Skip to main content

tv   Internet Governance  CSPAN  August 1, 2018 8:01am-10:01am EDT

8:01 am
>> this august on american history tv on c-span3 watched our nine part series 1968, america in turmoil for each night will look back 50 years to the tumultuous year marked with war, political assassinations, and the rise of the political left and right.
8:02 am
>> i sit and look at how the internet is regulated by governments around the world. witnesses including former homeland security secretary michael chertoff discussed how other countries standards for internet access, security and privacy could be a model for u.s. regulators. the senate commerce subcommittee is two hours. >> good morning. today's subcommittee meets examine international internet policies and their impact on u.s. businesses domestically and
8:03 am
abroad. i am glad to convene this hearing with my good friend and colleague, ranking member schatz. the internet as we know it has become one of the most important inventions in our nation's history. we use it for just about everything. thanks to infrastructure investments and ingenuity, the internet is now an economic engine driving job creation and unprecedented access to information and opportunities. in a short time, the world wide web has transformed into a global, interconnected information superhighway facilitating growth, freedom, and economic prosperity. the multi-stakeholder governing model has been key to the internet's development across the world. this model has fostered the creation of a dynamic internet economy that promotes investment and innovation. we owe many of the cutting-edge products and services we enjoy today to the internet economy.
8:04 am
underpinning this economy is internet data. as the internet grows and more people, and things, become connected, the volume, quality, and variety of internet data increases. this is driving the development of new businesses and services, and it is enhancing online experiences for consumers. internet data is an essential commodity for businesses to compete and grow in the global digital market. the importance of internet data has not gone unnoticed internationally. in fact, it has expanded the focus of the conventional internet governing agenda. traditionally, internet governance has centered on the formation of policies and rules dedicated to the internet's technical development across jurisdictions. while this remains an important function and primary focus, the increasing value of data has
8:05 am
shifted attention to the collection, use, movement, and overall treatment of internet data. the rise of data localization rules, involving how data can be processed in a certain territory or jurisdiction, along with local content requirements, internet censorship policies, and cybersecurity laws are a few examples of this growing trend. policies targeting data and networks often stem from a country's interest in fostering its own innovation or protecting its people from possible data misuse. but here's a new problem, the global nature of the internet means that the impact and power of these laws goes beyond a jurisdiction's borders. u.s. companies compelled to
8:06 am
change business models or alter operations to achieve compliance in foreign markets, and they are experiencing disruptions in their own domestic operations as well. the result is less job creation, less investment, and less innovation in the united states. consumers are feeling the effects of international internet policies, also. overly restrictive limitations on data movement or inconsistencies across jurisdictions ultimately deliver an internet experience to consumers that is less personalized and more expensive to access. today, we look forward to examining the impact of global internet policies on u.s. businesses and consumers as well as the continued development of the internet around the world. i would mention that i am chairman of the helsinki commission, and as part of the
8:07 am
commission's mission, we promote economic cooperation overseas, and so i also look forward to discussing the appropriate role that congress should play in enhancing international coordination on the future of internet policies and empowering u.s. businesses to prosper in today's global internet marketplace. this is critically important to maintaining u.s. leadership in data-driven innovation and internet technologies for years to come. i welcome the witnesses here today and will introduce them in a moment after we have heard an opening statement from senator schatz. >> thank you, mr. chairman. thank you for holding this hearing. we are here today to talk about governing an internet that is truly international. it serves billions of people of different culture, cultural and economic values and ideas of how it should work, and that presents a challenge. but we also have more specific
8:08 am
challenges such as online terrorism, foreign propaganda, interfering in elections, state sanctioned surveillance and misinformation that can lead to violence. and as we consider them, we have to ask how they can be addressed without compromising basic human rights, such as free speech or privacy. approaching any one of these challenges would require a long and technical conversation, and so it's unrealistic to think that we can solve all of these weighty policy issues with hearing or two. but what we can do here is highlight and demonstrate support for the forums where these discussions can happen any more comprehensive manner. the transition from intake to icann is a good example of how technical governance of the internet is best served by a process in which all stakeholders participate. these include industries, civil society, academia, users and governments the government driven forums like oecd, g7 come
8:09 am
g20 and debbie gao allow people to come together to address important internet policy issues including security, economic development and trade but russia, china and iran use these forums to push for agendas that speech, restrict free markets. that's why the us and our allies need to maintain our leadership to preserve and defense democratic principles. free and open internet is in our common interest. the internet started in the united states. it is intertwined with the fabric of our daily lives from basic activities like checking the weather to exercising our fundamental civic rights and democratic values. that's why we have to show up and lead these forums, and to continue to be the indispensable nation. this is generally true for international policy issues that is especially true for the governance of the global internet. unfortunately, our leadership is being jeopardized by this administration. master secretary tillerson's
8:10 am
eliminated the cybersecurity coordinator role and demoted its responsibilities, putting it under the peer of economic affairs earlier this year national security adviser john bolton limited the white house cyber coordinator role for congress is working to reinstate the office of cyber coordinator at the state department, and we hope to persuade the white house to reestablish the cyber coordinator role in the nsc. the u.s. government needs to play an active role in helping to set reasonable rules of the road for internet governance. this means protecting the existing international and multi-stakeholder processes and in this context our standing down will create a vacuum for authoritarian regimes. i look forward to hearing from the witnesses about how we can better engage with the international community to address the many challenges facing the internet today. thank you, mr. chairman. >> thank you, senator schatz. we are delighted to date of the honorable michael chertoff, form
8:11 am
effective homeland security and cofounder and executive chairman of the chertoff group, washington, d.c. mr. james bladel, vice president of policy at go daddy of scottsdale arizona. dr. roslyn layton, visiting scholar, the american enterprise institute in washington, d.c. ms. denise zheng, , vice presidt policy, the business roundtable washington. and mr. christopher painter, commissioner, global commission on the stability of cyberspace, washington, d.c. let's take 25 minutes evenly divided between, among our witnesses for opening statement statements. and secretary chertoff, we will begin with you and just go down the table. >> thank you, mr. chairman and ranking member schatz, and members of the committee for holding this hearing which is very timely. i submitted a written statement which i request him a part of
8:12 am
the record. >> all the statements will be made a part of the record. >> and i should just point out that i check with chris painter, so we interact quite a bit on this issue. let me try to make a few breakpoints. as both the chairman and the ranking member indicated, obviously the value proposition of the internet in many respects rests upon its global nature of a fact it connects up networks all around the world and, therefore, when you have the prospect of fragmentation or localization, you run the risk of undermining the fundamental value of the internet because you would wind up with a number of different networks. this is important not only because we value freedom and the ability to communicate with others around the world and to have discourse about matters of public importance, but because this is critical to our economy.
8:13 am
the reality is the internet has transformed the nature of our economic activity. it allows us to promote exports. it allows us -- if i can use the phrase this intermediate between buyers and sellers so we now have the ability people to sell directly whether it's auctioning on ebay or sign up to look for drivers under uber or lyft or other ridesharing programs and in many respects this is part what is fueling global growth around the world. it's also true that much of the innovation and ingenuity behind the internet which is part of the market value of many of our most prominent companies depends upon having a global market, and that means a global internet. without a global internet that market dries up. we have a very strong interest in dealing with this issue. it also means that no one country can control the outcome. we have to work with our partners.
8:14 am
the russians and the chinese have a different view, and in many cases to the russians and the chinese, information they don't want the public to read is what they regard as cybersecurity, and that is the opposite of what we view as important. so i would make i think three points about what we ought to address. one is, i do think we need to continue to promote what has been described as multi-stakeholder model of internet governance. that means making sure we get not just government but civil society, business and consumers into the mix in deciding how the internet is going to be operated. the russians and the chinese often look to put the governance in bodies like the u.n., which would politicize and give them in many cases control over the outcomes for their own purposes. and i would emphasize that often rules that appear to be merely
8:15 am
technical action have a great deal of real substance. because your ability to control the domain name registry system and to decide who controls basically the traffic flow, in many cases is the key to when you censor the internet or you have it be wide open. a second issue is we do have conflicting laws in different jurisdictions. the internet is borderless but the loss have borders and were often do wind up with complex. congress has passed the cloud act which is open the door to our resolving some of the complex about lawful access by the authorities to data that may be held in and of the country that's a good step forward, and we need to continue to work on resolving these disputes among legal jurisdictions about who gets to access information and what the substantive rules are. in particular because we price
8:16 am
the first amendment will to make sure of the countries don't use their power over multinational global internet companies to drive a vision of censorship that would fundamentally undermine our constitutional values. and finally i would say in full disclosure is in a book i have just written recently, that we need to talk about what privacies like when we're generating so much of data globally that the idea of keeping it all hidden is a ship that has failed. and now becomes an issue of how do we control the data and what rights do we as citizens and consumers had to make sure that our data is not being used in ways we don't agree to or that will hurt us. so these are very meaty topics and i look for to answering questions from the committee on any and all of these. thank you very much. >> thank you, mr. secretary. mr. bladel. >> thank you. good morning, chairman wicker, ranking member schatz, and
8:17 am
subcommittee members. my names is james bladel. we appreciate the opportunity to testify before you today. go daddy is the world's largest web platform dedicated to independent ventures. we provide the tools, insights and people necessary to enable small businesses, aspiring entrepreneurs, or anyone with an idea to get that i get up and running online. every idea starts with a domain name. a domain name, whether it is a dot com,.org mac or new extension like dot app or dot blog is essential to create an online identity. godaddy, manages over 76 million domain names for 18 million customers worldwide. whether that customer is a florida and mississippi or baker in london or a web designer in mumbai, our mission is to provide an excellent customer experience that is uniform around the world. folks -- folks incident is in national policies and relations on end-user expenses and global competition online.
8:18 am
today i i would like to discuss the following three issues, first, the adoption of laws and regulations by countries designed to exclude american companies. second, the patchwork of privacy laws and regulations, and third, the agreement between ntia and verisign which underpins the global internet domain system. internationally we're seeing an increasing number of countries adopt laws and the galatians that make it difficult to serve our customers in those markets. we have encountered numerous examples of foreign regulations on a net providers that would require us to establish a local presence or use local banks or even hire a local workforce, all in order to gain access to that market. some nations aggressively regulate content and censor political or religious views. taken together all of these regulations stand in way of godaddy reaching your customers, competing in new markets and developing innovative products. laws like these are harmful to providers and consumers alike, and are a barrier to free trade.
8:19 am
there's also an increasing number of new privacy regulations such as the european union is a new general data protection regulation, gdpr, and these have greater patchwork of laws with which companies must comply in order to operate globally. gdpr compliance a major undertaking for go daddy. gdpr touch every aspect of her industry but most only it a significantly disrupted the whois service which is a directory of contact information for domain name registrant. whois is a two-edged sword. it serves an important tool for law enforcement and other stakeholders but it's also a a gold mine for personal data for spammers. currently we engage with representatives of law enforcement agencies and our colleagues at icann to strike the right balance between providing access to whois for legitimate purposes while protecting the private information of our customers. also crucial to the health of the unit is a a 20 euros cooperative agreement between ntia verisign. as your web dot com makes up
8:20 am
about 80% of domain names and the popular grievant holds the wholesale price of dot com domain names at $7.85 per year. this is still the to expire in november and it's our extend that ntia and verisign are currently in talks to renew and possibly amend this agreement which could potentially raise prices. go daddy service millions of small customers and in our experience of their sensitive to price increase. we believe it's important to preserve icecaps and any renewal of a cooperative agreement. eventually would leave our industry all consumers benefit from this full dot com agreement being put up for competitive bid. the internet has matured and while with no complaints about their science performance of the contract there are several companies that could capably operate the dot com registry cleaners on perhaps lower cost. so thank you again for the opportunity to testify here today. we believe the united states must continue to push back on protections policies imposed by
8:21 am
other countries and help mitigate a global patchwork of inconsistent and unclear privacy laws. further were hopeful ntia will increase in severity and extend the current dot com pricing the so-so at any renewal of the cooperative agreement and a gate with icann and others to put that agreement for cooperative, for competitive bid. thank you for your time and i look forward to your questions. >> thank you very much. dr. layton. >> thank you, chairman wicker and ranking member schatz. chairman wicker, thank you for your leadership of helsinki commission on security and cooperation and joint defense of human rights. it reminds me how americans of every part of our nation can label and internet policy. for example, mississippi is innovating in telemedicine and precision agriculture. as a unified g erick our economy will broaden with sport applications for cities, carson sold. it's not just search engines and social networks. we want to export these platforms and services and this
8:22 am
underscores the importance of today's hearing. our conscious practice international technology policy for at least 230 years. alexander hamilton's report on the subject of manufactured some 1791 advocate for modernizing the american economy to break depends on slavery and supersede england and manufacturing. we revere hamilton for his enlightening contribution on the importance of central government. equally, we revere thomas jefferson for championing of individual freedoms. our policy legacy is to hold the balance of the rule of law with individual rights, and the salaries should underpin our approach to internet governance. the united states is one-third of the global tech economy, and we should shape the international bible with our values. but we won't have any credibility it are policies just about american companies making money. he must export about system that legitimately empowers and rewards other nations to participate in a free market economy to respect the rule of
8:23 am
law and individual rights, to limit regulatory distortions, ,o protect property and to improve quality of life. this is how we ensure our preaching is most error, rational and humane. a popular misconception is that the global data protection regulation, or gdpr, protects privacy. it does not. the gdpr is about data regulation, specifically 173 rules on data regulation. europe is the destination of two-thirds of america's digital goods and services, and juice companies are suffering because of its cost and complexity. i live in copenhagen so i can experience this. i can no longer look at a newspaper such as the "l.a. times," fisher "chicago tribune," the new daily news, the hartford courant or baltimore sun. additionally, 60 additional newspapers in illinois, indiana, minnesota, missouri, montana, nebraska, nevada, washington and wisconsin are not available. this reduction in content has
8:24 am
reduced visibility for u.s. advertisers and to shut them out of independent ad exchanges. retailers williams and sonoma and pottery barn no longer sell in the eu. in companies from washington state that down the online communities. a nevada provider of i.t. service no longer take european customers. in mobile mercantile from company with six office in the united states as close its eu operations or even the website of the association of national advertisers is not available. if we adopted such a measure in the united states it would likely violate our freedom of speech as a government requirements are so onerous that the reduced expression. indeed, california's gdpr inspired legislation should be preempted federally for this reason. the eu parliament is using the gdpr as a pretext to torpedo are faithfully negotiated privacy shield agreement. these actions violate international law and we need to challenge them in court. the gdpr is a global standard.
8:25 am
the eu tried this before with the 3g mobile standard hoping we would get on the platform if we didn't copy them but we leapfrogged to 4g lte. we need the same strategy with the gdpr. not to copy but to make a better and different alternative for data protection. we can do that by meaningfully empowering consumers for digital competence education and incentivizing privacy enhancing technologies. i want to upload senator klobuchar for her leadership on a proposed bill. in closing we must walk the talk. for rational predictable and consistent framework of broad, we need to start at home. therefore, the right policy should be consistent framework with the same rules for all players grounded modern evidence-based standards of antitrust delivered by the federal trade commission. this also requires addressing the regular prejudice that has deterred flexible pricing and innovation to business models and platforms. for example, the cooperative agreement the between verisignd
8:26 am
u.s. department of commerce on the capstone suppressive dot com domains for less arbitrage in the secondary markets. just as jefferson has secured the mediterranean sea lanes for free trade in the 19th century, we have to secure the information lanes with the free flow of data today. this is now our leadership challenge. >> thank you very much, dr. layton. ms. zheng. >> chairman wicker, ranking member schatz, members of the subcommittee, thank you for the opportunity to testify on behalf of the business roundtable. today, you companies can compete and succeed without making extensive use of data and digital systems. recently, there's been a rapid increase in number policies around the world that undermined digital innovation, trade i creating fragmentation, uncertainty, significant compliance costs and other unintended consequences. the complaints environment is increasingly cumbersome for large companies and simply
8:27 am
impossible for small companies and startups to comply. the eu and china are the most active players and volley of digital regulations. but india, russia, south korea and other asian and latin american countries are ramping up efforts to develop and enforce a wide range of cybersecurity, privacy, and data localization policies. china has the most aggressive regime in place mandating all important information and personal information be stored locally in china. it is going to find the law would require any entity that owns and operates a computer network and applies to a vast assortment of different types of data. india, russia, nigeria, south korea all have enacted laws that prohibit transferring various types of business and consumer data. in fact, the least 34 different countries have data localization requirements that can raise the cost of posting paid by an estimated 30-60%. approximately 120 countries currently have data privacy laws
8:28 am
and many more are considering legislation in this very. some decided to discontinue offering products and services in the eu because a gdpr compliance costs which are so high that they can no longer justify being in the market. for example, some friends are blocking eu-based users from the products and services including from visiting the website to avoid facing steep fines of 20 million euros, or 4% of annual revenue, whichever is higher. the gdpr of is costing a fortune, global fortune 500 companies the combined total of $7.8 billion this year to comply. fragmentation of domestic policy regulations in the united states is also on the rise. in addition to several existing sector specific federal and state privacy regulations, california recently passed a a privacy bill that applies broadly across many sectors. numerous other privacy proposals are pending in state
8:29 am
legislatures that if passed would further increase the complexity privacy regulations across the u.s. cybersecurity regulations are also expanding globally. the financial service industry is an example of a sector faces an expanding number of international cybersecurity requirements with more than 40 different policies including overlapping mandatory risk assessments, incident reporting to multiple authorities in each country. don't get me wrong, cybersecurity is a serious matter. it should have mechanisms in place to ensure adequate protection but i'm corrugated policies across means companies must reconcile competing regulations that divert resources way from security toward compliance. a fragmented international digital policy landscape likely the most significant impact on startups and small and medium-size compass with limited resources. to comply with ambiguous requirements and opaque reviews in countries like china where accepted paperwork associate with eu policies.
8:30 am
an emerging technology like artificial intelligence and blockchain are handed by regulatory uncertainty. for example, the data minimization, automated decision-making and provision of the gdpr could create barriers to the commercial development of these important technologies. in light of these trends i would like to invite outlining four area for congressional consideration. establish all answers. particularly with like-minded countries to counter technology restrictions as as a conditiono accessing foreign markets. we are more effective with strong partners and allies. second, the u.s. would lead and the development of international norms, s practices and standards for cybersecurity, privacy and cross-border data flows as well as emerging technologies such as aim blockchain because rules for those did not yet exist. third, the u.s. must work to align and harmonize policies to avoid global fragmentation. we cannot be missing an
8:31 am
important international forum on digital policy issues as china and other countries are actively seeking to rewrite the rules of the internet that are fundamentally at odds with open markets and democratic values. and finally and perhaps most immediately, congress should act to protect transatlantic cross-border data flows but make the ombudsman a permanent position within the state department. it should also act swiftly to confirm the nominees for the privacy and civil liberties oversight board which plays a critical role in the fully requirements under the privacy shield. mr. chairman,, thank you for leadership and holds hearing and for encouraging a dialogue of the 42 taking questions. >> thank you very, very much. mr. painter. >> chairman wicker, ranking member schatz, members of the subcommittee it is a pleasure to be here today to discuss the impact of global and in that governments on american businesses, end-users and u.s. policy of promoting and maintaining an open
8:32 am
interoperable and secure internet. for over 26 years i devoted my life to cyber and internet issues including most recently serving as first cornet courtnr cyber issues at the department estate. i worked with components across the department, in agency and outside stakeholders to advance the use vision of cyberspace both technical and policy challenges. my focus today we will address them. first it's important note the policy threats we face the distinct are often in a related and of economic human rights and security elements. when china claims sovereignty over it cyberspace it directs a digital wall around its territory, that has profound economic and human rights implications that it is vital that our response to the judges not be that siloed but courtney to bring together the four ranger department agencies and other stakeholders to defensive end to credit u.s. policy. i think of us have internet issues are being debated in virtually every country and every international regional organization. i believe we've reached an
8:33 am
inflection point with issues discussed in useful if of a major impact on the future of the internet and cyberspace. accordingly advancing use patient cyberspace including u.s. commercial interest requires unprecedented u.s. international engagement and strategic leadership. among the many policy challenges we face are threats by machines replace this is a multi-stakeholder in that conference with one that should my government only multilateral bodies in part to control content and curtail the free flow of information. threats posed by china russia and others to online freedom to have negative human rights economic impact, mandatory data localization requirements that are not scalable or economically practical and are often used by repressive governments to monitor and control their citizens and countries a multilateral bodies around the world and acting or considering regulatory policy or legal regimes fill in some aspect of sources including online privacy, cybersecurity, market access and emerging technology complex with your salads and interest or risk rate
8:34 am
conflicting regimes that fragment in it. widely threats by nationstates organized criminal groups and other bad actors threat to undermine our confidence in the internet and network technologies and strike at the very core of our economy and democracy. my overarching recommendation to address these challenges is what used to step up its international engagement on these issues and make them a true national priority. this requires enhanced structure, resources and whole of government strategy. on structure plot the continued efforts of a former colleagues at stake, commerce and other agencies but i believe those efforts have been hampered with the lack of sufficient high-level office of the state department and the recent abolition of the cyber coordinator position in the white house. i commend the house and senate to restore strengthen and institutionalize my former office. i'm particularly please these efforts were bipartisan reflecting the a bipartisan nae of most of these issues. in the past necessary whole of government coordination on this crosscutting issues has been boosted by the cyber coordinator position, the national security
8:35 am
council. the loss of the high-level position coupled with a least a tapered motion of my prior office complicates coordination and sends an unfortunate signal to both our friends and adversaries that the administration does not prioritizing these issues. resources are vital. this includes funding for capacity building that was cut last year. capacity building codes working with foreign governments on aspects of internet governments or regulatory policy, helping countries enact laws and strategies, working with countries to boost the ability to combat cybercrime and have strong cybersecurity king abdullah's. it helps when the sport of different countries for our vision of the internet and cyberspace. it's important the private sector and civil society and others to continue to engage in these efforts to enhance their participation. many companies and some society groups are making valuable contributions in a variety of international forums, given what is at stake we must find ways to
8:36 am
increase participation. it's important the use has high-level cost cutting innovation strategy, outside stakeholders and like-minded countries to do with the many challenges we face internationally and help direct and prioritize our engagement. i make a number of suggestions in my written testimony including strengthening multi-stakeholder institutions including the internet of governance forum, short leadership on privacy and other policies, addressing data localization through the cloud act and supporting cybersecurity, cybercrime stability efforts but all are dependent on international engagement plan. i look forward to your question questions. >> well, thank you all for this very, very fine testimony. it sounds like we got some challenges, and in that regard, secretary chertoff, the ntia recently issued a notice of inquiry soliciting public comment on its international internet policy priorities.
8:37 am
in your testimony you mentioned house of much of the internet's value is in its global nature. so how do we balance the business needs for the free flow of data with the point you make about the need to protect our freedom of action which requires that we take greater ownership and control of our data, even when it is accessible to others? [inaudible] >> is it on? >> i think so. >> now it is. i think, mr. chairman, you referring to something in my book there. >> page four of your testimony. >> right. so here's what i think in terms of speed how is your book doing? here it is. >> there it is. i think it's doing well. you are reading it. >> hundreds of people are watching right now. [laughing] >> i do think that people do
8:38 am
need to take ownership of their data and the need to have more control of the data, take a because so much is being generated now that really if we don't have some mechanism to assure them have a say in what is done with it, we really risk our freedom. at the same time i'm nervous based on the test when we've heard up to note that the european message tends to be a little bit overly bureaucratic and overly heavy-handed in terms of regulation. to me the solution is to recognize that certainly with most of the world that shares western values, we have a common general approach in the ports of freedom and individual privacy. and we should acknowledge that and work in a cooperative way to develop a system of rules that honors that fundamental objective but doesn't get so particular risk and some of the hand that action creates barriers to the free flow of information. we have succeeded in doing this
8:39 am
in other areas, particularly with the europeans, and after what might other, my call witnesses have said, this does require consistent engagement by u.s. government and by u.s. civil society with counterparts in other parts of the world. [inaudible] >> dr. layton, you specifically testified quote a popular misconception about the eu's general data protection regulation is that it protects privacy. it does not. talk about that, and if we're going to try to negotiate with the eu on tariffs and preferences, shouldn't the gdpr be part of our negotiation? >> short answer yes, absolutely. just so you know, the word privacy only appears about three times in the entirety of the
8:40 am
gdpr, and it's specifically their version of data protection and i think it's, so our, for example, you can go to many countries in europe where peoples mobilephone numbers are publicly available. the tax returns are publicly available. people swim naked in public places. so we have very different conceptions of privacy. what i would like to underscore is that the gdpr is actually geopolitical, not a humanitarian, move. it is, after ten years of economic malaise in the european union. there's a deep dissatisfaction with brussels. less than 40% of europeans vote in the election, so this is a reaction to that. and i would say the europeans the i know, they want prosperity. they want to move forward. the public opinion was not important with heavy-handed aph that the eu took. >> and i believe you say it is not evidence-based. >> that is correct.
8:41 am
the idea of an evidence-based process would include a process of data and outcome. so in the 173 provisions, you that something over a decade of gdpr kinds of rules that have been in place. and after a decade what we can see is that only 20% of europeans even shop outside their own country. and only 20% of businesses are online. so the rules have that worked to increase trust in own online system. that was the whole idea that there would have a single market the way we do in the united states. and these rules have not helped them to achieve those goals. >> so your position is not good for europeans, not good for americans it? >> absolutely. just to share one less thing that just happen. now the european soccer league have adopted a policy that they will not trade the soccer players and they cannot disclose information on their injuries. so if you want to have, by f particular soccer player or trade them to your team, you are
8:42 am
not about to no injuries they have. this is hurtling back on them. governments as well. the european governments are also liable and there is abuse. >> very good. we will probably take another round, if we can. senator schatz. >> thank you, mr. chairman. thanks to all the test of fires. i will start with mr. painter get you the state department cyber coordinator for six years and you describe the importance of the position, kind of as policy and then awakened at stake there i'm wondering if you can give me some specific examples of what you did that made a difference in terms of the governance of the internet? >> sure. among other things, i think really central to all this is showing his leadership and building alliances of other like-minded countries so that we can push back on a lot of the things we talked about today, particularly attempts by russia, china, other countries to take over the internet or to impose internet or multilateral control
8:43 am
over it in venues like the itu, u.n. and other places, getting a coalition of countries and having that interaction with them whiskey to do that and i was u.s. taking the lead. we're not sitting on the back bench and i think those are important. also incorporate issued a internet governance, economic issues, human rights issues and every dollar we have with every country. we have dialogues with number of other countries and that raise these issues so they were not stovepipe in one area or another. we also helped on the freedom online coalition which is a group about 30 countries to promote freedom online and also working all these different international venues. we created advance the framework for cyber stability that included the application of international law, norms of behavior in cyberspace, confidence building measures which addresses some of the instability issues of the internet because it's a platform needs to be secured to relate underlie all the commerce that we're hoping that happens there. >> so -- >> and a number of other things.
8:44 am
>> so we should reestablish the position. what else? >> i think there's a number of other things we can be doing to promote this. one is to step up this whole of government level engagement across the board and work with companies, and that involves forming coalitions again with like-minded countries who would supporters, who at the same basic view and engaging in that level. another thing is to provide concrete alternatives. we don't like some of the things that are going on. i think we all agree that if the u.s. is not providing concrete alternatives when you're trying to export their laws, for instance, china, or even you with gdpr, don't have i.t. or an alternative that is undetectable attractive to others, they will adopt those standards. having things like there was in the obama administration privacy bill of rights that was some websites to try to bring them forward, if we concrete alternate that really balance all the issues the panelist
8:45 am
talked about to provide alternatives, i think that helps. and i think those are really some of the key things we could do. and many others but those are two of the important ones. >> secretary chertoff, i think a lot of us struggle with the desire to look what happened in 2016 2016 in terms of election interference especially on social media platforms and to what our national security agencies and the platforms themselves and even voters to be more engaged so that we are not as vulnerable in the future. what we don't talk about as often is that we have to be pretty careful and precise in terms of what model we establish for working with the government to push back against constitutionally protected speech. and that's the difficulty because those tools that we establish will be an example not
8:46 am
just for our allies and our like-minded friends around the world, but some of our adversaries and authoritarian regimes. and i'm wondering, you know, , n a minute or so remaining you could talk about how we strike the balance, and i'm not sure get into that in a minute, so when we work on striking the balance to me is the fundamental question. >> well, senator, i think that's exactly the right question. briefly i would say this. i do think we have to be very protective of the first amendment and, therefore, be extremely cautious about proposals to regulate content or say certain content is off limits. the first amendment basically gives us freedom of speech except in a very narrow category think. where i do think there's more room for action taking from affirmative action is an area of disclosure of identity about who is posting things. so, for example, i know there's legislation pending about requiring foreign entities that by ads or otherwise pay for
8:47 am
space in social media platforms, i think that's consistent with what we do off-line and there's a reason not to do that. likewise, i don't think there's any first amendment protection for impersonating americans or for botnets or for automated trolling or other ways of manipulating search engines. those are areas i think a quite usefully focused on working together with social media companies. >> thank you. >> thank you, senator schatz. senator fischer. >> thank you, mr. chairman. dr. layton, you had mentioned that in europe there some different expectation when it comes to privacy. i would be interested to know how you define privacy in the digital era, and how do we manage the privacy expectations of consumers? >> well, i'm going to give you the research that the european,
8:48 am
the agents for network security actually develop and said that private interest is a function of or mac things. it's a level of education of the consumer or the user. it is the level and type of technology, the business practices and institutions. when you look at something like gdpr it only focuses on two of the four things. so what i would see is if we only get one thing, we as a nation, individuals, we have to do more to have people be digitally competent and digitally aware. and maybe not necessarily something that congress defines exactly what it is but we have a tremendous amount of information and ability to communicate. so, for example, i want to recommend mr. chertoff book which i just read. he talked about the first thing by her beware. the number one thing cybersecurity jeff to take responsibility for the platforms, the networks that use. >> so to define privacy in the air that we are in now, this digital -- the first thing would
8:49 am
be by her beware? >> taking -- >> it's up to each of us? >> so there's a gap right now, a gap in what, we need to close the gap in terms of the idea of digital literacy or a what of the ten things i need to know before you go online to protect myself? and so that is the gap which is missing in the gdpr today. with the scientific research shows that's important, and we need to to make legislation to do that. we can actually each and every person can take a step up and take responsibility for what we do online. >> so the expectation is that each individual is responsible, and the is a space we take your chance. >> with no, that's not what i'm saying. the four factors i mentioned were missing, two out of four right now. so with lots of regulations. we have lots of rules on businesses. lots of institutions where missing education were missing
8:50 am
and since the privacy enhancing technologies. so i'm trying to promote as individuals we take more responsibility for what we do. >> mr. secretary, do you feel that lack of any kind of unified data privacy policy could lead the united states becoming more isolated? [inaudible] i do, senator. i think that, first of all even within the country, california as i passed a law that is with the issue of control of data. we could wind up with multistate laws that a conflicting with each other, at least inconsistent, and sort it would be helpful at least to smooth it out here. but beyond that to come back to the fundamental point, i recognize that a country like russia or china will be fundamentally different in their attitude to issues like controlling data and controlling information. and so, therefore, there may be limited scope for agreement. but i do think with western
8:51 am
countries, although their particular approach tends to be different than ours, tends to be much more regulatory, micromanaging, i think the basic value system is a very compatible and that's where i think and the ability reached an agreement is as to what our overall objective is, would open the door to them or get some of the differences which have created barriers for our businesses as well as some confusion about what the rules are. so to me this is about ultimately how do we protect peoples rights to make sure the date isn't being used in a way that's contrary to the interests but that invades an enemy that we think they ought to be in control of. >> many of us on this committee also serve on armed services committee, and we worry about the security of the information that agencies have and that agencies also share. a lot of times civilian agencies
8:52 am
don't have the security, say, as the department of defense would have. how can we ensure that that information that's out there is more secure? in your role as head of the secretary of dhs, you were very involved in that. what do we as policymakers need to look for? >> i think the challenge here is unity of effort among a lot of different agencies, many of them don't regard secured as a core mission. unfortunate exhibit pays off as a personal management which probably everybody in this room was a little bit a victim of that hack. i do think the administration has made the right decision in designating in terms of government security dhs playing a lead role and i think it's important to make sure that the department has the authorities necessary to make sure that all the agencies that up to the
8:53 am
requirements of basic cyber hygiene and cybersecurity, including continuous diagnosis and monitoring, response plans, and deadly cancer elements of elements of a layered defense. so that set of the first making sure that is firmly lodged in one accountable agency and that is a privately funded i think would be a big step. >> thank you. thank you, mr. chairman. >> thank you, senator fischer. senator inhofe. >> thank you, mr. chairman. i'm glad senator fischer brought up the situation on the defense authorization bill because i see a lot of similarities here. in fact, we will be voting on that, ask the conference, past the house last week and we would probably have it on thursday my guess is. but watching, and this does change with administration, we went to and administration ages, the obama administration, you know, , in all fairness didn't
8:54 am
have the priority on domestic defense, a lot of us believe it should have. as a result we have some areas, i'm getting at trying to determine where russia and china are now relative to us in the subject at hand in this committee. because i can tell you right now there are a lot of areas in defense, one being areas of artillery is measured by rapidfire in range, and actually russia and china are ahead of us in both areas. they are ahead of us in our nuclear activities, triad in this hypersonic hypersonic is a big thing that's come into the defense system because it's a system that operates at five times the speed of sound. so it's very significant. so i'd like to start out by
8:55 am
maybe, i would ask anyone, i keep hearing, i know you folks are experts but i keep hearing that yes, we are still in her areas although the ahead of china and russia but they're catching up. is that an accurate characterization? >> senator, thank you for the question. i think, i i probably shouldn't speak to the capabilities as state actors. i can see from our perspective as a private sector company we see that the largest and most frequent attacks, cyber attacks of our systems are originate from russia and from china, and our cooperation is primarily through private sector industry coalitions and coordination, both vertically and horizontally throughout the technology industry. >> you mention also, it wasn't in your written statement but when you're speaking a moment ago, that there are now 120
8:56 am
countries that have a data processing law. that means there are a lot of them that don't have those, and we should have adequate protection, i think everyone agrees with that. and we are more effective with partners. now, the question i i would ask you is, we all agree that's right. how do we see meant these relationships with the partners that should be doing the job with us -- see meant? what's effects good thing we go out and attract partners would also agree that we are more effective if we do as a group? >> senator, i think that point was made by one of the other panelists i'll go ahead and build on that that the proliferation of different privacy regulations is creating confusion, creating friction and it is growing issue as another one of the witnesses testimony noticed that the gdpr is gaining
8:57 am
momentum orgy party for the type frameworks are gaining momentum outside your. i think the answer is that we continue to show u.s. leadership by helping to push back on the differences and the inconsistencies between the various frameworks and focus on those areas of commonality and try to rally around those core principles of what we believe to be the protection of data but allowing the free flow of information and the conduct of comes across borders. >> that's good. secretary chertoff, you made a statement that this is ghost talk about the role of the united nations and russia and china want to enhance that role. i think we all understand and agree with that, but what's the most, how effectively could we try to accomplish that? >> i think that the u.s. is generally consistent -- having
8:58 am
trouble with this. i think the u.s. is generally consistent in saying we don't believe that u.n. is the right form for dealing with these issues, partly because, take the with the security council. that would essentially politicize the process of dealing with technical aspects of the internet, which is why the russians and the chinese want to do that. i think we need to continue to look, again, this multi-stakeholder model where we go forward, engages a private sector, the business community and consumers in coming up with proposals for how to reconcile various interests that are part of the internet. and just a follow up a little bit on the prior question, a lot of, a lot is dealing with these issues showing up by being present, by dealing with your counterparts and other countries. my experience is you often find there's a greater degree of fundamental agreement that might
8:59 am
be evident at first, but in order to build up the impact you have to play. >> all right. very good. thank you very much. thank you, mr. chairman. >> thank you, senator inhofe. senator capito. >> thank you, mr. chairman. thank all of you for being here today. i would like to see at the onset that the department of homeland security is in new york today announcing i think a really great move on the part which is a new cyber have to protect our clinical u.s. infrastructure conservatives a little bit into what we're saying or a lot of what we're saying today. but to be that nexus point of the nation's banks, energy compass and other industries to help protect them from major cyber attacks, some want to say thank you to the secretary. i know that you probably asked for your advice as they are moving forts i think it's a very good thing. on the come all of you talk about the gdpr and the regulations that come from the
9:00 am
eu. some of you interested in a problematic way. i think mr. bladel, you talk about how it's causing you to divert assets into figure out how to do this. i think dr. layton, you said interestingly in yours, popular misconception is that it protects privacy piggies that it does not, it is about data protection or more accurately, data governance. your last statement in your written statement says data protection is a technical issue whereas data privacy is a legal issue. so do you think as a look at governance we need to look at both of these issues together? ..
9:01 am
>> the-- versus the european approaches, it's making requests and requirements of others in order to do those things. so, our understanding of privacy is fundamentally different. the other aspect is, amongst this 173 provisions, it's really a hodgepodge of essentially a laundry list of a set of stakeholders that want to have certain regulations to be able to go after american companies, to achieve outcomes that they could not achieve in the courts or through anti-trust and the gdpr itself reverse engineers a number to create a class action lawsuit culture, so that people can have standing in courts to be able to bring lawsuits they couldn't before. to date, the europeans didn't want to have this sort of u.s. style class action lawsuit culture for better or worse and that's changed now, so that we
9:02 am
have now the abuse of complaints. you could get a million complaints in a day, that's just automatically generated. there's 62 data protections in the eu. they don't have training how to do this. then format will be very disjointed, it's primarily focused on u.s.-- >> i guess if we're looking at this in terms. future, we need to look at lessons learned as they've been trying to implement theirs. so, you say that the gdpr enshrines the right to be forgotten, that mandates eu individuals can force service providers to remove certain information about themselves. when i asked mark zuckerberg when he was in front of our committee, do individuals have the right to remove their individual information, in other words, remove themselves from facebook. personal
9:03 am
personally, i feel that they should have the right. he says they do have that right, but i'm not sure that they-- >> there are positive aspects, i agree you should have control of your data and have transparency of your data and privacy things we should be looking at. what this does is create intention with the first amendment and human rights. what it says, you can delete your data everywhere, public figures or news worthy stories that people have the right to consume and the first amendment rights. the trick is making sure you're doing this in the right way. and the approach taken to the eu, i think, is too broad. i totally agree with you for providers with facebook and other providers like that, it's your data and you should have a chance to edit it and have access. >> in the general sense if we're going to figure out how
9:04 am
to move forward internationally on privacy, there are so many conflicts and then we haven't even-- in my questioning, gotten into what russia and china think your right to privacy is, which is vastly different. thank you all very much. >> before i recognize senator peters, was the gdpr a statute enacted by the european parliament or was it written by regulatory agency? i know it just went into effect in may. who can anticipate that? dr. layton? >> sure, so, if you'll ask john phillip albrecht, the european union-- there will be parliamentary laws and then an eu-- >> who issued it? >> the parliament. so that's their congress, if you will. the eu congress.
9:05 am
>> i mean, i think it's important. as i understand eu regulation making or law making, it's the parliament, it's the council, which is the member states and the commission, which is essentially the bureaucracy and they come together. in fact, they're looking at something around certification for cyber security products right now, which the u.s. has been engaging in. so perhaps a cumbersome process, but there's chances for the u.s. to intervene, to have input and we need to make sure that that's happened. >> would it take an act. parliament to amend or change the gdpr? >> okay. senator peters, thank you for allowing me to interject there. >> thank you, mr. chairman and ranking member, appreciate the discussion. as we talk about the gdpr going into effect, the united states if we're going to show some leadership, we probably should
9:06 am
have some comprehensive policy regime ourselves which we are still lacking in this country. it's hard to show leadership to the rest of the world if we can't get our act together here in this country. and as all of you know, our largest tech companies are under some pretty intense global scrutiny right now for mistreatment of data and all the countries are beginning to levy fines against these companies. we're now beginning to ask the question, are they too big and perhaps in need of being reeled in somewhat? so amid some of these anti-trust discussions, mark zuckerberg and other tech giants are recognizing that perhaps some privacy regulation may be necessary. however, there still seems to be a lack of will to participate in productive discussions about where these-- what these regulations should basically look like. so my question to the panel, as we talk about gdpr as relates to global e-commerce and the impact on u.s. companies, from your perspective, were companies that were affected by
9:07 am
this regulation, were they at the table as part of the discussion or was the lack of participation resulting in why we're in the position that we're in today and the concerns that you've raised? we'll start down here, mr. chertoff. >> well, you know, i was not involved in these discussions, but my understanding and impression is a lot of these companies do have a significant preps in brus -- presence in brussels and did have an attempt to interact. i think that some of that is diminished if the u.s. government is not engaged for obvious reasons. >>. >> our company was not engaged in the development of gdpr, however, we were engaged as the multi-stakeholders and how it affected the industry. >> did you see it coming? >> we probably had less notice than we would have liked, mr. chairman, probably about a
9:08 am
year to 18 months in advance was all we received. >> dr. layton? >> well, first of all, i would say i'm very pleased pie the response of congress to look at these issues. i found it has been bipartisan. i think that there has been a good faith effort on both sides of the aisle to address the issue and i'm very encouraged by that. what i would just say about our american approach, the merit of it, we have focused traditionally on sensitive information. we know there are things inherently sensitive, health, financial, things about children. we've focused our resources where we know there was a threat. under a gdpr world, me as an academic, i have the same liability as a major company. so there are concerns about small entities being unduly burdened and so i think there is real value to the american approach that we've taken. >> so, the business round table represents some of the largest american companies, not just the technology sector, but
9:09 am
across all sectors of the economy and i would say that our member companies were definitely engaged in gdpr, they have a presence on the ground in europe. however, you know, the european union is going to take their opinions with a grain of salt, right? because it's ultimately, these are american companies, headquartered in the united states, american jobs, these are-- you know, it's about the growth of american companies. they're willing to hear, you know, our concerns about you i don't know how interested they are in addressing them. that said, i think that companies, you know, are very much willing to come to the table now and have an honest discussion about national standards for data privacy in the united states and how to engage with the european union and countries in asia as well to promote an interoperable frame work. so, we look forward to working with numbers on that. >> you know, i emphasize that
9:10 am
word, interoperability, it's important that we have regimes that are interoperable. and with the government with the eu to try to push back or guide this, like we do in a lot of other areas, i think that can be stepped up. i'll use the recent example and it reflects, i think, a view in europe for many in european that the u.s. doesn't care about privacy which is just wrong. the ftc does more to enforce privacy and most of the european entities. however, we need to fill that void and show leadership so there are alternatives and this doesn't become a global standard. the regime i was talking about earlier. i was in europe talking to parliamentarians about that and a lot of europeans talking about that, and there have been changes in draft law that require u.s. steakholders and global stakeholders, making
9:11 am
sure they're voluntary and risk based approach. that level of engagement needs to be continued. >> thank you for all of your thoughts. appreciate it. >> thank you, senator peters. senator gardner. >> thank you the witnesses for your time and testimony today. had had the opportunity a month or so ago to visit some nations in out east asia, visited vietnam about, i think, it was the same week that we were considering legislation requiring data localization, and what that would mean for vietnam, i was trying to understand and explain. miss zheng, when you talk to businesses, your businesses interact with you, do they talk about the need to share with foreign governments democratic values, ideals, things that we believe in in america? >> yes, absolutely. and i would say that there are various forums where we could be pushing that agenda more aggressive. so, for example, in our negotiations on nafta, digital trade should be a part of that,
9:12 am
negotiation, a lot of sort of underlying, open-market, open data flows, priority should be included as part of that. there are also other forums that we should be actively engaged in such as the apex cbbpr. oecd is also, i think, taking another look at their privacy prir principles next year. not only companies, but also the american department of the or the-- we're fully engaged in those forums. >> dr. layton, what does a country like vietnam, what does it do with data localization policies? >> i'm not sure what vietnam has in mind. it's certainly of concern to me. i want to posit that question to another person on the panel. >> mr. bladel and mr. chertoff.
9:13 am
>> china, there are various reasons countries have done this. one is to limit market access, which is a concern and a concern for data for law enforcement purposes. that's access to the cloud. i think we need to do more bilateral agreements. and russia is a good example, and china is the good example. if you have all the data there, it's easier to see your citizens and monitor and mandatory turnover legislation to make sure intelligence and other sir services have access to it. and that's often what the goal is and push back on the human rights agenda. >> i think you're right. secretary chertoff, what role should you as business withes play, because a lot of telecom companies will be involved-- because me, technology companies will be involved in the buildup of a localization or data center. so how does -- what responsibility does u.s. business have. how do you balance the need for economic opportunity and growth and market access with the fact
9:14 am
that a government that may be using it to target individuals within its own country? >> you know, i think that's a challenging ethical problem for companies. it's a little by the like the issue whether you furnish surveillance technology to press on their own citizens. as long as we're talking about china's desire to have data about chinese citizens helping china, that that's really a matter for the chinese and they're agnostic. others view that as enabling, something they see with the culture of openness and they withdraw. so, i do think that we need to think very carefully about the extent to which we enable the kind of behavior on the internet that's really fundamentally inconsistent with our values. >> you mentioned in your testimony a cyber nato. could you talk a little more about that? >> yeah, i think that we have a regular nato, which i do think has a cyber dimension, but i
9:15 am
think the former president of stone talked about having a community of like-minded nations that would defend our cyber assets against attacks, and not necessarily rising to the level of war that would get into article 5, but even something less, something that attempts to manipulate the political process or engages in systematic espionage or something of that sort. >> and when there was legislation with a cyber diplomacy, you were there and there were conversations at the time. give the need for this idea cyber nato kind of approach, given the idea to have more like-minded nations as relates to cyber behavior data issues, are we on the right strategy? do we need to pass a right strategy? do we need a new strategy or where are we? >> i very much worry it's not privateized.
9:16 am
we're not showing the kind of leadership from the top that we need to do. there was a lot of work that we did, starting this issue from the ground up, because of what was a diplomatic issue before and a number of years ago, establishes one. we're the first office that did this and six other countries including china and russia have the offices and it's important to revise the strategy that we have and make it stronger and that strategy not only helps direct the particular agency, but really across the government and other stake holders so we know where they are in other countries. there were a number of things that were ordered as part of an executive order, we haven't seen a strategy out of that. we haven't seen a strategy how to pull all of these agencies together. the 2011 strategy was a good document, but that was 2011. things have advanced. we need to be sure we're prioritizing. in the state department we had every bureau engaged and we had
9:17 am
two versions that fine tuned the efforts. that need to be done, too. do we need a cyber an ambassador at the state department? >> i think we do. the diplomacy act, i testified in the house about it. it's an approach and i hope it passes this chamber as well. i think it will help elevate our game and that's important. it's not just the ambassador position, it's really the struck that gives this heft and priority. >> are the panelists all in agreement of the concept of a cyber nato? does anyone wish to take issue with that? >> no one's stepping forward. >> i think it depends on how it's formed. i know, tom tillis is a friend of mine as well. it's like-minded countries coming together in the face of shared threats. >> based on that description, it's something that would be interested, but we haven't
9:18 am
formed a position on that. we're just hearing that. >> mr. chairman, you just asked it. it surprises me we don't have that. what's the closest that we have to such an agreement? >> nato does work together and has center of excellence and they do address this issue. now, the issue becomes at what part do you actually reach invoking article 5 and whether that needs to be somehow adjusted in the context of cyber activity. i would say that in 2007 when i was secretary, we did would, with astona when there was a service attack. i don't think it's a big threat, but formalizing what has been operating for a while. >> and it may be updating nato's game on this. cyber is one of the key concepts of nato and that was now back seven, eight years ago and the last few communiques of
9:19 am
nato, cyber has played a key role. there's defending nato countries' assets and then responding to the threats and part of this is beyond nato. if we're going to impose costs on adversaries like russia, that's us, not necessarily all of nato, but a subset of us and we need to be able to do that. >> important testimony. thank you, senator gardner. we now have senator hassan. >> well, thank you, mr. chair and thank you ranking member for the hearing and thank you for the panelists for the being here today. i wanted to start with a question, secretary chertoff. on the topic of cybersecurity, i want to address russia's ongoing attacks on our electrical system and our electrical grid. last week the wall street journal published a story that stated that russia's military and intelligence had had consistently sought to hack u.s. utilities and critical infrastructure. in a few instances, russia state sponsored hackers gained
9:20 am
access to the control systems. as one dhs official stated, a quote, the russian hackers got to the point where they could have thrown switches. the russian's penetrations of one of our most important utilities conjures up fears of a cyber attack that would leave the u.s. would yous service for days, weeks, months. and mr. chertoff in homeland security, which is charged with defending against cyber attacks and strengthening the security around our nation's critical infrastructure. given your history with this mission. could you please ask us how dhs could better defend against attacks on the facilities and what tools are needed to stop these attacks. there were discussion about a new hub and that sounds to me like a good first step, but what should we be doing? >> i agree, i think this hub is
9:21 am
a good first step. you know, when i was in office, we actually talked about co-locating the principal actors in the private sector, critical infrastructure together with our government officials so we could really work in real-time in identifying threats. we're not there yet, but i think this is a good step forward. i would continue to press that as well as giving clarity to some of the elements of critical infrastructure about exactly what they need to do. one of my recommendations has been to take the safety act, which applies in giving liability protection for certain commentaries of technologies and extend that to cybersecurity to create an incentive for companies to invest in processes and technologies that would lower their risk of cyber so i think that's one area we need to be focused on. the second, con did--
9:22 am
cand candidly, how we respond to intrusions by enemy or adversaries in our critical infrastructure. and as with cuba, what happens when it's critical infrastructure. do we treed it as recon danckocr treat as an a weapon? we need responses to varying levels of threat. in ndaa there's a provision for project solarium in cyber, which would be the equivalent what we did after the invention of the atomic bomb to develop a doctrine. and i think having a doctrine and having a strategy and a set of rules of engagement would go a long way in creating some element of deterrence to what right now, i think, is a very ambiguous and challenging environment.
9:23 am
>> well-- >> let's say one more thing. i think that's a critically important part that's missing. we don't have a declaratory statement that things like russian interfering in our election, that causes repositioning is something we are going to take action on and impose costs on. we need to do that and do that now. >> that's very helpful and on the issue of the private-public, not only interaction and partnership being important, it's something that i agree with you on and that's why today senator portman and i are introducing a bill that would establish the cyber response response team act and it would authorize in law, dhs's cyber hunt and incidence response team and allow select private sector cyber experts to participate in these teams. so, we're trying to move this forward. i appreciate that insight very much and i also take to heart the point about having a doctrine and really treating cyber attacks as the threats
9:24 am
that they are and the attack on our country that they are. mr. chairman, i'm just about out of time so i will yield it backment thank you very much and thank you all to the panelists again. >>, but we didn't have a doctrine in 1963 until it happened, did we, secretary chertoff? >> [inaudible] >> that essentially positioning missiles very close to the united states was sufficiently a war-like act that we could engage in a blockade. i think we quoted a quarantine to kind of have it up a little bit. and i think in the war relatively accepted. it's much more complicated in cyber. people firstly, loosely use the word attack, sometimes it means espionage, we've never looked at as an act of war. sometimes it could cause loss
9:25 am
of life that is an act of war. and sometimes there's a middle position. this is a much more ambiguous set of circumstances than a physical world. >> thank you very much. senator udall, you've been very patient. senators have come and gone and you've stayed here. >> thank you, chairman wicker. >> recognize for five and a half minutes. [laughter] >> thank you. thank you, senator. appreciate the panel being here today. as a member of the foreign relations committee, i'm particularly concerned about how powerful tech savvy countries like russia and china, banning and controlling any dissent on-line. while simultaneously using the same ban platforms like facebook to sponsor and promote disinformation in the west and in the u.s. we are now all too aware of russia's pervasive misuse of
9:26 am
social media in our 2016 election and the brexit vote in the u.k. the u.s. had as a critical role, i think as all of you have been talking about, ensuring that we are deterring this kind of state-sponsored disinformation campaign while promoting an open and global internet. russia's-- and i guess this first question, but others can comment, mr. chertoff and mr. painter. russia's-- russian militia cyber activity remains a national security threat, no doubt. they' they've been 2016 election and malware. what activity should be taken to deter russian activity, and focus on one or two or three like that, i think would be good. >> when you deal with ransomware, particularly that can effect industrial control systems and have an impact on
9:27 am
human life, i think that deserves the kind of response that we would do with respect to a physical attack that might have a threat to human life, which means we have to have the ability to respond either in kind or another way to deter that. when it comes to information operations, which to be honest go back a hundred years to the common term when the soviet union existed, i don't regard that as an act of war. i think it's a matter where there are things we can do in terms of calling out who is really responsible for putting posts up or things like the internet research agency in st. petersburg where they use armies or trolls to drive stories. i think legally, as well as in terms of our general set of values, we don't want to actually sens actually censor consent, in falsity and truth, once you go
9:28 am
down the role of censorship, it doesn't stamp. >> we've seen malicious activity from rush -- russia, and russia, north korea and iran and russia at the time. including the election interference and repositioning. and yet, we haven't really done anything to affect russia's calculus in any of that. so, we obviously don't want to be overly escalatory, we're not going to shut off the lights in moscow. but we do something to affect putin and decision making in the future. there's been an effort to call out things. there have been a number of countries that went together and build alliance and come together and say that russia is responsibility. great, you're not going to name and shame russia. you have to do something and that goes to the doctrine question. in the u.s. other things to be doing, having a high level tax
9:29 am
force to deal with election interference. as a cyber guy, i don't think that we saw this coming. we saw threats to infrastructure. we saw espionage. but this hybrid attack is a concerted approach. and the declaratory process is important, too. we can do sanctions and others. if we don't have high, consistent messages from the top that undercuts the efforts. if you send a message this is unacceptable and send a message, well, maybe it's okay, that undercuts everything we're doing. >> mr. chertoff, or any of the other panelists want to weigh in on that? >> i wanted to say thank you for bringing up this concern and i certainly agree with the panelists. one thing to emphasize, think about the strength of our security nmaybe not just from military, but threats. if i have any bit of advice from congress, he think we haven't paid attention to the rise of chinese platforms.
9:30 am
two years ago the chinese ad market exceeded the u.s. in downloads. and i know many people use the chinese versions of amazon and google and so on. they don't want to open their markets to the united states, they want an indigenous technology strategy and, but they want to come and take our market. so, i would like to put up that the threat of china for an economic perspective for our digital economy is just as great as the cyber security threat from russia. >> do i have my 30 seconds? yeah, okay. >> i could add one other thing i think we need to focus on. the chinese have indicated in the next few years they want to become global leaders in artificial intelligence. the way you build artificial intelligence from machine learning is from data. it's not a surprise that we've seen some incredibly large data thefts in the last few years, like the opm theft, yahoo! not
9:31 am
expedia -- one of the other credit companies, but i think that we need to be mindful that these kinds of data thefts, while they may not seem that critical actually can be feeding a very significant growth in artificial intelligence capability, which may be what we're talking about in a committee like this in five years. >> yeah. the-- you mentioned, mr. chertoff, on the misinformation and the answers truth, that we should be mindful because the frustrating thing is there's an old saying in the west, a lie gets halfway around the world before the truth puts on its boots. so we need to realize by being open like that, we're also taking a hit at the front end, but we have faith that it will prevail in the end, that the truth will prevail. thank you very much. thanks to the panel. >> well, do you want to talk?
9:32 am
>> senator, are you ready? >> read to go. >> jump in front of senator cantwell. >> it's a privilege to be at such an important hearing today and mr. painter, if your written testimony, you state that the future viability of the internet as a platform for commerce and social good depends upon that platform's security and the long-term stability of cyberspace. i share your belief in the importance of cyber security and i'm particularly concerned about cyber threats of the iot, the internet of things, or the internet of threats, which it is simultaneously, where devices, our appliances, our machines now connect with one another. mr. painter, the eu is currently considering a cybersecurity act which would create a single cybersecurity
9:33 am
for technology devices. i've introduced similar legislation in congress. the cyber shield act. my bill would establish an advisory committee of cybersecurity experts from community advocacy communities and cyber security benchmarks for iot of devices such as baby monitors, laptops. >> they are voluntarily certify that their products meet those industry leading cybersecurity benchmarks and display this certification to the public. mr. painter, are you in favor of voluntary standards like this for consumers and catalyze investment in cybersecurity? >> i think that the u.s. has a history of advancing things and this for the critical infrastructure and this framework. this is a lot like a ul, the
9:34 am
ul-- >> ul? >> underwriters laboratories, you see on electric things and say this is safe. i think it has merit and makes a lot of sense particularly if you look at a couple of things. one volume voluntary, it's not a one size fits all. i don't read your bill that way, i see it with the advisory committee. i think it needs to be risk based, you're not prescribing a particular technology, but looking at the risks involved. those are all good things. i think there's a lot of comments that the u.s. stakeholders had and the eu cybersecurity act they've taken. one i think i would take caution, making sure it's not a conflicting regime with what's being done in the eu, but at the same time show u.s. leadership, a lot of countries are thinking about this, i think is po-- singapore looking at regulation.
9:35 am
i know dhs and commerce put out principles on this about a year and a half ago. but i think this kind of voluntary regime with industry has a lot of merit. >> do any of you agree that a voluntary regime could work in the united states using that kind of a framework? yes, mr. secretary. >> i agree with that and something i suggested earlier might also be relevant here, which is to take the safety aspect using to counter technologies and apply that as well. because your critics economic incentive to get security since the safety act caps liabilities. i think that would be worthwhile. >> thank you. >> i was just going to add and reiterate chris painter's point, which is interoperability is a dething here. one concern, if there's a voluntary regime in the united states for iot that dictates
9:36 am
how iot products are designed, developed or maintained that other countries would also feel that gives them license to develop their own national approach and there again, you have tremendous fragmenttation. so, i'm happy to hear that the approach that you're thinking is inclusive of industry and developing it, but i think that fragmenttation concern is real. >> and mr. painter, if i may, secretary tillerson chose to downgrade the cyber coordinator position, last year, even though there's intensification of cyber attacks on our country. we know there is malicious cyber activity coming from north korea, from russia, from china, from other places. what's your recommendation as to what our government should be doing in order to elevate rather than downgrade this role? >> so, i think the threats are only increasing.
9:37 am
the policy threats are increasing and cyber threats, criminal groups and nations. we have to look at that-- issues only dealt with cyber people. this has to be ingrained national priority from this administration and every administration. i think that downgrading these roles and roles at the white house sends the wrong message to our friends and adversaries. >> i agree. i think the trump administration made a mistake. we'll put the laws on the books that we need. i'm afraid it's going to come after a catastrophic event in the country and everyone is going to say who knew this could happen? we know this could happen and that's what you're testifying today. we should put preventative laws on the books. thank you, mr. chairman. >> thank you, mr. markey. senator cantwell. thank you for having an important hearing and i appreciate the testimony of the
9:38 am
witnesses and you've said illuminating things about the challenges of our nation both on the commercial side of working together on tightening up where we are and certainly, mr. chertoff, you talking about the attacks to the grid and the large scale efforts on things like ukraine can be very devastating to the united states and mr. painter, thank you for articulating that we needed to be doing much, much more than we're currently doing. that's why last week my colleague and i, senator graham, sent a letter to the president saying please step up both on the assessment side and the resource side because this is a pretty big issue. one thing i wanted to ask about rit large, given all of your testimony because i agree, i don't think that provocation comes anymore with a foreign sub sticking its, you know, nose in u.s. waters or a plane flying over. i think provocation comes from this kind of hacking of a power plant or a pipeline or something of that nature that
9:39 am
we are seeing in other parts of the world. so i think that the debate has gotten a little off course as it relates to what we do and what other people do, and i just wanted to be clear, since you're all articulating an international focus. should it be clear, and should the united states lead such an effort, that any attack on an election system, that is the actual system itself, to interfere with election, should be something that we should unite the entire world that that is a cyber crime and should be prosecuted? >> yeah, well, very much so. i think we saw two aspects of this. one, the attempted attack on the election infrastructure itself and also the influence operation, so we meet those in two different ways, but absolutely, if you look at critical infrastructure. yes, we're worried about pre positioning on power grids and other things, but if there's
9:40 am
attack that undermines the democratic foundation of our system, that's a huge deal and we need to take that seriously. and this commission that both secretary chertoff and i are on, in cyberspace, we just recently release add proposed norm for governments and others to take up, which is exactly that, you should not attack the systems, the devices, the mechanisms that are used for elections for democratic and other elections and i think that's a key thing. so, absolutely. and i think that's one of the things that we should continue to have discussions with other countries on. we know that the dutch, we know that the germans, the french and others, astonions and other countries see this. it's a big deal. >> is everybody else in agreement with that? i would just like to add, i really welcome that congress is taking the concern, taking this up, but what i think is important to say, that there has been desire by other countries to influence our election for decades. so, you know, it isn't-- this isn't the first time it's
9:41 am
happened. it's great that congress responds now, but it's been going on. to the point, that congress is looking at areas of cybersecurity. >> i'm not asking whether you believe in an international-- that we should be leading the charge internationally to say that anybody who tries to influence with the electoral, election process in a cyber way, is a cyber crime and that we should unite the world against that. that's what i'm asking. >> what i would like to express to you, i think that the cyber concern has been maybe for 25 years now and we have been slow to fully integrate it into the military. so, i don't think we need to make the silo. i think it should be part of the military from the ground up. we don't need to have to call it that and so, there's been some resistance to-- because of maybe the way established defense departments are. they have their turf and reluctant to bring cyber
9:42 am
integrated. >> trust me, that's why i'm working with senator graham. mr. chertoff? >> i agree, we have to work with all of our like-minded colleagues overseas to say that interfering with the actual infrastructure of elections is completely off limits and unacceptable. the information operations gets challenging because while we should resist them, we need to be careful how we articulate it. if you go to moscow, this he'll say, great, let's get rid of the national endowment of democracies and you know-- >> i agree, that's why i'm bringing this up, mr. chertoff, because i do not want to lose action on the first part. >> correct. >> we should be leading the charge. no government should be involved in interfering with the actual election operations, end of story. we should be leading the charge, but there are some people running around this town, basically saying, well there's other stuff and we should let this go. no, we should not let this go,
9:43 am
so-- >> i agree with you, it's totally different. we should not blur the lines in a way that blunts our response. >> thank you. >> thank you, senator cantwell. senator cruz. thank you to the witnesses for each of you being here. dr. layton, this past january, as you know, a memo leaked from the national security council which called for nationalizing the 5-g mobile broadband networks and since then the administration has been less than clear in rejecting that idea. i and many members of the senate consider that to be a profoundly bad idea, that's why senator cortez, masto and i together introduced the e-frontier legislation last week which would prohibit the the national communications network without authorization
9:44 am
from congress. dr. layton, in your judgment, what would it mean if we were to nationallize the 5-g networks. >> that would be a disaster. thank you and senator cortez and masto for your leadership. it helps me sleep at night. if there's one thing in telecommunications policy we have witnessed over and over again, governments should not be running the telecommunications network. it has been a colassel waste of money, colassel waste of energy and it's not where we should put our resources particularly when we have private companies willing to put up $300 billion to have all kinds of competitive 5-g networks, it's not where we should put our money. >> in your opinion, is the frontier act the right way for this committee and congress go? >> agree. >> does anybody think that nationallizing 5-g is a good
9:45 am
idea? >> secretary chertoff, what are your thoughts on the implications if the government were to try to nationallize 5-g? >> again, exactly was-- [inaudible] i'm not sure what that would look like-- >> i think your microphone is off. >> in general, i think that nationalization of a function like that stifles innovation and puts the government in a position which evoverreaches in terms of what its proper roll is. >> mr. bladel. there has been considerable attention in congress and the national discussion to the role of tech companies and social media companies, engaging in political censorship. what do you think the role and what does go daddy think the role should be of tech companies censoring the speech of others? >> thank you, senator. i can't speak for the entire
9:46 am
industry, but from go daddy's perspective we don't want to be an arbiter of free speech. we don't think that's a role for us as a private sector km. we're supporter of internet that supports free expression and welcomes all views. that said, we do have terms of service for using our platform for communication and there's some very specific cases that would cause us to suspend or terminate service. illegal activities, threats of violence, and pharmaceutical sales and things called out in our terms of service. so, we-- any content complaints that we receive are subject to a case by case review and then we decide, according to our terms of service, but, as a private sector company, we do not want that role. >> so, i think you would not find disagreement when it comes to shutting down criminal enterprises, conduct, that
9:47 am
clearly violates criminal law. what does, obviously, raise questions is when it's not criminal contact, it's simply content that may be offensive, that may be wrong, but that it's not illegal. and then the question becomes, who should be the gate keeper? who decides what speech is permissible? and what speech is not? have there been instances in your company's history where, because of disagreement with content, you have shut down access to a website? >> so, typically, that as part of that review, the content would have to contain illegal materials or rise to the level of direct call for or threats of violence for us to take action. >> you obviously operate within the tech space. should social media companies
9:48 am
in your judgment be neutral public forums? should they respect first amendment principles and allow, as jon stewart mill put it, the cure for bad speech to be more speech rather than censorship? >> in my view, and i think this is shared by godaddy and other countries in our space, we want the internet to be as open and welcoming as possible for free expression and it's not the role of the platform to judge content on whether it's offensive or whether it's allowable, it should only be on those narrow cases of the legal materials. >> thank you. >> thank you very much, senator cruz. senator clo. >> i've worked because of my
9:49 am
role because of judiciary on rules i've worked hard on this issue and i see this issue on cyber attack and issues raised about the power grid and i want to focus on this. i'll start with you, mr. chertoff. i know you mentioned the bill that i have with senator lankford, the secure elections act which would streamline information sharing between federal and state agencies. it was an outrage that 21 states that were hacked into, many didn't find out for a year and that way they can't protect themselves because they don't know what other hack as going on in another state. so my first question, do you think our states are adequately prepared? you know we got the $380 million out in the last budget agreement and what else should we be doing to protect our voting equipment? >> well, i think there's greater understanding that they have to get engaged and get
9:50 am
engaged with dhs. when i was at aspen a couple of weeks ago, the word we got from dhs. all the states to some degree are engaging now, but to be honest, this ship is going to take a while to turn around. you've got an aging infrastructure in many places. i think some states are not even fully aware of how much they're connected to the internet. >> you don't have 14 states that have either no paper ballot or partial paper ballot. >> that's going to require a change in equipment and a change in protocol. so the short answer is, we're not where we need to be. we're moving in the right direction. we ought to press the accelerator on this. i don't know that we're going to have this problem fixed by 2018, i would be very doubtful, but certainly we are going to have elections in 2020 and by then we should have had the problem fixed. so, we've got to step it up. >> and what's microsoft defending democracy issue doing
9:51 am
to defend state and local issues. >> they work with a lot of different groups to both help people understand what the threats are. i think at a public forum we had in aspen, they indicated they identified some candidates whose data bases had been hacked. i think raising awareness, sharing the information about technical solutions, and working both in terms of raising the game on infrastructure protection and more generally, on information operations, so, looking at kind of support of all of these efforts. >> okay, and also on the front of the political ads, as you know, it wasn't just about elections and candidates, it was also disrupting democracy with issue ads and that's why i've introduced that act with senators mccain and warner. do you agree it's important we have uniform standards across platforms for these ads? >> absolutely. it's crazy to say that we can require for television ads, or newspaper ads, but not to do it
9:52 am
for platforms. and let me just add one other thing, this is not just about elections. i think that we are seeing and we'll continue to see russian efforts to motivate people, to have civil disorder, where they get both groups on the right and the left to come to the same place and they try to gin of violence. >> thank you, and those are the issues that are included in our bill, but some of the platforms are saying, well, we should just do candidate ads, which is not the standard for radio, tv or newspaper. and we've seen what they were doing, energy issues and other things, where they actually had a financial interest, russia did. and i think they've been overlooked because of the obvious focus on the 2016 election. >> and that's exactly right. >> okay, dr. layton, my last question here. over the last few years we've seen personal information be disclosed. we are proud of our social media and internet companies in the u.s. they're incredibly innovative and a lot of smart people are working there.
9:53 am
but, yet, even mr. zuckerberg at his hearing has said, that we need to put some rules of the road in place. they don't have to be exactly what europe did. we can do our own. could you comment on the social media privacy protection and consumer rights act that senator kennedy and i introduced? >> well, you know, i want to applaud you for your leadership and i think if nobody thinks that congress is not up to task, you've proven them wrong. you guys were quick to turn something around and i'm grateful for that. i think in this hearing, this is exactly the steps that we need to take. in terms of-- and this is a conversation, it would be wrong it say, oh, you know, europe did this, let's hurry up and get our version, that's a mistake. i think this committee is going through the necessary steps, it's taking in the input from all the stakeholders, and you know, i think my particular feedback today is the two important components that we haven't included, that's very important, is the consumer
9:54 am
education component, as well as we need incentives for privacy enhancing technologies, and that's why a safe harbor that would allow a company to innovate new technology, the first time you make an errings ha have-- version of your product, it may not work of the we need a safe harbor for that provisional set, i think your bill had a provision for that and i thank you for that. i think ultimately we'll win through innovation, science and technology. thank you very much and the rest of the questions i will do on the record because i'm out of down, but miss zheng, you had a problem with downloads and problems it creates and we'll do that off the record and mr. painter, i have cyber attack questions to ask you about. thank you very much. >> thank you, senator klobuchar. i have a letter dated today to senator schotts and me from pat
9:55 am
cain? are vice-president of ver assign incorporated and i ask unanimous content to place it in the record at this point. without objection, this will be done. we're told that another distinguished member of the committee may be on his way. senator schotts, i think this has been a very excellent heari hearing. perhaps we could filibuster for another moment or two. of course, there are dozens of questions we could ask. you know, dr. layton, are you speaking for aei or on your own behalf? >> no, thank you for giving me
9:56 am
the opportunity to clarify. as my submitted testimony shows, that i do not represent the positions of aei or any other entity. i'm speaking purely in my own capacity. i'm a visiting research in copenhagen, denmark. we work on privacy and security research. so i'm not speaking for that center, but it is informed by the research we do. >> and ms. zheng, you're speaking on above of-- >> yes, sir. >> you published an article a few days ago with regard to the $5 billion eu finding against google and the state of the eu's record $5 billion for anti-trust involving android operating system, protectionism masquerading as consumerism. it strikes me that aei's got a
9:57 am
point there, dr. layton. >> well, aei doesn't make any official positions. we have many-- we have over 200 scholars. we all have different views. we have major debates within our organization. sometimes we have more anger against each other than people outside the aei so we actually take disparate positions because we believe in the competition of ideas. very good. would anyone else like to comment on that? >> senator, thank you. yes. i think from our perspective it shows what we're up against in terms of the eu's willingness to impose fines on u.s. tech firms and whether that's coming in this particular instance involving a mobile operating system or whether that's coming from something like gdpr. it's one of the reasons we're proceeding cautiously in our compliance efforts with regard to those european regulations. >> it seems that all is not well between our government and the eu. the hearing record will remain
9:58 am
open for two weeks, during this time senators will be asked to submit any questions for the record. upon receipt the witnesses are requested to submit their written answers to the committee as soon as possible. thank you all and this hearing is now adjourned. [inaudible conversations] [inaudible conversations] [inaudible conversations]
9:59 am
[inaudible conversations] . [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations] [inaudible conversations]
10:00 am
>> the u.s. senate is about to gavel in on this wednesday morning. senate lawmakers expected to wrap up work on four federal spending bills for 2019 and the defense programs and policy bill. a series of votes will get underway at 11 a.m. eastern this morning. and now to live coverage of the u.s. senate here on c-span2. the presiding officer: the senate will come to order. the chaplain, dr. barry black, will lead the senate in prayer. the chaplain: let us pray.


info Stream Only

Uploaded by TV Archive on