[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
TELECOMMUNICATIONS, GLOBAL COMPETITIVENESS, AND NATIONAL SECURITY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS AND
TECHNOLOGY
OF THE
COMMITTEE ON ENERGY AND
COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MAY 16, 2018
__________
Serial No. 115-128
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
32-796 PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon
Chairman
JOE BARTON, Texas                     FRANK PALLONE, Jr., New Jersey
  Vice Chairman                         Ranking Member
FRED UPTON, Michigan                  BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois                ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas             ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee           GENE GREEN, Texas
STEVE SCALISE, Louisiana              DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                 MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington    JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi             G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey             DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky               KATHY CASTOR, Florida
PETE OLSON, Texas                     JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia      JERRY McNERNEY, California
ADAM KINZINGER, Illinois              PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia          BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida             PAUL TONKO, New York
BILL JOHNSON, Ohio                    YVETTE D. CLARKE, New York
BILLY LONG, Missouri                  DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana                KURT SCHRADER, Oregon
BILL FLORES, Texas                    JOSEPH P. KENNEDY, III, Massachusetts
SUSAN W. BROOKS, Indiana              TONY CARDENAS, California
MARKWAYNE MULLIN, Oklahoma            RAUL RUIZ, California
RICHARD HUDSON, North Carolina        SCOTT H. PETERS, California
CHRIS COLLINS, New York               DEBBIE DINGELL, Michigan
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina
______
Subcommittee on Communications and Technology
MARSHA BLACKBURN, Tennessee
Chairman
LEONARD LANCE, New Jersey             MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                         Ranking Member
JOHN SHIMKUS, Illinois                PETER WELCH, Vermont
STEVE SCALISE, Louisiana              YVETTE D. CLARKE, New York
ROBERT E. LATTA, Ohio                 DAVID LOEBSACK, Iowa
BRETT GUTHRIE, Kentucky               RAUL RUIZ, California
PETE OLSON, Texas                     DEBBIE DINGELL, Michigan
ADAM KINZINGER, Illinois              BOBBY L. RUSH, Illinois
GUS M. BILIRAKIS, Florida             ANNA G. ESHOO, California
BILL JOHNSON, Ohio                    ELIOT L. ENGEL, New York
BILLY LONG, Missouri                  G.K. BUTTERFIELD, North Carolina
BILL FLORES, Texas                    DORIS O. MATSUI, California
SUSAN W. BROOKS, Tennessee            JERRY McNERNEY, California
CHRIS COLLINS, New York               FRANK PALLONE, Jr., New Jersey (ex officio)
KEVIN CRAMER, North Dakota
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
GREG WALDEN, Oregon (ex officio)
C O N T E N T S
----------
Hon. Marsha Blackburn, a Representative in Congress from the
  State of Tennessee, opening statement
    Prepared statement
Hon. Leonard Lance, a Representative in Congress from the State
  of New Jersey, opening statement
    Prepared statement
Hon. Yvette D. Clarke, a Representative in Congress from the
  State of New York, opening statement
Hon. Greg Walden, a Representative in Congress from the State of
  Oregon, opening statement
    Prepared statement
Hon. Frank Pallone, Jr., a Representative in Congress from the
  State of New Jersey, opening statement
    Prepared statement
Hon. Anna G. Eshoo, a Representative in Congress from the State
  of California, prepared statement

Witnesses

Charles Clancy, Professor of Electrical and Computer Engineering
  and Director, Hume Center for National Security and Technology,
  Virginia Tech
    Prepared statement
    Answers to submitted questions
Samm Sacks, Senior Fellow, Technology Policy Program, Center for
  Strategic and International Studies
    Prepared statement
    Answers to submitted questions
Clete D. Johnson, Partner, Wilkinson Barker Knauer, LLP
    Prepared statement
    Answers to submitted questions

Submitted Material

Letter of May 16, 2018, from Nicholas J. Pisciotta, Chief
  Executive Officer, Sicuro Innovations LLC, to Mrs. Blackburn
  and Mr. Doyle, submitted by Mrs. Blackburn
Letter of May 16, 2018, from Michael O'Rielly, Commissioner,
  Federal Communications Commission, to Mrs. Blackburn and Mr.
  Doyle, submitted by Mrs. Blackburn
Report on behalf of the U.S.-China Economic and Security Review
  Commission, ``Supply Chain Vulnerabilities from China in U.S.
  Federal Information and Communications Technology,'' April
  2018, \1\ submitted by Mrs. Blackburn
Article, ``A U.S. Investment Strategy for Defense,'' by Andrew P.
  Hunger, CSIS, submitted by Mrs. Blackburn
Article, ``Beijing's Cyber Governance System,'' by Samm Sacks,
  CSIS, submitted by Mrs. Blackburn
Article of March 27, 2018, ``In U.S. Brawl With Huawei, Rural
  Cable Firms Are an Unlikely Loser,'' by Drew FitzGerald and Stu
  Woo, The Wall Street Journal, submitted by Mrs. Blackburn
Article of January 8, 2018, ``Huawei, Seen as Possible Spy
  Threat, Boomed Despite U.S. Warnings,'' by Stu Woo, Dan
  Strumpf, and Betsy Morris, The Wall Street Journal, submitted
  by Mrs. Blackburn
Order issued April 15, 2018, by Richard R. Majauskas, Acting
  Assistant Secretary of Commerce for Export Enforcement,
  submitted by Mrs. Blackburn
Article of January 12, 2018, ``US Army base removes Chinese-made
  surveillance cameras,'' by Max Greenwood, The Hill, submitted
  by Mr. Long
----------
\1\ The information has been retained in committee files and also
is available at
https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108301.
TELECOMMUNICATIONS, GLOBAL COMPETITIVENESS, AND NATIONAL SECURITY
----------
WEDNESDAY, MAY 16, 2018
House of Representatives,
Subcommittee on Communications and Technology,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:00 a.m., in
room 2123, Rayburn House Office Building, Hon. Marsha Blackburn
(chairman of the subcommittee) presiding.
Members present: Representatives Blackburn, Lance, Shimkus,
Latta, Guthrie, Kinzinger, Bilirakis, Johnson, Long, Flores,
Brooks, Collins, Walters, Costello, Walden (ex officio), Welch,
Clarke, Loebsack, Ruiz, Dingell, Eshoo, Butterfield, Matsui,
and Pallone (ex officio).
Also present: Representative Walberg.
Staff present: Jon Adame, Policy Coordinator,
Communications and Technology; Samantha Bopp, Staff Assistant;
Daniel Butler, Staff Assistant; Kristine Fargotstein, Detailee,
Communications and Technology; Sean Farrell, Professional Staff
Member, Communications and Technology; Margaret Tucker Fogarty,
Staff Assistant; Adam Fromm, Director of Outreach and
Coalitions; Elena Hernandez, Press Secretary; Tim Kurth, Deputy
Chief Counsel, Communications and Technology; Lauren McCarty,
Counsel, Communications and Technology; Austin Stonebraker,
Press Assistant; Evan Viau, Legislative Clerk, Communications
and Technology; Everett Winnick, Director of Information
Technology; Jeff Carroll, Minority Staff Director; Jennifer
Epperson, Minority FCC Detailee; David Goldman, Minority Chief
Counsel, Communications and Technology; Tiffany Guarascio,
Minority Deputy Staff Director and Chief Health Advisor; Jerry
Leverich III, Minority Counsel; Dan Miller, Minority Policy
Analyst; Andrew Souvall, Minority Director of Communications,
Member Services, and Outreach; and C.J. Young, Minority Press
Secretary.
Mrs. Blackburn. The Subcommittee on Communications and
Technology will now come to order. And I recognize myself 5
minutes for an opening statement.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
I want to welcome each of you to today's hearing. It is
entitled ``Telecommunications, Global Competitiveness, and
National Security.''
Our country's information technology sector is one of the
best economic growth engines the world has ever seen. It allows
people to communicate, be entrepreneurs, pursue educational
opportunities. It fosters a greater efficiency across every
single sector of the economy.
As I have said before, information is power, and history
makes clear that countries with the best communications have
the best advantage. Moreover, our Nation's defense, the men and
women in uniform who serve our Nation depend on communications.
U.S. military superiority is built upon intelligence,
surveillance, and reconnaissance, and the communication of this
information to outmaneuver potential adversaries.
The purpose of today's hearing is to understand the nexus
between telecommunications and national security in the global
context. These are issues the subcommittee and the Energy and
Commerce Committee more generally understand well.
In 2013, I authored a bill, H.R. 1468, SECURE IT, to
promote greater voluntary sharing of cyber threats between the
Government and the private sector, as well as among private
sector companies. I was pleased that many of the provisions I
authored were signed into law in 2015. Additionally, the
National Institute of Standards and Technology, or NIST as we
term it, has taken great strides to collaborate with the
private sector on developing a voluntary framework of
cybersecurity best practices.
Last month, NIST published the latest version of its
framework to be even more informative and useful to a broader
array of stakeholders. In today's world where information
literally travels at the speed of light and new innovations are
brought to market at a dizzying pace, it is critically
important to leverage robust information sharing about threats
and vulnerabilities. This should include greater information
sharing about the supply chain of hardware and software that
make up our communications networks.
When it comes to the supply chain, we must think about it
over the long term. We are fully aware of the issues that the
President has raised regarding China, Huawei, and ZTE. We are
aware that the Commerce Department has serious concerns. These
points merit discussion, and it is the reason our hearing is so
timely.
The quick and easy route would simply ban foreign vendors
of vulnerable hardware and software from accessing our markets,
but the marketplace for hardware and software is global, and a
hallmark of the communications industry is scale. In time, it
will be difficult for our domestic communications providers to
obtain their network infrastructure from trusted sources when
vulnerable foreign vendors acquire more and more global market
share.
What are the implications of all this to our Nation's
cybersecurity? What are the implications in the race to 5G?
What are the broader implications to our Nation's economy? And
most importantly, what are thoughtful solutions to such a
complex problem? These are some of the questions for today's
hearing that we will seek to address.
[The prepared statement of Mrs. Blackburn follows:]
Prepared statement of Hon. Marsha Blackburn
Welcome to today's subcommittee hearing entitled:
``Telecommunications, Global Competitiveness, and National
Security.''
Our country's information technology sector is one of the
best economic growth engines the world has ever seen. It allows
people to communicate, be entrepreneurs, and pursue educational
opportunities; it fosters greater efficiency across every
sector of the economy. As I've said before, information is
power, and history makes clear that countries with the best
communications have a competitive advantage.
Moreover, our Nation's defense--the men and women in
uniform who serve our country--depend on communications. U.S.
military superiority is built upon intelligence, surveillance,
and reconnaissance, and the communication of this information
to outmaneuver potential adversaries.
The purpose of today's hearing is to understand the nexus
between telecommunications and national security in a global
context.
These are issues this subcommittee, and the Energy and
Commerce Committee more generally, understand well. In 2013, I
authored a bill--H.R. 1468, SECURE IT--to promote greater
voluntary sharing of cyber threats between the Government and
the private sector, as well as among private sector companies.
I was pleased that many of the provisions I authored were
signed into law in 2015.
Additionally, the National Institute of Standards and
Technology, or ``NIST,'' has also taken great strides to
collaborate with the private sector on developing a voluntary
Framework of cybersecurity best practices. Last month, NIST
published the latest version of its Framework to be even more
informative and useful to a broader array of stakeholders.
In today's world, where information literally travels at
the speed of light, and new innovations are brought to market
at a dizzying pace, it is critically important to leverage
robust information sharing about threats and vulnerabilities.
This should include greater information sharing about the
supply chain of hardware and software that make up our
communications networks.
When it comes to the supply chain, we must think about it
over the long-term. We are fully aware of the issues that the
President has raised regarding China, Huawei, and ZTE. We are
also aware that the Department of Commerce has serious
concerns. This point merits discussion, and it is the reason
our hearing is so timely.
The quick and easy route would simply ban foreign vendors
of vulnerable hardware and software from accessing our markets.
But the marketplace for hardware and software is global,
and a hallmark of the communication industry is scale.
In time, it will be difficult for our domestic
communications providers to obtain their network infrastructure
from trusted sources when vulnerable foreign vendors acquire
more and more global market share.
What are the implications of all this to our Nation's
cybersecurity?
What are the implications for the race to 5G?
What are the broader implications to our economy?
And, most importantly, what are thoughtful solutions to
such a complex problem?
These are some of the questions today's hearing seeks to
address.
I am pleased to convene this hearing.
I look forward to the testimony of our witnesses.
And I yield 1 minute to the subcommittee's vice chairman,
Mr. Lance.
Mrs. Blackburn. And at this time, I yield my remainder of
time to Mr. Lance.
OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Lance. Thank you, Madam Chairman.
This is a particularly timely hearing on an important
topic. The security of our next generation networks is an issue
that has come to the forefront. Earlier this year, a leaked
memo from the White House recommended we nationalize our 5G
network for national security reasons. While an extremely
misguided and unrealistic approach, it is important that we
secure our networks.
Just last month, the FCC voted unanimously to move a
proposal forward to ban Federal funds from being used to
purchase telecommunications equipment from companies deemed a
security threat, such as Chinese manufacturers Huawei and ZTE.
I commend Chairman Pai and the rest of the Commission for
taking this important step.
ZTE has been deemed a security threat by our intelligence
agencies and has been criticized by the Departments of Justice
and Commerce for doing business in Iran and North Korea. Just
yesterday, the nominee to head the National Counterintelligence
and Security Center testified that Chinese intelligence uses
Chinese firms such as ZTE as a resource, and he would never use
a ZTE phone.
I am concerned about the national security implications of
lessening the punishments against ZTE in a trade deal with
China. National security and the security of our networks are
primary concerns here, and the administration must consider
that above all else in dealing with China.
I look forward to discussing this and other important
issues surrounding the security of our telecommunications
networks and the global supply chain with you today. Thank you.
[The prepared statement of Mr. Lance follows:]
Prepared statement of Hon. Leonard Lance
Thank you, Chairman Blackburn and welcome to our
distinguished panel.
This is a particularly timely hearing on a very important
topic. The security of our next generation networks is an issue
that has come to the forefront recently. Earlier this year a
leaked memo from the White House recommended we nationalize our
5G networks for national security reasons. While an extremely
misguided and unrealistic approach, it is important we secure
our networks. Just last month the FCC voted unanimously to move a
proposal forward to ban Federal funds from being used to
purchase telecommunications equipment from companies deemed a
security threat, such as Chinese manufacturers Huawei (wah-way)
and ZTE. I commend Chairman Pai and the rest of the Commission
for taking this important step.
ZTE has been deemed as a security threat by our
intelligence agencies and has been punished by the Departments
of Treasury and Commerce for doing business in Iran and North
Korea. Just yesterday, the nominee to head the National
Counterintelligence and Security Center testified that Chinese
Intelligence uses Chinese firms such as ZTE as a resource and
he would never use a ZTE phone.
I am concerned about the national security implications of
lessening the punishments against ZTE in a trade deal with
China. National security and the security of our networks is
the primary concern here and the administration must consider
that above all else in their dealings with China.
I look forward to discussing this and other important
issues surrounding the security of our telecommunications
networks and the global supply chain with you today.
Mr. Lance. Madame Chair, I yield back the balance of my
time.
Mrs. Blackburn. The gentleman yields back.
At this time, Ms. Clarke, you are recognized for 5 minutes.
OPENING STATEMENT OF HON. YVETTE D. CLARKE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF NEW YORK
Ms. Clarke. I thank you, Madam Chair, and I thank our
witnesses for coming with their expert testimony this morning.
Communication networks in the United States increasingly
rely on equipment and services manufactured and provided by
foreign companies. According to the Government Accountability
Office, more than 100 foreign countries imported communications
network equipment into the U.S. market between 2007 and 2011.
While the globalization of commerce and trade has created
many benefits, these long supply chains have made it possible
for bad actors to exploit vulnerabilities during design,
production, delivery, and postinstallation servicing. The
National Counterintelligence executive has noted that, quote,
``The globalization of the economy has placed critical links in
manufacturing supply chain under the direct control of U.S.
adversaries,'' end quote.
Some examples of the communications supply chain threats
include attempts to disrupt the ability of an organization to
operate on the internet; attempts to infiltrate a computer
system to view, delete, and modify data; and attempts to use
viruses or worms to extract data for use or sale. Some experts
have even expressed concerns about the use of a kill switch,
which could cause widespread communication outages and
interruption in the power grid. And with the recent
pronouncements of ZTE and Huawei, we know that this concern has
been elevated to a national concern.
And so, today, we look forward to hearing from you your
views and your insights into what we can do to make sure that
the United States is well protected.
And I don't know if I have any colleagues that are seeking
any time.
Well, then, Madam Chair, I yield back.
Mrs. Blackburn. The gentlelady yields back at this time.
Mr. Walden, you are recognized.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. Thank you, Madam Chair, and thanks for holding
this hearing on telecommunications, global competitiveness, and
national security. These are really, really important topics
this committee has dealt with before and will continue to deal
with. As chairman of this very subcommittee back in 2013, I
held a hearing on this same topic.
These are challenges that vex us, as demonstrated by our
Subcommittee on Digital Commerce and Consumer Protection
subcommittee's hearing on CFIUS legislation last month.
Discussion on these topics usually happens in a classified
setting, so there will be limits to the conversations we can
have today, and we understand that. But as I mentioned, the
Energy and Commerce Committee has the expertise on
communications technology and a key oversight role in this
debate.
For years, concerns have been raised about the supply chain
and potential vulnerabilities that could be introduced into our
communications networks. Of concern are foreign vendors that
integrate seemingly private companies with their military and
political institutions. There are also concerns about
counterfeit equipment and fraud.
In more recent months, there have been alarm bells going
off at all levels of Government about the potential threats to
our communications networks. As startling as these threats are,
some of the proposed solutions can, frankly, be even more
distressing. Mr. Lance talked about that, I think, when that
comment emerged from the White House about nationalizing the
system, I pointed out we are not Venezuela.
Before committees in Congress and different Federal
agencies launch solutions to this complex challenge without
proper coordination and investigation, I argue that we take a
more thorough and thoughtful approach. Any net assessment of a
serious challenge requires some fundamental questions be asked
at the outset. These would include: How significant is this
problem? Is it getting better or is it getting worse? What are
the potential solutions and potential unintended consequences?
And most importantly, in a resource constrained environment,
how do you prioritize the solutions?
In the second half of the 20th century, we faced similar
questions as our adversaries appeared to outpace us in
strategic areas. In response, the United States invested
heavily in research and development of cutting edge information
and communications technologies. It is estimated the Government
share of R&D at that time was two-thirds of the total U.S. R&D
investment, and this laid the groundwork for both U.S. military
superiority and unprecedented economic growth in America. But
today, the ratio of Government to private R&D investments is
completely reversed. Moreover, the barriers to entry in advanced
technology have been substantially reduced as costs have come
down, research has globalized, and formerly advanced
technologies are now readily available.
So our competitors are more sophisticated than before, and
some use their understanding of market dynamics to manipulate
the market in their favor. And we simply can't replicate 20th
century strategies for a 21st century economy. We have to be
very wary of protectionist policies. As the chairman pointed
out in her opening statement, the marketplace for technology is
global. Nor can we rely on Government-centric approaches to
simply spend our way out of this problem. Simply reacting to
our competitors in symmetric tit-for-tat responses is never a
winning strategy. If you are reacting, you are probably losing.
A better approach is to find and exploit the asymmetries
that benefit us, the core competencies that define our economy
and our society more broadly. This means development and early
adoption of next generation disruptive technologies and doing
that here. It means strengthening our private sector through
greater information sharing about threats. It means better
coordination among Government agencies so the private sector
knows where to go when they encounter vulnerabilities in
networks and not burdening them with redundant, conflicting
regulations or unnecessary costs. It means greater
dissemination of best practices and empowering the
inclusiveness and transparency of standard setting bodies. We
can either lead the world in these areas or we will have to
follow it.
Today's hearing is a very important step in leadership. I
appreciate the chairwoman's holding this hearing and her
leadership on all of these issues, and I look forward to the
testimony of our witnesses. I would tell you in advance we have
two hearings going on simultaneously, no surprise for this full
committee, so I will be coming and going, as will some other
Members, but we do appreciate your contribution to our better
understanding of the threats we face and the solutions that
make sense in a global competitive environment.
[The prepared statement of Mr. Walden follows:]
Prepared statement of Hon. Greg Walden
Thank you, Madame Chairman. I want to welcome our witnesses
to this hearing on ``Telecommunications, Global
Competitiveness, and National Security.''
These topics are not just timely, but ones which we have
long set aside partisan differences, as we counter national
security threats and empower our innovators to compete around
the world. As chairman of this subcommittee in 2013, I held a
hearing on this very same topic. These are challenges that
still vex us, as demonstrated by our Subcommittee on Digital
Commerce and Consumer Protection subcommittee's hearing on
CFIUS legislation just last month.
Discussion on these topics usually happens in a classified
setting, so there will be limits on our conversation today.
But, as I mentioned, the Energy and Commerce Committee has the
expertise on communications technology and a key oversight role
in this debate.
For years, concerns have been raised about the supply
chain, and potential vulnerabilities that may be introduced in
our networks. Of concern are foreign vendors that integrate
seemingly private companies with their military and political
institutions.
There are also concerns about counterfeit equipment and
fraud.
In more recent months, there have been alarm bells going
off at all levels of Government about the potential threats to
our communication networks.
As startling as these threats are, some of the proposed
solutions can be even more distressing.
Before committees in Congress, and different Federal
agencies, launch solutions to this complex challenge without
proper coordination and investigation, I argue that we take a
more thorough approach.
Any net assessment of a serious challenge requires some
fundamental questions be asked at the outset:
How significant is the problem?
Is it getting worse?
What are the potential solutions and potential unintended
consequences?
Most importantly, in a resource constrained environment,
how do you prioritize solutions?
In the second half of the twentieth century, we faced
similar questions as our adversaries appeared to out-pace us in
strategic areas.
In response, the United States invested heavily in the
research and development of cutting-edge information and
communications technology.
It's estimated the Government's share of R&D at that time
was two-thirds of total U.S. R&D investment. This laid the
ground work for both U.S. military superiority, and
unprecedented economic growth.
But today, the ratio of Government-to-private R&D
investment is completely reversed. Moreover, the barriers to
entry in advanced technology have been substantially reduced as
costs have come down, research is globalized, and formerly
advanced technologies are now readily available.
Our competitors are more sophisticated than before, and
some use their understanding of market dynamics to manipulate
the market in their favor.
We cannot simply replicate 20th century strategies for the
21st century economy, and we must be wary of protectionist
policies. As the chairman pointed out in her opening
statement--the marketplace for technology is global.
Nor can we rely on Government-centric approaches to simply
``spend'' our way out of this problem.
Simply reacting to our competitors in symmetric, tit-for-tat
responses is never a winning strategy.
If you are reacting, then you are losing.
A better approach is to find and exploit the asymmetries
that benefit us--the core competencies that define our economy,
and our society more broadly.
This means development and early adoption of the next
generation of disruptive technologies.
It means strengthening our private sector through greater
information sharing about threats.
It means better coordination among Government agencies, so
the private sector knows where to go when they encounter
vulnerabilities in networks, and not burdening them with
redundant, conflicting regulations or unnecessary costs.
It means greater dissemination of best practices and
empowering the inclusiveness and transparency of
standards-setting bodies.
We can either lead the world in these areas, or we can
follow it.
Today's hearing is a step in the direction of leadership,
and I look forward to the captains of industry in technology
and telecommunications heeding our call.
I thank the chairman for convening this hearing, and I look
forward to the testimony of the witnesses.
Mr. Walden. Madame Chair, I yield back the balance of my
time. With that, Madam Chair, unless any Members on the
Republican side want the remainder of my time, I would be happy
to yield back.
Mrs. Blackburn. The gentleman yields back.
Mr. Pallone, you are recognized for 5 minutes.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Madam Chairman.
American broadband providers spend tens of billions of
dollars every year to improve and extend our communications
networks. The return on this investment is that our networks
are fast, powerful, and global, but these benefits can be
turned against us in an instant if the networks are not also
secure. Every day, we hear about hackers cracking our systems
and stealing our data, but another risk lurking in our networks
may be even more dangerous: other nations quietly watching
everything that we do online.
Unfortunately, a vast majority of our network equipment is
now manufactured overseas by foreign companies. Most of this
equipment works well and causes no problems, but our
intelligence agencies have identified certain companies like
Huawei and ZTE from China as posing specific threats to our
national security. This equipment may have built in back doors
that allow other countries to vacuum up all of our data. Once
installed, these back doors can be nearly impossible to detect.
And these risks are so serious that it led the Trump
administration to float the idea of just building a federalized
wireless network. While this solution was widely panned, the
underlying threat that led to this proposal is real.
On the other hand, U.S. networks depend on equipment from
foreign companies as they race to build next generation
networks, like 5G wireless technologies. For many broadband
providers, less expensive Chinese equipment may be the only
option. And these issues are complex. But rather than crafting
a coherent plan forward, the Trump administration has made this
problem significantly more difficult.
With a tweet, the President muddled his own foreign policy,
if he even had one, after the Commerce Department announced
strong sanctions against ZTE for risking our national security.
This weekend, the President tweeted that he is now worried
these sanctions will cost jobs in China. And this makes
absolutely no sense, in my opinion. That is why we need to hold
more hearings like this one.
The public needs to hear more about the national security
risks at play, and Congress needs to spend more time
understanding potential options. The worst thing we can do is
to rush to act without evaluating unintended consequences and
whether certain proposals can even solve the problem.
But, unfortunately, some of our colleagues on the Armed
Services Committee are suggesting we do just that. A proposal
has been put forward as part of the National Defense
Authorization Act that would cut off access to a wide array of
network equipment without considering how to manage the risk to
Americans. Worse, these provisions in the bill have been
specifically crafted to circumvent our jurisdiction, and
maneuvers like this rarely result in good policy.
Rather than take rash action, Congress must carefully craft
a coherent plan subject to the rigors of regular order in the
committees of expertise like ours. Our plan should make our
networks both more robust and more secure. We are dealing with
a complicated relationship between the future of our
communications networks and national security, and these issues
should not be taken lightly. So I urge my colleagues to oppose
these efforts. We must find a proper balance that keeps our
country safe, while ensuring that every American has access to
powerful next generation broadband networks.
And finally today, Madam Chairman, I wanted to make a
bittersweet announcement. Unfortunately, David Goldman, our
chief counsel on this subcommittee, will be leaving at the end
of this month to pursue an opportunity in the private sector,
so this is actually his last hearing. He is over there on my
left. And I say this is bittersweet because over the last 3
years, David has been an invaluable part of our committee team.
He has provided us not only critical policy expertise, but also
strong strategic guidance that helped lead to the passage of
the bipartisan RAY BAUM's Act, for example, which included a
lot of important Democratic priorities, including the SANDy
Act.
And David, I think many of you know, has a long career of
public service, including time at the FCC and in the Senate,
God forbid, but, David, you will be missed, and we wish you
nothing but the best in your future endeavors. Thank you so
much. Thank you, David.
[The prepared statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
American broadband providers spend tens of billions of
dollars every year to improve and extend our communications
networks. The return on this investment is that our networks
are fast, powerful, and global. But these benefits can be
turned against us in an instant if the networks are not also
secure.
Every day we hear about hackers cracking our systems and
stealing our data. But another risk lurking in our networks may
be even more dangerous: other nations quietly watching
everything we do online.
Unfortunately, a vast majority of our network equipment is
now manufactured overseas by foreign companies. Most of this
equipment works well and causes no problems. But our
intelligence agencies have identified certain companies like
Huawei and ZTE from China as posing specific threats to our
national security.
This equipment may have built-in backdoors that allow other
countries to vacuum up all of our data. Once installed, these
backdoors can be nearly impossible to detect.
These risks are so serious that it led the Trump
administration to float the idea of just building a federalized
wireless network. While this solution was widely panned, the
underlying threat that led to this proposal is real.
On the other hand, U.S. networks depend on equipment from
foreign companies as they race to build next-generation
networks, like 5G wireless technology. For many broadband
providers, less expensive Chinese equipment may be the only
option.
These issues are complex. But rather than crafting a
coherent plan forward, the Trump administration has made this
problem significantly more difficult. With a tweet, the
President muddled his own foreign policy--if he had one. After
the Commerce Department announced strong sanctions against ZTE
for risking our national security, this weekend the President
tweeted that he is now worried these sanctions will cost jobs
in China. This makes absolutely no sense.
That's why we need to hold more hearings like this one. The
public needs to hear more about the national security risks at
play. And Congress needs to spend more time understanding
potential options. The worst thing we can do is to rush to act
without evaluating unintended consequences and whether certain
proposals can even solve the problem.
Unfortunately, some of our colleagues on the Armed Services
Committee are suggesting we do just that. A proposal has been
put forward as part of the National Defense Authorization Act
that would cut off access to a wide array of network equipment
without considering how to manage the risks to Americans.
Worse, these provisions in the bill have been specifically
crafted to circumvent our jurisdiction. Maneuvers like this
rarely result in good policy.
Rather than take rash action, Congress must carefully craft
a coherent plan subject to the rigors of regular order in the
committees of expertise like ours. Our plan should make our
networks both more robust and more secure. We are dealing with
a complicated relationship between the future of our
communications networks and national security. These issues
should not be taken lightly.
I urge my colleagues to oppose these efforts. We must find
a proper balance that keeps our country safe while still
ensuring that every American has access to powerful next-
generation broadband networks.
Finally today, a bittersweet announcement, David Goldman,
our chief counsel on this subcommittee, will be leaving at the
end of this month to pursue an opportunity in the private
sector. This is his last hearing. I say this is bittersweet
because, over the last 3 years, he's been an invaluable part of
the committee team. David has provided us not only critical
policy expertise but also strong strategic guidance that helped
lead to the passage of the bipartisan RAY BAUM Act, which
included a lot of important Democratic priorities, including
the SANDy Act. David has a long career of public service--
including time at the FCC and in the Senate.
David, you'll be missed, and we wish you nothing but the
best in your future endeavors.
Thank you, I yield back.
Mr. Pallone. I don't think anybody wants my time, so I will
yield back, Madam Chair.
Mrs. Blackburn. The gentleman yields back.
And we add our well wishes to those that we are sending to
David for a job well done and hope for the future.
At this time, this concludes our Member opening statements.
All Members are reminded that, pursuant to committee rules,
your statements will be made a part of the permanent record.
And to our witnesses, we welcome you. We appreciate that
you are here today. As you see, this is something that has
bipartisan concern and attention from our committee.
And for our panel for today's hearing: Dr. Charles Clancy,
director and professor at the Hume Center for National Security
and Technology at Virginia Tech; Ms. Samm Sacks, senior fellow
at the Technology Policy Program at CSIS; and Mr. Clete
Johnson, a partner at Wilkinson Barker Knauer.
You all are welcome. We appreciate that you are here today.
We are going to begin the testimony today with you, Dr.
Clancy. You are now recognized for 5 minutes for your
statement.
STATEMENT OF CHARLES CLANCY, PROFESSOR OF ELECTRICAL AND
COMPUTER ENGINEERING AND DIRECTOR, HUME CENTER FOR NATIONAL
SECURITY AND TECHNOLOGY, VIRGINIA TECH; SAMM SACKS, SENIOR
FELLOW, TECHNOLOGY POLICY PROGRAM, CENTER FOR STRATEGIC AND
INTERNATIONAL STUDIES; AND CLETE D. JOHNSON, PARTNER, WILKINSON
BARKER KNAUER, LLP
STATEMENT OF CHARLES CLANCY
Dr. Clancy. Thank you.
Chairman Blackburn, subcommittee members, my name is
Charles Clancy. I am a professor of electrical and computer
engineering at Virginia Tech. I am a recognized expert in
wireless security, have held various leadership roles within
international standards and technology organizations. And at
Virginia Tech, I lead a major university program focused on the
intersection of telecommunications, cybersecurity, and national
security.
Prior to joining Virginia Tech in 2010, I served as a
research leader in emerging mobile technologies at the National
Security Agency.
It is my distinct pleasure to address this committee again
on topics of critical national importance.
For the past 20 years, major forces have reshaped the
telecommunications industry here in the United States and
globally. Titans of the 20th century like Motorola and Lucent
have faded and given rise to innovators of the 21st century
like Apple and Cisco. These shifts have given birth to a global
marketplace, which in turn has resulted in a global supply
chain, a topic of interest in the hearing today.
Supply chains for telecommunications are complex, as has
been noted. They include development of intellectual property,
standards; fabrication of components and chips; assembly and
test of devices; development of software and firmware;
acquisition, installation, management of devices and
operational networks; and the data and services that operate
over those global networks. Competing in a global marketplace
drives where and how each portion of the supply chain is
executed.
An example I think that is pertinent is the modern supply
chain of the Apple iPhone. Over 700 individual suppliers from
30 countries provide equipment and components into the Apple
iPhone. It is one of the most sophisticated and complicated
supply chains of any consumer electronic device, while the
ultimate manufacturing happens in China where there are cameras
from Japan, displays from Korea, and computer processors from
Taiwan.
Only about 7 percent of the suppliers for the Apple iPhone
are U.S.-based companies, to include chip manufacturers like
Qualcomm and Intel, although their chips are actually
manufactured in Korea and Taiwan. I think of note is the fact
that much of the chip manufacturing industry is now offshore,
with two-thirds of that industry operating out of China and
Taiwan, and the United States only accounting for 8 percent.
Another interesting statistic to look at is standards. I
personally have observed the rise of Chinese participation in
standards bodies grow from almost nothing in 2005 to a
commanding presence by 2010. By 2023, if current trajectories
hold, Huawei will be the number one filer of intellectual
property and the number one author of international standards
within the Internet Engineering Task Force, outpacing Cisco in
the next few years, based on current trends.
They have accomplished this not by buying American
companies, but by buying American innovators with rigorous and
competitive bonus packages for those who compete in these
standards organizations. And this has happened completely--is
invisible to the CFIUS process because it doesn't involve
mergers and acquisitions.
So while several Chinese companies, as has been noted so
far, have clearly taken shortcuts from theft of intellectual
property to product sales to embargoed countries, China is
undeniably part of the supply chain. So as mentioned, it is a
complex ecosystem, and securing it requires, I think, a nuanced
approach.
So as we look at securing the supply chain, I think the
number one piece of advice is that really it needs to be an
approach based on risk management. The supply chain threat--the
cyber threat to the United States is real and tangible. Supply
chain operations are among the most pernicious and difficult to
detect. So a supply chain risk management approach that cuts
across different technologies, sectors, and components of the
supply chain I think is important.
One critical aspect of that is to look at the criticality
of individual components. The criticality of a cell phone, for
example, is very different than that of a core internet router.
And so the risk management approach that goes along with that,
I think, needs to reflect criticality of the component that is
being considered.
I think that the NIST cybersecurity framework provides a
great starting point for formulating such a strategy. It
represents a shift away from a compliance-based approach, such
as banning particular companies I think would be representative
of a compliance-based approach to solving the problem, and more
towards a risk management approach where the risks associated
with each component are quantified.
So recommendations moving forward. I think that we need a
thorough assessment of supply chains for critical
infrastructure. I think this needs to happen on a recurring
basis. And where there are gaps, those gaps need to be
identified and prioritized. Those priorities can then help
inform how we foster a competitive domestic industry to fill
those gaps in a way that those actions can be done in a
globally competitive way.
Thank you.
[The prepared statement of Dr. Clancy follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. The gentleman yields back.
Ms. Sacks, you are recognized.
STATEMENT OF SAMM SACKS
Ms. Sacks. Madam Chairman Blackburn, Ranking Member
Pallone, members of the committee, thank you for the
opportunity to testify today.
My testimony reflects my experience as an analyst of
Chinese technology policy for more than a decade. I have not
only worked with the U.S. Government, but also in the
commercial sector with leading multinational companies in
China. These complex structural challenges require a deep
understanding of the commercial and the national security
dimensions of our trade and investment relationship with China.
The Chinese leadership is in the midst of building the most
extensive governance system for information communications
technology of any in the world. This is part of President Xi
Jinping's vision of building China into what he has referred to
as a cyber superpower.
Today, I would like to discuss three implications for U.S.
ICT companies doing business with China. First, companies face
at least seven different kinds of security reviews of ICT
products and services. These are essentially black box reviews.
We have no idea what they will entail, in some cases, who will
conduct them. They can cover network products and services,
data that has to be exported, internet technologies. The list
is broad, and it gives the Government discretion to do as it
wants using these reviews as channels to review source code and
also delay or block market access.
Second, many U.S. companies in China assume that data
localization will be a reality of their operations in China,
despite these rules still being in draft. Data localization is
not only a market access barrier, but it is another tool for
the Government to gain visibility into networks and digital
information.
Third, U.S. companies face informal pressures in China,
even in the absence of specific regulation. This is
particularly the case in areas referred to as core
technologies where the Government has decided to double down on
reducing reliance on foreign suppliers. This could include
advanced semiconductors, certain kinds of software, the
hardware and algorithms behind artificial intelligence systems.
So in short, the aperture for ICT companies doing business
with China is rapidly closing. So what should be done?
We are correct to address areas where we have leverage with
Beijing. We have seen that Beijing does not respond absent of
external pressure. But the challenge is that U.S. and Chinese
technology development, supply chains, commercial markets are
tightly intertwined. Unilateral actions that isolate the United
States will undermine U.S. economic prosperity, our
technological leadership, and our capacity for innovation.
In confronting China, we must have a clear understanding
about the consequences of our actions and where there will be
costs to ourselves. I have three recommendations.
First, we should coordinate with allies and partners to
create multilateral pressure. We have seen this work in the
past. In 2009, a coalition of U.S., Japanese, European business
and policy leaders created pressure that convinced China to
suspend rules that would have required a type of surveillance
screening software on computers in China. Unilateral action
will compel China to retaliate against U.S. companies, leading
Beijing to double down on the very structural problems that we
are trying to address.
Second, we need channels to work with Chinese private
sector players whose interests in some cases actually are more
aligned with ours than some might think. Chinese companies need
to compete globally in commercial markets and are often
hindered by their own government.
Third, we must play offense by investing in our own R&D,
infrastructure, STEM education, and a capital market that
rewards investment. China will continue to invest in closing
the technology gap with the United States regardless of U.S.
actions, so we must be able to compete through our own
technological and economic leadership.
Thank you. I look forward to your questions.
[The prepared statement of Ms. Sacks follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. The gentlelady yields back.
Mr. Johnson, you are recognized for 5 minutes.
STATEMENT OF CLETE D. JOHNSON
Mr. Johnson. Thank you for the opportunity to share my
perspective with you on this critical, bipartisan issue. My
testimony today reflects lessons from my experience with supply
chain security issues, multiple Government-private sector
positions, including as a logistics officer in the U.S. Army
and as counsel for the Senate Intelligence Committee, the FCC,
and the Department of Commerce.
Now at Wilkinson Barker and Knauer, I advise clients
navigating this complex security and market environment,
particularly through partnership with the Federal Government.
My advice to clients also draws on these experiences, but the
views I express today are my own.
This committee well knows that the global supply chains for
hardware-software services that make up the world's internet
and communications technology ecosystem raise complex national
security, strategic, economic, business, and technological
concerns. The United States has long played the leading role in
advancing these world changing tech developments, and
addressing security concerns in a way that further advances
these innovations is absolutely crucial to maintaining that
U.S. leadership.
As we advance to a thoroughly connected 5G world, the
capability of bad actors to use these technologies and to
leverage their supply chains for IP theft, cyber espionage,
sabotage, and even warfare presents acute threats. These are
well-funded, purposeful, sophisticated nation-state
adversaries, spies, criminals, other malicious actors, and they
are working hard to find openings for their nefarious purposes.
And many such openings are there to be found.
The threats and vulnerabilities are real and they manifest
in different ways at all levels of the global supply chain,
beginning with the Chinese and Russian companies identified in
recent Government actions. The actions that Congress and the
administration have taken in recent months to address these
concerns constitute a significant and welcome intensification
of policy activity. We are at an inflection point on these
issues for good reason, and we need to do this right. The
issues are highly complex, as has been noted, and solutions
must take root in a global market in which rapid business
developments and the practical realities of the supply chain
challenge traditional boundaries and legal jurisdictions. The
challenges call for private sector leadership in close
collaborative engagement with Government partners through clear
and effective processes.
In recent months, there have been more than a dozen new
Government actions on these issues, and perhaps the most
important is the FCC proposal championed by Chairman Pai and
unanimously adopted last month to prevent Government funds from
purchasing technology or services from companies that pose a
national security threat to U.S. communications infrastructure.
This process will significantly advance this policy
discourse and can be a lever to move the whole Government and
the market in the right direction. The market needs clear,
practical guidance that derives from well-informed processes
with input from experts from throughout the Government as well
as from the private sector stakeholders who know the market
best.
Restrictions on the three companies identified in last
year's defense authorization act are really the easy step. The
more difficult questions have to do with how these policies
will be implemented, how they will be updated, possibly
expanded in the future.
So a few high level thoughts on the FCC proposal, which is
targeted to address supply chain security for networks
supported by public funds but has implications that are
precedent setting and potentially much more far reaching.
Identifying national security threats is a function of our
intelligence, law enforcement, defense, and homeland security
agencies, so as the FCC implements this rule, there will need
to be thorough coordination through the Government to ensure
that new requirements are fully aligned with national security
decisions by the administration and Congress and that they
derive from broader interagency policy processes or statutory
requirements.
DHS, as the sector-specific agency for the communications
and IT sectors, should coordinate these efforts with lots of
input from the Department of Commerce as well as input from the
Departments of State, Justice, Defense and, yes, the FCC. To
promote a collaborative partnership with industry, sensitive
private sector information should be formally protected under
the Protected Critical Infrastructure Information Act, which
prohibits disclosure of protected information under FOIA and
use in litigation or regulatory enforcement actions.
In short, the FCC's actions in the months and years ahead
should derive from and they should further advance processes
that are built on principles of industry leadership and
Government-industry partnership.
I look forward to further fleshing out these thoughts in
answers to your questions. Thank you.
[The prepared statement of Mr. Johnson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mrs. Blackburn. The gentleman yields back.
And we thank you all for your statements. I will begin the
questioning and recognize myself for 5 minutes.
Mr. Johnson, I want to come to you first. You talked about
in your testimony how complex this challenge is and the need
for collaboration, and I think we all agree with that. And we
appreciate your background and the holistic view that you bring
to looking at this and you know how and are familiar with the
legislation passed in 2015 and how that looks at a clear and
effective process for the public-private collaboration in the
cyber realm. But the law was not designed for threats to the
supply chain. And Ms. Sacks mentioned data transfer and things
of that nature in her testimony.
So let's look at and talk about a formalized process for
information sharing for the supply chain between the public and
the private sectors, and I would like to hear you weigh in on
that.
Mr. Johnson. Absolutely. And, Madam Chairman, you and your
colleagues on both sides of the aisle and both sides of this
Hill should be commended for the landmark legislation, the
Cyber Information Sharing Act. What it provided were paths and
legal clarity on the types of cyber threat information that can
be shared between industry and the Government, and Government
back to industry, and also between industry players, along with
privacy protections and other protections.
And what that--that was a landmark effort because it
created protections for that sharing that provide general
counsels and companies across the country certainty that if
they are engaging in this type of sharing, they are not--they
are actually helping their legal risk posture as opposed to
contributing to it or taking risk.
What it did is it focuses on tactical and operational
information sharing. It is basically sharing ones and zeros
digitally and by machines. So it is about the here and now
threat environment and what is happening on the network in this
instance. And it is about diagnostic type information.
What we need in this supply chain arena, and I mentioned
the protected critical--excuse me, Protected Critical
Infrastructure Information Act, and we will talk about that a
little bit more, what we need is more of an operational and
strategic. So as opposed to tactical and operational, you start
with operational, but it is also a strategic engagement between
private sector entities and the expert Government agencies
about candid assessments of what they are doing, what is
working, what is not working, and in the area of supply chain,
what they have, what they are seeing, what they are worried
about, and what the Government is worried about.
Mrs. Blackburn. OK. Let me ask you about that. We have done
a lot of work in this committee on rural broadband, and Ms.
Clarke and I have done a lot of work together on unserved
areas. Whether it is urban, as in her district, or rural, as in
my district. So when you look at that, how do you ensure that
supply chain information sharing is disseminated to those
smaller broadband providers, whether they be urban, as in her
district, or rural, as in mine? Because they really do lack the
staff and the sophistication to handle that.
Mr. Johnson. That is a great way to look at that question
because it speaks to what is the value to the company of this
engagement. Are they doing it as a service to the Government?
Are they taking extra time to do it? Or is it something that
adds value to their bottom line because it creates efficiencies
and an information environment that they need but they don't
have other ways to get?
So the best way to provide value to those low-margin rural
and urban smaller providers is to make it worth their while to
come in and talk to the Government about what they see, what
they have got, and how the Government can help them, including
by giving them clear guidance about it is not a good idea to go
in this direction.
Mrs. Blackburn. I thank you for that.
I have only got 30 seconds left. And, Ms. Sacks, I have
got, let's see, three questions that I wanted to come to you
on, but I tell you what I am going to do. I am going to submit
them for the record for you to answer back to us. Because I
appreciate your testimony and how you laid out what you think
the challenges are and then laid out the three steps, and I
wanted to drill down on that a little bit further, but I will
submit this.
I yield to Ms. Clarke 5 minutes for her questions.
Ms. Clarke. I thank you, Madam Chairwoman.
As American companies continue to work through preparations
for 5G, we often focus on domestic issues. And I think that
taking such a narrow approach can cause people to overlook the
issues with making foreign components so integral to our supply
chain. For instance, small businesses can often only get access
to foreign-made equipment, which is often less expensive. But
this equipment is also more likely to be subject to sanctions.
For all the steps the FCC is taking to eliminate deployment
regulations, it won't matter if providers can't get access to
equipment made by other manufacturers.
So, Mr. Johnson, just drilling down on the practical
applications, what does the landscape look like for small
businesses who use Huawei and ZTE equipment?
Mr. Johnson. It depends company by company. I think looking
across the country, there are a number of providers of the
various types of equipment and services that Huawei and ZTE
provide, and I think that will be the case regardless of their
status in the U.S. market. They have a relatively small share
of the U.S. market. I think in Huawei's case, I think their
U.S. revenue is less than 1 percent of their global revenue.
And in each of the areas that they lead various types of
equipment, various types of devices, various types of services,
there are robust competitors in each of those arenas, as well
as, you know, both in the case of global companies and also in
the case of smaller startups that are trying to break into the
market.
So the record that is being created at the FCC, this is one
of the reasons why this is such an important proceeding. For
the first time, on June 1, with all the comments due on that
proceeding, there will be a public record to answer this
question, what is the effect, and then there will be another
reply round. And I think we are going to get a lot of
information out of that that will help illuminate how this
affects individual companies and how it affects certain parts
of the market.
Ms. Clarke. So do you think that the domestic manufacturing
market is capable of filling those gaps left by Huawei and ZTE?
Mr. Johnson. I think that the--as Dr. Clancy mentioned, the
market has changed in pretty significant ways in recent years,
and it might be better to say it as opposed to domestic
manufacturing, there certainly is domestic manufacturing in
some areas, but it may be better to look at it as a trusted
supplier manufacturing, which can take--can span continents and
often does touch China. And the competition among trusted
suppliers is robust and dynamic, and I think that if there is a
small vacuum that is created by any prohibition or restriction
pertaining to Huawei or ZTE, that market will probably respond
to that pretty quickly.
Ms. Clarke. So to the panel, given that many small
businesses serving low-income communities rely heavily on ZTE
handsets, I am particularly concerned about the fallout of the
sanctions on Lifeline subscribers. What role can Congress play
in easing some of the burdens small businesses will encounter
in replacing ZTE handsets with secure alternatives? Any ideas
out there?
Dr. Clancy. I would say that we need to differentiate a
handset from a core internet router. There are very different
risks associated with that. The risks associated with a ZTE
handset, in my opinion, are much lower to national security
than, for example, having core internet routers or core
cellular network or 5G equipment from ZTE. So I think, in
particular, as you look at the NDAA language, the ability to
clarify the difference between core infrastructure and edge
devices is important and would help, I think, address your
concern.
Ms. Sacks. I would like to add to Dr. Clancy's comments
that we leave it to the security experts to differentiate among
the specific risks and design mitigation strategies around
that, particularly as Chairman Walden mentioned, we need to
prioritize resources accordingly. I think it is important that
the United States does not take a sweeping approach to banning
companies based on national origin, but instead, looks at the
specific threats posed by equipment. And policies need to also
take into account the fallout, the repercussions for U.S.
companies and the U.S. economy to those approaches.
Mr. Johnson. Ma'am, I would add to that that the threat
based on handsets and individual devices is narrower. It does
pertain potentially to the holder of that device, but probably
only to that person. And so there is an issue of if you are a
sensitive person, you probably want to be careful about what
device you hold. And I think as we move forward through this
process, we want to make sure that low-income people are not
the subject of lesser security than sensitive personnel
are.
Ms. Clarke. I yield back, Madam Chair. Thank you very much.
Mrs. Blackburn. The gentlelady yields back.
Mr. Latta, 5 minutes.
Mr. Latta. Well, thank you, Madam Chair. Thanks very much
for having this hearing today. It is very, very important.
I want to thank our panelists for being with us today,
because we have talked about this issue in many hearings and a
lot of outside discussions as to how critical this is.
And if I--Dr. Clancy, if I can start with you. In your
testimony, you talk about the risk management that comes down
to telecommunications companies need to consider. You say the
criticality of each component in their network and the entire
supply chain for each product, and you also say it is
financially impossible to eliminate that risk. And at the same
time, in your testimony, you talk about the over 700 suppliers
from 30 countries that provide components, and you are talking
about the Apple iPhone, with only 7 percent of that coming from
U.S. companies.
How do we give confidence to the consumers out there
through the companies that, you know, these products that they
are using are secure, when we see from your testimony at the
same time that, you know, it is impossible to eliminate all
that risk at that time?
Dr. Clancy. So my comments with respect to the iPhone were
merely to illustrate how complex supply chains are and how many
different parts of the world they touch, not necessarily
indicating that that particular supply chain posture is good or
bad. I think that from a consumer perspective, there needs to
be confidence that the products and services that they are
using meet their security thresholds. I think you also need to
consider the motivations of hackers and adversaries.
The specific comment about being financially infeasible
to eliminate all risk, any determined adversary with enough
time and resources is going to be able to penetrate a target
network. So as you look at a risk management approach, you need
to be able to identify what the most sensitive parts of your
network are, be able to fortify those as much as possible
against those risks, whether it be a supply chain risk or it be
an active cyber attack risk, and then make sure you are
prioritizing those investments based on the criticality of the
individual components.
So I think that would be--again, my view, again, supply
chain risk management looking at criticality of the devices,
how the devices are used in the network, and the supply chains
associated with each one I think is really, I think, the best
strategy.
Mr. Latta. Let me follow up with another question to you.
As the FCC, Congress, and other Federal agencies look at ways
to prevent public funds from supporting suppliers that pose a
threat to national security, who should be making the
determinations as to which suppliers pose a real threat?
Dr. Clancy. So that is an excellent question. Obviously, we
have seen either regulatory or legislative approaches to
selecting those companies. I think that that process is, I
think, perishable, and there needs to be a more modular way of
identifying risks in the supply chain. While companies like
Huawei, ZTE, and Kaspersky as well may represent specific
examples of supply chain risk, there are many component vendors
as well that may present supply chain risk, depending on the
type of equipment they are being integrated into.
So I think there needs to be a role within the Federal
Government for assessing and understanding the entire supply
chain and assessing the risk of specific vendors in that supply
chain. And then, as the chairwoman and Mr. Chairman mentioned,
was the ability for that information to be shared with industry
as they look to construct and manage the risk associated with
their supply chain.
Mr. Latta. One more question, and I am not picking on you
here. Is there sufficient competition in the vendor markets to
even allow a telecommunications provider to have realistic
options to purchase economical and secure equipment?
Dr. Clancy. I believe so. I think that, as was pointed out,
the Huawei market share and ZTE market share, for example, is
very small, and there are a number of other vendors of similar
price point equipment that could be selected as an alternative.
I think that we may need investment in U.S. industry, identify
where the gaps are in U.S. supply chain in particularly
critically important aspects in order to foster domestic
competitiveness on a global market in order to expand options.
Mr. Latta. Let me ask, how do we foster that to get that
more competitiveness than in the U.S. market?
Dr. Clancy. So depending on precisely where the risk is,
you could look at research and development investments, you
could look at economic investments to try and bolster
particular industries. Let's say, for example, there was an
effort to--there was a determination that the fact that we have
all of the chip manufacturing is happening offshore, right, I
think that could be an area where if you want to foster a chip
fabrication industry in the United States, there are a wide
range of incentives that you can put together to try and
accomplish that. Now, whether or not that makes economic sense,
I don't know, but I think there are levers there.
Mr. Latta. Thank you. Madam Chair, my time has expired, and
I yield back.
Mrs. Blackburn. Mr. Pallone, you are recognized for 5
minutes.
Mr. Pallone. Thank you, Madam Chairman.
The threats to our network supply chain pose a serious
national security risk, and I don't think forcing through
provisions as part of the National Defense Authorization Act is
the best process. So I ask Chairman Walden and Chairman
Blackburn and the rest of my colleagues on our committee to
work together to pursue thoughtful legislation. Because these
security risks pose an urgent threat, I hope we can work
together to quickly pass a bipartisan proposal. My questions
will therefore focus on how to craft the right policies for our
country.
Mr. Johnson, in your written testimony, you suggest using
the interagency process to reach a better informed result, and
some may believe that an interagency process is too slow,
however, to deal with the immediacy of this threat. So let me
start with Mr. Johnson. If Congress were to pass legislation
setting out an interagency process to address supply chain
risks, what is the fastest you think the executive branch could
act to protect our supply chain? Is 180 days possible, for
example?
Mr. Johnson. Congressman, I think the executive branch is
already taking steps in that direction, and also already has
models for interagency collaboration, particularly through a
partnership of the Department of Homeland Security and Commerce
leading this botnet reduction initiative under the executive
order, for instance. So I think the muscle memory is there, and
with apologies to former overworked colleagues in the executive
branch, I think some pretty big steps could be taken in 180
days. And the only thing I would add is that it would need to
continue on day 181 and beyond. So this process will never be
finished. Kind of like the NIST framework, it will always be
being improved.
Mr. Pallone. Well, thank you. I said that I was concerned
that the proposals being considered as part of the National
Defense Authorization Act are static and would not evolve with
the changing threats to our supply chain. A solution that only
addresses the risks we face today I think could simply give
foreign actors a blueprint for avoiding our protections for
tomorrow.
So again, Mr. Johnson, if we are actually going to create
lasting protections for our supply chain, how should we craft
laws so they can respond to new and emerging threats?
Mr. Johnson. I think the answer to that is that continuous
process, and it should include those two departments that I
have mentioned. It should include the FCC, as well as possibly
other regulatory agencies, as well as State, Justice, FBI,
Defense, potentially other agencies. And crucially it should
include the opportunity for private sector entities who know
the market best and know the corners that the Government
doesn't necessarily see. It should provide opportunities for
them to come in in a candid, collaborative way, say here is what
we are seeing, here is what I am picking up, and here is what my
concerns are, and here is what the market bears. All of that is
relevant to this.
And as Dr. Clancy and Ms. Sacks noted, distinguishing
between different components and parts of this market is
crucial and complex, and you really can't do that without this
holistic look of all the elements of Government and relevant
players in the private sector.
Mr. Pallone. All right. Thanks. And my last question, which
I can get--any of you could answer, is I believe, as I said,
the committee should work together to produce informed and
well-reasoned bipartisan legislation to secure our supply
chain. So with that in mind, could each of you tell me what you
believe is the one thing we should include in a bill to protect
our critical networks? And we have only got a minute and a
half, but let me start with Dr. Clancy and we will go down.
Dr. Clancy. I think this--just generally, this notion of
not--any focus on specific companies will have perishable
impact, so there needs to be a modular approach to identifying
what particular components of the supply chain are of the most
risk.
Mr. Pallone. Ms. Sacks. Thank you.
Ms. Sacks. We need to be careful not to replicate the China
model in terms of picking winners and losers and using a
state-led approach that doesn't enable the industry and investment to
do as it should. So we have an opportunity for technological
leadership by enabling R&D, enabling more STEM education in a
way that shows a U.S. versus a state capitalist model in
technological development.
Mr. Pallone. Thank you. Thirty seconds. Mr. Johnson, 30
seconds left.
Mr. Johnson. I agree that the private sector perspective is
crucial to not be eclipsed by the Government perspective. And
so I think clarity in the process in making clear what the--who
is in the lead, who is putting in what inputs from the
interagency so that private sector companies can navigate that
is crucial, as well as legal mechanisms that allow them to feel
protected in candid collaboration with the Government.
Mr. Pallone. Thank you. I yield back, Madam Chair.
Mrs. Blackburn. The gentleman yields back.
Mr. Johnson, you are recognized.
Mr. Johnson of Ohio. Thank you, Madam Chair.
I would like to--Mr. Pallone, most Johnsons can't even say
their name within 30 seconds. He did a really good job of
staying in that timeframe there. So thank you.
Dr. Clancy, you know, some of the more concerning threats
arise from the ongoing access that vendors have. What is the
scope of this access? Are the threats limited to software or
firmware updates, or could the ability of a technician to
replace and repair parts also introduce risks?
Dr. Clancy. So as you look at many of these vendors'
networks, Huawei would be a good example, they have deployed
telecommunications infrastructure globally, core switches and
routers throughout many countries all over the globe. And as
was mentioned, that market share here in the U.S. is fairly
small. Part of that involves a service agreement where the
operator has reach back in order to get service and support
that they need as part of that purchase of equipment. So
whether it is these devices doing software updates and getting
new firmware loaded or its vendors who are working under a
support contract are able to log in and access those systems,
both of those represent operational security risks associated
with use of that equipment in the environment.
Mr. Johnson of Ohio. Well, using a risk management
approach, how would a smaller rural provider that relies on
these kinds of services manage these kinds of threats?
Dr. Clancy. That is a great question. I think that the--I
think the NDAA language suggests that in certain situations if
the equipment is used, that any remote access be blocked. That
also has challenges because if you are now blocking software
updates, you may be blocking the ability to address
vulnerabilities in the product that anyone could take advantage
of, not just the vendor.
So I think, again, if you are looking at what equipment
should be deployed in a small rural internet service provider,
I think that I would steer away from those that would have
risks, such as the companies that have been identified. But
that list should not be static, and there needs to be a way to
continually provide industry with best practices about what
products to use, which products potentially to avoid, and the
risks associated with that.
Mr. Johnson of Ohio. I guess it raises another question
what the alternatives might be. I am a software engineer by
trade. I spent 30-plus years developing and implementing
software both within the Government and without. And, I mean,
the way we used to do it, there used to be a third-party
organization, a black hat organization if you will, that tested
everything and had the security and access and the security
privileges to be able to do that. The providers themselves, the
vendors themselves weren't allowed to put their hands on the
operational system. What alternatives do you see for the
situation?
Dr. Clancy. So I think there has been a fundamental shift
in the market in the last probably decade towards managed
services. With the growth of the cloud and everything as a
service, people want telecom equipment as a service, and who
better to provide that service than the vendor of that
equipment.
I think it might be very interesting for a managed service
ecosystem to grow here in the United States that could be a
third party to provision and manage those devices on behalf of
some of the smaller operators. I don't know the extent to which
that industry is mature right now because the vendors, for the
most part, are providing that as a benefit of buying their
products.
Mr. Johnson of Ohio. Well, thank you.
Mr. Johnson, DHS recently announced that they are kicking
off two investigations into the security of our Nation's
telecommunications supply chain, both from a general
perspective and with regard to specific vulnerabilities. Can
you think of anything else that DHS, FCC, or other Federal
agencies can examine to better address the holistic set of
threats that our telecommunications infrastructure faces?
Mr. Johnson. Yes, sir. And I think that that initiative----
Mr. Johnson of Ohio. You have got 30 seconds.
Mr. Johnson. I will do it quickly again. I am from Georgia,
but I will try to talk fast.
That particular initiative that has just kicked off I think
can be the beginning and the foundation of the broader
interagency and public-private look at these issues and inquiry
that we need to have. The FCC process that is going on will
conclude a comment period on July 2, will add a lot of value to
that, and there are some other processes going along, and I
think the importance is to integrate all of that learning into
a navigable set of processes.
Mr. Johnson of Ohio. OK. Well, thank you. Madam Chair, my
time has expired. I yield back.
Mrs. Blackburn. The gentleman yields back.
Mr. Loebsack, 5 minutes.
Mr. Loebsack. Thank you, Madam Chair.
This has been absolutely fascinating. Very complex stuff,
very difficult for the average person. A lot of--and those of
us up here on the dais who deal with these issues, very
difficult to deal with on a day-to-day basis and to understand
the issues. I am going to have a couple of questions in just a
second having to do with that, but I do appreciate the
different approaches that have been taken here.
You know, the more technical issues, not to call you a
Pollyanna or something, Mr. Johnson, but this whole idea of
interagency cooperation sounds really great. I don't know how
likely it is that we are going to be very successful in that
front, but I think it is great. Keep pushing that as hard as
you possibly can, that what good Government is all about often
is the agencies trying to cooperate with one another, even if
it doesn't happen very often.
And, Ms. Sacks, I appreciate your comments about policy. I
don't think any of us wants to be, you know, a mercantilistic
nation either, the way China and a number of others are, but at
the same time, for security reasons, we have to be very
careful. We have to have industries in America that build these
components, that are part of the supply chain, and it has got
to be, I think, much more than it is at the moment.
We are still going to have national security concerns,
there is no doubt about that. But the whole idea of risk
management makes a lot of sense but, you know, how we are going
to be able to identify all these different companies and all
the different components and all the rest to go through that,
it is going to be a huge challenge, there's no doubt about it.
To me, I just--for me, I just want to know what my
constituents can do on a day-to-day basis to deal with all
this. Because very few of them are watching this, if we are
being covered on any of the C-SPAN channels. And even if they
are, it is hard for them to decipher all of the information
that we are hearing today.
You know, average folks out there, they have got something
in their pocket that they have to worry about when it comes to
cybersecurity. And all the information that they have, they
have stored and that is available to the bad guys out there. I
do----
Before I ask you this, sir, what they ought to do, I do
want to say this one more thing, and that is, I was on the
Armed Services Committee for 8 years, so--and dealt a lot with
sort of how we stay ahead of the bad guys in other countries.
And this kind of reminds me of dealing with folks who were
working on IEDs on a regular basis, trying to stay ahead of the
game. That is what they are trying to do is stay ahead of the
bad guys so that they didn't hurt our soldiers, our troops in
the field. This is kind of the same sort of thing, how do we
stay ahead of the game? You know, because there are a lot of
bad guys out there trying to do terrible things to our country
when it comes to cybersecurity.
But to bring it down to the level of my constituents, what
can these folks do right now who have a concern about this
issue, someone who has got an iPhone in their pocket or
whatever? What would you recommend that they do today to try to
deal with this situation? All of you, please.
Dr. Clancy. Sir, my perspective is you have to look at the
risks that they face. For the most part, the average citizen is
facing a criminal, an aspect of organized crime looking to
steal their credit card number's identity. They are probably
not the target of advanced persistent threats developed by
nation-state actors or complex supply chain operations against
their personal electronic devices.
Mr. Loebsack. Although they may be collateral damage from
that.
Dr. Clancy. They could be, but you have to then look at how
those actors would take advantage of that information. So best
advice for the average citizen is really to focus on cyber
hygiene. The biggest risk to their security is clicking that
link in an email that takes them to a Web site where they type
in their credit card number. So basic education and cyber
hygiene is, I think, the most important thing that the average
citizen can do in this space.
Mr. Loebsack. Ms. Sacks, I know you deal with the macro
policy issues, but----
Ms. Sacks. I agree with Dr. Clancy's remarks. I defer to
the security experts on this.
Mr. Loebsack. Thank you.
And, Mr. Johnson.
Mr. Johnson. And I think simple awareness is a very big
first step, whether it is online activity or purchasing
devices. Asking the question of whether I am doing this in a
secure way actually will usually lead you to the right secure
step.
Mr. Loebsack. Where can they find information to help
educate them about this? Where can they go?
Mr. Johnson. There are a number of resources through the
Government, through NIST publications, NTIA, FTC, FCC, DHS. And
I think we are at a point now, and this is where the imperative
of a coordinated, integrated Government operation is so
important, because consumers need to know where do I look. They
shouldn't have to look in a variety of different places.
Mr. Loebsack. I think it is our job too as Members of
Congress to get that information out to our constituents as
well. So thanks to all of you. My time is up. I appreciate it.
And I yield back. Thank you, Madam Chair.
Mrs. Blackburn. Mr. Kinzinger, you are recognized.
Mr. Kinzinger. Thank you, Madam Chair, for this important
hearing, and thank you all for being here. I think it is an
important nexus between national security and E&C that,
unfortunately, I don't think a lot of people see. So I
appreciate it.
Dr. Clancy, I appreciate your service at the NSA. I fly for
the Air National Guard. I do mostly ISR missions, so you can
make that link there. I have become concerned recently about
these reports of Stingrays and cell-site simulators popping up
around Washington, DC, which has made it into the open source.
Are you aware of reports that DHS has detected the presence of
these devices in the greater DC area?
Dr. Clancy. I certainly have seen the volley of letters
back and forth between Congress and the FCC on the topic. There
have been a number of academic studies as well that have
identified the likely presence of such devices in the area as
well.
Mr. Kinzinger. So DHS has confirmed that they have detected
their presence, but they said they can't physically locate the
Stingrays. We have consulted with industry to figure out, you
know, what industry can do to help.
In the initial meeting, they told us they had met with the
National Protection and Programs Directorate on the matter and
they confirmed their awareness of Stingrays, but NPPD doesn't
seem to know everything they need to know to actually do
something about them. While protecting, of course, sources and
methods, do you think they are obligated to share some of this
intelligence with industry under the Cybersecurity Act of 2015?
Dr. Clancy. I think that there are a variety of ways to
detect Stingrays. I think--and I am using Stingrays as a
generic term to reflect NG capture technology in general. I
think that 5G standards have introduced new portions within the
standards that will allow carriers to be able to detect the
presence of rogue base stations. And I think we are all
excited about that capability as a way for sort of a
network-centric approach to addressing that problem.
I think that there are a lot of sensitivities around the
technology, given its origins, and that has made it difficult
for effective information sharing between people that might
seek to police this activity and those that are technical
experts on the underlying technology, although I am not in a
position to, I guess, have an opinion about whether the
Cybersecurity Information Sharing Act is the appropriate form
for that information exchange.
Mr. Kinzinger. And my concern is, you know, not from a
certain use perspective, but from, you know, this idea that
there may be intelligence agencies in the United States or in
DC specifically, which we have read about in open source, that
are actually doing this. And that is a big concern, because I
would think if in fact there are foreign intelligence agencies
using this technology, that should be a high priority for us in
terms of determining that.
Like you, I understand, you know, the sensitivity of
talking about it, because, you know, it is what it is. We have
reached out for more information, so we will follow through on
that.
To Mr. Johnson, the House Armed Services Committee marked
up the fiscal year 2019 National Defense Authorization Act. It
included a blanket ban on Huawei and ZTE equipment by
Government agencies. I was very surprised and, frankly,
concerned by the President's comments recently, in fact,
showing somehow a loosening up of that concern with ZTE. And I
hope they were comments that were misinterpreted or at least
there is some other thought given to that, because national
security is my top priority in Congress. In a perfect world, I
would like to see a strong security posture on this front with
zero industry impact, but I feel like that is fairly
unrealistic.
Is there a way to achieve a strong national security
posture, including removal of corrupted equipment, with a
relatively low impact on industry? And could any impact be
distributed over the long term to minimize industry compliance
costs?
Mr. Johnson. I do--I think so. And I think the way to do
this is sort of there are three issues that are key to keep in
mind. One is these issues are very, very complex and they touch
a number of different areas. And so it is very important to get
this right and that we use precise instruments instead of blunt
instruments where possible.
Two is that three companies have been identified in statute
and in other Government actions--one Russian company and two
Chinese companies--and they have been identified for a number
of reasons that we could just--the number of public reasons and
a number of reasons that we could discuss in a SCIF. And the
FCC proposal on these issues is going to be an important
beginning in fleshing this out.
The third thing is that we need a process that I would say
is much like how after World War II the Goldwater-Nichols Act
brought together all the different services and created a joint
interoperable military, and is something I know you can
appreciate. And that type of approach, it is very difficult to
do. In the case of the military, it took a long time. We need
that type of effort for not only the Federal interagency, not
only the Federal interagency and the independent regulatory
agencies, but also the Government and the private sector. It is
going to take a long time, but we are a lot further along than
we were I would say 10 years ago when we first started looking
at these issues and literally none of the players knew what the
other ones were doing or how to do it.
So we need to get to the point where we can act quickly and
deliberately and know that we are taking sure-footed steps that
consider all the holistic elements.
Mr. Kinzinger. Thank you all for being here.
And I thank the Chair for her latitude. I yield back.
Mrs. Blackburn. Absolutely.
Ms. Eshoo, you are recognized for 5 minutes.
Ms. Eshoo. Thank you, Madam Chairwoman, for having this
important hearing. And thank you to the witnesses for your
testimony.
This is an issue that I go way back on. I was a member of
the House Intelligence Committee for almost a decade, and the
issue of Huawei and the challenges that it represented I took
very, very seriously. And as a matter of fact, when I was
leaving the committee, and Mike Rogers, a former colleague and
then chairman of HPSCI, I made him swear on a stack of Bibles
that he would pick up the baton and keep going on this. Why?
Because when our country was attacked on September 11, there
was one thing that we had that worked and aided us in our
national security, and that was our telecommunications sector.
That is where the gold was.
And, you know, for us to be examining this now is very
important, but we are not starting from scratch. It is a
completely different picture now in terms of sophistication in
our systems, what is manufactured, what companies know, what
other companies have, what they do, how effective they are, who
they buy from. And so I think that the Congress has the tools
to make a very strong decision. Mr. Kinzinger said that he
takes national security as his top issue. It is the top
responsibility for every single Member of Congress. We take our
oath of office to protect and defend, enemies external or
internal. So we cannot afford, the United States of America
cannot afford to play footsie with these companies. They
represent a direct challenge to our national security.
So what I want to ask you is, have any of you done an
analysis of the costs of whatever it takes in terms of the--you
know, a trusted supply chain so that we can make the shift and
we don't have to bother or be bothered with ZTE or Huawei or
anyone else that presents themselves down the road? Whomever
wants to answer. Has there been any kind of cost analysis of
this?
Ms. Sacks. I say this having worked in the national
security and the Department of Defense community, there has not
been public information released about the specific problems
associated with Huawei and ZTE. I am not saying they don't
exist, but in order to conduct exactly that kind of assessment,
to do the kind of----
Ms. Eshoo. But we know--let me interrupt you just a second.
Ms. Sacks [continuing]. Needs to have public information,
it cannot be classified----
Ms. Eshoo. Just a second. I know from classified briefings
what the challenges are. I am not asking you to tell me about
that. I already know that. The challenge is, we want to have a
system where we are not reliant on them for anything, for
anything. And I think in different ways, you all have maybe
touched on it or gone around it. So would you like to say
something on this?
Mr. Johnson. Yes, ma'am. I think we need to urgently start
that process. And all the pieces are in place now, we know a
lot more about what needs to be done.
Ms. Eshoo. So there has not been this examination, as far
as you know?
Mr. Johnson. I think we are behind in doing that analysis,
but these processes that are underway right now are--will flesh
this information out. But, no, I think we don't know enough
about--we need a record on this. And that is what is so
valuable about this FCC process. It is focusing on one element
of the problem, but it is the very first public record that
will exist on this issue.
Ms. Eshoo. I thank you.
Madam Chairwoman, I think that our committee needs to do a
letter to the administration. I am not saying this to be
political. This is a national security issue, and Republicans
and Democrats have taken, both at this committee, at the House
Intelligence Committee, for years have weighed in relative to
these companies and the national security threat. I don't know
what is happening. I think that the Secretary of Commerce
certainly did the right thing. We should do this on a
bipartisan basis. I don't know what is taking the President in
whatever direction. I am not going to make any political hits
on it. Overall, it is wrong and it is dangerous for us. And I
think that the Congress, coequal branch of Government, should
weigh in with the administration formally and say, ``This is
not the way to go.''
So I would just request that and have you consider it. I
think there would be support from this side of the aisle, and I
think there would be from yours, as well.
So I want to thank the witnesses and for your patience. I
have gone over my time. Thank you for your testimony on this
most important topic.
Mrs. Blackburn. The gentlelady yields back. And I look
forward to discussing with her how we can continue to work in a
bipartisan manner on this.
Mr. Bilirakis, you are recognized for 5 minutes.
Mr. Bilirakis. Thank you. Thank you, Madam Chair. I
appreciate it very much.
Dr. Clancy, one of your recommendations to strengthen the
supply chain is a collaboration between industry and Government
to identify at-risk products. That information can then be
shared with developers and suppliers. The Department of Defense
uses a software process standard called common criteria in
which software is penetration tested for vulnerabilities and
then assigned a certification grade. The FAA has a similar
process for its flight control systems.
I recently met with a software company with a cybersecurity
research facility in my district. The company suggested a
similar process at risk management--of risk management for
medical devices and other sensitive IoT devices. The results
could be used to identify and mitigate security threats.
Interestingly, because it is a process and not a regulatory
standard, it can evolve with new technologies and threats.
So, Dr. Clancy, is this something that aligns with your
thoughts on Government collaboration? And can you expand on any
other ideas you have for Government participation in this space
that does not involve quickly outdated standards?
Dr. Clancy. Certainly. I think the common criteria is a
great example of a framework that looks at cybersecurity risks,
specifically with software as you point out. There are--I think
you could more broadly look at the NIST cybersecurity framework
as capturing kind of a superset of those objectives. I don't
know that any of them are necessarily well suited or have been
applied in the supply chain space yet. I think that is
something that is a study that would need to be undertaken.
I think in terms of managing and governing that process, I
think the interagency approach that Mr. Johnson proposed is a
great starting point for that. The knowledge of the threat is
distributed across many different Government agencies. And I
think they would need to come together in order to bring
together that complete picture in order to collaborate with
industry effectively.
Mr. Bilirakis. Thank you.
Mr. Johnson and Dr. Clancy, this question is for both of
you. There may be times where specific telecom suppliers raise
truly serious concerns which warrant action, but we cannot
avoid the reality of today's global supply chain. Where do we
stand if we cannot adequately respond to threats that arise out
of such a global supply chain? We will go with Mr. Johnson
first, please.
Mr. Johnson. I understand your question is, given the
interconnected complex nature of the global supply chain, how
do we identify particular threats?
Mr. Bilirakis. Yes.
Mr. Johnson. I think just borrowing on some of my fellow
witnesses' testimony, taking a risk management approach is
crucial, as is clear guidance to the market about where the
risks are, and that could include individual companies, it
could include individual products of individual companies, or
it could include other things that we haven't identified yet. And I
think the most important thing is to look at this through--not
through a stovepipe of a certain agency or a certain industry
sector, but holistically through the entire market in all its
complexity, and clearly provide private sector advice or
guidance about where the risks are. And this process needs to
include their take on it, where do they see the risk and where
do they see--what do they see as how to do supply chain risk
management and trust its suppliers, and then create the
positive feedback loop that continues to inform the market
about what is good and what is trusted and what is not.
Mr. Bilirakis. Dr. Clancy, please.
Dr. Clancy. As I pointed out in my testimony, I think it is
going to be impossible to eliminate all risk from the supply
chain. It is too global and there is too many different ways
that every product touches that global supply chain. So, again,
risk management is critical. You have to pick the areas where
there is the most risk in terms of bad actor behavior and the
areas where there is the most criticality in terms of our
critical infrastructure and start there and then work your way
down.
Mr. Bilirakis. Thank you. Very good.
I yield back, Madam Chair. I appreciate it.
Mrs. Blackburn. Mrs. Dingell, you are recognized.
Mrs. Dingell. Thank you, Madam Chairman.
Much of the confusion surrounding this issue relates to the
simple truth that we don't know the full scope of the problem.
And although it is helpful to hear different ideas for
mitigating risk across networks, I believe it is difficult to
create effective policy without knowing what we are up against.
It is difficult to change, or in this case, protect what you
can't measure.
These questions are all going to be for Mr. Johnson.
Mr. Johnson, you say in your testimony that you advise
companies trying to navigate these threats. Can you tell us,
generally, whether companies in the private sector are
beginning to take some sort of inventory of the risks that they
are facing?
Mr. Johnson. I do think--and I have worked with a number of
the companies in this sector speaking broadly throughout in the
communication sector device, cloud, and internet
infrastructure. For about a dozen years in, I don't know if I
can't hold a job, but I think this is now my fifth different
job that I have worked with a number of these companies in both
in Government and now in private practice. And I can say two
things: Number one, it is core to their business to--to their
business imperatives as a bottom line institution to advance
supply chain security.
And number two, we as a collective Government and industry
partnership have advanced pretty significantly in those dozen
years in terms of situational awareness. We are not where we
need to be, and I don't think any individual company or any
individual agency is, but we have come a long way and the
trajectory is where it needs--is headed in the right direction.
And I think now we just need to step on the gas with some
urgency to fill out the data that we don't have.
Mrs. Dingell. So are there models for conducting this sort
of dynamic threat assessment that stakeholders should be
looking to?
Mr. Johnson. I mentioned this briefly earlier. There is a
model in the last year that has--of a process that has just
been completed that I really think is a model of cybersecurity
policymaking. It was conducted under the executive order to
reduce botnets and other distributed automated threats. It was
led by the Commerce Department and the Department of Homeland
Security, but included input from a whole host of other
agencies and the FTC and the FCC and most crucially was driven
by private sector input.
So the companies that are out on the front lines were
helping drive this process that was convened by the Government.
And I think that model, it was very robust, it was very busy,
there was lots of activity, there were lots of threads that
were being followed, but it was navigable and it was clear. And
I think that type of model could be replicated on the supply
chain side, along with legal mechanisms to ensure the
confidentiality of sensitive data that is exchanged.
Mrs. Dingell. So on the Government side, how could Federal
agencies best situate themselves to be effective partners for
the private sector? Do you think that the FCC, the Department
of Homeland Security, Commerce, each have a role to play?
Mr. Johnson. I do. I think they and as well as a number of
others do. In the case of these issues, I think the Department
of Homeland Security is the sector-specific agency for the
communications sector and the IT sector so they can--they
should probably--and they also administer the statutory
protections for protecting confidentiality. I think they can
sort of be the lead cat herder in the interagency and in
convening this process, but certainly the Department of
Commerce, both through NIST and NTIA, and the International
Trade Administration and the Bureau of Industry and Security,
have very important perspectives to add, as does the
intelligence community, Department of Defense, and other
regulatory agencies.
Mrs. Dingell. So, finally, what should the Federal
Government be doing to incentivize research here at home so
that many of these emerging technologies are built here and
developed here?
Mr. Johnson. I think really the--that is a--that is maybe
the most difficult question of all, because we don't--here we
don't do State-directed, industrial policy like China does, and
I don't think we want to do that. But we also want to send a
very clear message to the market that the future is secure. The
future of the market needs to be trusted suppliers and secure
products and services.
And I think that maybe the biggest benefit of these
processes that are taking place right now is it sends a pretty
clear message that security is--needs to be the future of the
market. And if you build it secure, you are going to benefit in
the market.
Mrs. Dingell. Thank you, Madam Chair.
Mrs. Blackburn. The gentlelady yields back.
Mr. Lance, you are recognized.
Mr. Lance. Thank you, Chairman. To the entire panel,
ensuring a secure supply chain is a priority for all of us, but
the real question, from my perspective, is how do we as
policymakers, and we certainly don't have your expertise,
ensure that we get it right and avoid unintended consequences?
For instance, we saw the Department of Commerce crack down
on ZTE and rightfully so for violating sanctions in Iran and
North Korea, and it is essentially an arm of Chinese
intelligence. However, Commerce's penalties against ZTE also
meant companies are not sending security updates to those
phones. While we are trying to protect ourselves, we are also
potentially leaving ourselves vulnerable.
In your judgment, the expertise of the panel, how do we
strike a balance and protect ourselves from bad actors like ZTE
without opening up other security gaps? I will start with you,
Dr. Clancy.
Dr. Clancy. So I think your example around software updates
is a great one. If we look at--again, if we look at the problem
holistically and you seek to manage cyber risk for an entire
industry, that includes both the selection of equipment and the
configuration, provisioning, and management of that equipment.
So, for example, you can trade off whether or not the relative
risk associated with a low-cost component that is--perhaps has
its software update patch path blocked because of some of these
requirements, and compare that to potentially a more expensive
piece of equipment that doesn't have that.
So, again, if you are looking at the overall risk
management, I think you would be able to make those trades and
be able to make the best decision for overall security of, in
this case, telecommunications critical infrastructure sector.
Mr. Lance. Thank you.
Ms. Sacks.
Ms. Sacks. I agree with Dr. Clancy. I think this needs to
be a risk-based approach that is granular, that looks at
specific equipment and components going into systems not just
for companies of certain countries, but for all equipment
providers.
Mr. Lance. Thank you.
Mr. Johnson.
Mr. Johnson. Yes, sir. I think we need to find maybe not
the balance, but the combination between deliberate action and
expeditious action. And I think there is a way to do that even
in this scenario. It needs to be clear. It needs to be--the
steps and timeframes or their phaseout periods, that all needs
to be determined and it needs to be clear to the consumer and
the companies who are out on the front lines about what is
going to happen and when.
Mr. Lance. Thank you.
Ms. Sacks, in your testimony, you recommended that the
United States look for leverage to change Beijing's behavior
and its ICT policies, and that it is not in our best interest
to act unilaterally.
Have other countries taken action against ZTE and Huawei?
And should the U.S. be looking to leverage the ZTE situation to
pressure China on its ICT policies instead of as a trade
bargaining chip?
Ms. Sacks. Two points on that: One model that is worth
considering is the U.K., which has incorporated Huawei into
their systems, has set up a security testing center which they
use to test Huawei equipment that goes into the network. It is
independently audited and the results are reported directly to
the National Security Adviser.
So that is one model that should be considered, although we
need to take a number of things into consideration to
strengthen it. That center is staffed entirely by Huawei
employees. I think we would need a much more strengthened
version in the United States. And particularly if we are
thinking about 5G and the complexities around massive software
involved with 5G, would that kind of model be adequate for the
new security challenges posed by that.
So that is just one example of another country that we
might want to take into consideration.
Mr. Lance. In your professional judgment, is the U.K. the
best at this in the world?
Ms. Sacks. I don't know if they are the best, but they are
the one--I think that their model is one which is worth
studying.
Mr. Lance. Thank you. This has been a very interesting
panel, and I thank all of you for participating.
And, Chairman, I yield back half a minute.
Mrs. Blackburn. The gentleman yields back.
Ms. Matsui, you are recognized.
Ms. Matsui. Thank you, Madam Chairman, and thank the
witnesses for being here today.
Virtual private networks assist companies and businesses in
preventing foreign governments from monitoring traffic between
providers and their devices. There seems to be ongoing
uncertainty surrounding whether and how rules blocking the use
of VPNs in China not approved by Chinese government will be
implemented.
Ms. Sacks, as you note, this review requirement has a
practical effect of allowing the Chinese government to approve
the channels companies use for international connectivity. What
security threats arise in China monitoring, reviewing, and
approving VPNs, especially communications using VPNs where
Huawei and ZTE have installed network equipment?
Ms. Sacks. One of the most important areas that we should
watch are restrictions around corporate VPNs in China, not just
for consumers, but also for companies in terms of sending
information across borders to conduct HR baseline financial
operations needed to conduct business there. I think that there
are a number of channels that the Chinese government is using
to increase their ability to monitor and control networks, the
data, the information that flows across that. The VPNs is one.
There are multiple different kinds of security reviews that
are all in process. The scope of them is not clear, and there
is competing jurisdictions, even within these different kinds
of reviews. So you have the multilevel protection scheme, which
has been in place for several years, but now you have a new
review of network products and services connected with critical
information infrastructure operators in China. We don't know
what is going to follow the scope of that.
Ms. Matsui. OK. Well, thank you.
Back doors into hardware and network components are
designed to avoid detection, and vulnerabilities introduced at
the beginning of the development process in the supply chain
are particularly hard to detect. I echo the concerns of my
colleagues over the national security threats posed by
equipment providers to the integrity of the communication
supply chain. I understand the inherent difficulty of proving where
there isn't a back door into our networks.
I want to ask this of each of you. Do you believe
sufficient work is going towards a process to ensure when there
is or is not a back door in switches, routers, or other
networking equipment? Dr. Clancy?
Dr. Clancy. As you point out that such back doors or
intentional vulnerabilities in software are extremely difficult
to detect, particularly if they are specifically seeking to be
hidden. I think that it would be very challenging to do a
thorough assessment, for example, without access to source code
for the presence of such vulnerabilities in equipment purchased
from foreign vendors. I think that that, though, is--the bigger
threat, at least immediately though, is the more front door
access, which is the managed vendor access where they are
explicitly given access to the license for the purpose of
management.
So I think we need to tackle the front door first. The back
door is I think something that will only be effectively tackled
through a risk-based approach, because guaranteeing that there
are no back doors is virtually impossible.
Ms. Matsui. OK. Ms. Sacks, do you agree?
Ms. Sacks. I don't have anything to add to that.
Ms. Matsui. OK. Mr. Johnson.
Mr. Johnson. Yes, ma'am. I agree with what Dr. Clancy said
about the difficulty of finding the purposely in place back
door and also the threat of the front door that we see right
now through vendor management.
And Ms. Sacks had a really great example of an innovative
approach to this that the U.K. is taking with regard to Huawei.
The only thing I would add to that is that at the same time
that the U.K. decided to do that, we in the United States were--
those proposals were being made in the United States as well.
Let us do this, we will do an independent testing, et cetera,
and the United States decided not to do that. And I think that
is probably--while I think it is correct that the U.K. model is
a very valuable reference point for testing, I am very wary of
the capabilities of testing to be able to find the real
problems when you have such a sophisticated actor. So I might--
I just think testing can be an important part of it, but it is
never going to be a wholly sufficient answer. And I think we
need testing along with a holistic approach to trusted
suppliers.
Ms. Matsui. All right, OK. It looks like I don't have
enough time. So anyway, I yield back the balance of my time.
Thank you.
Mrs. Blackburn. The gentlelady yields back.
Mr. Guthrie.
Mr. Guthrie. Thank you, Madam Chairman.
I appreciate the opportunity to be here and for our
witnesses to be here today for a timely issue.
My first question is for Ms. Sacks. It appears the response
to network threats so far have been tactical with regard to
specific threats and strategic with regard to competition in
the supply chain. So what can we do to ensure our response is
proactive and coordinated across the Federal Government? And do
we need to formalize this approach? And if so, what sort of
framework is needed?
Ms. Sacks. I think that there has been a conflation of a
lot of different kinds of challenges and problems connected to
Chinese security and industrial policy threats, and we need to
be much clearer. Are we talking about export controls, national
security risks, IP theft, FCPA, and that will help enhance
coordination, better coordination among these different actors
given the different types of issues at hand. And once we are
able to do that, I think that we can work more effectively with
our allies and partners in other parts of the world to exert
the kind of leverage needed to change behavior.
Mr. Guthrie. Do you have any thoughts of what agencies,
timelines, and what scope, and how we balance agility with
thoroughness?
Ms. Sacks. Here I think I would defer to Mr. Johnson.
Mr. Guthrie. That is fine. I was going to ask him next. I
was going to ask him next, so there we go.
Mr. Johnson. I spend a lot of time pushing that boulder
over the mountain in the interagency. As I said a little bit
earlier----
Mr. Guthrie. Didn't roll back down, did it?
Mr. Johnson. It rolls back down, and you push it a little
bit further and it rolls back down again.
But there has been a lot of progress made in the past
decade or so in terms of getting the team to be more of a
well-oiled machine. It is not that yet. But I think we have ways
to--we don't need to find ways, we have ways to have a
coherent, holistic process that includes input from all the
relevant stakeholders in Government and also in the private
sector. That is what we need to do as--it needs to be--we need
to be in a big hurry about it, and it needs to be urgent, and
it also needs to be deliberative and continuous. We are not
going to finish this project. It is going to go on for as long
as we have these capabilities.
Mr. Guthrie. OK. So Mr. Johnson talked about the agencies.
So, Dr. Clancy, or any of you, actually--and you did mention it
has got to have input from the private sector. So what role
should the private sector--I will ask Dr. Clancy first, then we
can move on, what role should the private sector play in
collaboration with the Federal Government to address the
telecom supply chain risk assessment from the manufacturing
perspective?
Dr. Clancy. Well, I think I will highlight a point I think
that has been made earlier in this hearing, is that the
Cybersecurity Information Sharing Act, landmark legislation,
really enables tactical sharing of operational cyber threat
data between the Federal Government and industry. I think over
the last 3 years as that has been operationalized, we have seen
a lot of industries come together and effectively use those
instruments.
Mr. Guthrie. Well, passing that was actually kind of
controversial. I mean, some people really opposed that, and
Members. I mean, so how has that been effective? I didn't think
about that, you just said it, but----
Dr. Clancy. So I think it has--we have seen many of the
ISACs, the industry specific information sharing entities adopt
various technology standards, like STIX and TAXII, protocols
that are specifically designed to share real-time threat
information. I think there is still lots of hurdles to go. I
think there are lots of parts of industry that are still
nervous about sharing information that might be negatively
viewed by their regulators, and so I think there is still some
caution from an industry perspective. I think they are enjoying
the ability to consume information from the Federal Government,
though. So we haven't, I think, seen full bidirectional sharing
between industry and Government, but we are getting a lot
closer to that, in my personal opinion.
But as you project that forward and you look at supply
chains, supply chains are a very different type of threat. It
is not an operational tactical threat. It is a much more
strategic threat where the long game is being played by
adversaries in this space. And so it is less about tactical
information sharing but more about understanding the bigger
picture and being able to share risk assessments associated
with that with industry and among members of industry and with
Government. I think we haven't gotten that far yet. And I think
that would be, again, whether it is the interagency framework
that Mr. Johnson has proposed or other mechanisms, I think that
is really the next frontier.
Mr. Guthrie. I see you nodding, Mr. Johnson. Any comment
you want to add to that?
Mr. Johnson. I think that is right. The next step--we
talked about this right in the beginning, the next step beyond
the tactical real-time information sharing of the Cyber
Information Sharing Act is a more deliberative, in many cases,
human interface about longer term strategic threats, and
companies will need to have certainty that going into talk to
the Government about what they are worried about doesn't come
back and hit them. You might call it a reverse Miranda
protection where nothing I say here will be used against me.
And we really need to build this team and pull it together, and
it has to be a trusted environment. There are some--the PCII
protections are statutory protections that provide that. And I
would be delighted to talk with you more about that when I am
not over time.
Mr. Guthrie. My time has expired. I appreciate it. Thank
you.
Mrs. Blackburn. The gentleman yields back.
Mr. Butterfield, you are recognized.
Mr. Butterfield. Thank you very much, Madam Chair.
Good morning to our witnesses today, and thank you for your
testimony.
Madam Chair, in thinking about the hearing today and trying
to get a few notes ready to talk to these witnesses, it became
pretty clear to me how difficult securing our supply chain will
be. This seems not to just be a national security issue, but a
technological issue, an economic development issue, a consumer
issue, and even a trade issue. And so I appreciate that our
colleagues on the Armed Services Committee understand how to
approach the national security portion, but we must also strive
to better grasp the broader ramifications.
And so, Mr. Johnson, in your written testimony, you note
that securing our chain raises complex national security,
strategic, economic, business, and technological concerns. So
my question, sir, to you is, to ensure that we have developed
the right policy to manage the risk to our chain, supply chain,
do you think that we, Congress, should take steps to ensure we
are adequately thinking through each of these complexities?
Mr. Johnson. Absolutely, yes.
Mr. Butterfield. In their interrelationships.
Mr. Johnson. Absolutely, yes. This is a very big deal and
we need to get it right.
Mr. Butterfield. What are some of the economic, business,
and technological concerns that we should be focused on in
their intersectionality?
Mr. Johnson. Well, just to take the example of 5G
deployment, the issues that pertain to 5G deployment moving to
an almost entirely connected world, really have--in some ways
they have all the elements of what our country went through in
the fifties and sixties with regard to the space race. The
implications of what types of companies and what types of
countries are ahead in deploying 5G have geostrategic
implications, they have economic competitiveness implications,
they have espionage and sabotage and warfare implications. And
so we certainly want the United States and other rule of law
based market democracies and those companies to be in the lead
in order to maintain the interests that we--and values that we
hold dear.
Mr. Butterfield. Now, there are some conversations that we
have heard about outright banning equipment from China, and I
am paraphrasing some of that. I don't suspect that is your
view. But what impact would outright banning equipment from
China have on low-income consumers?
Mr. Johnson. I think this has been expressed earlier by my
fellow witnesses, but I think a country-of-origin ban of any
kind is too blunt of an instrument, and it is not necessarily
feasible in the world we live in now, particularly with regard
to China. There are a lot of trusted suppliers that have
elements of China in their supply chains. And so we need to
take more of a scalpel and identify bad actors.
With regard to the bad actors that have been identified
from China, and certainly there are some China-specific
concerns that we need to raise, but with regard to the two
Chinese companies that have been identified, the record that is
being built in the FCC through the proposal to prevent USF
funds from going to companies like that is going to flesh out
what the effect in the market is and, very importantly, what
the effect in the lower income and rural markets are where
companies like Huawei and ZTE have most of their U.S. presence.
Mr. Butterfield. Let me ask you this, does the draft
defense authorization legislation that has been put forward
accurately take each of your concerns into account?
Mr. Johnson. I think that--any proposal, particularly one
that is embedded in statute, needs to have a very significant
vetting, tire kicking, and make sure that, you know, through
hearings like this, that all of the important elements and
considerations are embedded in whatever statute becomes law.
Mr. Butterfield. Dr. Clancy, you have 30 seconds, my last
30 seconds. Any comments on any of this?
Dr. Clancy. So specifically with respect to your last
question, I think the--while certainly the actors that have
been identified so far represent, I think, substantiated risks
to national security, they may not be the only ones, so
focusing only on those two is I think one challenge. I think
the other aspect that needs to be addressed is, again, the
criticality. There is a difference between a phone and a core
network router, and that is not adequately reflected in the
current draft legislation, in my opinion.
Mr. Butterfield. Thank you.
Sorry, Ms. Sacks, but we ran out of time.
I yield back, Madam Chair.
Mrs. Blackburn. The gentleman yields back.
Mr. Long, you are recognized.
Mr. Long. Thank you, Chairman.
Dr. Clancy, due to the interconnected nature of
telecommunications networks, operators don't always have
visibility into other parts of the network to know whether
there may be vulnerabilities. In some cases, information may be
carried over the network that has ridden over foreign networks.
Can you speak to the global nature of the internet and how we
should address vulnerabilities given these threats?
Dr. Clancy. So there are a whole range of potential global
threats to the internet itself. The internet, from a
government's perspective, is really a series of bilateral
contracts between internet service providers that stitch
together to form the fabric of what we know the internet to be.
And any of the components of that core infrastructure have the
ability to influence things like control plane aspects of the
internet, routing tables being the most notable example, or any
major internet service provider can cause major damage to the
internet by virtue of how the internet is constructed. So I
think that there are a whole range of threats.
I think the larger the market share of any one particular
vendor, particularly vendors that we deem as a national
security risk, increases the global exposure to that risk, to
that threat.
Mr. Long. OK, thank you.
And, Ms. Sacks, the Department of Commerce denial order
issued against ZTE is commonly cited as one of the reasons ZTE
sought to cease operations in the United States. This order, a
law enforcement action resulting from the violation of
sanctions terms, was very disruptive. If this disruption serves
as a model for future bans on specific network or device
equipment providers, what is the impact on our ability to
remain globally competitive?
Ms. Sacks. ZTE clearly violated export controls, and this
is an export control issue rather than a trade issue, although
there are also separate national security implications. It has
not been usual for bans on sanctions to be lifted, but the
timing and the process involved with ZTE was highly unusual. We
need to see what comes out of this. U.S. companies are
definitely going to have impact from that ban. We need to see
what happens in terms of the President's moves as he works to
negotiate with the Chinese, but the conflation of an export
control issue with a trade issue is worrisome in my mind.
Mr. Long. Are these sorts of bans effective or are there
other proactive measures that we can take to protect our
networks and compete globally?
Ms. Sacks. We have seen with Beijing that access to global
markets is a point of leverage that has brought them to the
negotiating table in 2015, so ahead of Xi Jinping's visit
where they came up with the cyber agreement. So we see that
access to global markets is a point of leverage. However, we
need to also consider the ramifications on the follow-on
effects in terms of retaliation against U.S. companies. That is
why it is important to work in a multilateral fashion on this.
Mr. Long. OK, thank you.
And, Madam Chairman, I would like to submit an article for
the record, ``US Army base removes Chinese made surveillance
cameras.'' This is Fort Leonard Wood in my home State of
Missouri.
And with that, I yield.
Mrs. Blackburn. Without objection. The gentleman yields
back.
[The information appears at the conclusion of the hearing.]
Mrs. Blackburn. Mr. Costello, you are recognized.
Mr. Costello. Thank you, Madam Chair.
Mr. Johnson, how would you advise a telecommunications
provider when it is making plans to expand its network? Of
course, providers want to be cost conscious and purchase
economical equipment, but they also want to make sure they are
not introducing vulnerabilities into their network. How do
these providers weigh the tradeoffs in making these decisions?
Mr. Johnson. I think that is one of the central questions,
sir. And it depends on who the provider is. I think most of the
large providers are aware of and can take other options than
some of the companies that have been identified as particular
concern.
With smaller providers who operate on much smaller margins,
it becomes a much more difficult question. And I think
according to our--you know, according to the public record from
our Government and the intelligence community, that has been
part of the reason why we are concerned about Huawei and ZTE in
particular, because the Chinese government knows that, the
companies know that, and so they can undercut the price. And
you hear anecdotes about the company sales approach is
essentially tell me what your lowest competitor's price is and
I will undercut it.
Mr. Costello. And let's talk about rural providers. How do
we mitigate the risk to come along with that equipment,
equipment obviously purchased at below market rates? Is there a
risk that if we ban certain types of equipment, it will
increase the cost or time for expanding broadband access?
Mr. Johnson. I think there is a risk of a disruption, and
that is why I think this process needs to take place very
deliberately and expeditiously. It needs to have clear guidance
to the players about what is going to happen when, what they
need to do, what they need to be aware of. And any disruption
should be dealt with through that process. But I do think--I
have got some faith in the fact that there are lots of other
competitors who would love to keep competing in a competitive
market and not essentially be frozen out of certain parts of
the market by uncompetitive, undercutting of prices.
So I think that if those two companies are restricted in
some way from certain parts of the market, I am very confident
that the market will respond, it will send a signal to other
players in the market that, hey, there is reason to play here,
because you are not going to be undercut in an uncompetitive
way. And if there are any vacuums, they will be quickly filled.
Mr. Costello. So far we have been able to successfully
limit our risk by managing the standards bodies. Is this method
sustainable? And I will ask an ancillary question, is
leveraging the transparency aspect of standards bodies enough
or can nefarious actors still engineer proprietary technologies
but introduce threats to the networks while still complying
with the agreed-upon standard?
Mr. Johnson. That is a great question. I will say a piece
and then defer to Dr. Clancy, who is an expert on these issues.
But the sort of soft power of shaping the standards environment
is something that is very important, something that the United
States has really led through its standards approach over the
past several decades. And the Chinese have recognized that, and
now they are throwing a lot of resources at these standards
discussions and standards bodies to help shape the field in
such a way that it benefits their products and gives them
intellectual property benefits that last a lot longer.
But I will defer to Dr. Clancy because I think he's
participated in this process.
Dr. Clancy. I would agree. I believe that--my observation
of China's role on standards bodies has been primarily that
they are looking to move their role into the innovation and IP
creation, and that is critical to the standards process, away
from simply manufacturing devices. And so as they look to sort
of professionalize their telecom ecosystem and be out in front,
standards is one of the ways that they are leveraging that.
I do believe in the open and transparent processes in
standards, so I am not worried about sort of slipping in back
doors in the standards, but there is, as Mr. Johnson noted,
sort of this soft power influence in which companies'
technologies end up getting preferred and written into the
standards.
Mr. Costello. Semiconductors and microelectronics have
comparative advantage, I think, in standard setting focus. From
a securities standpoint, are network operators left at a
competitive disadvantage?
Dr. Clancy. Specifically with respect to their use of----
Mr. Costello. In terms of power in the standard setting
bodies.
Dr. Clancy. So, I mean, in the standard bodies that I have
been involved in, it has been basically the more internet
Ciscos and Qualcomms and those sorts of companies that are
really leading those standards efforts here from the United
States. I think that that then translates down into silicon
when you go to manufacture the product. I am not sure if I
quite understand your question, though.
Mr. Costello. Well, I am out of time, so we will follow up
afterwards.
Thank you. I yield back.
Mrs. Blackburn. Mr. Walberg, you are recognized.
Mr. Walberg. Madam Chairman, I thank you for waiving me on
this subcommittee. It is of real interest, the subject today.
Ms. Sacks, one of the challenges we are talking about in
our discussions on domestic manufacturing capability, we are
also talking about our ability to identify emerging
technologies and bring them to commercialization for both U.S.
and global markets. My colleagues today have expressed a need
for a national strategy that addresses threats to our
telecommunications networks to competition in the supply chain
and to national security.
Can you elaborate a bit more on how human capital, those
people who know how to do this stuff and can be creative with
integrity, plays into such a national strategy?
Ms. Sacks. Human capital is one of the areas in which our
technology development process is actually very interconnected
with China. We work closely with engineers in China, there are
a lot of very highly skilled, talented engineers coming out of
China. We have research centers that are highly interconnected.
And so this is an area where there are possible national
security risks that need to be examined, but we also need to
examine what are the economic and the innovation benefits that
come from some of that interconnection on human capital. So we
should incorporate that into the discussion as well because I
think that there are potential downsides and upsides to that
level of interconnection.
Mr. Walberg. What can Congress do to help to lead on this
part of the puzzle?
Ms. Sacks. Let me get back to you on that one.
Mr. Walberg. OK. I take that as an interesting answer and
look forward to the answer.
One of the challenges when confronting threats to our
supply chain is the truly global nature of today's ICT supply
chains. As vendors that provide potentially vulnerable
equipment continue to improve the quality of their products and
services and gain global market share, the question is, what
can we do to ensure our domestic providers are left with no
other option than to procure equipment from these vendors?
Ms. Sacks.
Ms. Sacks. I think that there are three main options, all
of which, again, have downsides and are challenging. One is we
need to think about investing in ourselves but in a way that
doesn't replicate the China model so that we are not leaving it
up to the Government to pick winners and losers but enabling
R&D and enabling education; an investment in our own companies
to be leaders in areas like 5G. We also have to think about
what are the software solutions from a mitigation standpoint
that we can use, given the fact that there likely are going to
be companies like Huawei and ZTE in the global supply chain.
And an isolationist approach is not necessarily going to be to
our advantage either and could put us in a backwards technology
position. So there is a mitigation perspective as well as an
investment perspective on our own side.
Mr. Walberg. So it is not just us building better stuff
then, as some would say would be in our best interest.
How does our ability to domestically source our own
equipment, though, work in a world where the ICT supply chain
is increasingly globalized? And then second question I would
ask with that, can you explain how we should take a risk
management approach to examining our domestic manufacturing
capability?
Ms. Sacks. I think Dr. Clancy has outlined a very effective
risk management approach. I will let him elaborate on that.
Dr. Clancy. Certainly. I mean, I think if you look at
domestic products, again, the iPhone which I brought up in my
opening statement, the majority of that is sourced
internationally. So while we view that as domestic product,
very little of the components and the manufacturing itself are
domestic. So I think that we need to be cautious to not just
look at the company that is selling it to us, selling the end
product, but also look at all the pieces behind the curtain
that went into manufacturing that as part of an overall risk
management approach to supply chain. And that should apply not
only to acquisition of Huawei and ZTE equipment from--as part
of some network, but also look at the components that would go
into the production of a U.S. device as well.
Mr. Walberg. Thank you. Good advice.
And, Madam Chairman, thank you for letting me waive on, but
it is important to understand what assistance we are using, all
the parts that are there, but to sure do our level best to make
sure that we are secure for all sorts of reasons. So thank you.
I yield back.
Mrs. Blackburn. The gentleman yields back.
And as you can see, there are no additional Members who are
present and ready to ask questions. So we thank you all for
being here.
As we conclude today, I ask unanimous consent to enter the
following documents: a letter from Sicuro Innovations, a letter
from Commissioner O'Rielly, a U.S.-China Commission report,
articles by Samm Sacks and Andrew Hunter of CSIS, two Wall
Street Journal articles, and the ZTE denial order, and one
article from The Hill.\1\
---------------------------------------------------------------------------
\1\ The U.S.-China Commission report has been retained in committee
files and also is available at
https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=108301.
The other information appears at the conclusion of the hearing.
---------------------------------------------------------------------------
Without objection, so ordered.
Pursuant to committee rules, I remind Members that they
have 10 business days to submit additional questions for the
record, and I ask each of you witnesses to respond to those
within 10 days of receipt of the questions.
Seeing no further business to come before the subcommittee
today, without objection, the subcommittee is adjourned.
[Whereupon, at 12:01 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
Prepared statement of Hon. Anna G. Eshoo
Today's hearing on supply chains is about an issue I go
very far back on. I served on the House Permanent Select
Committee on Intelligence for nearly a decade, and during that
time we had close examinations of supply chain manufacturers,
including Huawei and other foreign manufacturers, and the
serious challenges they represented.
I took these issues seriously more than a decade ago, and I
still do today. When my term on HPSCI was ending, I
specifically asked the then-chairman, Mike Rogers, to commit to
pressing on the threats to our national security that Huawei
presented.
When our country was attacked on Sept. 11, 2001, we
possessed something that was essential in the age of
terrorism--our telecommunications systems. They were and they
still are part of the backbone of our national security and
intelligence operations.
Fast forward to 2018, when the sophistication of what these
technologies can do has increased exponentially, as well as
what is manufactured. There is far more that today's companies
in this sector on whom we rely for our communications can know,
what other companies have access to, and whom they buy from.
And we know for a fact, based on years of scrutiny which I was
a part of, that certain companies, particularly foreign
enterprises, do not have our national interests at heart. Thus,
we have no business doing business with them. Period.
Congress can prevent this infiltration of our critical
communications systems. The number one responsibility of every
Member of Congress is contained in our Oath of Office, `protect
and defend' our citizens from enemies external and internal. We
cannot allow foreign entities to compromise our
telecommunications sector, because it would create a direct
challenge to our national security. I'm bewildered that after
so many years of hearings and investigations that we continue
to consider whether we should use parts from companies whom we
know have adversarial intentions against our country. The
answer to this consideration is NO.