Good afternoon everybody. I would like to begin by thanking my friend the Ranking Member for helping plan and hold this hearing today and i would like to thin thank the expert witnesses on the first panels. In the interest of time we are going to dispense with Opening Statements first of all thank you for this hearing. From the department of justice fbi Homeland Security as well as a separate panel of experts to speak about the Data Security threats in the nation. The title of this hearing in my view doesnt quite capture the nature and scope of the threats. Threat. The problem is bigger than beijing and broader than anyone in the industry. The nation faces an onslaught of cybercrime to b baby internet ce can be a co Complaint Center received 170,000 complaints leading to over 3. 5 billion in losses a 20 increase since just 2018. These threats come not just from criminals but from nation states russia, china, iran and north korea particularly have sanctioned Cyber Attacks against the enterprises. A lot more than our personal data is at risk. That doctors caby doctors can pe hospitals and government with rand somewhere attacks and disable thousands of computers to the denial of service attacks and gain Remote Access to the Water Treatment plants. International criminal syndicates make the business of this often seemingly with license from the nationstates. The federal government must lead the way in deterring the cyber threats. Todays hearing gives the opportunity to look at what we know facing the country and considering what more we should be doing. Here are a few places we could start. By long advocating the fbi to investigate aggressively prosecute cyber criminals and im pleased to see the indictment of the statesponsored hackers. We need to make sure the agencies have the Technical Expertise and resources and Legal Authority to pursue these cases. We need to build our defense capacities in the framework laying out voluntary best practices and industry standards for the energy to operate and maintain vertical infrastructure with a groundbreaking idea in 2014. But we still dont know if it is working. It ought to be stress tested and updated. We can only defend ourselves against threats we know are out there. The president should designate a cybersecurity disclose any power to declassify the government information and share with state and local governments and the general public. Ive been happy to see the dhs living to share more information about the recent Cyber Attacks faster. Finally they need not act alone and International Coalitions of the willing to agree to Common International norms against cyber crimes and intellectual property theft and hold accountable those that transgress. We cannot let the benefactors frustrate efforts to reach the consensus with our allies about the state behavior in cyberspace any more than we would allow the burglars to advise us on defending our Home Security measures. I look forward to discussing these issues and i think the chairman for calling the hearing. Deputy assistant directothe r of the fbi where he oversees Cyber Division operations and the National CyberInvestigative Joint Task force. In the leadership position in the criminal investigative position, Human Resource division in many different fbi offices. Thank you for being with us. Assistant director for cybersecurity at the cybersecurity and Infrastructure Security Agency where he needs to Department Policy development in support of department with efforts to National Risk and he focuses on Critical Infrastructure federal network security, counter cyber crime and improving the security and resilience of the global cyber ecosystem. And the Deputy Assistant attorney general at the National Security division of the department of justice where he oversees the counterintelligence export control section and for an investment review section. One of the things he supervises across the foregoing statesponsored computer attacks as well as enforcement of Foreign Investment security reviews thank you for being with us and now i will swear in all of the members please stand and raise your right hand. Do you affirm the testimony youre about to give us the truth and nothing but the truth so help you god. Very good. Lets begin the questions and enter your statement at the record let me say as we begin that we face a major Security Threat from china this includes the economic security, the military security and cybersecurity in our own personal Data Security. We now know the chinese officials were behind the breach from three years ago that exposed the personal Financial Information of 148 million requires businesses that operate in the country to share data with the government and we know the Chinese Companies are actively trying to scoop up the personal data of american citizens in on tha and on that s talk for a second adult tiktok the most downloaded app more than any other in the country. More teenagers are on now than use facebook. Millions and millions as users but its owned by a Chinese Company that includes Chinese CommunistParty Members in leadership and its required to share the user data with beijing and it has admitted that it sent user data to china to put it blunt this is a major Security Risk for the American People and what kind of data is tiktok collecting, image is of course that the users post but also collects information about the messages that you send about the apps that you use. It collects the sites that you visit and your Search History and your keystrokes and location data. It stores all of this and maybe lots more. I can tell you is the father of two small children i find this absolutely horrifying and we know it is a National Security risk. Since the last hearing on the subject, the pentagon, the department of state, the department of Homeland Security and the tsa all band of air Service Members from using tiktok on government devices. The pentagon went so far as to say and he is should have their children to uninstal on installm their personal devices. Thats pretty extraordinary but its only prudent and thats why today im announcing i will introduce legislation to ban the use of tiktok by all federal employees on all federal government devices. This is a necessary step to protect the security of the United States and the Data Security of every american to so let me ask the panel why are all these Government Agencies banning the use of tiktok, what are the threats that company and others like it goes. Mr. Wallis, we will start with you and then go down the line to anyone that wants to contribute. Go ahead, sir. Absolutely. I couldnt agree more with your points on the holistic approach to how they are getting their data. Its one example of the application to the average citizen doesnt understand the implications of what is behind it and what can flow is basically controlled. I think that is a bigger threat in the Holistic Society approach to the United States not just tiktok but the Data Warehouse whether they are here in the United States or the borders themselves with the overall objective into the holistic database that can be utilized for many purposes. Why is the Chinese Government so interested in all of this data, why were they interested in tiktok . It produces vulnerabilities from u. S. Citizen, companies, proprietary information from the corporations operating by domestically and overseas that creates a massive vulnerability that can be data mined to give a competitive advantage. Do you want to add anything to this . The kind of information that are described presents a lot of risks and advantages to the adversary. We trade that for convenience and i wish we were all aware of what they were giving up when we did that. There is certainly no place for applications like tiktok. Why do you say that, what is the particular threat on the government devices and Service Members . Theres way theres ways we can find alternatives alternatives beyond that, china has amazing programs in the collection of data and developing artificial against the data for the purposes we do not fully know that its our face and voice and location as things are tied very closely that should give us great concern. It makes it easier to target people in for an Intelligence Service to recruit or hack into the systems used by government employeesentities, ceo and other highvalue targets and you cant just protect the important data so when we look at the acquisition we are looking at what is collected by the company and what is made available to the inquirer and adopted by the committee is precisely this data they are concerned with because it enables and it might make china a better artificial and was shown intelligence. I would like to come back to the point about before you might need. Senator white house. Thank you all for being here. There i was a time not long agoe were elected to prosecute International Hackers for fear of diplomatic and business blowback after considerable delay. In order to more effectively prosecute these cases are you able to work around the delays in the process is there something the committee can do to be useful to focus the efforts more effectively for you let me start with that question and then go to the second. I very much appreciate the question. Ive been identified in a number of legislative priority is they want to prioritize three of them. First is a nationwide requirement. It would have a number of advantages including standardized reporting standards for companies and the like. But i would urge to include the notification to all enforcement as part of that because we cannot respond to what we cannot see. And there are significant disincentives to reporting to Law Enforcement. We think about the data breach standards and the notification. Its not the only type of data that we ought to be concerned with. We ought to be thinking about the threats to the infrastructure information and the like and doj is working on a proposal for the legislation now. But a whole variety of potential threats that come when americans and other countries take an application that may come with a payload of some kind that we dont want them to have. It has always struck me because in the Previous Administration there was effort to negotiate cybersecurity standards. And the relative persistent efforts to include russia and china and those negotiations thats like letting the burglars negotiate what your alarm system would look like and between other countries that are not actors in this space it would seem there is Critical Mass out there to develop some standards so that the down side of apps and even others like tik tok there is much broader curtain of defense around a coalition im wondering with the current status is of Homeland Security with that coalition of the willing with that strategy of loading up the apps with the payload. There is a lot to that. Measure the standards are the flexible mechanism to do that. They play a role. We do work very closely with our allies and may be why we should be doing is the eit supply chain we have 20 Largest Telecommunication Companies in the us 20 largest it services and to Work Together to share information on our supply chain risks and more broadly to be software the things we are buying and Government Networks that body has been effective to communicate on risks any one of those industries are seeing those practices together that supports the National Center to give us the mechanisms that we need from governor on government network. I will interrupt because my time is running out. I would like to encourage you to do that in the same way you cannot buy a packet of cigarettes because its dangerous without reading the Surgeon Generals warning on the side the same way you cannot buy a mattress without that consumer tag attached to it. There is a way that the wellintentioned of the world colon surveilled these various apps particularly those that become rapidly popular to put a warning label and then make the public know. I would encourage us to pursue that effort i know that requires the department of state as well and fbi but it seems to me there is a coalition willing to be assembled. Things liked tik tok to give us the hazardous product you dont have to have big standards to know the 100 worst ones after that so we did the garden a little bit so at the moment in my view it is an International Strategy to get them out. Thank you. Thank you mr. Chair i appreciate the conversation we are having this afternoon it is very fascinating so thank you for doing this. All of this state we talk about fees into to try to one china more than being stored in china they are using it to build up to that the United States has privacy law and china doesnt china is collecting their own data and encroaching on our right to privacy. So the entire panel how do we prevent us companies from unknowingly or voluntarily contributing to chinas rise with ai . We have fairly specific authorities so we do think about where data goes with Foreign Investment generally we take the laissezfaire approach that has worked out very well for us. I dont assume all Data Collected by American Companies is going to china but generally there isnt much regulation just please store it someplace safe so our recommendation is the Budapest Convention that senator white house has a good list of countries that adhere to basic norms of cyberspace and as opposed to the authoritarian. Im not the only one. And how Many Companies store data and china . Of american citizens . I dont know that. Look at the terms of service. Moving beyond we are saving unprecedented level of Foreign Investment from china i think many countries are experiencing this around the world but to stifle chinese intent there are some unknowns within implementing reforms with the vetting process so if they did not include Venture Capital investment chinese Investors Associated with the military could have shortcuts and fly under the radar and for those with sensitive and Critical Technology for the entire panel harry working with the Treasury Department to identify those bad actors . Fortunately the 2018 legislation broadened the jurisdiction so we can Reach Investments that are nonpassive and controlling giving us access to personal data in and the regulations we lay that out so just by doing that we identify for lawmakers and policymakers what categories we should be most concerned with and that gives the regime even these noncontrolling investments for personal privacy and security. From the investigative standpoint, looking at the wholesale china threat with that indispensable partner with the criminal branch and the joint task force with over 30 agencies that are co located including treasury so if we come across the supply chain with the Defense Industrial base we set sidebyside with those agencies and is not just those specific indictments against those individuals but the whole of government approach. Absolutely we appreciate that collaboration. We do have a number of American Companies out there and the chinese espionage is more than a threat to our personal liberty as that harms our National Defense what industries do you think are most susceptible to espionage . I would start with the industries where china says they want to achieve dominance i will look like in the made in china 2025 initiative and say if thats what they want to be ahead if you make products within those sectors you are more likely candidate for it theft then talk about different motivation behind that and then