In today’s Senate Judiciary Committee hearing, the Committee dug into what it called “China’s non-traditional espionage against the United States.” During the hearing, senators heard from cybersecurity and intelligence experts about China’s attempts to use cybersecurity attacks and intellectual property theft to advance its global standing.
The hearing, which was over two hours long, involved experts from the Departments of Justice (DoJ) and Homeland Security and the Federal Bureau of Investigation (FBI).
While much of the hearing centered around China’s use of non-traditional espionage to engage in intellectual property theft, Sen. Amy Klobuchar, D-Minn., zeroed in on the importance of cybersecurity. Specifically, Klobuchar referenced the letter she and other leaders in the party sent to John Bolton, President Trump’s national security advisor, in May, urging him to reverse course on his decision to eliminate the White House cybersecurity coordinator position. She argued that while the United States is seemingly deemphasizing the importance of cybersecurity, China is growing its investment in the area.
Klobuchar wasn’t just speaking to China’s desire to fortify itself against attack, but also its use of malicious cyberattacks. Specifically, Klobuchar referenced the recent Marriott data breach, which exposed potentially 500 million individuals’ personal data. This morning, Secretary of State Mike Pompeo publicly confirmed that the attack was spearheaded by the Chinese intelligence community.
She asked Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), what the United States could do to “keep pace” with China in the cybersecurity arena, whether he believed additional cybersecurity leadership is needed, and finally whether the National Security Council should have a dedicated cybersecurity leader.
“I would not mistake the lack of a coordinator for the lack of coordination,” Krebs responded, rebuffing Klobuchar’s implication that the coordinator position is essential.
Klobuchar then returned to the Marriott data breach and asked all witnesses about what outreach is done between agencies and companies, and if there are any limitations on the government’s ability to share information.
Bill Priestap, assistant director of the Counterintelligence Division for the FBI, said that the government is at times limited in what information it can share due to classification requirements, but he reassured Klobuchar that the FBI and other agencies are “leaning forward” and sharing more information than they ever have before.
Later in the hearing, Sen. Dianne Feinstein, D-Calif., returned to the Marriott data breach, stressing the severity of the breach given that Marriott is a frequent provider for government and military officials, and asked the witness what they take away from the incident. Krebs said that while his role isn’t attribution, he looks at what can be done to prevent another similar breach. Specifically, he zeroed in on data retention policies as being key: what information are companies retaining, how are they securing it, how long are they retaining it for, and how do they dispose of it. He also said that the Federal government needs to examine mergers and acquisitions, given that Marriott acquired the Starwood brand of hotels, which was the group that was attacked. He suggested that there needs to be a careful examination of security policies during the acquisition process.
After referencing her work with Sen. Kamala Harris, D-Calif., on the Secure Elections Act, Klobuchar then prompted John Demers, Assistant Attorney General in the National Security Division at the DoJ, to discuss how China is working to influence U.S. elections. Demers led by saying that the way China behaves is very different to how Russia behaves in its attempts to interfere with U.S. elections. Demers said that the DoJ is looking to leverage existing regulations to ensure that any attempts on China’s part to interfere with elections are transparent and visible.
When Harris had her turn at bat, she questioned Krebs on a report he issued with the Office of Management and Budget in May regarding a cybersecurity workforce shortage in the Federal government. She asked Krebs if the Federal government still lacked the personnel it needs to defend itself against malicious cyberattacks, and Krebs acknowledged that it did. When asked by Harris about what can be done to help agencies hire the talent they need, Krebs discussed needing to provide “more opportunity” and referenced the “perceived pay gap” between government work and the private sector. Krebs also discussed needing a policy that doesn’t just focus on “getting people into jobs,” but also addresses “reskilling and upskilling” existing personnel. On top of getting more personnel, he also stressed the importance of consolidating IT services across the government and better leveraging surge personnel during times of increased workload. Harris pushed Krebs to follow up with the Committee after the hearing to further discuss how CISA’s plan is “coming along” and what Congress can do to support its efforts.
Harris then turned to another section of the report from Krebs’ team, which found that 71 out of 96 Federal agencies have cybersecurity programs that are either “at risk” or at “high risk.” Harris questioned whether the agencies in the report have embraced the report’s recommendations. Krebs said that there has been significant interest from CIOs and said that he “cannot think of a single agency that has not embraced what needs to be done.” Harris then urged Krebs to follow up on the timeline and deadlines for when agencies need to comply with the report’s recommendations.
Sen. Sheldon Whitehouse, D-R.I., discussed criminal prosecution of Chinese cybercriminals with Demers, who said the hardest part of bringing a cybercrime to court is attribution. Whitehouse then switched to botnets and asked Demers to submit a written answer on the status and structure of the operation within the DoJ to tear down botnets.
Sen. Ted Cruz, R-Texas, turned to Chinese telecommunications company Huawei, whose CFO Meng Wanzhou was arrested in Canada at the request of the United States for violating Iran sanctions. Cruz was specifically concerned that Huawei provides telecom services for allies, including Canada, and that the services may be compromised by China’s influence over the company. Krebs acknowledged that China’s global influence through Huawei and similar companies is broad, but said that is shifting. Priestap said bluntly that China doesn’t share our countries’ values, and pointed to China’s cybersecurity and data management laws, which give them nearly unfettered access to data. He alleged that the data possessed by Chinese companies can be used by the Chinese government however it wants, which he said was a major issue and concern.