Foreign Press Center Briefing on “Cyber Successes: Highlights of 2019 and Look Ahead to 2020,” January 10, 2020.
Thanks a lot for that introduction. Thank you all for coming, and those who are online, I look forward to engaging with you. I wanted to give some opening remarks about what we’ve done in 2019, and looking forward to in 2020. So I lead of the office of the State Department responsible for cyber policy, as well as international communications policy and securing digital technologies. As the world has seen tremendous growth from the internet and connected digital technologies, we now have increasing numbers of people having access to information they never had access to before. They’re able to access this information as well as participate in commerce, ecommerce. Especially small and medium-sized businesses take tremendous advantage of that. The internet and being connected really adds trillions of dollars to the global economy every year. But with that kind of tremendous gain and tremendous potential future gains, we also have significant challenges in cyberspace. Those come in the form of cyber threats in unsecure technologies. So, as we look to connect the next three billion people around the world, we need to face these challenges head-on. And because the internet is inherently borderless and we’ve become more interconnected, we need to do greater work to cooperate among nations and to seek collaboration on addressing these significant challenges in cyberspace. For that reason, cyber security and cyber policy issues are very important to the State Department, and it’s really becoming one of the top foreign policy imperatives of our time. In this last year, we’ve worked very closely following the work we’ve actually been undertaking for more than a decade to establish a framework of responsible state behavior in cyberspace. That is, establishing the rules of the road for how nations should interact with one another in cyberspace. We’ve had the UN endorse a set of 11 voluntary norms of responsible state behavior. On the sidelines of the UN General Assembly high-level week in September of this year, Deputy Secretary Sullivan, along with the foreign ministers of the Netherlands and Australia, had a statement signed, along with 26 other countries in addition to the United States, on responsible state behavior in cyberspace. Those endorsed the applicability of international law to cyberspace, so international law applies in cyberspace just as it does in the physical world. Also established that countries should adhere to these voluntary norms of responsible state behavior that have been previously endorsed by the United Nations, and key among those is the norm that one nation should not attack another nation’s critical infrastructure. This joint statement also said that, unfortunately, countries will still likely act inconsistent with this framework of responsible state behavior, and therefore it’s necessary that those states that are likeminded about the importance of these norms act to hold those other nations accountable for those transgressions against norms of responsible state behavior, and in some cases, impose consequences against those actors. So it was a very significant statement that we had pulled together with 27 countries in total in late September. Through the State Department, we are leading the U.S. Government’s efforts to establish what is known as a cyber deterrence strategy. This was previously announced in the September 2018 National Cyber Strategy. The international component referring to deterrence is something that the Department of State has been leading the interagency implementation of. Our goal there is to establish a set of consequences that are swift, costly, and transparent. Those can be used in an effort to respond to those countries who do not act in ways that are responsible, who act inconsistently with responsible norms of state behavior. We are continuing to implement those, and we will be doing so in the new year, in 2020, and we’re also working closely with a number of other governments out there to find ways that we can work together to impose consequences against those state actors who are acting in malicious ways. Another major line of effort that we’ve undertaken for more than a year now has been to educate and discuss with other countries about the importance and the transformational nature of 5G wireless technologies. That’s the fifth generation of wireless technology. 5G is gonna be so different than 4G and previous generation of wireless technology because it’s going to empower the internet of things and all types of new critical infrastructure. That new critical infrastructure will ride on the backbone of 5G, the ability of devices to communicate at roughly 100 times the speeds they do today and with very low latency, that is, the time it takes to connect between a device and a server and back to the device. Those types of new applications include autonomous vehicles, telemedicine, automated manufacturing, and just massive amounts of data that were not previously carried by communications networks. Having that much data also will empower artificial intelligence and other very vital services to the government and to the public. So it’s very important that technology be secure. Our view is that you need to, of course, have the best of cyber security best practices deployed on these 5G networks, but the inherent ability of updates to networks to contain a potential compromise, a compromise to software or the firmware, which is software that rides on hardware systems, that, because it can be compromised means that there is no ability for any testing regime to be certain that these updates do not contain some type of vulnerability in millions of lines of code. So what you really need is a trust relationship between the vendors of this technology and the telecom operator and the government where that technology is going to be deployed. Over the last year we’ve worked very closely with a large number of countries, in particular worked closely with Europe as they’re working on security measures for 5G. We saw the European Union adopt a risk assessment in early October that said that they need to be concerned about these trust factors and to look at the ability of a foreign government to influence the vendor that’s providing their 5G technology; and in particular, they should also look at the ownership structure of that company and whether that company is subject to coercion, and finally, whether that company is subject to, in a legal environment where there are democratic checks and balances. The United States, we’ve shared this… From the United States perspective, we’ve shared our concern that in China the national intelligence law from 2017 requires all entities to comply with the mandates of the security intelligence services in China, and to do so secretly, and there is no way to appeal to an independent judiciary or a rule of law system as a check on that power from those intelligence security services. So we’re pleased to see that the European Union recognized that risk in their risk assessment. We also saw the European Union’s Council develop a statement that was released on December 3rd that said that they also recognize the importance of looking at non-technical measures, and in particular looking at the legal and policy framework of where a vendor is headquartered, so in a country where the vendor for 5G technology is headquartered. So, in the new year we’re likely to see a European Union security toolbox for 5G, that is, particular measures that address the security risks that they’ve already assessed to exist. We’re gonna work very closely in the new year with European allies in addition to partners and allies around the world that we’ve already been working with on 5G security measures. In July of 2018, Secretary Pompeo announced that we were going to begin a strategic down payment on digital cooperation in developing countries around the world. We call this our Digital Connectivity and Cybersecurity Partnership. It’s a way of us to provide technical assistance as well as capacity building to countries as they’re looking to help connect the next three billion people around the world. We want that to be done in a way that’s going to ensure that there is sustainable development in the digital space as well as protecting the individual liberties of people in those countries, and that way they can continue to see the benefits of the internet and see even greater improvements in their standards of living and ability to access information. In 2019, we were able to commit to $50 million of technical assistance both in the form of cyber security capacity building, cyber security training, as well as regulatory and other training assistance for regulators in countries around the world. In this next year, we’re looking to expand to, our previous focus having been, our previous focus having been on the Indo-Pacific region, in the new year we’re looking to expand to Latin America with at least $10 million pending approval from Congress on this new initiative to expand to Latin America as well. So, we have a lot on our plate for the new year. We’re very enthused about the ability for new technologies to present many new opportunities for people, improve standards of living, improve quality of life, but we know that we need to do so securely. So, our overall message to the world is that we want to help them promote technologies that are open, interoperable, reliable, and secure. And with that, I’d love to take any questions you have.
All right, we’ll start in the front here.
Dmitry Kirsanov with TASS. Mr. Secretary, there was a boatload of speculations about Iran potentially retaliating using all sorts of cyber attacks immediately following General Soleimani’s death, so I wanted to ask you if the U.S. administration, if those fears have materialized, if the U.S. administration is seeing any significant cyber attacks emanating from Iran that you can contribute to the Iranian state.
So, I can’t comment on anything that we know from a classified sense. I will just say that as you’re probably aware, senior officials, including at the Department of Homeland Security, have encouraged our private sector and individuals to be vigilant about the potential threats that would emanate potentially from Iran in recent days. But I can’t today comment on what we’re seeing as specific activity there.
[Moderator] For our next question we’ll go here, and then we’ll go to New York.
Emel Akan, the Epoch Times. My question is about China, China’s cyber security rules. China passed a new encryption law that took effect on January 1. I’m wondering if you have any comments on this new rule, which potentially has a lot of implications for foreign companies operating in China.
Yeah. We’re very concerned about laws like we’re seeing, like that one in China, and in general, the requirements that are being placed on companies to share data with governments that are not based on rule-of-law protections, that don’t involve the potential to go to an independent judiciary. We think it’s important that there be careful, there be narrow constraints around government access to information that would be for specific purposes. I think what we’re seeing in China as far as their requirement that companies provide the government access to all sorts of data on all types of companies and all, in very broad sectors of the economy should also give telecom operators in countries around the world concern about the ability for a Chinese company to then provide their telecom services and be able to actually resist a mandate from the government in Beijing to provide access to the data that’s residing on the networks that would be then in a third country, say in Europe or somewhere else. That kind of extraterritorial ability for the Chinese Government to reach out is certainly in the realm of the possible. It’s not something that would be, again, able to be resisted by gonna an independent judiciary or appealing to rule-of-law institutions to stop that kind of extraterritorial reach to acquire data around the world.
[Moderator] Okay, for our next question we’ll go to New York, and then we’ll come back. Please, go ahead, New York.
Paolo Mastrolilli, U.S. bureau chief for the Italian daily newspaper La Stampa. Thank you very much for the briefing. You were mentioning the discussion ongoing with the European allies concerning the construction of the 5G network in Europe. Some of these countries, like Italy, are still considering the possibility to let a Chinese company build their own 5G network. I would like to ask you if there is any update you could share in terms of the dialogue with Italy concerning the construction of its 5G network.
Consultations with the Italian Government. We think that a lot of countries in Europe are probably looking to Brussels and the European Union security toolkit that’s going to be likely released this month or in the next couple months on 5G security, but the same points that I made just a few minutes ago we’re making to the Italian Government and others, that is, our concern that we not just look at technical measures of cybersecurity competence, but also look at non-technical measures that relate to a trusted vendor, that is, the ability of a vendor to be commanded by a government in a third country to take actions that are not in the interests of the citizens in Italy or the citizens of other parts of Europe, and that really what we’re looking at is not just what’s at stake in a 4G network, but with a 5G network and critical infrastructure and vast exponential increases really in the amount of personal data on those networks, we need to be that much more secure, and there will be that much more temptation for authoritarian governments to try to access the data that will be on 5G networks. So, the discussions are ongoing with European countries, including Italy.
[Moderator] We’ll go here and then to you, sir.
I’m Mounzer Sleiman, Al Mayadeen TV, based in Beirut, Lebanon. To follow up on the previous question, can you just, without identifying a target of cyber warfare, can you confirm that there was any cyber attacks originated by Iranians since the killing of Soleimani? And the other question I want to ask you is, can you categorize or rank the adversaries of United States in cyber warfare, and also the friends of United States? Can you rank who is on the top or give us some idea who has the capability? And what kind of international law, additional articles of international law you would like to apply to cyber security?
Great questions. I’ll do my best to answer them as best I can. Let me just start with our Director of National Intelligence through our Worldwide Threat Assessment annually has articulated there’s four countries that we see as strategic competitors or adversaries in cyberspace, and those are China, Russia, North Korea, and Iran. We don’t put any particular order on them, but there is a little bit of definition within that report about how we see the threats being posed by each one of those actors. And shortly, like later this month or early next month, there will be another threat assessment along those lines. I just can’t characterize the nature of cyber attacks in general. I mean, there’s always things going on in cyberspace. We make a concerted decision within the U.S. Government about whether we want to attribute an attack or activity in cyberspace and how we want to respond. So, I’m not able to sort of give you the full lay of the land. That is a classified endeavor that we undertake, and I’m not able to characterize Iranian activity at that level at this time.
[Mounzer] Sorry, I ask about whether you can confirm without saying anything that there was an increase of Iranian activities after the killing of Soleimani.
I’m not in a position to characterize—
The type of activity. Sorry.
I would say that in cyberspace, there is a lot of things happening very often, and there’s further decision not just of what’s happening on private networks but what’s being attributed to a government as well. So there’s a lot of activity in cyberspace that requires very careful consideration, which is what we do in the U.S. Government. We are very careful before we attribute an attack or attribute activity that we don’t like to see. So, I’m not here going to make any announcements today, or even to characterize in any way the Iranian activity.
My apologies. I just wanna remind you of the international law issue, and ranking the friends—
Yeah, yeah. So, I’m not gonna rank friends, but I will say that, uh… So, on the international front, we think that we already have the applicability of international law to cyberspace well established at the UN. We also have these 11 norms of responsible state behavior. What we wanna see is the further universal acceptance of those norms and countries to better understand how they can live by those norms, in particular that norm about one nation not attacking another nation’s critical infrastructure that’s providing services to the public. We’ve seen that norm violated multiple times. In particular, in 2018 we saw North Korea do that, we saw Russia do that through the NotPetya attack, and we also saw Russia attack the Organization for the Prohibition of Chemical Weapons. Those violate norms of responsible state behavior. So we wanna see a further understanding by nations of what these norms mean, and we would like to see more nations sign on to our statement that we signed, that we jointly promulgated with the Netherlands and Australia in September about advancing this framework of responsible state behavior in cyberspace. We don’t need additional international tools necessarily to push forward these understandings, so we think that just having a better understanding of what the norms mean in particular countries and particular contexts is what we should be pushing for in the near term.
[Moderator] All right. For our next question we’ll go to Alex.
Yeah, Alex Raufoglu from Turan News Agency of Azerbaijan. I have two questions, but before I would like to take another chance on Iran and the U.S. issue. Just so we understand the state of alert in Washington, there are threat of, let’s say, targets that Iran might target in its immediate neighborhood, in Azerbaijan, in its infrastructures. Is this something that you feel that the red lights are blinking red after Soleimani’s killing? And is it something that Washington is discussing with its allies in the region? And I have another question.
Well, as I said earlier, we were concerned enough that we told our general public, and we share that with our international partners, that we were concerned that there could be attacks on industrial control systems, on critical infrastructure. We, of course, saw the attacks that occurred on Saudi Arabia in 2016 and into early 2017, including against Saudi Aramco, which were deletions of data that wiped out many computers at once that can be debilitating to critical infrastructure. We’ve also seen Iran active on media platforms seeking to influence the U.S. population. So, we talked about that before and then we made that further effort to make sure our public and both our private sector and individuals were well aware of the threats that could emanate from Iran. But I can’t characterize, again, the nature of… How we’re seeing things change. It’s an internal decision.
My other question: we see more and more countries in the region are turning to internet blackout or digital attacks on its citizens to control domestic politics. Is this something that in your scope, are you covering this issue? Has Washington been worried about this kind of behavior in the region?
Sorry, in the—
About this attacking, using in a blackout and digital attacks against their own citizens. Like in Russia, in Azerbaijan, we have heard, like, lot of social media activities, and activities have become aimed at that, their profiles are being stolen or they’re being attacked by government forces. Is this something in your scope and have you been raising these cases with the countries that have engaged in this kind of behavior?
Absolutely, we’re very concerned about any time that the internet is used or being manipulated in ways that restrict individuals’ ability to speak or that interfere with their freedom of expression and their individual liberties. As you may know, when Iran recently caused the internet to be taken down for the availability of the public, we sanctioned their communications minister to show that we think that is the wrong type of thing to be doing. There’s no legitimate reason for disabling the internet when it’s an effort to interfere with people’s ability to communicate. And so, around the world we see that all the time. When we see that countries are seeking to use internet blackouts or restrictions as a way to suppress people’s rights, we speak out against that.
[Moderator] All right. For our next question we’ll go to New York and then we’ll go to you.
Hi. Hi, my name is Ali Cinar from Turk of America. During NATO Leaders Meeting in UK, Secretary General also touched based on more investment on cyber security. So, is there any plan against mostly China? As an example, Huawei, since they invest and gain market share in some NATO countries, including Turkey. So, we’d like to know what’s the role between NATO and U.S. on this issue. Thank you.
So, we continue to work closely with NATO and other institutions in Europe because we need to have secure communications capabilities, particularly when it relates to having the ability to do joint operations together and to do troop mobilization. So, we continue to talk very closely with NATO as an institution, NATO countries about the importance of them having trusted technology vendors for their fifth generation of wireless technology.
[Moderator] Great. We’ll go to here.
Thank you for the briefing. My name is Yan Zhang from Initium Media, Hong Kong. I have a question about Huawei. So, I heard Washington is trying to put some pressure on the foreign countries who use Huawei network. So, can you confirm that, or is there any comments from you?
So, at the end of the day, we know that each country will make its own decisions about the security measures that it wants to have in place for the deployment of 5G technology, that is, the regulations it wants to have in place and the laws it will have in place. We’re not seeking to put any undue pressure on countries. We wanna have an open dialogue at this point to share our security concerns, first of all, to understand the transformational nature and the tremendous benefits from 5G, but also understand that that also means that you need to have that technology secure because so much more is at stake than was previously at stake with regard to earlier generations of technology. So, we’re sharing our views about… The supply chains need to be secured and you can’t just look at having technical tests done of the technology, that the ability to upgrade and update millions of lines of code at once is a whole new set of potential vulnerabilities to the network that need to be dealt with by only using trusted vendors, that is, vendors who are subject to a rule-of-law system and an independent judiciary. And we think it’s also important to look at the trust related to the companies’ long-term compliance with laws around the world, including corruption, intellectual property rights, as well as looking at the ownership of a company. Who is really in charge? Is there a role for something like the Chinese Communist Party in the company? We think that when you’re not sure who’s running the company, you can’t really hold them accountable or know who’s really calling the shots related to the security of your data.
[Moderator] All right. We’ll go to the back and then to you.
Hi, Mr. Strayer. Thank you for speaking to us. Ben Marks with NHK Japan Broadcasting. Earlier this week, Senator Tom Cotton introduced the bill that would prohibit the United States from sharing information with countries who use Huawei products, (clears throat) excuse me, in their 5G networks. I’d like to ask, is that something you think is necessary? And in your conversations with other countries, have you brought up that the United States might not be able to share intelligence with them if they use Huawei in their 5G network?
Yeah. Thanks for that question. As we talk to other countries, we’re cognizant of the very robust information-sharing relationships that we have with many of them. That information-sharing relationship allows us to do military operations, allows us to do law enforcement operations, allows us to facilitate trade. We’ve told countries around the world that if we find it difficult to share information with them, it might impede that very robust relationship that we have of information sharing in these other vectors if we think it’s subject to compromise with untrusted telecom vendors. So, we’re not saying that we’re gonna take any specific measure, but we will at least have to reassess how we’re sharing information. We wanna maintain that operational tempo of sharing information to facilitate all these important relationships and operations and cooperation that we have ongoing. We don’t wanna see that degraded by untrusted telecom vendors. So, we’re certainly sharing that with countries around the world. I can’t specifically comment on any congressional legislation. That’s something that would be decided by the entire interagency and the President, but I will say that there was something, a provision that passed into law at the end of last year that requires our intelligence community to at least assess the security of the communications infrastructure of countries that they’re seeking to implement new agreements with. So, there is some effort already underway along that line as a legal matter, but as I mentioned, we’re talking to our partners about how we maintain our close relationships and not potentially degrading them because they’re using untrusted telecom vendors.
Next, to you.
Yeah, hi. Thanks for coming to Foreign Press Center. My name is Kanwal Abidi. I report for AZB Daily from Pakistani media. I have three questions if you allow me. In May 2018, a top DHS official, Christopher, wrote a letter to Senator Ron that nation’s capital has a lot of surveillance devices. So, what has State Department done about that? And, like, a lot of times New York Times have reported that President Trump’s phone is not secure; Chinese spies listen to him. And so, do you think… Are you confident, like, what do you think about President Trump’s cell phone being secure? How secure it is? And my third question is about Edward Snowden. On his website, Edward Snowden says that recently he has developed an app, Haven app, which he refers to as even police dogs can’t sniff it. So, do you think that Haven app is a threat to U.S. cybersecurity? And in June 2013, the, you know, whatever happened, like, on the Russia airport, the U.S. Government seized his passport. So, what is his current status of passport? Do you consider him to be an American? Is he a U.S. citizen? Thank you.
Sorry, in the very first question, was that surveillance network in what city?
[Kanwal] Yeah, no, DHS official Christopher wrote a letter to Senator Ron Wyden that the nation capital has a lot of surveillance devices.
Which nation? Is that the United States?
Yeah, Washington, D.C. has lot of surveillance devices and spies and StingRays. So, what has State Department done on that?
That was a letter from, uh…
[Kanwal] Christopher Kreb—
To Senator Ron.
It’s on, uh…
Yeah, and so I would just say I haven’t read that letter and you’d have to talk to the Department of Homeland Security and Chris Krebs about that letter then. With regard to the President’s cell phone communications, that’s the responsibility of the Secret Service, and I’d have to refer you to them on that point. On whatever application that Edward Snowden’s been ginning up, I can’t really comment on it. I haven’t seen the technology myself. He is a scofflaw from justice. Because of his actions, people died, so I think we take that matter very seriously and I can’t comment on the status of his passport.
And with that, I think we’re gonna conclude our briefing. I wanna thank Deputy Assistant Strayer (mumbles). Thank you.