Home

Transcript: Senate Hearing on Threats to Cyberspace from Authoritarianism and Global Competition

Justin Hendrix / Sep 27, 2024

September 24, 2024: United States Senate Foreign Relations Subcommittee on East Asia, The Pacific, and International Cybersecurity Policy hearing on Cyberspace Under Threat in the Era of Rising Authoritarianism and Global Competition. Source

On Tuesday, September 24, the United States Senate Foreign Relations Committee Subcommittee on East Asia, The Pacific, and International Cybersecurity Policy hosted a hearing titled "Cyberspace Under Threat in the Era of Rising Authoritarianism and Global Competition."

  • Laura Cunningham, President, Open Technology Fund (written testimony)
  • David Kaye, Clinical Professor of Law, University of California, Irvine (written testimony)
  • Jamil N. Jaffer, Founder and Executive Director, National Security Institute (written testimony)

The discussion focused on a range of issues, including:

1. The threat of digital authoritarianism and the need to counter it.

"Worldwide, more governments are substituting repressive technical shortcuts for the hard work of good governance to control their populations in ways that were previously unimaginable. This is the greatest danger to democracy of our time, with profound implications for our democratic principles, national security and global economic competitiveness." -Laura Cunningham

2. The importance of both technology and norms/policy in combating digital authoritarianism.

"I think we've debated a lot about technology and norms today, and I think it's critical we do both. I think to try and choose one of the two would ultimately mean that we fail in this endeavor." -Laura Cunningham

3. The challenge of commercial spyware and need for global cooperation to address it.

"We are careening towards a highly-destabilized world where no one is safe from cheap, sophisticated spyware. So what is to be done about it?" -David Kaye

What follows is a lightly edited transcript of the hearing.

Sen. Chris Van Hollen (D-MD):

This meeting of the Senate Foreign Relations Subcommittee on East Asia, the Pacific and International Cybersecurity Policy will come to order. I'd like to begin by thanking Ranking Member Romney, Senator Romney, for your partnership in convening this hearing to discuss threats to cyberspace and internet freedom in an era of rising authoritarianism and global competition. We're grateful to be joined by an experienced panel, including Laura Cunningham, the president of the Open Technology Fund, David Kaye, a clinical professor of law at UC Irvine and Jamil Jaffer, the executive director of the National Security Initiative, all of whom I will introduce a little more fully in a moment.

At the beginning of this century, there was optimism about the democratizing power of the internet. Technologies that we now take for granted, such as the internet itself, social media and smartphones were revolutionary, helping connect humankind in unprecedented ways and creating opportunities for people to challenge authoritarian and repressive governments. We saw these technologies used by the 2009 Green Movement in Iran and then the Arab Spring, as well as other digitally organized demonstrations around the world. And these technologies continue to hold that promise.

But the use of these technologies to enable protest movements and dissent prompted a backlash from authoritarian governments who recognize that digital connectivity in the hands of their peoples could pose a threat to their grip on power. As a result, these regimes and repressive governments quickly sought to develop methods to restrict the free flow of information, to limit political discourse online and to suppress freedom of expression, including in many cases seeking to silence their expat and diaspora communities abroad. To do so, these governments turn to a host of technologies to track and disrupt dissent.

Fast-forward to today and we have witnessed an explosion of new technologies and practices such as internet shutdowns, censorship techniques, mass surveillance and racial recognition technologies, commercial spyware, and other tools that are used to suppress public dissent.

And sadly, in many ways, repressive regimes are succeeding in this space. According to Freedom House's 2023 Freedom on the Net report, global internet freedom has declined for the 13th consecutive year in a row. The commercial spyware marketplace where shady private companies sell hack-for-higher technologies used against human rights defenders is booming. Some estimates suggest it is a $12 billion industry. The proliferation of AI enhanced mass surveillance spread by nations like the PRC and others is accelerating as regimes seek to engage in the mass surveillance of their citizens. This alarming trend presents significant challenges not only to individual privacy, but also to global security, to democratic governance and freedom of expression. The tools designed to empower citizens are being weaponized against them, and we must take decisive action to counter this trend. Furthermore, countries like the People's Republic of China are capitalizing on this trend by exporting mass surveillance technologies globally, offering tools that enable oppressive regimes to monitor and control their populations.

Meanwhile, according to our recent report from the The Atlantic Council's Digital Forensic Research Lab, companies in India, Israel, Italy and other countries have been marketing their spyware to oppressive governments. This proliferation of surveillance capabilities in spyware not only exacerbates human rights abuses, but also sets a dangerous precedent for how technology can be used to undermine democratic movements worldwide. These threats are already being keenly felt by civil society organizations who seek greater transparency and accountability from those in power. And if left unchecked, they will continue to have a chilling effect on dissent and undermine privacy and democracy movements worldwide.

While predominantly used by authoritarian governments, the last decade has seen aspects of digital authoritarianism creep into democratic states, accelerating global trends of democratic backsliding. Democracies are not immune to the allure of these technologies, and while there are legitimate law enforcement uses for many of them, we should ensure that our democratic partners and allies respect human rights and remain true to the values that bind us together.

As authoritarian and repressive governments deploy technologies to suppress dissent, we need to find ways to counter their efforts so technologies can be used in a way that sustain and support democratic values and norms rather than undermine them. This includes initiatives to strengthen internet freedom and combat internet censorship, better protect activists, journalists and human rights defenders from cyber threats, harassment and abuse, sanctioning companies that sell spyware to authoritarian regimes that use it to prey on their citizens, and shaping emergency technologies like AI-powered mass surveillance technologies so they deliver services that are in line with our values.

I want to applaud the Biden administration for taking a series of actions in this space designed to stem the tide of digital authoritarianism. On internet freedom, the administration has worked closely with the Open Technology Fund to provide tens of millions of dollars to enable tens of millions of people living in autocracies to use virtual private networks and other technologies to circumvent government censorship. And on commercial spyware, the administration has used many of the tools in the executive branch's toolkit including executive orders, sanctions, visa restrictions, export controls and diplomatic agreements to tackle an industry that is out of control. These efforts to protect the free flow of information are crucial to keeping pace with the rapid advancement of technologies designed to crack down on political dissent.

We must continually assess the effectiveness of government action and adapt our strategies to combat these threats to democracy and human rights. Congress should also consider how we can best direct and empower the executive branch to tackle these issues every year. The State Foreign Operations Appropriations Bill funds internet freedom programs at the State Department, as well as the Open Technology Fund, but we must think creatively about what other legislative tools we can deploy to counter these growing threats.

As we navigate the challenges of digital authoritarianism, we must remain vigilant for the technologies designed to connect us can easily become instruments of oppression. If we do not act now, we risk descending into an Orwellian nightmare where surveillance and control overshadow our fundamental freedoms. I'm glad that we have an excellent panel here today to help us think through these issues and what Congress could potentially do about it.

Before I turn it over to the panel, let me turn it over to Ranking Member Romney. I do want to take this opportunity to again thank him for his partnership on this subcommittee. It's been good to team up with him on a number of pieces of legislation, some which have passed already, some which have not yet. But thank you Senator Romney for your leadership and your service, and with that, let me turn it over to you.

Sen. Mitt Romney (R-UT):

Thank you, Senator Van Hollen and witnesses for being here today. I likewise am disturbed by the threat posed by technology and particularly in the area of cyber intrusion, warfare, oversight, spying, and so forth. I guess it's no surprise that systems that are in conflict, free nations versus authoritarian nations, would find that the competition goes beyond air, land, and sea and is now also in cyber. You have to count me, however, as skeptical that there's something we can do to prevent the bad guys from doing bad things. It strikes me that they will use every tool available, and now there's a whole host of new tools associated with cyber and AI and quantum and so forth that they see as vehicles to do what they want to do.

I don't know if there's any way we can prevent them from doing that other than by developing tools ourselves that are superior to theirs and staying ahead. Telling them, "No, you can't spy on your people," is simply going to be laughed at because they will spy on their people. Telling them, no, they can't spy on us. No, they will laugh at that. They'll even use balloons to spy on us, but that's of course an outmoded technology. But the modern technologies they will use and abuse to the extent humanly possible, and I don't think there's anything we can do that will keep the authoritarians from doing awful things.

Look at Russia, they just invaded a sovereign nation and are killing and maiming hundreds of thousands of people. So sanctions by American businesses or by the American government or our calling for freedom of the airwaves and prevention of censorship strikes me as making us feel good that we're saying things, but they're going to keep doing things that are detrimental to the freedom and human rights that exist in our nation and in other free nations. So I'm very interested in hearing what you all have to say about what actions we can take to do a better job securing our freedoms and preventing the authoritarians from taking advantage of the technologies that are suddenly available to them.

I would note that particularly with the advent of AI and the leaps and bounds that it's predicted to take over the next four to five years, creating super intelligence as we heard Sam Altman say just yesterday, within the next thousand days, with the advent of that technology and potentially quantum computing, what do free nations do to secure the rights that we hold so dear? And again, it strikes me that the way that we secure those rights is by being superior and having technology which is able to combat theirs with its superiority and doing what America has always done, which is out innovate and out invest our adversaries and by holding aloft the flame of freedom. With that, Mr. Chairman, we'll turn to the panel and hear what their thoughts might be.

Sen. Chris Van Hollen (D-MD):

Thank you. Thank you, Senator Romney. I'm going to introduce each of you and then we'll have you go in turn.

Ms. Laura Cunningham is the president of the Open Technology Fund, which is a congressionally authorized and funded nonprofit that seeks to advance internet freedom in repressive environments. She has a decade of experience working on internet freedom, and prior to her time at OTF, she was at the State Department's Bureau of Democracy, Human Rights and Labor where she led the Department's internet freedom programs. Welcome.

We also have with us Mr. David Kaye, who is a professor of law at the University of California Irvine. From 2014 to 2020, he served as the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. In this role, he focused particularly on issues related to freedom of expression and technology, and his book entitled, Speech Police, the Global Struggle to Govern the Internet, explores the ways in which companies, governments and activists struggle to define the rules for online expression.

We're also very pleased to be joined by Mr. Jamil Jaffer, who's an alumni of this committee. He is now the founder and the executive director of the National Security Institute at the Antonin Scalia Law School at George Mason University, where he also serves as an assistant professor of law. He's also a venture partner with Paladin Capital Group, and prior to his current work, he was a staff member, as I said here on the Senate Foreign Relations Committee and on the House Permanent Select Committee on Intelligence.

Thank all of you for being here. I respectfully ask that you try to keep your opening statements to the five minutes, and if you can't cover something there, we will certainly get to it in the questions. With that, let me turn it over to you, Ms. Cunningham.

Laura Cunningham:

Chairman Van Hollen, Ranking Member Romney, thank you for inviting me to testify today on the threat of digital authoritarianism.

Today, two-thirds of the world's population. Nearly five and a half billion people live in a country where the global internet is censored and this number is only increasing as authoritarians harness technological advances to increase the scale, scope, and efficiency of digital repression. But this is not merely a technical challenge. It is a normative contest to determine whether governments use technology to entrench authoritarian control or empower democratic freedoms. The Open Technology Fund was established over a decade ago with bipartisan support from Congress to combat digital authoritarianism. To do this, we support open source tools that provide secure and uncensored access to the internet. Today, over two billion people globally use OTF-funded technology.

OTF's primary focus is on the human rights abuses that result from the application of repressive technologies. However, the threat I want to focus on today is the digital authoritarian model that information control technologies have enabled and not merely the technologies themselves.

Worldwide, more governments are substituting repressive technical shortcuts for the hard work of good governance to control their populations in ways that were previously unimaginable. This is the greatest danger to democracy of our time, with profound implications for our democratic principles, national security and global economic competitiveness.

Online censorship has become the cornerstone of digital authoritarianism, facilitating easy and effective information control to eliminate government accountability and obfuscate the truth. We all know this is the case in China and Iran, but it is being normalized in dozens of countries around the world. And autocrats are forging ahead with even more blunt censorship techniques including total internet shutdowns. In fact, last year, 39 governments shut down the internet over 280 times.

To further enhance their control, authoritarians are also leveraging AI to increase censorship, scale, speed, and efficiency. Leading digital authoritarians have also normalized the use of sophisticated surveillance tools to intimidate, imprison and stifled domestic political opposition. In fact, research supported by OTF found that over the last decade more than 110 countries received information control technologies from China or Russia. In addition, Huawei has built over 70% of Africa's 4G networks. And with such powerful tools, few authoritarians are willing to stop at their own borders. Commercial spyware products which have been acquired by nearly 40% of all nations have now made it possible to surveil citizens anywhere in the world. This could convince some that technology is inherently oppressive, but nothing could be farther from the truth.

The internet offers extraordinary potential for global connection, inclusive democratic participation, and economic growth at a speed and scale unprecedented in human history. The reality is that a free and open internet meaningfully improves the lives of billions of citizens around the world. It is clear that the true appeal of the digital authoritarian model is not its supposed benefits to citizens, but its simplicity, it's cheap and easy to be a digital authoritarian.

To counter the spread of this model effectively we must raise the costs while also offering a positive democratic vision in exchange. Autocrats have purchased their hold on power by spending billions of dollars to control what people can say, share and access online. While the United States and our allies cannot match these investments dollar for dollar, we must proportionally increase our efforts to make digital authoritarianism more difficult, more expensive, and less effective.

First, we need to increase our investments in internet freedom technologies to reduce the efficacy of oppressive tools. People living under authoritarian regimes are our greatest ally in this cause, and we must ensure they have the tools to combat digital controls for themselves. This is why OTF supports technologies that counter even the most advanced forms of censorship and surveillance.

Second, we need to empower civil society coordination to bring it in line with the speed of authoritarian information sharing. In many countries, civil society organizations are working in isolation to identify and mitigate digital threats. There is an urgent need for better coordination. Beyond the tangible benefits to those under attack, this coordination significantly increased the cost of authoritarian control.

And the private sector must engage as well. They're often excluded from important markets unless they make unreasonable accommodations that conflict with their stated values. It's in all our best interest to keep global markets open and fair without sacrificing our principles.

Members of the Subcommittee, we must counter this challenge where it originates, in China, Iran and Russia. We must also advocate for a better model where it is spreading. The United States and its allies must advance a positive vision for a global internet that reinforces our democratic principles. We can show that it's possible to protect national security without undermining human rights and our democratic values. The challenges posed by digital authoritarianism are daunting, and the path to a competing model is hard, but it is unquestionably worthwhile.

If shown it is possible, most countries will opt for forms of digital governance that protect human rights, but we need to lead the way. If we don't, China and Russia certainly will. Thank you and I look forward to your questions.

Sen. Chris Van Hollen (D-MD):

Thank you. Mr Kaye.

David Kaye:

Chairman Van Hollen, Ranking Member Romney, distinguished members of the Subcommittee, thank you for the invitation to speak before you today. My written testimony explores how authoritarianism and global competition over cyberspace are putting extraordinary strains on human rights, democracy, and US national security, focusing on commercial mercenary spyware. Here I will limit myself to the following summary points.

First, the commercial spyware threat is real and deeply intrusive. With sophisticated exploits of device vulnerabilities, governments can buy a service that gives them access to text messages and calls, photos and files, contacts and locations, everything on your device and in real time. Proponents pitch spyware as necessary to control terrorism and crime, yet report after report has demonstrated that spyware is used to target the pillars of democratic society, journalists, opposition figures, human rights activists, even government officials and embassy personnel. Israel's NSO group may be most known for its widely reported Pegasus spyware, but a shadowy industry is manufacturing, marketing, selling, and servicing mercenary spyware.

Members of Congress and US government personnel have been in spyware's crosshairs. We are careening towards a highly-destabilized world where no one is safe from cheap, sophisticated spyware. So what is to be done about it?

In 2019, in a report to the UN Human Rights Council, I argued for limits on the uses of such surveillance technologies to manifestly lawful ones only subjected to the strictest sorts of oversight and authorization with private sector participation in the spyware market conditioned on human rights due diligence and a track record of compliance with human rights norms. At the time, I urged a moratorium on the industry pending the imposition of enforceable regulations and tighter export controls. Since then, Congress has enacted laws with a clear understanding that foreign commercial spyware poses national security and human rights threats. US agencies have sanctioned spyware companies for "activities that are contrary to the national security or foreign policy interests of the United States."

President Biden promulgated Executive Order 14093, constraining spyware's use and condemning its interference with fundamental rights and US national security. And the United States has led a growing coalition of 21 governments to pursue domestic and international controls on spyware. These and other efforts may in fact be having an impact with emerging evidence that the cost of undermining human rights and US national security is indeed high. Still, the threat persists. The demand remains. AI will indeed infuse the industry with an ever-deepening power to interfere with democratic life.

This subcommittee should thus encourage the development of global norms to counter it. Congress could, for example, codify the rules of Executive Order 14093. And it could go further. It could explore ways to limit the foreign sovereign immunity barrier in state hacking cases and enable remedies to spyware victims in US courts. It could explore conditioning US cooperation with other governments pending implementation of their commitments to prevent the export of spyware to end users likely to use it for malicious activity. It could even condition assistance to governments on their commitment to demonstrate that rule of law and human standards apply to their use of commercial spyware.

Congress could also have a near-term impact in related area. The UN General Assembly will consider adoption of a new cybercrime convention this fall. The convention and initiative pressed originally by Russia sends a contrary message on targeted surveillance, at the very moment that the United States is pushing for constraint. The Freedom Online Coalition Advisory Network has said it would enable and legitimize serious human rights violations, due to multiple flaws, and lack of safeguards, and fundamental rights protections. Senate expressions of concern could focus attention on the harm the convention would do, and urge abstention or a no vote. In short, democracies need not be sitting ducks. They have the tools to counter the rise of global authoritarianism in cyberspace. The US has begun to deploy those tools and to counter spyware's lawlessness, and I urge the subcommittee to continue its critical support in the legal fight for freedom online. Thank you very much.

Sen. Chris Van Hollen (D-MD):

And thank you. Mr. Jaffer?

Jamil Jaffer:

Chairman Van Hollen, ranking member Romney, thank you for holding this hearing. It's particularly important at a time, given the increasing drumbeat of threats that our nation and our allies face from countries like China, Russia, Iran, and North Korea, these countries are global oppressors. They repress their own people at home, then they export that repression abroad, not just in their own regions but across the globe.

They engage in this export through a variety of activities, whether it's surveillance technology, their influence on online platforms, their cyber attacks and hacks against our nation, and its allies, and the like. They are engaged in a constant day-in, day-out attack on America, our allies, and free and open societies around the globe, and we must respond. Chairman Van Hollen, you've led on some of these efforts with the BRINK Act and your efforts to speak out against the CCP and its repressive activities in Hong Kong and abroad.

Ranking member Romney, you, for decades, have talked about the threat these countries pose to our nation and our allies. You spoke about Russia long before it was popular to speak out against Russia and its repressive activities, and long before they invaded Ukraine, not once, but twice. You've also talked about Iran and China's activities as well. So the members of this committee and the leadership of this committee knows all too well the threats these countries pose, but their threats are not just obvious on the surface. They're surreptitious. These countries spend hundreds of millions of dollars and billions of dollars investing in technology to embed that technology at the heart of our societies. Companies like Huawei and ZTE, supported by low- and no-interest loans from the Chinese government, and grants from the Chinese government, embed their core network capabilities in networks around the globe. By one measure, in Africa, 70% of 4G networks are controlled by Huawei.

Huawei sits at the heart of British Telecom. It sits at the heart of telecommunications networks inside of our country, in state and local networks. Congress has taken action to combat this, by providing funds to rip and replace some of this technology. More needs to be done, and faster. Our allies are slowly getting on board with this program, but are slow rolling it. Germany, just this month, announced that it'll slowly be removing Huawei technology from its networks, but not till 2026. And it's not just telecommunications capabilities, it's social media. Today, TikTok has 170 million Americans on its platform. It is the primary news source for Americans under the age of 30. A Chinese-influenced platform is the primary news source for Americans under the age of 30.

And it's not that we don't know that TikTok uses its capabilities to message to Americans. We know that in a variety of ways. Number one, we saw them push the Osama bin Laden narrative in the aftermath of the October 7th attacks. We saw them suppress talk about their suppression of Muslim Uyghurs and the genocide against Muslim Uyghurs. We saw them suppress discussion about Tibet, and we saw them press this Congress to have American young people call Senate and House offices to lobby against the TikTok legislation that was passed in the House and the Senate, and eventually signed into law. So we know that this platform is used for illicit activities by the CCP and its allies, and so it's so critical that we take action.

But it's not just cat videos and dancing videos on TikTok. It's also election messaging, and it's also the fact that the data that's collected on Americans using TikTok, the location of individuals, their voice prints, who they communicate with, when combined with the massive amounts of data that we know China and other nations have stolen from Americans, including healthcare data, financial data, and the like, and all that enhanced with AI technology to create targeting packages, not just for intelligence collection, but for covert messaging. The same way that AI enhances the ability of our candidates to speak to the American electorate, it enhances the ability of China, Russia, Iran, and North Korea to speak to Americans as well, and that is a very real danger.

And so that's why it's so critical that we have this hearing today, that we hear about the capabilities that the Open Technology Fund is putting to work, using Congressionally appropriated funds to bring freedom to these nations. But it's also important why we hear about commercial spyware and the like, and what our adversaries are using as well, because it's important that we factor in that American investors are investing in these technology capabilities. That's why it's important that Congress and the administration partner with American investors who are willing to speak out against this, and are willing to commit to not investing in adversary technology, and to investing in American and allied technology. We brought together a group of 20 investors. There are other groups as well, in NATO and the Quad that are bringing these groups together as well. And so I welcome the opportunity to be here today. Thank you for your time, and I look forward to any questions from the committee.

Sen. Chris Van Hollen (D-MD):

Well, thank you, and thank all of you for your testimony. And just picking up on one of the points you raised, we've had bipartisan support to try to provide substitutes, competitive substitutes to Huawei and ZTE, for the reasons that you explained, rip and replace here at home, but we need to continue to be vigilant on a bipartisan basis, and provide alternatives to these countries. Let me just focus first with you, Ms. Cunningham, because we are looking, we're trying to use this hearing to identify things that we can do to try to break through censorship, like the firewalls in China and other places.

And as Senator Romney said, in many cases, as you know, this is a race against technology, but there are also ways we can raise costs on both countries and companies that are engaged in this kind of activity or aiding and abetting this kind of activity. Back in the day, during the Cold War, we had Radio Free Europe, Radio of Liberty, to try to overcome censorship in the Soviet Union. There were always efforts to jam those radio signals. We're onto new technologies right now. So just focusing now on technology, if you could talk a little bit about how you all at the OTF are helping dissidents and others in countries that have extreme censorship, to try to use technologies so they can get good information about what's happening in their countries and elsewhere around the world.

Laura Cunningham:

Thank you. So the Open Technology Fund invests in two categories of technology, anti-censorship tools like VPNs that the chairman has already spoken about, as well as privacy- and security-enhancing technologies, to make sure that civil society and journalists around the world are able to stay safe and report safely doing their work. The challenge here is that we are just woefully outspent when it comes to innovating and supporting these technologies. In just the last two years, demand for OTF-supported VPNs has increased by over 500%, and we don't have the resources to support the VPN users around the world who are eager for these tools, who want to access free and independent information.

The challenge, frankly, on that front is not a technical one. We have VPNs that work well, that are secure and effective, but we just don't have the resources to be able to meet the demand for users around the world who are facing online censorship for the very first time. It's also critically important, to your point, Mr. Chairman, that these tools are there to help get free and independent news and information to citizens around the world. We actually work very closely with Radio Free Europe, Radio Farda, which works in Iran, and we know that our VPNs deliver 90% of their Farsi audience to Radio Farda.

So these tools are not only effective, they're being used to seek out and find the exact type of information that we want dissidents, that we want human rights defenders to find. However, as I said, the challenge right now is resources. When we're competing with China and Iran, who are spending billions of dollars on these technologies, it is hard, with only millions, to be able to meet the demand, the accelerating demand we see around the world.

Sen. Chris Van Hollen (D-MD):

So it sounds to me like your answer is we do have the technological wherewithal to break through some of these censorship walls, but it's a question of resources. Let me also ask you about the role of private internet service companies and others in these spaces. So for example, in China, US social media companies, they can't operate there to be consistent with the rules.

Of course, China has a wide open access to markets in the United States and elsewhere around the world, but there are, in many of these places, there are internet service providers and other private companies that are aiding and abetting authoritarian regimes. So maybe you could identify some of those examples and what we can do to raise the cost on those private sector companies that are essentially colluding with those foreign governments that are trying to oppress the people and deny them access to important information.

Laura Cunningham:

I think this is one of the most critical challenges that we face in China right now, in particular, is US private sector technology companies complicit with Chinese government censorship. An example that I think comes to mind for me is the Apple App Store. We know that, at the request of the Chinese government, Apple has removed independent news and information apps, like Radio Free Asia, for example, from the Apple App store in China, preventing Chinese citizens from accessing that information.

But they've gone further than that. They also remove, based on requests from the Chinese government, most internet freedom technologies. So if you are a Chinese citizen in China, you can't access the VPNs that I just described. You can't access the secure information and communication technologies that the US government is supporting, because Apple is actively removing them from the App Store. So finding ways to increase both the transparency and cost for those companies to remove US-funded internet freedom technologies, but also independent news and information, is critical in ensuring that Chinese citizens can continue to access this information.

Sen. Chris Van Hollen (D-MD):

I appreciate your raising that example, and we're looking at ways to address it. We need to also make sure that if, for example, another company comes in and just replaces Apple, that they don't get the benefit of that market share without being somehow penalized from their entry into other markets. So thank you for raising those issues. Senator Romney?

Sen. Mitt Romney (R-UT):

Thank you Mr. Chairman, and thank you to the individuals who've spoken with us this morning. I would imagine that if I were an authoritarian like Xi Jinping, I'd use these tools exactly the way he's doing them. I would use them to spy on people, to spy on the United States, to spy on my adversaries. I'd use them to censor the news, to make sure they only got what supported me and my continuation as the leader of China. So when I hear discussion of, "You know, we need to establish norms and let them know they're breaking norms," or an expression of, what was it, expression of concern by the United States Senate. If I was Xi Jinping, I'd laugh. It's like, "Who the heck cares about global norms or expressions of concern from the United States and the Senate?"

The only thing that will allow us to defeat the spread of authoritarianism and digital authoritarianism is by having the tools and capabilities to push back against it, and to exercising our own strength. Am I wrong in that assessment? I mean, it just strikes me, turn to you, Mr. Jaffer, it strikes me that the pathway for us is to lead in technology, to push back against the Huaweis, I mean, to eliminate the Huawei's from our systems and TikTok from our system, get them out, and then work to help replace them in other places. And to have the rest of the world recognize that this is a battle between freedom and authoritarianism, and they're going to do all these things, because our norms, they laugh at, and their norms, we find reprehensible, but that's where we are.

Am I wrong? And I applaud the work that you're doing to provide additional sources for information, but I look at what the Russians are doing, and the Chinese, but particularly the Russians, with all their bots overwhelming our systems. They're so far ahead of us in these things, that's one more that I take on, but Mr. Jaffer, help me on this. It strikes me that most of what we're talking about just doesn't make sense unless it's, "Hey, stay ahead of them, use our technology to identify them, and kick them out."

Jamil Jaffer:

No, Senator Romney, you're exactly right. The idea of sort of strongly-worded letters from the Senate, or from our diplomats, or the like, are not going to get this job done. What is going to get this job done is providing people who want freedom in those countries access to news and information the way that the Open Technology Fund is doing, and ensuring that we're investing here at home, that we're building the best and most awesome technology here at home. I mean, look, if you look around the world today, we are the leaders in AI, but that position is not guaranteed. In fact, if we adopt the approach that the Europeans have taken, which is regulate, regulate, and regulate, we're likely to lose that edge. So we need to avoid overregulation here. We need to incentivize investors here in the United States and innovators here in the United States.

There's a reason why the world wants to come here, to the United States. It's because we have the most productive system of the allocation of capital around the globe, and protecting and preserving that economic liberty is critical to the effort to fight authoritarianism around the globe. It's not just that we're going to have a free and open society. It's we've got to take advantage of it, double down on it, and that's why also ensuring that our investors are not investing in Russia, in China, in Iran and North Korea, all too many American investors take the benefit of investing in China and getting that advantage. But the truth is those investments are terrible. Those investments ultimately lose money, and in the long run, the right approach is to invest here, invest in our allies, and invest in trust, safety, and security. And so we believe that there actually is an investment thesis around investing in the US.

You know, Senator Ricketts, you're an innovator, you've worked in this space, you've helped develop start-ups. Senator Romney, you've done this at Bain for a decade. That is what it's about. It's about the allocation of capital. And until we recognize that all too many Europeans and the European system views us as the enemy, views our technology companies as the enemy, when in fact, we're actually the innovators who are creating this space and these opportunities, I think, at the end of the day, what we've got to do, to your point, Senator Romney, is double down on that and avoid the strongly-worded letters. And the last point I'll make is if we're worried about what's happening in the cyber domain, the best and most effective way to succeed in the cyber domain is to push back against what Russia, China, and Iran are doing. And until we respond to their activities here in our country and attacking us and our allies, they're not going to get the message.

Sen. Mitt Romney (R-UT):

Haven't got quite enough time to turn to the next question, but I got to try it, nonetheless. Please be brief, because I took a long time, and I guess I'll do ut in the second round. I'm looking, I've got 19 seconds, so that's not fair to you. Ms. Cunningham. We'll come back and address it in a moment. Thank you.

Jamil Jaffer:

I apologize. I think I used up too much your time, Senator, I apologize.

Sen. Mitt Romney (R-UT):

Very helpful.

Sen. Chris Van Hollen (D-MD):

To the newest member of our committee, Senator Helmy.

Sen. George Helmy (D-NJ):

Thank you, Chairman. I would start by thanking you and the ranking member in this committee for the work it's done and the legacy you both in this committee have. You've taken a global competitiveness and security issue, and from my experience in financial services, healthcare, and state government, the work that this committee does on the global level has had real impacts, as Mr. Jaffer mentioned, to the work that state governments do to better prepare for the global threat, and our critical institutions like healthcare, utilities and otherwise.

Mr. Jaffer, I'm going to pull on a string you left in your testimony there, if I may. And to the ranking member's question, it's clear that the US government has much ground to cover to compete with the PRC in technological innovation. You've mentioned the need for additional capital, which would include more robust funding for research and development to emerging technologies, cross-collaboration with the private tech sector, as a means of advancing our interest in national security in the cyber space. How do you envision the US cyber deterrence strategy, when the legal parameters and international norms do not address the current bad behavior of our adversaries, including the PRC and Russia?

Jamil Jaffer:

Thank you, Senator Helmy. Look, I think that, today, the level of activity we've seen on American systems is sufficient to enable us to push back if we wanted to. And that pushback can come in the form of cyber options, or it can also come in the form of other options, sanctions and the like. Today, America's intellectual properties has been stolen to the tune of billions of dollars a year, trillions total. And as a result, that damage alone to our economy and the threat it poses to our national security is enough to warrant more aggressive, active pushback in the cyber domain. I think the norms are there, we're choosing not to take advantage of them.

Sen. George Helmy (D-NJ):

Thank you. Mr. Kaye, in light of the upcoming election, the subcommittee's work obviously is going to pivot on the critical response to enduring the challenge of curtailing authoritarian regimes that seem to have no constraint on their digital oppression at home and their efforts abroad. What hopes do you have for future administrations to properly address the use of commercial spyware, particularly by authoritarian adversaries?

David Kaye:

Thank you for that question, Senator Helmy, and that also gives me an opportunity to respond in part to Senator Romney's point. So I'd want to make two points here. The first is that, although I share the concern very much about Chinese repression at home and its export of its repression abroad, I think it's important to see the moment that we're facing as a moment in which we have a very cheap availability of tools that are spreading well beyond the states that have that kind of power. And so there is a range of steps, actually, that the Congress has already been taking, actually at a normative and at an operational level, let's say, to deal with the threat of foreign commercial spyware. And I think that's actually important, and there's quite a bit to build on there.

The second point that I wanted to make is maybe to give a defense of norms for a moment, because I do think that, while there is a kind of battle in the trenches right now, that's a technology battle and is also a geopolitical battle, it is also a normative battle. And that normative battle is a vision of a free and open internet on the one side, the one that I think we all share, and a vision of one that is all about state control.

And it's not just a question of those norms being adopted by UN resolutions and so forth. It's a question of those norms being essentially embedded in our laws, and the Congress, and the State Department, and others pushing for those norms to be a part of our allies' laws, so that their own use of this technology and their own export of the technology is constrained by rules. So I see a connection between norms, which I agree in the abstract don't mean that much, but norms that are actually operationalized. I think there's quite a bit of room, and there's actually quite a bit to build on from both what Congress has done and what the Biden administration has done in recent years.

Sen. George Helmy (D-NJ):

Thank you, Mr. Kaye. That concludes my questions. Thank you, Chairman.

Sen. Chris Van Hollen (D-MD):

Thank you. Senator Ricketts?

Sen. Pete Ricketts (R-NE):

Thank you, Mr. Chairman. The use of cyber warfare, both in peacetime and armed conflict, has become a reality. Over the last 20 years, Russia has developed its capabilities, trained its hackers, advanced its capacity to undertake a wide range of cyber operations. Since Russia's illegal invasion of Ukraine, Russian hackers have breached Ukrainian telecom systems and executed multiple cyber attacks on the Ukrainian government. Despite these efforts, Ukraine has proven resilient. While the odds seem to favor Russia's dominance in cyberspace, they haven't prevailed against Ukraine, and Ukraine has largely maintained its presence online.

Banks remained operational, lights have remained on. Unlike the cyber attacks of 2015 and 2016 that caused blackouts. electricity and information continue to flow. While Russia possesses the means, and capabilities, and the intent to cripple Ukraine's cyberspace and critical infrastructure, the reality has been different. Their efforts have not been successful. So Mr. Jaffer, why hasn't Russia succeeded? Why haven't they been able to bring Ukraine to its knees from cyber attacks and turn off the power and so forth? What do you attribute Ukraine's success to?

Jamil Jaffer:

Well, I think a few things, Senator Ricketts. One, I think that we did do a lot of work ahead of time working with Ukraine to get it stronger, get it more defensible. A lot of the capabilities Ukrainians are deploying today are American technologies, built by American technology companies that have been hardened against these type of Russian attacks. So that's one, I think, answer to why Russia's been less successful than we would hope.

I think the second piece of it is, frankly, that the Russians have not embedded as deep as they might have in the Ukrainian networks and delivered the capabilities they could have delivered early on in this conflict. And so Ukraine was able to get their stuff out more rapidly than I think the Russians expected. It's true in the physical world, and it's been true in the cyber world as well. And I think there's a lesson for that for the United States. We rely so much on our technological networks that we can identify ahead of time if the individual, if the private sector, public sector are able to partner effectively, we too can defend ourselves against these types of threats in a more effective way than we are today.

Sen. Pete Ricketts (R-NE):

So do you think, I'm interested by what you said there about being embedded, is this something where Russia was not looking at Ukraine as much as maybe they're looking at the United States, or is there a lesson here for us with regard to what else we need to be doing with regard to rethinking our strategies, our cyber strategies, what's happening?

Jamil Jaffer:

Well, I think that we know how deep the Russians and the Chinese are in our networks. Just over the past year, we've heard a lot about how deep the Chinese have gotten, and the fact that they're deploying actual disruptive and destructive capabilities in American systems through this Volt Typhoon set of attacks. So we know that they're doing it. We know that they're getting in place. Now, whether the Russians deploy those kinds of capabilities, which we know they have, as deep in the Ukrainian networks or not, is unclear. They clearly didn't use them. We've seen the Russians use destructive attacks in the past. We know they have the ability to wipe out systems. So I think the answer here is twofold. One, when we identify these capabilities in our networks, we've got to get them out. We've got to deter them from putting them in the first place, which we're not doing effectively, because we're not really pushing back against Russian, Chinese, Iranian, North Korean attacks.

And then finally, I think what the Ukrainians did effectively, which we still need to do more of in this country, is to partner between the public and private sectors to ensure that their systems are more defensible. We want to do that here in the United States, we're just not very good at it. We've tried for a decade. We need to get better at that and fast.

Sen. Pete Ricketts (R-NE):

So we talked about what we can learn from this. What do you think our adversaries are learning from this based upon Russia and what they've done in Ukraine and what they've not actually been able to get done in Ukraine?

Jamil Jaffer:

Yeah, I think as we think about China and a potential Taiwan scenario, I think what they're looking at is, if you're going to go in, make sure you have the capabilities you need both on the ground and cyber-wise, and don't go in until you can finish that conflict in a week. We thought it would be over in a week when the Russians have invaded Ukraine. The Ukrainians were able to push back aggressively and hold the line and have held the line now for the better part of two years. So I think what our adversaries are learning is you got to get in, you got to get deep, you have to know your capabilities are there and then effectuate them. And I think that's why the Chinese are waiting, frankly, on Taiwan. They're not waiting because they're scared of us. We're not there. We can't get there in time to stop them. If we don't position stuff forward, we'll never win that fight and they know it. So they're not waiting for us. They're waiting because they're not ready to go in fully. And I think that's the lesson they're learning from Ukraine.

Sen. Pete Ricketts (R-NE):

But specifically on the cyber aspect of it, you think that what they're learning is they have to be deeper into the networks like Russia should have been deeper into Ukraine's networks before they launched this attack. And you think that that's what the PRC is learning about Taiwan, that maybe they don't feel like they're deep enough into Taiwan's networks before they could be successful in executing some of these cyber attacks?

Jamil Jaffer:

I think that's exactly it. Taiwan and our networks because they want to be able to push back against us so that if, in fact, we were to intervene on behalf of Taiwan, they could cripple us as well. They know that's their strategic advantage. That's what they're looking to do and that's why Volt Typhoon and the change in Chinese behavior that we've seen in the last six months is so critical to focus on.

Sen. Pete Ricketts (R-NE):

Great. So okay, I'm down to two seconds too, so I'm going to turn it back over to Chairman, but thank you very much, Mr. Jamil.

Sen. Chris Van Hollen (D-MD):

Thank you, Senator Ricketts. So in my initial questioning, I was focused on how we try to break through the censorship firewalls in places like China, places like Iran, Russia now. But if we look at the commercial spyware market, it's not necessarily those countries who are the most advanced in developing these technologies. So, Mr. Kaye, I would like to focus on that issue for a moment because groups like the University of Toronto Citizen Lab, Amnesty International and Access Now have documented the targeting of Russian and Belarusian-speaking civil society and media figures residing in exile in Europe, civil society figures in Jordan, journalists and human rights defenders in Mexico and El Salvador, and pro-democracy activists in Thailand just to note a few.

There is a report that just came out this month by the digital forensic research lab of the Atlantic Council entitled Mythical Beasts and Where to Find Them: Mapping the Global Spyware Market and its Threats to National Security and Human Rights. They identify companies in India and Italy and Israel as being some of the main sources of selling this spyware to regimes around the world. It also goes on to say that this is a very thriving market and there are a lot more actors joining this. I think the one that got early attention, of course, was when NSO technology was used by the Saudis to essentially track and monitor Khashoggi's fiance at the time, leading ultimately to his death.

The administration, the Biden administration, I give them credit, they've worked to try to raise the costs to these companies that are engaged in this commercial spyware, and selling it to these regimes, including by putting them on the entities list and other measures. You mentioned some of these in your opening statements. Could you elaborate a little more on your assessment of whether or not those penalties have been effective and then elaborate a little bit more on some of your suggestions on whether you think there are more things we should be doing right now to raise the costs on those companies.

David Kaye:

Mr. Chairman, thank you for that question. Let me answer in two ways. The first is on the raising the cost. I do think this isn't only the Biden administration, it's actually been on the basis of law that's been enacted by Congress in the last couple of years where you've had both the normative development against foreign commercial spyware and you've had the administration, through the Commerce Department and the Treasury Department's OFAC, imposing pretty strict restrictions, essentially sanctioning spyware companies from around the world. And the early evidence, and I stress that this is early evidence, but the early evidence is that these costs are actually having an impact on these companies. We see that in a number of areas. We see that in reporting. We see that in the change that some of the companies are undergoing. So I think there is a movement, although, again, it is early.

I think the next step is the United States cannot do this alone. This is a global problem. As the reporting by the Citizen Lab and Amnesty and Access Now have indicated, it's a global problem and it requires a global solution. Now, the Biden administration has pulled together a number of other states in order to push sort of the similar kinds of approaches that we have done at home. I think there's somewhat lagging behind. I think a bit of congressional pressure and support for those initiatives would be extremely valuable. I also think that it would be valuable for Congress to look at ensuring that those victims, particularly victims in a transnational repression context, those who are in the United States, because we have evidence of people in the United States being targeted by different forms of either mercenary spyware or other kinds of hacking, that those individuals can actually take action themselves, bring suits against states.

Now, those are barred often by the Foreign Sovereign Immunities Act, but there may be some room there, I think, for Congress to consider whether there might be a benefit to ensuring that some remedies are available. So I think there's a lot of room to increase those costs. There's a lot of global space to do that, and I think that, honestly, Congress and the Biden administration have been on the right track. There's a good trajectory there.

Sen. Chris Van Hollen (D-MD):

Thank you. Senator Romney.

Sen. Mitt Romney (R-UT):

You have each spoken about or, I think, almost everyone has spoken about a free and open internet, and I'm not sure entirely what that means. We would, obviously, believe that all of our information sources should be available, that Chinese and Russians and others would think all of their information should be available. There would also be massive disinformation. We're seeing that now. I wonder whether the day is coming when the American public stops looking at the internet for information because it's so overwhelmed with information coming from bots, made-up stories, made-up pictures. So when we talk about a free and open internet, I don't know precisely how you determine that. Are we going to, if you will, censor Russian bots? I guess, I think yes, but then it's no longer free and open.

How do you define a free and open internet? Because I'm sure Xi Jinping would say that's what we have. We've a free and open internet. All the information that people need to see, all the truth, as he wants people to see it, is there. And we disagree, we think what they have is false. So who determines and how do we assess what is a free and open internet and do we limit disinformation? And who decides if it's a disinformation? Obviously, it's something we're struggling with just here at home.

Mr. Kaye, you look like you have a comment on that.

David Kaye:

No. Thank you for that question, Senator Romney. It's a very good question and it's an important question that I think is actually quite complex. At the international level, we have basic rights to freedom of opinion and expression, and it is a robust right, actually. The international right is the right to seek, receive, and impart information and ideas of all kinds regardless of frontiers. So it's a right that it should enable us to access information. And when we think about subjects like disinformation and how you restrict that, once we start to go down that path, we actually start to give the authoritarians a kind of opening to censor, because their view of what's disinformation is not our view of what's disinformation. So there are a few things that I would sort of point to here that I think are valuable for us to think about.

First off, on the normative side, I hate to bring up norms, but the Human Rights Council, the UN General Assembly have very much pushed this idea that international human rights apply online as much as they do offline. And that is part of the normative shift that has happened within the international community. It is being pushed back against by China, by Russia, and by many others. I think we need to continue to push for the idea that individuals should have access to all kinds of information. I think we could also promote ideas that would essentially involve both the private sector and public actors in being involved in determining the security that's required for people to engage online. I think this is a big part of what OTF does.

Sen. Mitt Romney (R-UT):

I going to interrupt just because I have to go to another hearing and I wanted just follow-up a bit on this avenue of disinformation and open and free internet, what it means. Right now, an entity can publish an absolute lie and slander someone, libel someone, and there's no recourse for that individual because they don't know who did it. They don't know whether it's a bot or a person. And the internet company is free from liability as well, the social media company. And I don't know what the answer is to deal with this disinformation and slander and libel that occurs and wonder, should we insist that the social media companies determine that there is an individual or an entity that's actually posting something on the internet so that there is recourse if someone wants to bring an action against either a government or an institution or a person as opposed to right now when there is absolutely no awareness whatsoever of who's behind a post and who's responsible for it.

Ms. Cunningham, I'll turn to you. And Mr. Kaye and Mr. Jaffer, we haven't got much time, but any thoughts on that? All right.

Laura Cunningham:

More of a legal than …

Sen. Mitt Romney (R-UT):

All right. Kaye? Yeah, Mr. Kaye.

David Kaye:

Well, I would say that we ought to look to actually the European regulation, the Digital Services Act, which tries to address this problem in a way that we haven't. And their fundamental approach is transparency on the one hand, but also risk assessment, an actual requirement that the companies conduct the kind of risk assessment to prevent the kind of harms that you are describing and then requiring that there be some mechanisms of appeal for individual who face these kinds of harms. It is a very tricky and narrow path to walk, I think, between demanding transparency and recourse and promoting and protecting rights to free speech. I think that's exactly where you're suggesting there's a problem. And I think that we could learn something from what the European Union has done in this case and trying to address the problem.

Sen. Mitt Romney (R-UT):

We're in trouble if we got to learn from the Europeans. But maybe you're right. Mr. Jaffer, anything you want to say on that regard?

Jamil Jaffer:

No, I think that's exactly-

Sen. Mitt Romney (R-UT):

By the way, I agree. That was humor. I agree.

Jamil Jaffer:

Well, I actually do worry that when we look at the European regulatory approaches to the solution to America's problems on free speech. I actually think that that could actually have significant innovation challenges. I think at the end of the day, what we've got to figure out is how do we protect anonymous speech, which there's a long history of in this country-

Sen. Mitt Romney (R-UT):

Right.

Jamil Jaffer:

... while also addressing disinformation and misinformation, while also ensuring that we're providing capabilities to people who live in unfree societies to talk about the things they want to talk about and get the news from us. I have to say, I think the only solution to this challenging problem that you raise, Senator Romney, is recognize that there's not a more equivalence between what we do and what the Chinese do. When the Chinese or the Russians or the Iranians conduct surveillance, they do it in a one-party state with one control, no judges, no independent authorities. When we conduct surveillance, we've got to go to judges, we have to have review, Congress reviews it. There's a lot of oversight and, ultimately, a judge weighs in.

And so at the end of the day, I think that's the difference. It's not the same when we talk about their disinformation versus ours or our legitimate information versus theirs. There's a fundamental distinction. And when we all embrace that fundamental distinction, I think at the end of the day, it's fine to put in place rules that require disclosure of names, addresses if somebody who's violating American or, in the right case, European law. And it's okay to say no, China, Russia, you can't get that same thing because you're an authoritarian society. It's just a different system. And it's okay to say when they do it, it's different, and when we do it, it's okay.

Sen. Chris Van Hollen (D-MD):

Thank you, Senator Romney. Senator Ricketts.

Sen. Pete Ricketts (R-NE):

Thank you, Mr. Chairman. All right, Mr. Jaffer, I want to pick up our conversation. One of the things you said in our first round of questioning was we need to push back harder against Russia, China, Iran. Talk to me, what are some of the specific steps you think that we need to do to push back harder on these bad actors?

Jamil Jaffer:

Well, look, Senator Ricketts, we-

Sen. Pete Ricketts (R-NE):

Specifically talking about cyberspace…

Jamil Jaffer:

Yeah, fair enough. So the same theory, actually, applies to the real world as well. For all too long in the cyber domain, we've accepted that China steals billions of dollars a year, trillions of dollars in total of American intellectual property. We've accepted that the Iranians and North Koreans both conducted destructive attacks in the United States back in 2015, Las Vegas Sands and the Sony Corporation. We've accepted that and we haven't pushed back. We haven't hit their systems. We haven't taken other actions in the real world. You don't have to respond in cyber with a cyber activity, you can respond in the real world with cyber attack, but we haven't responded. We've taken it on the chin over and over again. And what that does is it creates more risk. It incentivizes bad actors to try and test where our boundaries are.

Now, it's clear that some of them know where some of our boundaries are. We haven't seen a major takedown of our energy grid or our banking system, even though we know some of the most capable actors, China, Russia have that capability. Although, it got close with Colonial pipeline, with Russian-supported ransomware actors. So we know there are some bounds that they recognize. The problem is that if we don't hit them back and we don't do it in a way that's public, then we can't effectively then deter our adversaries or their friends from coming back against us and we've just taken our weapons off the table. We don't talk about the red lines and we don't enforce them.

Sen. Pete Ricketts (R-NE):

So when you're talking about hitting them back, are you talking about we should conduct cyber attacks against them? And I think one of the reasons we don't do that is so we preserve our capabilities so they don't know what we can hit them with. But are you also talking about sanctions? I mean, what are the specific things? You say, hit them back? How do we hit them back?

Jamil Jaffer:

I think all of the above, but let's talk about cyber capabilities because I think that's a really good point. And you're exactly right. Too often we say we don't use cyber capabilities because we don't want them to know what weapons we have, but the same is true in the real world. There are a lot of weapons we keep secret, we keep classified, but there's a lot of weapons we talk about that we have and we use. If we're going to effectively deter, you got to talk about where your red lines are. You got to talk about what you're going to do if those red lines are crossed. You've got talk about the capabilities you have to enforce those red lines. And then, last piece, when those red lines are crossed, you got to enforce them. We don't do any of that. We don't talk about capabilities. We don't talk about red lines. We don't enforce them. And so it's no surprise that our adversaries are testing our boundaries. They don't know where they are, and they don't know what we're going to do. And then when it happens, we don't do anything.

Sen. Pete Ricketts (R-NE):

All right. I want to go back to this other thing too, because we talked about Ukraine and Russia attacking them and not being successful, and you said it was with American technology, American companies helping out. So why do you believe that our systems are so much more vulnerable than Ukraine from a Chinese attack or a Russian attack if they wanted to do that?

Jamil Jaffer:

I think a couple of reasons. One, we're innovating rapidly here in the United States. So as we deploy new capabilities, they're not necessarily built with trust, safety, and security in mind at all times. That's a key thing. We've got to incentivize that kind of behavior, and that comes both from investment, but also from light touch regulation. The government can use the way that it spends its money to get companies that sell to the government to build more trust, safety, and security in their systems. And then finally, I think that in the United States, it's harder for the public and private sectors to partner. There's a lot more challenges to it. The private industry is afraid of regulation. They're afraid of lawsuits. The government itself is afraid of giving classified information to the private sector and giving it at scale to the private sector. We've talked about it for decades. We haven't done it effectively. Those problems are a lot less true in other countries, including Ukraine, where the public and private sectors work a lot more closely together.

Sen. Pete Ricketts (R-NE):

And again, I'm kind of running out of time here, but can you just talk about what are some of the most critical steps that the US needs to do? And I'm looking for specific things we can do to be able to enhance our cyber capabilities to successfully be able to deter the PRC.

Jamil Jaffer:

Well, I think, one, we've got to spend a lot more on those cyber capabilities. We are underfunding our Defense Department across the board, including in the cyber domain. We've got to give them the best cutting-edge capabilities. We've got to get them to lean forward. They also, for their part, have to be willing to buy and build with the private sector effectively. All too often, the government says, we're going to build it ourselves internally, or we're going to buy from the five defense contractors we'll always buy from. We've got to break that mold when it comes to emerging technology. We're not going to be able to do this without cutting-edge startups. And as an investor who starts today, I can tell you it is very hard for a startup. And you know this, having done this in Nebraska. It's very hard for startups to sell to the government. It's a no-win. They want to do it, they can't do it.

And at the end of the day, I think that if we continue to overregulate, if we take the European Model Digital Services Act, Digital Markets Act, GDPR, which a lot of people think we're behind the Europeans, we're actually ahead of the Europeans. If we adopt European regulations, all that will do is harm the ability of the US to innovate and take our best players off the field. That is a terrible idea. The reason why Europeans don't have great innovation, they overregulate it right at the jump. We should not make that mistake, particularly not in the AI domain.

Sen. Pete Ricketts (R-NE):

Okay. Thank you very much, Mr. Jaffer.

Jamil Jaffer:

Thank you, Senator.

Sen. Pete Ricketts (R-NE):

Mr. Chairman.

Sen. Chris Van Hollen (D-MD):

Thank you, Senator Ricketts. So I just want to follow up on some of these particular issues. First of all, thank you, Mr. Jaffer, for mentioning the issue of protecting American IP. Years ago, I passed a bill, authored a bill called Protecting American Intellectual Property Act, along with former Senator Sasse, which is trying to get away from the fact that company's only recourse sometimes is to go to court in the United States against foreign actors, where even if you get a good decision, it's hard to actually enforce. The idea is to give the US government more tools where you have a pattern of theft of intellectual property, of strategic value that we can go after and sanction them. We need to use that tool more effectively.

I do just want to say with respect to international norms, I agree with you Mr. Kaye, they're important. I don't think anyone's under an illusion that we're going to convert China to our way of thinking or Iran, but what we can do is try to both raise the costs and increase the benefits to countries in the rest of the world to follow the norms of an open internet or not engaged in selling of commercial spyware or whatever it may be. And that has value. If we're talking about digital authoritarianism and our efforts to combat it, we've got to create these rules of the road, try our best to do that, and then work very hard to try to enforce them through both carrots and sticks around the world. So I think that's what we're really focused on here.

Before I leave the issue of commercial spyware, I do want to ask you about that because I think you referred to it, but the Biden administration through a White House statement, did try to get a bunch of countries, and I think they got 17 countries to sign on to a resolution, a document about adherence to rules about not allowing companies in their countries or discouraging companies from exporting commercial spyware to authoritarian states. Am I right about that?

David Kaye:

Yes. I think actually as of two days ago, there are 21 states that are part of this, including the United States. And the objective is not only to promote stricter export control so that spyware isn't allowed to proliferate the way it has, but also to ensure that there's conditions on relationships and on the sale of technology to states that are committed, and not just committed in a sort of paper-thin sort of way, but in an implementable sort of way that they're committed to observing human rights and the use of the technology. So that effort, I think, is part of what I was suggesting before, is that the United States can do a lot on its own, but most of this really does have to be multi-lateralized in this particular field.

Sen. Chris Van Hollen (D-MD):

Well, I don't know which additional countries just signed on, but I do know that the three I countries, as they say, India, Italy, and Israel, that were identified in this Atlantic Council report, were not part of the original 17. Are they part of the 21?

David Kaye:

I don't believe that any of those three are. I'd have to check the list. But you're right, when you look at the list, it's actually a very interesting list. And maybe one I could just identify to give a good example of both the threat and the response to it. So Poland has joined this effort, and of course, there's been a change of government in Poland. The previous government engaged in pretty massive spying on journalists and opposition figures within Poland. And the new government, the newly elected government from last year, has begun to sort of peel back what actually was taking place. And they found that there were literally hundreds of individuals who were targeted with Pegasus spyware, and they have taken the decision that there needs to be accountability for that use. In a sense, their modeling something that the United States is encouraging, and in a way they're modeling it to other states. They're not modeling it just to us because, as Jamil said, we have the rule of law in the United States and we need others to demonstrate that they have it too. So I think there's, it is really not just a question of having states sign up to this statement on its own, but it's having them sign up and do the things like Poland is doing to actually demonstrate that they mean business and they mean accountability.

Sen. Chris Van Hollen (D-MD):

And what would you suggest the United States do for countries that choose not to participate in this? We talked about some of the things we can do with respect to companies, right? By putting them on the entities list, or visa sanctions on individuals who work for companies. But how about at the country-to-country level?

David Kaye:

Yeah, I mean on the export side, I mean I think there's quite a bit that the United States can do to encourage compliance. It's difficult. It's difficult in part because as you noted earlier, the spyware industry is a massive industry that is incredibly remunerative and economically beneficial to the countries where they're headquartered. So we're sort of fighting against that. But I do think there are kinds of conditions that the United States can impose. I don't mean conditions on our entire relationships with countries, but conditions on certain kinds of support and cooperation that are related to the end user. In other words, the client country's use of technology should be based on fundamental human rights norms. And we can do some conditioning in terms of what we share, what our relationship looks like in order to move them. We have that power to move them in a positive direction. I think some of that, if it's embedded in law as well, could be also extremely valuable.

Sen. Chris Van Hollen (D-MD):

Thank you for that.

I want to turn briefly to the tools for mass surveillance, which we see in use in China. And China, of course, also making available for export to other countries that want to adopt a lot of these tools.

Now obviously facial recognition has some beneficial uses that can be used with proper guardrails and rules with respect to law enforcement, but the line gets very murky, as you all know. My colleague, Senator Merkley has been very focused on this. Now, when you go through TSA know have a picture taken, although you can opt out, but we are trying at least to, whether we can have a debate over what rules should apply. But obviously that debate's not happening in places like China or elsewhere where these technologies are being applied.

The Bureau of Industry and Security at the US Department of Commerce recently published a proposed rulemaking that creates a control for facial recognition. Could you talk about how this technology is developing very rapidly and what your thoughts are on what kind of guardrails we can put around those? And again, try to create global norms and, after Mr. Kaye, if any of you others want to answer that question, please feel free to jump in.

David Kaye:

Sure. Thank you, Mr. Chairman, for that question. I mean, I'll answer briefly.

I mean, first, I would say that we need to be thinking about what kind of society we want to live in and what we want to construct. And we, I think just have to recognize that some of these technologies are already in vast nefarious, authoritarian use in places like China. And we see that, for example, with respect to the Uyghur population in the west of China. The surveillance state that you have there is clearly not the kind of state that we, as Americans, deserve to live in.

And so I think that perhaps as a first order of business, we need privacy protection. We need nationally enforceable privacy law in the United States. We also need continuing strong commitment to fundamental digital security tools, in my view, including encryption technologies. I mean, these are the kinds of technologies that can protect us. But also I don't think that we want to put all of the onus for protection on the individual herself. I mean, the protections need to be legal protections. So my view is when we're talking about things like facial recognition, affect recognition, all of these tools that essentially interfere with our ability to be anonymous when we're out in the world, I think we need to be thinking about legal protections like a national privacy law.

Sen. Chris Van Hollen (D-MD):

Appreciate. Do either of the other two of you want to comment on that question?

Jamil Jaffer:

Senator Van Hollen, look, I think privacy laws are interesting, but GDPR in Europe hasn't stopped mass surveillance. Right? Encryption technology is important, hasn't stopped mass surveillance in the United States or anywhere in the globe. So I think the real way to do this is, the reason why these things are so lucrative is because people will buy them. And the reason why they can build them is because people will invest in them. If we can starve them of capital, right, that is one way to solve this problem.

Now, not all surveillance tools are built alike, right? There are surveillance tools that are used by democratic societies that are appropriate use under the rule of law, right? Our group of investors, our trusted capital group investors, 19 investors around the globe, including in Poland, has come together and committed to not selling or building technologies that will be used by our adversaries. We've committed to only building technology capabilities that are used by America and its allies.

Now, of course, right, that's because we believe in free and open societies. It is okay for the United States government and other governments that have the rule of law to use surveillance technologies in appropriate ways. So there's no upside to saying we're not going to invest in those. But we're not going to invest in capabilities, nor invest in companies that sell to these adversary nations. And so if you have investors making those kinds of commitments and saying, "We're going to bake trust, safety and security into our tools, we're going to follow the NIST framework, we're going to follow these AI frameworks and alike, and we're not going to invest in adversary technology," that's the way to starve some of these companies who build these technologies of capital.

Now, other capital providers will of course step in. China, Russia, Iran, sovereign wealth funds may step in, but then the government can take action against those. So there's an appropriate space for the government to act. There's an appropriate space for private capital to act. And the question then just becomes, can we convince other private capital actors to get in this and to ultimately build and buy technology that's actually protected, secure and capable?

Sen. Chris Van Hollen (D-MD):

Thank you.

I'd like to have you, starting with you, I think, Mr. Kaye, on this legal question, but again, if there are other witnesses want to answer it, please feel free to do so.

Last month, the UN ad hoc committee on cybercrime adopted the UN Convention Against Cybercrime, setting up a critical role, excuse me, a critical vote in the UN General Assembly, I believe later this year. I think we can all recognize that there would be benefits of having a common understanding across nations for what is considered a cybercrime. But critics of the draft text have raised concerns about this treaty that it would put at risk privacy and data and the safety of dissidents journalists and activists around the world.

I believe that it was Russia that first put forward this draft. I believe the United States and others have pushed back against certain provisions and changes have been made. But the question is whether the changes that have been made are adequate to address the concerns about privacy and continuing to expose dissidents around the world to unfair use of the terms of the draft treaty.

So first of all, as the Biden administration considers its ultimate position on the treaty, could you clarify for the committee what issues the current draft presents as it relates to potentially being used or, and abused by autocratic countries to legitimize digital repression?

David Kaye:

Thank you, Mr. Chairman, for that question. So you're absolutely correct. This was a Russian initiative originally to put forward a global cybercrime convention. Of course, there already is a cybercrime convention, the Budapest Convention on Cybercrime. And at a strategic level, I would say that because the Budapest Convention, which admittedly has some of its own sets of problems, has stronger protections for human rights, also for states that want to resist abusive uses of cross-border legal procedures that we should be encouraging states to join the Budapest Convention not to join this new UN Cybercrime Convention. And I think kind of the proof of the problems to a certain extent in the cybercrime convention is the array of industry, of companies, of civil society that have expressed really grave concerns and actually have expressed grave concerns about this convention as it was being negotiated for the past several years.

I would just give one little example, and the example is the convention defines something known as "serious crimes" according to how severe the penalty would be for that. But if a matter is identified as a serious crime, it provides a state with the ability to request data, including personal data, subscriber data, and others, across borders. And I think that is something that puts in the hands of authoritarians, including governments like Russia, the ability to seek information and to weaponize their law in a transnational sense that is just deeply, deeply problematic. And certainly it's problematic at this particular moment when, as the subject of this hearing indicates, there's a very serious rise of authoritarianism in cyberspace.

So my view is that at the very least the United States should abstain when this comes to a vote, but more generally, strategically, we should be encouraging states to join the Budapest Convention.

Sen. Chris Van Hollen (D-MD):

Thank you. Do either of the other witnesses want to comment on this? Ms. Cunningham?

Laura Cunningham:

I think to Ranking Member Romney's point about kind of norms versus technology, this goes back to that for me in that I think it's critical that we are investing in both of these areas. Certainly it's the case that we are not going to get China and Iran and Russia to start implementing a democratic internet. But my bigger concern from a technical perspective is that they are actively promoting their norms around the world. The Cyber Crime Convention is a great example of that, but we see it from a technical perspective as well. China Iran and Russia are engaging in technical standard-setting bodies as well to try and fundamentally even redefine what the internet looks like from the inside out, trying to undermine interoperability, trying to undermine security. It becomes even more critical that we're thinking about norms from a legal and policy perspective, but also a technical perspective when we know these other governments are investing time, money, energy, in terms of trying to redefine what the internet looks like itself.

Sen. Chris Van Hollen (D-MD):

Thank you.

Jamil Jaffer:

Yeah. Senator Van Hollen, I agree completely with what Mr. Kaye and Ms. Cunningham have said on this topic. I think the idea that the US spent the better part of three, four years actually creating a separate process to develop this treaty, have an existing convention that we're part of, and then now has sort of changed position is odd. And I'm hopeful that when it comes to the General Assembly here in the next few days, or next few weeks, that there'll be a different outcome.

And I think Ms. Cunningham's point's an excellent one, which is the role that these unfree countries, China in particular, but Russia, Iran, North Korea as well, are playing in some of these bodies, whether it's the UN Human Rights Council, or ITC, or the like, there are a lot of organizations that are setting standards and rules in key areas of technology where they're able to get the jump on us and then embed the kind of tools, the kind of rules that would then empower Chinese technology to get in. I think that's very problematic. That's why it's so critical that the US government's already on this issue. They're putting a lot more of our people in these spots, but it's also important to bring American industry in as well. American industry's so critical to these standard-setting bodies that it's got to be a partnership between the government and industry. Simply putting more government people in these seats is part of the answer, but it's not the only answer.

Sen. Chris Van Hollen (D-MD):

Thank you. So it's your view that if the United States had to vote today on this treaty, up or down, that you would at least abstain? Am I understanding your answer correctly?

Jamil Jaffer:

I'd vote against it.

Sen. Chris Van Hollen (D-MD):

Yeah. So we're coming toward the end of the hearing, but I do want to just give each of you a chance to cover any issues that you think that we've overlooked, both in terms of the issue itself, but most importantly recommendations that you can make to us as a Congress. Obviously, the administration can use the tools available through executive action. Mr. Kaye, you've already identified some additional legal changes that we might consider here, but I just want to give you all that opportunity.

I do also, if you could, this issue of standard-setting bodies, international bodies, is really important because it's part of the conversation about the normative battle. I mean, it's not disconnected from that. It's directly connected to that because that's actually where the rules get put into place that govern the international use of these technologies. So maybe as you answer this question, you could also just point out where you think at this particular moment, we need to be doing more with respect to those international standard-setting bodies. As you said, Mr. Jaffer, the administration has increased its focus on this, trying to deploy more people there, but this is an ongoing battleground.

So this is just an invitation really to make whatever sort of closing remarks you want to make. Ms. Cunningham, and then we'll just go down the line.

Laura Cunningham:

Great. I will start by saying I think we've debated a lot about technology and norms today, and I think it's critical we do both. I think to try and choose one of the two would ultimately mean that we fail in this endeavor.

I think when it comes to staunch authoritarians like China, Iran and Russia, we need to find ways to raise the cost by investing in novel technologies that can help protect the human rights and also provide anti-censorship and security capabilities to citizens domestically so that they can push back on authoritarianism where it's starting.

I think we also really do need to focus on the norms because the reality is that Russia and China are exporting these technologies, and not just the technologies, the training and the beliefs that come with them, to over a hundred countries around the world. And even if norms might not win the day in China and Iran, there are many countries across the Belt and Road, in Africa and Latin America that we still have a significant potential to influence. And I think if we are to lose focus on them, we'll lose the larger battle here in terms of defining what a Democratic internet could really look like.

I think to your question about standard-setting bodies, one of my concerns with this issue is that it is often seen very narrowly in kind of a human rights perspective when frankly it has huge implications, as we've talked about today, for national security, for our democratic principles. And so when we think about where we need to engage on this issue in standard-setting bodies, the first thing that I would encourage us to do is look across the board at all the places where cyberspace is being raised and make sure that we are engaging on this issue, not just from a human rights perspective, which is critical, but from all of our national security and foreign policy interests. One place that we engage particularly that I think could use more focus is the IETF. But there are a number of different places where China and Russia are raising these issues, and we are underrepresented.

Sen. Chris Van Hollen (D-MD):

Thank you. Mr. Kaye?

David Kaye:

Thank you, Mr. Chairman. I actually share everything that Laura just said and would only add a couple of additional points.

The first is, on her point that I think we've been all talking about, we're talking about a situation where human rights and national security actually align. In other words, our interests in a robust human rights approach to new technologies, to intrusive technologies, is very much also a question of US national security. And we can point to example after example, I think as we've all indicated, of where there's an alignment there. That the human rights abuse is also a national security threat. And so I think if we think in those terms, I think there's a way to think about how we engage in different international forums and why we do and what we invest in.

So to give just one example of a forum that I think is extremely under-resourced, also occasionally under serious criticism is the UN Human Rights Council, where the battles there are sometimes normative, but sometimes they also lead to change in law at domestic levels. And I think that's a space where the United States, as it has actually over the last few years, has increased its voice there could continue to do so. Also in the ITU, there's room to do that kind of work, where the head of the ITU is somebody who's well-known in Washington.

I think there's a lot of room to do that kind of work in those settings, including the other standard-setting bodies that were mentioned before. But I think that's the place that I would tend to focus on. I think that as we've discussed, all of those come together as a question of both national security and fundamental human rights.

Sen. Chris Van Hollen (D-MD):

Thank you. Mr. Jaffer?

Jamil Jaffer:

Thanks, Senator Van Hollen. The only thing I wanted to mention was we spent a lot of time today talking about a lot of the challenges that technology can pose to free and open societies, to Americans here at home, to repress peoples abroad. I want to focus on the fact that technology has actually benefited the globe tremendously. American technology has benefited free and open societies around the world. It's raised standards of living around the globe. It's provided opportunities for people in free and unfree societies to have access to information in ways that have been transformative. I feel the same way about AI. AI has its challenges, to be sure. It can empower authoritarians and alike, but writ large, I think artificial intelligence and the broad adoption of it will actually be a tide that raises all boats, that creates opportunities, creates new jobs, creates innovation, and creates economic benefits, not just here in the United States and in our allied countries, but around the globe.

And so I'm actually very heartened by the transformative power technology and the transformative power of systems like ours that allocate capital towards innovative capabilities and that drive us towards freedom and democracy. And so while we have our challenges in this country, and there are plenty, and our system is not perfect, it is the best the world has ever seen. And it's one both in the form of allocation of capital, economic liberty, but also in freedom of speech, freedom of thought and alike. And it's an idea that we've got to once again embrace.

All too often we focus in on the threats of the challenges we face, and there are tremendous ones, both in this country and abroad. But we also have to embrace the fact, I think as Americans and as folks in societies that are free and open, that we have responsibility to give that capability and that opportunity to others around the world. That's why the work that OTF is doing is so critically important. That's why setting these norms is important. But it's about once you set the norms, enforce them and living by them, which all too often we talk about them and they become aspirational and don't become practical.

And at the end of the day, I think that the opportunity that you've given us to talk about these issues, the work that you and the ranking member are doing on these issues to highlight them here in the Senate and that folks in the House are doing as well, is so critical. And thank you for the opportunity to be here. And thank you for your attention to these important matters.

Sen. Chris Van Hollen (D-MD):

Well, thank you all. And you're absolutely right. I mean, these new technologies have huge potential benefits. I mean, technologies are not in and of themselves good or bad. They can be put to good purposes, they can be put to bad purposes. And I think one of the things we want to do in this hearing, as you've all expressed, is maximize the good and the benefits and minimize the harm. It's not easily done. It requires, I think, thoughtful conversation. So thank all of you for being part of it. It's been a very engaging discussion. Thank you.

And with that, the record will be open until close of business of Wednesday, September 25th. And again, thanking all of our witnesses. The hearing's adjourned.

Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a new nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President, Business Development & ...

Topics