On Friday, U.S. Senator Mike Rounds voted to confirm General Lloyd Austin is the next secretary of defense. Does that mean anything different as to how cybersecurity is approached in the U.S.?
SDPB's Lori Walsh talks big tech companies and antitrust implications with the Senator.
Lori Walsh:
Senator Rounds. Welcome. Thanks for being here.
Senator Mike Rounds:
Thank you, Lori. And I do appreciate the opportunity to visit with you this afternoon.
Lori Walsh:
I'm hoping we can start with cybersecurity because, before Christmas and around the election time, some of that news got buried with other things that were happening about cyber attacks on the U.S. And you were hoping to learn more and really share more after the holidays with people. What can you tell us today about some of those cyber attacks, what we know about them now?
Senator Mike Rounds:
I think a lot of it has been identified as the Solar Winds Cyber Attack. What we do know, and at least what we believe, and we have pretty good evidence of it, is Russia and Russia associated actors were behind it. And what they were doing was trying to gather information. As near as we can tell, they were not trying to damage things. They were in looking. They did not intend to be caught. They were in trying to get into as many different systems as possible. And they focused a lot of their attention on government systems.
Now, we have different kinds of government systems. We have classified systems that are private, that are not accessible. And then, you also have the systems such as what we call the DODN or the Defense Department Network, very similar to what you find in other agencies of government. The Department of Transportation has a system. The Department of Commerce has a system. Secretary of State has got a system. All of those different locations that most of us can just simply go with the .gov on it, you can get in and you can look around. Well, it's pretty obvious they were into a lot of those.
What has not been discussed publicly is whether or not they were into any of the classified sections. And, at this point, it does not appear, from what I'm aware of, or at least that what I've learned, it doesn't appear that they got into, at least they haven't been found any of the classified ones. But that doesn't mean that they weren't trying. And once again, you always have to be careful about suggesting that you know everything about what they're doing.
And so, I guess the message is, they were in. They were looking around. They were not trying to destroy things. They were trying to gather information and figure out ways to get deeper into those networks. They did it using outside software, that has relied upon software. And it was caught by another outside software firm. And it was shared fairly quickly. They didn't keep it quiet. They immediately shared it, which allowed for patches to be put into place, to stop it from happening again. That's about as far as I can really go on it right now. And I suspect that a lot of that information is probably not new information to anybody that's been following it.
Lori Walsh:
Tell me a little bit about the new Secretary of Defense and a new Biden administration and whether or not they will focus on cybersecurity in ways that are different or more expansive or less expensive than the Trump administration. What are you seeing so far in the early days of Biden's administration?
Senator Mike Rounds:
Well, yeah. Let me go back a little bit farther, and let me go into the Obama administration to begin with. And remember, as cyber is being developed, we learn as we move through. And so, I don't mean this to be derogatory towards the Obama administration, but we learned some lessons about what happened during the time period as we became more adept at cyber. And what we had discovered was that, during the time in which the Obama administration was in, they had created classified documents that gave directions about how cyber could be utilized. And it was called PPD-20 Presidential Policy Directive 20. That particular one was their best effort at trying to regulate and to separate out, so that we weren't stepping on each other, the different agencies of government and approval processes for allowing us to get outside of a war zone and to get in and to do offensive cyber operations.
It did not work. And what we discovered was is that, over a period of five years, the individuals within the Department of Defense that were responsible for doing offensive cyber operations to slow down the guys who are out there trying to get into our stuff, that are literally throwing the arrows at us, shooting the arrows at us, we didn't have one single offensive cyber operation successfully attempted during that five-year period of time because of the approval process, and how difficult it was, and how many different areas of government could negate or veto the operation, and the timeframe it took to actually work through. I do give credit to John Bolton and to members of the Trump team who listened to us when we went in and sat down and explained to them what we were discovering in our oversight capacity as a subcommittee on the Armed Services Committee, specifically with regard to cybersecurity. And our recommendation in conversations with them was, "You need to change and streamline this process."
A new classified document was prepared, and that was called NSPM-13, National Security Policy Memorandum 13, which has since been amended by NSPM-21, just to be clear. But it classified. But I can share with you what it does in essence is, it lays out a process in which we are allowed to do offensive cyber operations and to do it in such a fashion that, while the whole of government, other people are aware of it, their ability to get in and to restrict it or to stop it without having a good reason and one that could be basically overcome or change, this process that we have in place now actually allows us to do offensive cyber operations. It has been successful.
And the best example I can give you is that, even though Russians and others were able to manipulate information and get into the United States, into our platforms, our software, our social media platforms, and so forth with misinformation, when they tried and started to prepare to do that in the 2018 elections, it is not an accident that they were unable to get into the 2018 election cycle and manipulate and provide misinformation and circulate it. It was a significant success for our offensive cyber capabilities. And it was basically proof of concept that doing what we call defending forward was a success. And it is part of what we do right now, which is we engage on a daily basis with cyber operations and those actors that are out there. So, they know that we are engaged and that we are doing it forward in other areas outside of the United States so that they know that we're watching them and that we are interacting with them to delay their capabilities.
Lori Walsh:
So, to my question then, with a Joe Biden presidency, is that going to continue the way that has been successful in the past? Or is he looking at making changes that would be more in line with when he was in office with the President Obama?
Senator Mike Rounds:
Remember that so far the individuals that have been approved, such as general Austin, who will now become the Secretary of Defense. I've had good conversations with him. He will follow what the president actually directs, but he clearly understands the need to be able to react quickly within cyber. I've had good conversations with him. And now, the issue is whether or not, in an arbitrary move, those in the upper levels of the administration would somehow decide that they want to go back anyway.
I think the most significant places that we have to watch are the Department of State, where in some cases they believe that diplomacy versus military activity is the best approach. And we want both, but the one cannot conflict with the other. And so, at this point, I think we're in pretty good shape, but we're going to keep our eyes open. We're going to keep our ears open. We continue to ask, as each of these deputy secretaries are confirmed, what their opinion is and whether or not they have a clear understanding of how critical it is that we continue to defend forward and we continue the persistent engagement policies that we have been engaged in for the last three years.
Lori Walsh:
Is it, and I hate the word paradigm shift, but there I am using it. Is it kind of a shift that people have to sort of figure out that we are living in a new world of cyber threat, and therefore, some of those policies have to really... you have to get your mind around them in different ways. Are you finding that? Are you finding people are having to rethink how they came up in an area and as some of the philosophies that they had, now that cybersecurity is the threat that it is in the world?
Senator Mike Rounds:
The professionals who work in it clearly understand it. The challenge is to transfer that into and to gain political acceptance by those political leaders who will be responsible for a lot of the policy determinations, the strategic policy determinations. At this time, I think, because of the broad support we've had in the Armed Services Committee from Republicans and Democrats alike for this policy, I think we're in pretty good shape. And yes, it is true that there is a paradigm shift here. But it's bigger than just cyber. Excuse me.
See, it used to be that, when we fought and when we had to defend ourselves, we did it based on the domains of air, land, and sea. But now, we not only have air, land, and sea, which are domains on their own, but you also have the domain of space and the domain of cyberspace. Both of those are in flux today. They are our adversaries. And then, we have them. They are near-peer competitors, Russia and China. Russia has lots of capabilities. China is rapidly developing their capabilities. And they don't have, in many cases, the same concerns that we have about militarizing those other domains.
And so, we find clear evidence that our assets that are in space are at risk. And we have to do everything we can to defend those assets. GPS systems are just one example. But we have to defend them from multiple adversaries who recognize our dominance in air, land, and sea, and the fact that we need to defend. And they know that it's less expensive to use cyberweapons than it is to have to build aircraft carriers and stealth bombers. And, if they could reduce our ability to be effective by manipulating or reducing our capabilities by using cyber or cyberattacks, then they're going to do it.
And so, what it amounts to is we just have more to defend. But they in their capacity are nearly as dependent as we are on cyber as well. So, it's just more area to cover and more places that we are at risk. And remember, a lot of this goes back to what we have to defend in the United States to keep our people safe. And that is we've got energy systems, we've got communication systems, we have financial systems, all of which are critically dependent on cyber. And our adversaries know that. We are the place where huge amounts of assets are found. And, because of that, we're the place that they look in terms of trying to either reduce our capabilities or to steal our capabilities.
Lori Walsh:
I want to pivot a little bit and expand on something you just said, but include this conversation about big tech companies. And one of the things that we're seeing even now is the power. You've spoken about concerns about power and dominance of Facebook, and Twitter, and Apple, and Amazon with data privacy, and unfair competition, and user agreements that you've said border on censorship or risk being tools of censorship. Now, we're also seeing social media used very effectively to impact the stock market in ways that perhaps some people are surprised with. What is your focus right now, Senator Rounds, on big tech when there's so much to really look at. Are all those things connected? Or are they separate entities that you need to sort of look at one at a time? Tell us what your focus is.
Senator Mike Rounds:
Let me put it in a different perspective for just a second. In South Dakota, we've got lots of farmers and ranchers. They're Ag producers. They produce beef. They produce pork and so forth. Today, we have, I think, serious issues with regard to antitrust regarding our packing facilities. You've got four major packers for beef processing. I think the investigations that I believe are going on right now by the Justice Department are very appropriate as to whether or not they are controlling, manipulating the market. They control, those four packers control over 81% of the entire market. And I don't think that's good. I think we have to do things in which to break that up or at least to separate out and provide for other alternatives, such as smaller meat processing facilities, to be able to sell across state lines. So, we're trying to do that with legislation, but we've also asked the Justice Department, and President Trump did too. He asked the Justice Department if they would investigate the possibility of price-fixing by packers. To the best of my knowledge, that is an ongoing investigation today.
Now, move that over to the services that we have when it comes to our internet connections. You have got, and you named a number of them, you've got lots of different organizations that provide services over the internet, but there's just a couple of major ones. And they have, in some cases, vertically integrated themselves, whether you're talking about the host for a lot of our computer processes, where they have huge systems in the cloud itself. Amazon web services, Azure web apps, Google Cloud, Microsoft, basically, these are all companies that they have huge hardware capabilities that we refer to as the cloud, huge systems.
Now, they might very well lease space to other organizations, such as their social media companies, Facebook, or Twitter, and others. But then, you've also got just a series of browsers as well, such as Google Chrome, Safari, Opera, Firefox, Internet Explorer. Well, each of those, there's a limited number of them. And the question is, do they have, any one of them or a couple of them, have they created an oligarchy to where there's a limited number and they control the social media market or access to it?
Great example was, most recently, President Trump was taken off of his Facebook and Twitter. And the question is, should they have the ability to do that? Well, that goes back to the authorities they have to operate in the first place and whether or not, in doing so, we've created an oligopoly where there's just a few of them that can talk back and forth and make decisions about who they allow on, and who they take off, and what their obligations are.
And so, I mean, we're really getting into some stuff that the committee on commerce, the Commerce Committee really is going to have their hands full in determining whether or not the laws that are in place, including what they call section 230. Everybody is talking about section 230.
Lori Walsh:
Mm-hmm (affirmative).
Senator Mike Rounds:
Whether or not that is still applicable to these major companies, in some cases have already vertically integrated, and whether or not, my concern, is it time to look at whether or not we should be questioning whether or not there are antitrust activities going on.
Lori Walsh:
So, these are connected, but I'm also wondering if they're also separate. And here's what my question is. President Trump's behavior on Twitter was seen as a violation of their user agreement. That is something that there needs to be accountability and responsibility too. But the question that we're also asking is, should they have such a dominance of the marketplace that, when somebody violates a user agreement, which none of us read, because they're changing all the time and they're updating, then are they silenced permanently? Are they two separate, in some ways, but also connected issues to you? Because we can't disregard someone's behavior on social media either. And you need to be accountable for your words. But is this the right way to hold people accountable for the violations of user agreements?
Senator Mike Rounds:
Here's the deal, and we've got to remember... let me just run by this a little bit, because I think it'll make some sense.
Section 230 is a provision of the 1996 Communications Decency Act. Now, what it says is that companies that operate internet platforms like Facebook, Instagram, Reddit, Twitter, Yelp, they cannot be held liable for what users post to these sites. Now, these platforms have grown, as you've indicated, over the years. And they've relied on their ability to not be held reliable for the language used in users' posts in order to grow. Now, when these platforms decide to moderate posts, and that's what they've done here, they are even further protected by section 230's clause, which is called the Good Samaritan Clause, which allows internet platforms to censor, moderate, or edit content so long as it's done in good faith. Now, not surprisingly, there is no clear definition of what good faith is in section 230. But, by moderating posts, companies like Facebook and Twitter are taking on more of a publisher role. And they need to be able to explain their methods and their reasoning for moderating certain posts.
So, what they've really done here is, granted they're private companies. So, this is not a First Amendment issue when it's a private company. But, when they do this and they actually take somebody off and more than one of them does it, is it collusion on their part where they speak with one another? Are they following one another? Or should there be other alternatives out there that are available for someone who is on one and who might move to another? Or do they have to explain in advance what they consider to be their actions in good faith to moderate? And, if they do that, should they not be holding other leaders around the world to the same standard? And that really is the issue. What are those standards? And are they playing fair on this? Or have they arbitrarily decided to pick on one leader versus another?
Lori Walsh:
Senator Mike Rounds, I know you have a busy day, and you have given us a good chunk of your time. So, we appreciate that. We hope you'll come back to us again, as we have more conversations about this in the future. Thanks so much for your time.
Senator Mike Rounds:
Thank you for the opportunity. Bye, bye.