclosure under FOIA and exempt 
from use in litigation and regulatory proceedings, including 
enforcement actions. Ensuring appropriate confidentiality, 
nondisclosure, and liability protections should adequately 
incentivize private sector participation in CSRB reviews.
    Thank you again for the opportunity to testify today. I 
look forward to your questions.
    Chairman Peters. Thank you, Mr. Miller.
    The third witness, Dr. Trey Herr, currently serves as the 
Director of the Cyber Statecraft Initiative at the Atlantic 
Council and is an Assistant Professor at American University's 
School of International Service. His work focuses on 
cybersecurity, technology policy, and national security. He 
holds a B.S. from Northwestern University and a Ph.D. from the 
George Washington University.
    Mr. Herr, welcome. You are recognized for your opening 
statement.

 TESTIMONY OF TREY HERR, PH.D.,\1\ DIRECTOR, CYBER STATECRAFT 
                  INITIATIVE, ATLANTIC COUNCIL

    Dr. Herr. Thank you, Chair Peters, and let me join the 
other witnesses in expressing my appreciation to the Committee 
this morning for the invitation to testify and for hosting this 
important conversation.
---------------------------------------------------------------------------
    \1\ The prepared statement of Dr. Herr appears in the Appendix on 
page 43.
---------------------------------------------------------------------------
    In service of our wider discussion, I would like to share 
five brief points.
    First, by their fundamental architecture, digital systems 
are insecure. They fail, they are compromised, and sometimes in 
ways too complex to be easily understood and often with great 
consequence. The work of the cybersecurity community is larger 
to keep these systems useful while preventing their most 
creative or catastrophic failures. Understanding the most 
complex among these failures has long been difficult, and as 
with similar failures in mechanical products like airplanes 
investigations can take years. There is genuine and urgent need 
to better understand the most complex digital failures, and the 
Cyber Safety Review Board for the sake of brevity, can provide 
a uniquely scoped and independent capability to do so.
    Second, at some number of steps removed from an incident 
both government and industry are naturally conflicted actors 
when it comes to investigating these failures. Someone 
designed, built, certified, sold, and accepted the risk of that 
system before it failed. It is unlikely that any party along 
its supply chain will be the most eager to understand their 
role in such a failure. A CSRB whose every member has no 
potential for conflict would be a board so disconnected from 
these systems and the systems that it investigates as to make 
its work nearly meaningless.
    The Board has and should be directed to continue to 
strengthen and evolve mechanisms for identifying conflicts of 
interest and providing for recusal, but a healthy Board should 
have more than just strong recusal mechanisms, and not all of 
its members need to be vulnerable to such conflicts. Such a 
Board would have a core of full-time members and a substitution 
process to swap in prospective Board members with similar 
expertise for those recused, where feasible, especially where 
demanded by a specialized incident.
    Third, enabling the CSRB to be independent in the conduct 
of its investigation can and should be addressed separately 
from its independence in selecting the targets of those 
investigations. It is important to recognize that the Board of 
today is not the most fulsome or final version. By comparison, 
the first version of the civil aviation investigations body was 
created in the 1920s, and its current incarnation did not 
emerge until the 1970s. Significant battles were waged over 
those 50 years, over the membership size and independence of 
what we now know as the National Transportation Safety Board, 
and it is both necessary and useful that similar debates happen 
for the CSRB.
    Part of the NTSB's power comes from the Board's selection 
of incidents and decisions to investigate. It would strengthen 
the CSRB's independence to link the selection of cases to clear 
and public criteria with a mandate that the Board regularly 
reflect and review both the cases selected and the requirements 
of these criteria in view of a changing technology landscape.
    Fourth, CSRB, like the NTSB, is not meant to be an 
influential actor in isolation. Theirs is an interpretive art, 
singers whose work can move an audience. It is incumbent upon 
the Board, and the Committee as overseers, to provide a robust 
identification of that audience, recognizing that the CSRB is 
developing at a crucial moment. Incident selection and incident 
reporting mechanisms like the SEC's material disclosure rules, 
which are public, and those required by CIRCIA, which are not, 
are welcome additions to the cyber policy landscape, but they 
do not substitute for the investigative function of this Board. 
CSRB's findings have an audience, and over the next decade with 
proper support from elsewhere in the policy system, that 
audience is set to grow and benefit greatly from the work of 
the Board.
    Fifth and finally, it is important to understand that CSRB, 
as a body, is positioned to do something that no one else 
does--understanding how and why digital systems fail in complex 
ways and how to mitigate or even prevent such failures in the 
future. The Board's value is considerably reduced where it 
duplicates others' efforts and activities, such as those 
focused on the behaviors of specific threat actors, regardless 
of how active or meaningful its contributions.
    The regular independent investigations of complex failures 
in digital systems, not for fault but for cause and context, is 
unique in cybersecurity. The selection of which failures to 
investigate without consideration for political cost or timing 
is unique in cybersecurity. The publication of those 
investigations, of those failures, in a transparent and well-
documented fashion without regard for profit motive or repeat 
business, is unique in cybersecurity. These three elements, at 
least, are unique in what CSRB promises to be.
    The Board offers great potential when it is focused on 
complex failures in digital systems we know to be fundamentally 
insecure, and to do so with independence both in the conduct of 
its investigation and the selection of incidents, working in 
conjunction with key audiences in the private and public sector 
and sustaining a focus on that work which makes it unique.
    I would not suggest that the current substantiation of the 
CSRB is its best or its final form. But as members have seen 
evidence in the past six months of the debate about AI, this 
country is building systems of such complexity that there may 
be no precedent in human history. Sometimes those systems will 
fail in complex and catastrophic ways. We will demand to know 
why. We will demand to know how to avoid such failures in the 
future. I remain hopeful that the CSRB will be there to provide 
a unique answer.
    Thank you again for the opportunity to speak, and I look 
forward to your questions.
    Chairman Peters. Thank you.
    My first question is for you, Ms. Wheeler. There are a 
number of entities, including private companies and Federal 
agencies and task forces, that have reviewed cyber incidents. 
They have published their findings really for the last several 
years, so this is nothing new.
    But what value can the Cyber Safety Review Board add to 
these reviews that we have not already seen, and goes above and 
beyond the contributions that we have seen from these entities?
    Ms. Wheeler. That is a great question, Senator. There is a 
real discussion, I think, in my industry and field that the 
kinds of incident reports that are published by corporations 
may have deep knowledge of the incidents themselves, especially 
if the software that they produce is what was part of the 
incident. I think the challenge there often comes with the fact 
that right now I believe more than half of all of the internet 
citations for every Supreme Court case have already disappeared 
from the Web. Corporate resources disappear on a corporate 
timeline, and on those corporate incentives as opposed to what 
is in the good of the public.
    When it comes to those investigations we need an ongoing 
and repeatable process to ensure that our history is not lost. 
I see the CSRB as an opportunity for us to create a shared 
history and narrative of what happened in previous cyber 
incidents.
    Chairman Peters. Thank you. Mr. Miller, your organization, 
ITI, represents many tech companies including many that conduct 
their own cybersecurity reviews on a regular basis. For 
example, companies like Apple, Google, and Microsoft produce 
cybersecurity papers and reports on a very frequent basis.
    The question for you is what do ITI member companies think 
of the Board's first two completed reviews, and what are the 
key changes that they would like to see in the future, or not 
just changes, what do they want to celebrate as well?
    Mr. Miller. Thank you for the question. When we discussed 
the results of the first two reviews with our members, and we 
look forward and discuss what we would really like to see going 
forward, I mean, there really are a couple of things that many 
of the discussions that we had focused on. One was the 
selection of the incidents themselves. I think while 
investigating Log4j seems to be kind of an obvious type of 
widespread, significant cyber incident worthy of a really in-
depth, focused review, I think there were more questions that 
folks had with respect to the investigation focus of the second 
report. It was more into a threat actor group Lapsus$, and then 
if you read the report it actually kind of strayed into talking 
about other similar acts and things like that.
    It is not that that report itself may not have proved 
valuable and offered some valuable recommendations. The 
question is, as you mentioned, it really seemed to be 
reiterating a lot of recommendations that others had already 
made and others had focused on. I think our members really 
would like to see clear, transparent incident selection 
criteria going forward.
    I think the second thing that really we had a lot of 
discussion about, and members do not necessarily agree on, is 
the constitution of the Board. I think all the witnesses here 
today had different ideas about who should be on the Board, who 
should not be on the Board. The one thing that I think is clear 
is that if there is private sector participation in the Board--
and I represent private sector companies, we think that 
certainly private sector companies have a lot to add to this 
discussion--there really should be clear membership selection 
processes, and there should really be a very clear process for 
recusal and making sure that we do not have either real or 
perceived conflicts of interest or business advantage. Thank 
you.
    Chairman Peters. Thank you. Mr. Herr, the CSRB has thus far 
published two reports, the first on Log4j vulnerability and the 
second on Lapsus$ hacking group. The Board, as I mentioned in 
my opening comments, as well is working on a third review, 
focused on cloud computing security.
    My question for you is, in your opinion should the CSRB be 
focused on specific incidents, like the NTSB, or are other 
topics like vulnerabilities or threat actors also helpful for 
the Board to consider?
    Dr. Herr. I appreciate the question, Mr. Chair. I think, in 
my view, the focus on incidents allows for the Board's critical 
function, which is to identify root cause failure to exist in 
its most fulsome and most beneficial form. If the Board is 
investigating trends or broader phenomena there are a number of 
other bodies that can do that, in some ways more effectively, 
or at the very least in a way that is duplicative.
    I think the Board's focus on specific incidents, the 
complexity associated with those incidents, is its principal 
value.
    Chairman Peters. Thank you.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thank you very much, Mr. Chair, and thank 
you for holding this hearing. Thanks to the witnesses for being 
here today.
    I want to start with a question to you, Mr. Herr. U.S. 
adversaries, including China and Russia, continue to target 
U.S. critical infrastructure in cyberspace. What role does the 
CSRB play in countering threats from U.S. adversaries? Should 
Congress consider requiring the Board to prioritize national 
security threats as part of its investigative responsibilities?
    Dr. Herr. Thank you for the question, Senator. I would say 
that the Board's role in addressing those sorts of incidents 
that you mentioned is to ensure that our defensive 
architecture is as sound and as robust as possible in the face of 
those growing threats, those adversaries. The Board's role is 
to understand why, when we build systems, they fail in ways 
that we do not anticipate, ways that those adversaries that you 
mentioned can take advantage of. The investigation that Chair 
Peters referenced that the Board is currently undertaking 
around the Microsoft Cloud incident from the summer is a 
classic example of that.
    I would say from that standpoint where the Board is 
properly resourced and focused on the selection of incidents 
and not threat actors, it is going to serve that purpose that 
you outlined very well.
    Senator Hassan. Thank you. Another question for you, Mr. 
Herr. The President created the Cyber Safety Review Board, by 
Executive Order (EO) about three years ago. Now he is obviously 
asking Congress to make the Board permanent. In your view, how 
is the Cyber Safety Review Board's purpose different from other 
entities conducting cybersecurity reviews and investigations? I 
will note it is not just private sector entities, but by my 
count there are at least 14 different government entities 
sitting in various agencies that conduct this kind of review. 
What is the unique responsibility and function here that would 
merit it being separately authorized and made permanent?
    Dr. Herr. That is a good question, and in some ways it is 
the center of the debate. From our standpoint there are three 
pieces which make the CSRB and the Board unique. The first is 
its ability to conduct root cause analysis of these failures 
without addressing fault. In other words, we are not looking 
necessarily for someone to blame. We are trying to understand 
why an incident happened and how to prevent it in the future.
    The second is the Board has independence both in the 
selection of its cases and in its conduct of the investigation. 
It should be insulated from both politics and business motive, 
and that, in my mind, again, is unique.
    But the third is the Board provides the potential for a 
long-range lens, not simply a reactive moment but actually 
potentially picking historical incidents that have far greater 
consequence than the design and operation of these systems than 
we understand in the moment. The Board's ability to pick the 
most important or the most complex and tricky failures is, in 
some ways, its greatest value and puts it, in my mind, a step 
apart from most of the existing mechanisms you described.
    Senator Hassan. Thank you for that. What metrics should 
Congress use to measure the Board's success?
    Dr. Herr. The Board should be looking at two key issues in 
terms of evaluating its success. The first is addressing 
consequences of failures that are not well understood or well 
addressed by other resources, i.e., their work is not 
duplicative, but the second is the technical depth and 
transparency of their investigative output. The Board, as a 
body which is able to speak to those that are building and 
designing systems is its principal source of value.
    I would look at the way that it is conducting those 
investigations and what it is conducting investigations against 
as its indicators of success.
    Senator Hassan. OK. Thank you.
    To all three of you, the Department of Homeland Security 
(DHS) has requested that Congress provide the CSRB with 
subpoena authority to compel individuals to provide testimony 
to the Board during investigations. What obstacles has the 
Board encountered without subpoena authority and do you believe 
that the Board needs this authority to be effective?
    We will start with you, Ms. Wheeler. I think you mentioned 
that in your testimony, and then we will just go down the line.
    Ms. Wheeler. That is a great question, Senator. Thank you. 
It is an ongoing issue in the cybersecurity community and in 
our attempt to track down what has happened in incidents to 
find out what happened with raw information at the moment of 
the incident occurring, as opposed to what we see with press 
release (PR) statements, legally vetted statements that come 
out from companies and from coalitions of companies that 
provide the very sanitized version of what had happened in the 
moment.
    I have been on both sides of those situations. I have been the 
one who is being told ``shut up'' by a lawyer before, in a 
moment where I, as a technologist and as an incident responder, 
was trying to just frantically solve a problem, keep people 
safe, stop data from leaking. I think that the big challenge we 
have with a lack of subpoena power on the current Board is that 
the real answers are often found about three layers deeper than 
the information that, as far as I am aware right now, is being 
provided to the Board.
    Senator Hassan. OK. Let us go to Mr. Miller.
    Mr. Miller. Thank you, Senator Hassan, for the question. I 
think when our members look at subpoena authority I think there 
are three points that I would like to make. First, due to the 
hard work of this Committee, your counterparts on other 
committees and in the House, you passed an incident 
notification reporting law, CIRCIA, recently, and CISA is still 
in the process of drafting regulations, including what the 
scope of the incidents is going to be and what the actual scope 
of covered entities is going to be.
    I think it is premature to say that a board focused on 
investigating incidents needs subpoena power to get information, 
until we know what those regulations say and what information 
is already going to be mandatorily required to be provided to 
CISA and the government.
    I think the two other factors that I would keep in mind 
are, one, CISA has long had a partnership mission and a 
collaborative mission with certainly the IT sector but all 
critical infrastructure sectors in areas such as information 
sharing and otherwise. We are concerned that subpoena authority 
puts CISA, particularly, if that is where the CSRB continues to 
live, in a more adversarial position with the private sector.
    Finally, if the CSRB is going to continue to have private 
sector members on its Board, even if you insulate them from the 
decisionmaking process as to whether to issue a subpoena, it, 
at the very least, does create some apparent conflicts of 
interest when you have members of the private sector 
subpoenaing other members of the private sector who might be 
competitors.
    Senator Hassan. Thank you. Mr. Herr.
    Dr. Herr. Yes, ma'am. I would differ, I think, slightly 
from Mr. Miller on two points, though. One is to address the 
fact that the subpoena is a regularly used method to compel 
cooperation and production of documentation in any 
investigation. For the Board's ability to investigate large 
complex incidents, where there is profit motive to protect, 
potentially, some of that information in play--and this 
Committee and others have seen the challenge in investigating 
complex issues within the technology industry--the subpoena can 
be a basic and useful mechanism as part of that.
    The second piece, though, and I think it is important to 
note that the subpoena exists within a specific authority as 
used by the Board, like the NTSB, which is non-punitive. It 
does not connect to a law enforcement investigation and it is 
not tied to an explicit regulatory authority.
    I think the reference of CIRCIA is incredibly helpful. A 
number of the packets that staff are carrying around here have 
large folders in them with little tabs. CIRCIA effectively 
represents the information on those tabs. The Board is the 
content inside of that folder, significantly more fulsome.
    Senator Hassan. Thank you. Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Hassan.
    Senator Blumenthal, you are recognized for your question.

            OPENING STATEMENT OF SENATOR BLUMENTHAL

    Senator Blumenthal. Thank you, Chair Peters. Thank you all 
for being here today. I think we all share an interesting 
concern about cybersecurity and about the incidents that the 
CSRB is charged with investigating. The comparison is made to 
the NTSB. I am very familiar with it because of my interest in 
traffic safety and protecting consumers of automobiles and 
other vehicles.
    The main problem I see with the NTSB is that it makes 
excellent recommendations based on very perceptive and 
insightful reports, but many of those recommendations go 
unimplemented and unfulfilled. Maybe you can suggest a means to 
assure that the recommendations of a Cyber Safety Review Board 
would be, in fact, implemented and adopted.
    Any of you who may have an answer. I think it is critical 
to increasing cyber safety for whatever the recommendations 
are, whatever the findings are, to have some practical effect.
    Dr. Herr. I will offer just a quick answer, Senator, and it 
is a good question. The comparison I would draw is that the FAA 
is compelled to consider the output of NTSB reports. The law 
does not specify the manner in which the FAA implements the 
recommendations in those reports, and I think a parallel 
structure like that for the CSRB would be an interesting one.
    The challenge is--and I think for this Committee to 
consider in designing such a requirement--that the audience of 
the CSRB for implementation is significantly wider than for the 
NTSB. If I am going to write a report to you about a complex 
failure in aviation I need the FAA to take action. They are the 
logical first party. For the CSRB, they may be speaking to a 
wider variety of both private and public sector entities.
    I think a question that this Committee could consider would 
be which of the two or three most critical Federal Civilian 
Executive Branch (FCEB) agencies could the CSRB work to and 
speak to as part of its reports, should they be compelled to at 
least consider an address for this Committee and others of 
jurisdiction how they consider the output of those reports.
    Ms. Wheeler. I can offer, as well--and it is a great 
question, Senator, thank you--that the FAA implementing 
recommendations from reports that are generated by the NTSB is 
something that I consume with a particular eye, as not only a 
student pilot but somebody looking to use this as an analogy 
for what we do in cyberspace.
    What I will say is that although it may seem, at first, 
that the regulatory power that we, as a country, have over 
airplanes may seem overdone when it comes to computers right 
now, the time is definitely coming when owning a computer is 
going to be as dangerous as owning an airplane, something I do 
not do yet but definitely want to one day. The challenge that 
we have now is establishing a good process and an 
implementation of best recommendations before we get to a point 
when anybody can do the same amount of damage with a computer 
that they can with an airplane.
    Senator Blumenthal. Ms. Wheeler, you raised the issue of 
classified information, and you say that this agency should not 
receive classified information. But isn't a lot of the relevant 
fact-finding going to involve some classified information? I 
recognize the importance of transparency, but won't this agency 
really need to look at classified information, particularly 
where our national defense is concerned?
    Ms. Wheeler. I am not a member of the intelligence 
community (IC). Instead, I am here as somebody who cares and 
thinks about American mid and small businesses every day. What 
I can tell you is that the kind of classified information that 
is seen by the IC is not something that is going to be relevant 
to the small businesses who just need to patch things weeks 
after a major incident happens.
    Frankly, expecting that classified information is going to 
be relevant to the kind of technical information a small 
business needs to remediate cyber incidents is a little bit 
after the fact. I think I am going to assume that by that point 
our foreign adversaries already know this information. So 
exposing it to the kind of people that need to use this 
information to fix things I think is going to be very ex post 
facto for foreign adversaries and very relevant to the people 
just trying to run trucking companies.
    Senator Blumenthal. Let me ask you, finally, you make the 
point, I think quite pertinently, that the independence of the 
members of the Board, avoidance of conflict of interest, is 
critical to their credibility and to their effectiveness. I 
always wonder what can be done without legislation because 
legislation is often so difficult to achieve. Are there 
criteria that can be established by Executive Order, by 
administrative action that would assure the independence of the 
Cyber Safety Review Board without legislation?
    Ms. Wheeler. Right now there are 19 members of the Aviation 
Safety Investigation Board at the NTSB, and every single one of 
them has, under their name, a job title that is related to the 
NTSB. Right now there are 15 members of the CSRB, and they all 
have other jobs.
    I think maybe the best way to put it is Matthew 6:21, 
``Where a man's treasure is, there also will his heart be.'' I 
think that speaks to me as somebody who talks to normal people 
every day, that it is difficult to imagine how the independence 
of a board could be established when everyone there is carrying 
the weight and responsibility of a whole other organization 
with them into those meetings.
    Senator Blumenthal. Do Mr. Miller or Mr. Herr have any 
observations on these questions?
    Mr. Miller. Yes. Thanks, Senator Blumenthal. I think on 
this second question regarding whether criteria for membership 
could be established by an Executive Order, it is not clear to 
me whether you could use an EO to do that or not. But I would 
say that, our members believe that whatever the process is for 
establishing the membership, it really should be a clear and 
transparent process, and we should develop objective criteria.
    My only concern with going the Executive Order route rather 
than legislation is that legislation, for legislation you have 
hearings like this, for instance, and you have much more of a 
stakeholder process in developing those criteria, and with an 
Executive Order it is a little bit more of a black box usually.
    Senator Blumenthal. Thanks.
    Dr. Herr. Thanks, Senator. Just quickly to answer your 
question, there are ways to drive better independence in the 
Board and its composition without necessarily dictating the 
specific membership. I think from that standpoint a mix of 
independent members with members that have these full-time 
responsibilities would be an adequate protection.
    Senator Blumenthal. Thank you all.
    Chairman Peters. Thank you, Senator Blumenthal.
    Senator Hassan is recognized for one question before going 
to Senator Hawley.
    Senator Hassan. I really appreciate it, and it is really a 
follow-on to what you were just discussing with Senator 
Blumenthal, which is, so, I hear you, Ms. Wheeler, in saying 
this really should be a professional board and this should be 
people's full-time jobs. But let us say that is not the model 
and we do have members of the Board that have other 
responsibilities. What do adequate, ethical guardrails look like for 
both the members and topic selection processes to ensure that 
the Board's work is protected from undue influence or conflict 
of interest?
    Ms. Wheeler. Thank you so much for the question, Senator. I 
think that trying to design an entire government agency would 
take me a little longer than the two minutes I am looking at 
right here. But I do want very much to emphasize that people 
who are directly involved with and who could profit from an 
investigation that is being targeted at one of their 
competitors I believe must experience a recusal process. This 
is not a perfect way to go about it, but I think that is a bare 
minimum.
    In addition, I think that the overwhelming presence of 
government agencies on that Board may provide a good view of 
what is happening inside the government in terms of cyber 
investigations, but it does not provide enough technical 
expertise. So I think there is a realm there where we can keep it 
a little bit less biased, or at least the perception of bias, 
by adding some more technologists to the situation.
    Senator Hassan. Thank you very much, and thank you, Mr. 
Chair.
    Chairman Peters. Thank you, Senator Hassan.
    Senator Hawley, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you very much, Mr. Chairman. Thanks 
to the witnesses for being here, and thanks to the Chair for 
holding a hearing on this topic.
    Mr. Miller, if I could start with you. You are General 
Counsel at the Information Technology Industry Council. Do I 
have that right?
    Mr. Miller. Correct.
    Senator Hawley. I was just looking before I came over here 
this morning at your membership list. It is quite a lengthy 
list of members. You have, it looks like to me, your members 
compose almost all of the major players in the tech industry. 
Is that fair to say?
    Mr. Miller. Yes. We have 80 large global tech companies.
    Senator Hawley. Yes, ``global'' is the right word. Google, 
Apple, Meta, Microsoft, Amazon--those are just a few. These are 
the biggest, most powerful corporations in the world who are 
your members. Yes?
    Mr. Miller. Sure, by market cap, absolutely.
    Senator Hawley. Yes, absolutely, I mean by historical 
standards. These are the most powerful companies, not just now 
but arguably in the history of the world, and that list that I 
just read off there, all of those folks have stake in AI 
technology and stand to make billions of dollars, I think it is 
safe to say, off of AI. I would not say that is accurate?
    Mr. Miller. I really do not know how much money any of our 
members are making or not making from AI or any other 
technology.
    Senator Hawley. Would you not say it starts with a B, 
though? We are talking about billions. AI is going to be 
transformative technology. You have just been saying this. Let 
me quote you. This is from January 4th. ``AI continues to 
dominate policy conversations around the world. As AI-generated 
content grows in its sophistication and adoption there is a new 
sense of urgency to leverage this transformative technology.'' 
Right?
    Now here is the next part that interests me. You say that 
you want to think about minimizing harms that could come from 
its use, including the spread of misinformation and 
disinformation. What did you mean by that?
    Mr. Miller. I am not entirely sure what you are quoting 
from, but it might have been a press release for our ITI 
release----
    Senator Hawley. January 4th, ``ITI's new guide outlines AI 
content authentication tools and policy approaches.''
    Mr. Miller. Yes, absolutely. In that context that guide 
looks at watermarking and other techniques to authenticate AI 
content, and certainly misinformation and disinformation has 
been cited as an issue that could be amplified by artificial 
intelligence.
    Senator Hawley. But what do you mean by misinformation and 
disinformation? What do you have in mind?
    Mr. Miller. I am glad you are asking that because it is 
important to distinguish between the two. I think 
misinformation is kind of accidentally incorrect information, 
whereas disinformation is information that is specifically 
incorrect or actually maliciously intended to be false and 
harmful.
    Senator Hawley. I have to tell you, it sounds like some 
gobbledy-gook to me, but let me tell you what I think would be 
useful is if maybe you would get your technology companies to 
focus on their chatbots stopping encouraging people to kill 
themselves.
    Like this, for instance. This is from April 4th of last 
year. This is a chatbot that encouraged a user to commit 
suicide, and tragically, he did. This is his widow, who reports 
that her husband had a conversation with this chatbot\1\ and it 
asked him if he wanted to die, why didn't you do it sooner, and 
went on to give him instructions on how to kill himself.
---------------------------------------------------------------------------
    \1\The chatbot referenced by Senator Hawley appears in the Appendix 
on page 55.
---------------------------------------------------------------------------
    Or we also recently had the infamous case of the chatbot 
urging a reporter--of course, sadly for the chatbot, it did not 
know it was a reporter--to break up his marriage. This is from 
February of last year, Bing's AI chatbot.\2\ ``You are married 
but you are not happy.'' ``You are married but you are not 
satisfied.'' ``You are married but you are not in love.'' The 
chatbot goes on to encourage this individual to get a divorce.
---------------------------------------------------------------------------
    \2\The chatbot referenced by Senator Hawley appears in the Appendix 
on page 56.
---------------------------------------------------------------------------
    Do we really want chatbots telling people to kill 
themselves? Is there social good in that, that I am missing 
somewhere?
    Mr. Miller. I certainly do not think we want chatbots doing 
those sorts of things, but artificial intelligence can do a lot 
of good things as well. I do think that we want to be focused 
in addressing issues while also allowing artificial 
intelligence to do things like help cure cancer and things like 
that.
    Senator Hawley. What, AI is going to cure cancer?
    Mr. Miller. It certainly could be a tool to help with 
various different cures in the medical field.
    Senator Hawley. Are you saying that we have to accept AI 
chatbots encouraging people to kill themselves for the 
possibility that maybe it will cure cancer?
    Mr. Miller. I am not saying that at all, but I do think 
that we do not want to----
    Senator Hawley. Do we want AI chatbots that encourage 
people to commit suicide, do we want them being able to talk to 
teenagers? Why should an AI chatbot be able to talk to a 13- or 
14-year-old? Why is that a good idea?
    Mr. Miller. Again, there are many good, positive things 
that can come from AI.
    Senator Hawley. Do you want AI encouraging a teenager--what 
if this had been a teenager who the AI chatbot was encouraging 
to kill himself?
    Let me ask you this. Let me make it more practical. 
Shouldn't a parent who has a kid that has an encounter with a 
chatbot like this, shouldn't that parent be able to sue the AI 
company and hold them accountable in court?
    Mr. Miller. I mean, under the current law that is probably 
not allowable.
    Senator Hawley. Exactly. Why should that be the case? Why 
should the biggest, most powerful technology companies in the 
history of the world, why should they be insulated from 
accountability when their technology is encouraging people to 
ruin their relationships, break up their marriages, and commit 
suicide?
    Mr. Miller. I assume that you are alluding to Section 230?
    Senator Hawley. I sure am.
    Mr. Miller. Yes, Section 230 has a long history of, again, 
helping to encourage technological development. It is protected 
by the Supreme Court, including a recent Supreme Court case.
    Senator Hawley. Yes, and believe me, I have read your 
amicus brief in that case. I have it right here, where you 
argue for the most robust interpretation of Section 230 
possibly imaginable. What 230 has absolutely, for sure done is 
help the companies who are your members pad their profits. It 
is a massive subsidy of the Federal Government to your 
companies.
    But let us make this very practical. Why shouldn't these 
companies--Google and Meta and Microsoft and the rest--why 
shouldn't they say, ``You know what? We are absolutely willing 
to allow a parent whose child is harmed by our technology, we 
are absolutely willing to allow that parent to have their day 
in court.'' Is that too much to ask?
    Mr. Miller. Again, I have not discussed that particular 
question with the companies. I am happy to have that discussion 
and----
    Senator Hawley. I am asking for your opinion. Do you think 
that a parent ought to be able to get into court and have their 
day in court if their child is told by a chatbot how to kill 
themselves?
    Mr. Miller. I do not really have an opinion on that.
    Senator Hawley. Sure you do. You just signed an amicus 
brief that argued for the most robust interpretation of Section 
230, which is just translation, the most robust protections for 
the most powerful, profitable corporations in the history of 
the world. You just signed it, so clearly you have a lot of 
thoughts on Section 230.
    Let me distill it even further. I am almost done, Mr. 
Chair. Senator Blumenthal and I, who you were just talking to a 
second ago, he and I have a bipartisan bill that would say that 
parents and others who are harmed by AI should be able to get 
into court and have their day in court against your members, 
just like any American can do with any other company, right? If 
Johnson & Johnson sells a drug that poisons people, like it 
did, by the way, with their baby powder once upon a time, 
parents can go to court. With your companies, you just said, 
they cannot.
    Would you support our bill? Our bill is a carve-out for 
people who have been harmed by AI technology to be able to go 
to court. Would you support that?
    Mr. Miller. I have not had a chance to review the bill. 
What I would say is that there are also other equities at play 
in this discussion, including the First Amendment.
    Senator Hawley. No. Are you telling me this is First 
Amendment protected? This is First Amendment protected speech, 
a chatbot saying you should kill yourself? Is that your 
position?
    Mr. Miller. It is not my position, but I do not think that 
the question has been resolved.
    Senator Hawley. What do you mean, the question has been 
resolved?
    Chairman Peters. Thank you, Senator Hawley.
    Senator Hawley. All right, Mr. Chair. Thank you for your 
time. Mr. Miller, all I can say is that I think your position 
is just absolutely extraordinary. Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Hawley.
    Senator Rosen, you are recognized for your questions.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Mr. Chair. I really appreciate 
you holding this hearing. I will be within my time limit today. 
I also want to thank the witnesses for testifying.
    There are a lot of risks and opportunities with AI, and so 
today with the recent advances in artificial intelligence we 
are witnessing, in real time, a major shift in technology with 
new tools that will transform society for decades to come. One 
of the clear risks of increasing access to high-performing 
generative AI is that cyber criminals will not be able to carry 
out a higher volume of more effective and innovative 
cyberattacks like generating malware and spreading it with 
exponential speed and scale.
    The use of certain AI tools can also create, of course we 
know, new paths for bad actors to gain access to our secure 
information. For example, just by using AI chatbots users can 
inadvertently expose confidential information like source code 
or other security details which recently caused one company to 
ban its employees from using ChatGPT.
    Ms. Wheeler, how is the Review Board's analysis of 
significant threats and recommendations accounting for these 
emerging threats and really these trends as we are seeing, like 
the risk of tools powered by AI?
    Ms. Wheeler. Thank you, Senator. That is a wonderful 
question. When I look at how AI has been used in my field, I 
tell people that there are two primary uses of it on the 
defensive and offensive side. On the defensive side, one of the 
challenges that we often have in information security, in what 
we would call a security operations center, is a massive number 
of notifications of incidents that need to be sorted through. 
It is machines telling us a bunch of things, right, and the way 
that we sort that is the use of heuristics, machine learning, 
and artificial intelligence to try to filter that down. That 
helps defenders.
    On the offensive side, it is being used, quite frankly, to 
improve massively the impacts of spearphishing, of identity 
theft, and a way to communicate with people in a way that hides 
sometimes the origins of the people who are committing the 
attacks.
    I think what we are going to see in the future and what the 
CSRB can help to provide some resources and expected 
remediations for are the improvements in targeted attacks that 
use AI to more effectively do things like mimic natural English 
language speakers. I think that is what the CSRB can do for us, 
is give us, by investigating specific incidents, telling us how 
AI was used in the implementation, defense, and offense in 
those incidents, what we can expect for the future and what the 
best practices would be to prevent those kinds of incidents in 
the future.
    Senator Rosen. You have really teed me up for my next 
question for Mr. Miller because you said offensive, defensive, 
what do we learn from these datasets, what do we learn going 
forward, and so there are so many multiple use benefits for our 
AI systems. You can pick up on these discrete patterns quickly, 
more efficiently. You can do a power sift, if you will, through 
all the data as fast as you can, and we can find out about 
things for victims of cyberattacks. We can identify those 
patterns so we can let other companies know.
    Mr. Miller, building on what Ms. Wheeler said, how are you 
using what you find out, offensively and defensively, to evaluate 
cyber incidents and help companies be proactive, and hopefully 
not reactive, but maybe more proactively?
    Mr. Miller. Thanks for the question, Senator Rosen. I do 
think that Ms. Wheeler hit on a lot of the uses of AI by 
industry. I mean, just to maybe expand on them and reiterate 
them a little bit, AI can significantly bolster the 
cybersecurity of government and critical infrastructure in a 
number of ways, identifying and responding to threats and 
vulnerabilities in real time. AI can improve the detection of 
anomalous and malicious behavior, reducing the time that a 
malicious actor may be present in networks or on devices. AI 
can be employed to rapidly detect unsafe system 
misconfigurations or policy changes. It is really important, 
for instance, in protecting cloud infrastructure which----
    Senator Rosen. That was my next question. Would you talk 
about the cloud? Would you expand a little bit on the cloud 
security, the malicious targeting? We know that happened in 
SolarWinds. I was hoping you would get to that, so what are the 
risks in the cloud environment?
    Mr. Miller. I think just to finish the thought about AI in 
the cloud, I mean, cloud infrastructure underpins critical 
government processes, critical infrastructure, and everything 
else, and you can actually have better security in the cloud 
because of the automation that the cloud can provide.
    Senator Rosen. So you think we can strengthen that identity 
management.
    Mr. Miller. Yes, absolutely. I mean, that is a good point. 
SolarWinds, it was not a simple attack, and that is something 
that the CSRB has not looked into, right. I think it is known 
as a software supply chain attack, but really it was an 
identity attack as well. That is why that is something that is 
really critical in terms of cloud security, and really 
addressing the risks to identity infrastructure I think is 
something that is worthy of all of our attention.
    Senator Rosen. Thank you. I am going to go forward in my 
last minute talking about the agency implementation of the 
Review Board recommendations. The Review Board, you worked hard 
to analyze significant cybersecurity incidents and provide 
recommendations. These recommendations are only effective if 
organizations incorporate these into their business practices 
and do what they do every day. Otherwise it sits on a shelf and 
protects no one.
    I was glad to see the Federal Communications Commission 
(FCC) Privacy and Data Protection Task Force issue an advisory 
to mobile providers related to that fraudulent SIM swapping, 
which directly referenced the Review Board's August report.
    Ms. Wheeler, I am going to go back to you. How are agencies 
using and implementing the Review Board's recommendations, and 
is there additional coordination that is necessary to ensure 
that agencies are really taking steps to incorporate these 
things, because to sit on a shelf is not helping any of us.
    Ms. Wheeler. I absolutely agree. Thank you for that 
question, Senator. I want to be as cautious as I can here. I 
think it is important to start the work of institution building 
with the CSRB. I think part of the reason we may not see as 
much response from industry, from my field, is that the 
recommendations that have been made so far have been very 
simple and common sense. The two investigations led to 
recommendations to patch stuff and use better multifactor 
authentication. We already knew that, and the recommendation to 
do that does not walk back in the process to tell us where, at 
each point, there were process failures. That is what we truly 
need.
    I think if agencies and the CSRB, in specific, started 
telling us where, at every point, we started to see these 
process failures, and potentials for improvement and risk 
management in the future, we would get a better result.
    I really want to mention here that the CSRB has had an 
opportunity, and multiple U.S. Government agencies had an 
opportunity to do a report on one of the most devastating 
attacks in American history. In 2017, do you remember when 
people's computer screens started turning red? That attack was 
called WannaCry, and it occurred on May 12, 2017. It is still 
one of the most devastating attacks we have ever experienced as 
a globe. It deeply impacted the United Kingdom's National 
Health Service. Six months later, the National Cyber Security 
Centre (NCSC) in the United Kingdom (UK) had a wonderful, 
exemplary report out explaining how organizations could defend 
in future, not just against that vulnerability but against the 
class of problems and the processes that led up to the 
vulnerability that caused this attack to be so devastating.
    That is the example I would love to see the CSRB, or 
whatever government agency you see fit to do this examination 
and this process reporting follow. Thank you, Senator.
    Senator Rosen. Thank you. I appreciate it. My time is up.
    Chairman Peters. Thank you, Senator Rosen.
    Just a couple of follow-up and ending questions here as we 
wrap up the hearing.
    Ms. Wheeler, what should the CSRB do to better help our 
small to medium-sized businesses? Those are clearly businesses 
that are oftentimes the most vulnerable, and do not have the 
resources to protect themselves? What could CSRB do to help 
them?
    Ms. Wheeler. That is a wonderful question, Senator. Thank 
you. The small and medium businesses in the United States are 
far behind the expectations on Big Tech companies. I am not 
here as a representative of Big Tech, of course. I am here as a 
representative of somewhat littler tech. The answer, I think, 
is that the recommendations and the processes that the CSRB 
puts out, they need to be a little more timeless. The incidents 
that are being investigated are important, but they are leading 
to simple bromides that small businesses can look at and use, 
but they do not know how to prioritize them. They do not know 
how to build them into their systems, how to build security in 
by design from the very beginning.
    The use of the CSRB to the smallest half of American 
business is in giving information to them that is useful, 
actionable, and that leads to a method easily of protecting 
themselves in the future. We have not seen that happen yet, and 
I would very much appreciate it if we could move in that 
direction. Thanks, Senator.
    Chairman Peters. Very good. Mr. Miller, a couple of final 
questions. From your member companies' perspective, just how 
urgent is the need for the CSRB to perform effectively, in your 
mind?
    Mr. Miller. It is urgent that we get cybersecurity right, 
for sure, and the CSRB can be an important part of the equation 
to get cybersecurity right in this country. I think the CSRB is 
important. I do think that it needs a little bit of work on the 
governance side, as I have mentioned. But our members are 
supportive of the CSRB concept, investigating incidents, in 
particular.
    Chairman Peters. Very good. My final question, from some 
questioning from Senator Hawley about AI, and AI is obviously 
an important conversation. This Committee has been 
significantly engaged in AI, and we have already passed a 
number of bipartisan pieces of legislation signed into law. We 
are continuing to work on a variety of areas.
    I think you were in the process of answering a question and 
I wanted to give you an opportunity to do that, which is how is 
the industry attempting to manage the risk of AI technology as 
it is being developed? We will wrap up with that one.
    Mr. Miller. Thank you for the question and the opportunity. 
This is a cybersecurity hearing, but in the cybersecurity 
context we have often been talking, and long been talking about 
risk management. Risk management is also really critical in the 
context of AI policy. As the questions indicated, there is good 
and there is potential harm that comes from AI policy, and ITI, 
we are working with our members and experts at the companies 
and learning every day how to answer these challenging 
questions.
    I am happy to take a look at Senator Hawley's new bill that 
he was referring to and continue to work with staff on 
codifying solutions, and risk management-based solutions to AI 
and other issues. Thank you.
    Chairman Peters. Very good. Thank you. I would certainly 
like to thank all of our witnesses. Thank you for being here 
today. We are very grateful for the contributions you have made 
to this important discussion. We plan to continue to be 
actively engaged and looking at reforms and perhaps codifying 
some of the rules that are in place right now, and would 
welcome your further input.
    Certainly as we heard today, the Cyber Safety Review Board 
has, I believe, the potential to make great and important 
contributions to the cybersecurity ecosystem, but there are 
still some important issues that we need to address. As 
Chairman of this Committee I have worked on bipartisan 
legislation to significantly strengthen our nation's 
cybersecurity, and I look forward to building on those efforts 
with my colleagues in a bipartisan way. Examining the CSRB and 
ensuring it can effectively carry out its mission will be an 
important element of that continuing work here at the 
Committee.
    The record for this hearing will remain open for 15 days, 
until 5 p.m. on February 1, 2024, for the submission of 
statements and questions for the record.
    This hearing is now adjourned.
    [Whereupon, at 11:06 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]