[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
    CYBERSECURITY: AN EXAMINATION OF THE COMMUNICATIONS SUPPLY CHAIN

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 21, 2013

                               __________

                           Serial No. 113-46


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                                 ______

                   U.S. GOVERNMENT PRINTING OFFICE 
85-436                     WASHINGTON : 2014
____________________________________________________________________________ 
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
RALPH M. HALL, Texas                 HENRY A. WAXMAN, California
JOE BARTON, Texas                      Ranking Member
  Chairman Emeritus                  JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
TIM MURPHY, Pennsylvania             GENE GREEN, Texas
MICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado
MARSHA BLACKBURN, Tennessee          LOIS CAPPS, California
  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania
PHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             JIM MATHESON, Utah
ROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina
CATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia
GREGG HARPER, Mississippi            DORIS O. MATSUI, California
LEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin 
BILL CASSIDY, Louisiana                  Islands
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
CORY GARDNER, Colorado               BRUCE L. BRALEY, Iowa
MIKE POMPEO, Kansas                  PETER WELCH, Vermont
ADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
             Subcommittee on Communications and Technology

                          GREG WALDEN, Oregon
                                 Chairman
ROBERT E. LATTA, Ohio                ANNA G. ESHOO, California
  Vice Chairman                        Ranking Member
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
LEE TERRY, Nebraska                  MICHAEL F. DOYLE, Pennsylvania
MIKE ROGERS, Michigan                DORIS O. MATSUI, California
MARSHA BLACKBURN, Tennessee          BRUCE L. BRALEY, Iowa
STEVE SCALISE, Louisiana             PETER WELCH, Vermont
LEONARD LANCE, New Jersey            BEN RAY LUJAN, New Mexico
BRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan
CORY GARDNER, Colorado               FRANK PALLONE, Jr., New Jersey
MIKE POMPEO, Kansas                  BOBBY L. RUSH, Illinois
ADAM KINZINGER, Illinois             DIANA DeGETTE, Colorado
BILLY LONG, Missouri                 JIM MATHESON, Utah
RENEE L. ELLMERS, North Carolina     HENRY A. WAXMAN, California, ex 
JOE BARTON, Texas                        officio
FRED UPTON, Michigan, ex officio
  
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, opening statement......................................     1
    Prepared statement...........................................     2
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................     3
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................     5
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement....................................   137

                               Witnesses

Mark L. Goldstein, Director, Physical Infrastructure Issues, 
  Government Accountability Office...............................     6
    Prepared statement...........................................     9
    Answers to submitted questions...............................   139
Stewart A. Baker, Partner, Steptoe and Johnson, LLP, Former 
  Assistant Secretary for Policy, Department of Homeland Security    62
    Prepared statement...........................................  6473
    Answers to submitted questions...............................   142
Jennifer Bisceglie, President and CEO, Interos Solutions, Inc....    71
    Prepared statement...........................................    73
    Answers to submitted questions...............................   145
Robert B. Dix, Jr., Vice President, Government Affairs and 
  Critical Infrastructure Protection, Juniper Networks, Inc......    82
    Prepared statement...........................................    85
    Answers to submitted questions...............................   147
David Rothenstein, Senior Vice President, General Counsel and 
  Secretary, Ciena...............................................    99
    Prepared statement...........................................   101
    Answers to submitted questions...............................   150
John Lindquist, President and CEO, Electronic Warfare Associates.   111
    Prepared statement...........................................   113
    Answers to submitted questions...............................   153
Dean Garfield, President and CEO, Information Technology Industry 
  Council........................................................   118
    Prepared statement...........................................   120
    Answers to submitted questions...............................   156


    CYBERSECURITY: AN EXAMINATION OF THE COMMUNICATIONS SUPPLY CHAIN

                              ----------                              


                         TUESDAY, MAY 21, 2013

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:02 p.m., in 
room 2123 of the Rayburn House Office Building, Hon. Greg 
Walden (chairman of the subcommittee) presiding.
    Members present: Representatives Walden, Latta, Shimkus, 
Terry, Blackburn, Lance, Guthrie, Gardner, Long, Ellmers, 
Eshoo, Matsui, Welch, and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight; Ray Baum, 
Senior Policy Advisor/Director of Coalitions; Neil Fried, Chief 
Counsel, C&T Debbee Hancock, Press Secretary; David Redl, 
Counsel, Telecom; Charlotte Savercool, Executive Assistant, 
Legislative Clerk; Kelsey Guyselman, Telecom; Roger Sherman, 
Democratic Chief Counsel; Shawn Chang, Democratic Senior 
Counsel; Margaret McCarthy, Democratic Staff; Patrick Donovan, 
Democratic FCC Detail; and Kara Van Stralen, Democratic Policy 
Analyst.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. We are going to call to order the Subcommittee 
on Communications and Technology for our hearing on 
``Cybersecurity: an Examination of the Communications Supply 
Chain.'' And just for the benefit of our witnesses--I don't 
know if benefit is the right word--but in about 10 minutes we 
are probably going to get called to the House Floor for votes. 
So don't flee when we do. We will plan to return and be sure 
and get your testimony in and our questions. But we will begin 
with our opening statements and, as you know, things around 
here aren't always certain so, who knows, we may get everything 
done, but I doubt it. So we will go ahead and get started, but 
we want to thank you all for being here and for submitting your 
testimony.
    Our communications networks strengths--its ubiquity and 
interconnected nature--may actually also be a weakness. Those 
who wish to harm our Nation, to steal money or intellectual 
property, or merely to cause mischief can focus on myriad 
hardware and software components that make up the 
communications infrastructure. And they can do so anywhere in 
the design, the delivery, the installation, or the operation of 
those components. So today's hearing will focus on securing 
that communications supply chain.
    We are fortunate to have as a member of this subcommittee 
the full chairman of the House Intelligence Committee, Chairman 
Mike Rogers. The experience and resources he brings were 
invaluable to the bipartisan Cyber Security Working Group last 
Congress, as well as to this subcommittee's three prior cyber 
hearings.
    Many of us have concluded that promoting information-
sharing through the Cyber Intelligence Sharing and Protection 
Act, CISPA, that he and Representative Ruppersberger have now 
twice assured through the House with large bipartisan votes, is 
pivotal to better securing our networks. It was also in large 
part this committee's 2012 report on the communications supply 
chain that prompted this hearing. Supply chain risk management 
is essential if we are to guard against those that would 
compromise network equipment or exploit the software that runs 
over and through it.
    Understanding that you can never eliminate these risks, how 
do you minimize them without compromising the interconnectivity 
that makes networks useful? How secure is the communications 
supply chain? Where are the vulnerabilities? How much should we 
focus on securing physical access to components as they make 
their way from design to installation? How much on the internal 
workings of the components themselves? How do the risks and 
responses differ for hardware and software? What about for 
internationally sourced products as opposed to domestically 
sourced products? What progress has been made through the 
public-private partnerships, standards organization, and the 
development of best practices, and what role should the 
government play?
    These are among the questions we will examine in this 
hearing, as well as through the bipartisan Supply Chain Working 
Group that we launch today. Representative Mike Rogers and my 
colleague and friend from California, Anna Eshoo, will co-chair 
this group, which will also include Representatives Latta, 
Doyle, Terry, Lujan, Kinzinger, and Matheson.
    As I did last Congress, I will urge that we abide by a 
cyber Hippocratic Oath and first do no harm as we consider the 
tools available to the public and private sectors in making our 
communications supply chain secure.
    With that, I would yield to the vice chair of the 
subcommittee, Mr. Latta.
    [The prepared statement of Mr. Walden follows:]

                 Prepared statement of Hon. Greg Walden

    Our communications network's strengths--its ubiquity and 
interconnected nature--may also be weaknesses. Those who wish 
to harm our nation, to steal money or intellectual property, or 
merely to cause mischief, can focus on myriad hardware and 
software components that make up the communications 
infrastructure. And they can do so anywhere in the design, 
delivery, installation or operation of those components. 
Today's hearing will focus on securing that communications 
supply chain.
    We are fortunate to have as a member of this subcommittee 
House Intelligence Committee Chairman Mike Rogers. The 
experience and resources he brings were invaluable to the 
bipartisan cybersecurity working group last Congress as well as 
this subcommittee's three prior cyber hearings. Many of us have 
concluded that promoting information sharing through the Cyber 
Intelligence Sharing and Protection Act that he and Rep. 
Ruppersberger have now twice ushered through the House is 
pivotal to better securing our networks. It was also in large 
part his committee's 2012 report on the communications supply 
chain that prompted this hearing. Supply chain risk management 
is essential if we are to guard against those that would 
compromise network equipment or exploit the software that runs 
over and through it.
    Understanding that you can never eliminate these risks, how 
do you minimize them without compromising the interconnectivity 
that makes networks useful? How secure is the communications 
supply chain? Where are the vulnerabilities? How much should we 
focus on securing physical access to components as they make 
their way from design to installation? How much on the internal 
workings of the components themselves? How do the risks and 
responses differ for hardware and software? What about for 
internationally sourced products as opposed to domestic ones? 
What progress has been made through public-private 
partnerships, standards organizations and the development of 
best practices? What role should the government play?
    These are among the questions we will examine in this 
hearing, as well as through the bipartisan supply chain working 
group we launch today. Reps. Mike Rogers and Anna Eshoo will 
co-chair the group, which will also include Reps. Latta, Doyle, 
Terry, Lujan, Kinzinger, and Matheson. As I did last Congress, 
I will urge that we abide by a cyber Hippocratic Oath and first 
do no harm as we consider the tools available to the public and 
private sectors in making our communications supply chain 
secure.

                                #  #  #

    Mr. Latta. Thank you, Mr. Chairman, and I appreciate you 
yielding and holding this hearing today on a very critical and 
important topic. I want to thank our witnesses for being here 
and I look forward to your testimony today.
    Not a day goes by that I don't seem to pick up a newspaper 
and read about a cyber attack or the vulnerability on the front 
page of a newspaper. Cyber crime and cyber warfare can affect 
any individual or business since we all depend on our 
interconnected communication networks. This is an issue not 
just of national security but economic security.
    Again, I thank our witnesses for being here. I look forward 
to your comments on the communications supply chain. I also 
thank the Chairman for convening a bipartisan working group on 
this topic and I look forward to being part of the start of a 
very thoughtful and serious discussion on the threats of the 
supply chain and possible solutions. And with that, Mr. 
Chairman, I yield back.
    Mr. Walden. Anyone else on the Republican side seeking to 
make a comment on the final minute-and-a-half of my time? If 
not, I yield back the balance and recognize my friend, the 
ranking member of this subcommittee, Ms. Eshoo, for 5 minutes.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Mr. Chairman, and thank you for 
holding this very important hearing. Welcome to all of our 
witnesses.
    Mr. Chairman, the implications of foreign-controlled 
telecommunications infrastructure companies providing equipment 
to the U.S. market, I think, really presents a very real threat 
to our country. As the Office of the National 
Counterintelligence Executive has noted, ``the globalization of 
the world economy has placed critical links in the 
manufacturing supply chain under the direct control of U.S. 
adversaries.''
    Just last month, despite press reports suggesting that 
Huawei was leaving the U.S. market, the company now denies such 
reports and has stated that, ``Huawei has no connection to the 
cyber security issues the U.S. has encountered in the past, 
current, and future.'' That is quite a statement.
    These are not new threats. It in fact, more than 3 years 
ago as a member of the House Intelligence Committee, I wrote to 
the director of National Intelligence asking for an assessment 
of the national security implications of Chinese-origin 
telecommunications equipment on our law enforcement and 
intelligence efforts, as well as on our switch 
telecommunications infrastructure. While I can't discuss, 
obviously, the results of that assessment in an unclassified 
hearing, suffice it to say, the answers were troubling.
    Since that time, I have reiterated my concerns with the FCC 
Chairman Genachowski and in late 2011 I joined colleagues in 
requesting that the GAO study the potential security risks of 
foreign manufactured equipment. The newly released GAO study 
recognizes that multiple points within the supply chain can 
create vulnerabilities for threat actors to exploit. But a 
combination of initiatives by both the public and private 
sector are being established to fight back.
    The President's Executive Order issued in February is an 
example. NIST has been tasked with developing a framework to 
reduce cyber attacks to critical infrastructure, and as NIST 
undertakes the development of this framework, supply chain 
security should be a component. In fact, this morning, Chairman 
Walden and myself raised this very issue with Dr. Gallagher.
    Moving forward, I am very pleased to co-chair, at the 
chairman's request, the subcommittee's newest working group 
focusing on supply chain security and integrity with 
Representative Mike Rogers, who chairs the House Intelligence 
Committee. And through stakeholder meetings, I think we will be 
able to better understand what additional steps can be taken to 
protect U.S. telecommunications infrastructure from 
inappropriate foreign control or influence.
    So again, I thank each one of our witnesses that are here 
today for your important testimony that you are going to give, 
the important answers that you are going to give to our 
questions, and for your steadfast commitment to securing the 
communications equipment supply chain for our Nation.
    And I yield back, Mr. Chairman.
    Mr. Walden. If you want to yield to----
    Ms. Eshoo. Does anyone want me to yield my remaining time 
to them? Ms. Matsui or--OK. Sure.
    Ms. Matsui. Thank you very much, Ms. Eshoo. I would like to 
also thank the chairman for holding today's hearing.
    This year alone, we have seen significant cyber breaches to 
our economy. We know rogue states and skilled hackers are 
relentless and continue to pose a real threat breaching 
sensitive information stored by both the private and public 
sectors, as well as the American consumer.
    To address the cyber threats I believe industry and 
government must be partners. It is not a one-way street. We 
live in a digital world where information is readily available 
on the internet and can be accessed from just about anywhere. 
We also live in an innovative economy where America's 
innovative spirit has led to new devices, equipment, and 
communications that penetrate the global marketplace.
    This has also created an international supply chain of 
technology components. Today, it is not surprising if a product 
and its components originate from several different countries. 
That is why it is critical for industry to continue to be 
vigilant in assuring their manufacturing and distribution 
processes are not compromised. We should also be mindful of 
hackers trying to circumvent the supply chain by infecting 
botnets and malware onto popular mobile apps.
    Addressing mobile security should be a priority moving 
forward, particularly as millions of Americans download their 
favorite apps, which in some cases includes personal 
information.
    Again, I thank the chairman for holding today's hearing and 
I yield back the remainder of my time.
    Mr. Walden. The gentlelady yields back the remainder of her 
time. And seeing no one on our side seeking time, I would yield 
now to the gentleman from California, Mr. Waxman, for 5 
minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Mr. Chairman, for holding 
today's hearing on cyber security risks in the communications 
supply chain.
    This morning, our full committee heard a wide range of 
perspectives on the cyber threats to our critical 
infrastructure, including broadband networks.
    While the Executive Order on cyber security protections for 
critical infrastructure was an important step forward, this 
morning's hearing demonstrated that there is much more work to 
be done to protect the networks that undergird the American 
economy.
    One key area of vulnerability--the long supply chains for 
communications network equipment--is the subject of this 
afternoon's hearing. The globalization of the supply market for 
information and communications technology has undoubtedly 
created many benefits for our economy and coincided with 
incredible investment, competition, and innovation in the 
communications marketplace.
    But it has also made it possible for our adversaries to 
exploit weaknesses during the design, production, delivery, and 
post-installation servicing of communications network 
equipment.
    Industry and the federal government are working to respond 
to these threats.
    As several of our witnesses this afternoon will discuss, 
companies are taking action to respond to supply chain risks. 
Voluntary industry consortia and public-private partnerships 
are also seeking to minimize these cyber exposures and I 
applaud these efforts.
    But we should consider all options that could help minimize 
the cyber threats in the supply chain.
    I look forward to hearing from GAO about its analysis of 
what other countries are doing in this area, as well as the 
potential benefits and drawbacks of adopting new review 
processes for purchases of foreign-manufactured communications 
equipment.
    And I am pleased, Mr. Chairman, that the Subcommittee is 
convening a working group to examine supply chain security in 
more depth. The co-chairs of the working group--Representative 
Mike Rogers, who is the chairman of the House Intelligence 
Committee, and Representative Anna Eshoo, who has served on 
that committee, as well as the ranking member on this 
subcommittee--have great expertise from their service, as well 
as on both committees.
    I look forward to our continued bipartisan work in this 
area. I thank all of the witnesses for being here and for their 
testimony. I want to apologize in advance that the conflict in 
schedule will keep me from being here to hear everything that 
is said, but I have staff listening in, I have got the 
testimony that I can review, and when the questions are asked 
and answered, I will be able to get a sense from those as well 
of the views that this very distinguished group will be giving 
to our subcommittee.
    Thank you for this opportunity to give an opening 
statement. I thank all of you for being here today.
    Mr. Walden. And the gentleman yields back the balance of 
his time. The good news is the votes now aren't going to come 
until 2:25 to 2:30, so we may actually get to hear from some of 
our witnesses.
    And so we are going to start with Mr. Goldstein, who is the 
director of Physical Infrastructure Issues for the Government 
Accountability Office. Turn on your microphone, pull it close, 
and the next 5 minutes are yours, sir. Thank you for your work.

      STATEMENTS OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL 
   INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; 
  STEWART A. BAKER, PARTNER, STEPTOE AND JOHNSON, LLP, FORMER 
    ASSISTANT SECRETARY FOR POLICY, DEPARTMENT OF HOMELAND 
   SECURITY; JENNIFER BISCEGLIE, PRESIDENT AND CEO, INTEROS 
SOLUTIONS, INC.; ROBERT B. DIX, JR., VICE PRESIDENT, GOVERNMENT 
    AFFAIRS AND CRITICAL INFRASTRUCTURE PROTECTION, JUNIPER 
   NETWORKS, INC.; DAVID ROTHENSTEIN, SENIOR VICE PRESIDENT, 
GENERAL COUNSEL AND SECRETARY, CIENA; JOHN LINDQUIST, PRESIDENT 
  AND CEO, ELECTRONIC WARFARE ASSOCIATES; AND DEAN GARFIELD, 
   PRESIDENT AND CEO, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

                 STATEMENT OF MARK L. GOLDSTEIN

    Mr. Goldstein. I will try not to take all of it.
    Thank you, Mr. Chairman and members of the subcommittee. I 
am pleased to be here this afternoon to discuss issues 
surrounding the communications supply chain.
    The United States is increasingly reliant on commercial 
communications networks for matters of national and economic 
security. These networks, which are primarily owned by the 
private sector, are highly dependent on equipment manufacturers 
in foreign countries. Certain entities in the Federal 
Government view this dependence as an emerging threat that 
introduces risks to the networks. GAO has requested review 
actions taken to respond to security risks from foreign 
manufactured equipment.
    This testimony addresses how network providers and 
equipment manufacturers help ensure the security of foreign 
manufactured equipment used in commercial communications 
networks, how the Federal Government is addressing the risks of 
such equipment, and other approaches for addressing those risks 
and issues related to these approaches.
    My testimony today is the public version of a national 
security sensitive report that GAO issued in May 2013. 
Information that the Department of Defense deemed sensitive has 
been omitted.
    Let me briefly discuss the findings of the report that I 
may talk about today. First, the network providers and 
equipment manufacturers GAO spoke with reported taking steps in 
their security plans and procurement processes to ensure the 
integrity of parts and equipment obtained from foreign sources. 
Although these companies do not consider foreign manufactured 
equipment to be their most pressing security threat, their 
brand image and profitability depend on providing secure, 
reliable service.
    In the absence of industry or government standards on the 
use of this equipment, companies have adopted a range of 
voluntary risk management practices. These practices span the 
lifecycle of equipment and cover areas such as selecting 
vendors, establishing vendor security requirements, and testing 
and monitoring equipment. Equipment that is considered critical 
to the functioning of the network is likely to be subject to 
more stringent security requirements according to these 
companies.
    In addition to these efforts, companies are collaborating 
on the development of industry security standards and best 
practices and participating in information-sharing efforts 
within industry and with the Federal Government.
    Second, the Federal Government has begun efforts to address 
the security of the supply chain for commercial networks. In 
2013 the President issued an Executive Order to create a 
framework to reduce cyber risks to critical infrastructure, the 
National Institutes of Standards and Technologies, responsible 
for leading this effort, which is to provide technology-neutral 
guidance to critical infrastructure owners and operators.
    NIST published a request for information, which it is 
conducting using a comprehensive review to obtain stakeholder 
input and develop the framework. You heard testimony on this 
effort this morning. NIST officials said the extent to which 
supply chain security of commercial communication networks will 
be incorporated into the framework is dependant in part on the 
input that they receive from stakeholders.
    The Department of Defense considered the other federal 
efforts GAO identified to be sensitive to national security, 
and I cannot talk about them in a public forum.
    And third, there are a variety of other approaches for 
addressing potential risks posed by foreign manufactured 
equipment and commercial communications networks. For example, 
the Australian government is considering a proposal to 
establish a risk-based regulatory framework that requires 
network providers to be able to demonstrate competent 
supervision and effective controls over their networks. The 
government would also have the authority to use enforcement 
measures to address noncompliance.
    In the United Kingdom, the government requires network and 
service providers to manage risks and network security and can 
impose financial penalties for security breaches.
    While these approaches are intended to improve supply chain 
security of communications networks, they may also create the 
potential for trade barriers and additional costs which the 
Federal Government would have to take into account if it chose 
to pursue such efforts.
    Mr. Chairman, this concludes my oral statement. I would be 
happy to respond to comments. Thank you.
    [The prepared statement of Mr. Goldstein follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.001
    
    [GRAPHIC] [TIFF OMITTED] T5436.002
    
    [GRAPHIC] [TIFF OMITTED] T5436.003
    
    [GRAPHIC] [TIFF OMITTED] T5436.004
    
    [GRAPHIC] [TIFF OMITTED] T5436.005
    
    [GRAPHIC] [TIFF OMITTED] T5436.006
    
    [GRAPHIC] [TIFF OMITTED] T5436.007
    
    [GRAPHIC] [TIFF OMITTED] T5436.008
    
    [GRAPHIC] [TIFF OMITTED] T5436.009
    
    [GRAPHIC] [TIFF OMITTED] T5436.010
    
    [GRAPHIC] [TIFF OMITTED] T5436.011
    
    [GRAPHIC] [TIFF OMITTED] T5436.012
    
    [GRAPHIC] [TIFF OMITTED] T5436.013
    
    [GRAPHIC] [TIFF OMITTED] T5436.014
    
    [GRAPHIC] [TIFF OMITTED] T5436.015
    
    [GRAPHIC] [TIFF OMITTED] T5436.016
    
    [GRAPHIC] [TIFF OMITTED] T5436.017
    
    [GRAPHIC] [TIFF OMITTED] T5436.018
    
    [GRAPHIC] [TIFF OMITTED] T5436.019
    
    [GRAPHIC] [TIFF OMITTED] T5436.020
    
    [GRAPHIC] [TIFF OMITTED] T5436.021
    
    [GRAPHIC] [TIFF OMITTED] T5436.022
    
    [GRAPHIC] [TIFF OMITTED] T5436.023
    
    [GRAPHIC] [TIFF OMITTED] T5436.024
    
    [GRAPHIC] [TIFF OMITTED] T5436.025
    
    [GRAPHIC] [TIFF OMITTED] T5436.026
    
    [GRAPHIC] [TIFF OMITTED] T5436.027
    
    [GRAPHIC] [TIFF OMITTED] T5436.028
    
    [GRAPHIC] [TIFF OMITTED] T5436.029
    
    [GRAPHIC] [TIFF OMITTED] T5436.030
    
    [GRAPHIC] [TIFF OMITTED] T5436.031
    
    [GRAPHIC] [TIFF OMITTED] T5436.032
    
    [GRAPHIC] [TIFF OMITTED] T5436.033
    
    [GRAPHIC] [TIFF OMITTED] T5436.034
    
    [GRAPHIC] [TIFF OMITTED] T5436.035
    
    [GRAPHIC] [TIFF OMITTED] T5436.036
    
    [GRAPHIC] [TIFF OMITTED] T5436.037
    
    [GRAPHIC] [TIFF OMITTED] T5436.038
    
    [GRAPHIC] [TIFF OMITTED] T5436.039
    
    [GRAPHIC] [TIFF OMITTED] T5436.040
    
    [GRAPHIC] [TIFF OMITTED] T5436.041
    
    [GRAPHIC] [TIFF OMITTED] T5436.042
    
    [GRAPHIC] [TIFF OMITTED] T5436.043
    
    [GRAPHIC] [TIFF OMITTED] T5436.044
    
    [GRAPHIC] [TIFF OMITTED] T5436.045
    
    [GRAPHIC] [TIFF OMITTED] T5436.046
    
    [GRAPHIC] [TIFF OMITTED] T5436.047
    
    [GRAPHIC] [TIFF OMITTED] T5436.048
    
    [GRAPHIC] [TIFF OMITTED] T5436.049
    
    [GRAPHIC] [TIFF OMITTED] T5436.050
    
    [GRAPHIC] [TIFF OMITTED] T5436.051
    
    [GRAPHIC] [TIFF OMITTED] T5436.052
    
    [GRAPHIC] [TIFF OMITTED] T5436.053
    
    Mr. Walden. Thank you, Mr. Goldstein. We appreciate the 
work of your team and you----
    Mr. Goldstein. Thank you.
    Mr. Walden [continuing]. And we appreciate your being here.
    I will now go to Mr. Stewart A. Baker who is a partner in 
Steptoe & Johnson, LLP, and we appreciate your being here and 
look forward to your comments, sir. Go ahead.

                 STATEMENT OF STEWART A. BAKER

    Mr. Baker. Chairman Walden, Ranking Member Eshoo, members 
of the committee, it is a pleasure to be before you again. I 
was at the Department of Homeland Security and in charge of the 
CFIUS process until 2009, so I have been here before to talk 
about that.
    I would like to start with the problem that we have. We are 
under massive cyber espionage attacks. There is no one who is 
immune against these attacks. I am willing to bet that 
everybody on this panel and everybody on the committee has 
already been the subject of intrusions aimed at stealing 
secrets on behalf of the People's Liberation Army or some other 
foreign government.
    We do not know how to keep people out of our systems 
effectively. And that is despite the fact that we have, by and 
large, an IT infrastructure that is designed by U.S. companies 
who are doing their best to give us security. We simply have 
not been able to find all of the holes in the code or all of 
the flaws that can be exploited. That is with the best will in 
the world.
    At the same time, in the last 20 years, I think, as the 
President's efforts to name and shame China and other attackers 
have demonstrated, there is plenty of name but not a lot of 
shame on the other side. This has been an enormously productive 
intelligence source and it is an enormous weapon that can be 
used against the United States if we get into a shooting war 
that our adversaries would like to get us out of. Everything 
that can be exploited for espionage purposes can be exploited 
for sabotage purposes.
    Our systems can be made to break causing great harm to 
Americans, including potentially deaths here. And we will have 
to face that prospect in the next serious conflict that we face 
internationally because the ability to cause that harm is 
moving down the food chain to the point where Iran and North 
Korea are significant powers in causing this harm.
    So that is the situation that we face. The question is we 
are deep in a hole. Are we going to stop digging? And here is 
the question that we need to face as we look at our supply 
chain. If American companies looking at their own code and 
trying to give us security can't find a way to do that, how 
comfortable are we having companies from countries that are not 
our friends provide the code, provide the hardware? We are not 
going to find those problems. We can't even find all of them in 
the products that we make ourselves here in the United States, 
as witnessed through all of the exploitable vulnerabilities we 
face.
    And so we face the prospect that some of this equipment 
simply is not going to be safe. As we have asked ourselves, how 
do we deal with that problem? It turns out that our tools for 
dealing with it are remarkably limited. I ran the CFIUS 
process; I ran the team telecom process for DHS. Those are very 
limited tools. CFIUS only applies if somebody buys something. 
If they want to sell something here, there is no restriction 
whatsoever. So telecommunications gear can be sold in the 
United States without any review whatsoever.
    We got to the point, I think, actually in the stimulus bill 
where we had provided subsidies to buy telecommunications 
equipment to carriers and they were buying, with our money, 
Huawei and ZTE gear because we had no way to prevent that, but 
at the same time that the U.S. Government was telling Verizon 
and AT&T don't you buy that stuff. So we clearly lack an 
ability to address the problem of infrastructure equipment 
being sold to the United States that we don't think is secure. 
That is the first thing that I think the committee should 
examine.
    Beyond that, I think we have also discovered as we have 
begun looking at this problem that our procurement laws do not 
take into account sufficiently supply chain risk, do not 
require that our contractors take enough account of supply 
chain risk. So if there were two things that I would urge the 
committee to address, it is, one, the limited nature of team 
telecom and CFIUS remedies and the still remarkably limited 
ability of government procurement officers to take account of 
this risk.
    [The prepared statement of Mr. Baker follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.054
    
    [GRAPHIC] [TIFF OMITTED] T5436.055
    
    [GRAPHIC] [TIFF OMITTED] T5436.056
    
    [GRAPHIC] [TIFF OMITTED] T5436.057
    
    [GRAPHIC] [TIFF OMITTED] T5436.058
    
    [GRAPHIC] [TIFF OMITTED] T5436.059
    
    [GRAPHIC] [TIFF OMITTED] T5436.060
    
    Mr. Walden. Mr. Baker, thank you for your testimony.
    We are going to go now to Jennifer Bisceglie, who is 
President and CEO of Interos Solutions, Incorporated. We 
welcome you and look forward to your comments.

                STATEMENT OF JENNIFER BISCEGLIE

    Ms. Bisceglie. Thank you. Good afternoon, Mr. Chairman and 
members of the subcommittee.
    Mr. Walden. I am going to have you move that microphone a 
little closer and make sure the light is on.
    Ms. Bisceglie. It was on.
    Mr. Walden. OK.
    Ms. Bisceglie. Can you hear me now? Good afternoon, Mr. 
Chairman and members of the subcommittee. My name is Jennifer 
Bisceglie, President of Interos solutions. Thank you for 
inviting me to testify on behalf of our industry peers focused 
on supply chain risk management, or SCRM, as we like to call 
it.
    My company Interos is built on 20 years of global supply 
chain and IT implementation experience. Over the past 6 years, 
we have seen the discussions turn from simple compliance to 
resiliency, which is ensuring business operations would 
continue even if the supply chains were interrupted; and now to 
product integrity, which is caused by a manmade malicious 
attack.
    In response to this, Interos has set up a SCRM global 
threat information Center, which offers capabilities to help 
both the public and private sector organizations implement SCRM 
frameworks, conduct supplier audits, and conduct open-source 
research to identify potential threats with current or future 
suppliers.
    I will first share some of our observations and then follow 
those with some recommendations. First, a common definition for 
supply chain risk management and cyber security does not exist, 
nor is there a standard way to measure either challenge. To us, 
the definition of cyber security extends deep into the supply 
chain as cyber capabilities are increasingly reliant on 
globally sourced, commercially produced information technology 
and communications hardware, software, and services.
    To us, cyber security means transparency of where things 
are coming from, where they are going to, and who has access to 
them along the way. That is also the definition of supply chain 
risk management.
    Our second observation is that supply chain risk management 
must be viewed as an investment versus an expense. Interos is 
working with the Department of Energy on their enterprise SCRM 
program. With only three Interos team members supporting the 
entire Department of Energy enterprise, they have an 
infrastructure they can share resources and information 
throughout their entire enterprise now.
    In this case, it is a relatively low-cost investment and 
yields tremendous benefits. Much of the success of this program 
can be attributed to a strong DOE leadership, as well as having 
the ability to work with the Department of Defense's trusted 
systems and network SCRM roundtable and their interagency 
working groups.
    Third, we feel supply chain risk management is successful 
when it is a cultural shift that supports current business 
process and reduces the need to develop new stovepipe processes 
that increase costs and create additional work for the risk 
owner. It is not an issue of being too expensive to do it. It 
is an issue of being too expensive to ignore it.
    Now to our recommendations: from our perspective, Congress 
can take four steps to better protect our Nation's critical 
infrastructure. First, awareness and education has to start at 
the top in order to be adopted by those actually executing the 
mission. In our experience, the level of awareness of the 
challenge varies across federal agencies, as does their level 
of attention to managing their supply chain risk. Awareness and 
education is critical to communicate that supply chain risk 
impacts everyone within the federal infrastructure.
    Second, fund the program, assign someone within each agency 
to own the issue, and measure the success. We have seen SCRM 
focal points, as directed by the Bush and the Obama 
Administrations, being implemented in different areas within 
the agencies. Without the top-down support within the agency, 
without an owner of the concern, and without funding, these 
programs are being bootstrapped and implemented in various 
fashions, not conducive to effective protection.
    Three, the low-cost, low-price technically acceptable 
environment is in direct opposition to a safe and secure 
critical infrastructure unless we are able to accurately define 
our acceptable supply chain risk tolerance at the beginning of 
an acquisition cycle. While we understand the federal budget 
constraints and the temptation to fund program objectives with 
simply the lowest bid, when it comes to cyber security, it is 
not a good strategy. Failure to protect our critical 
infrastructure and educate risk owners on the threats that are 
brought into an organization by buying from unverified sources 
will result in continued and increasingly harmful attacks.
    Last, implement contractual language that works. We 
understand that as part of Executive Order 13636, GSA, NIST, 
and DOD are working with potential recommendations to update 
the FAR language. In addition, there are multiple industry 
associations working on standards for supply chain risk 
management. Doing as much as possible via internal policy 
changes and contractual language as a way to inform suppliers 
of how to do business with you and to mitigate risks coming 
into your organization is a much less expensive way to approach 
the problem than regulation and legislation.
    In conclusion, the solution needs to be viewed as an 
investment in national security, not just another expense. The 
key for industry and government is to work separately on their 
internal enterprise risk tolerance levels through good business 
practices, including awareness training and contractual 
agreements. This will enable each to meet collaboratively and 
have informed discussions about where vulnerabilities lie and 
what it will take to protect our country.
    Thank you for the opportunity to present our views. I look 
forward to answering any questions.
    [The prepared statement of Ms. Bisceglie follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.061
    
    [GRAPHIC] [TIFF OMITTED] T5436.062
    
    [GRAPHIC] [TIFF OMITTED] T5436.063
    
    [GRAPHIC] [TIFF OMITTED] T5436.064
    
    [GRAPHIC] [TIFF OMITTED] T5436.065
    
    [GRAPHIC] [TIFF OMITTED] T5436.066
    
    [GRAPHIC] [TIFF OMITTED] T5436.067
    
    [GRAPHIC] [TIFF OMITTED] T5436.068
    
    [GRAPHIC] [TIFF OMITTED] T5436.069
    
    Mr. Walden. Thank you very much for your testimony.
    We will now go to Mr. Robert B. Dix, Jr., Vice President of 
Government Affairs and Critical Infrastructure Protection, 
Juniper Networks, Incorporated. Mr. Dix, pull that microphone 
right up and thanks for being with us today. We look forward to 
your testimony.

                STATEMENT OF ROBERT B. DIX, JR.

    Mr. Dix. Good afternoon, Chairman Walden, Ranking Member 
Eshoo, and members of the subcommittee. Thank you for inviting 
me to be a participant in today's hearing on the security of 
the communication supply chain.
    As indicated, my name is Bob Dix and I serve as the Vice 
President of Government Affairs and Critical Infrastructure 
Protection for Juniper Networks, a publicly held private 
corporation headquartered in Sunnyvale, California, in 
Congresswoman Eshoo's district.
    I will attempt to address three aspects of this important 
subject of security and integrity of the communication supply 
chain: first, the risk created by government procurement 
practices utilizing unauthorized equipment providers; second, 
supply chain integrity initiatives by industry; and third, 
several recommendations where the government can help improve 
both government and private sector supply chain integrity.
    The government views its commercial supply chain rightly as 
a major element in its risk profile, but many of its risk 
management efforts are not coordinated and were not developed 
in collaboration with industries that share legitimate concerns 
about supply chain security. Today, there are more than 100 
different initiatives around supply chain in the government.
    Also as we sit here today, the government continues to make 
purchases from untrusted and unauthorized sources. The urge to 
save money pushes agencies to brokers and other gray market 
suppliers that are not part of the authorized or trusted supply 
chain for original equipment manufacturers. This is in also an 
area where much mischief takes place for both counterfeiters 
and those attempting to penetrate the government supply chain 
with malicious intent.
    Interestingly, when the government purchases equipment and 
then identifies it as counterfeit, it often assumes the OEM has 
a gap in its supply chain, pointing fingers at the private 
sector when in many cases they need to be looking in the 
mirror. The government does not instead ask why it bought 
sensitive ICT products from an untrusted source.
    I have included in my written statement several real-life 
examples just that Juniper Networks has experienced which are 
illustrative of this challenge, but time today does not permit 
me to go through each one of those. But I hope you will take a 
chance to look at those.
    While Juniper understands the importance of improving 
supply chain assurance for the Federal Government, it often 
appears that the government itself does not understand the 
enormous investment that many in the private sector make to 
protect the integrity of their supply chain. It is in our 
business interest. It is a market differentiator. Juniper, like 
many companies, has a supply chain assurance and brand 
integrity program for securing our products and supply chain. 
We employ best practices for security from organizations 
including the Open Groups, Trusted Technology Forum, AGMA, and 
Safeco to name a few. This includes component integrity, 
traceability of products, anti-counterfeit measures, and much 
more.
    As is clear from the variety and breadth of the standards, 
bodies, and organizations that industry relies on, many 
companies believe that a variety of standards and best 
practices contribute to supply chain integrity. But as 
discussed earlier, there is also compelling evidence that there 
are gaps and contradictions in the government's policies and 
practices that contribute to supply chain risk. Here are a 
couple of proposals that, if addressed, could have immediate 
impact on securing the communication supply chain. First, the 
Executive Branch, at the urging of this committee, of course, 
should issue a directive requiring federal departments and 
agencies to purchase only from trusted and authorized sources, 
especially for mission-essential functions, unless there is 
some compelling reason to go outside of that channel. If there 
is such a compelling reason, the purchaser should be required 
to put a justification and authorization in writing. It is low-
hanging fruit; we should do it immediately.
    Second, the government should require that small business 
vendors be certified as authorized resellers and partners. 
Requirements pertaining to small business set-asides also have 
the secondary impact of causing procurement officers to pursue 
acquisitions through providers who are not part of the 
authorized and trusted supply chain.
    We all understand the importance of small businesses to the 
government's industrial base and to the economy in general. It 
is important to recognize that bad actors also exploit our 
reliance on small business as a means of entry. Counterfeiters 
and others attempt to introduce their tainted equipment into 
our critical infrastructure through small business enterprises.
    Third, members of this committee have been involved in 
attempting to pursue better information-sharing. We support 
CISPA and we appreciate all the good work here and hope that 
you will support moving that bill through the Senate.
    While we are working on legislation to break down barriers 
to improve timely, reliable, and actionable situation 
awareness, there is a step we could take immediately. We 
continue to hear that the government has significant concerns 
about supply chain and the threat to national and economic 
security. The government has access to case studies of 
successful, unsuccessful, interrupted, or disrupted attempts to 
perpetrate network intrusions through the supply chain. We 
should take those lessons learned from those experiences and 
share the tactics, techniques, and procedures, not sources and 
methods that cross over into the classified space that we can 
learn from and better inform the community in their own risk 
management decision-making.
    There are a couple of others in my testimony I hope that we 
will get to in the questions. But on behalf of the 9,000 proud 
employees of Juniper Networks, I thank you again for the 
opportunity to participate in this important discussion. 
Industry looks forward to continuing the collaborative 
relationship with Congress and the Administration on this 
important issue. I welcome your questions.
    [The prepared statement of Mr. Dix follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.070
    
    [GRAPHIC] [TIFF OMITTED] T5436.071
    
    [GRAPHIC] [TIFF OMITTED] T5436.072
    
    [GRAPHIC] [TIFF OMITTED] T5436.073
    
    [GRAPHIC] [TIFF OMITTED] T5436.074
    
    [GRAPHIC] [TIFF OMITTED] T5436.075
    
    [GRAPHIC] [TIFF OMITTED] T5436.076
    
    [GRAPHIC] [TIFF OMITTED] T5436.077
    
    [GRAPHIC] [TIFF OMITTED] T5436.078
    
    [GRAPHIC] [TIFF OMITTED] T5436.079
    
    [GRAPHIC] [TIFF OMITTED] T5436.080
    
    [GRAPHIC] [TIFF OMITTED] T5436.081
    
    [GRAPHIC] [TIFF OMITTED] T5436.082
    
    [GRAPHIC] [TIFF OMITTED] T5436.083
    
    Mr. Walden. Mr. Dix, thank you very much.
    They have called the votes. I believe they have, right? And 
so we will recess at this point. So close, Mr. Rothenstein, so 
close. And then we will come back and start with you and get to 
our other two witnesses, and then Q&A. So thank you for your 
patience and we will be back shortly.
    [Recess.]
    Mr. Latta [presiding]. I would like to call the 
subcommittee back to order. And I believe next in order of our 
witnesses is Mr. Rothenstein, and thanks very much for being 
here today. We appreciate your testimony.

                 STATEMENT OF DAVID ROTHENSTEIN

    Mr. Rothenstein. My pleasure. I hope that delay only served 
to build anticipation of my testimony.
    Vice Chairman Latta, Ranking Member Eshoo, members of the 
subcommittee, my name is David Rothenstein and it is my 
pleasure to appear before you today. I serve as senior vice 
president and general counsel of Ciena Corporation, a publicly 
held Maryland-based provider of equipment software and services 
that support transport and switching, aggregation management 
and voice, video, and data traffic on communications networks. 
Our products are used by communications network service 
providers, cable operators, governments, and enterprises across 
the globe.
    Today, a number of current market trends, including the 
proliferation of smartphones, tablets, and mobile devices, are 
substantially increasing the demand on networks. This means 
that Ciena must deliver faster, more efficient, and more secure 
equipment to our customers to help them meet their end-user 
requirements.
    As with most technology companies, our success is largely 
driven by our innovation. Our global patent portfolio is our 
lifeblood and it enables us to develop leading-edge solutions 
and get new products to market quickly. In order to support 
this continuous innovation and because our equipment sits in 
critical infrastructure networks around the world, Ciena's 
executive team spends a lot of time looking at the intersection 
of cyber security and supply chain.
    Because our customers demand best-in-class product delivery 
lead times, quality and performance, security of supply, and 
product security and integrity, we have taken steps during the 
past few years to transform and optimize our supply chain 
operations. These changes have enabled us to use our supply 
chain as a differentiator in the market.
    One example of these changes has been our focus in 
designing and manufacturing equipment and software that meets 
or exceeds the security needs of our customers. For years, our 
customers have generally inquired with us about the security, 
integrity, and assurance of their networks. With this in mind, 
in 2011 we performed a detailed analysis of our supply chain 
that considered a range of factors.
    As a result of this analysis, we decided at that time to 
begin a gradual exit from China of key elements of our supply 
chain. This was not an easy decision. China represents one of 
the largest and fastest-growing markets for communications 
equipment in the world. And the country is home to the 
fabrication facilities that produce many of the components that 
go into our products. However, based on what we knew about our 
products, our customers, and the business and security 
environment in China, we decided to make this change.
    In contrast to some of our peers, we weren't as concerned 
about the potential adverse impact of this decision on our 
sales opportunities in China. Several years ago, because of the 
significant barriers to entry and the technology transfer 
requirements to do business in China, we decided not to pursue 
a go-to-market sales strategy in that country. We are now 
almost 2 years into our supply chain transformation. By the end 
of 2013, we will have transitioned all of the manufacture and 
assembly of our products and a sizable portion of our global 
spend on finished and semi-finished assemblies from China to 
other jurisdictions, primarily Mexico and Thailand. In so 
doing, we have increased the velocity of our supply chain, 
solidified our security of supply, and insured the security and 
assuredness of our products. At the same time we have remained 
very competitive in the market from a cost standpoint.
    There are some parts that we continue to source from China. 
We are in active discussions with our major vendors as to their 
plans for transitioning out of China, largely to address issues 
relating to counterfeit goods and intellectual property 
infringement. We are less concerned about the security 
vulnerabilities of these products even if they are primarily 
passive products that are neither programmable nor capable of 
being embedded with damaging computer code or malware.
    At the same time, we have taken extensive steps to ensure 
the integrity of the active or programmable components in our 
products. We require now that these components are sourced from 
outside of China. We maintain rigorous and internal practices 
and capabilities that enable us to identify any issues with 
respect to the security of our components. And by implementing 
strict controls over our own software developments and by 
ourselves performing the final testing and validation of the 
software loaded on to our products, we ensure the integrity of 
our software, which is the critical element that controls and 
manages our products and our customer's networks.
    In conclusion, Ciena applauds the Subcommittee for taking 
on this issue. In our case, we proactively elected to make 
changes to our supply chain and not to wait for legislation, 
regulation, or the Administration's implementation of the 
recent Executive Order on cyber security. Instead, we talked to 
our customers, conducted a thorough business analysis and risk 
assessment, and made a decision that we continue to implement 
today. While this strategy may not necessarily work for others, 
it has worked effectively for us. It makes good business sense 
and delivers additional security for our customers and for 
their networks.
    With that, I conclude my remarks and am pleased to take any 
questions.
    [The prepared statement of Mr. Rothenstein follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.084
    
    [GRAPHIC] [TIFF OMITTED] T5436.085
    
    [GRAPHIC] [TIFF OMITTED] T5436.086
    
    [GRAPHIC] [TIFF OMITTED] T5436.087
    
    [GRAPHIC] [TIFF OMITTED] T5436.088
    
    [GRAPHIC] [TIFF OMITTED] T5436.089
    
    [GRAPHIC] [TIFF OMITTED] T5436.090
    
    [GRAPHIC] [TIFF OMITTED] T5436.091
    
    [GRAPHIC] [TIFF OMITTED] T5436.092
    
    [GRAPHIC] [TIFF OMITTED] T5436.093
    
    Mr. Latta. Well, thank you for your testimony.
    And our next witness is Mr. John Lindquist, President and 
CEO of EWA Information and Infrastructure Technologies, Inc. 
Good afternoon and thanks for testifying.

                  STATEMENT OF JOHN LINDQUIST

    Mr. Lindquist. Thank you, Mr. Vice Chairman, members of the 
committee. Thank you very much for the opportunity to testify.
    As we all know, the security of our telecom systems is in 
fact very critical. We are aware of the myriad threats to the 
U.S. and the threat is real but is not limited to a single 
country, geographic area, or organization. Protection is made 
difficult because the supply chain for electronic systems and 
devices in general and specifically telecommunication systems 
is truly global. Most of the telecom system vendors have very 
large footprints in China and elsewhere around the globe, and 
many of these worldwide locations are easily and directly 
accessible by the various threat nations and organizations.
    Furthermore, it is the nature of the system development to 
make use of software routines and hardware components that are 
generally available in the market, and it is virtually 
impossible to determine the pedigree of all of the hardware and 
the software that goes into a telecommunications system. Our 
adversaries are professional, highly technically capable 
intelligence organizations or sophisticated criminals, neither 
of which would have any difficulty circumventing a trusted 
supplier system.
    To address the security dilemma effectively, an evidence-
based security process should be applied, that enables an 
informed judgment that an adequate level of assurance has been 
provided that the system is free of malicious features and does 
not contain serious security defects; and that is without 
regard to origin of the system.
    IIT had been selected by several telecommunications 
carriers as an independent evaluator to implement such a 
process. The process we are implementing is comprised of two 
major phases. The first is an in-depth security assessment of 
the system software, hardware, and firmware to include all 
patches, upgrades, and modifications as they occur.
    The second phase is a delivery process that ensures that 
the deployed system and all patches, upgrades, and 
modifications are exactly the ones that were evaluated and 
determined to be suitable and acceptable. The key features of 
the process include: willing participation of the developer and 
vendor; a trusted independent evaluator; direct coordination 
between and among the stakeholders, particularly the telecoms 
and the concerned government agencies and the evaluator without 
interference or necessarily knowledge of the vendor; correction 
of unintentional defects before deployment; immediate 
involvement of law enforcement if evidence of malicious intent 
is discovered; and a delivery system that ensures that the 
system delivered matches the evaluated system and prevents the 
vendor or any other un-presented party from accessing the 
system during or after delivery; and finally, a scheme for 
monitoring the system after deployment.
    In our case, the vendors have been very willing to comply 
because compliance was a condition of the sale to the 
telecommunications carrier. Under those contracts, they provide 
us the design documentation, source code, the complete set of 
sample components, replication of the compilation environment 
for their software and firmware, advance notice of all design 
changes, patches, and modifications, and access to their 
development facilities to provide us the understanding of their 
process.
    We were selected because of our intimate knowledge of the 
threat. We have a comprehensive process with clear analytical 
and reporting criteria that explicitly addresses the evolving 
threat. We have secure facilities. We use exclusively U.S. 
personnel, who have been vetted through the U.S. security 
clearance process, and we have a staff fully qualified and 
equipped to perform the evaluations.
    The contracts in each case specifically provide for the 
direct private communication between the evaluator and 
stakeholders. Telecommunication carriers, by contractual 
mandate, are the primary beneficiary of our work. A condition 
of acceptance is a report from us describing what we did, the 
faults found, the correction implemented, and any residual 
risk, and we are free to discuss any issues directly with the 
telecom and the government.
    In our lab, we subject the system to a detailed analysis, 
both a static analysis of the software and a dynamic testing of 
the software and hardware. There have been thousands of defects 
found and mitigated, not all of these in Chinese systems; as a 
matter fact, many of them in systems that currently exist in 
the telecommunication system.
    The software is delivered directly from us to the networks. 
The hardware is subjected to a random sampling process, and the 
firmware is either delivered directly from us or the boards are 
re-flashed by us, all again to make sure that the delivered 
software is what we evaluated. Our recommendation is that some 
evidence-based security process like this is included in the 
government's approaches, including the NIST security framework 
and other programs across the government.
    Thank you very much.
    [The prepared statement of Mr. Lindquist follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.094
    
    [GRAPHIC] [TIFF OMITTED] T5436.095
    
    [GRAPHIC] [TIFF OMITTED] T5436.096
    
    [GRAPHIC] [TIFF OMITTED] T5436.097
    
    [GRAPHIC] [TIFF OMITTED] T5436.098
    
    Mr. Latta. And thank you very much for your testimony.
    Our next witness will be Dean Garfield, President and CEO, 
Information Technology Industry Council. And Mr. Garfield, you 
are recognized for 5 minutes.

                   STATEMENT OF DEAN GARFIELD

    Mr. Garfield. Thank you, Mr. Chairman, since I see him 
walking back in, Mr. Vice Chairman, and Ranking Member Eshoo. 
On behalf of the world's most dynamic and innovative companies, 
I would like to thank you for all that this subcommittee and 
committee does on the issues that are most important to us and 
for spotlighting this issue today.
    Supply chain integrity and assurance is core to who we are 
and what we do. It is a business imperative. And so we are 
encouraged to see the formation of a bipartisan working group 
and look forward to working with you. Your first principle, 
which is do no harm, is a good credo for all of the work that 
we do in this area.
    I submitted testimony for the record and so I will focus my 
oral testimony today on three areas: one, providing a window 
into our supply chains; two is sharing some of the things we do 
both as individual companies and as a sector to ensure supply 
chain integrity; and then, third, to make some recommendations 
where Congress can be helpful.
    I have the privilege of working for companies that are 
truly transforming the world. The products and mobile devices 
that we all walk around with every day are more powerful today 
than ever before. In fact, the mobile device that we all carry 
around has more processing power than the Apollo 11, or even 
more recently, the Mars rover. Those mobile devices are 
presented under a singular brand but they include hundreds, and 
in some cases, thousands of components.
    To ensure that we are providing our consumers with the best 
products at the best prices, those components are sourced in 
the United States and in fact around the world as well to 
ensure that the services and the products that we deliver are 
consistently of the highest quality and that our global supply 
chains are highly integrated.
    With that in mind, any change, risk mitigation, or 
otherwise around supply chain assurance is carefully calibrated 
and we would highly encourage that any advocacy or policy 
advance in this area be carefully calibrated as well.
    The industry engages--both as individual companies and as 
well as a sector--in a number of steps to both manage and 
mitigate risk. As individual companies, they adopt and 
integrate best practices on a continuous and systemic basis 
that includes instilling and teaching secure sourcing, 
instilling and teaching secure coding, instilling and teaching 
identification authentication among a host of steps that are 
taken, some of which have been talked about by the other 
panelists generally.
    As well, those individual steps that are taken by specific 
companies are complemented by industry-wide, sector-wide 
activities both through standards activities, and also through 
consensus-based voluntary global standard-setting 
organizations, such as ISO and IEC, which have advanced a 
number of standards that are quite relevant in this area, 
including the common criteria which is focused on product 
assurance or through standards that are focused on not products 
but the processes as well that complement those products, 
including the Open Group Trusted Technology Forum.
    It is important to note that in both instances our 
government and other governments have an important role to play 
and do engage in those consensus-based voluntary global 
standards-setting organizations. In fact, over 26 countries 
have adopted the common criteria as a part of their government 
procurement practices. And so while eliminating or not 
mandating requirements on the private sector, which we strongly 
discourage, they are able to ensure that the government 
procurement processes benefit from the best practices of the 
private sector.
    So where are the gaps and what can government do? We would 
recommend four things: one is ensuring that where you are and 
we are creating the proper incentives for the effective 
implementation of the cyber security Executive Order from the 
White House that was issued earlier this year. That Executive 
Order charges the DOD and the General Service Administration, 
GSA, to look at ways of integrating best practices and 
standards from the private sector into the government 
procurement practices. It would be useful to create incentives 
to make sure that happens appropriately.
    Second is your oversight power. As Mr. Dix pointed out, 
there are hundreds of initiatives within the public sector 
focused on product assurance, gaining some order and ensuring 
that the private sector input is integrated into those efforts 
is critically important.
    Third is through sourcing. Ensuring that through government 
procurement, the government is sourcing from original equipment 
manufacturers and their authenticated suppliers is critical in 
order to have the kind of products assurance that we all have 
in mind.
    And then fifth and final is making sure that we get an 
information-sharing bill similar to the one that has made its 
way through the House passed through the Senate as well.
    Thank you very much.
    [The prepared statement of Mr. Garfield follows:]

    [GRAPHIC] [TIFF OMITTED] T5436.099
    
    [GRAPHIC] [TIFF OMITTED] T5436.100
    
    [GRAPHIC] [TIFF OMITTED] T5436.101
    
    [GRAPHIC] [TIFF OMITTED] T5436.102
    
    [GRAPHIC] [TIFF OMITTED] T5436.103
    
    [GRAPHIC] [TIFF OMITTED] T5436.104
    
    [GRAPHIC] [TIFF OMITTED] T5436.105
    
    Mr. Latta. Thank you, Mr. Garfield, for your testimony. 
And, Mr. Chair, do you want to resume the chair?
    Mr. Walden. Or I can just ask questions from here if you 
want to wield that big gavel there.
    Mr. Latta. Yes. Well, with that then the vice chair will 
recognize the chairman of the subcommittee for his 5 minutes of 
questions.
    Mr. Walden. Thank you, sir, and thanks for filling in and 
getting the hearing going back from the votes. I got detained, 
as occasionally happens on the floor.
    Mr. Garfield--first of all, thank you to all of our 
witnesses--but I appreciated your comments. Our networks and 
the threats they face are varied, as you know, and they are 
ever-changing, as you reference in your testimony. So how do we 
secure our supply chain without losing the flexibility that is 
critical to both how our communication networks function and 
then how to defend them? What do you recommend here?
    Mr. Garfield. You put your finger on the idea of the point 
of drawing balance. I think building on the best practices that 
are being developed in the private sector and integrating those 
into the government procurement efforts. There are a number of 
standards-based initiatives that are moving forward, 
specifically focused on product assurance in supply chains. And 
so I would strongly encourage taking advantage of those best 
practices and integrating them into our government procurement 
practice.
    Mr. Walden. You know, I have another question here that 
plays on this a bit for Ms. Bisceglie and Mr. Baker and you, 
Mr. Garfield. Sometimes it appears the government sort of has 
an ad hoc process if you will when it comes to protecting the 
supply chain. A high-ranking official will place a call or 
write a little letter to a company suggesting that the company 
not do business with a particular vendor or a particular piece 
of equipment. I have actually had experience with that with a 
constituent. So do we need a more formalized process, which 
raises all kinds of questions as to who is making those 
decisions and all, but both as a matter of good process for 
equipment buyers and sellers to ensure that the measures are 
effective? And then how would you formalize that process?
    And I don't want to hobble, you know, the fast-paced 
communications industry with a lot of bureaucracy, and red 
tape, and approval processes either. We fight that in other 
sectors and you certainly don't want it here. And it gets back 
to the hearings that we held that said, you know, first do no 
harm in this area. Bad guys will get ahead of us and we will be 
locked into old laws and rules. So is there a way to strike a 
balance here? And what do you recommend?
    Ms. Bisceglie. I am happy to go first.
    So I do agree we need to have--I think it is a separate 
slippery slope----
    Mr. Walden. Yes.
    Ms. Bisceglie [continuing]. As you just mentioned. And I 
think that there are different levels. There is a varied way to 
put in a formalized process and I personally believe or we 
personally believe there is no one-size-fits-all, but we like 
to talk about frameworks.
    Mr. Walden. Right.
    Ms. Bisceglie. And that framework consists of training and 
awareness, which I talked about earlier----
    Mr. Walden. Right.
    Ms. Bisceglie [continuing]. Which is a very big thing. 
Folks need to understand what the risk is that we are all 
talking about.
    Mr. Walden. Right.
    Ms. Bisceglie. Additionally, I think that the thing that we 
have seen over the last 6 years is that organizations, both 
public and private, really struggle with understanding their 
internal risk tolerance. So how much risk can I actually accept 
into my organization----
    Mr. Walden. Like anything else.
    Ms. Bisceglie [continuing]. And that is not necessarily a 
single risk number of 1 to 5. It can be based on the essential 
function of that organization and if it has multiple functions, 
then it gets prioritized, if you will, into the different 
programs that that organization conducts as well as the systems 
that support that. And then underneath that, I think you do 
have some sort of a formal process. It gets really simple to us 
and that it really goes back to just really good business 
practices and understanding who you are buying from.
    Mr. Walden. Right.
    Ms. Bisceglie. But unless you can look at an organization 
and understand where their vulnerabilities exist and have a 
process to go through that, I think it is a very difficult 
place to go. I do think that that last-minute, that 3:00 a.m. 
phone call is again a very dangerous place to be.
    Mr. Walden. Mr. Baker?
    Mr. Baker. So I completely agree we can't just start 
regulating----
    Mr. Walden. Right.
    Mr. Baker [continuing]. The private sector and tell them 
how to do this. At the same time, if we rely exclusively on the 
government communicating informally about its concerns, you run 
the risk that the people who want to make these sales will just 
keep lowering the price and lowering the price.
    Mr. Walden. Right, we have seen that.
    Mr. Baker. Hard to resist. And so I would suggest that 
there needs to be authority for the government at a minimum to 
ask questions. What is in your supply chain?
    Mr. Walden. Right.
    Mr. Baker. You know, what products are you buying? And to 
communicate where they have a strong basis, that is not 
acceptable. We know enough to know that that is a risky place 
to buy your equipment, so don't do it.
    Mr. Walden. I will show a little ignorance here, but is 
there sort of a range of equipment in the system that there is 
some that is more important to make sure you get right than 
others, or is it just everything matters?
    Mr. Baker. There is a view abroad and in the industry as 
well in telecommunications that the core is your most important 
product----
    Mr. Walden. Right.
    Mr. Baker [continuing]. And you cannot compromise the core 
and that the edge is less risky because fewer people are----
    Mr. Walden. Do you agree with that?
    Mr. Baker [continuing]. For any particular system. I am not 
sure in an internet world as the edge gets smarter and smarter 
that that is a distinction that holds up as well as we would 
like it to. But that is certainly something that we have seen 
in other telecommunications decision-making.
    Mr. Walden. I know Mr. Garfield didn't get a chance to 
respond but I also know my time has run out so--yes, you have 
got to watch this vice chair. He is mean with that gavel. Do 
you have anything to add to that, Mr. Garfield?
    Mr. Garfield. I do. I think there are two specific 
processes----
    Mr. Walden. Yes.
    Mr. Garfield [continuing]. That would be useful. One is a 
process that is being set up through CISPA if it is passed 
through the Senate----
    Mr. Walden. Right.
    Mr. Garfield [continuing]. Which is a formal process for 
information-sharing through the government with the protections 
necessary to make sure that information-sharing takes place.
    The second is that the Executive Order sets up a process 
through the Department of Defense and General Service 
Administration. And so creating ways to incentivize the success 
of that, which Congress can still do, I think is critically 
important.
    Mr. Walden. All right. Thank you very much and I yield back 
the deficit balance of my time.
    Mr. Latta. The chairman is so recognized. The chair now 
recognizes the gentlelady from California and the ranking 
member, Ms. Eshoo, for 5 minutes.
    Ms. Eshoo. Thank you, Mr. Chairman. It is nice to see you 
in the chairman seat, and you are always a gentleman and I 
appreciate that.
    Mr. Walden. Reserving the right to object.
    Ms. Eshoo. Well, the same applies to you Mr. Chairman. The 
same applies to you. Not to worry, not to worry. Thank you to 
all the witnesses. Let's see, two, four, six, seven people 
have, you know, each in your own way have come in with 
something that has some refinement to it that helps to not 
necessarily bring closure but get us to focus on the areas that 
are really important for us to focus on when it comes to a 
public role of national security and the integrity of the 
supply chain. So I thank you.
    I have a lot of questions. Let me start with--and Mr. 
Lindquist is probably not going to be surprised with the 
Electronic Warfare Associates, that is quite a name. Warfare 
Associates. How about Peace-fare Associates? But I guess that 
doesn't work as well. Now, I understand that your company 
vetted Huawei's equipment and you gave it your seal of 
approval. I might add that the more I have heard witnesses 
speak, the more I think the government really needs to have 
some kind of list of essentially a good housekeeping seal of 
approval on it because small companies especially really need 
to have some help and direction so that they are not caught in 
some kind of seamless web.
    But can you explain the service you provided Huawei and 
what ongoing monitoring you have conducted to maintain your 
certainty that their equipment is safe to use? And did Huawei 
pay you for this? And, I mean, if they did, you know, I don't 
know where that places the veracity of the report. I mean, it 
could be--I am not saying that is--but it could be the 
equivalent of what happened on Wall Street when the rating 
agencies were paid to give some of these, you know, too-big-to-
fail great, great ratings. But they paid for them. And so, you 
know, in the aftermath and the rubble of the aftermath, that 
didn't sound so good. It didn't feel so good and really wreaked 
a lot of havoc. Did Huawei pay you for the report? And then the 
rest of my question.
    Mr. Lindquist. First of all no, Huawei did not pay for----
    Ms. Eshoo. You did this voluntarily for them?
    Mr. Lindquist. No, the telecommunications carrier paid for 
it.
    Ms. Eshoo. And who was that?
    Mr. Lindquist. I am not at liberty to disclose that because 
we have an NDA with them. If I get their permission, I can tell 
you easily who it is.
    Ms. Eshoo. I see. That is interesting.
    Mr. Lindquist. But it is one of the major----
    Ms. Eshoo. Yes.
    Mr. Lindquist [continuing]. Telecommunications companies. 
And----
    Ms. Eshoo. An American telecommunications company?
    Mr. Lindquist. American telecommunications company.
    Ms. Eshoo. Yes.
    Mr. Lindquist. Secondly----
    Ms. Eshoo. Can you tell us this? Is it an American 
telecommunications company that buys equipment from Huawei?
    Mr. Lindquist. They are in the process of doing that. The 
equipment, in answer the second part of your question----
    Ms. Eshoo. Yes.
    Mr. Lindquist [continuing]. We are in the process of 
evaluating their system. The evaluation is by no means complete 
and we are only evaluating the radio area network portion of 
it. There are numerous reports. We do not give a seal of 
approval. What we do is take the known threats and we have very 
good access through some of our work within the government to 
the agreed list of cyber threats and what----
    Ms. Eshoo. Well, do you get your information from the 
intelligence community or Homeland Security?
    Mr. Lindquist. The intelligence community.
    Ms. Eshoo. This is so interesting. So you do a report that 
vets Huawei, who wants to more than get a toehold which have 
for years and it is very public and deeply concerned about. You 
are paid by an American major telecommunications corporation 
that is looking to buy Huawei's equipment and you work with the 
intelligence community to see with the shortfalls are and vet 
it and say that the equipment is terrific for the American 
market. Have I gotten that straight?
    Mr. Lindquist. Well, except that we don't say it is 
terrific or----
    Ms. Eshoo. What did you say?
    Mr. Lindquist. What we do say is what we looked at and what 
we found, and if we found things, what corrections were made.
    Ms. Eshoo. I see. See, my issue on all of this is not 
whether their equipment is good or not. That is not the point. 
The point is that our infrastructure is so precious to this 
country and it is a part of our national security. There is no 
question about it. And so does it pose a threat? If so, how? 
You know, maybe they make some of the best equipment in the 
world but that is not my point. That is not my point at all. So 
it is interesting what you just said.
    And let me ask all the witnesses and you can just give me a 
yes or no. Should there be transparency requirements, including 
divestments in state ownership placed on companies seeking to 
sell telecommunications infrastructure equipment to U.S. 
network providers? And should this be a U.S. or an 
international standard? Maybe it is hard to answer yes or no 
but----
    Mr. Goldstein. I don't think I can give you a yes or no, 
ma'am. I think, particularly from our perspective, we didn't 
look at those issues specifically. It is something we are happy 
to talk to staff about.
    Ms. Eshoo. I want to thank you for your work, too.
    Mr. Goldstein. Thank you.
    Ms. Eshoo. Yes.
    Mr. Baker. I do think that as we adjust to a world where 
there really are no telecommunications integrators in the 
United States, we need authority to ask for quite a bit of 
information from the people----
    Ms. Eshoo. Yes.
    Mr. Baker [continuing]. Who are supplying that technology.
    Ms. Eshoo. Thank you.
    Ms. Bisceglie. I absolutely agree. I think transparency is 
the key and you liken it to--if you look at what is happening 
with the pharmaceutical agencies within your actual State----
    Ms. Eshoo. Yes.
    Ms. Bisceglie [continuing]. That the pharmaceutical law, 
the E-Pedigree law of 2015 that has everybody looking at 
transparency, I think there are lessons to be learned there.
    Ms. Eshoo. Yes. OK.
    Mr. Dix. Transparency is important and having a standard 
that provides certification and accreditation like a 
whitelisting type of opportunity would be very valuable to this 
process.
    Ms. Eshoo. Thank you.
    Mr. Rothenstein. Yes, we would agree. We would support some 
level of transparency and I think, frankly, Ranking Member 
Eshoo, you hit the nail on the head. It is less about the U.S. 
Government and about the large service providers who have a lot 
of know-how----
    Ms. Eshoo. Yes.
    Mr. Rothenstein [continuing]. The resources, and are 
knowing smart buyers of telecom equipment understand the risks. 
It is more about other critical infrastructure owners and 
operators, the alternative operators, the enterprises who may 
not have the same level of understanding and resources where 
the transparency really is going to be important.
    Ms. Eshoo. It is helpful. Yes.
    Mr. Lindquist. As I said earlier, I would reiterate 
transparency is important. That is why in the process that we 
implement we are looking at all the design documentation behind 
the various systems to ensure that there is no inexplicable 
capability or functionality within the system.
    Mr. Garfield. I work in the tech sector so, of course, we 
believe in transparency. I don't have an answer as it relates 
specifically to this issue.
    Ms. Eshoo. Thank you. Thank you, Mr. Chairman, for your 
patience. Thank you to all the witnesses.
    Mr. Latta. Thank you very much. The gentlelady yields back 
and the chair recognizes himself now for 5 minutes.
    And if I could start with Mr. Goldstein, I found it kind of 
interesting in your testimony on page 5 where you state that 
other countries such as Australia, India, and the United 
Kingdom are similarly concerned about emerging threats to the 
commercial communication networks posed by the global supply 
chain, have taken actions to improve their ability to address 
this security challenge. What exactly have those three 
countries done?
    Mr. Goldstein. There are three countries--there are many 
others----
    Mr. Latta. Right.
    Mr. Goldstein [continuing]. That we don't get into here. 
But Australia has developed a regulatory reform proposal that 
they expect to put in place shortly that would allow the 
government to have more authority to examine what companies are 
doing, what they are buying, how they document their purchases, 
take a look to make sure that those companies are competent in 
putting networks together, and if the government does not feel 
that they are doing it in a way that can be secured, that they 
can ask them to do more. They can require them to do more than 
they are doing and it has enforcement powers and potential to 
find those companies that don't do it. That is a proposal that 
is likely to pass soon.
    India has a very similar reform program in place. Where it 
differs is that they have also proposed requiring--certainly 
encouraging and in many cases requiring much of their equipment 
to be made and tested in the country and could not be obtained 
elsewhere. That particular part of the proposal has been put on 
hold because the United States and some other countries have 
objected because of potential barriers to trade.
    And the United Kingdom has put in place a very similar 
program to the one that Australia is now contemplating to have 
a greater regulatory review over the practices and actions of 
companies putting networks in place, which also has authorities 
for them to go in and look very specifically at what they have 
done and how they are going to get assurance that those are 
secure networks, as well as to be able to enforce actions that 
they feel would be necessary if those companies did not do as 
much as they probably should be doing.
    Mr. Latta. Thank you.
    Mr. Rothenstein, if I could turn to your written testimony. 
I thought it kind of interesting where you had also had 
mentioned that in 2011 your company had made a conscious 
decision to gradually exit key elements of your supply chain 
from China. And at the time over 1/5 of your global chain at 
that time originated in China. You go on to state that, you 
know, you are looking at other jurisdictions that you are 
moving into now in Mexico and Thailand. I am just curious. How 
is that working out, and what have you found so far with that 
transition?
    Mr. Rothenstein. So in terms of the actual specific--so you 
are right. About 20 percent at the time of our manufacturing 
assembly of our supply chain originated in China and it is now 
down to less than 1 percent. And in terms of the procurement to 
finished to semi-finished assemblies, that was about 65 to 70 
percent of the supply chain 2 years ago. That is now below 50 
percent. The part that we attacked, as I mentioned in my 
testimony, was that relating to active or programmable 
components.
    In terms of how it has gone, it has gone very, very well. 
We have partnered effectively with two of our long-standing 
contract manufacturers in Mexico and one in Thailand. We have 
improved the velocity of our supply chain. It is a lot quicker 
to get equipment to our key North American market when you are 
driving it by truck over the border as opposed to the slow boat 
from China. We have been able to essentially achieve cost 
parity in terms of labor rates and landed cost rates largely 
because those contract manufacturers had existing facilities in 
those locations.
    And as a result of that, we have been able to, in addition 
to velocity maintaining cost parity, we have gotten tremendous 
positive feedback from our customer base in terms of that 
supply chain strategy. They viewed very positively our thought 
process, our decision, and they have given us direct feedback 
that they view with a greater level of comfort, security, and 
assuredness of the risk profile of our equipment to their 
networks.
    Mr. Latta. And in the balance of my last 27 seconds if I 
could turn to Mr. Lindquist, what are the different challenges 
in protecting the software and hardware supply chain and is one 
more vulnerable than the other?
    Mr. Lindquist. What are the different challenges in 
protecting it?
    Mr. Latta. In protecting the software and hardware supply 
chains and is one more vulnerable than the other?
    Mr. Lindquist. I think the current state of affairs--and it 
is referring to the second question first--I think the software 
is more vulnerable. I think there are more people who have 
perfected techniques for exploiting software than in the 
hardware. It is also easier to do at any stage in the process.
    And what we are endeavoring to do is to separate the vendor 
from the products so that once the system has been determined 
to be secure enough, and there is always some residual risk, 
that the vendor no longer has access to that system to 
introduce any new malicious capability into the system.
    Mr. Latta. Well, thank you very much. And my time has 
expired.
    And the chair would now recognize the gentleman from 
Illinois, Mr. Shimkus, for 5 minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. Thank you all for 
being here. It is a great committee with high-tech things. I 
always joke that for my colleagues who don't have teenagers, 
then the government ought to issue them one because that helps 
you figure out how this stuff works.
    The hearing this morning was on cyber security, too, with 
the electric grid and the like. So we had a little debate about 
the cloud, which I understand are server farms and that brings 
some, especially when the government is contracting. And my son 
and I are together on concerns about the cloud. You know, 
everybody thinks it is--but, you know, there are some issues 
there, cyber security and especially if the government is being 
involved and really contracting that space.
    We differ on CISPA and we have had numerous debates. So the 
last time we cast the vote I was home that next morning and he 
comes into the room and he is all grouchy and he is reading all 
of his internet stuff. And he says I don't have to ask how you 
voted on CISPA, Dad. I know how you voted--which I supported. 
And he was none too pleased.
    But my debate or discussion with him is information-
sharing, really on the code system so you could have firewalls. 
And if our intel communities or you guys know something is 
crazy going on out there, you can build a firewall. At least 
you have an idea of what you might expect.
    So, Mr. Garfield, I don't know if it was in your statement 
but in question-and-answers you also talked about information-
sharing. And were you referring to that in the supply chain 
debate that we are having here, that there ought to be 
information-sharing like we would have in firewall protection a 
la like CISPA?
    Mr. Garfield. Yes is the simple answer. Information-sharing 
and passing of risk mitigation information is critical to 
protecting our cyber security generally but also for risk 
assurance in the context of supply chains as well. And so, I 
think, moving CISPA and the information components of that was 
critically important and getting it through the Senate is 
critically important----
    Mr. Shimkus. But the CISPA bill that we are passing--you 
know, correct me if I am wrong--I thought it was just on code. 
Was it also on the supply chain? It could be?
    Mr. Garfield. Yes, it is around sharing actionable 
intelligence----
    Mr. Shimkus. Here on----
    Mr. Garfield [continuing]. On threats and mitigating 
threats.
    Mr. Shimkus. I got another good point for my son then, 
right? I got another good point.
    Mr. Garfield. You can give him my phone number.
    Mr. Shimkus. Good. Great. Good, I always need a little 
help.
    And Ms. Bisceglie, SCRM, now, I have got a new acronym. 
Just what we need, another acronym here in Washington, SCRM, 
which was supply chain----
    Ms. Bisceglie. Risk management.
    Mr. Shimkus [continuing]. Risk management, which is all 
tied into this. I want to follow up with you on this cost 
pressure issue that you raised and how do you think we can 
really address it? I mean if you really want to make sure that 
your equipment is secure, you are willing to pay for it, but if 
you are in a competitive, very fast-moving technological field 
and you want to get market entry and you want to have a low-
cost provider, there is risk involved in that, correct?
    Ms. Bisceglie. There is, and actually, that is when the 
chairman asked his question earlier when we talked about 
putting a framework in place, something that is repeatable and 
scalable. I personally think that is the key, an effort to keep 
the acquisition costs down, because I totally understand the 
need to get procurements done faster, technology to the street 
faster, and into users' hands faster. But unless we have ways 
of understanding what our organizational risk tolerance is so 
that we know what protectionisms we already have in place, it 
is going to be very difficult to really take risky endeavors 
like you are mentioning.
    Mr. Shimkus. And I was also caught by the whole debate. 
There was a pharmaceutical reference which we are involved with 
and the Track-and-Trace legislation----
    Ms. Bisceglie. Yes.
    Mr. Shimkus [continuing]. In maybe some States. Just for 
the record, when some States move to a very controlled system, 
they have to then postpone the enactment date because they 
can't do it----
    Ms. Bisceglie. Yes.
    Mr. Shimkus [continuing]. In that time, which then would 
affect the market in delivery of goods and services. So the 
question is--because what the chairman said to begin with was, 
first do no harm.
    Ms. Bisceglie. Yes.
    Mr. Shimkus. So does the Executive Order and its process 
have the opportunity to do harm in this process? Does anyone 
want to comment? Is there a concern that the Executive Order 
and this rollout and their involvement has an opportunity to do 
harm? Mr. Garfield?
    Mr. Garfield. Yes, there is always risk, right? We are in 
the business of risk mitigation but overall our view is that 
the Executive Order actually creates a framework that advances 
the ball in a very positive way. The fundamental question for 
us is how can Congress complement that and that is what I tried 
to articulate in talking about the things that Congress can do 
to ensure it continues to move in a positive direction.
    Mr. Shimkus. Mr. Chairman, my time is up but I think there 
are a couple more that want to comment.
    Mr. Dix. I would just add many of us want to approach the 
answer to that question with an open mind, but we are taking a 
wait-and-see approach because it is not at the endgame yet and 
there are opportunities along the way for this not to be as 
good as it might be.
    Mr. Shimkus. Always good to trust but verify.
    Mr. Dix. Yes, sir.
    Mr. Shimkus. If no one else wants to jump in, I yield back 
my time. Thank you, Mr. Chairman.
    Mr. Walden. Thank you. Now, I will turn to the gentleman 
from Colorado, Mr. Gardner, for 5 minutes.
    Mr. Gardner. Thank you, Mr. Chairman, and thank you to the 
witnesses for joining us today.
    And, Mr. Baker, I will direct this question to you. 
Questions raised by foreign-directed cyber attacks on U.S. 
institutions suggest that the United States Government must 
give careful consideration to how the national security 
interests are controlled, monitored, and regulated. How 
concerned should we be by the prospect that any critical 
infrastructure provider that serves the core of our national 
security interests could come under foreign control and 
therefore outside the supervision of the U.S. Government?
    Mr. Baker. We have to be concerned about that. It is not 
likely that we will be able to stop globalization of this 
industry so the idea that we can simply say no I think is not 
realistic. But we have to then put in place transparency and 
regulatory authority that makes sure that those companies do 
not serve other nations' interests when they supply us with 
that equipment.
    Mr. Gardner. And in keeping those kinds of concerns in 
mind--and we have seen in the past the mergers of U.S. 
companies with foreign companies--what are some of the national 
security implications of such a purchase then?
    Mr. Baker. So I did this a lot when I was at DHS and indeed 
when I was at NSA. In the telecommunications industry we have a 
well-developed set of rules in which we negotiate a mitigation 
agreement with the buyer if the buyer is a foreign buyer, which 
gives us some control. It is not perfect by any means, and I am 
often unenthusiastic about the results. But it is the tool that 
we have.
    In the context of companies selling products to the United 
States, we have none of those controls unless they actually buy 
a U.S. company so that any company can sell products into our 
critical infrastructure without any regulation or transparency. 
It is only when they try to buy a U.S. company that we have any 
authority at all.
    Mr. Gardner. Reports of stories of foreign-directed cyber 
attacks against U.S. institutions provoke difficult questions 
about the control reaching oversight of the United States 
national security interests. Do you agree that the idea of 
surrendering control of a critical infrastructure provider like 
Sprint to a foreign entity Softbank beyond full U.S. oversight 
deserves very careful consideration and should not be hurried?
    Mr. Baker. It certainly deserves careful consideration. I 
would point out, as I answered to the last question, for many 
the security agencies there will be a temptation to say the 
only way we will be able to tell Sprint the products they can 
buy, what they can have in their infrastructure, is if we enter 
into a negotiated agreement. That is a negotiated agreement 
with a foreign buyer. They have no authority at all in the 
other context so it is an odd set, currently, of incentives for 
the U.S. Government in which they might actually have more 
regulatory authority if they let the transaction go through.
    Mr. Gardner. You mentioned in your testimony a little bit 
about CFIUS, whether it is adequate or not. That is relied on 
by Congress, by the FCC. Where are the pitfalls? What are the 
problems?
    Mr. Baker. The problem is that if you want to introduce 
products that are not reliable into the U.S. market, you can 
just walk in and start taking orders. Even if it is going right 
into the core of the telecommunications industry, there is no 
authority anywhere in the U.S. Government to say no to that 
today. Only if an unreliable buyer or seller actually tries to 
acquire a U.S. company is there any authority at all.
    Team Telecom at the FCC has some authority over foreign 
carriers but not over foreign suppliers of equipment. CFIUS 
gives authority only over buyers of U.S. companies. So there is 
a real regulatory gap there with respect to some of this 
equipment that we have not yet found a solution for.
    Mr. Garfield. May I weigh in on this?
    Mr. Gardner. Please.
    Mr. Garfield. I think we have to be exceptionally careful 
about developing prophylactic rules around private sector 
agreements as it relates to supply chain assurances. India was 
used as a reference earlier in talking about an example of 
countries moving in a particular direction. There are a whole 
host of companies that I represent in the technology sector 
that are being foreclosed from the Indian market because of 
those types of rules. And so I just think that those types of 
rules have to be carefully calibrated and, from my perspective, 
discouraged.
    Mr. Gardner. Thank you. I yield back my time.
    Mr. Walden. I thank the gentleman. I thank all of our 
witnesses and committee members for their participation today, 
really a superb panel of witnesses. Your information that you 
shared has been very, very valuable. Your written testimony is 
helpful to us and to our staffs as we wrestle with this issue 
going forward in protecting the country and trying also not to 
stifle innovation and technology being developed in America. So 
we have got to get this right. And your depths of experience 
and your willingness to come here and share that with us is a 
great benefit to the American people. And so we thank you for 
your participation; we thank you for your assistance.
    And the record will remain open for additional questions, I 
am sure. And we hope that you will accept our invitation to 
work with us even further as we go forward. We want to get this 
right. So thank you very much. With that, the Subcommittee 
stands adjourned.
    [Whereupon, at 4:12 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Wired and wireless technologies are increasingly becoming 
the medium over which we manage our lives, our government, and 
our country. As a result, national security, economic security, 
and personal security are now also matters of communications 
security. Where once it may have been sufficient to guard the 
doors to our homes, our banks, our offices, our factories, and 
our utilities, today we must also guard the virtual doors to 
our networks.
    This hearing will look at the locks we place on those 
networks throughout the communications supply chain. Just as 
the networks and the cyber threats they confront are varied and 
ever evolving, so too must be our defenses. A one-size-fits-all 
solution is likely to be as successful as fitting every lock 
with the same key.
    What means are at the disposal of the private sector and 
government to secure our networks? What's working? What isn't? 
Where are the threats coming from? What kind of risk and cost-
benefit analyses should we be engaging in to find the right 
solutions? I ask the witnesses to help frame the issues for us 
today so we can determine where we-and the nation-should focus 
attention. If no one watches the door, surely someone will walk 
in who shouldn't.

                                #  #  #

                              ----------                              

[GRAPHIC] [TIFF OMITTED] T5436.106

[GRAPHIC] [TIFF OMITTED] T5436.107

[GRAPHIC] [TIFF OMITTED] T5436.108

[GRAPHIC] [TIFF OMITTED] T5436.109

[GRAPHIC] [TIFF OMITTED] T5436.110

[GRAPHIC] [TIFF OMITTED] T5436.111

[GRAPHIC] [TIFF OMITTED] T5436.112

[GRAPHIC] [TIFF OMITTED] T5436.113

[GRAPHIC] [TIFF OMITTED] T5436.114

[GRAPHIC] [TIFF OMITTED] T5436.115

[GRAPHIC] [TIFF OMITTED] T5436.116

[GRAPHIC] [TIFF OMITTED] T5436.117

[GRAPHIC] [TIFF OMITTED] T5436.118

[GRAPHIC] [TIFF OMITTED] T5436.119

[GRAPHIC] [TIFF OMITTED] T5436.120

[GRAPHIC] [TIFF OMITTED] T5436.121

[GRAPHIC] [TIFF OMITTED] T5436.122

[GRAPHIC] [TIFF OMITTED] T5436.123

[GRAPHIC] [TIFF OMITTED] T5436.124

[GRAPHIC] [TIFF OMITTED] T5436.125

[GRAPHIC] [TIFF OMITTED] T5436.126

[GRAPHIC] [TIFF OMITTED] T5436.127


                                 
