[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

AI AND THE EVOLUTION OF CLOUD COMPUTING: EVALUATING HOW FINANCIAL DATA IS STORED, PROTECTED, AND MAINTAINED BY CLOUD PROVIDERS
=======================================================================

HEARING BEFORE THE TASK FORCE ON ARTIFICIAL INTELLIGENCE OF THE COMMITTEE ON FINANCIAL SERVICES, U.S. HOUSE OF REPRESENTATIVES

ONE HUNDRED SIXTEENTH CONGRESS, FIRST SESSION

OCTOBER 18, 2019

Printed for the use of the Committee on Financial Services

Serial No. 116-60

U.S. GOVERNMENT PUBLISHING OFFICE
42-363 PDF
WASHINGTON : 2020

-----------------------------------------------------------------------

HOUSE COMMITTEE ON FINANCIAL SERVICES

MAXINE WATERS, California, Chairwoman
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
WM. LACY CLAY, Missouri
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
BILL FOSTER, Illinois
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
RASHIDA TLAIB, Michigan
KATIE PORTER, California
CINDY AXNE, Iowa
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
BEN McADAMS, Utah
ALEXANDRIA OCASIO-CORTEZ, New York
JENNIFER WEXTON, Virginia
STEPHEN F. LYNCH, Massachusetts
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

PATRICK McHENRY, North Carolina, Ranking Member
ANN WAGNER, Missouri
PETER T. KING, New York
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
STEVE STIVERS, Ohio
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
BRYAN STEIL, Wisconsin
LANCE GOODEN, Texas
DENVER RIGGLEMAN, Virginia
WILLIAM TIMMONS, South Carolina

Charla Ouertatani, Staff Director

TASK FORCE ON ARTIFICIAL INTELLIGENCE

BILL FOSTER, Illinois, Chairman
EMANUEL CLEAVER, Missouri
KATIE PORTER, California
SEAN CASTEN, Illinois
ALMA ADAMS, North Carolina
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

FRENCH HILL, Arkansas, Ranking Member
BARRY LOUDERMILK, Georgia
TED BUDD, North Carolina
ANTHONY GONZALEZ, Ohio
DENVER RIGGLEMAN, Virginia
TREY HOLLINGSWORTH, Indiana

C O N T E N T S

Hearing held on:
    October 18, 2019 ........ 1
Appendix:
    October 18, 2019 ........ 23

WITNESSES

Friday, October 18, 2019

Benda, Paul, Senior Vice President, Risk and Cybersecurity Policy, American Bankers Association ........ 11
Brandt, Jordan, CEO and Cofounder, Inpher, Inc. ........ 9
Broussard, Meredith, Associate Professor, NYU, and Affiliate Faculty Member, NYU Center for Data Science ........ 4
Grobman, Steve, Senior Vice President and Chief Technology Officer, McAfee ........ 7
Seiffert, Alla, Director, Cloud Policy and Counsel, Internet Association ........ 6

APPENDIX

Prepared statements:
    Benda, Paul ........ 24
    Brandt, Jordan ........ 36
    Broussard, Meredith ........ 39
    Grobman, Steve ........ 51
    Seiffert, Alla ........ 58

Additional Material Submitted for the Record

Foster, Hon. Bill:
    Written responses to questions submitted to Alla Seiffert ........ 65

-----------------------------------------------------------------------

AI AND THE EVOLUTION OF CLOUD COMPUTING: EVALUATING HOW FINANCIAL DATA IS STORED, PROTECTED, AND MAINTAINED BY CLOUD PROVIDERS

Friday, October 18, 2019

U.S. House of Representatives,
Task Force on Artificial Intelligence,
Committee on Financial Services,
Washington, D.C.

The task force met, pursuant to notice, at 9:33 a.m., in room 2128, Rayburn House Office Building, Hon. Bill Foster [chairman of the task force] presiding.

Members present: Representatives Foster, Cleaver, Porter, Casten, Garcia of Texas; Budd, Gonzalez of Ohio, Riggleman, and Hollingsworth.

Chairman Foster. The Task Force on Artificial Intelligence will now come to order.

Without objection, the Chair is authorized to declare a recess of the task force at any time. Also, without objection, members of the full Financial Services Committee who are not members of the task force are allowed to participate in today's hearing, consistent with the committee's practice.

Today's hearing is entitled, ``AI and the Evolution of Cloud Computing: Evaluating How Financial Data is Stored, Protected, and Maintained by Cloud Providers.''

The Chair now recognizes himself for 5 minutes for an opening statement.

First off, thanks, everyone, for joining us today on what should be a very interesting hearing of the task force. Today, we are looking to explore the rise of cloud computing in the financial services sector, including the opportunities and risks of companies' migration to the cloud, as well as the regulatory framework for protecting sensitive financial information that is stored in the cloud.
And I should also mention that it seems possible that we are going to have votes called, Floor votes in the House called part way through the hearing, and in that case, we will have a game-time decision about which Members might be interested in reconvening. And if not, we can just convene for a private discussion among the Members, if that turns out to be what is feasible.

The transition to cloud computing is something that is a double-edged sword. I have faced that personally where, several years ago when I couldn't stand it anymore, what was happening in politics, and I went and downloaded TensorFlow to my laptop and worked through the various--this is Google's open-source AI engine. And so the tradeoffs there were pretty obvious to me, that the data set I wanted to be working on fit on my laptop, but it just wasn't reasonable. The problems of having to reconfigure your system for the latest version of Python, everything like that, so that the advantages of going to a cloud-based system just for a small-scale user are enormous. Not to mention all of the defensive things that you get when you go to a competent cloud provider where the first lines of defense are actually provided by the cloud service.

But then, when you talk about the policy implications, we are always struggling with data privacy and the basic fact that AI works much better with large data sets, and that has huge policy implications with which we are struggling. If we are not careful, it is going to encourage the consolidation that is already a natural feature of any digital enterprise, which is essentially a natural monopoly, and this AI has a good chance of amplifying this. If you don't have access to the large data sets, it is hard for a startup to compete. And if they do have access, then there are huge potential--a privacy breach, for example, can cause economic damage massively in excess of the market capitalization of some little startup.
And so, we have to be very careful that the AI policies that we apply to the cloud don't further force consolidation in an already consolidated industry.

The second thing is just the way that AI will be a continuing attack on privacy. Some of the most competent spear-phishing attacks now involve multifactor attacks where you are using an AI voice synthesizer in concert with a spear-phishing attack to make it very likely that an ordinary person will click on the enclosure. And so we are seeing, I think it was within the last year, that for the first time, an AI engine competed on a level playing field with teams of hackers in terms of finding software vulnerabilities. We are talking about a future that is now, where both cyber offense and cyber defense are going to be best employed by AI. These sorts of efforts are out of the scale where a small person holding their own computer can actually hope to compete in this world, so you are going to be increasingly dependent on large cloud vendors and companies that deploy on the cloud for the defensive work that you will have to do. So, that is another huge issue.

I don't want to take up a lot of time here. I would like to get to the witnesses' testimony as much as possible, and I just want to thank you all for appearing, and I will turn it over to the acting ranking member, Mr. Riggleman.

Mr. Riggleman. Thank you, Mr. Chairman, for convening this hearing today, and generally, for pulling this task force together. If I had known a task force on artificial intelligence was a possibility, someone like myself might have run for Congress much sooner in life, so it is great to be here. And to our witnesses, I look forward to hearing each of your testimonies, and I appreciate you being here.

Cloud services offer many benefits, both to financial institutions and consumers.
And as has been discussed by Ranking Member Hill and others, the work this committee is doing through both the FinTech and AI Task Forces is exploring ways to streamline compliance, lower regulatory costs, and also deliver an overall better, more affordable experience for American consumers. By utilizing the cloud, companies can do just that, help the consumer. Financial institutions are able to innovate and thrive in an environment that affords both scalability and flexibility. There are, however, some risks when dealing with anything new, including technology and operations, which we look forward to discussing further in today's hearing.

In less than a century, computing has revolutionized the banking industry, along with the types and delivery of financial products and services that can be offered. Today, we all know that a majority of banking and personal finance is handled either on your phone or on a computer, but it hasn't always been that way. Banks first started using computers in the 1950s, predominantly to process checks, and later, electronic funds transfers. Since banks first began to use computers, they have relied on the secure information technology infrastructure run by nonbank companies or third-party service providers (TSPs). In the 1980s and 1990s, banks started to use personal computers for their employees. By the end of the 20th Century, a greater proportion of workers in finance used computers than in any other industry. Then came the internet and everything changed, especially in banking.

I say all of this to show that the financial industry has a long history of utilizing computers, and now they are outsourcing many of those responsibilities to the cloud, which is why I am glad we are having this hearing today. It is of the utmost importance to ensure that all of these operations supported by the cloud are safe, secure, and private for its customers.
We have all heard about the Capital One breach that happened this past summer, and that breach was connected to AWS, the bank's cloud service provider. Our job in Congress is to ensure that financial institutions of all sizes, their third-party service providers, and every other entity involved in the chain has legislative or regulatory certainty to do what is needed to protect consumers' data.

If you look at the Treasury's FinTech report last year on nonbanks and FinTechs, you will see a recommendation that Federal regulators ease the adoption of new technologies, such as cloud computing, with the aim of reducing barriers to the migration of activities to the cloud. I agree we need to ensure innovation is not stifled, because innovation is ultimately what protects consumers while also providing more options and more choices.

All that to say, I look forward to constructive dialogue today. I hope we can find solutions that promote innovation while also ensuring consumer safety. Today's hearing is the start of what I expect will be a longer conversation involving identity, privacy, and consumer safety. I look forward to ongoing discussions as our world only becomes more connected.

Thank you, and I yield back.

Chairman Foster. Thank you.

Today, we welcome the testimony of Meredith Broussard, associate professor at NYU, and affiliate faculty member at the NYU Center for Data Science; Alla Seiffert, director of cloud policy and counsel at the Internet Association; Steve Grobman, senior vice president and chief technology officer at McAfee; Dr. Jordan Brandt, CEO and cofounder of Inpher; and Paul Benda, senior vice president for risk and cybersecurity policy at the American Bankers Association.

Witnesses are reminded that your oral testimony will be limited to 5 minutes, and without objection, your written statements will be made a part of the record.

Ms. Broussard, you are now recognized for 5 minutes.
STATEMENT OF MEREDITH BROUSSARD, ASSOCIATE PROFESSOR, NYU, AND AFFILIATE FACULTY MEMBER, NYU CENTER FOR DATA SCIENCE

Ms. Broussard. Chairman Foster, Acting Ranking Member Riggleman, and members of the task force, thank you very much. It is an honor to be asked to testify today. I am a professor at NYU, a computer scientist turned journalist, and the author of a book called, ``Artificial Unintelligence: How Computers Misunderstand the World.''

I would like to speak today about the realities of AI and cloud computing as a way of thinking through the human-scale issues with running bank operations in the cloud.

Computer scientists like to say, the cloud is someone else's computer, and we know exactly where those computers are. Amazon Web Services controls 48 percent of the cloud computing market, and it has 4 major data centers, or server farms, in the United States. They are large, usually windowless buildings in Northern Virginia, Ohio, Oregon, and northern California. Worldwide, 76 percent of the cloud market is controlled by a few big firms: Amazon; Google; Microsoft; and Alibaba. Inside their server farm buildings, these companies maintain thousands of physical computers that anyone can rent space on, including banks.

The U.S. Government is a cloud client. The AWS GovCloud is a secure set of servers that host data and programs for DHS, Treasury, DOD, cloud.gov, and other agencies. The computers that power the AWS GovCloud are physically located in Amazon's building in Virginia and backed up on the West Coast.

Running bank operations in the cloud means moving bank operations to one of these buildings, which are vulnerable to a variety of physical or cybersecurity threats. Again, the reality there is market dominance. We should ask, does it make sense to have all of the defense programs and all of the Citibank and Chase and SoftBank data stored in the same Amazon building in Northern Virginia?
Let's also think about the people in the banking and cloud computing ecosystem. It helps to hear from the IT professionals who manage local and cloud computers. A 2014 Ponemon Institute survey asked IT professionals to rate their organization's effectiveness in securing data and applications used in the cloud. Fifty-one percent rated their organizations as low in effectiveness. They said the likelihood of a data breach in the cloud has increased. Sixty-nine percent believe that their organizations failed to be proactive in assessing information that was too sensitive to be stored in the cloud. If IT professionals have so little faith in their own organizations, and we know there is a high demand but low supply of IT professionals who are experts in cybersecurity, it seems that more regulation and oversight will help protect bank operations in the cloud.

I want to talk now about artificial intelligence (AI). Artificial intelligence is widely misunderstood. Hollywood images of AI like The Terminator or Commander Data from Star Trek are what most people think of when they think of AI. And these Hollywood images are delightful, but they are not real. AI is best understood as a branch of computer science, the same way that algebra is a branch of mathematics. Inside AI, there are other branches, including: machine learning; expert systems; and natural language processing. These are just a few of them, but machine learning is the most popular kind of AI in business right now. And it is so popular that there has been linguistic confusion. When people say, ``I am using AI for my business,'' usually what they mean is, ``I am using machine learning for my business.'' And ``machine learning'' is another misleading name. It sounds like the computer has sentience, or learning like a human being, and it does not. Machine learning is math. It is computational statistics on steroids.
Banks are using machine learning to help make business decisions about things like who qualifies for a mortgage. But one problem is that machine learning models discriminate by default. Let's say that I have a data set of people who have gotten mortgages in the past. The data will be tainted by the history of red-lining and residential segregation in the United States. If I build a machine-learning model based on this data, the model will discriminate against citizens. We need to audit the AI algorithms and machine-learning models used by banks and other types of companies for fairness and to prevent discrimination.

The issue here is not where these AI programs run or whether the data is stored on bank computers or on Amazon's computers. Instead, we should ask what the AI is used for, plus, how it is used, what kind of AI is used, what specific data is used to train a machine-learning model, and what specific data is used to make decisions after the model is trained. One option is that these kinds of questions could be answered in plain language, and this information could be communicated as part of the regulatory examination.

The final thing I will mention is the cultural conflict between tech and finance. In the tech world, nobody talks about regulatory compliance or teaches it much in schools. The move-fast-and-break-things ethos is diametrically opposed to the mindset of compliance. It doesn't surprise me that in April 2019, when Federal examiners visited the AWS site in Virginia, they didn't notice the Capital One data breach. The Amazon--

Chairman Foster. Thank you. And at this point, we are on a tight time schedule.

Ms. Broussard. Okay. Sorry.

Chairman Foster. The Members can read your full written testimony.

Ms. Broussard. Thank you for the opportunity to contribute, and I look forward to answering your questions.

[The prepared statement of Ms. Broussard can be found on page 39 of the appendix.]

Chairman Foster. Thank you. Ms. Seiffert, you are now recognized for 5 minutes.

STATEMENT OF ALLA SEIFFERT, DIRECTOR, CLOUD POLICY AND COUNSEL, INTERNET ASSOCIATION

Ms. Seiffert. Chairman Foster, Acting Ranking Member Riggleman, and distinguished members of the task force, thank you for the opportunity to appear before you today to discuss the use of the cloud in financial services. My name is Alla Seiffert, and I am the director of cloud policy and counsel at Internet Association. Internet Association, or IA, represents over 40 of the world's leading internet companies. Our members are global leaders in the drive to develop lower-cost, more secure, scalable, elastic, efficient, resilient, and innovative cloud services to customers in both the private and public sectors. All of the major U.S.-based hyperscale cloud service providers are members of IA.

I would like to thank Chairman Foster, the task force leadership, and your staff for your continued commitment to exploring emerging areas around cloud computing and AI within financial services.

I would like to start with a background on cloud computing. NIST defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud service providers, or CSPs, make available to customers a wide range of services that function as IT building blocks that customers can use to build applications to meet their IT goals and be more secure, innovative, and responsive to their customers. The cloud is flexible enough to be used for everything, from storing national security data to managing my PayPal balance.

Security is a top priority for CSPs, and they invest a tremendous amount to make their services secure.
By using cloud services, customers such as financial institutions can focus on carrying out their core business functions and benefit from the security measures that CSPs have in place. In that way, the cloud is kind of like an office building landlord. It will rent you space and make sure you have doors that lock, but it is ultimately your responsibility to decide whom you let into your office for meetings. Consequently, financial institutions remain accountable for managing the risk of their IT environments, whether they are run in-house, through a third-party-managed service provider, or a CSP.

Today, financial institutions use the cloud for a wide range of applications, from storing publicly available data or running test environments, to creating digital channels, storing sensitive records, or running critical workloads.

We have the following three major themes to discuss with the task force today.

First, cloud implementation is a shared responsibility between CSPs and customers. Financial institutions that use cloud computing operate in an environment where they manage certain aspects of their IT resources and are responsible for configuring those resources, but they rely on the CSP to manage the cloud itself. This division of labor means that both the CSP and the customer bear responsibility for making sure services are run efficiently and securely. Because each party is responsible for securing the resources they control, security in the cloud is something we call a shared responsibility. Simply put, CSPs are responsible for security of the cloud, while the customer is responsible for security in the cloud. CSPs provide a broad range of information, tools, and assistance to help customers with these responsibilities.

Second, cloud adoption increases cybersecurity. This is because embracing cloud technology helps banks increase overall security by modernizing applications and gaining better visibility into their networks, traffic, and vulnerabilities.
The opportunities offered by cloud computing enable enterprises to level out their IT security posture and implement best-in-class cybersecurity solutions. Large cloud providers have the resources and expertise to invest in and maintain state-of-the-art and comprehensive IT security and deploy it on a global basis across all of their platforms. Financial institutions, particularly small and midsized firms, could find it economically infeasible to achieve similar levels of security on their own.

Third, the cloud increases the resilience of our nation's financial institutions. Specifically, it allows firms of all sizes to leverage a suite of best-in-class tools for backup, security, and continuity of operations. CSPs design their infrastructure to be resilient to outages and incidents, and customers can take advantage of this infrastructure to architect for enhanced operational resilience. Since CSPs can rapidly redistribute data across geographically diverse storage regions, cloud environments can enhance firms' strategies for business continuity and operational resilience.

In conclusion, I would like to reiterate IA's gratitude for being included in discussions with the Financial Services Committee's Task Force on Artificial Intelligence, and for the opportunity to testify today. IA, along with our member companies, stands ready to support the task force and the committee in helping financial services companies adopt the cloud in a secure way.

Thank you, and I look forward to your questions.

[The prepared statement of Ms. Seiffert can be found on page 58 of the appendix.]

Chairman Foster. Beautifully timed. Thank you. Mr. Grobman, you are now recognized for 5 minutes.

STATEMENT OF STEVE GROBMAN, SENIOR VICE PRESIDENT AND CHIEF TECHNOLOGY OFFICER, MCAFEE

Mr. Grobman. Good morning, Chairman Foster, Acting Ranking Member Riggleman, and members of the task force.
Thank you for the opportunity to testify about two important issues for the financial services sector: the cloud; and artificial intelligence. Both have advantages to the industry and raise security concerns.

Financial services organizations are migrating to the cloud to reduce complexity, cut costs, and focus their capabilities on delivering financial services to their customers. By using the cloud, both large and small institutions benefit from advanced technology that normally is available only to those who can invest significantly in highly technical workforce. Cloud providers also generally practice strong cyber hygiene, enabling a quick response to vulnerabilities and issues.

Yet, there are also security challenges in moving to the cloud. As cloud providers service many clients, a breach can place multiple organizations' data at risk. An analogy I like to use is that traditional, on-premise computing is like an automobile, and cloud computing is a lot like an airplane. While an airplane is safer than an automobile, given its more advanced technology, when a failure does occur, the impact can be catastrophic.

Today, almost all organizations, including financial services, use multiple cloud providers, a trend that is leaving organizations with less visibility to their operations. To remediate the situation, organizations need solutions to manage visibility and monitor security between cloud service consumers and providers. Known as CASB, this function is a critical new class of application that is rapidly being adopted to manage and secure diverse cloud environments.

Another security issue is the use of unauthorized cloud applications by employees, what we call shadow IT. This creates risk for both the technology and the data.

Like cloud, we must understand the capabilities, limitations, and risks of AI.
Financial services organizations are using AI and machine learning to enable advanced analytics that allow them to better service and protect customers and better manage overall costs. AI is also the new foundation of cyber defense, enabling us to better detect threats and find the so-called needle in a haystack of needles. AI-based automation is helping us alleviate the cybersecurity talent shortage, enabling us to free up human security professionals to focus on the most critical aspects of cyber defense.

But AI is actually quite fragile. In many industries that use AI, such as meteorology, where an adversary does not exist, the fragility is not an issue. In cybersecurity, adversaries are building techniques to confuse AI models and evade detection. To mitigate these risks, McAfee is investing in understanding the adversarial techniques and researching ways to make AI more resilient against attacks.

AI can also be used as a tool by the adversaries. Bad actors can use AI to identify the most vulnerable victims, automate phishing, and evade detection. AI improves their ability to execute attacks and enables content creation for use in social engineering and information warfare such as deepfake videos. These and many other adversarial uses of AI can and will occur, putting our financial services sector, as well as our democracy and civil society, at increased risk.

Most major financial institutions are prepared for major cyber attacks, in part due to the regulatory oversight of the Bank Service Company Act, and the Gramm-Leach-Bliley Act. Financial service organizations also actively engage in cyber sharing groups in collaboration with DHS, the OCC, and the Federal Reserve. Likewise, overall, the largest third-party cloud providers also have strong cybersecurity records. They have solid plans in place to respond to cyber attacks, they are committed to aligning with the NIST cybersecurity framework, and they are active in public-private partnerships.
Cloud providers are less regulated than their counterparts in the financial services sector, as many policymakers know that overly prescriptive regulation would stifle innovation in technology companies and could quickly be outdated as technology advances. Yet, Federal regulators do have a legitimate interest in seeing that IT and cybersecurity services provided by cloud providers to financial institutions are robust.

To best secure cloud and AI technology in the financial services sector, we recommend voluntary collaboration and the use of industry-supported standards and best practices, such as the NIST cybersecurity framework. When appropriate, existing cybersecurity rules for highly regulated critical infrastructure industries should be updated to reflect the rapid speed of innovation.

Thank you for the opportunity to discuss these issues, and I look forward to answering your questions.

[The prepared statement of Mr. Grobman can be found on page 51 of the appendix.]

Chairman Foster. Thank you. Again, beautifully timed. Dr. Brandt, you are now recognized for 5 minutes.

STATEMENT OF JORDAN BRANDT, CEO AND COFOUNDER, INPHER, INC.

Mr. Brandt. Thank you, Chairman Foster, Acting Ranking Member Riggleman, and members of the task force. And, Chairman Foster, I have to say, it is impressive that you have experimented with TensorFlow. So, thank you for your efforts.

Cloud computing and AI are distinct and complementary technologies that offer tremendous economic and consumer benefits. The cloud reduces cost and democratizes access to computational resources which, in turn, powers AI to streamline business functions and provide new insights that improve consumer welfare. The committee has correctly identified that these benefits must be harnessed with proper legislative and technological safeguards for both data security and privacy. Whereas cloud computing and AI pose distinct risks, a common theme applies to both: Don't put all of your eggs into one basket.
The consolidation of sensitive personal information into any individual entity, to be mined by data-hungry AI algorithms, poses significant economic risks and an existential threat to the privacy of our citizens. Fortunately, the emergence of privacy enhancing technologies, or PETs, and specifically encryption in-use capabilities, can address the concerns of both cloud data security and privacy in AI.

As banks move more of their data and information processing to the cloud, they are effectively consolidating risk into a select few providers of cloud computing infrastructure. The magnitude of this risk was underscored by the recent Capital One hack. The breach could have been prevented by securely computing across distributed data in a multi-cloud architecture, in which data is processed without exposing the underlying personal information. This would have eliminated a single point of failure.

To illustrate how this works, it is important to firstly define the three pillars of encryption, which is the best mathematical safeguard of data. First, we have encryption in transit, which secures the transmission between the sender and the receiver. Second, encryption at rest, which secures data storage while it is sitting on a hard disk. And third, we have encryption in use, such as homomorphic encryption and multiparty computation, which secures data in memory while it is being processed. In-transit and at-rest encryption are already ubiquitous. Encryption in-use is rapidly evolving from academic research into practical applications today, as its computing performance for large data sets quantifiably improves.

For example, at Inpher, we have made multiple order-of-magnitude improvements in the performance of both homomorphic encryption and multiparty computation without compromising accuracy. We are currently deploying this technology to solve real-world privacy and security challenges in banking, defense, healthcare, and other industries.
Our platform keeps data private, secure, and resident, precluding the need to centralize information into a single repository. This proactive safeguard enables financial institutions to minimize risk and leverage the full benefits of AI without a privacy tradeoff. PETs thus internalize the letter and the spirit of U.S. and international data privacy regimes which jointly emphasize privacy by design.

Specifically, in the financial services sector, we are witnessing the application of PETs in fraud and anti-money-laundering, credit scoring, trade surveillance, and all forms of predictive modeling where compliant data sharing is critical. PETs safely overcome data silos and increase data utility. Regulators and law enforcement also benefit from privacy-preserving computing, as they are able to run forensics and surveillance on encrypted data for pattern matching and event detection without compromising individual privacy or inviting potential liability. They can find the bad guys without compromising on its citizens. To this end, we have briefed many domestic and international regulators about these capabilities over the last year, and we are encouraged by their enthusiastic support.

To conclude, as a nation, we are in a technology arms race with countries like China that do not share our views on individual rights. We must not accept the false dichotomy between AI and our privacy. We can have both. Privacy-preserving computing not only champions and achieves this outcome, but also fosters new innovation and economic expansion that benefits our government, industry, and every American citizen. We truly appreciate your interest and desire to learn more about this very complex topic, and we remain at your disposal for any further questions that you may have.

[The prepared statement of Dr. Brandt can be found on page 36 of the appendix.]

Chairman Foster. Thank you. And, Mr. Benda, you are now recognized for 5 minutes.
STATEMENT OF PAUL BENDA, SENIOR VICE PRESIDENT, RISK AND CYBERSECURITY POLICY, AMERICAN BANKERS ASSOCIATION

Mr. Benda. Thank you. Good morning, Chairman Foster, Acting Ranking Member Riggleman, and distinguished members of the task force. I appreciate the opportunity to come before you today to discuss how financial data is stored, protected, and maintained by cloud providers. My name is Paul Benda, and I am a senior vice president for risk and cybersecurity policy at the American Bankers Association (ABA). Prior to joining the ABA, I served in the government, both in the Air Force and as a civilian in the Departments of Defense and Homeland Security, where I focused on research and development of new technologies to protect against kinetic and cyber threats. After I transitioned to the private sector, I focused on assessing physical and cybersecurity practices of businesses and recommended improvements to make them more secure. At the ABA, my portfolio is on physical and cybersecurity policy, helping our members understand emerging threats, new technologies, and the political and legislative environments surrounding their use.

The ABA believes the flexibility, scalability, and advanced technologies available in the cloud make it a valuable tool for financial institutions to consider using. We appreciate the opportunity to share our thoughts on how financial data is stored and protected in the cloud, and we would like to highlight four main points.

First, banks are responsible for their data. Title V of the Gramm-Leach-Bliley Act (GLBA) has long-established standards that require a bank to take meaningful steps designed to ensure the security and confidentiality of its customers' information. These requirements are in place regardless of whether that information is stored on premise, by a third party, or in the cloud. Regardless of the location, banks are responsible for ensuring that data is protected.

Second, the cloud offers benefits, but risks must be managed.
It is clear that there are potential benefits as well as risks regarding use of the cloud. But the decision on its use should be left to each individual bank, as each bank is different and is most capable of performing an overall risk-benefit calculation for their environment. If done appropriately, use of the cloud is likely to have no adverse effect on the overall risk profile of a bank and would most likely improve their resiliency.

Third, all parties should collaborate to improve cloud security and efficiency. Banks inhabit a unique regulatory space. No other industry has the level of regulator guidance, oversight, or examination structure in place to ensure that financial data is protected. The baseline shared responsibility model of security used by CSPs attempts to shift all responsibility for information security to its customers, although many CSPs do offer to manage certain IT controls on behalf of their customers, which can blur the lines of responsibility. We believe it would be helpful, especially for financial data deployments, that a transparent set of unified security controls be developed, that security control responsibilities are clearly delineated for each deployment, and that a process for CSPs to notify customers of potential security misconfigurations in their cloud deployments be instituted. This cooperative approach to security would increase overall security of the data and aid in the management of this critical data as it resides in the public cloud. We would welcome a discussion between banks, cloud service providers, and regulators that will allow us to work in a collaborative manner to ensure that the right frameworks, processes, and programs are in place to allow adoption of these new technologies, while maintaining the safety and soundness of the financial institution.

Fourth, regulatory clarity is important.
From a financial services perspective, the GLBA, the Bank Service Company Act, and banking agency guidance already provide a robust regulatory framework to oversee bank utilization of their cloud. But additional clarity would be helpful on the roles and responsibilities of regulators with respect to their direct oversight of cloud service providers. We believe that the oversight authorities in the Bank Service Company Act could be aligned and coordinated with the proposed set of unified security controls for financial data deployed in the cloud so that banks could clearly understand those areas where they could depend on regulators to provide oversight of the cloud service providers, and where banks must utilize private-sector methods to ensure that appropriate due diligence is done. A clear delineation of roles and responsibilities that is arrived at in a collaborative manner would improve overall security as well as efficiency into the oversight process for banks of all sizes.

The challenges in the space are complex. We believe that every stakeholder wants to ensure that security of these critical systems is maintained, and at the same time, innovation is not hindered. A collaborative approach that merges the best of the safety and soundness culture of banks and regulators with the entrepreneurial spirit of cloud service providers is likely to achieve a lasting outcome that is acceptable to all parties. Thank you for the opportunity to testify, and I look forward to your questions.

[The prepared statement of Mr. Benda can be found on page 24 of the appendix.]

Chairman Foster. Thank you. I will now recognize myself for 5 minutes for questions. Our witnesses here seem to have identified four lines of defense here. The first line of defense that Ms. Seiffert mentioned was just that cloud service providers have multiple physical locations. And so, when you are talking about physical attacks, that is a pretty solid strategy. The second one that, I guess, Mr.
Grobman mentioned, is the use of multiple cloud providers. And I would be interested, I will be asking questions on whether that is--how realistic a possibility that is. The third one is advanced encryption techniques as a way to be able to survive even a significant cyber breach. And the fourth general thing is just the future of AI as the main tool that will be used for real-time cyber defense. And so starting with the first point, Ms. Seiffert, to what extent is having multiple physical locations a real protection, and to what extent could it be illusory, if you have a shared hardware vulnerability? For example, if you lose your hardware root of trust, the key used to download software updates, for example, and if that gets corrupted or lost or the bad guys get their whole--you could be in a situation where, yes, we have multiple locations, but because of a shared hardware vulnerability or a silicon bug that is discovered. Can you say a little bit about that, whether that is going to prove illusory or not?

Ms. Seiffert. Thank you for your question. That is without a doubt a possibility, but nevertheless, the multiple availability zone architecture of cloud computing really does lead to significant increases in resiliency. There are a number of ways to configure cloud-native applications with respect to the failover mechanism. I think your point is incredibly valid, what if a vulnerability exists upon multiple availability zones, but it is my understanding that there is a way to architect applications such that in order to have backup and redundancy storage, and essentially seamless failover, in the event of issues in one location.

Chairman Foster. Let's see. The question of whether multiple cloud providers are also a realistic useful defense, that is something that Congress, for example, could mandate for too-big-to-fail banks, that they simply maintain a hot spare provider, in addition to the hot spares that are provided internal to each cloud service provider.
And I was wondering if anyone, Mr. Grobman or Mr. Benda, might have a comment on that, where obviously that would impose costs.

Mr. Grobman. Sure.

Chairman Foster. And we struggle with this all the time in this committee, the tradeoff between short-term profitability and reducing tail risk.

Mr. Grobman. I think, in general, having diverse implementations can add some additional levels of security, but we also need to recognize that a lot of the issues here are not new. In your last question, you pointed out that a single technical vulnerability could impact multiple physical locations. That is true regardless of whether it is a cloud or a traditional on-premise implementation. I think similarly, if you look at multiple cloud providers, there are going to be some issues that are cloud provider-specific and some that would be at an application level or really not matter whether or not it had multiple providers. So, I think it is going to add some help but not be the silver bullet solution.

Chairman Foster. Yes, like the Meltdown and Spectre bugs, for example, applied to multiple processor architectures, so that even having a separate set of processes your cloud is running on was not necessarily a defense.

Mr. Grobman. Correct. I do think that particular issue is illustrative of how effective the large cloud providers are at remediating vulnerabilities. All of the large cloud providers patched their hardware with new firmware literally within days, whereas we have seen private data centers usually take many weeks, if not months, to get those same patches.

Chairman Foster. Okay. Now, in terms of advanced encryption techniques, Dr. Brandt, you said that you had made big improvements in the speed, and I guess you probably have competitors in this. If you look at the overall trajectory of performance of privacy-preserving computing, is there a way to estimate the point at which it might be a pretty small overhead for things like training neural networks and so on? Mr.
Brandt. Yes. Thank you for the question. Indeed, there have been drastic improvements over the last several years, orders-of-magnitude improvements that we have seen in the performance of encryption in use specifically. Again, keeping data encrypted while it is being processed, which can also help protect against these hardware vulnerabilities. If you focus on the data itself, even if the hardware is compromised, the data itself would be secure. Of course, the tradeoff has been higher computational overhead to achieve this. With the current trajectory, we are seeing that large data sets to be used for training neural networks or training AI models in general is becoming quite practical. This is especially because that is an offline process. It doesn't need to be done necessarily in real time. Even if you are talking about an order of magnitude higher compute overhead than you would have in plain text, it still can be--

Chairman Foster. Okay. Now, unfortunately, I must bring the gavel down on myself and recognize my colleague, Mr. Riggleman, for 5 minutes.

Mr. Riggleman. Thank you, Mr. Chairman. And thank you again to the witnesses. And I first want to thank Ms. Broussard for your definition on AI and ML. That is an argument I have had in the DOD, I think, for the past 5 years. So, I appreciate that before we get started. We have had a few hearings here in Congress, and we have a lot of things here. I want to make sure we get to our colleagues. I have written down, you were talking about--the chairman was talking about the four issues that he saw here. I have some specific questions just based on my background in, not really cloud computing, but trying to do the governance and security, overseeing cloud computing in the DOD, specifically the challenges with competition amongst cloud computing and the fun that we have had there with security, but also the regulatory issues. I want to start with Mr. Grobman, and then I want to go to Mr. Benda.
We were talking about continuity of operations, I think, a little bit earlier is how I would look at it, and this is something that I am looking at as we are going forward. Do you think continuity of operations (COOP) would be less expensive with cloud applications, even based on scalability--which I will go to Mr. Benda about--but do you think actually when you are looking at the cloud and where we are going right now, do you believe that would be less expensive for continuity of operations going forward rather than staying on premise?

Mr. Grobman. Yes. And the reason is, cloud operators are able to execute at scale and be able to have expertise in specific areas that would not be practical at the typical institutions that use them. So, for the financial services sector or the DOD to have the same level of competence in the low-level capabilities a CSP has would not be practical. I think it does make things work a lot faster.

Mr. Riggleman. It is interesting because we talked about data stovepipes beforehand, before cloud computing became a thing, right? And my worry is creating funnel clouds of excellence also, which we called them. But talking about that, we talked about cost and scalability, and talking about continuity of operations--and going to Mr. Benda--and sorry, I am off script right now, so we are having fun right now--so talking about scalability, would you say maybe that it improves--and going on, Mr. Grobman, would you say it would improve our security posture based on the fact it could be less expensive, based on cloud computing, to have more continuity of operations as far as cost and scalability?

Mr. Benda. I think that the value of the cloud is certainly the pay-as-you-go model. You pay for what you use. The scalability is there, in that the cloud has several server farms that you can access and provide you failover capabilities that are in there.
I think the cost process or the cost model is that you are not--the way I have heard it described is that it is an operational expense versus capital expense. So, the clouds take on that capital expense. It should reduce costs overall and provide a better resilience capability because that scalability is there on an instant and that is when you pay for it.

Mr. Riggleman. If we are becoming increasingly reliant on technologies, why do you think at this time anybody would wait to adopt them?

Mr. Benda. I think if you look at it from a financial services perspective, there are multiple reasons. One, the cloud is new. You have to learn a whole new set of things on how to secure it. It can be more secure, or it can be less secure, depending on how well you know it. The other thing is, I think there is a lack of regulatory clarity in how the cloud is treated and how it is examined. It is a real issue for banks, and I think the Treasury report that you referenced, sir, makes some really good recommendations.

Mr. Riggleman. Thank you very much. Ms. Seiffert, the same question to you, do you think there is an ability for any scalable pricing that targets smaller institutions? And this is what I get excited about a little bit, is that when we are looking at smaller institutions trying to enter into the cloud computing space, do you think that scalable pricing is there based on the fact that we have a better way of doing business than on premise?

Ms. Seiffert. Thank you for the question. Small and midsized institutions absolutely have the ability to really leverage the power of the cloud to save money, as well as really piggyback on a fair amount of cybersecurity know-how that the cloud service providers bring to the table.
A small or midsized institution, a credit union in Texas, a small bank in Missouri, they are really not able to retain the level of staff or technical know-how to keep their systems as secure as the cloud service providers are able to keep their infrastructure. And so, in that respect, the consumption-based pricing model really favors smaller institutions because their compute spend is just going to be less. It is also going to be more predictable than needing to not only buy a data center, but also patch it to include with the vulnerabilities that were mentioned earlier.

Mr. Riggleman. This allows me to mention to everybody, so piggybacking off Dr. Brandt, and then going to Mr. Benda, when you are talking about technology, and advances that we had, and going to Mr. Benda and seeing everything that is happening, in the last 25 seconds here--yes, sir, I see the gavel ready--in the last 25 seconds, are we to a point where really it isn't about location anymore, it is about access, right? If we are to that point right now, should we be more aggressive in making sure that our regulatory structure supports that?

Mr. Benda. I would agree, I think it is about access, but we have to make sure that those physical security controls are in place, and I think that is really where regulators can help.

Mr. Riggleman. Thank you, and I yield back. The witnesses were wonderful. Thank you.

Chairman Foster. Thank you. The gentlewoman from Texas, Ms. Garcia, is now recognized for 5 minutes.

Ms. Garcia of Texas. Thank you, Mr. Chairman. And thank you to all the witnesses today. First, let me say that I still don't have clarity. I think it is a little cloudy in my head as to exactly what the real challenges are here. And I am concerned more about the consumer, perhaps a consumer like myself, who still keeps a checkbook, who doesn't trust a lot of online banking or online shopping because I find a lot of mistakes, even in some of my credit card statements.
The very idea that somewhere in never-never land, there is a cloud taking care of my financial information, has made me even more nervous today than I was before. Ms. Seiffert, you said there was a shared responsibility, that security in the cloud was the responsibility of the customer financial institution, and security of the cloud was the CSP. What does that really mean?

Ms. Seiffert. Sure. Thank you very much for the question. What that means is there are a variety of services that are available for banks to configure--

Ms. Garcia of Texas. No, I know that, but can you give me an example of what you mean by the difference between ``of'' the cloud and ``in'' the cloud? So that a person like me who is watching this today can really understand.

Ms. Seiffert. Absolutely. When it comes to the software, so whereas you pull up your phone and you have your banking application there, when it is your time to log in, you enter your user name and your password, maybe there is a two-factor authentication. The security of the application as it communicates with the data that is possibly stored in the cloud, it is your bank's responsibility to make sure that application is secure. So you as a consumer, you are seeing an application, that is all the financial services--

Ms. Garcia of Texas. So if I don't use my phone for banking, I don't have to worry about this cloud business?

Ms. Seiffert. Not quite.

Ms. Garcia of Texas. Okay.

Ms. Seiffert. It depends on what your--

Ms. Garcia of Texas. Again, remember you are talking to a consumer who doesn't do online banking.

Ms. Seiffert. So, let's say you are--

Ms. Garcia of Texas. But you have my data over there in West Virginia in the same place where the FBI has a data center, and that makes me nervous too.

Ms. Seiffert. It is a very secure data center.
But sort of the physical security of the data center, who is allowed to get in, you and I probably can't just walk into some data center and have a look around just because we would like to. And the physical security of data centers is a cloud service provider's responsibility. The specific application data that is stored there, let's say that you are accessing a loan through a bank. Let's say you go in person to a bank branch in order to apply for a loan. The security of the application, let's say they take down your data on a website or on some sort of document, and they e-mail it for processing. The security of that is the bank's responsibility.

Ms. Garcia of Texas. Okay. Well, it is a little cloudy, okay? But I will move on to Ms. Broussard. Do you agree with this shared responsibility? Because I think you said that no one in tech thinks about regulatory issues, and instead, they want to move fast and break things. And so if my data as a consumer is stolen or misused, should the liability fall on the CSP or on the financial institution that is using the CSP?

Ms. Broussard. Thank you for the question. The issue of liability is a really good one. We can think about shared responsibility and we can think about shared liability. For example, if you go to a hotel and you are injured at a hotel because of something that the hotel did, then the hotel bears some responsibility, right? The best way to think about cybersecurity issues and issues of liability in the computational world is to think about the equivalence in the real world and think through how things would proceed in that way. And specifically in this case, we do have a communication issue, a really major communication issue around compliance and around tech, because AI issues are very difficult to understand, and bank regulatory issues are pretty hard to understand if you are not trained in it.
One of the things that I think we need is we need better training for cloud computing staff about bank regulatory issues. And we need better communication by both parties about what are the regulations and what is actually happening on the digital side and how is everybody staying protected.

Ms. Garcia of Texas. All right. Thank you.

Ms. Broussard. Thank you.

Ms. Garcia of Texas. I yield back. Thank you, Mr. Chairman.

Chairman Foster. Thank you. The gentleman from Ohio, Mr. Gonzalez, is recognized for 5 minutes.

Mr. Gonzalez of Ohio. Thank you, Mr. Chairman. And thank you, everybody, for being here today for this important task force hearing. I want to start with some questions for Mr. Benda. You spoke about a collaborative approach between the CSPs, the regulators, and the banks to provide clarity and guidance on rules and responsibilities. I agree, that makes total sense. We need to have this sort of collaboration. Right now, there is sort of this finger-pointing thing going on, which I think everybody really loves. Not to put you on the spot here, but as you think through that, from your perspective, what do you think the right roles and responsibilities for each of those three entities should be? It is a big question, I know.

Mr. Benda. That is a big question.

Mr. Gonzalez of Ohio. Give me some broad brush strokes, if you could?

Mr. Benda. The one thing I would say on that is that banks are comfortable and understand the requirements of GLBA and their responsibility to be, overall, the caretaker of that customer's data. We spend hundreds of millions of dollars every year to make sure that happens. We are not interested in offloading that responsibility. When we look at the different roles, we think there is a clash of culture between safety and soundness, regulatory compliance culture that banks have, versus move-fast-break-things on the tech side.
We would love to see a more efficient examination process that allows banks to operate and utilize and take advantage of all the wonderful things that the cloud can provide. But then the regulators have their role of, instead of having 5,000 banks go and hit Amazon for a certain thing, we rely on the regulators to look at the physical security access point. We look at them for those things where there is a multi-tenant cloud, the regulators have access that they need to ensure that the banks' due diligence for that third-party oversight is done and that the banks do their appropriate role. I think working in a collaborative manner, we can make things better for everyone and make things more secure.

Mr. Gonzalez of Ohio. And then as a followup, what is the barrier to having that sort of collaboration, and how can we as Congress make sure that that actually occurs? Because it strikes me that would be a more effective means than what we are doing now.

Mr. Benda. I think the Treasury report that Congressman Riggleman mentioned actually has this exact recommendation in it. I would just ask for an update from Treasury on where they stand on that, and we are happy to work together with the regulators to make that happen.

Mr. Gonzalez of Ohio. Great. And then, Ms. Broussard, so your analogy of the hotel--and this could be for anybody--but the analogy of the hotel suggests that or implies that it is easy to make attribution, right? If something at the hotel was deficient, and I get hurt, that is on the hotel. If it is something that I am doing myself, that is probably on me. And that makes sense. My question with respect to security in the cloud is, how easy is it to make those attributions and does that prevent any sort of barrier?

Ms. Broussard. Thank you for the question. I used the analogy of the hotel because when you go into a hotel, you are renting space.

Mr. Gonzalez of Ohio. Right.

Ms. Broussard.
And in the cloud environment, you are also renting space from one of the cloud providers. As far as how easy it is to figure out what went wrong, it really depends on the individual situation. Sometimes, it is quite obvious, for example, somebody forgot to patch a security hole, and a hacker got in through that security hole, and it is a well-understood breach. Other times, we have folks who are really, really creative about finding ways in, and so we have a new kind of breach, an unknown unknown, if you will--

Mr. Gonzalez of Ohio. Right.

Ms. Broussard. --and we don't have ways to predict that because it hasn't happened yet. And AI is especially not helpful in that regard, because AI can help us protect against things that have already happened, that are known, but it can't be creative in the same way that humans are creative. That is one of the things that is hard about cybersecurity, is you always have to keep up.

Mr. Gonzalez of Ohio. Thank you. Mr. Grobman?

Mr. Grobman. Representative, I really think it is very similar to in the physical world, that in order to have safe use of technology, it is a combination of the technology and the use. For example, in order to safely drive a car, having safety features in the car is a critical component, but as a driver, you also need to apply the rules of the road. So if you are in an auto accident, it could be either because of a failure of the automobile or because you did something improper as a driver. And it is very much the same in the world of the cloud, in that we do need to recognize that the underlying technology can have vulnerabilities, but also, the users of that technology can have misconfigurations or make other mistakes that would lead to issues.

Mr. Gonzalez of Ohio. Yes, and I agree.
I guess the point I am trying to drive home is, so we get the clear rules of the road, we get the guidelines, we make sure that everything is right, I still think we have this attribution question that I am not sure that we have a great answer for right now. With that, I yield back.

Chairman Foster. Thank you. The gentleman from Illinois, Mr. Casten, is now recognized for 5 minutes.

Mr. Casten. Thank you, Mr. Chairman. And thank you all so much. It strikes me that the thing that makes cloud computing so awesome is that its strength is its weakness, right? You have all of this organized data that you can access remotely, which means that if I am going to wear a black hat and find a place to target, that is a lot more attractive than getting onto my little laptop. The issues, and as Congresswoman Garcia raised, is this gap between who bears the liability for that, and then there is separately, who bears the cost, which is not always the same, and sometimes don't tie out. My first question for Mr. Benda is, let's say you are a major U.S. bank. You have customer data from all 50 States within your system. Jurisdictionally, how many different jurisdictions constrain how you regulate the data? Is it 51? Is there one overarching jurisdiction that sets what kind of constraints you have to impose or liabilities you have to manage to?

Mr. Benda. There can be. A national bank like that is chartered by the OCC. That is the primary regulator. They would have the overarching control or regulation of that. What we would like to see is a harmonization of those regulations. We would like to see that we don't have to answer to 51 different masters, that we harmonize those regulations through a Federal regulator.

Mr. Casten. Are the obligations substantively different between the State and the Federal, and between the States?

Mr. Benda. They can be, sir.

Mr. Casten. What if you have international clients, or one of your clients has a London account in addition to your U.S.
account that is managed in your same system?

Mr. Benda. Large banks have a lot of regulatory oversight and a lot of different challenges they have to face. Those are real issues that we work through every day, and we do our best to address them as best we can.

Mr. Casten. Given different liabilities for those different jurisdictions, to what degree do the banks segment the data? In other words, if I have data that is only subject to my London account, is that on the same network and the same accessible server as the one that is my Arkansas account?

Mr. Benda. That is a great question, sir. I would have to get back to you on that. I don't know a specific implementation on how they would handle that.

Mr. Casten. Is it even possible to do that segmentation if your customer in Arkansas also has a London account?

Mr. Benda. Per customer, that is a great question, sir. I don't know the ins and outs of that. I would have to get back to you on that.

Mr. Casten. Ms. Broussard, you seem like a nice person, but I am going to pretend you have on a black hat now.

Ms. Broussard. Okay.

Mr. Casten. If you have all of these different regulations and you have a gap between the liability and the cost of--who bears liability and who bears cost between the cloud provider and the bank and the customer whose data is stored, and different international and State and Federal rules, where are the regulatory gaps? If you are going to hack into that system and say, where would I exploit the vulnerabilities? Because, given your brain power, if you can say with a black hat and then we can think about where we ought to be, where we ought to be bolstering the defenses, I am going to put you on the spot, but I would love your thoughts.

Ms. Broussard. Sure. I actually think about this a lot. As a data journalist, one of the things you do is you look for where can things go wrong and you look for the things that go wrong, so thank you for the question.
I would say that cybersecurity is very important to consider holistically. We need to consider the attack surfaces in the real world as well as the virtual world. As far as who bears the responsibility, this is such a complicated question, and I have talked about it with a lot of lawyers, and it is hard to find a consensus. I would go back to your earlier question about how easy is it to write code against all of these different regulations. One of the problems with making banking technology is that, as a programmer, you want to write once and run anywhere, but if we have 50 different States with different rules individually, and the computer is considered to be in cyberspace, well, I could just shrug and say, oh, well, it is in cyberspace, it doesn't matter. Or I could say, I need the rules to adhere to the rules of the real world. These are individual decisions, and I think that is one of the cultural differences between computer scientists and regulators.

Mr. Casten. Thank you. I yield back.

Chairman Foster. Thank you. And Members are advised that votes have been called. The time is currently at 6 minutes and 25 seconds. The gentleman from Missouri, Mr. Cleaver, who is also the Chair of our Subcommittee on National Security, International Development and Monetary Policy, is recognized for 5 minutes.

Mr. Cleaver. Thank you, Mr. Chairman. I am going to try to roll three questions into one because of the votes. My favorite time of the year is October because of Halloween and all of the movies, the horror movies that come on. I know probably all of you are watching them at night with me. And I am on the Committee on Homeland Security as well, and I chair the Subcommittee on National Security. So I don't know if I am being troglodytic in my thinking, but a lot of this scares me more than Dracula does, and Dracula is real. I just want to make sure you know that. But, we have this plan, this financial plan to create a financial ecosystem by Facebook.
They are calling it stablecoin. I call it scary. At Homeland Security, we are always looking at what you said, Ms. Broussard, what can go wrong? What can happen? I am thinking power lines, water treatment facilities, and then on top of that, human error. We have a situation that is quite threatening, and we know for a fact that the Chinese, the Iranians, and the Russians are all daily, daily messing with us, and you probably know about some of them, and a lot of them you don't know about. Tell me it is going to be okay or tell me it is not.

Mr. Brandt. I think all of these discussions and some of the lack of clarity around liability, if we just focused on what is the precious asset here, it is the data. And if we look at the poll of what the banks are worried about, it is the data privacy, the data security. And regardless of what happens, if there is a breach, if there is a vulnerability in the hardware or the physical location, if the data itself is protected, then we are good. There are other bad things that can happen, of course, interruption of service, but at least people's data and their privacy are secured in that. If we just focus on the life cycle of the data security itself, then it helps to, I think, simplify a lot of these questions that we are having.

Mr. Grobman. Representative, I agree with your point that the threat landscape is extremely broad. But one of the things that we have to recognize is we can't put a priority on the most important thing to worry about is energy or water or our financial system, because if any one of those systems had a major cyber breach, it would be catastrophic, which is why we need to really have a comprehensive cyber defense approach across all of our critical systems.

Mr. Cleaver. But we are not even close to that, are we?

Mr. Grobman. No, we are not.

Mr. Cleaver. I yield back, Mr. Chairman.

Chairman Foster. Thank you. I would like to thank our witnesses for their testimony today.
The Chair notes that some Members may have additional questions for this panel, which they may wish to submit in writing. Without objection, the hearing record will remain open for 5 legislative days for Members to submit written questions to these witnesses and to place their responses in the record. Also, without objection, Members will have 5 legislative days to submit extraneous materials to the Chair for inclusion in the record. Thank you, and this task force hearing is adjourned.

[Whereupon, at 10:35 a.m., the hearing was adjourned.]

A P P E N D I X

October 18, 2019

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]