[House Hearing, 116 Congress] [From the U.S. Government Publishing Office] PREPARING FOR THE FUTURE: AN ASSESSMENT OF EMERGING CYBER THREATS ======================================================================= HEARING before the SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED SIXTEENTH CONGRESS FIRST SESSION __________ OCTOBER 22, 2019 __________ Serial No. 116-44 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.govinfo.gov __________ U.S. GOVERNMENT PUBLISHING OFFICE 40-460 PDF WASHINGTON : 2020 COMMITTEE ON HOMELAND SECURITY Bennie G. Thompson, Mississippi, Chairman Sheila Jackson Lee, Texas Mike Rogers, Alabama James R. Langevin, Rhode Island Peter T. King, New York Cedric L. Richmond, Louisiana Michael T. McCaul, Texas Donald M. Payne, Jr., New Jersey John Katko, New York Kathleen M. Rice, New York Mark Walker, North Carolina J. Luis Correa, California Clay Higgins, Louisiana Xochitl Torres Small, New Mexico Debbie Lesko, Arizona Max Rose, New York Mark Green, Tennessee Lauren Underwood, Illinois Van Taylor, Texas Elissa Slotkin, Michigan John Joyce, Pennsylvania Emanuel Cleaver, Missouri Dan Crenshaw, Texas Al Green, Texas Michael Guest, Mississippi Yvette D. Clarke, New York Dan Bishop, North Carolina Dina Titus, Nevada Bonnie Watson Coleman, New Jersey Nanette Diaz Barragan, California Val Butler Demings, Florida Hope Goins, Staff Director Chris Vieson, Minority Staff Director ------ SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION Cedric L. Richmond, Louisiana, Chairman Sheila Jackson Lee, Texas John Katko, New York, Ranking James R. Langevin, Rhode Island Member Kathleen M. Rice, New York Mark Walker, North Carolina Lauren Underwood, Illinois Van Taylor, Texas Elissa Slotkin, Michigan John Joyce, Pennsylvania Bennie G. Thompson, Mississippi (ex Mike Rogers, Alabama (ex officio) officio) Moira Bergin, Subcommittee Staff Director Sarah Moxley, Minority Subcommittee Staff Director C O N T E N T S ---------- Page Statements The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation: Oral Statement................................................. 1 Prepared Statement............................................. 2 The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation: Oral Statement................................................. 3 Prepared Statement............................................. 4 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security: Oral Statement................................................. 5 Prepared Statement............................................. 6 Witnesses Mr. Ken Durbin, CISSP, Senior Strategist, Symantec Corporation: Oral Statement................................................. 8 Prepared Statement............................................. 9 Mr. Robert K. Knake, Senior Research Scientist, Global Resilience Institute, Northeastern University, Senior Fellow, The Council on Foreign Relations: Oral Statement................................................. 14 Prepared Statement............................................. 15 Ms. Niloofar Razi Howe, Senior Fellow, Cybersecurity Initiative, New America: Oral Statement................................................. 20 Prepared Statement............................................. 22 Mr. Ben Buchanan, PhD, Senior Faculty Fellow, Center for Security and Emerging Technology, Mortara Center, Assistant Teaching Professor, Georgetown University: Oral Statement................................................. 28 Prepared Statement............................................. 30 PREPARING FOR THE FUTURE: AN ASSESSMENT OF EMERGING CYBER THREATS ---------- Tuesday, October 22, 2019 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Washington, DC. The subcommittee met, pursuant to notice, at 2:11 p.m., in room 310, Cannon House Office Building, Hon. Cedric L. Richmond [Chairman of the subcommittee] presiding. Present: Representatives Richmond, Jackson Lee, Langevin, Rice, Slotkin, Thompson; Katko, Walker, and Taylor. Also present: Representative Joyce. Mr. Richmond. The Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation will come to order. The subcommittee is meeting today to receive testimony on preparing for the future, an assessment of emerging cyber threats. Mr. Katko. Mr. Chairman, I ask unanimous consent that our colleague from Pennsylvania, Mr. Joyce, be able to fully participate in today's hearing. Mr. Richmond. Hearing no objection, so ordered. Good afternoon. I want to welcome the witnesses to today's hearing on how we seek to balance the benefits of technical innovation with the security vulnerabilities that it may bring. The rapid proliferation of new technology is changing the world. Advancements in artificial intelligence, AI, and quantum computing will equip us with new tools to defend ourselves and break down barriers to new research that could improve the way we live and save lives. Unfortunately, one man's tool is another man's weapon. Sophisticated nation-state actors like Russia, China, Iran, and North Korea have already weaponized new technologies to disrupt our democracy, compromise our National security, and undermine our economy. As technology improves, so will their ability to use it against us. I am particularly concerned about the impact of new technologies on our elections. In the lead-up to the 2016 Presidential election, Russia mounted an unprecedented influence and disinformation campaign. They use bots to automatically tweet divisive messages from fake accounts. As we move into the heart of the 2020 election cycle, we must be prepared for our adversaries to use AI-generated deepfakes to create a false history, sow discord, and inject skepticism into our National elections. To start, on-line platforms must learn to identify deepfakes and publish policies about how they will handle them. At the same time, we need to educate the public to ensure that they are informed consumers of information. More broadly, ensuring that emerging technologies are developed and deployed responsibly requires U.S. leadership, and I am concerned that we are not demonstrating that now. For years the Federal Government has cut research and development dollars to meet budget caps, and I am worried that countries like China are outpacing our investment. Our failure to put money into R&D may cost us not only our strategic advantage as the world's leader in technology, but the global influence that stems from it. What is most alarming, however, is the lack of attention that this administration is giving to this important National security issue. Despite the fact that our intelligence agencies have confirmed that nation-state actors are utilizing their emerging technology for their strategic advantage, the administration annually slashes R&D funding under the false premise that the private sector will make up the difference. Maintaining U.S. leadership in this space will require direction, coordination, and money from the Federal Government. Before I close, I want to address a final issue that is causing concern in my district and others like it: How AI and automation will affect the work force. Automation has already decreased availability of jobs in the labor market, and I worry about the National and economic security consequences that could result if we do not adequately plan for this transition. I look forward to our witnesses' thoughts on this important issue today. The success of our Nation and economic security rests on whether the Federal Government can effectively partner with its allies, State and local partners, and the private sector to develop policies that both incentivize investment in emerging technology, and manage the risk associated with it when it falls into the hands of our adversaries. I look forward to understanding how this committee can assist in the development of safe, secure, and responsible technologies. [The statement of Chairman Richmond follows:] Statement of Chairman Cedric Richmond October 22, 2019 The rapid proliferation of new technology is changing the world. Advancements in artificial intelligence (AI) and quantum computing will equip us with new tools to defend ourselves and break down barriers to new research that could improve the way we live and save lives. Unfortunately, one man's tool is another man's weapon. Sophisticated nation-state actors like Russia, China, Iran, and North Korea have already weaponized new technologies to disrupt our democracy, compromise our National security, and undermine our economy. As technology improves, so will their ability to use it against us. I am particularly concerned about the impact of new technologies on our elections. In the lead-up to the 2016 Presidential election, Russia mounted an unprecedented influence and disinformation campaign that used bots to automatically tweet divisive messages from fake accounts. As we move into the heart of the 2020 election cycle, we must be prepared for our adversaries to use AI-generated ``deepfakes'' to create a false history, sow discord, and inject skepticism into our National elections. To start, on-line platforms must learn to identify ``deepfakes'' and publish policies about how they will handle them. At the same time, we need to educate the public to ensure that they are informed consumers of information. More broadly, ensuring that emerging technologies are developed and deployed responsibly requires U.S. leadership, and I am concerned that we are not demonstrating that now. For years, the Federal Government has cut research and development dollars to meet budget caps, and I am worried that countries like China are outpacing our investment. Our failure to put money into R&D may cost us not only our strategic advantage as the world's leader in technology development, but the global influence that stems from it. What is most alarming, however, is the lack of attention that this administration is giving to this important National security issue. Despite the fact that our intelligence agencies have confirmed that nation-state actors are utilizing the emerging technology for their strategic advantage, the administration annually slashes R&D funding under the false promise that the private sector will make up the difference. Maintaining U.S. leadership in this space will require direction, coordination, and money from the Federal Government. Before I close, I want to address a final issue that is causing concern in my district and others like it: How AI and automation will affect the workforce. Automation has already decreased the availability of jobs in the labor market, and I worry about the National and economic security consequences that could result if we do not adequately plan for this transition. I look forward to our witness' thoughts on this important issue today. The success of our National and economic security rests on whether the Federal Government can effectively partner with its allies, State and local partners, and the private sector to develop policies that both incentivize investment in emerging technology and manage the risks associated with it when it falls into the hands of our adversaries. I look forward to understanding how this committee can assist in the development of safe, secure, and responsible technologies. Mr. Richmond. I will now recognize the Ranking Member of the subcommittee, the gentleman from New York, Mr. Katko, for an opening statement. Mr. Katko. Thank you, Mr. Chairman, and thank you for having me here today, and thank you for the witnesses. I appreciate you coming today. During my time as a Federal prosecutor over 2 decades I saw first-hand how criminals evolved and adapted to changes. As I have learned about the cyber landscape as Ranking Member of this subcommittee, I have been amazed at the number and diversity of the cyber threats we face today. These threats are always evolving and adapting to new obstacles, new protections, new tactics, and new technologies. All levels of government, Federal, State and local, as well as our allies around the globe, the private sector, academia, and nonprofits must work together in order to protect against emerging cyber threats. Today's technologies have a number of vulnerabilities that must be protected from bad actors. In the first 6 months of this year more than 4 million records have been exposed due to data breaches. Ransomware attacks have doubled in 2019 in my district. Syracuse School District, for example, and the Onondaga County Library System both suffered ransomware attacks from unknown threat actors in the last month. More citizens than ever are falling victim to phishing attacks and malware. Cyber crime made up 61 percent of the attacks that cybersecurity firm CrowdStrike saw between January and June of this year. These are just the attacks and statistics that we are aware of. Many experts believe incidents to be vastly under-reported. These threats are persistent, complex, and on the rise. Cybersecurity must constantly evolve in order to provide protection. As evidenced by the number of incidents this year alone, this is a difficult endeavor that cannot be done without help. As I heard from my constituents in my district, companies and local government entities need assistance and guidance to identify, protect against, and recover from certain current cyber threats. These are just the threats we see with our current technology. Our cyber landscape is becoming increasingly sophisticated, and new innovations are being introduced every day. These advances have put cybersecurity out of reach for even more small, medium, and large businesses, as well as State and local governments who simply cannot afford it. It is estimated that 22 million internet of things devices will be on-line by 2025. 5G deployment is just around the corner. Artificial intelligence and machine learning, while making impacts today, are projected to have even more of an enormous effect on our lives in the years ahead. Quantum computing, which is a huge concern, is on the horizon. These emerging technologies will undoubtedly present new and evolving cyber threats. While we are staying vigilant and working to protect against current hazards, we must also be preparing for our future ones. Our first step is to better understand these new threats, and this hearing is a very good start. I am also working to educate my colleagues on the challenges and opportunities of the internet of things. I am the co-chair of the Internet of Things Caucus, and have spent time learning from Syracuse University about the quantum research they are working on in partnership with the Air Force Research Lab. I will do more to seek out opportunities to improve our cybersecurity against current and emerging threats. I want to thank the Chairman for holding this important hearing today, and to our witnesses here to help us understand the emerging threat landscape. In closing, I would like to note that I view the cyber advancements much differently than I view other products in our commodity market. A lot of products, like in the automobile arena, they consider the safety aspects along with emerging technology in the cars. They are--they don't always do that with cyber technology, and we are constantly playing catch up. That is why it is really important that the Chairman and myself and others on this committee work diligently to get the information we need to try and catch up to the advancements in technology, which always seem a couple of steps ahead. [The statement of Ranking Member Katko follows:] Statement of Ranking Member John Katko Oct. 22, 2019 During my time as a Federal prosecutor, I saw first-hand how criminals evolved and adapted to changes. As I have learned about the cyber landscape as Ranking Member of this subcommittee, I have been amazed at the number and diversity of the cyber threats we face. These threats are always evolving and adapting to new obstacles, new protections, new tactics, and new technologies. All levels of Government--Federal, State, and local, as well as, our allies around the globe--the private sector, academia, and non-profits must work together in order to protect against emerging cyber threats. Today's technologies have a number of vulnerabilities that must be protected from bad actors. In the first 6 months of this year, more than 4 million records have been exposed due to data breaches. Ransomware attacks have doubled in 2019--in my district, Syracuse City School District and the Onondaga County Library System both suffered ransomware attacks from unknown threat actors last month. More citizens than ever are falling victim to phishing attacks and malware. Cyber crime made up 61 percent of the attacks that cybersecurity firm, Crowdstrike, saw between January and June of this year. These are just the attacks and statistics that we are aware of; many experts believe incidents to be under-reported. These threats are persistent, complex and on the rise, and cybersecurity must constantly evolve in order to provide protection. As evidenced by the number of incidents in this year alone, this is a difficult endeavor that cannot be done without help. As I heard from constituents in my district, companies and the local government entities need assistance and guidance to identify, protect against, and recover from current cyber threats. And these are just the threats we see with our current technology. Our cyber landscape is becoming increasingly sophisticated and new innovations are being introduced every day. These advances could put cybersecurity out of reach for even more small, medium, and large businesses as well as State and local governments. It is estimated that 22 million internet of things devices will be on-line by 2025. 5G deployment is just around the corner. Artificial intelligence and machine learning, while making impacts today, is projected to have even more of an enormous effect on our lives in the years ahead. Quantum computing is on the horizon. These emerging technologies will undoubtedly present new and evolving cyber threats. While we are staying vigilant and working to protect against current hazards, we must also be preparing for future ones. Our first step is to better understand these new threats and this hearing is a good start. I am also working to educate my colleagues on the challenges and opportunities of the internet of things and the co- chair of the IOT Caucus and have spent time learning from Syracuse University about the quantum research they are working on in partnership with the Air Force Research Lab. And I will do more to seek out opportunities to improve our cybersecurity against current and emerging threats. I thank the Chairman for holding this important hearing today and to our witnesses here to help us understand the emerging threat landscape. I look forward to our discussion and yield back. Mr. Katko. So with that, I yield back, Mr. Chairman. Mr. Richmond. The gentleman yields back. I now recognize the Chairman of the full committee, the gentleman from Mississippi, Mr. Thompson, for an opening statement. Mr. Thompson. Thank you very much. Good afternoon. I would like to thank Chairman Richmond for holding today's hearing on emerging cyber threats. I have served on the Homeland Security Committee since its inception. Over that period of time I have watched the tactics our adversaries use against us evolve, and the threat landscape grow. As new network devices and information technologies enter the marketplace, many become so mesmerized by their potential for good that we fail to appreciate and plan for the security consequences. Although I am encouraged that we are having more conversations about the nexus between technology and security today, there is still much to be done. So I commend Chairman Richmond for holding today's hearing. When this committee was established a decade-and-a-half ago we focused our efforts on defending against physical attacks committed by terrorists who would readily claim responsibility. Now we are faced with cyber threats from state and non-state actors who use cyber tools to carry out attacks in secret, blur attribution, and complicate our ability to impose consequences. As technology continues to evolve, so too will the tools of our adversaries. Last December DHS, DoD, the State Department, and the Office of the Director of National Intelligence identified internet of things devices, artificial intelligence, and quantum technology as emerging dual-use technologies that pose a threat to our National security. A month later, then-director of national intelligence, Dan Coats, warned that our adversaries and strategic competitors will increasingly use cyber capabilities, including cyber espionage, attacks, and influence to seek political, economic, and military advantage over the United States and its allies and partners. Unfortunately, much of what DNI warned us about is, in fact, already happening. We know that Russia has relied on the cyber capabilities to carry out influence campaigns designed to divide Americans and swing elections. Efforts to manipulate Americans on social media platforms are wide-spread, but technologically simple. I worry about influence campaigns of the future, where Russia uses AI to create deepfakes that make it nearly impossible to discern fact from fiction. We know that China has engaged in intelligence gathering and economic espionage, and has successfully breached OPM, Navy contractors, and non- governmental entities, from hotels to research institutions. We also know that China is investing heavily in developing quantum computing capabilities, which could undermine the security value of encryption within the next decade. Over the past year the Department of Justice has indicated--indicted 2 Iranians for their role in the ransomware attack against the city of Atlanta. Microsoft recently revealed that Iran had attempted to breach a Presidential campaign. According to the U.N. Security Council, North Korea has used its cyber capabilities to evade sanctions, stealing $670 million in various foreign and cryptocurrencies between 2015 and 2018. The momentum Russia, China, Iran, and North Korea have demonstrated related to their use of cyber tools shows no sign of slowing. We must prepare ourselves to harness the security, economic, and health care benefits of emerging technologies like AI and quantum computing will yield, while defending ourselves against adversaries who will use technology against us. But the Government cannot do it alone. The private sector is a critical partner in this effort. I am eager to hear from our witnesses how the Federal Government can ensure the responsible deployment of emerging technologies. [The statement of Chairman Thompson follows:] Statement of Chairman Bennie G. Thompson October 22, 2019 I'd like to thank Chairman Richmond for holding today's hearing on emerging cyber threats. I have served on the Homeland Security Committee since its inception. Over that period of time, I have watched the tactics our adversaries use against us evolve and the threat landscape grow. As new networked devices and information technologies entered the market place, many became so mesmerized by their potential for good that we failed to appreciate and plan for the security consequences. Although I am encouraged that we are having more conversations about the nexus between technology and security today, there is still much to be done. So I commend Chairman Richmond for holding today's hearing. When this committee was established a decade- and-a-half ago, we once focused our efforts on defending against physical attacks committed by terrorists who would readily claim responsibility. Now, we are faced with cyber threats from state and non-state actors who use cyber tools to carry out attacks in secret, blur attribution, and complicate our ability to impose consequences. As technology continues to evolve, so too will the tools of our adversaries. Last December, DHS, DoD, the State Department, and the Office of the Director of National Intelligence identified internet of things (IOT) devices, artificial intelligence (AI), and quantum technologies as emerging, dual-use technologies that pose a threat to our National security. A month later, then-director of national intelligence Dan Coats warned that our ``adversaries and strategic competitors will increasingly use cyber capabilities--including cyber espionage, attack, and influence--to seek political, economic, and military advantage over the United States and its allies and partners.'' Unfortunately, much of what DNI's warning about is in fact already happening. We know that Russia has relied on its cyber capabilities to carry out influence campaigns designed to divide Americans and swing elections. Its efforts to manipulate Americans on social media platforms were wide-spread, but technologically simple. I worry about the influence campaign of the future, where Russia uses AI to create ``deepfakes'' that make it nearly impossible to discern fact from fiction. We know that China has engaged in intelligence-gathering and economic espionage, and has successfully breached OPM, navy contractors, and non-government entities from hotels to research institutions. We also know that China is investing heavily in developing quantum computing capabilities, which could undermine the security value of encryption within the next decade. Over the past year, the Department of Justice has indicted 2 Iranians for their role in the ransomware attack against the city of Atlanta, and Microsoft recently revealed that Iran had attempted to breach a Presidential campaign. And according to the U.N. Security Council, North Korea has used its cyber capabilities to evade sanctions, stealing $670 million in various foreign and crypto- currencies between 2015 and 2018. The momentum Russia, China, Iran, and North Korea have demonstrated related to their use of cyber tools show no signs of slowing. We must prepare ourselves to harness the security, economic, and health care benefits of emerging technologies like AI and quantum computing will yield while defending ourselves against adversaries who would use technology against us. But the Government cannot do it alone. The private sector is a critical partner in this effort. I am eager to hear from our witnesses how the Federal Government can ensure the responsible deployment of emerging technologies. Mr. Thompson. With that I thank the witnesses for being here today, and I look forward to the testimony, and yield back the balance of my time. Mr. Richmond. Thank you, Mr. Chairman. I want to welcome our panel of witnesses. First I am pleased to welcome Mr. Ken Durbin, senior strategist for global government affairs at Symantec, where he has provided solutions to the public sector for over 30 years. Next we have Mr. Robert Knake, who is a senior fellow at the Council of Foreign Relations and a senior research scientist at Northwestern University's Global Resilience Institute. Mr. Knake served as director for cybersecurity policy at the National Security Council from 2011 to 2015. Next Ms.--Niloofar, is that right?--Razi--which is the easy part, Howe is a fellow at New America's Cyber Security Initiative. Ms. Howe has been an investor, executive, and entrepreneur in the technology industry for the past 25 years, with a focus on cybersecurity for the past 10. Most recently Ms. Howe served as chief strategy officer and senior vice president of strategy and operations at RSA, a global cybersecurity company. Finally, Dr. Ben Buchanan is a senior faculty fellow at Georgetown's Center for Security and Emerging Technology. He has a--he has written journal articles and peer-reviewed papers on artificial intelligence, attributing cyber attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors. Without objection, the witnesses' full statements will be inserted into the record. I now ask each witness to summarize his or her statement for 5 minutes, beginning with Mr. Durbin. STATEMENT OF KEN DURBIN, CISSP, SENIOR STRATEGIST, SYMANTEC CORPORATION Mr. Durbin. Chairman Richmond, Chairman Thompson, Ranking Member Katko, thank you for the opportunity to testify. Assessing emerging threats is important, but we can't forget about traditional threats that have been re-purposed; I will address both in my testimony. I will start with a couple key findings from our 2019 Internet Security Threat Report. Email has been a traditional threat vector cyber criminals constantly re-purpose. The latest exploit is the use of Microsoft Office attachments to deliver malicious payloads. Forty-eight percent of malicious email attachments were, in fact, Microsoft Office documents. Attacks on endpoints from the web continue to grow. We saw a 56 percent increase in web attacks in 2018. By the end of 2018 Symantec blocked more than 1.3 million unique web attacks on endpoints every day. As this committee well knows, supply chain attacks remain a persistent and serious threat. There was a 78 percent increase in supply chain attacks which exploit third-party services and software to compromise a target. Deepfakes, on the other hand, are an emerging threat. Deepfake are audios or videos created by artificial intelligence systems and used to make the public believe they are authentic. Deepfakes are new, and not typically viewed as a threat to enterprise security. Fake videos, photos, or audio recordings represent a serious risk to the enterprise, since, to create convincing deepfakes, you simply need the internet, a gaming PC, and the right software. A deepfake of a CEO announcing a layoff or used to order an employee to transfer funds or intellectual property could hurt their reputation and their stock price. Until we can identify or block deepfakes, organizations will be best served implementing rapid response plans that can be executed as soon as a deepfake is identified. Twitter bots have emerged as a threat hiding in plain sight. Symantec analyzed content released by Twitter originally posted on their service by the Russian-based Internet Research Agency. The IRA content was used as part of a Twitter bot campaign directed against the 2016 U.S. elections. The operation was carefully planned, with accounts often registered months before they were used. The data set consisted of 3,836 Twitter accounts and nearly 10 million tweets. They attracted almost 6.4 million followers and they, in turn, followed 3.2 million accounts. A core group of 123 main accounts was used to push out new content, while a larger pool of auxiliary accounts amplify messages pushed out by the main accounts. One main account only tweeted 10,794 times, but was retweeted over 6 million times. Targeted ransomware has been re-purposed to focus on the enterprise. During 2018 attacks against organizations rose by 12 percent, but represented 81 percent of all infections that year. State and local governments were hit hard. The city of Atlanta was attacked and chose not to pay the ransom. Clean-up is expected to exceed $10 million. The Colorado Department of Transportation spent $1.5 million to clean up after their attack. Two Florida cities took another direction and paid the ransom, which totaled $1 million between them. Targeted attacks have tools to infect a large number of computers simultaneously, maximizing the number of assets to improve the chances the victim will pay the ransom. Mobile is an example of a kind of self-inflicted threat. Mobile devices are susceptible to unwanted cyber threats and threats we allow via app permissions. We looked at apps on both the Google and Android platforms and found both requested personal information and access to similar device functions. Many of these requests were reasonable, but many were excessive and questionable. We looked at a flashlight app which has over 10 million installs that wanted access to the user's location, contacts, and permission to make calls. It is difficult to imagine why a flashlight app needs your contacts, call your friends, or know your exact location. Users are opening themselves up to potential threats, since they grant permission without understanding what the app developer will do with that data. Finally, stalkerware is a type of malware that is secretly loaded on an unsuspecting victim computing device, giving almost total control of the device to an ex-spouse, ex- boyfriend, or other stalker, who would then know the victim's exact location, be able to read their emails and texts, and even turn on their microphone or camera. So why is stalkerware commercially available? Publishers of stalkerware typically advertise their product as parental monitoring software to keep kids safe. This can certainly be true when it is used appropriately by a responsible parent. However, the features built into some of these apps give more control than parents would need, which make them ripe for abuse. In closing, emerging threats that try to influence beliefs or drive behavior need to be assessed along with the re-purpose traditional threats. The focus of this committee is vital for our Nation to understand these threats and ensure resources are allocated to defend against them. Thank you for the opportunity to testify, and I would be happy to take any questions you may have. [The prepared statement of Mr. Durbin follows:] Prepared Statement of Ken Durbin October 22, 2019 Chairman Richmond, Ranking Member Katko, my name is Ken Durbin, CISSP, and I am a senior strategist for Symantec Global Government Affairs and Cybersecurity. I have been providing solutions to the public sector for over 30 years. My focus on compliance and risk management (CRM) and its application in both the public and private sector has allowed me to gain insights into the challenge of balancing compliance with the implementation of Cybersecurity Solutions. Additionally, I focus on the standards, mandates, and best practices from NIST, OMB, DHS, etc. and their application to CRM. I spend a significant amount of my time on the NIST Cybersecurity Framework (CSF)\1\ and the emerging privacy framework, the DHS Continuous Diagnostics and Mitigation (CDM) Program and the EU Global Data Protection Regulation (GDPR.) --------------------------------------------------------------------------- \1\ NIST Cybersecurity Framework (CSF): Provides guidance to private companies on how best to prevent, detect, and respond to cyber attacks. --------------------------------------------------------------------------- Symantec Corporation is the world's leading cybersecurity company, allowing organizations, governments, and people to secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud, and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to help protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. In my testimony I will discuss the current Threat Landscape, to include:Key findings from the 2019 Symantec Internet Security Threat Report (ISTR); Mobile security privacy; Deepfakes risk to the enterprise; Twitterbots in the 2016 election; Targeted ransomware; and Stalkerware. the threat landscape A review of the current threat landscape shows there are challenging new attacks and threats that need to be addressed. However, it also shows that it would not be wise to ignore the traditional threats we have been dealing with for years. Bad actors are finding new ways to attack using well-established attack vectors. At the same time new technologies and campaigns are emerging to exert influence and drive behavior. I'll address both traditional and emerging threats in the following sections. The Internet Security Threat Report The Internet Security Threat Report (ISTR)\2\ analyzes data from Symantec's Global Intelligence Network, the largest civilian threat intelligence network in the world, which records events from 123 million attack sensors worldwide, blocks 142 million threats daily, and monitors threat activities in more than 157 countries. The analysis provides insight into a wide variety of threats and identifies trends that help inform the public with the goal of helping them avoid risk. Highlights from the ISTR include: --------------------------------------------------------------------------- \2\ https://www.symantec.com/security-center/threat-report. --------------------------------------------------------------------------- One out of 10 URLS are malicious. That is up from one in 16 in 2017. Clicking on a malicious URL continues to be a widely- used attack vector by attackers. There was a 56 percent increase in web attacks over 2017. By the end of 2018, we blocked more than 1.3 million unique web attacks on endpoint machines every day. On average, 4,800 websites are compromised with formjacking software each month. Formjacking is the use of malicious JavaScript code to steal payment card details and other information from payment forms on the checkout web pages of eCommerce sites. We blocked 3.7 million formjacking attempts on endpoint devices in 2018. Supply chain attacks increased 78 percent. Supply chain attacks, which exploit third-party services and software to compromise a final target, take many forms, including hijacking software updates and injecting malicious code into legitimate software. Forty-eight percent of malicious email attachments were MS Office documents, up from just 5 percent in 2017. Cyber crime groups continued to use macros in Office files as their preferred method to propagate malicious payloads in 2018, but also experimented with malicious XML files and Office files with Dynamic Data Exchange (DDE) payloads. The number of attack groups using destructive malware rose 25 percent. Destructive malware is designed to inflict physical damage to an organizations network or facility. While still a niche area, the use of destructive malware continued to grow. Eight percent of groups were known to use destructive tools, up from 6 percent at the end of 2017. Mobile Security The average smartphone user these days has between 60 and 90 apps on their device, and most of them request some sort of information about the user and the device. They may want to know your name, your email address, or your real-world address. But because smartphones are so powerful, they can also get quite a bit more than that, such as your exact location. Some apps will even request access to the device's camera or microphone despite having no legitimate need to use them. In order to find out what kind of data your apps may be looking for, we analyzed the top 100 free apps as listed on the Google Play Store and Apple App Store on May 3, 2018.\3\ For each we looked at 2 main things: How much personal information was the user sharing with the app and which smartphone permissions the app accessed. --------------------------------------------------------------------------- \3\ https://www.symantec.com/blogs/threat-intelligence/mobile- privacy-apps. --------------------------------------------------------------------------- Email addresses are the most common piece of personally identifiable information (PII) apps were accessing, as 48 percent of the iOS and 44 percent of the Android apps did so. Username was next, which was accessed by 33 percent of iOS and 30 percent of Android apps, followed by phone numbers, which were accessed by 12 percent of iOS and 9 percent of Android apps. Finally, 4 percent of iOS and 5 percent of Android apps accessed the user's physical address. It is often reasonable and necessary to grant apps permission to access various features on a smartphone. For example, if you want to take a picture using an app, the app will need permission to use your device's camera. However, not all permissions are the same. We took a closer look at permissions that could provide access to data or resources that involve the user's private information or could potentially affect the user's stored data or the operation of other apps. Camera access was the most requested permission, with 46 percent of Android and 25 percent of iOS apps seeking it. That was followed by location tracking, which was sought by 45 percent of Android and 25 percent of iOS apps. Twenty-five percent of Android apps requested permission to record audio, while 9 percent of iOS apps did so. Last, 15 percent of Android apps sought permission to read SMS messages and 10 percent sought access to phone call logs. Neither of these permissions are available in iOS. Apps have permissions because the user granted them by hitting an ``I Agree'' button--usually without considering if certain permissions make sense, and often without pausing to consider the request at all. For example: The Android flashlight app ``Brightest Flashlight LED-- Super Bright Torch'', which has 10 million installs, asks for permissions including precise user location, access to user's contacts, and permission to directly call phone numbers. It is hard to imagine why a flashlight app has a legitimate need to copy all of your contacts, call all of your friends, or know exactly where you are located. Consumers should pause before the agree to permissions--and app developers should be very clear about what permissions their app needs and why it needs them. Deepfakes ``Deepfakes'' are audio or video tracks created or altered by artificial intelligence (AI) systems and used to make the public believe they are authentic. Most of the popular examples of deepfakes show politicians or actors saying or doing things designed to embarrass or harm reputations. As a result, deepfakes are not typically viewed as a threat to Enterprise security. This is short-sighted. Enterprises do need to pay attention to deepfakes; fake content like videos, photos, audio recordings or emails represent a serious risk to individuals as well as the organization. The technology behind deepfakes has advanced to the point decisions might be made based on a deepfake, or decisions not made because an authentic video is thought to be a deepfake. Deepfakes are particularly dangerous because there is such a low barrier of entry and because they are difficult to detect. Until recently, altering videos was expensive and required significant resources, specialized equipment, and money. Today, if someone has access to the internet, a gaming PC and the right software they can produce convincing deepfakes. Specialized applications have reduced creating deepfakes to a point-and-click exercise, reducing the need for advanced skills. Deepfakes are created using a process based on Generative Adversarial Networks (GAN). Essentially, a GAN consists of 2 machine- learning networks that work in an on-going feedback loop where 1 network creates the deepfake and the second one tests the output. The networks pass the deepfake back and forth making alterations to make it as realistic as possible. Since the GAN is ``learning'' throughout the process, the deepfake becomes harder to spot with the naked eye. Given the low barrier of entry and that they are difficult to detect, Enterprises need to understand the risks deepfakes pose to their organization. For example: A deepfake of a CEO announcing a massive layoff could cause their stock price to sink. A deepfake could be used to order an employee to wire funds, or transfer intellectual property out of the company. Until a proven method to identify or block deepfakes is developed organizations will be best served educating employees about the danger of deepfakes and implementing rapid response plans that can be executed as soon as a deepfake is identified. Twitterbots In October 2018, Twitter released a massive dataset of content posted on its service by the Internet Research Agency (IRA) beginning in May 2014. The IRA is the Russian company behind the social media propaganda campaign directed against the 2016 U.S. elections. Symantec conducted an in-depth analysis of the dataset to learn more about how the campaign operated. The dataset consisted of 3,836 Twitter accounts and nearly 10 million tweets. These accounts amassed almost 6.4 million followers and followed 3.2 million accounts. The sheer volume of data was enormous, more than 275 GB. Our research \4\ led to a number of interesting findings: --------------------------------------------------------------------------- \4\ https://www.symantec.com/blogs/threat-intelligence/twitterbots- propaganda-disinformation. --------------------------------------------------------------------------- 1. The operation was carefully planned, with accounts often registered months before they were used. The average time between account creation and first tweet was 177 days. The average length of time an account remained active was 429 days. 2. A core group of main accounts was used to push out new content. These were often ``fake news'' outlets masquerading as regional news outlets or pretending to be political organizations. 3. A much larger pool of auxiliary accounts was used to amplify messages pushed out by the main accounts. These accounts usually pretended to be individuals. 4. Some operatives may have been making money on the side by using monetized URL shorteners to create links. If they did monetize the URLs one account in particular could have generated almost $1 million. We divided the accounts into two main categories; main accounts and auxiliary accounts. Each category had different characteristics and played a different role. We identified 123 main accounts, each having at least 10,000 followers. Main accounts tended to not be followers of other accounts. They were primarily used to publish new tweets. We identified 3,713 auxiliary accounts, each having less than 10,000 followers. Auxiliary accounts tended to be followers of thousands of other accounts. Their main purpose was to retweet messages from other accounts. Since auxiliary accounts were used to amplify targeted messages it makes sense they were the larger category. A particularly effective account in the dataset was called TEN-- GOP. Created in November 2015, the account masqueraded as a group of Republicans in Tennessee. It appears to have been manually operated. In less than 2 years TEN--GOP managed to rack up nearly 150,000 followers. Despite only tweeting 10,794 times, the account garnered over 6 million retweets. Only a small fraction (1,850) of those retweets came from other accounts within the dataset. In other words, almost all of its retweets came from accounts outside the dataset, meaning many could have been real Twitter users. The Twitterbot campaign is often referred to as the work of trolls, but the release of the dataset makes it obvious that it was far more than that--it was highly professional. It was planned months in advance and the operators had the resources to create and manage a vast disinformation network. And aside from the sheer volume of tweets generated over a period of years, its orchestrators developed a streamlined operation that automated the publication of new content and leveraged a network of auxiliary accounts to amplify its impact. Targeted Ransomware Ransomware continues to be one of the most dangerous cyber threats facing any organization. The threat has changed significantly over the past 2 years, as criminals are increasingly targeting enterprises. During 2018, while the overall number of ransomware infections was down 20 percent, attacks against organizations (as opposed to against individuals) rose by 12 percent. Alarmingly, Enterprises accounted for 81 percent of all ransomware infections in 2018. Targeted attacks have been particularly hard on State and local government organizations. In March 2018 the city of Atlanta was attacked and ransomware encrypted servers that made over a third of the 424 city-wide services inaccessible. The clean-up costs for the attack are expected to run to over $10 million. The Colorado Department of Transportation spent $1.5 million to clean up after they were attacked. Two Florida cities that were attacked took another route--they paid the ransom, which totaled $1 million between them. The number of targeted ransomware attacks has multiplied as new groups move into this sector. Although targeted ransomware attacks account for a small percentage of overall ransomware attacks, they present a far greater risk as a successful targeted ransomware attack can cripple an ill-prepared organization. These attacks also typically involve much higher ransom demands, ranging from $50,000 to over $1 million. Targeted attacks can result in hundreds of computers encrypted, backups destroyed, and business-critical data removed from the organization. Targeted attacks can shut down an organization, leading to loss of business, reputational damage, and multimillion-dollar clean-up bills. The number of organizations affected by targeted ransomware attacks has grown sharply over the past 2\1/2\ years. As recently as January 2017, Symantec observed just 2 organizations a month being attacked. However, recent months have seen that figure grow to above 50 organizations a month. The SamSam ransomware group was the original targeted ransomware threat, but was joined in 2018 by another highly-active targeted actor called Ryuk. In 2019 several additional groups were linked to a series of highly disruptive attacks in the United States and Europe. Current trends indicate that targeted ransomware is attracting a high degree of interest among cyber criminals, with new groups appearing at an accelerating pace, motivated no doubt by the success of some recent attacks. RobbinHood is another new family, first appearing in May 2019. It was reportedly used in the attack against the U.S. city of Baltimore that shut down several services, including municipal employees' emails, phone lines, and on-line bill payments. A group known as GoGalocker has used a new breed of targeted ransomware that appeared in early 2019. Traditional ransomware attackers cast a wide net using spam campaigns to improve their chances of finding a victim. GoGalocker selects targets and digs in deep. The attackers behind GoGalocker appear to be highly skilled, capable of breaking into the victim's network and deploying a wide array of tools in order to map the network, harvest credentials, elevate privileges, and turn off security software before deploying the ransomware. This process permits the attackers to identify and access a large number of computers in order to later simultaneously infect them with the ransomware. By maximizing the number of assets, the attacker compromises the better the chances are the victim will pay the ransom. Stalkerware Stalkerware is a type of malware that is secretly loaded on an unsuspecting victim computing device giving almost total control of the device to a bad actor. The bad actor--who can be an ex-spouse, ex- boyfriend, or other stalker--would then know the victims exact location, be able to read their emails and texts, and even turn on their microphone or camera. Due to the control Stalkerware gives a bad actor, it is classified as a type of malware--malicious software designed to gain access to or damage your computer, often without your knowledge. Stalkerware can affect PCs, Macs, and iOS or Android devices. Although Windows operating systems may be more susceptible to attacks, attackers are becoming better at infiltrating Apple's operating systems as well. Stalkerware typically infects a device when the victim accepts a prompt or pop-up without reading it first, downloads software from an unreliable source, opens email attachments from unknown senders, or pirate media such as movies, music, or games So why is Stalkerware available in app stores? Publishers of Stalkerware typically advertise their product as parental monitoring software to keep kids safe, and this can certainly be true when it is used appropriately by a responsible parent. However, any software surreptitiously loaded onto a device, no matter how well-meaning is malicious. Additionally, the features built into some of these apps give more total control of a device than parents would need and make it ripe for abuse. conclusion New threats are emerging every year--but that does not mean existing threats have gone away. We need to be vigilant in our defense against the traditional threats we have battled for years, while understanding emerging threats and planning defenses accordingly. Emails have been a persistent attack vector, yet attackers are finding new ways use the service against us. Ransomware is not new but the attacks are becoming more targeted and disruptive. Mobile security is a threat we allow by granting excessive permissions. Finally, deepfakes and twitterbots teach us that cyber can be utilized to influence and force actions from a distance. The focus of the Cybersecurity, Infrastructure Protection, and Innovation Committee is vital for our Nation to understand the current threat landscape and ensure resources are allocated to determine how to defend against them. Thank you for the opportunity to testify before this committee, and I would be happy to take any questions you may have. Mr. Richmond. Thank you, Mr. Durbin. Thank you for your testimony. I now recognize Mr. Knake to summarize his statement for 5 minutes. STATEMENT OF ROBERT K. KNAKE, SENIOR RESEARCH SCIENTIST, GLOBAL RESILIENCE INSTITUTE, NORTHEASTERN UNIVERSITY, SENIOR FELLOW, THE COUNCIL ON FOREIGN RELATIONS Mr. Knake. Thank you, Mr. Chairman. I want to break down my remarks into 3 categories. OK, thank you, Mr. Chairman. I want to break down my comments into 3 categories, what I will call the good, the bad, and the ugly. The good is that I think we are actually making progress in cybersecurity. Ten years ago, when I wrote my first book on cyber warfare, it was a dire prognosis for the patient. We concluded in that that the attacker had an overwhelming advantage, and that private companies could not possibly protect themselves from Russian, Chinese, or other state-based adversaries. I think the last 10 years have showed us that, in fact, some companies are able to manage the risk from even the most sophisticated adversaries, and they are able to do it day in and day out. In the last decade we have seen the development, not just of new technology, but new doctrine and new strategies and new tactics for defense. Most notably, I will call out the kill chain. Right? This is the basic concept that an adversary doesn't simply need to compromise a single host, they need to go through a series-- anywhere from 7 to 22 steps, depending on how you count--to achieve their objective. So, from that perspective, a defender only needs to detect them at one, and block them at one of those stages. This kind of thinking has allowed us to reverse the notion that the offense has an overwhelming advantage in this space. We now have tooling around that. Technology like endpoint detection and response, end-point protection program that can automatically identify malware. These technologies have really helped us turn a corner for the most sophisticated of cyber defense programs. That is the good news. What we need to do now, of course, is create the incentives and the structures and the Government enablement to drive these innovations down into the wider markets so that school districts and local governments and mom-and-pop businesses are able to achieve this level of cybersecurity. The bad news is, of course, the technology landscape, as you all know, is rapidly changing. This may mean that, by the time we get in place these secure systems, these secure concepts that will help protect the state of play today, the technical terrain is going to have changed. We have talked about IOT, we have talked about AI, and we have talked about quantum. Those, I think, are the 3 big changes out there. I would add, with IOT, 5G. Ubiquitous high- speed connectivity is going to enable so many millions of devices to be connected. What we have seen so far is that, for IOT, it is not really so much a new technology as a trend toward cheaper computers and ubiquitous connectivity that is enabling us to put computers everywhere. What we are not doing is learning the lessons from the past 20 years of enterprise security and applying those lessons into the IOT space. For artificial intelligence and quantum, the only thing I can say is we have got to make sure that this is a race between the United States of America and the Chinese, not a race between Silicon Valley and the Chinese. The capability that Silicon Valley is bring to this fight is immensely important, but they are acting in their commercial interests, as they should as private businesses. We need to ensure that we have the funding there. So finally, I would say the ugly of it is Government intervention in this space. We have got to make sure that Government is helping to align market interests in favor of security. That is going to require doing things that we haven't wanted to do in this space, like regulate, in part because we believe that the technology is moving too fast for Government regulation to keep up. I think, though, that there is an answer here, and I think it is fairly simple. Instead of Government setting requirements that we know adversaries will target to get around, our goal needs to be to require outcomes. We can do this through insurance. We can do this through other financial incentives. But we have models for this in other spaces that we can apply, so that the goal should not be to meet a list of Government requirements for what security looks like, but to achieve an objective that we know current technology can meet, and that the market can reinforce companies meeting that objective. Thank you very much. [The prepared statement of Mr. Knake follows:] Prepared Statement of Robert K. Knake Tuesday, October 22, 2019 introduction Thank you Chairman Richmond, Ranking Member Katko, and Members of the committee for the opportunity to testify on this important matter. While other witnesses will focus on how the capabilities of specific threat actors may change and evolve, I would like to focus my remarks on how the technology landscape may change in the next 5 years and what that may mean for emerging cyber threats. Before I begin, let me be clear that the views I represent here are my own and do not represent my employers or any supporters of my work. Looking back over the past decade, there are reasons to be hopeful for a secure cyber future. When my co-author Richard Clarke and I wrote Cyber War: The Next Threat to National Security and What to Do About It a decade ago, we predicted a dire future in cyber space. Early trends then indicated to us that our adversaries would develop sophisticated cyber offensive capabilities and would use these capabilities to undermine our dominance of conventional military domains. We predicted correctly that North Korea would emerge, somewhat surprisingly, as a capable adversary in the cyber domain and highlighted China's on-going campaign of economic espionage on behalf of its National champion companies. We of course failed to predict many of the key events that are top of mind today like Russia's use of the internet to interfere in elections and sow dissent; however, in my view, our greatest error was our failure to see the technology trends that have allowed the defensive community to be able to manage the threat posed by even the most determined nation-state adversaries. In Cyber War, we concluded that private companies could not defend themselves against determined adversaries because cyber space as a domain favors the attacker. Conventional wisdom at the time was that an attacker had all the advantages. An attacker only needed to find one vulnerable system to succeed whereas the Chief Information Security Officer (CISO) at a large enterprise had to defend thousands or hundreds of thousands of systems. This asymmetry was often captured as the idea that ``the attacker only needs to compromise one vulnerable system; the defender needs to be perfect.'' The good news is that technology trends and new doctrine for cybersecurity have dramatically changed the terrain of cyber space. Companies at the leading edge of cybersecurity have been able to manage the threat from even the most sophisticated actors. If these trends continue and if policy is put into place to correctly align incentives, it is possible that in 5 years we may view cybersecurity broadly as a manageable problem. The bad news is that emerging technologies may once again favor the attacker, erasing the defensive gains of the past decade. In my remarks below, I will review the ``good news'' of the last decade and how these trends can be accelerated and adoption of better cybersecurity practices encouraged by Congress. I then will discuss the ``bad news'' of how emerging technology trends like artificial intelligence, the internet of things and 5G, and quantum computing could favor the offense. I then provide some thoughts for how Congress can promote wider adoption of cybersecurity practices that are on the cutting edge today and shape the future of technology so that defenders are not left at a disadvantage tomorrow. Finally, I conclude with a brief review of the projects I am working on today that may help us build a more resilient cyber future. the good news: cybersecurity is possible There is an old joke in cybersecurity, attributed to Dmitri Alperovitch, now the Chief Technology Officer (CTO) of the cybersecurity firm Crowdstrike. The joke, retold in many formulations, is always along the lines of ``there are two types of companies: Those that have been hacked and know it and those that have been hacked and don't know it.'' That may have been true a decade ago, but today there are three types of companies: Those that have been hacked and know it, those that have been hacked and don't know it, and those that are actively and successfully managing the risk. In The Fifth Domain, Clarke and I conclude that the greatest advance in cybersecurity over the last decade was not a technology but a white paper. In ``Intelligence-Driven Security'' a group of researchers and practitioners at Lockheed Martin presented the processes they had developed for detecting and disrupting adversary activity along the ``Cyber Kill Chain''. Published in 2011, the paper showed how defenders could take the advantage away from adversaries by breaking down the process by which an adversary attempted to achieve an objective on a network and building a security program around each of those steps. Unlike in conventional thinking on cybersecurity where a network compromise is considered a failure, the Kill Chain methodology sees that as only one step in the chain. Before an adversary can exploit an initial host on a network, they must engage in reconnaissance of the target, weaponize what they have learned into a package capable of compromising the target and deliver it. After they have achieved the initial exploitation, they then need to gain administrative rights, move laterally across the network to find their target, and then carry out out their intended action. That action might be to exfiltrate data off the network or to destroy operational systems. Whatever their goal, it is not simply to compromise a single system. The concept of the kill chain has evolved and expanded since first published. MITRE Corporation has developed the ATT&CK Matrix to further breakdown the steps that happen after initial compromise into 22 discrete steps. However you break down the attackers progression, the key takeaway should be that detecting and stopping them is possible. Whether the adversary needs to go through 7 steps or 22, they have to successfully avoid detection at each stage; defenders only need to detect them at any one stage. Once the adversary is on the defender's system, the defender should have the advantage. Gaining that advantage requires knowing the topology of your system better than the adversary and being able to detect anomalous behavior within it. This ability to detect and respond rapidly is what Crowdstrike and other companies have specialized in. Endpoint Detection and Response (EDR) has been the technical capability that has enabled ``threat hunting'' along the kill chain to occur at scale within enterprises. Managed Detection and Response companies are rapidly bringing these capabilities to the middle market. Beyond detection and response, newer technologies have the potential to remove large swaths of risk. When properly deployed and managed with security in mind, cloud computing, containerization, and software defined networking, to name just three emerging technologies, can provide real advantages to defenders. Virtualization can allow new computing environments to be spun up and down for a specific purpose so rapidly that gaining a foothold in one of these new environments does an adversary no good because the environment itself does not persist. These technologies can also allow for deception campaigns on a massive scale to create new opportunities for detection and to increase the work factor of adversaries. All this adds up to the potential to make our country, our companies, and ourselves resilient to cyber attacks. Through the adoption of secure-by-default technologies we should be able to make it so that almost all attacks ``bounce off'' and that we can ``bounce back'' when attacks do succeed. From a policy perspective, what is needed now are the incentives and requirements to promote the adoption of these techniques and the technologies beyond the small handful of companies that are deploying them in a holistic way today. And of course, this transition needs to occur at a faster rate than adversaries can adopt new technologies that defeat them. the bad news: technology changes could erase these gains Just as we may be turning a corner on security, the technology landscape may change in ways that are not evolutionary but revolutionary. By that I mean that the technology coming on-line is not about the continuation of current trends or even the acceleration of trends but whole new classes of technology. Artificial intelligence, quantum computing, and 5G and the internet of things may not intrinsically favor attackers over defenders but the offense is likely to adopt technologies that can give them an advantage faster than defenders and their targets are likely to adopt new technologies in ways that open up new swaths of vulnerabilities. I would like to now discuss three such technologies: (1) Artificial intelligence; (2) 5G and the internet of things; and (3) quantum computing. Artificial Intelligence Arguably, artificial intelligence up until now has been a technology that has favored the defense. Many of the gains discussed above in the last decade are due to artificial intelligence applications within cybersecurity. For instance, the ability of advanced endpoint protection programs to identify never before seen malware using machine learning has made the work of adversaries much more difficult. The bad news is that as the state-of-the-art in artificial intelligence advances, attackers are likely to use it in ways that will upend the basis of today's security architectures. Deepfakes have made headlines recently in the political world. For public figures who have thousands of hours of voice and video recordings available on-line, artificial intelligence can now be used to piece together snippets of them talking to literally put words in their mouths. Deepfakes are likely to come into play heavily in the 2020 election and defenses against them are lagging. Use of AI for deepfake detection made news over the summer but in this arms race, adversaries look to have an advantage, tweaking their tools and testing against deepfake detection technology until they can defeat it. Initially, deepfakes required large libraries of voice and video but as the technology improves, the amount of source data required is rapidly coming down. That will mean that many of the fundamental controls we have in place today to combat cyber crime may no longer be trusted. The cybersecurity community has worked hard to educate companies about the dangers of wire transfer fraud--to train finance departments to be suspicious of emails from the CEO ordering them to wire funds on an emergency basis, for instance. But what if, instead of compromising the email system, adversaries compromise voice and video systems, and your boss in her natural speaking voice that you hear everyday, calls you to confirm that she does in fact need you to wire those funds right now? The ability to create deepfakes from smaller and smaller sets of source material will make that scenario possible for many companies in a short period of time. That will mean that the ultimate root of trust--believing what we see and hear--can no longer be trusted. 5G and the Internet of Things Internet of things (IOT) technology is rapidly being distributed within critical infrastructure and in homes and businesses in ways that appear to ignore the security lessons we learned over the last 20 years within enterprise systems. Coding practices are poor in the space, firmware is difficult to update, and systems are widely exposed to the public internet. What's more, with the advent of 5G, massive, ubiquitous wireless connectivity will mean that many of these devices will be directly connected to the public internet with no defense-in- depth built around them. Within the consumer market, we have seen a troubling trend of ``set and forget'' connected devices that, after being setup, are not monitored for security and do not receive updates to their software after problems are discovered. Unfortunately, this trend does not appear to be confined to the home IOT market. The same problem is occurring even within industrial control systems. Quantum Computing Far more than these other two technological shifts, quantum computing is likely to up-end computer security because it will up-end computing. A calculation that might take a classical computer several centuries to complete could be done by a quantum computer in the blink of an eye. Experimental systems today are showing a lot of promised toward achieving this kind of capability. Google may already have achieved what is known as ``Quantum Supremacy'', using a quantum computer to complete a mathematical equation faster than a conventional system could. Quantum computing has the potential to be extremely disruptive to security, allowing encryption protocols to be defeated; whether quantum resistant encryption will be deployed ubiquitously and will prove to defeat quantum computing is an open question. The combination of artificial intelligence technology with quantum computing open some scary possibilities. More than anything else, Government needs to ensure that the United States is a leader, not a follower, in the development of quantum computing. the ugly: government intervention in necessary For most of the last 20 years, U.S. Government policy across administrations has largely been about getting out of the way and hoping that markets would solve cybersecurity problems on their own. Where Government has intervened, intervention has been uneven and light touch. Today, I believe we are starting to recognize that markets alone will not solve our cybersecurity dilemma. I think it is fair to conclude that the industries that are doing the best at actively managing risk in cyber space are also actively regulated: Financial services and the defense industrial base. Many of the approaches to security that are working today were pioneered in these sectors. Driving these innovations to other markets will require creating the right set of incentives and requirements. I have been pleased to see that more so than in any previous administration, the current leadership of the Department of Homeland Security has recognized that regulation, smartly and carefully implemented, is necessary to drive the level of security required for our Nation. The Department's cybersecurity strategy is explicit on this point. In the IOT space, DHS should lead efforts to regulate the security of IOT devices in the sectors that it regulates including chemicals, pipelines, and the maritime industry. I believe that the Internet of Things Cybersecurity Improvement Act would be a good first step toward improving IOT security. The act would set standards that sellers of IOT technology to the Federal Government would need to meet as well as establish disclosure requirements when manufacturers discover vulnerabilities. The approach uses Government's massive purchasing power to improve security more broadly. Companies that develop technologies on a ``build once, sell everywhere'' model will likely meet the Government's requirement for all their commercial offerings rather than just for those sold to Government. These requirements, once set, could then be adopted to regulate the use of IOT in critical infrastructure sectors. Fundamentally, however, I believe that setting requirements is insufficient. We need to make device makers responsible for the full life cycle of security by making them liable for harm caused by their devices. I recognize that this notion is a radical departure from how we have approached liability within the information technology realm thus far but now that these devices are making their way into National security systems and life safety systems, I think it is critical that we create incentive structures that truly value security. In the next section, I discuss one effort we have undertaken at the Global Resilience Institute to create a model for liability for cybersecurity. Beyond IOT, the leadership of the Cybersecurity and Infrastructure Security Agency (CISA) has made election security the agencies No. 1 priority. CISA will need to build on its current efforts to counter- election interference to play a role in combating the proliferation of deepfakes in the political realm and for enterprise security. Crucial to this effort will be building strong, operational partnerships with social media companies that go well beyond today's arm length interactions. Steps must be taken to breakdown the reluctance by Facebook, Google, Twitter, and other social media companies to truly partner with Government on this problem. For quantum computing and artificial intelligence, Government's role should be less about managing the cybersecurity implications and more focused on ensuring that the United States competes and wins in these technologies. I tend to be skeptical of analogies to arms races or calls for Apollo Programs or Manhattan projects, but on the basic science in these fields, those kinds of approaches are warranted. Both China and Russia have made gaining an advantage in AI a National priority. China has also done that on quantum. I believe our market- based approach to technology development comes with real advantages but in the development of these core capabilities, I worry that a race that is the Chinese State vs. Silicon Valley is one that Silicon Valley will lose. We need a National effort to ensure that U.S. technology leadership continues into the next decade. Each of these lines of effort will take at least half a decade to produce meaningful results--thus it is crucial that the efforts begin now. what we are doing at gri The challenges we face are large, but they are not insurmountable. While much work remains to be done, let me take this opportunity to highlight four efforts under way at the Global Resilience Institute that may contribute to improving our National cyber resilience over the next 5 years. Creating a National Transportation Safety Board for Cyber Incidents Resilience is a concept that we have talked a lot about in the field of cybersecurity but it's a far better-developed idea in other fields like emergency management and psychology. One of the key components of resilience I have taken away from studying the concept in these other fields is the importance of adapting following a bad outcome. Learning from disasters or even from so-called ``near misses'' is critical to the development of resilience. To this end, as far back as 1991 practitioners in the field have suggested that Government should develop the equivalent of a National Transportation Safety Board (NTSB) for cybersecurity incidents, a ``Cyber NTSB''. Given that this idea was first suggested 3 decades ago but has yet to reach fruition, we are planning a workshop, sponsored by the National Science Foundation, to develop a prototype process for how such an organization would operate. We plan to hold the workshop in the spring of 2020. Building a High Assurance Network for Collaborative Defense Critical to building resilience is creating a model for Collaborative Defense. The ``partnership'' that has been the central tenet of our National cybersecurity policy for 2 decades needs to evolve to real-time, operational collaboration. In order for that to happen, we need collaboration platforms where the members of this partnership can trust each other. Government needs to be able to trust that the intelligence it shares will be protected and only shared appropriately and securely. But private companies need the same degree of assurance when they share with Government and with each other. Today, the platforms on which we collaborate, internet-connected, general purpose computers, are not trustworthy. Moreover, we often do not know whether we can trust our partners that are using those computers. When I testified before this committee 2 years ago, I discussed early thinking about how to develop such a network. Today I am pleased to say that, working with our partners at the Advanced Cybersecurity Center and with a generous grant from a private foundation, we have developed a prototype network. This network takes advantage of the trends in computing that have dramatically lowered cost: Inexpensive computing at endpoints and cloud computing to provide immense computing power for analytics and other services. For about $300 a year, we can provide a high assurance endpoint that can only be accessed by specified users to connect to a secured, private network for threat collaboration. This model provides the basis for addressing the issue of trust in the users and trust in the systems by replicating at far lower costs many of the design criteria of the Classified networks used by Government today. In my view, the model we have developed should be adopted by the Department of Homeland Security to create what we have dubbed CInet for Critical Infrastructure Network. Using existing authorities, the Secretary of Homeland Security should establish a new safeguarding standard for Confidential information, the existing level below Secret in the classification schema. The standard should be built around the prototype we have developed which eliminates the most common paths to compromise (spear-phishing, credential compromise, and watering hole attacks) and prevents end-users from unintentionally releasing information through a series of technical controls. Having vetted the concept with a handful of critical infrastructure companies, we believe that this model could fit into the current operating models within critical infrastructure security operating sectors. We also believe that by harnessing current best practices in the private sector for continuous monitoring of insider threats, the Secretary could also promulgate a different standard for granting of clearances at the Confidential level that would be better, faster, and cheaper. Then would come the hard part of convincing the intelligence community to target collection to provide relevant threat intelligence to participating companies and to downgrade it to the Confidential level. Designing a Darknet for the Electric Grid Many of the same technology trends that could provide attackers an advantage over the next 5 years can also be harnessed to increase security for critical infrastructure. Advances like software defined network (SDN), increased mobile bandwidth with 5G, and artificial intelligence can enable far higher degrees of assurance for critical infrastructure than can be attained today. This is the idea behind our Darknet project to create a separate network for the electric grid using ``dark'' or unlit fiber optic cables. GRI initially began work on this concept with a grant from a private foundation and is now partnering on it with Oak Ridge National Laboratory. Developing an Insurance Regime that Promotes Better Security Cyber insurance was supposed to help drive down risk. In theory, the insurance sector, in exchange for providing insurance coverage, would require companies to prove that the risk they underwrote was being managed. In practice, as the recent spate of ransomware attacks on city governments has demonstrated, cyber insurance is simply transferring the risk and enriching the criminal groups behind the attacks. Yet, in other sectors, insurance markets have proved remarkable mechanisms for encouraging risk reduction. Dr. Stephen E. Flynn, the director of Northeastern's Global Resilience Institute, and I have been developing a model for insurance that would promote risk reduction rather than just risk transference. Dr. Flynn, a retired Coast Guard officer, has posited that the regime put in place under the Oil Pollution Act of 1990 after the Exxon. Valdez oil spill could be ported over for data security. In other words, we should treat data spills like oil spills. Under that regime, ships entering U.S. waters must provide proof in the form of a Certificate of Financial Responsibility that their owners or their guarantors in the insurance industry have the financial resources to cover the cost of cleaning up an oil spill should containment on their vessel fail. Notionally, owners of data could be required to take out insurance policies to cover the full societal cost should they fail to protect the data that they hold. In this thinking, Congress could establish a dollar figure per record and then require holders of personal data to obtain insurance to cover those loses. From there, market mechanisms would take over to determine how to price risk. This model could also be adapted for critical infrastructure. For instance, if natural gas pipeline owners had to obtain private insurance to cover the costs of a disruption to service caused by malicious cyber activity, markets would likely require a far higher degree of assurance than would be required through a standard regulatory model. In the coming months, we will engage the insurance industry on further developing this concept. Mr. Richmond. Thank you, Mr. Knake. We will now recognize Ms. Howe to--five minutes to summarize your statement. STATEMENT OF NILOOFAR RAZI HOWE, SENIOR FELLOW, CYBERSECURITY INITIATIVE, NEW AMERICA Ms. Howe. Chairman Richmond, Chairman Thompson, Ranking Member Katko, distinguished committee Members, thank you so much for inviting me to speak today about emerging cyber threats. My name is Niloofar Razi Howe, and for over 2 decades I have worked in the technology sector, including cybersecurity, as an investor, as an entrepreneur, and as an executive. When I first started working in technology we had a Utopian vision for the internet, and cybersecurity was a dark art that lived in its own silo. But as the internet has matured, and every aspect of our lives has become operationalized in this domain, the threat it represents has grown in kind and in effect. From IP theft, to cyber crime, to espionage, hostile social manipulations, radicalization, and cyber war, the activity and malfeasance that takes place affects all of society. It affects all of our businesses, not just critical infrastructure. It affects our Government's ability to provide services. Most importantly, it affects all of us, the people. This same adversary that is infiltrating our defense industrial base is stealing intellectual property from our companies, probing our infrastructure, and manipulating individuals. As Dan Geer famously said, ``Every sociopath is now your next door neighbor.'' There are no more silos. The problem is only getting bigger as we embrace new waves of technology, innovations such as cloud computing, autonomous vehicle, small low-orbit satellites with advanced sensor platforms, the internet of things, drones, distributed ledger technology, augmented and virtual reality. On the horizon we see the emergence of 5G and microsensor proliferation, autonomous weapons for private and military use, quantum computing, AI, and synthetic biology, to just name a few. People and businesses will not wait for security laws and regulation to catch up before they embrace these technologies. They don't have a choice. The internet of things, which has the potential to change industries at their core and create over $11 trillion of economic gain, has security issues that are well understood. But these issues will not slow adoption down. Oddly, there is too much at stake to wait for security. For the first time in human history, the accelerating pace of technology innovation is outstripping our ability as human beings to adapt and adjust our policies in a time line that is relevant. Our adversaries have repeatedly shown that they can move faster than we do. They adapt and exploit technology while we grapple with its implications, emerging social norms, the uneven distribution of authorities and capabilities, and a political process that does not function at the speed of innovation. While we study the problem, our adversaries have infiltrated our systems, exploited an already polarized society, and undermined the very foundation of our democracy, the belief that there is such a thing as objective truth-- because where there is no objective truth, the biggest liar wins. We need a coordinated and collaborative whole-of-society approach to rise to the challenge of these emboldened adversaries that we are out of position to deal with. It is time for the United States to set a bold cyber agenda capable of restoring trust globally, trust in our technology, trust in our systems, trust in our infrastructure, and, through that, trust in our political system, our political process, and our leaders. To be effective our Government will have to do this in partnership across the Government and with private sector, and remove any barriers that prevent Government agencies that have relevant information from sharing that information and the context that goes with it with the entities that are most affected. This collaboration must extend to our cities, which are overwhelmed and under-resourced. Their vulnerabilities are a homeland security issue, especially as we look at our election infrastructure and ransomware. To have trust in our systems and infrastructure we must commit to regaining our innovation edge, and never again lose our seat at the standard-setting table. As we look to the next waves of technology, especially AI and quantum, falling behind is not about National pride. It is about National security. We must have a strong and consistent cyber deterrence policy, something only the Government can deliver on. Even the strongest walls will eventually succumb to a capable and determined adversary if there is no deterrence. Technology companies that are co-conspirators with our adversaries, that facilitate communications and propaganda networks enabling destructive and chaotic social manipulation must be regulated. To build resilience in society to social manipulation efforts, funding and incentivizing media literacy programs that teach the difference between fact, opinion, misdirection, and lies, as well as research into deepfakes must become a Homeland Security priority. Finally, our cybersecurity work force lacks diversity, lagging the technology sector by a significant margin. As we build programs to skill and re-skill individuals to address the massive skill shortage, we must put in place the right incentives for diversity. We need new perspectives and a new mental model for how we approach this threat. Our adversaries are agile, creative, and persistent. Our technology landscape is ever-shifting and our tax surface ever-expanding. Preparing for the future requires a new organizational and operating model focused on persistent cooperation and collaboration at cyber speed. Thank you. [The prepared statement of Ms. Howe follows:] Prepared Statement of Niloofar Razi Howe October 22, 2019 Chairman Richmond, Ranking Member Katko, distinguished committee Members, thank you for inviting me to testify on cybersecurity and emerging technologies. I am a senior fellow in the Cybersecurity Initiative at New America, a DC-based non-partisan think tank, and have spent close to 3 decades in the technology sector, the last 15 years focused on innovation in the National security and cybersecurity sectors. I have been a venture capitalist, an entrepreneur, and a corporate executive in the cybersecurity industry. I am also a member of a number of corporate and Government advisory boards. overview: where we stand today We must rethink our approach to cybersecurity and cyber defense. We are at an inflection point as enormous technological and societal shifts are converging to reshape the National security landscape and the underpinnings of our democracy. The world is changing dramatically with the speed, scope, and scale of nothing we have ever experienced. New, highly-advanced technology is being adopted at a blinding pace as we digitize business, economic, defense, and social infrastructures. We are embracing cloud computing, autonomous vehicles, small low-orbit satellites with advanced sensor platforms, the internet of things (IOT), drones, distributed ledger technology, augmented and virtual reality. On the horizon we see the emergence of 5G and microsensor proliferation, autonomous weapons (for both military and private use), quantum computing, artificial intelligence, and synthetic biology, to name a few. It's an exciting time, but there are consequences. Over time almost everything that we have experienced in the physical world--prosperity, democracy, corruption, and warfare-- will happen digitally but with a speed and severity that we are just starting to comprehend. This isn't about technology alone or something that takes place in a dark corner of the internet somewhere. It's happening every moment in our offices, our cars, our family rooms, and in our children's pockets. Every device is a supercomputer, every application an attack vector, and with the internet, ``every sociopath is now your next door neighbor.'' This is a defining moment for our society as we face emboldened groups of adversaries with complex motivations creating new social, political, and economic challenges that we are out of position to deal with and almost out of time. Good cyber hygiene is no longer sufficient as the path forward in the face of increasing sophistication and the volume of threats our society faces. In cyber space, we are certainly in conflict, and many believe we are at war every day. Our adversaries are committed, well- coordinated, persistent, and agile and they are growing in number, especially as we continue to digitize the world, including some of the world's most fragile societies. They are focused on using digital tactics to exploit weaknesses in our technology infrastructures and in our human nature. They are penetrating the seams that exist in society, sometimes for greed, sometimes for power, and sometimes for their National security imperatives. For decades, our Nation has played a critical global leadership role, providing vision, diplomacy, and stability to further our interests and our allies' interests, and this role is core to the trust and partnership required for a stable society and effective governance at home and around the world. We must do this in the digital world as well. To move us to a world of trustworthy systems and a resilient society, we must reclaim our technology innovation edge and set the standards for our digital infrastructure, which increasingly underpins every aspect of our existence. We must work together--individuals, businesses, innovators, technologists, educators, policy makers, and our Government and military leaders--to define this new world order in cyber space, or at least mitigate the risks that compound with every moment. And we must move fast. It took centuries for Gutenberg's invention, the printing press, to fundamentally change society by transforming information sharing and communication. The internet has transformed society on a fundamentally different, faster time line. Today, time is not on our side. Our starting point is a society that is polarized, a political system that is under attack, and a way of life that feels remarkably uncertain and fragile to many Americans. The accelerating pace of technology innovation for the first time in human history is outstripping our ability as humans to adapt, adjust our policies on a time line that is meaningful, and avoid the inevitable widening of the income divide in society that this acceleration will drive. Automation will diminish the importance of labor over time adding to income disparity between the highest earners and the low-wage labor force, reinforcing a belief for many in our society that the future will not be better for them or their children. In fact, an Oxford University study estimates that 47 percent of total U.S. employment is at risk with automation. It is these seams in society that our adversaries are exploiting. They are using cyber space to undermine the very foundation of our democracy. The amplification of polarization as a result of the structure of our technology platforms as well as exploitation of those platforms by our adversaries to sow discord and chaos in society has undermined the effectiveness, stability, and consistency of our Government leaders and policy makers to address these pressing problems and to find common ground to rally around as a society with shared values and a shared vision for the future. Not surprisingly, people's faith and trust in their leaders--government, business, and religious leaders--continues to decline, especially and most alarmingly, among our youth. We must also move fast because our people and our businesses will not wait for our policy makers to catch up or security to be designed in before they embrace new waves of technology innovation that can bring with them new disruptions to society. IOT, powered by 5G networks, will be embraced by businesses to take advantages of the $11 trillion of economic gain waiting to be captured. Many of these devices are inexpensive and rely on slim profit margins and with little to no regulation or liability they generally lack even the most basic security features we have come to expect in our connected devices. The result is that most IOT devices have known vulnerabilities, and they have already become a key component of adversary attack tactics such as botnets. IOT devices are proliferating in every corner of society from business-to-business applications in manufacturing, agriculture, health care, and transportation to consumer applications such as home automation. As a result, the vulnerabilities of these systems will also proliferate into every aspect of our corporate and personal lives. The growing market in low-orbit satellites, which gets little airtime from security and privacy experts, threatens to form the most ubiquitous surveillance platform ever built with no meaningful regulation to control what they are used for or by whom. These platforms can now be easily tasked by individuals at low cost with few limits, regulatory or technical, on what they can be tasked to track or what information they can obtain and sell. The privacy debate, which is a critical corollary to any discussion about cybersecurity, needs to take into account the implications of the 4,000 satellites that are being launched into orbit. The consequences of the digitization of fragile societies without thought to security ramifications poses a credible security risk both to those societies and possibly to the broader interconnected world. While over half of the world's population is on-line, many of the people who are now being brought on-line live in some of the world's most chaotic geographies. As these populations get connected via the internet, with few norms to truly govern their behavior or those who seek to destabilize and manipulate them, we must be prepared for new forms of malfeasance and exploitation. As more money pours into artificial intelligence from governments and technology firms, the ramifications are poised to be immense and by definition beyond what the human brain can comprehend. We can expect every industry and every aspect of society to be impacted by AI. What this impact will be exactly is yet to be fully understood and must be carefully researched and studied at every stage of development. Our adversaries have repeatedly shown in the past that they can move faster than we do in the United States. We have witnessed how quickly they can adapt and exploit technology while we grapple with emerging technologies, emerging social norms, and a political process that does not function at cyber speed. While we have been studying the problem of cybersecurity, cyber criminals have innovated and adapted. Cyber crime is now an industry, often protected by the governments of the geographies in which the cyber criminals operate, and has quickly grown to be the most lucrative form of crime, overshadowing the global illegal drug trade. The Hacker-Industrial Complex--networks of cyber criminal who crowdsource their tools and share their services-- continues to operate with little fear of prosecution or retribution. Just in the past few years, ransomware, which started out as a troublesome cyber crime issue for petty criminals to extract value from locking down access to data, has grown to represent a National and homeland security issue threatening the very ability of our Government to provide services to its citizens. This past year multiple jurisdictions in the United States were hit with ransomware attacks that crippled municipal services for prolonged periods of time. If this was a testing ground for a new attack vector, these incidents proved the vulnerability of our under-resourced State and local municipalities to ransomware attacks and the potentially disastrous effect on the communities they serve. Our adversaries over the past 3 years have developed a better understanding of, and therefore improved their use of, social manipulation through the internet. The growth and reliance on social media in the United States has enabled our adversaries, especially Russia and China, to engage in state on individual activities (manipulation) exploit vulnerabilities in our society, amplify polarization, radicalize our youth, and undermine any sense of objective truth in society. By definition, polarized societies are ineffective at governance as there is no common ground to build consensus to enact bipartisan policies, laws, and regulations that benefit all of society. As our ability to govern erodes, so does people's faith in the government leaders and their political system. A recent Pew Research study found that Republicans and Democrats are more divided along ideological lines--and partisan antipathy is deeper and more extensive--than at any point in the last 2 decades. The ``middle'' has literally disappeared. Underpinning all of these issues is the fact that human beings have a flawed operating system (OS) that relies on outdated mental models and cognitive biases that perhaps were useful when we lived in caves, surviving attacks from the wild, but do little to help us in the age of technology acceleration or protect us against our increasingly vulnerable digital existence. This flawed human OS sits at the intersection of our networks and devices and continues to be the weak link in our security programs and architecture. For example, 91 percent of all cyber attacks start with a phishing email, which still drives a better response rate than most marketing programs. This flawed human OS is also responsible for developing the policies, laws, and regulations to protect our people and our businesses from harm. The pace at which we have historically developed societal and Government solutions, adapted to new technologies, and built consensus with respect to our most pressing problems is too slow for the age of technology acceleration. It is time to change our perspective and mental model with respect to the time lines we must operate on, the agility with which we take action, and the collaborative model we employ. Our adversaries have. where we need to go It is critical to put in place the right policies to address our most existential threats in real time. It is time for the United States to set a bold cyber agenda capable of restoring trust globally trust in our technology, trust in our systems, trust in our infrastructure, and through that trust in our political system, our political process, and our leaders. To be effective, our Government will have to do this in partnership across the Government and with the private sector. There is no time for silos or provincialism as we turn into solving an existential crisis for our homeland, for the people, and for the world. A bold new cyber agenda should include the following elements: 1. Speed and transparency.--The U.S. Government must remove any barriers that prevent Government agencies that have threat and adversary information from sharing that information real-time and with context with the entities that are most affected. Sustained and real-time cooperation and collaboration between all relevant Government agencies and the private sector is the only way to rebuild trust and have a real impact on our adversaries. We now have multiple agencies with unique capabilities to help the private sector, including the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Protection Agency (CISA), United States Cyber Command, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and sector-specific agencies such as United States Treasury and Department and Energy (DOE) to name a few. Each plays a unique role in the Nation's cybersecurity mission, but only if they are working together and without barriers and provincial turf wars, can we actually change the landscape of cybersecurity for the country. The Russia Small Group, with a clear mandate to protect the 2018 elections, was a tremendous example of what happens when we bring the full power of multiple Government agencies to solve a problem, hand- in-hand with the private sector. We need to rethink our U.S. Government operating model to empower consistent and real-time coordination and collaboration. Many of the authorities for securing our systems were written long before there was a commercial internet. We need take a holistic look at these authorities through the lens of how we can most effectively defend the Nation, our enterprises, and our people, with the goal of enabling effective real-time consistent collaboration and coordination. 2. A relentless focus on unique value drivers and outcomes.-- a. Government's unique role.--Government must do what only the Government can do--deter malfeasance in cyber space, especially by nation-state adversaries, by using our tools of National power against those adversaries who are harming us. The private sector cannot defend itself alone against nation-state adversaries and criminals who are agile, persistent, and creative. Even the strongest walls will eventually succumb to a capable well-funded adversary if there is no deterrence. This is uniquely the Government's role. Peter Singer, a senior fellow at New America, wrote last year about the collapse of cyber deterrence: ``Less generously, these trends have created the opposite of deterrence: Incentives. The failure to clearly respond has taught not just Russia, but any other would-be attacker, that such operations are relatively no pain on the cost side, and all gain on the benefits side. Until this calculus is altered, the United States should expect to see not just Russia continue to target its citizens and institutions but also other nations and non-state groups looking for similar gains.'' Strong deterrence is the cornerstone of any security framework and the U.S. Government must take up this challenge in a decisive way, with a consistent policy and framework for imposing cost on those who do us harm. b. Private sector's unique expertise.--The private sector has developed deep technical expertise in certain domains and the U.S. Government must leverage the private sector better and not duplicate effort in areas where private-sector capabilities now surpass Government capabilities. In the threat intelligence market, while U.S. intelligence agencies can bring the full power of their capabilities to bear on a selected basis producing unique insights into foreign adversaries, the private sector has advanced capabilities across a broad group of actors (foreign and domestic), including insight into attacker behavior, tactics techniques and procedures (TTPs), and campaigns. Coordinating intelligence between private and public sector to understand adversary behavior and create a coordinated response to defend and defeat the adversary is critical. As we build and invest in Government capabilities, we must be careful not to duplicate or compete with private-sector capabilities. 3. Resilience to ransomware.--Ransomware is no longer just a cyber crime issue. Ransomware at the State and municipal level is a National security and homeland security issue. The single purpose of Government is to provide services (including protection) to its citizens. Ransomware at scale keeps that from happening as we saw in Baltimore, Atlanta, and the State of Texas. A ransomware attack during an election would have devastating affect not just on the election itself, but on people's trust in Government and the validity of our political process. State and municipal administrations need Federal help in the form of standards, grants, developing response plans, and tax incentives to invest in infrastructure that can be resilient to ransomware attacks and making Government systems resilient to ransomware attacks should be a high priority for Congress. It will take a coordinated effort across the whole of Government, but especially DHS CISA, NIST, FBI, and NSA's Cybersecurity Directorate, working hand-in-hand with State and local agencies, to make progress against this real threat and to stay ahead of the adversary. 4. Support secure smart cities.--As a corollary to the ransomware issue, Congress should provide more support to sub-Federal entities to collaborate on smart city modernization projects. Our cities do not have the expertise to defend themselves on their own nor the resources to do it. As our cities become smarter, they must do so with security in mind or these modernizations could unwittingly enable disruption of the Government's core function of providing services and security to its citizens, and given the criticality of municipal services, actually lead to loss of life. As Natasha Cohen and Brian Nussbaum write in their New America report Smart is not Enough, ``Despite increasing concern from the information security community, it is far from clear that even the smartest of U.S. cities are in a position to deal with the full range of new risks that the technology may bring. The required financial, social, security, operational, legal, and policy innovations needed for smart cities to deliver on their aforementioned promises do not appear to be moving at the pace of innovation of the technology.'' 5. Commit to regaining our innovation edge.--Government funding of innovation so that the United States can regain its edge in next generation technologies will be critical to ensuring that those technologies and the infrastructure that supports them is secure by design. While venture capitalists invest over $5 billion per year conservatively in cybersecurity companies and technologies, with a myriad of Innovation competitions such as the RSA Conference Innovation Sandbox and Launchpad Competitions held each year during the RSA Conference, which now boasts close to 45,000 attendees each year, private-sector investment is focused on building businesses based on proven technologies and established market demand. That is not where the funding gap exists. The United States must significantly increase (to the tune of multiple of current Federal R&D budgets) its funding in basic and applied research in the areas identified by the U.S. intelligence community such as artificial intelligence, 5G, and quantum computing in order to meet its declared National technology priorities. It is time for the Government to fund a bold innovation agenda that will carry us forward to 2030 and beyond, and commit to regaining our innovation edge in these critical next generation technologies. 6. Fund media literacy programs.--We live in a polarized, hyperconnected world of impatient digital citizens who are being continuously and creatively targeted with misinformation. Developing and funding a media literacy program that teaches individuals how to discern the difference between fact, opinion, misdirection and lies, is critical to a well- functioning society and should be a homeland security priority. IREX, a global development and education organization, developed a Learn to Discern education program for the Ukrainian Ministry of Education to combat Russian disinformation campaigns. Their program integrated information consumption skills into existing secondary school curricula and teacher training programs at pre- and in-service teacher training institutes. Working with the non-profit community as well as the private sector, the U.S. Government should fund the development of similar programs and curricula in the United States for our elementary, middle, and high-school students as well as for teacher training. With a broad media literacy campaign, we can build resilience to state-sponsored disinformation campaigns, help individuals recognize divisive narratives and hate speech, and improve our youth's ability to navigate increasingly polluted on-line spaces in a safe and responsible way. As we do this, we must pay close attention to misinformation innovations such as deepfakes, which present a unique challenge, and fund research aimed at identifying and mitigating the threat they pose to the very concept of objective truth. 7. Commit to building a diverse workforce in cybersecurity.--The Government is in a unique position to contribute and commit to purposefully reducing the skills shortage in the cybersecurity industry. While there are some great programs in place, including DHS's CyberPatriot competition, CyberCorps Scholarship for Service initiative, and the April 2019 Executive Order focused on reskilling and upskilling Federal employees, more needs to be done to recruit individuals from outside our typical skill sets (IT, law enforcement, and military) with a clear mandate of solving the diversity gap in the industry. The cybersecurity workforce today significantly lags behind the broader technology industry in terms of diversity and to solve our skills shortage we need all of society to be inspired by the mission to reclaim cyber space for good. Elizebeth Friedman, one of the most prolific codebreakers in U.S. history had no background or training in mathematics or linguistics and yet was able to break any code in any language during and after World War II. We need to inspire a new generation of Elizebeth Friedmans to consider a career in cyber. There are a number of good examples of reskilling efforts in both the public and private sector. The U.K. Cyber Retraining Academy is an effort by the U.K. government in partnership with the SANS Institute to reskill individuals with high natural aptitude, but no formal cyber background, to enroll in an intensive 10-week program preparing them for a career in cybersecurity. Google launched Google IT Support Professional Certification under its Grow with Google initiative through Coursera, offering a way for anyone from any educational background to get a start in the IT field where the average starting salary for IT support is $52,000 per year. The Homeland Security Act of 2002 envisioned the creation of a National Emergency Tech Guard program, a corps of volunteers whose training is funded by the Government and who can be deployed during periods of crisis to restore critical systems and services to their communities. Policy makers should support, fund, expand, and incentivize similar initiatives with a mandate of driving diversity in the industry. This commitment would not only help solve the industry's skills shortage, bolster our resilience during times of crisis, but would help address the ``digital divide'' of the haves and the have nots in our society. As we look to the future we will have to ultimately commit to completely rebuilding our digital infrastructure, cities, and nations to face the digital and social challenges of 2030 and beyond. Investment in building the talent base in the right way to tackle this challenge is a necessity for success. 8. Judicious implementation of regulation.--Regulation must be pursued in a focused and purposeful manner with a willingness to adjust and adapt as we evolve, as technology evolves and as our adversaries evolve. With those guiding principles, we should enact regulation targeted at very specific areas where we can have measurable impact. a. Setting minimum Security Standards for IOT is critical.-- Congress should enact basic regulation with respect to IOT. The U.S. Government can help protect the 5G ecosystem of billions of connected devices by setting basic security standards, requiring features such as auto update, and importantly providing the right incentives, including tax incentives for vendors to implement these standards and corporations (including critical infrastructure) to deploy secure products and the financial headroom and reason to make changes. b. It is time to enact regulations on big data and social platforms.--The aim is not to regulate ``Big Tech'' but rather those technology platforms that facilitate communications and propaganda networks, exploit human weakness for profit, are addictive by design, reward virality, not veracity, thereby enabling destructive and chaotic social manipulation by our adversaries, without providing clear benefits to their users that outweighs these costs. These social platforms have demonstrated an unwillingness to self-regulate or put the interests of their consumers or society at large ahead of their profit motivation. The scope of harm they have caused society includes not only the amplification of polarization, but also psychological harm as the amount of stress, anxiety, and depression caused by their platforms is on the rise in society and especially with our youth. They are out of time. conclusion All of the recommendations outlined above are intended to support empowering a society that is resilient to the unintended consequences of technology innovation and the inevitable exploitation and use of those technologies by adversaries to gain some form of advantage. This may only be a starting point of a long journey. If our ultimate goal is defending our Nation by defeating our adversaries in cyber space rather than accommodating them, then, in addition to establishing acceptable norms of behavior, developing and committing to a consistent policy of engagement, escalation and deterrence, we must have a working model for successful public-private collaboration and engagement. Defeating our adversaries presupposes our ability to harness the vast technical expertise and resources as well as the unique authorities of the Federal Government, the vast technical expertise and agility of the private sector, a collaborative intelligence gathering and sharing framework, and coordinated response planning. It presupposes a society where trust exists between the private sector and the public sector, where transparency and fact-based substantive conversation, discussion, and communication are the norm. We have a long way to go, time is not on our side, but we have not yet run out of time. Mr. Richmond. Thank you, Ms. Howe, for your testimony. I now recognize Dr. Buchanan to summarize his opening statement for 5 minutes. Thank you. STATEMENT OF BEN BUCHANAN, PH D, SENIOR FACULTY FELLOW, CENTER FOR SECURITY AND EMERGING TECHNOLOGY, MORTARA CENTER, ASSISTANT TEACHING PROFESSOR, GEORGETOWN UNIVERSITY Mr. Buchanan. Thank you, Chairman Richmond, Chairman Thompson, and Ranking Member Katko, for holding this important hearing and for inviting me to testify. My name is Ben Buchanan. I am an assistant teaching professor at the School of Foreign Service, and the senior faculty fellow at the Center for Security and Emerging Technology, both at Georgetown University. I am also a global fellow at the Woodrow Wilson Center for Scholars, where I teach introductory classes on artificial intelligence and cybersecurity for Congressional staff. My research specialty is examining how cybersecurity and AI shape international security. In this vein I co-authored recently a paper entitled, ``Machine Learning for Policymakers.'' I will confine my opening remarks to the impact of AI on cybersecurity, since I think it is the emerging technology poised to have the most significant effect in this area. While there is an enormous amount of hype and debate around AI in general, the intersection of AI and cybersecurity is understudied and underappreciated. At least 3 dimensions of this problem deserve our analysis. First and most significant is the cybersecurity of AI systems themselves. AI systems are just as likely to be susceptible to the kinds of software vulnerabilities that are present in other kinds of computer code. As we have seen for decades, hackers can exploit these vulnerabilities for their own ends. There is no reason to think that hackers will not try to do the same to AI systems, and there is no reason to think that they will not, at times, succeed. This possibility is particularly worrying, given the high stakes of some AI applications. This is not a reason to avoid using AI, but vigilance is imperative in order to improve cyber and National security. Yet to stop our analysis at just the traditional kinds of software vulnerabilities is to miss a great deal of the cybersecurity risk that AI systems pose. The neural network architecture that underpins a lot of modern AI is immensely powerful, but presents new classes of cybersecurity risk that we are only beginning to uncover and understand. We call this field adversarial learning. Using adversarial learning hackers can cause neural networks to make bizarre errors, causing systems that rely on those networks to fail or reveal confidential information. This is a field that requires a great deal more attention. A tiny fraction of the research in AI today goes to studying AI security and the risks of adversarial learning. Our second area of analysis is that AI can change traditional offensive cyber attacks against regular computer systems. Modern hackers in many cases do not need AI to achieve their ends. That said, I think it is noteworthy that some of the most potent cyber attacks we have seen, including last decade's Stuxnet, the 2006 black--2016 blackout in Ukraine, and the 2017 attack now is NotPetya, which caused $10 billion in damage, feature some forms of automation within them. I can imagine a world in which future cyber operations will use more sophisticated automated capabilities to achieve particular tasks such as vulnerability discovery, target selection, command and control, and attack execution. Mr. Knake mentioned the kill chain earlier, and suffice it to say that I think almost every aspect of the kill chain could be transformed by more powerful automated capabilities. I suspect that such automation could offer significant upsides to sophisticated hackers faced with complex targets and complex missions. In some respects, the possible upside to automation in attack is higher in the area of cyber operations than in physical warfare, since whether a plane is operated by a human or a machine, the laws of physics still apply. But it is likely that automated cyber capabilities, if sophisticated enough, could operate much faster than their human-directed counterparts. I stress, however, we have not seen this come to fruition yet. This leads to the third area of analysis, the possibility that AI might help on cyber defense. This idea is also the subject of a lot of hype and a lot of investment. There seems to be discreet ways in which AI can indeed help secure computer systems, both in discovering vulnerabilities before hackers do, and also in detecting the presence of malicious code. However, we must be careful not to let the hype outrun the reality on this front. In evaluating cybersecurity advances in this area, we should compare them to the baseline of technologies we already use, many of which already involve automation, and understand how, if at all, automation in our modern paradigm of machine learning actually improves our defenses. I do believe that AI-enabled tools are likely to be a fundamental part of modern and future cyber offense and defense. The scale, size, and speed of cyber operations will make this inevitable. It is imperative that we keep up with changing times. That said, we must not forget that cyber operations, no matter how sophisticated, are still fundamentally human operations. For as much as we will talk about technology today, we must remember that the people in our organizations, including Government, are key to addressing these threats. I look forward to your questions. [The prepared statement of Mr. Buchanan follows:] Prepared Statement of Ben Buchanan Thank you, Chairman Richmond and Ranking Member Katko, for holding this important hearing and for inviting me to testify. My name is Ben Buchanan. I am an assistant teaching professor at the School of Foreign Service and a senior faculty fellow at the Center for Security and Emerging Technology, both at Georgetown University. I am also a global fellow at the Woodrow Wilson International Center for Scholars, where I teach introductory classes on artificial intelligence and cybersecurity for Congressional staff. My research specialty is examining how cybersecurity and AI shape international security.--I co- authored a paper entitled ``Machine Learning for Policymakers.''\1\ --------------------------------------------------------------------------- \1\ Buchanan, Ben and Taylor Miller. ``Machine Learning for Policymakers.'' Belfer Center for Science and International Affairs (2017), https://www.belfercenter.org/sites/default/files/files/ publication/MachineLearningforPolicymakers.pdf. --------------------------------------------------------------------------- I will confine my opening remarks to the impact of artificial intelligence on cybersecurity, since I think it is the emerging technology poised to have the most significant effect in this area. While there is an enormous amount of hype and debate around AI in general, the intersection of AI and cybersecurity is understudied and underappreciated. At least 3 dimensions of this problem deserve analysis: First and most significant is the cybersecurity of AI systems themselves. AI systems are just as likely to be susceptible to the kinds of software vulnerabilities that are present in other kinds of computer code. As we have seen for decades, hackers can exploit these vulnerabilities for their own ends. There is no reason to think that hackers will not try to do the same to AI systems, and there is no reason to think that they will not at times succeed. This possibility is particularly worrying given the high stakes of some AI applications; it is not a reason to avoid using AI, but vigilance is imperative to preserve cybersecurity. But to stop our analysis at just the traditional kinds of software vulnerabilities is to miss a great deal of the cybersecurity risk that AI systems pose. The neural network architecture that underpins a lot of modern AI is immensely powerful but presents a new class of cybersecurity risks that we are only beginning to uncover. We call this field adversarial learning. Using adversarial learning, hackers can cause neural networks to make bizarre errors, causing systems that rely on those networks to fail or to reveal confidential information. This is a field that requires a great deal more attention. Second, AI can also change traditional offensive cyber attacks against regular computer systems. Modern hackers in many cases do not need artificial intelligence to achieve their ends. That said, I think it is noteworthy that some of the most potent cyber attacks we have seen--including Stuxnet, the 2016 blackout in Ukraine, and the 2017 attack known as NotPetya that caused at least $10 billion in damage-- feature some forms of automated propagation and attack capability. I can imagine a world in which future cyber operations will use more sophisticated automated capabilities to achieve particular tasks, such as vulnerability discovery, target selection, command and control, and attack execution. I suspect that such automation could offer significant upsides to sophisticated hackers faced with complex targets. In some respects, the possible upside to automation is higher in this area than in physical warfare; whether a plane is operated by a person or a human, the laws of physics still apply, but it is likely that automated cyber capabilities--if sophisticated enough--could operate much faster than their human-directed counterparts. I stress, however, that we have not seen this come to fruition yet. This leads to the third area of analysis: The possibility that AI might help on cyber defense. This idea is also the subject of a lot of hype and a lot of venture capital investment. There seem to be discrete ways in which AI can indeed help secure computer systems, both in discovering vulnerabilities before hackers do and also in detecting the presence of malicious code. However, we must be careful not to let the hype outrun the reality on this front. In evaluating cybersecurity advances in this area, we should be careful to compare them to the baseline of technologies we already use--many of which already involve automation--and understand how, if at all, artificial intelligence improves our defenses. I do believe that AI-enabled tools are likely to be a fundamental part of modern and future cyber defense; the scale, size, and speed of cyber operations will make this inevitable, and it is imperative that we develop these tools. That said, we must not forget that cyber operations, no matter how sophisticated, are still fundamentally human operations. For as much as we will talk about technology today, we must remember that the people in our organizations are key to addressing these threats. I look forward to your questions. Mr. Richmond. Thank you. Thank you for your testimony. I will now recognize myself for 5 minutes to ask questions. Let me just start with some of the things that you all talked about. Mr. Knake, you mentioned that there are examples where governments set the objectives or goals. Can you give me some of those, and your train of thought on how governments should do it, or what the goals should be? Mr. Knake. Yes, Mr. Chairman. The analogy that I like to use in this space is how we handle oil spills. We all remember the Exxon Valdez oil spill in 1989. In 1990, Congress passed bipartisan legislation, the Oil Pollution Act. What that act said was that, if you are going to bring oil into U.S. waters, you need to have insurance that would cover the full cost of cleaning up a loss of containment from that vessel. So the important thing that that act did is, it didn't say, ``Here are the requirements for safety of your vessels, here is what you must do,'' it said you will own the cost. The polluter will pay. Well, I think we can adapt that model very easily to areas like data spills. Treat data spills like oil spills. If you want to hold 140 million records of U.S. citizen data, then you probably should have to have an insurance bond that would pay out on the order of--back of the envelope math would suggest about a $1,000 per record. That would require the insurance industry to be able to measure risk in a way that they cannot measure today, and to measure security in a way they cannot measure today. But I am quite confident that, from that point on, markets would be able to adopt new strategies to be able to price that risk and enforce it, so they wouldn't have to pay out that kind of insurance payment. Mr. Richmond. Part of my thinking--and you mentioned Atlanta in your testimony, and other places--part of my concern--and I will pick a fictional place so that I don't offend any community, but let's think of Mayberry, North Carolina, where Barney Fife was the sheriff's deputy. [Laughter.] Mr. Richmond. It is made up. So how do we ensure that they are up with the times in terms of protecting their data, and their cyber hygiene, and all of those things? How do we get them to where they need to be? Mr. Knake. This is a very unpopular opinion, Mr. Chairman. The first thing I would do is I would ban ransomware payments. What we are doing at this point is handing hundreds of millions of dollars over to our adversaries. They are taking that money. They are spending some of it on Lamborghinis and leather jackets. The rest of the money they are reinvesting to up their capabilities. They are growing more sophisticated. They are building larger teams. They started out doing ransomware against individuals. They are now doing hospital systems and local governments. It is only a matter of time before they do the power grid. So from that perspective, we have got to stop funding them. Mr. Richmond. Let me stop asking you questions. [Laughter.] Mr. Richmond. Ms. Howe, you mentioned autonomous weapons. What is out there when you speak of that? Ms. Howe. Today the technology exists to have completely autonomous weapons. They are available, both for the military and also for private use, where you can set up sniper rifles to take down targets from great distances with very little human intervention. That exists out there, and when they are networked it creates an interesting dilemma, from a security perspective. Mr. Richmond. Thank you. Mr. Durbin, you mentioned stalker apps, or stalker--tell me how they--how it will get on a Member's phone or one of the panelists' phone. Mr. Durbin. Stalkerware is considered malicious software. Like most threats and malicious software packages, there are-- there is no difference in how they would end up on a device. So, like a phishing exercise, where you get an email and you are asked to click on a link that could execute a program to load it in, or even--you could do it via text. If since stalkerware in--sometimes involves somebody that the stalker knows, if they have physical access to the phone, then they would be able to, obviously, grab it and loaded it on. So it is like typical threats. You can be tricked into having that, the software load. Mr. Richmond. OK. I would imagine that you all sell software to detect it. Mr. Durbin. Yes, we do. Mr. Richmond. OK. With that I will recognize the Ranking Member of the subcommittee, Mr. Katko, for 5 minutes. Mr. Katko. Thank you, Mr. Chairman. Ms. Howe, during your testimony--well, all of you talked about the various threats that are out there, and I really, truly believe we are constantly playing catch-up, and that is a concern. But Ms. Howe, you mentioned that we need to study--we, being the Government--need to set a bold cyber agenda. Could you just drill down a little more and tell me what you envision would be good for us to do? Ms. Howe. Well, certainly, sir. Thank you for the question. From the outset, I think the Government--there are things only the Government can do that would have a tremendous impact on the threat landscape. Having a consistent cyber deterrence policy that imposes costs on the adversary is a great starting point. It is unfair to expect companies to be able to defend themselves against nation-state adversaries who are committed. We have done that in the past. We certainly wouldn't do that in the kinetic world, but we are doing that in the cyber world, where we expect companies to defend themselves. We also have to--some of the authorities that were written for defending our most critical systems were written before there was a commercial internet. As we take a holistic look and see what is happening in the dynamics of the market, we have to be willing to re-examine how we operate as a Government, the authorities and capabilities mismatch that we all talk about, and how we organize and how we collaborate at cyber speed. Mr. Katko. All right, thank you very much. Mr. Buchanan. You talked about a human element factor. You know, one common theme that I believe in is that, with emerging technologies and threats the way they are, the human element remains critical to the functionality of the attacks. So how do we make the human element of attacks less effective with emergent technologies? Or can we? Mr. Buchanan. Well, I think, again, as much as we talk about technology, it is important to recognize that, both on offense and defense, there are humans involved. One of the things I worry about quite a bit, as someone who teaches students who often go into Government, is the capacity to educate future policy makers and policy advisers to have Government-hiring authorities to bring people into Government so they can serve in this mission set on offense and on defense. As you can imagine, relating to compensation and other factors, often times many of these individuals go to the private sector and don't end up in Government working on these important missions. Mr. Katko. Thank you. Here is a question for everyone here. Mr. Durbin, we can start with you. It is about quantum computing. In my home town, Syracuse, New York, they have a robust quantum computing research operation under way. But it is, of course, not the only one in the country. I am vitally concerned about quantum computing in that--one of you said that if China gets it, basically, we are in big trouble. It should be something that we prioritize better than we are right now. I just want to, should we--just--it is a softball question, but it is--I want to hear what your answers are. Should we be making more of a concerted effort to develop our quantum capabilities on the Government level, given how much of an advantage fully-functional quantum computing can provide? Mr. Durbin. Yes, it is a serious threat. It is coming. The time frames are very debatable, but the time to come up with defenses are now, not when somebody does have the first functional working quantum computer. The algorithms that are used right--or the encryption rhythms for protecting data right now will not be sufficient with quantum, so we need to come up with the new problem that is hard for a quantum computer to solve. I am encouraged with the attention that NIST has been giving this topic, and so I encourage them to keep going with the research that they are doing. But yes, it is coming, and focus needs to be brought to bear. Mr. Katko. Yes, it seems to me that there is a bit--it is a bit diffused, the projects, and there is not, like, a centralization, if you will, of the--their overall goal. I mean, I view this as a modern-day moonshot, because if we--if the Chinese get it before us, then we really--our encryption data is--or our encryption capabilities are going to be severely hampered. We are already vulnerable, as it is. So Mr.--as you say, Knake--is that how you say it, or Knake? Yes. Well, what can we do, as a Government, from a prioritization standpoint? To me, it seems to me that we need to do more to make this a high priority within Government. It is not something that people can see and feel like the moonshot, if you will. But it is something that is critically important to us, going forward. How do we get the Government to prioritize this more? Mr. Knake. So I think the way that I would approach this problem is to say that we need to focus on it with the same energy and, really, the same level of resources as we would maybe a Manhattan project or a moonshot, but we need to harness the capabilities within our private sector. So instead of having one large Manhattan Project out in the Southwest desert, in this case we need to have dozens, if not hundreds, of companies working on various aspects of it. There are models for how we have done this in the past. I would call on SpaceX as a good example of a commercial-supported endeavor. But I think the key here is more research going to more teams to compete globally, and hope that one of those teams that is going to win is going to be a U.S.-based team. I think we can't really put all our eggs either in the hope that Silicon Valley is going to solve this problem for us, or that a Government research team singly funded and focused is going to beat the Chinese, who I view as the major adversary in this space. Mr. Katko. Thank you all. I wish I had more time to ask you a ton of questions, but I have to--I am out of time. I yield back. Mr. Richmond. The gentleman yields back. The Chairman of the full committee, Mr. Thompson, is recognized for 5 minutes. Mr. Thompson. Thank you very much, Mr. Richmond. As I heard the witnesses' testimony today, I became very suspect of something I can't do without. But the challenge for this committee and Members of Congress is how do we not overreact to a problem, so that Government, all of a sudden, is stifling innovation and a lot of other things with regulation. So--and one of the reasons hearings like this are held is to try to get the benefit of the talent that is out here, especially in the private sector. Some of us believe that there is a role for Government, but it is to encourage the development of the technologies and things that we need, while understanding that it is really the private sector and its talents that ultimately will get us to where we need to be. So--but a couple of things I heard. One is right now we are kind-of reacting to the problem, rather than getting ahead of it. Can you suggest a way forward for us to wait until the next attack occurs, in anticipation of whatever that is, that we could do, as Members of Congress, to get us to that point? Mr. Durbin, if you can, get us started with some idea. Mr. Durbin. It is tempting to react to the buzz word, what people are talking about in the press, like the deepfakes. I encourage that we also have to keep our eye on the threats that have been plaguing us for a long time. Email, for example, still tends to be the No. 1 threat vector out there that attackers use to do their malicious things. As soon as a bad guy figures out a way to utilize email, then companies like ourselves, we counter it. Then they come up with a new clever way. So we can always be prepared for what is coming by focusing on what is tried and true, and what we know that the adversaries aren't going to back away from. Ransomware. Today I talked about targeted ransomware. This is the first time since we have been tracking it where the shift has moved to the enterprise versus the individual. Why are they doing that? They are doing that because, when you target somebody and you really understand their network, you can get in there, get in there deep, compromise as many assets as possible, launch it at the same time, and it puts pressure on that company: ``We better pay the ransom, because we are tied up.'' So solving ransomware will help you to solve the next iteration, the next usage of it, and it is a way to kind-of stay ahead of the curve. Mr. Thompson. Mr. Knake. Mr. Knake. Thank you, Mr. Chairman. I would focus on 3 brief ideas. No. 1, I think we need to have a much higher degree of disclosure of cyber incidents. We really don't have a clear picture of how badly we are owned by Chinese or Russian or other adversaries. Companies tend to try and avoid disclosing publicly what has happened. So, on the one hand, we have the number that General Alexander has put out, which I believe to be accurate, of possibly as high as $400 billion in loss from economic espionage by the Chinese, but we have very few cases where we actually know of public incidents where that loss has happened. That puts investors at a disadvantage, it puts stakeholders at a disadvantage, and it keeps markets from inflicting pain on companies that don't have good security. With that, I would highly recommend the idea of creating one or more National Transportation Safety Board-like mechanisms to dig in and understand why these incidents happen once they are disclosed, so those lessons learned can get pushed out to the broader ecosystem. Finally, I think this is all about creating collaboration, defensive collaboration with Government and with the private sector. Today we don't have the system that we need to be able to do that to trust the end-users and to trust the systems over which information is shared. So that is why I have advocated for extending Classified connectivity out to critical infrastructure companies beyond the defense industrial base. I think that is essential. Mr. Thompson. Thank you. Ms. Howe. Ms. Howe. Chairman Thompson, you are exactly right that the attack surface is ever-shifting, the landscape moves on us, and the most important thing we can do is put in place a collaborative process that can be as agile as the threat landscape and as our adversaries are. We have had great examples of this. The Russia Small Group, which was--had a very specific goal of protecting the 2018 midterm elections, did their job. They did it. It was Cyber Command, NSA, FBI, DHS, working together with private sector. The Enduring Security framework was another example of this collaboration working. If we could systematize that kind of collaboration so that, no matter how our adversary adapts, no matter how our technology evolves, we can be as agile as they are--I don't think we can predict with precision how these attacks will take place in the future, but if we organize the right way, we can make a difference. The other thing I would put out there is today we want to have resilience and protect ourselves. The boldest thing we can do is to decide to defeat the adversary in cyber space, and to organize to actually defeat the adversary. That is something we are absolutely capable of doing. It takes a lot of resolve to do. But again, working society, Government, hand-in-hand with trust between the two, we can accomplish that. Mr. Thompson. Dr. Buchanan. Mr. Buchanan. Just in terms of concrete ideas, I think we need to do a lot more study of the cybersecurity vulnerabilities of emerging systems, ideally, before we employ them. This is something we, in many cases, did not do with old cyber systems. The good news, I think, is that the Government does have some capacity to do this that we could use as a foundation. I am thinking in particular of NIST, National Institute of Standards and Technology, which has very small effort, but a promising one, to study weaknesses in artificial intelligence systems. It seems to me that would be something that is ripe for expansion, where we could study the problems that many in the private sector, because of market interests, are not studying, but that will be quite impactful for broader society if they were to be targeted by adversaries. Mr. Thompson. Thank you very much. I ask the Chair--I have some follow-up questions we will submit to the witnesses in writing along this line. But I thank you very much. Mr. Richmond. The gentleman yields back. The gentleman from North Carolina, Mr. Walker, is recognized for 5 minutes. Mr. Walker. Thank you, Mr. Chairman. Dr. Buchanan, I would like to stay with you, if I could, please. In August, President Trump announced a rule restricting Government agencies from doing business with the Chinese telecommunications company Huawei due to National security threats. What was our exposure to Huawei when the decision was reached? Mr. Buchanan. Congressman, I don't know that I am in a position to judge U.S. Government's exposure to Huawei. I would imagine that what would concern me most would be exposure in Classified networks, and I am in no position to have visibility into that. Mr. Walker. So you don't necessarily have anything that is confirmed, but you do have some concerns. Is that fair to say, without having to get into detail? Mr. Buchanan. Sure. I think it is fair to say that telecommunications systems provide enormous access to the information and broader networks of which they are a part. In general, I worry about that as a significant threat, and---- Mr. Walker. Yes. Not everybody on the panel--technology still is an issue for, I am realizing, but that is a different story. [Laughter.] Mr. Walker. What has changed in the agency's contract acquisition since the ban, such as the type of contract signed, or how contractors are chosen? Mr. Buchanan. Again, I am not sure I have visibility into the contracting processes. Mr. Walker. OK, all right. So maybe my final question for you, then, may be the same thing. Are there alternatives to the covered ban telecom companies such as Huawei routers and other companies' data networks, or have agencies been struggling to fill their tasks because of the ban? Can you address that? Mr. Buchanan. Yes. Speaking generally, there is--there are other players in the telecommunications market. I think it is a smaller market than we would like. Huawei has a price advantage, why they are attractive, but they are not the only supplier in the world. Mr. Walker. OK. Do you see that changing in the foreseeable future, as far as these smaller companies having a little bit more access, or a little bit more stronger foothold? Mr. Buchanan. I think it is fair to say that I worry generally about competition in this space, because there are not that many players. Mr. Walker. OK. Mr. Buchanan. Yes. So, in general, I think there is reason why we would want more competition than we have right now, and particularly we might want more U.S. companies involved than is currently the case. Mr. Walker. Thanks. I appreciate you going there. Mr.--I believe it is Knake, is that correct? In your testimony you mentioned that in a race--and this struck me a little bit--in a race between Silicon Valley and China, I believe you said Silicon Valley would lose in respect to these emerging technologies. Is that correct? I am going to come back with a question. I just want to make sure I heard that correct. Right? Is that fair? Mr. Knake. Yes, I think it is fair. Mr. Walker. All right. There is no question that Huawei, in circumventing--is circumventing the U.S. export ban and experiencing success in becoming self-sufficient. So my question is this. If China becomes totally self- reliant in these technologies, such as the production of their own advanced chips, what impact do you think that is going to have on the U.S. economy 5, 10, 50 years down the road? Mr. Knake. So I am in a minority within the international relations community on this topic. But what I think is going to happen is we are largely going to see a split of the internet into 1, 2, or 3 parts, and with it a split of the underlying technologies, so that we are unlikely to see a situation barring massive political change in China, in which U.S. companies are able to compete there for that market. Therefore, I don't think we are going to continue to allow China to compete in our market. So I think we are going to have very different technology development and very different paths. Mr. Walker. Well, you just--you answered the second question, as far as, if there have--if they have the largest R&D funding in the sector, how would we expect companies in the United States to compete with the Chinese government-backed company from dominating the telecom market? You just answered that. It looks like it is going to be two independent sectors here. Mr. Knake. Yes, sir. I would say that I think that there is a--it is almost a dirty word within policy communities in Washington, but it is time that we re-look at the concept of industrial policy. How are we going to assure that 6G, however we decide to define that, is something that the United States can compete in, and isn't going to fall behind these other actors? Choices were made by leading telecommunications firms in the United States not to compete in this space. That clearly was not in our National security interest. So we have got to find ways to make sure they choose to compete in the next generation. Mr. Walker. A lot of my questions, a lot of the focus in the media and National security is on Huawei, but there are other companies that should cause major concern, as well, for the U.S. National security. Do you agree with that? Mr. Knake. Absolutely. Mr. Walker. Especially in the emerging technologies. In my closing few seconds, what should be done, in your opinion, to prevent these companies from posing a security risk, specifically, obviously, in our country? Mr. Knake. So I think one of the things that we need to look at, which is, again, a very unpopular opinion, is can we maintain global supply chains, or do we need to have trusted supply chains by trusting companies that are either manufactured in the United States or by our allies? Can we trust chips and devices and components that are manufactured abroad for critical systems? Mr. Walker. Thank you for your testimony. I yield back, Mr. Chairman. Mr. Richmond. The gentleman from North Carolina yields back. The gentleman from Rhode Island, Mr. Langevin, is recognized for 5 minutes. Mr. Langevin. Thank you. [Pause.] Mr. Langevin. Is that better? OK. Here we go. I just want to thank our panel of witnesses for your testimony today, and your contributions to raising our National security awareness, and providing steps forward to how we better protect the country in cyber. Mr. Knake, I would--first of all, I am not going to get into this question, but on the issue of--be able to discuss industrial policy, I couldn't agree with you more. We need to make sure that we can do that, and take the politics out of it, and really focus on the issue at hand. So I agree on that point. So this is a question, and it actually--one other point I want to make is how I completely would agree with you on what you talked about in terms of critical thinking. You know, this issue of our adversaries using our values and our commitment of free speech and using these social media platforms as weapons against us and undermining our democracy is something that I have worried about for a long time. Being able to think critically when you talk about media and issues that are raised, if the public can't do that, we are already losing. We need to build that resilience into our democracy, and that starts with our kids, and teaching civics in class, and also doing things like critical thinking. But this question is for all witnesses, and I would like to start with Mr. Knake. In your collective testimony you all focused on--significant attention on new tactics and techniques to achieve malign cyber goals. You do not, though, to a large extent focus on threat actors. So do you believe that the cyber threat actor environment is likely to remain largely static in the coming years, with major challenges coming from China, Russia, North Korea, and Iran, and lesser problems from organized crime and other non- state actors? Or are we likely to see major shifts? Mr. Knake. Thank you, Congressman. I would say that, from a nation-state perspective, the threats are largely determined by the geopolitics and the ability for any nation-state to rapidly acquire offensive cyber capability. It means that any of our adversaries are likely to confront us in cyber space if they deem it in their interests. You touched on organized crime. I think we are at the point where organized crime in cyber space really represents a danger, and a National security danger, a National security threat. The capabilities are only growing. Their interests in generating financial revenue are moving them out of purely the cyber realm and into the physical realm. So we have hybrid threats emerging from these criminal groups. They are operating out of safe havens. I think that they are, like the drug cartels in the 1990's, ever much a National security threat as certain nation-states. Mr. Langevin. How about in terms of mitigating our risk? How much would you focus on responding to threat actors vice (sic) technological steps that we can take to protect ourselves from emerging threats? Mr. Knake. What I have advocated is that there is a limited amount we can do to threat actors. I certainly agree with Ms. Howe that we want to engage them everywhere we can and in every way that we can. But really, our National strategy needs to be about building resilience. We need to be able to have most attacks bounce off of our infrastructure, and we need to be able to bounce back rapidly, should those protections fail. That kind of strategy, I think, is really in our National interest. That is where we want to focus on incentives and aligning technology around those incentives. Mr. Langevin. Thank you, Mr. Durbin, in your written testimony you make reference to something that we have been focusing a great deal on right now, and that is risk posed to ever-expanding supply chains, and the various accesses that they provide to networks. Can you expound upon the growth that you have seen in this type of threat? To our other witnesses, do you believe that intrusions through the supply chain will continue to rise in the future? Given that malicious actors often use software update mechanisms when attacking through supply chain, are you concerned that an uptick in supply chain attacks could actually undermine faith in this important hygiene measure? Mr. Durbin. So the supply chain is attractive because, if your main target has a sufficient enough cybersecurity budget, and has taken the--done the due diligence to protect themselves, instead of spending your resources trying to penetrate them, let's go down the supply chain and look for someone who is less diligent, attack there, and try to feed the attack back upstream into the main target. So that is always going to be an attractive vector that we are going to have to stay diligent with. I think the--using the supply chain and compromising software download sites and software patching sites is also going to be very attractive, because you are able to reach a large number of people, and you are doing it in a way where the victim thinks that they are interacting with a trusted site. So you are not going to be as cognizant, or you are not could be as concerned or suspicious. So it can be a very powerful threat vector. Mr. Langevin. Thank you. I know my time has expired. Thank you, Mr. Chairman. I yield back. Mr. Richmond. The gentleman from Rhode Island yields back. The gentleman, Mr. Taylor, is recognized for 5 minutes. Mr. Taylor. Thank you, Mr. Chairman. I appreciate this hearing. In 2017 I carried the cybersecurity package for the State of Texas, for the Texas legislature. In that package the attorney general of Texas asked for a limited defense of prosecution in the event that he wanted to take down a human trafficking website. So he would take down a human trafficking gang. The website with the victims' pictures would still be left on the internet. He wanted the ability to conduct a denial-of-service attack against that site to take it down and to eliminate that site on the internet. So that takes me to my question, my line of questioning, which is around offensive operations against cyber predators. Right? So we have got people out there that are conducting cyber attacks in the United States, whether it is denial-of-service, whether it is ransomware, et cetera. This is thorny legal ground. But I was just wondering, since we have some really smart people in the room, what are your thoughts on conducting offensive operations against those that are actually conducting attacks on us when--retaliating, in effect, doing a ransomware attack on people that are doing ransomware attacks on us? I will let you go in order. Mr. Durbin, do you want to---- Mr. Durbin. So there are a few issues. First is attribution. The attacker can hide who they really are. So it may appear as that they are coming from a hospital overseas, and then you are going to go attack this hospital that was innocent. If you do identify the correct attacker, and you attack them, you risk escalation, because they may come back at us again. But I think one thing that we often overlook, traditional warfare, if you throw a hand grenade at somebody, it blows up. They can't pick it up and throw it back at you. If we launch an attack, we are basically giving them that software that they can re-engineer and use against us, or use against others. I think there is a way to use a deterrence, maybe the threat of it, or to demonstrate what we could do. But I think hack attacks, or attack-backs are delicate. Mr. Taylor. Mr. Knake. Mr. Knake. Thank you, Congressman. I would say that I am all in favor of Cyber Command taking a more active role in defense of private industry and State and local government. I think that the idea of other entities than Cyber Command carrying out that offensive operation is scary and could put us into situations that we don't want to be in. But I do think, if we had the kind of capability where, for instance, a critical infrastructure company that was involved in a threat from a overseas actor was able to communicate that in real time with high assurance, with trust among the parties over a Classified network, that then Cyber Command could essentially be tipped off to that activity and target to shut it down. So we really just need tighter collaboration, rather than kind-of a go-it-alone approach by private companies. I think that is possible. Mr. Taylor. While I have got you, just one quick thing. You said you want to see greater clarity in cyber attacks. The problem that we have grappled with on this subcommittee is that, if we tell people where the attacks are, or what the effect--we are basically saying, hey, there is a vulnerability here. So, I mean, I appreciate the desire for transparency. I am for that. But then--but in this particular instance, if I give you transparency, I am basically telling you where you can attack me. Do you want to just quickly respond on that, and I will go back to the offensive question here with Ms. Howe? Mr. Knake. Yes, I think there is two pieces to it. I think, No. 1, the adversary has already exploited the vulnerability if they have created the incident. So, from that point of view, you are not going to be sharing information, assuming that you have patched that specific vulnerability and built protections around that specific threat. So I think that that can be addressed. I also think that, if we can build the kind of collaborative defense that we have been talking about, and the trust between partners, you don't necessarily need to share that information publicly or with the world. That disclosure could be made with partner, private-sector companies, and agencies. Mr. Taylor. Ms. Howe, going back to the offensive question---- Ms. Howe. I often tell my children I have escalation dominance so they should never take me on. [Laughter.] Ms. Howe. I think, when it comes to offensive cyber operations, you have to make sure you have escalation dominance, which means it is only the purview of the U.S. Government to conduct offensive cyber activity. I agree with Mr. Knake, that we have seen Cyber Command do that effectively. We need to have a very consistent policy of engagement if we are going to engage in offensive cyber. If we do, it essentially becomes part of the cyber deterrence policy. When it comes to attribution, I would say our Government is the best in the world at attribution. We haven't gotten it wrong. In fact, even last week, the NSA put out an advisory showing that the Russians were using Iranian tools and infrastructure, and hiding as Iranians when they were conducting their attacks. So this is one place where the U.S. Government is fantastic, knows what it is doing, and we have got the capabilities to launch offensive cyber the right way. We have to have the policies, and we need to be able to communicate them. I do not think this is something the private sector should do. Mr. Taylor. All right. I see my time has expired. Thank you, Mr. Chairman. I yield back. Mr. Richmond. The gentleman from Texas has yielded. I now recognize the gentlewoman from Illinois, Ms. Underwood. Ms. Underwood. Thank you, Chairman Richmond. Last week Members of this committee traveled to my district, the Illinois 14th district, to hold a hearing examining what steps the State of Illinois has taken, in coordination with the Federal Government, to prepare for the 2020 election. In Illinois foreign adversaries were able to exploit a vulnerability in our State's voter database to access the records of 76,000 Illinoisans. Since then Illinois has used Federal and State dollars to increase its cybersecurity posture by executing the Cyber Navigator Program. This model continues to be a valuable tool for election officials around the State who now have access to a sure internet system, and highly- trained cybersecurity personnel. We know that social media is an important source of information in communities like mine. A majority of Americans check social media at least once daily. So, Mr. Durbin, what advice can you offer to social media users about how to recognize the difference between a post from our neighbor and a post from a bot campaign? Mr. Durbin. That is a challenging ask. The people that are coming up with these posts, that are trying to deceive you, they are very good at them. So I think the platforms themselves are going to have to be involved in looking at the metadata of where these posts are coming from to help identify is this really a person, or is this a bot. But if it is not from somebody that you--you don't know, or that you are just hearing from, and it is on something that is topical, that could be--or topical to the election, that would be a flag for me. Ms. Underwood. What we often see is that, you know, people are in groups, and that they don't--they are not friends with the people in the group. So it just pops up on their feed. So if I am a mom in the 14th, what should I be looking for? Right? Because I don't have access to that metadata. Mr. Durbin. Again, I think if it is from someone that you don't know, and it seems awfully topical, it is a pretty good coincidence that around this election we are--which is--this is a hot topic for us--I am getting some--a social post from somebody I don't know, that would be, certainly, a red flag for me. Ms. Underwood. OK. But if they--``they,'' being the social media users--want to report a potential bot campaign, do social media companies currently have a timely and effective way for people to do that? Mr. Durbin. I don't know for sure what processes the social media companies have in place. Ms. Underwood. Anybody else can--can anybody else answer that? Mr. Durbin. I will speak from personal experience. The only way I was able to report a fake LinkedIn profile that had connected with me was to tweet at LinkedIn. That was the only way they responded. They did not respond to the abuse report I filed. Ms. Underwood. Interesting. Following the 2016 election, Symantec conducted extensive research on the use of Twitter bot campaigns to promote disinformation leading up to and during the 2016 election. Mr. Durbin, can you share any lessons or key findings from that research as we prepare for the 2020 election? Mr. Durbin. It was very well-planned. There is this impression that it was a bunch of trolls out there that were behind this. We found that not to be the case. They took their time in planning. They set accounts up months before they started using them. They were set up so that--it was kind of a main group that was responsible for the key content. Then there was a much larger group of the bots that were designed to get that fake messaging out. It was very effective with this kind of generate and amplify. The response to one of the accounts, which was in my testimony, only 10,000 tweets, but was retweeted over 6 million times. That is a clear indicator that that those 6 million were not bots. Those were actual people that were choosing to read a message that was generated from a fake account---- Ms. Underwood. Right. Mr. Durbin [continuing]. Believe it, and then re-tweet it out to other people. Ms. Underwood. Right. For years now, social media companies have been on record saying that they are working to combat the use of their platforms to spread disinformation, specifically during election times. But new reports emerge every day. Just yesterday we heard about 4 new disinformation campaigns backed by foreign states on Facebook. Do you believe that these companies are prepared today for the 2020 elections, Mr. Durbin? Mr. Durbin. They claim that they are. I believe that they have the tools and the resources inside that they--they could take action. Whether or not they are, I am not an expert, I am not inside those organizations. Ms. Underwood. OK. Thank you. We have done a lot to secure our elections, but there is a lot of work that needs to be done to secure our Nation's election infrastructure. As technology continues to advance, so must our resources and policies to combat foreign adversaries who would seek to exploit new technologies to do us harm. Moving forward, this is going to take a whole-of-Government approach to preserve the integrity of our democratic institutions. I look forward to working with all my colleagues on this committee and the House to address election security from all angles. I yield back. Mr. Richmond. The gentlelady from Illinois yields back. I want to thank the witnesses for their valuable testimony, and the Members for their questions. The Members of the committee may have additional questions for the witnesses, and we ask that you respond expeditiously in writing to those questions. Without objection, the committee record shall be kept open for 10 days. Hearing no further business, the committee stands adjourned. [Whereupon, at 3:28 p.m., the subcommittee was adjourned.]