Jack Dorsey and Sheryl Sandberg relentlessly practiced before taking hot seats on Capitol Hill, engaging in role play and panels of questioning with colleagues and consultants. But the tech executives weren’t the only ones who came prepared for class on Wednesday.
Senators on the Intelligence Committee clearly did their homework on a wide range of technical topics, and they peppered the executives with questions on issues ranging from doctored videos known as “deepfakes” to encryption.
The grilling marked a stark departure from hearings earlier this year with Facebook Chief Executive Mark Zuckerberg, when senators on the Judiciary and Commerce committees were panned for their technical illiteracy.
Sen. Hatch: "If [a version of Facebook will always be free], how do you sustain a business model in which users don't pay for your service?"— CBS News (@CBSNews) April 10, 2018
Mark Zuckerberg: "Senator, we run ads." https://t.co/CbFO899XlU pic.twitter.com/bGKWks7zIk
Continued foreign interference on the platforms has ratcheted up pressure on lawmakers to better assess not only how these platforms were exploited ahead of the 2016 election, but also what threats could emerge next.
And it’s evident they are putting in the work: Over the last year, Intelligence Committee senators have been working with advisers to better understand the rise of disinformation on social networks. They’ve met with tech executives behind closed doors and in open hearings, as well as third-party experts such as Renee DiResta, director of research for social media threat detection company New Knowledge.
DiResta has been battling disinformation campaigns online for years -- and she has been helping lawmakers from both parties understand technical topics and develop questions ahead of hearings for the last year. “They’ve worked with external experts as advisers throughout that time, reaching out to make sure they fully understand all of the technical facets of the problems as they come up,” she said.
After working with the committee behind-the-scenes, she publicly testified in August – and told me she was pleased to see the questions she got back were “similarly high caliber to what we heard” on Wednesday.
The senators' display of technical knowledge also comes as they grapple with potential next steps to rein in big tech.
Even as lawmakers and technology executives struck a conciliatory tone during Wednesday’s hearing – stressing the importance of cooperation between government and the companies – they are also considering legislative action. Intelligence Committee Chairman Richard Burr (R-N.C.) laid out some options in his opening remarks, including regulation of the social media platforms and legislation that facilitates information sharing on cyberthreats between companies and the government.
“There are no unsolvable problems,” he said.
The top Democrat on the committee, Virginia Sen. Mark Warner, set the tone at Wednesday’s hearing in his opening remarks, warning that the threats to discourse, privacy and democracy will only intensify with new advances in technology and artificial intelligence. Warner cautioned deepfakes, or doctored videos, could amplify the fake news dilemma the technology giants are grappling with today.
“We’re on the cusp of a new generation of exploitation and, potentially harnessing hacked personal information to enable tailored and targeted disinformation and social engineering efforts,” he said. “That should frighten us all.”
Warner and Florida Republican Marco Rubio began ringing the alarm about deepfakes earlier this year. Warner floated the idea of holding the companies liable for failing to take them down in a policy paper, and Rubio called them a national security threat in a speech.
Maine Sen. Angus King pressed on deepfakes later in the hearing, asking Sandberg if Facebook could tag videos that have been manipulated and warn consumers that they may be misleading. “Deepfakes is a new area, and we know people are going to continue to find new ones,” Sandberg said. “As always, we’re going to do a combination of investing in technology and investing in people so that people can see the most authentic information on our service.”
Deepfakes were just one of many emerging technologies discussed as lawmakers attempted to address concerns ranging from election interference to censorship in a hearing that highlighted the complicated relationship that exists between Silicon Valley and Washington. As the technology companies continue to grow, they are increasingly treading into the crosshairs of regulators. As Wednesday’s hearing was wrapping up, the Justice Department warned that leading technology companies may be “intentionally stifling the free exchange of ideas” and hurting competition. And lawmakers’ interest is unlikely to wane: Less than two hours after the Senate Intelligence Committee hearing finished, Dorsey was testifying again in front of the House Energy and Commerce.
Though senators were intent on determining whether the social networks have taken adequate steps to address election security, past points of contention between Silicon Valley and the government reemerged during the hearing. As law enforcement leaders warn that the spread of encryption is hindering critical investigations, Sandberg made a point to stress Facebook’s commitment to consumer security and privacy. “We are strong believers in encryption,” Sandberg said. "Encryption helps keep people safe, it’s what secures our banking system, it’s what secures the security of private messages, and consumers rely on it and depend on it."
There was one thing both lawmakers and executives seemed to agree on: That private-public cooperation was necessary to address disinformation at the hands of foreign adversaries.
And it’s clear lawmakers expect the companies to engage. Google drew bipartisan criticism for not sending an executive that lawmakers deemed senior enough to testify at the hearing. Lawmakers left an empty chair for Google next to the other witnesses to draw attention to the company’s absence.
Rubio lashed out at the company for not sending an executive. “Maybe it’s cause they’re arrogant,” he said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “Cyberweapons and sophisticated hacking pose a greater threat to the United States than the risk of physical attacks, Homeland Security Secretary Kirstjen Nielsen said Wednesday while urging state election officials to add more safeguards to their voting systems,” The Washington Post's Nick Miroff reported. “In a speech timed to next week’s anniversary of the 9/11 terrorist attacks, and amid worries about interference in coming U.S. elections, Nielsen said the Department of Homeland Security is facing down an array of cyberthreats from hostile foreign governments, extremist groups and transnational criminals.”
In her speech at George Washington University, Nielsen called election security “one of my highest and continuous priorities” and said states should include paper trails and audits in their election systems. “Today I am calling on every state in the Union to ensure that by the 2020 election, they have redundant, auditable election systems,” she said. “The best way to do that is with a physical paper trail and effective audits so that Americans everywhere can be assured that — no matter what — their vote is counted, and it is counted correctly.” The Trump administration also intends to “hold cyberattackers accountable,” according to Nielsen. “We will no longer naively assume that a nation state with cyber capabilities chooses not to use them. We will no longer tolerate the theft of our data. We will no longer stand idly by as our networks are penetrated, exploited, or held hostage,” Nielsen said. “Instead, we will respond, and we will respond decisively.”
Nielsen also delivered a message for Congress. “‘Threats to the U.S. from foreign adversaries are at the highest levels since the Cold War,’ she said, calling on lawmakers to elevate Homeland Security’s cybersecurity division — the National Protection and Programs Directorate — to a ‘full-fledged operational agency,’ on par with other major DHS agencies such as U.S. Customs and Border Protection or the Transportation Security Administration,” Nick wrote.
PATCHED: Cybersecurity deserves its own federal agency as DHS already has a lot on its plate, according to former CIA director David H. Petraeus and Kiran Sridhar, a Stanford University student. “We need to acknowledge that cyberthreats have reached a new level, and that they need to be addressed in a new way,” Petraeus, a retired Army general, and Sridhar wrote in Politico on Wednesday. “The time has come to establish an independent National Cybersecurity Agency to take the lead in protecting our critical infrastructure.” Creating a single agency would allow the federal government to tackle cybersecurity issues in a more effective way, the authors argued.
“A standalone agency would be much more focused, capable and empowered than the current grab bag of governmental initiatives,” Petraeus and Sridhar said. “As the head of an independent agency, the director would report directly to the president and have the ears of members of Congress to get much needed legislation. The prestige of a new agency and the cultural shift it would drive would also allow it and, hopefully, the rest of government to build the public-sector talent base we need.”
Such an agency would also allow the executive branch of the federal government to speak in one voice in its interactions with lawmakers. “An NCA likely would find a receptive audience among Washington policymakers: Members of both parties agree that the government needs to do more to shore up cyber defenses, but without a coordinating agency, it’s hard for them to know how to help,” according to Petraeus and Sridhar.
PWNED: The House on Wednesday passed a bill introduced by Rep. Ted Yoho (R-Fla.) that aims to deter cyberattacks sponsored by foreign states. Under the bill, titled Cyber Deterrence and Response Act of 2018, the federal government may label as “critical cyber threat actor” people or organizations that carry out state-sponsored cyberattacks against the United States. The bill also lists several punitive measures — such as financial and travel sanctions — that federal authorities may enact in response to cyberattacks.
In a statement issued after the bill's passage, Yoho mentioned China, North Korea, Iran and Russia as examples of foreign states that direct cyberattacks “on a daily basis” against the United States. “The Cyber Deterrence and Response Act will bring these aggressors out of the shadows and create a framework that deters and provides the proper response for their actions,” Yoho said. “It is vital that when these attacks happen, they are exposed and punished quickly and accordingly. I encourage the Senate to pass their companion bill and send this legislation to the President to be signed into law.”
— Rep. Justin Amash (R-Mich.) on Wednesday criticized the Trump administration after the U.S. government issued a statement alongside Britain, Canada, Australia and New Zealand last week calling on tech companies to allow back-door access to their products so that public authorities may access encrypted data. “By demanding backdoors to encrypted data, the Trump administration is putting everyone’s security and privacy at risk,” Amash said in a tweet. “The government should be encouraging the use of strong encryption instead of fighting to weaken it.” (The Cybersecurity 202 yesterday analyzed the statement issued last week by the Five Eyes countries.)
— More cybersecurity news from the public sector:
— Here's more bad news for Facebook, this time from a Pew Research Center survey. “Nearly three-quarters of American Facebook users have changed how they use the social media app in the past year, following a barrage of scandals involving the abuse of personal data, foreign interference in U.S. elections and the spread of hateful or harassing content on the platform,” The Post's Hamza Shaban reported on Wednesday. Pew conducted the survey from May 29 to June 11. “Pew found that more than 1 in 4 Americans have deleted the app from their phones,” Hamza wrote. “Fifty-four percent tweaked their privacy settings, and 42 percent stopped using the app for several weeks or longer. Those interventions were also much more likely to have been taken by younger people, who outpaced older users in each of the three actions.”
— More cybersecurity news from the private sector:
— “Chinese cyberespionage costs U.S. companies an estimated $300 billion annually and comprises the ‘single greatest threat to U.S. technology,’ according to a new report by the Washington, D.C-based think tank Foundation for Defense of Democracies,” Newsweek's Cristina Maza reported Wednesday. “China is using its vast cyberespionage capabilities to steal intellectual property from U.S. businesses, gain the upper hand in economic negotiations, and put pressure on foreign governments, according to the report. These activities have allowed China to advance rapidly, overtake the U.S. in certain key industries and even gain some military advantages.”
- Two House Homeland Security subcommittees hold a joint hearing on cybersecurity threats to the U.S. aviation sector.
- Senate Banking Committee hearing on Russia sanctions.
- 9th annual Billington CyberSecurity Summit in Washington.
Key moments from day 2 of Brett Kavanaugh's confirmation hearing:
Congressman “auctions” protester out of hearing room:
Late-night laughs: The scathing NYT op-ed about Trump