b'<html>\n<title>CYBERSECURITY: AN EXAMINATION OF THE COMMUNICATIONS SUPPLY CHAIN</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n    CYBERSECURITY: AN EXAMINATION OF THE COMMUNICATIONS SUPPLY CHAIN\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 21, 2013\n\n                               __________\n\n                           Serial No. 113-46\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n\n\n                                 ______\n\n                   U.S. GOVERNMENT PRINTING OFFICE \n85-436                     WASHINGTON : 2014\n____________________________________________________________________________ \nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.  \n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\nRALPH M. HALL, Texas                 HENRY A. 
WAXMAN, California\nJOE BARTON, Texas                      Ranking Member\n  Chairman Emeritus                  JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nJOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  ANNA G. ESHOO, California\nMIKE ROGERS, Michigan                ELIOT L. ENGEL, New York\nTIM MURPHY, Pennsylvania             GENE GREEN, Texas\nMICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado\nMARSHA BLACKBURN, Tennessee          LOIS CAPPS, California\n  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania\nPHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois\nSTEVE SCALISE, Louisiana             JIM MATHESON, Utah\nROBERT E. LATTA, Ohio                G.K. BUTTERFIELD, North Carolina\nCATHY McMORRIS RODGERS, Washington   JOHN BARROW, Georgia\nGREGG HARPER, Mississippi            DORIS O. MATSUI, California\nLEONARD LANCE, New Jersey            DONNA M. CHRISTENSEN, Virgin \nBILL CASSIDY, Louisiana                  Islands\nBRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida\nPETE OLSON, Texas                    JOHN P. SARBANES, Maryland\nDAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California\nCORY GARDNER, Colorado               BRUCE L. BRALEY, Iowa\nMIKE POMPEO, Kansas                  PETER WELCH, Vermont\nADAM KINZINGER, Illinois             BEN RAY LUJAN, New Mexico\nH. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York\nGUS M. BILIRAKIS, Florida\nBILL JOHNSON, Missouri\nBILLY LONG, Missouri\nRENEE L. ELLMERS, North Carolina\n             Subcommittee on Communications and Technology\n\n                          GREG WALDEN, Oregon\n                                 Chairman\nROBERT E. LATTA, Ohio                ANNA G. 
ESHOO, California\n  Vice Chairman                        Ranking Member\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nLEE TERRY, Nebraska                  MICHAEL F. DOYLE, Pennsylvania\nMIKE ROGERS, Michigan                DORIS O. MATSUI, California\nMARSHA BLACKBURN, Tennessee          BRUCE L. BRALEY, Iowa\nSTEVE SCALISE, Louisiana             PETER WELCH, Vermont\nLEONARD LANCE, New Jersey            BEN RAY LUJAN, New Mexico\nBRETT GUTHRIE, Kentucky              JOHN D. DINGELL, Michigan\nCORY GARDNER, Colorado               FRANK PALLONE, Jr., New Jersey\nMIKE POMPEO, Kansas                  BOBBY L. RUSH, Illinois\nADAM KINZINGER, Illinois             DIANA DeGETTE, Colorado\nBILLY LONG, Missouri                 JIM MATHESON, Utah\nRENEE L. ELLMERS, North Carolina     HENRY A. WAXMAN, California, ex \nJOE BARTON, Texas                        officio\nFRED UPTON, Michigan, ex officio\n  \n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement......................................     1\n    Prepared statement...........................................     2\nHon. Anna G. Eshoo, a Representative in Congress from the State \n  of California, opening statement...............................     3\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, opening statement...............................     5\nHon. Fred Upton, a Representative in Congress from the State of \n  Michigan, opening statement....................................   137\n\n                               Witnesses\n\nMark L. Goldstein, Director, Physical Infrastructure Issues, \n  Government Accountability Office...............................     
6\n    Prepared statement...........................................     9\n    Answers to submitted questions...............................   139\nStewart A. Baker, Partner, Steptoe and Johnson, LLP, Former \n  Assistant Secretary for Policy, Department of Homeland Security    62\n    Prepared statement...........................................  6473\n    Answers to submitted questions...............................   142\nJennifer Bisceglie, President and CEO, Interos Solutions, Inc....    71\n    Prepared statement...........................................    73\n    Answers to submitted questions...............................   145\nRobert B. Dix, Jr., Vice President, Government Affairs and \n  Critical Infrastructure Protection, Juniper Networks, Inc......    82\n    Prepared statement...........................................    85\n    Answers to submitted questions...............................   147\nDavid Rothenstein, Senior Vice President, General Counsel and \n  Secretary, Ciena...............................................    99\n    Prepared statement...........................................   101\n    Answers to submitted questions...............................   150\nJohn Lindquist, President and CEO, Electronic Warfare Associates.   111\n    Prepared statement...........................................   113\n    Answers to submitted questions...............................   153\nDean Garfield, President and CEO, Information Technology Industry \n  Council........................................................   118\n    Prepared statement...........................................   120\n    Answers to submitted questions...............................   
156\n\n\n    CYBERSECURITY: AN EXAMINATION OF THE COMMUNICATIONS SUPPLY CHAIN\n\n                              ----------                              \n\n\n                         TUESDAY, MAY 21, 2013\n\n                  House of Representatives,\n     Subcommittee on Communications and Technology,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:02 p.m., in \nroom 2123 of the Rayburn House Office Building, Hon. Greg \nWalden (chairman of the subcommittee) presiding.\n    Members present: Representatives Walden, Latta, Shimkus, \nTerry, Blackburn, Lance, Guthrie, Gardner, Long, Ellmers, \nEshoo, Matsui, Welch, and Waxman (ex officio).\n    Staff present: Carl Anderson, Counsel, Oversight; Ray Baum, \nSenior Policy Advisor/Director of Coalitions; Neil Fried, Chief \nCounsel, C&T; Debbee Hancock, Press Secretary; David Redl, \nCounsel, Telecom; Charlotte Savercool, Executive Assistant, \nLegislative Clerk; Kelsey Guyselman, Telecom; Roger Sherman, \nDemocratic Chief Counsel; Shawn Chang, Democratic Senior \nCounsel; Margaret McCarthy, Democratic Staff; Patrick Donovan, \nDemocratic FCC Detail; and Kara Van Stralen, Democratic Policy \nAnalyst.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. We are going to call to order the Subcommittee \non Communications and Technology for our hearing on \n``Cybersecurity: an Examination of the Communications Supply \nChain.\'\' And just for the benefit of our witnesses--I don\'t \nknow if benefit is the right word--but in about 10 minutes we \nare probably going to get called to the House Floor for votes. \nSo don\'t flee when we do. We will plan to return and be sure \nand get your testimony in and our questions. 
But we will begin \nwith our opening statements and, as you know, things around \nhere aren\'t always certain so, who knows, we may get everything \ndone, but I doubt it. So we will go ahead and get started, but \nwe want to thank you all for being here and for submitting your \ntestimony.\n    Our communications network\'s strengths--its ubiquity and \ninterconnected nature--may actually also be a weakness. Those \nwho wish to harm our Nation, to steal money or intellectual \nproperty, or merely to cause mischief can focus on myriad \nhardware and software components that make up the \ncommunications infrastructure. And they can do so anywhere in \nthe design, the delivery, the installation, or the operation of \nthose components. So today\'s hearing will focus on securing \nthat communications supply chain.\n    We are fortunate to have as a member of this subcommittee \nthe full chairman of the House Intelligence Committee, Chairman \nMike Rogers. The experience and resources he brings were \ninvaluable to the bipartisan Cyber Security Working Group last \nCongress, as well as to this subcommittee\'s three prior cyber \nhearings.\n    Many of us have concluded that promoting information-\nsharing through the Cyber Intelligence Sharing and Protection \nAct, CISPA, that he and Representative Ruppersberger have now \ntwice assured through the House with large bipartisan votes, is \npivotal to better securing our networks. It was also in large \npart this committee\'s 2012 report on the communications supply \nchain that prompted this hearing. Supply chain risk management \nis essential if we are to guard against those that would \ncompromise network equipment or exploit the software that runs \nover and through it.\n    Understanding that you can never eliminate these risks, how \ndo you minimize them without compromising the interconnectivity \nthat makes networks useful? How secure is the communications \nsupply chain? Where are the vulnerabilities? 
How much should we \nfocus on securing physical access to components as they make \ntheir way from design to installation? How much on the internal \nworkings of the components themselves? How do the risks and \nresponses differ for hardware and software? What about for \ninternationally sourced products as opposed to domestically \nsourced products? What progress has been made through the \npublic-private partnerships, standards organization, and the \ndevelopment of best practices, and what role should the \ngovernment play?\n    These are among the questions we will examine in this \nhearing, as well as through the bipartisan Supply Chain Working \nGroup that we launch today. Representative Mike Rogers and my \ncolleague and friend from California, Anna Eshoo, will co-chair \nthis group, which will also include Representatives Latta, \nDoyle, Terry, Lujan, Kinzinger, and Matheson.\n    As I did last Congress, I will urge that we abide by a \ncyber Hippocratic Oath and first do no harm as we consider the \ntools available to the public and private sectors in making our \ncommunications supply chain secure.\n    With that, I would yield to the vice chair of the \nsubcommittee, Mr. Latta.\n    [The prepared statement of Mr. Walden follows:]\n\n                 Prepared statement of Hon. Greg Walden\n\n    Our communications network\'s strengths--its ubiquity and \ninterconnected nature--may also be weaknesses. Those who wish \nto harm our nation, to steal money or intellectual property, or \nmerely to cause mischief, can focus on myriad hardware and \nsoftware components that make up the communications \ninfrastructure. And they can do so anywhere in the design, \ndelivery, installation or operation of those components. \nToday\'s hearing will focus on securing that communications \nsupply chain.\n    We are fortunate to have as a member of this subcommittee \nHouse Intelligence Committee Chairman Mike Rogers. 
The \nexperience and resources he brings were invaluable to the \nbipartisan cybersecurity working group last Congress as well as \nthis subcommittee\'s three prior cyber hearings. Many of us have \nconcluded that promoting information sharing through the Cyber \nIntelligence Sharing and Protection Act that he and Rep. \nRuppersberger have now twice ushered through the House is \npivotal to better securing our networks. It was also in large \npart his committee\'s 2012 report on the communications supply \nchain that prompted this hearing. Supply chain risk management \nis essential if we are to guard against those that would \ncompromise network equipment or exploit the software that runs \nover and through it.\n    Understanding that you can never eliminate these risks, how \ndo you minimize them without compromising the interconnectivity \nthat makes networks useful? How secure is the communications \nsupply chain? Where are the vulnerabilities? How much should we \nfocus on securing physical access to components as they make \ntheir way from design to installation? How much on the internal \nworkings of the components themselves? How do the risks and \nresponses differ for hardware and software? What about for \ninternationally sourced products as opposed to domestic ones? \nWhat progress has been made through public-private \npartnerships, standards organizations and the development of \nbest practices? What role should the government play?\n    These are among the questions we will examine in this \nhearing, as well as through the bipartisan supply chain working \ngroup we launch today. Reps. Mike Rogers and Anna Eshoo will \nco-chair the group, which will also include Reps. Latta, Doyle, \nTerry, Lujan, Kinzinger, and Matheson. 
As I did last Congress, \nI will urge that we abide by a cyber Hippocratic Oath and first \ndo no harm as we consider the tools available to the public and \nprivate sectors in making our communications supply chain \nsecure.\n\n                                #  #  #\n\n    Mr. Latta. Thank you, Mr. Chairman, and I appreciate you \nyielding and holding this hearing today on a very critical and \nimportant topic. I want to thank our witnesses for being here \nand I look forward to your testimony today.\n    Not a day goes by that I don\'t seem to pick up a newspaper \nand read about a cyber attack or the vulnerability on the front \npage of a newspaper. Cyber crime and cyber warfare can affect \nany individual or business since we all depend on our \ninterconnected communication networks. This is an issue not \njust of national security but economic security.\n    Again, I thank our witnesses for being here. I look forward \nto your comments on the communications supply chain. I also \nthank the Chairman for convening a bipartisan working group on \nthis topic and I look forward to being part of the start of a \nvery thoughtful and serious discussion on the threats of the \nsupply chain and possible solutions. And with that, Mr. \nChairman, I yield back.\n    Mr. Walden. Anyone else on the Republican side seeking to \nmake a comment on the final minute-and-a-half of my time? If \nnot, I yield back the balance and recognize my friend, the \nranking member of this subcommittee, Ms. Eshoo, for 5 minutes.\n\n OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Ms. Eshoo. Thank you, Mr. Chairman, and thank you for \nholding this very important hearing. Welcome to all of our \nwitnesses.\n    Mr. Chairman, the implications of foreign-controlled \ntelecommunications infrastructure companies providing equipment \nto the U.S. market, I think, really presents a very real threat \nto our country. 
As the Office of the National \nCounterintelligence Executive has noted, ``the globalization of \nthe world economy has placed critical links in the \nmanufacturing supply chain under the direct control of U.S. \nadversaries.\'\'\n    Just last month, despite press reports suggesting that \nHuawei was leaving the U.S. market, the company now denies such \nreports and has stated that, ``Huawei has no connection to the \ncyber security issues the U.S. has encountered in the past, \ncurrent, and future.\'\' That is quite a statement.\n    These are not new threats. In fact, more than 3 years \nago as a member of the House Intelligence Committee, I wrote to \nthe Director of National Intelligence asking for an assessment \nof the national security implications of Chinese-origin \ntelecommunications equipment on our law enforcement and \nintelligence efforts, as well as on our switch \ntelecommunications infrastructure. While I can\'t discuss, \nobviously, the results of that assessment in an unclassified \nhearing, suffice it to say, the answers were troubling.\n    Since that time, I have reiterated my concerns with the FCC \nChairman Genachowski and in late 2011 I joined colleagues in \nrequesting that the GAO study the potential security risks of \nforeign manufactured equipment. The newly released GAO study \nrecognizes that multiple points within the supply chain can \ncreate vulnerabilities for threat actors to exploit. But a \ncombination of initiatives by both the public and private \nsector are being established to fight back.\n    The President\'s Executive Order issued in February is an \nexample. NIST has been tasked with developing a framework to \nreduce cyber attacks to critical infrastructure, and as NIST \nundertakes the development of this framework, supply chain \nsecurity should be a component. In fact, this morning, Chairman \nWalden and myself raised this very issue with Dr. 
Gallagher.\n    Moving forward, I am very pleased to co-chair, at the \nchairman\'s request, the subcommittee\'s newest working group \nfocusing on supply chain security and integrity with \nRepresentative Mike Rogers, who chairs the House Intelligence \nCommittee. And through stakeholder meetings, I think we will be \nable to better understand what additional steps can be taken to \nprotect U.S. telecommunications infrastructure from \ninappropriate foreign control or influence.\n    So again, I thank each one of our witnesses that are here \ntoday for your important testimony that you are going to give, \nthe important answers that you are going to give to our \nquestions, and for your steadfast commitment to securing the \ncommunications equipment supply chain for our Nation.\n    And I yield back, Mr. Chairman.\n    Mr. Walden. If you want to yield to----\n    Ms. Eshoo. Does anyone want me to yield my remaining time \nto them? Ms. Matsui or--OK. Sure.\n    Ms. Matsui. Thank you very much, Ms. Eshoo. I would like to \nalso thank the chairman for holding today\'s hearing.\n    This year alone, we have seen significant cyber breaches to \nour economy. We know rogue states and skilled hackers are \nrelentless and continue to pose a real threat breaching \nsensitive information stored by both the private and public \nsectors, as well as the American consumer.\n    To address the cyber threats I believe industry and \ngovernment must be partners. It is not a one-way street. We \nlive in a digital world where information is readily available \non the internet and can be accessed from just about anywhere. \nWe also live in an innovative economy where America\'s \ninnovative spirit has led to new devices, equipment, and \ncommunications that penetrate the global marketplace.\n    This has also created an international supply chain of \ntechnology components. Today, it is not surprising if a product \nand its components originate from several different countries. 
\nThat is why it is critical for industry to continue to be \nvigilant in assuring their manufacturing and distribution \nprocesses are not compromised. We should also be mindful of \nhackers trying to circumvent the supply chain by infecting \nbotnets and malware onto popular mobile apps.\n    Addressing mobile security should be a priority moving \nforward, particularly as millions of Americans download their \nfavorite apps, which in some cases includes personal \ninformation.\n    Again, I thank the chairman for holding today\'s hearing and \nI yield back the remainder of my time.\n    Mr. Walden. The gentlelady yields back the remainder of her \ntime. And seeing no one on our side seeking time, I would yield \nnow to the gentleman from California, Mr. Waxman, for 5 \nminutes.\n\nOPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF CALIFORNIA\n\n    Mr. Waxman. Thank you very much, Mr. Chairman, for holding \ntoday\'s hearing on cyber security risks in the communications \nsupply chain.\n    This morning, our full committee heard a wide range of \nperspectives on the cyber threats to our critical \ninfrastructure, including broadband networks.\n    While the Executive Order on cyber security protections for \ncritical infrastructure was an important step forward, this \nmorning\'s hearing demonstrated that there is much more work to \nbe done to protect the networks that undergird the American \neconomy.\n    One key area of vulnerability--the long supply chains for \ncommunications network equipment--is the subject of this \nafternoon\'s hearing. 
The globalization of the supply market for \ninformation and communications technology has undoubtedly \ncreated many benefits for our economy and coincided with \nincredible investment, competition, and innovation in the \ncommunications marketplace.\n    But it has also made it possible for our adversaries to \nexploit weaknesses during the design, production, delivery, and \npost-installation servicing of communications network \nequipment.\n    Industry and the federal government are working to respond \nto these threats.\n    As several of our witnesses this afternoon will discuss, \ncompanies are taking action to respond to supply chain risks. \nVoluntary industry consortia and public-private partnerships \nare also seeking to minimize these cyber exposures and I \napplaud these efforts.\n    But we should consider all options that could help minimize \nthe cyber threats in the supply chain.\n    I look forward to hearing from GAO about its analysis of \nwhat other countries are doing in this area, as well as the \npotential benefits and drawbacks of adopting new review \nprocesses for purchases of foreign-manufactured communications \nequipment.\n    And I am pleased, Mr. Chairman, that the Subcommittee is \nconvening a working group to examine supply chain security in \nmore depth. The co-chairs of the working group--Representative \nMike Rogers, who is the chairman of the House Intelligence \nCommittee, and Representative Anna Eshoo, who has served on \nthat committee, as well as the ranking member on this \nsubcommittee--have great expertise from their service, as well \nas on both committees.\n    I look forward to our continued bipartisan work in this \narea. I thank all of the witnesses for being here and for their \ntestimony. 
I want to apologize in advance that the conflict in \nschedule will keep me from being here to hear everything that \nis said, but I have staff listening in, I have got the \ntestimony that I can review, and when the questions are asked \nand answered, I will be able to get a sense from those as well \nof the views that this very distinguished group will be giving \nto our subcommittee.\n    Thank you for this opportunity to give an opening \nstatement. I thank all of you for being here today.\n    Mr. Walden. And the gentleman yields back the balance of \nhis time. The good news is the votes now aren\'t going to come \nuntil 2:25 to 2:30, so we may actually get to hear from some of \nour witnesses.\n    And so we are going to start with Mr. Goldstein, who is the \ndirector of Physical Infrastructure Issues for the Government \nAccountability Office. Turn on your microphone, pull it close, \nand the next 5 minutes are yours, sir. Thank you for your work.\n\n      STATEMENTS OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL \n   INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; \n  STEWART A. BAKER, PARTNER, STEPTOE AND JOHNSON, LLP, FORMER \n    ASSISTANT SECRETARY FOR POLICY, DEPARTMENT OF HOMELAND \n   SECURITY; JENNIFER BISCEGLIE, PRESIDENT AND CEO, INTEROS \nSOLUTIONS, INC.; ROBERT B. DIX, JR., VICE PRESIDENT, GOVERNMENT \n    AFFAIRS AND CRITICAL INFRASTRUCTURE PROTECTION, JUNIPER \n   NETWORKS, INC.; DAVID ROTHENSTEIN, SENIOR VICE PRESIDENT, \nGENERAL COUNSEL AND SECRETARY, CIENA; JOHN LINDQUIST, PRESIDENT \n  AND CEO, ELECTRONIC WARFARE ASSOCIATES; AND DEAN GARFIELD, \n   PRESIDENT AND CEO, INFORMATION TECHNOLOGY INDUSTRY COUNCIL\n\n                 STATEMENT OF MARK L. GOLDSTEIN\n\n    Mr. Goldstein. I will try not to take all of it.\n    Thank you, Mr. Chairman and members of the subcommittee. 
I \nam pleased to be here this afternoon to discuss issues \nsurrounding the communications supply chain.\n    The United States is increasingly reliant on commercial \ncommunications networks for matters of national and economic \nsecurity. These networks, which are primarily owned by the \nprivate sector, are highly dependent on equipment manufacturers \nin foreign countries. Certain entities in the Federal \nGovernment view this dependence as an emerging threat that \nintroduces risks to the networks. GAO was requested to review \nactions taken to respond to security risks from foreign \nmanufactured equipment.\n    This testimony addresses how network providers and \nequipment manufacturers help ensure the security of foreign \nmanufactured equipment used in commercial communications \nnetworks, how the Federal Government is addressing the risks of \nsuch equipment, and other approaches for addressing those risks \nand issues related to these approaches.\n    My testimony today is the public version of a national \nsecurity sensitive report that GAO issued in May 2013. \nInformation that the Department of Defense deemed sensitive has \nbeen omitted.\n    Let me briefly discuss the findings of the report that I \nmay talk about today. First, the network providers and \nequipment manufacturers GAO spoke with reported taking steps in \ntheir security plans and procurement processes to ensure the \nintegrity of parts and equipment obtained from foreign sources. \nAlthough these companies do not consider foreign manufactured \nequipment to be their most pressing security threat, their \nbrand image and profitability depend on providing secure, \nreliable service.\n    In the absence of industry or government standards on the \nuse of this equipment, companies have adopted a range of \nvoluntary risk management practices. 
These practices span the \nlifecycle of equipment and cover areas such as selecting \nvendors, establishing vendor security requirements, and testing \nand monitoring equipment. Equipment that is considered critical \nto the functioning of the network is likely to be subject to \nmore stringent security requirements according to these \ncompanies.\n    In addition to these efforts, companies are collaborating \non the development of industry security standards and best \npractices and participating in information-sharing efforts \nwithin industry and with the Federal Government.\n    Second, the Federal Government has begun efforts to address \nthe security of the supply chain for commercial networks. In \n2013 the President issued an Executive Order to create a \nframework to reduce cyber risks to critical infrastructure, the \nNational Institute of Standards and Technology, responsible \nfor leading this effort, which is to provide technology-neutral \nguidance to critical infrastructure owners and operators.\n    NIST published a request for information, which it is \nconducting using a comprehensive review to obtain stakeholder \ninput and develop the framework. You heard testimony on this \neffort this morning. NIST officials said the extent to which \nsupply chain security of commercial communication networks will \nbe incorporated into the framework is dependent in part on the \ninput that they receive from stakeholders.\n    The Department of Defense considered the other federal \nefforts GAO identified to be sensitive to national security, \nand I cannot talk about them in a public forum.\n    And third, there are a variety of other approaches for \naddressing potential risks posed by foreign manufactured \nequipment and commercial communications networks. 
For example, \nthe Australian government is considering a proposal to \nestablish a risk-based regulatory framework that requires \nnetwork providers to be able to demonstrate competent \nsupervision and effective controls over their networks. The \ngovernment would also have the authority to use enforcement \nmeasures to address noncompliance.\n    In the United Kingdom, the government requires network and \nservice providers to manage risks and network security and can \nimpose financial penalties for security breaches.\n    While these approaches are intended to improve supply chain \nsecurity of communications networks, they may also create the \npotential for trade barriers and additional costs which the \nFederal Government would have to take into account if it chose \nto pursue such efforts.\n    Mr. Chairman, this concludes my oral statement. I would be \nhappy to respond to comments. Thank you.\n    [The prepared statement of Mr. Goldstein follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.001 through T5436.053 (page images not reproduced in the text version)\n    \n    
Mr. Walden. Thank you, Mr. Goldstein. We appreciate the \nwork of your team and you----\n    Mr. Goldstein. Thank you.\n    Mr. Walden [continuing]. And we appreciate your being here.\n    I will now go to Mr. Stewart A. Baker who is a partner in \nSteptoe & Johnson, LLP, and we appreciate your being here and \nlook forward to your comments, sir. Go ahead.\n\n                 STATEMENT OF STEWART A. BAKER\n\n    Mr. Baker. Chairman Walden, Ranking Member Eshoo, members \nof the committee, it is a pleasure to be before you again. 
I \nwas at the Department of Homeland Security and in charge of the \nCFIUS process until 2009, so I have been here before to talk \nabout that.\n    I would like to start with the problem that we have. We are \nunder massive cyber espionage attacks. There is no one who is \nimmune against these attacks. I am willing to bet that \neverybody on this panel and everybody on the committee has \nalready been the subject of intrusions aimed at stealing \nsecrets on behalf of the People\'s Liberation Army or some other \nforeign government.\n    We do not know how to keep people out of our systems \neffectively. And that is despite the fact that we have, by and \nlarge, an IT infrastructure that is designed by U.S. companies \nwho are doing their best to give us security. We simply have \nnot been able to find all of the holes in the code or all of \nthe flaws that can be exploited. That is with the best will in \nthe world.\n    At the same time, in the last 20 years, I think, as the \nPresident\'s efforts to name and shame China and other attackers \nhave demonstrated, there is plenty of name but not a lot of \nshame on the other side. This has been an enormously productive \nintelligence source and it is an enormous weapon that can be \nused against the United States if we get into a shooting war \nthat our adversaries would like to get us out of. Everything \nthat can be exploited for espionage purposes can be exploited \nfor sabotage purposes.\n    Our systems can be made to break causing great harm to \nAmericans, including potentially deaths here. And we will have \nto face that prospect in the next serious conflict that we face \ninternationally because the ability to cause that harm is \nmoving down the food chain to the point where Iran and North \nKorea are significant powers in causing this harm.\n    So that is the situation that we face. The question is we \nare deep in a hole. Are we going to stop digging? 
And here is \nthe question that we need to face as we look at our supply \nchain. If American companies looking at their own code and \ntrying to give us security can\'t find a way to do that, how \ncomfortable are we having companies from countries that are not \nour friends provide the code, provide the hardware? We are not \ngoing to find those problems. We can\'t even find all of them in \nthe products that we make ourselves here in the United States, \nas witnessed through all of the exploitable vulnerabilities we \nface.\n    And so we face the prospect that some of this equipment \nsimply is not going to be safe. As we have asked ourselves, how \ndo we deal with that problem? It turns out that our tools for \ndealing with it are remarkably limited. I ran the CFIUS \nprocess; I ran the team telecom process for DHS. Those are very \nlimited tools. CFIUS only applies if somebody buys something. \nIf they want to sell something here, there is no restriction \nwhatsoever. So telecommunications gear can be sold in the \nUnited States without any review whatsoever.\n    We got to the point, I think, actually in the stimulus bill \nwhere we had provided subsidies to buy telecommunications \nequipment to carriers and they were buying, with our money, \nHuawei and ZTE gear because we had no way to prevent that, but \nat the same time that the U.S. Government was telling Verizon \nand AT&T don\'t you buy that stuff. So we clearly lack an \nability to address the problem of infrastructure equipment \nbeing sold to the United States that we don\'t think is secure. \nThat is the first thing that I think the committee should \nexamine.\n    Beyond that, I think we have also discovered as we have \nbegun looking at this problem that our procurement laws do not \ntake into account sufficiently supply chain risk, do not \nrequire that our contractors take enough account of supply \nchain risk. 
So if there were two things that I would urge the \ncommittee to address, it is, one, the limited nature of team \ntelecom and CFIUS remedies and the still remarkably limited \nability of government procurement officers to take account of \nthis risk.\n    [The prepared statement of Mr. Baker follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.054\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.055\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.056\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.057\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.058\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.059\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.060\n    \n    Mr. Walden. Mr. Baker, thank you for your testimony.\n    We are going to go now to Jennifer Bisceglie, who is \nPresident and CEO of Interos Solutions, Incorporated. We \nwelcome you and look forward to your comments.\n\n                STATEMENT OF JENNIFER BISCEGLIE\n\n    Ms. Bisceglie. Thank you. Good afternoon, Mr. Chairman and \nmembers of the subcommittee.\n    Mr. Walden. I am going to have you move that microphone a \nlittle closer and make sure the light is on.\n    Ms. Bisceglie. It was on.\n    Mr. Walden. OK.\n    Ms. Bisceglie. Can you hear me now? Good afternoon, Mr. \nChairman and members of the subcommittee. My name is Jennifer \nBisceglie, President of Interos solutions. Thank you for \ninviting me to testify on behalf of our industry peers focused \non supply chain risk management, or SCRM, as we like to call \nit.\n    My company Interos is built on 20 years of global supply \nchain and IT implementation experience. 
Over the past 6 years, \nwe have seen the discussions turn from simple compliance to \nresiliency, which is ensuring business operations would \ncontinue even if the supply chains were interrupted; and now to \nproduct integrity, which is caused by a manmade malicious \nattack.\n    In response to this, Interos has set up a SCRM global \nthreat information Center, which offers capabilities to help \nboth the public and private sector organizations implement SCRM \nframeworks, conduct supplier audits, and conduct open-source \nresearch to identify potential threats with current or future \nsuppliers.\n    I will first share some of our observations and then follow \nthose with some recommendations. First, a common definition for \nsupply chain risk management and cyber security does not exist, \nnor is there a standard way to measure either challenge. To us, \nthe definition of cyber security extends deep into the supply \nchain as cyber capabilities are increasingly reliant on \nglobally sourced, commercially produced information technology \nand communications hardware, software, and services.\n    To us, cyber security means transparency of where things \nare coming from, where they are going to, and who has access to \nthem along the way. That is also the definition of supply chain \nrisk management.\n    Our second observation is that supply chain risk management \nmust be viewed as an investment versus an expense. Interos is \nworking with the Department of Energy on their enterprise SCRM \nprogram. With only three Interos team members supporting the \nentire Department of Energy enterprise, they have an \ninfrastructure they can share resources and information \nthroughout their entire enterprise now.\n    In this case, it is a relatively low-cost investment and \nyields tremendous benefits. 
Much of the success of this program \ncan be attributed to a strong DOE leadership, as well as having \nthe ability to work with the Department of Defense\'s trusted \nsystems and network SCRM roundtable and their interagency \nworking groups.\n    Third, we feel supply chain risk management is successful \nwhen it is a cultural shift that supports current business \nprocess and reduces the need to develop new stovepipe processes \nthat increase costs and create additional work for the risk \nowner. It is not an issue of being too expensive to do it. It \nis an issue of being too expensive to ignore it.\n    Now to our recommendations: from our perspective, Congress \ncan take four steps to better protect our Nation\'s critical \ninfrastructure. First, awareness and education has to start at \nthe top in order to be adopted by those actually executing the \nmission. In our experience, the level of awareness of the \nchallenge varies across federal agencies, as does their level \nof attention to managing their supply chain risk. Awareness and \neducation is critical to communicate that supply chain risk \nimpacts everyone within the federal infrastructure.\n    Second, fund the program, assign someone within each agency \nto own the issue, and measure the success. We have seen SCRM \nfocal points, as directed by the Bush and the Obama \nAdministrations, being implemented in different areas within \nthe agencies. Without the top-down support within the agency, \nwithout an owner of the concern, and without funding, these \nprograms are being bootstrapped and implemented in various \nfashions, not conducive to effective protection.\n    Three, the low-cost, low-price technically acceptable \nenvironment is in direct opposition to a safe and secure \ncritical infrastructure unless we are able to accurately define \nour acceptable supply chain risk tolerance at the beginning of \nan acquisition cycle. 
While we understand the federal budget \nconstraints and the temptation to fund program objectives with \nsimply the lowest bid, when it comes to cyber security, it is \nnot a good strategy. Failure to protect our critical \ninfrastructure and educate risk owners on the threats that are \nbrought into an organization by buying from unverified sources \nwill result in continued and increasingly harmful attacks.\n    Last, implement contractual language that works. We \nunderstand that as part of Executive Order 13636, GSA, NIST, \nand DOD are working with potential recommendations to update \nthe FAR language. In addition, there are multiple industry \nassociations working on standards for supply chain risk \nmanagement. Doing as much as possible via internal policy \nchanges and contractual language as a way to inform suppliers \nof how to do business with you and to mitigate risks coming \ninto your organization is a much less expensive way to approach \nthe problem than regulation and legislation.\n    In conclusion, the solution needs to be viewed as an \ninvestment in national security, not just another expense. The \nkey for industry and government is to work separately on their \ninternal enterprise risk tolerance levels through good business \npractices, including awareness training and contractual \nagreements. This will enable each to meet collaboratively and \nhave informed discussions about where vulnerabilities lie and \nwhat it will take to protect our country.\n    Thank you for the opportunity to present our views. I look \nforward to answering any questions.\n    [The prepared statement of Ms. 
Bisceglie follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.061\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.062\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.063\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.064\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.065\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.066\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.067\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.068\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.069\n    \n    Mr. Walden. Thank you very much for your testimony.\n    We will now go to Mr. Robert B. Dix, Jr., Vice President of \nGovernment Affairs and Critical Infrastructure Protection, \nJuniper Networks, Incorporated. Mr. Dix, pull that microphone \nright up and thanks for being with us today. We look forward to \nyour testimony.\n\n                STATEMENT OF ROBERT B. DIX, JR.\n\n    Mr. Dix. Good afternoon, Chairman Walden, Ranking Member \nEshoo, and members of the subcommittee. Thank you for inviting \nme to be a participant in today\'s hearing on the security of \nthe communication supply chain.\n    As indicated, my name is Bob Dix and I serve as the Vice \nPresident of Government Affairs and Critical Infrastructure \nProtection for Juniper Networks, a publicly held private \ncorporation headquartered in Sunnyvale, California, in \nCongresswoman Eshoo\'s district.\n    I will attempt to address three aspects of this important \nsubject of security and integrity of the communication supply \nchain: first, the risk created by government procurement \npractices utilizing unauthorized equipment providers; second, \nsupply chain integrity initiatives by industry; and third, \nseveral recommendations where the government can help improve \nboth government and private sector supply chain integrity.\n    The government views its commercial supply chain rightly as \na major element in its risk profile, but many of its risk \nmanagement efforts are not coordinated and were not developed \nin collaboration with industries that share 
legitimate concerns \nabout supply chain security. Today, there are more than 100 \ndifferent initiatives around supply chain in the government.\n    Also as we sit here today, the government continues to make \npurchases from untrusted and unauthorized sources. The urge to \nsave money pushes agencies to brokers and other gray market \nsuppliers that are not part of the authorized or trusted supply \nchain for original equipment manufacturers. This is also an \narea where much mischief takes place for both counterfeiters \nand those attempting to penetrate the government supply chain \nwith malicious intent.\n    Interestingly, when the government purchases equipment and \nthen identifies it as counterfeit, it often assumes the OEM has \na gap in its supply chain, pointing fingers at the private \nsector when in many cases they need to be looking in the \nmirror. The government does not instead ask why it bought \nsensitive ICT products from an untrusted source.\n    I have included in my written statement several real-life \nexamples that Juniper Networks has experienced which are \nillustrative of this challenge, but time today does not permit \nme to go through each one of those. But I hope you will take a \nchance to look at those.\n    While Juniper understands the importance of improving \nsupply chain assurance for the Federal Government, it often \nappears that the government itself does not understand the \nenormous investment that many in the private sector make to \nprotect the integrity of their supply chain. It is in our \nbusiness interest. It is a market differentiator. Juniper, like \nmany companies, has a supply chain assurance and brand \nintegrity program for securing our products and supply chain. \nWe employ best practices for security from organizations \nincluding the Open Group\'s Trusted Technology Forum, AGMA, and \nSafeco to name a few. 
This includes component integrity, \ntraceability of products, anti-counterfeit measures, and much \nmore.\n    As is clear from the variety and breadth of the standards, \nbodies, and organizations that industry relies on, many \ncompanies believe that a variety of standards and best \npractices contribute to supply chain integrity. But as \ndiscussed earlier, there is also compelling evidence that there \nare gaps and contradictions in the government\'s policies and \npractices that contribute to supply chain risk. Here are a \ncouple of proposals that, if addressed, could have immediate \nimpact on securing the communication supply chain. First, the \nExecutive Branch, at the urging of this committee, of course, \nshould issue a directive requiring federal departments and \nagencies to purchase only from trusted and authorized sources, \nespecially for mission-essential functions, unless there is \nsome compelling reason to go outside of that channel. If there \nis such a compelling reason, the purchaser should be required \nto put a justification and authorization in writing. It is low-\nhanging fruit; we should do it immediately.\n    Second, the government should require that small business \nvendors be certified as authorized resellers and partners. \nRequirements pertaining to small business set-asides also have \nthe secondary impact of causing procurement officers to pursue \nacquisitions through providers who are not part of the \nauthorized and trusted supply chain.\n    We all understand the importance of small businesses to the \ngovernment\'s industrial base and to the economy in general. It \nis important to recognize that bad actors also exploit our \nreliance on small business as a means of entry. Counterfeiters \nand others attempt to introduce their tainted equipment into \nour critical infrastructure through small business enterprises.\n    Third, members of this committee have been involved in \nattempting to pursue better information-sharing. 
We support \nCISPA and we appreciate all the good work here and hope that \nyou will support moving that bill through the Senate.\n    While we are working on legislation to break down barriers \nto improve timely, reliable, and actionable situation \nawareness, there is a step we could take immediately. We \ncontinue to hear that the government has significant concerns \nabout supply chain and the threat to national and economic \nsecurity. The government has access to case studies of \nsuccessful, unsuccessful, interrupted, or disrupted attempts to \nperpetrate network intrusions through the supply chain. We \nshould take those lessons learned from those experiences and \nshare the tactics, techniques, and procedures, not sources and \nmethods that cross over into the classified space that we can \nlearn from and better inform the community in their own risk \nmanagement decision-making.\n    There are a couple of others in my testimony I hope that we \nwill get to in the questions. But on behalf of the 9,000 proud \nemployees of Juniper Networks, I thank you again for the \nopportunity to participate in this important discussion. \nIndustry looks forward to continuing the collaborative \nrelationship with Congress and the Administration on this \nimportant issue. I welcome your questions.\n    [The prepared statement of Mr. 
Dix follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.070\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.071\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.072\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.073\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.074\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.075\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.076\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.077\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.078\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.079\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.080\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.081\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.082\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.083\n    \n    Mr. Walden. Mr. Dix, thank you very much.\n    They have called the votes. I believe they have, right? And \nso we will recess at this point. So close, Mr. Rothenstein, so \nclose. And then we will come back and start with you and get to \nour other two witnesses, and then Q&A. So thank you for your \npatience and we will be back shortly.\n    [Recess.]\n    Mr. Latta [presiding]. I would like to call the \nsubcommittee back to order. And I believe next in order of our \nwitnesses is Mr. Rothenstein, and thanks very much for being \nhere today. We appreciate your testimony.\n\n                 STATEMENT OF DAVID ROTHENSTEIN\n\n    Mr. Rothenstein. My pleasure. I hope that delay only served \nto build anticipation of my testimony.\n    Vice Chairman Latta, Ranking Member Eshoo, members of the \nsubcommittee, my name is David Rothenstein and it is my \npleasure to appear before you today. I serve as senior vice \npresident and general counsel of Ciena Corporation, a publicly \nheld Maryland-based provider of equipment software and services \nthat support transport and switching, aggregation management \nand voice, video, and data traffic on communications networks. 
\nOur products are used by communications network service \nproviders, cable operators, governments, and enterprises across \nthe globe.\n    Today, a number of current market trends, including the \nproliferation of smartphones, tablets, and mobile devices, are \nsubstantially increasing the demand on networks. This means \nthat Ciena must deliver faster, more efficient, and more secure \nequipment to our customers to help them meet their end-user \nrequirements.\n    As with most technology companies, our success is largely \ndriven by our innovation. Our global patent portfolio is our \nlifeblood and it enables us to develop leading-edge solutions \nand get new products to market quickly. In order to support \nthis continuous innovation and because our equipment sits in \ncritical infrastructure networks around the world, Ciena\'s \nexecutive team spends a lot of time looking at the intersection \nof cyber security and supply chain.\n    Because our customers demand best-in-class product delivery \nlead times, quality and performance, security of supply, and \nproduct security and integrity, we have taken steps during the \npast few years to transform and optimize our supply chain \noperations. These changes have enabled us to use our supply \nchain as a differentiator in the market.\n    One example of these changes has been our focus in \ndesigning and manufacturing equipment and software that meets \nor exceeds the security needs of our customers. For years, our \ncustomers have generally inquired with us about the security, \nintegrity, and assurance of their networks. With this in mind, \nin 2011 we performed a detailed analysis of our supply chain \nthat considered a range of factors.\n    As a result of this analysis, we decided at that time to \nbegin a gradual exit from China of key elements of our supply \nchain. This was not an easy decision. China represents one of \nthe largest and fastest-growing markets for communications \nequipment in the world. 
And the country is home to the \nfabrication facilities that produce many of the components that \ngo into our products. However, based on what we knew about our \nproducts, our customers, and the business and security \nenvironment in China, we decided to make this change.\n    In contrast to some of our peers, we weren\'t as concerned \nabout the potential adverse impact of this decision on our \nsales opportunities in China. Several years ago, because of the \nsignificant barriers to entry and the technology transfer \nrequirements to do business in China, we decided not to pursue \na go-to-market sales strategy in that country. We are now \nalmost 2 years into our supply chain transformation. By the end \nof 2013, we will have transitioned all of the manufacture and \nassembly of our products and a sizable portion of our global \nspend on finished and semi-finished assemblies from China to \nother jurisdictions, primarily Mexico and Thailand. In so \ndoing, we have increased the velocity of our supply chain, \nsolidified our security of supply, and ensured the security and \nassuredness of our products. At the same time we have remained \nvery competitive in the market from a cost standpoint.\n    There are some parts that we continue to source from China. \nWe are in active discussions with our major vendors as to their \nplans for transitioning out of China, largely to address issues \nrelating to counterfeit goods and intellectual property \ninfringement. We are less concerned about the security \nvulnerabilities of these products even if they are primarily \npassive products that are neither programmable nor capable of \nbeing embedded with damaging computer code or malware.\n    At the same time, we have taken extensive steps to ensure \nthe integrity of the active or programmable components in our \nproducts. We require now that these components are sourced from \noutside of China. 
We maintain rigorous and internal practices \nand capabilities that enable us to identify any issues with \nrespect to the security of our components. And by implementing \nstrict controls over our own software developments and by \nourselves performing the final testing and validation of the \nsoftware loaded on to our products, we ensure the integrity of \nour software, which is the critical element that controls and \nmanages our products and our customer\'s networks.\n    In conclusion, Ciena applauds the Subcommittee for taking \non this issue. In our case, we proactively elected to make \nchanges to our supply chain and not to wait for legislation, \nregulation, or the Administration\'s implementation of the \nrecent Executive Order on cyber security. Instead, we talked to \nour customers, conducted a thorough business analysis and risk \nassessment, and made a decision that we continue to implement \ntoday. While this strategy may not necessarily work for others, \nit has worked effectively for us. It makes good business sense \nand delivers additional security for our customers and for \ntheir networks.\n    With that, I conclude my remarks and am pleased to take any \nquestions.\n    [The prepared statement of Mr. Rothenstein follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.084\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.085\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.086\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.087\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.088\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.089\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.090\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.091\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.092\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.093\n    \n    Mr. Latta. Well, thank you for your testimony.\n    And our next witness is Mr. John Lindquist, President and \nCEO of EWA Information and Infrastructure Technologies, Inc. 
\nGood afternoon and thanks for testifying.\n\n                  STATEMENT OF JOHN LINDQUIST\n\n    Mr. Lindquist. Thank you, Mr. Vice Chairman, members of the \ncommittee. Thank you very much for the opportunity to testify.\n    As we all know, the security of our telecom systems is in \nfact very critical. We are aware of the myriad threats to the \nU.S. and the threat is real but is not limited to a single \ncountry, geographic area, or organization. Protection is made \ndifficult because the supply chain for electronic systems and \ndevices in general and specifically telecommunication systems \nis truly global. Most of the telecom system vendors have very \nlarge footprints in China and elsewhere around the globe, and \nmany of these worldwide locations are easily and directly \naccessible by the various threat nations and organizations.\n    Furthermore, it is the nature of the system development to \nmake use of software routines and hardware components that are \ngenerally available in the market, and it is virtually \nimpossible to determine the pedigree of all of the hardware and \nthe software that goes into a telecommunications system. Our \nadversaries are professional, highly technically capable \nintelligence organizations or sophisticated criminals, neither \nof which would have any difficulty circumventing a trusted \nsupplier system.\n    To address the security dilemma effectively, an evidence-\nbased security process should be applied, that enables an \ninformed judgment that an adequate level of assurance has been \nprovided that the system is free of malicious features and does \nnot contain serious security defects; and that is without \nregard to origin of the system.\n    IIT had been selected by several telecommunications \ncarriers as an independent evaluator to implement such a \nprocess. The process we are implementing is comprised of two \nmajor phases. 
The first is an in-depth security assessment of \nthe system software, hardware, and firmware to include all \npatches, upgrades, and modifications as they occur.\n    The second phase is a delivery process that ensures that \nthe deployed system and all patches, upgrades, and \nmodifications are exactly the ones that were evaluated and \ndetermined to be suitable and acceptable. The key features of \nthe process include: willing participation of the developer and \nvendor; a trusted independent evaluator; direct coordination \nbetween and among the stakeholders, particularly the telecoms \nand the concerned government agencies and the evaluator without \ninterference or necessarily knowledge of the vendor; correction \nof unintentional defects before deployment; immediate \ninvolvement of law enforcement if evidence of malicious intent \nis discovered; and a delivery system that ensures that the \nsystem delivered matches the evaluated system and prevents the \nvendor or any other un-presented party from accessing the \nsystem during or after delivery; and finally, a scheme for \nmonitoring the system after deployment.\n    In our case, the vendors have been very willing to comply \nbecause compliance was a condition of the sale to the \ntelecommunications carrier. Under those contracts, they provide \nus the design documentation, source code, the complete set of \nsample components, replication of the compilation environment \nfor their software and firmware, advance notice of all design \nchanges, patches, and modifications, and access to their \ndevelopment facilities to provide us the understanding of their \nprocess.\n    We were selected because of our intimate knowledge of the \nthreat. We have a comprehensive process with clear analytical \nand reporting criteria that explicitly addresses the evolving \nthreat. We have secure facilities. We use exclusively U.S. \npersonnel, who have been vetted through the U.S. 
security \nclearance process, and we have a staff fully qualified and \nequipped to perform the evaluations.\n    The contracts in each case specifically provide for the \ndirect private communication between the evaluator and \nstakeholders. Telecommunication carriers, by contractual \nmandate, are the primary beneficiary of our work. A condition \nof acceptance is a report from us describing what we did, the \nfaults found, the correction implemented, and any residual \nrisk, and we are free to discuss any issues directly with the \ntelecom and the government.\n    In our lab, we subject the system to a detailed analysis, \nboth a static analysis of the software and a dynamic testing of \nthe software and hardware. There have been thousands of defects \nfound and mitigated, not all of these in Chinese systems; as a \nmatter of fact, many of them in systems that currently exist in \nthe telecommunication system.\n    The software is delivered directly from us to the networks. \nThe hardware is subjected to a random sampling process, and the \nfirmware is either delivered directly from us or the boards are \nre-flashed by us, all again to make sure that the delivered \nsoftware is what we evaluated. Our recommendation is that some \nevidence-based security process like this is included in the \ngovernment\'s approaches, including the NIST security framework \nand other programs across the government.\n    Thank you very much.\n    [The prepared statement of Mr. Lindquist follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.094\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.095\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.096\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.097\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.098\n    \n    Mr. Latta. And thank you very much for your testimony.\n    Our next witness will be Dean Garfield, President and CEO, \nInformation Technology Industry Council. And Mr. 
Garfield, you \nare recognized for 5 minutes.\n\n                   STATEMENT OF DEAN GARFIELD\n\n    Mr. Garfield. Thank you, Mr. Chairman, since I see him \nwalking back in, Mr. Vice Chairman, and Ranking Member Eshoo. \nOn behalf of the world\'s most dynamic and innovative companies, \nI would like to thank you for all that this subcommittee and \ncommittee does on the issues that are most important to us and \nfor spotlighting this issue today.\n    Supply chain integrity and assurance is core to who we are \nand what we do. It is a business imperative. And so we are \nencouraged to see the formation of a bipartisan working group \nand look forward to working with you. Your first principle, \nwhich is do no harm, is a good credo for all of the work that \nwe do in this area.\n    I submitted testimony for the record and so I will focus my \noral testimony today on three areas: one, providing a window \ninto our supply chains; two is sharing some of the things we do \nboth as individual companies and as a sector to ensure supply \nchain integrity; and then, third, to make some recommendations \nwhere Congress can be helpful.\n    I have the privilege of working for companies that are \ntruly transforming the world. The products and mobile devices \nthat we all walk around with every day are more powerful today \nthan ever before. In fact, the mobile device that we all carry \naround has more processing power than the Apollo 11, or even \nmore recently, the Mars rover. 
Those mobile devices are \npresented under a singular brand but they include hundreds, and \nin some cases, thousands of components.\n    To ensure that we are providing our consumers with the best \nproducts at the best prices, those components are sourced in \nthe United States and in fact around the world as well to \nensure that the services and the products that we deliver are \nconsistently of the highest quality and that our global supply \nchains are highly integrated.\n    With that in mind, any change, risk mitigation, or \notherwise around supply chain assurance is carefully calibrated \nand we would highly encourage that any advocacy or policy \nadvance in this area be carefully calibrated as well.\n    The industry engages--both as individual companies and as \nwell as a sector--in a number of steps to both manage and \nmitigate risk. As individual companies, they adopt and \nintegrate best practices on a continuous and systemic basis \nthat includes instilling and teaching secure sourcing, \ninstilling and teaching secure coding, instilling and teaching \nidentification authentication among a host of steps that are \ntaken, some of which have been talked about by the other \npanelists generally.\n    As well, those individual steps that are taken by specific \ncompanies are complemented by industry-wide, sector-wide \nactivities both through standards activities, and also through \nconsensus-based voluntary global standard-setting \norganizations, such as ISO and IEC, which have advanced a \nnumber of standards that are quite relevant in this area, \nincluding the common criteria which is focused on product \nassurance or through standards that are focused on not products \nbut the processes as well that complement those products, \nincluding the Open Group Trusted Technology Forum.\n    It is important to note that in both instances our \ngovernment and other governments have an important role to play \nand do engage in those consensus-based 
voluntary global \nstandards-setting organizations. In fact, over 26 countries \nhave adopted the common criteria as a part of their government \nprocurement practices. And so while eliminating or not \nmandating requirements on the private sector, which we strongly \ndiscourage, they are able to ensure that the government \nprocurement processes benefit from the best practices of the \nprivate sector.\n    So where are the gaps and what can government do? We would \nrecommend four things: one is ensuring that where you are and \nwe are creating the proper incentives for the effective \nimplementation of the cyber security Executive Order from the \nWhite House that was issued earlier this year. That Executive \nOrder charges the DOD and the General Service Administration, \nGSA, to look at ways of integrating best practices and \nstandards from the private sector into the government \nprocurement practices. It would be useful to create incentives \nto make sure that happens appropriately.\n    Second is your oversight power. As Mr. Dix pointed out, \nthere are hundreds of initiatives within the public sector \nfocused on product assurance, gaining some order and ensuring \nthat the private sector input is integrated into those efforts \nis critically important.\n    Third is through sourcing. Ensuring that through government \nprocurement, the government is sourcing from original equipment \nmanufacturers and their authenticated suppliers is critical in \norder to have the kind of products assurance that we all have \nin mind.\n    And then fifth and final is making sure that we get an \ninformation-sharing bill similar to the one that has made its \nway through the House passed through the Senate as well.\n    Thank you very much.\n    [The prepared statement of Mr. 
Garfield follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T5436.099\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.100\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.101\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.102\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.103\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.104\n    \n    [GRAPHIC] [TIFF OMITTED] T5436.105\n    \n    Mr. Latta. Thank you, Mr. Garfield, for your testimony. \nAnd, Mr. Chair, do you want to resume the chair?\n    Mr. Walden. Or I can just ask questions from here if you \nwant to wield that big gavel there.\n    Mr. Latta. Yes. Well, with that then the vice chair will \nrecognize the chairman of the subcommittee for his 5 minutes of \nquestions.\n    Mr. Walden. Thank you, sir, and thanks for filling in and \ngetting the hearing going back from the votes. I got detained, \nas occasionally happens on the floor.\n    Mr. Garfield--first of all, thank you to all of our \nwitnesses--but I appreciated your comments. Our networks and \nthe threats they face are varied, as you know, and they are \never-changing, as you reference in your testimony. So how do we \nsecure our supply chain without losing the flexibility that is \ncritical to both how our communication networks function and \nthen how to defend them? What do you recommend here?\n    Mr. Garfield. You put your finger on the idea of the point \nof drawing balance. I think building on the best practices that \nare being developed in the private sector and integrating those \ninto the government procurement efforts. There are a number of \nstandards-based initiatives that are moving forward, \nspecifically focused on product assurance in supply chains. And \nso I would strongly encourage taking advantage of those best \npractices and integrating them into our government procurement \npractice.\n    Mr. Walden. You know, I have another question here that \nplays on this a bit for Ms. Bisceglie and Mr. Baker and you, \nMr. Garfield. 
Sometimes it appears the government sort of has \nan ad hoc process if you will when it comes to protecting the \nsupply chain. A high-ranking official will place a call or \nwrite a little letter to a company suggesting that the company \nnot do business with a particular vendor or a particular piece \nof equipment. I have actually had experience with that with a \nconstituent. So do we need a more formalized process, which \nraises all kinds of questions as to who is making those \ndecisions and all, but both as a matter of good process for \nequipment buyers and sellers to ensure that the measures are \neffective? And then how would you formalize that process?\n    And I don\'t want to hobble, you know, the fast-paced \ncommunications industry with a lot of bureaucracy, and red \ntape, and approval processes either. We fight that in other \nsectors and you certainly don\'t want it here. And it gets back \nto the hearings that we held that said, you know, first do no \nharm in this area. Bad guys will get ahead of us and we will be \nlocked into old laws and rules. So is there a way to strike a \nbalance here? And what do you recommend?\n    Ms. Bisceglie. I am happy to go first.\n    So I do agree we need to have--I think it is a separate \nslippery slope----\n    Mr. Walden. Yes.\n    Ms. Bisceglie [continuing]. As you just mentioned. And I \nthink that there are different levels. There is a varied way to \nput in a formalized process and I personally believe or we \npersonally believe there is no one-size-fits-all, but we like \nto talk about frameworks.\n    Mr. Walden. Right.\n    Ms. Bisceglie. And that framework consists of training and \nawareness, which I talked about earlier----\n    Mr. Walden. Right.\n    Ms. Bisceglie [continuing]. Which is a very big thing. \nFolks need to understand what the risk is that we are all \ntalking about.\n    Mr. Walden. Right.\n    Ms. Bisceglie. 
Additionally, I think that the thing that we \nhave seen over the last 6 years is that organizations, both \npublic and private, really struggle with understanding their \ninternal risk tolerance. So how much risk can I actually accept \ninto my organization----\n    Mr. Walden. Like anything else.\n    Ms. Bisceglie [continuing]. And that is not necessarily a \nsingle risk number of 1 to 5. It can be based on the essential \nfunction of that organization and if it has multiple functions, \nthen it gets prioritized, if you will, into the different \nprograms that that organization conducts as well as the systems \nthat support that. And then underneath that, I think you do \nhave some sort of a formal process. It gets really simple to us \nand that it really goes back to just really good business \npractices and understanding who you are buying from.\n    Mr. Walden. Right.\n    Ms. Bisceglie. But unless you can look at an organization \nand understand where their vulnerabilities exist and have a \nprocess to go through that, I think it is a very difficult \nplace to go. I do think that that last-minute, that 3:00 a.m. \nphone call is again a very dangerous place to be.\n    Mr. Walden. Mr. Baker?\n    Mr. Baker. So I completely agree we can\'t just start \nregulating----\n    Mr. Walden. Right.\n    Mr. Baker [continuing]. The private sector and tell them \nhow to do this. At the same time, if we rely exclusively on the \ngovernment communicating informally about its concerns, you run \nthe risk that the people who want to make these sales will just \nkeep lowering the price and lowering the price.\n    Mr. Walden. Right, we have seen that.\n    Mr. Baker. Hard to resist. And so I would suggest that \nthere needs to be authority for the government at a minimum to \nask questions. What is in your supply chain?\n    Mr. Walden. Right.\n    Mr. Baker. You know, what products are you buying? 
And to \ncommunicate where they have a strong basis, that is not \nacceptable. We know enough to know that that is a risky place \nto buy your equipment, so don\'t do it.\n    Mr. Walden. I will show a little ignorance here, but is \nthere sort of a range of equipment in the system that there is \nsome that is more important to make sure you get right than \nothers, or is it just everything matters?\n    Mr. Baker. There is a view abroad and in the industry as \nwell in telecommunications that the core is your most important \nproduct----\n    Mr. Walden. Right.\n    Mr. Baker [continuing]. And you cannot compromise the core \nand that the edge is less risky because fewer people are----\n    Mr. Walden. Do you agree with that?\n    Mr. Baker [continuing]. For any particular system. I am not \nsure in an internet world as the edge gets smarter and smarter \nthat that is a distinction that holds up as well as we would \nlike it to. But that is certainly something that we have seen \nin other telecommunications decision-making.\n    Mr. Walden. I know Mr. Garfield didn\'t get a chance to \nrespond but I also know my time has run out so--yes, you have \ngot to watch this vice chair. He is mean with that gavel. Do \nyou have anything to add to that, Mr. Garfield?\n    Mr. Garfield. I do. I think there are two specific \nprocesses----\n    Mr. Walden. Yes.\n    Mr. Garfield [continuing]. That would be useful. One is a \nprocess that is being set up through CISPA if it is passed \nthrough the Senate----\n    Mr. Walden. Right.\n    Mr. Garfield [continuing]. Which is a formal process for \ninformation-sharing through the government with the protections \nnecessary to make sure that information-sharing takes place.\n    The second is that the Executive Order sets up a process \nthrough the Department of Defense and General Service \nAdministration. 
And so creating ways to incentivize the success \nof that, which Congress can still do, I think is critically \nimportant.\n    Mr. Walden. All right. Thank you very much and I yield back \nthe deficit balance of my time.\n    Mr. Latta. The chairman is so recognized. The chair now \nrecognizes the gentlelady from California and the ranking \nmember, Ms. Eshoo, for 5 minutes.\n    Ms. Eshoo. Thank you, Mr. Chairman. It is nice to see you \nin the chairman seat, and you are always a gentleman and I \nappreciate that.\n    Mr. Walden. Reserving the right to object.\n    Ms. Eshoo. Well, the same applies to you Mr. Chairman. The \nsame applies to you. Not to worry, not to worry. Thank you to \nall the witnesses. Let\'s see, two, four, six, seven people \nhave, you know, each in your own way have come in with \nsomething that has some refinement to it that helps to not \nnecessarily bring closure but get us to focus on the areas that \nare really important for us to focus on when it comes to a \npublic role of national security and the integrity of the \nsupply chain. So I thank you.\n    I have a lot of questions. Let me start with--and Mr. \nLindquist is probably not going to be surprised with the \nElectronic Warfare Associates, that is quite a name. Warfare \nAssociates. How about Peace-fare Associates? But I guess that \ndoesn\'t work as well. Now, I understand that your company \nvetted Huawei\'s equipment and you gave it your seal of \napproval. I might add that the more I have heard witnesses \nspeak, the more I think the government really needs to have \nsome kind of list of essentially a good housekeeping seal of \napproval on it because small companies especially really need \nto have some help and direction so that they are not caught in \nsome kind of seamless web.\n    But can you explain the service you provided Huawei and \nwhat ongoing monitoring you have conducted to maintain your \ncertainty that their equipment is safe to use? 
And did Huawei \npay you for this? And, I mean, if they did, you know, I don\'t \nknow where that places the veracity of the report. I mean, it \ncould be--I am not saying that is--but it could be the \nequivalent of what happened on Wall Street when the rating \nagencies were paid to give some of these, you know, too-big-to-\nfail great, great ratings. But they paid for them. And so, you \nknow, in the aftermath and the rubble of the aftermath, that \ndidn\'t sound so good. It didn\'t feel so good and really wreaked \na lot of havoc. Did Huawei pay you for the report? And then the \nrest of my question.\n    Mr. Lindquist. First of all no, Huawei did not pay for----\n    Ms. Eshoo. You did this voluntarily for them?\n    Mr. Lindquist. No, the telecommunications carrier paid for \nit.\n    Ms. Eshoo. And who was that?\n    Mr. Lindquist. I am not at liberty to disclose that because \nwe have an NDA with them. If I get their permission, I can tell \nyou easily who it is.\n    Ms. Eshoo. I see. That is interesting.\n    Mr. Lindquist. But it is one of the major----\n    Ms. Eshoo. Yes.\n    Mr. Lindquist [continuing]. Telecommunications companies. \nAnd----\n    Ms. Eshoo. An American telecommunications company?\n    Mr. Lindquist. American telecommunications company.\n    Ms. Eshoo. Yes.\n    Mr. Lindquist. Secondly----\n    Ms. Eshoo. Can you tell us this? Is it an American \ntelecommunications company that buys equipment from Huawei?\n    Mr. Lindquist. They are in the process of doing that. The \nequipment, in answer to the second part of your question----\n    Ms. Eshoo. Yes.\n    Mr. Lindquist [continuing]. We are in the process of \nevaluating their system. The evaluation is by no means complete \nand we are only evaluating the radio area network portion of \nit. There are numerous reports. We do not give a seal of \napproval. 
What we do is take the known threats and we have very \ngood access through some of our work within the government to \nthe agreed list of cyber threats and what----\n    Ms. Eshoo. Well, do you get your information from the \nintelligence community or Homeland Security?\n    Mr. Lindquist. The intelligence community.\n    Ms. Eshoo. This is so interesting. So you do a report that \nvets Huawei, who wants to more than get a toehold which have \nfor years and it is very public and deeply concerned about. You \nare paid by an American major telecommunications corporation \nthat is looking to buy Huawei\'s equipment and you work with the \nintelligence community to see what the shortfalls are and vet \nit and say that the equipment is terrific for the American \nmarket. Have I gotten that straight?\n    Mr. Lindquist. Well, except that we don\'t say it is \nterrific or----\n    Ms. Eshoo. What did you say?\n    Mr. Lindquist. What we do say is what we looked at and what \nwe found, and if we found things, what corrections were made.\n    Ms. Eshoo. I see. See, my issue on all of this is not \nwhether their equipment is good or not. That is not the point. \nThe point is that our infrastructure is so precious to this \ncountry and it is a part of our national security. There is no \nquestion about it. And so does it pose a threat? If so, how? \nYou know, maybe they make some of the best equipment in the \nworld but that is not my point. That is not my point at all. So \nit is interesting what you just said.\n    And let me ask all the witnesses and you can just give me a \nyes or no. Should there be transparency requirements, including \ndivestments in state ownership placed on companies seeking to \nsell telecommunications infrastructure equipment to U.S. \nnetwork providers? And should this be a U.S. or an \ninternational standard? Maybe it is hard to answer yes or no \nbut----\n    Mr. Goldstein. I don\'t think I can give you a yes or no, \nma\'am. 
I think, particularly from our perspective, we didn\'t \nlook at those issues specifically. It is something we are happy \nto talk to staff about.\n    Ms. Eshoo. I want to thank you for your work, too.\n    Mr. Goldstein. Thank you.\n    Ms. Eshoo. Yes.\n    Mr. Baker. I do think that as we adjust to a world where \nthere really are no telecommunications integrators in the \nUnited States, we need authority to ask for quite a bit of \ninformation from the people----\n    Ms. Eshoo. Yes.\n    Mr. Baker [continuing]. Who are supplying that technology.\n    Ms. Eshoo. Thank you.\n    Ms. Bisceglie. I absolutely agree. I think transparency is \nthe key and you liken it to--if you look at what is happening \nwith the pharmaceutical agencies within your actual State----\n    Ms. Eshoo. Yes.\n    Ms. Bisceglie [continuing]. That the pharmaceutical law, \nthe E-Pedigree law of 2015 that has everybody looking at \ntransparency, I think there are lessons to be learned there.\n    Ms. Eshoo. Yes. OK.\n    Mr. Dix. Transparency is important and having a standard \nthat provides certification and accreditation like a \nwhitelisting type of opportunity would be very valuable to this \nprocess.\n    Ms. Eshoo. Thank you.\n    Mr. Rothenstein. Yes, we would agree. We would support some \nlevel of transparency and I think, frankly, Ranking Member \nEshoo, you hit the nail on the head. It is less about the U.S. \nGovernment and about the large service providers who have a lot \nof know-how----\n    Ms. Eshoo. Yes.\n    Mr. Rothenstein [continuing]. The resources, and are \nknowing smart buyers of telecom equipment understand the risks. \nIt is more about other critical infrastructure owners and \noperators, the alternative operators, the enterprises who may \nnot have the same level of understanding and resources where \nthe transparency really is going to be important.\n    Ms. Eshoo. It is helpful. Yes.\n    Mr. Lindquist. 
As I said earlier, I would reiterate \ntransparency is important. That is why in the process that we \nimplement we are looking at all the design documentation behind \nthe various systems to ensure that there is no inexplicable \ncapability or functionality within the system.\n    Mr. Garfield. I work in the tech sector so, of course, we \nbelieve in transparency. I don\'t have an answer as it relates \nspecifically to this issue.\n    Ms. Eshoo. Thank you. Thank you, Mr. Chairman, for your \npatience. Thank you to all the witnesses.\n    Mr. Latta. Thank you very much. The gentlelady yields back \nand the chair recognizes himself now for 5 minutes.\n    And if I could start with Mr. Goldstein, I found it kind of \ninteresting in your testimony on page 5 where you state that \nother countries such as Australia, India, and the United \nKingdom are similarly concerned about emerging threats to the \ncommercial communication networks posed by the global supply \nchain, have taken actions to improve their ability to address \nthis security challenge. What exactly have those three \ncountries done?\n    Mr. Goldstein. There are three countries--there are many \nothers----\n    Mr. Latta. Right.\n    Mr. Goldstein [continuing]. That we don\'t get into here. \nBut Australia has developed a regulatory reform proposal that \nthey expect to put in place shortly that would allow the \ngovernment to have more authority to examine what companies are \ndoing, what they are buying, how they document their purchases, \ntake a look to make sure that those companies are competent in \nputting networks together, and if the government does not feel \nthat they are doing it in a way that can be secured, that they \ncan ask them to do more. They can require them to do more than \nthey are doing and it has enforcement powers and potential to \nfind those companies that don\'t do it. That is a proposal that \nis likely to pass soon.\n    India has a very similar reform program in place. 
Where it \ndiffers is that they have also proposed requiring--certainly \nencouraging and in many cases requiring much of their equipment \nto be made and tested in the country and could not be obtained \nelsewhere. That particular part of the proposal has been put on \nhold because the United States and some other countries have \nobjected because of potential barriers to trade.\n    And the United Kingdom has put in place a very similar \nprogram to the one that Australia is now contemplating to have \na greater regulatory review over the practices and actions of \ncompanies putting networks in place, which also has authorities \nfor them to go in and look very specifically at what they have \ndone and how they are going to get assurance that those are \nsecure networks, as well as to be able to enforce actions that \nthey feel would be necessary if those companies did not do as \nmuch as they probably should be doing.\n    Mr. Latta. Thank you.\n    Mr. Rothenstein, if I could turn to your written testimony. \nI thought it kind of interesting where you had also had \nmentioned that in 2011 your company had made a conscious \ndecision to gradually exit key elements of your supply chain \nfrom China. And at the time over 1/5 of your global chain at \nthat time originated in China. You go on to state that, you \nknow, you are looking at other jurisdictions that you are \nmoving into now in Mexico and Thailand. I am just curious. How \nis that working out, and what have you found so far with that \ntransition?\n    Mr. Rothenstein. So in terms of the actual specific--so you \nare right. About 20 percent at the time of our manufacturing \nassembly of our supply chain originated in China and it is now \ndown to less than 1 percent. And in terms of the procurement to \nfinished to semi-finished assemblies, that was about 65 to 70 \npercent of the supply chain 2 years ago. That is now below 50 \npercent. 
The part that we attacked, as I mentioned in my \ntestimony, was that relating to active or programmable \ncomponents.\n    In terms of how it has gone, it has gone very, very well. \nWe have partnered effectively with two of our long-standing \ncontract manufacturers in Mexico and one in Thailand. We have \nimproved the velocity of our supply chain. It is a lot quicker \nto get equipment to our key North American market when you are \ndriving it by truck over the border as opposed to the slow boat \nfrom China. We have been able to essentially achieve cost \nparity in terms of labor rates and landed cost rates largely \nbecause those contract manufacturers had existing facilities in \nthose locations.\n    And as a result of that, we have been able to, in addition \nto velocity maintaining cost parity, we have gotten tremendous \npositive feedback from our customer base in terms of that \nsupply chain strategy. They viewed very positively our thought \nprocess, our decision, and they have given us direct feedback \nthat they view with a greater level of comfort, security, and \nassuredness of the risk profile of our equipment to their \nnetworks.\n    Mr. Latta. And in the balance of my last 27 seconds if I \ncould turn to Mr. Lindquist, what are the different challenges \nin protecting the software and hardware supply chain and is one \nmore vulnerable than the other?\n    Mr. Lindquist. What are the different challenges in \nprotecting it?\n    Mr. Latta. In protecting the software and hardware supply \nchains and is one more vulnerable than the other?\n    Mr. Lindquist. I think the current state of affairs--and it \nis referring to the second question first--I think the software \nis more vulnerable. I think there are more people who have \nperfected techniques for exploiting software than in the \nhardware. 
It is also easier to do at any stage in the process.\n    And what we are endeavoring to do is to separate the vendor \nfrom the products so that once the system has been determined \nto be secure enough, and there is always some residual risk, \nthat the vendor no longer has access to that system to \nintroduce any new malicious capability into the system.\n    Mr. Latta. Well, thank you very much. And my time has \nexpired.\n    And the chair would now recognize the gentleman from \nIllinois, Mr. Shimkus, for 5 minutes.\n    Mr. Shimkus. Thank you, Mr. Chairman. Thank you all for \nbeing here. It is a great committee with high-tech things. I \nalways joke that for my colleagues who don\'t have teenagers, \nthen the government ought to issue them one because that helps \nyou figure out how this stuff works.\n    The hearing this morning was on cyber security, too, with \nthe electric grid and the like. So we had a little debate about \nthe cloud, which I understand are server farms and that brings \nsome, especially when the government is contracting. And my son \nand I are together on concerns about the cloud. You know, \neverybody thinks it is--but, you know, there are some issues \nthere, cyber security and especially if the government is being \ninvolved and really contracting that space.\n    We differ on CISPA and we have had numerous debates. So the \nlast time we cast the vote I was home that next morning and he \ncomes into the room and he is all grouchy and he is reading all \nof his internet stuff. And he says I don\'t have to ask how you \nvoted on CISPA, Dad. I know how you voted--which I supported. \nAnd he was none too pleased.\n    But my debate or discussion with him is information-\nsharing, really on the code system so you could have firewalls. \nAnd if our intel communities or you guys know something is \ncrazy going on out there, you can build a firewall. At least \nyou have an idea of what you might expect.\n    So, Mr. 
Garfield, I don\'t know if it was in your statement \nbut in question-and-answers you also talked about information-\nsharing. And were you referring to that in the supply chain \ndebate that we are having here, that there ought to be \ninformation-sharing like we would have in firewall protection a \nla like CISPA?\n    Mr. Garfield. Yes is the simple answer. Information-sharing \nand passing of risk mitigation information is critical to \nprotecting our cyber security generally but also for risk \nassurance in the context of supply chains as well. And so, I \nthink, moving CISPA and the information components of that was \ncritically important and getting it through the Senate is \ncritically important----\n    Mr. Shimkus. But the CISPA bill that we are passing--you \nknow, correct me if I am wrong--I thought it was just on code. \nWas it also on the supply chain? It could be?\n    Mr. Garfield. Yes, it is around sharing actionable \nintelligence----\n    Mr. Shimkus. Here on----\n    Mr. Garfield [continuing]. On threats and mitigating \nthreats.\n    Mr. Shimkus. I got another good point for my son then, \nright? I got another good point.\n    Mr. Garfield. You can give him my phone number.\n    Mr. Shimkus. Good. Great. Good, I always need a little \nhelp.\n    And Ms. Bisceglie, SCRM, now, I have got a new acronym. \nJust what we need, another acronym here in Washington, SCRM, \nwhich was supply chain----\n    Ms. Bisceglie. Risk management.\n    Mr. Shimkus [continuing]. Risk management, which is all \ntied into this. I want to follow up with you on this cost \npressure issue that you raised and how do you think we can \nreally address it? I mean if you really want to make sure that \nyour equipment is secure, you are willing to pay for it, but if \nyou are in a competitive, very fast-moving technological field \nand you want to get market entry and you want to have a low-\ncost provider, there is risk involved in that, correct?\n    Ms. Bisceglie. 
There is, and actually, that is when the
chairman asked his question earlier when we talked about
putting a framework in place, something that is repeatable and
scalable. I personally think that is the key, an effort to keep
the acquisition costs down, because I totally understand the
need to get procurements done faster, technology to the street
faster, and into users' hands faster. But unless we have ways
of understanding what our organizational risk tolerance is so
that we know what protectionisms we already have in place, it
is going to be very difficult to really take risky endeavors
like you are mentioning.
    Mr. Shimkus. And I was also caught by the whole debate.
There was a pharmaceutical reference which we are involved with
and the Track-and-Trace legislation----
    Ms. Bisceglie. Yes.
    Mr. Shimkus [continuing]. In maybe some States. Just for
the record, when some States move to a very controlled system,
they have to then postpone the enactment date because they
can't do it----
    Ms. Bisceglie. Yes.
    Mr. Shimkus [continuing]. In that time, which then would
affect the market in delivery of goods and services. So the
question is--because what the chairman said to begin with was,
first do no harm.
    Ms. Bisceglie. Yes.
    Mr. Shimkus. So does the Executive Order and its process
have the opportunity to do harm in this process? Does anyone
want to comment? Is there a concern that the Executive Order
and this rollout and their involvement has an opportunity to do
harm? Mr. Garfield?
    Mr. Garfield. Yes, there is always risk, right? We are in
the business of risk mitigation but overall our view is that
the Executive Order actually creates a framework that advances
the ball in a very positive way. The fundamental question for
us is how can Congress complement that and that is what I tried
to articulate in talking about the things that Congress can do
to ensure it continues to move in a positive direction.
    Mr. Shimkus. Mr. Chairman, my time is up but I think there
are a couple more that want to comment.
    Mr. Dix. I would just add many of us want to approach the
answer to that question with an open mind, but we are taking a
wait-and-see approach because it is not at the endgame yet and
there are opportunities along the way for this not to be as
good as it might be.
    Mr. Shimkus. Always good to trust but verify.
    Mr. Dix. Yes, sir.
    Mr. Shimkus. If no one else wants to jump in, I yield back
my time. Thank you, Mr. Chairman.
    Mr. Walden. Thank you. Now, I will turn to the gentleman
from Colorado, Mr. Gardner, for 5 minutes.
    Mr. Gardner. Thank you, Mr. Chairman, and thank you to the
witnesses for joining us today.
    And, Mr. Baker, I will direct this question to you.
Questions raised by foreign-directed cyber attacks on U.S.
institutions suggest that the United States Government must
give careful consideration to how the national security
interests are controlled, monitored, and regulated. How
concerned should we be by the prospect that any critical
infrastructure provider that serves the core of our national
security interests could come under foreign control and
therefore outside the supervision of the U.S. Government?
    Mr. Baker. We have to be concerned about that. It is not
likely that we will be able to stop globalization of this
industry so the idea that we can simply say no I think is not
realistic. But we have to then put in place transparency and
regulatory authority that makes sure that those companies do
not serve other nations' interests when they supply us with
that equipment.
    Mr. Gardner. And in keeping those kinds of concerns in
mind--and we have seen in the past the mergers of U.S.
companies with foreign companies--what are some of the national
security implications of such a purchase then?
    Mr. Baker. So I did this a lot when I was at DHS and indeed
when I was at NSA. In the telecommunications industry we have a
well-developed set of rules in which we negotiate a mitigation
agreement with the buyer if the buyer is a foreign buyer, which
gives us some control. It is not perfect by any means, and I am
often unenthusiastic about the results. But it is the tool that
we have.
    In the context of companies selling products to the United
States, we have none of those controls unless they actually buy
a U.S. company so that any company can sell products into our
critical infrastructure without any regulation or transparency.
It is only when they try to buy a U.S. company that we have any
authority at all.
    Mr. Gardner. Reports of stories of foreign-directed cyber
attacks against U.S. institutions provoke difficult questions
about the control reaching oversight of the United States
national security interests. Do you agree that the idea of
surrendering control of a critical infrastructure provider like
Sprint to a foreign entity Softbank beyond full U.S. oversight
deserves very careful consideration and should not be hurried?
    Mr. Baker. It certainly deserves careful consideration. I
would point out, as I answered to the last question, for many
the security agencies there will be a temptation to say the
only way we will be able to tell Sprint the products they can
buy, what they can have in their infrastructure, is if we enter
into a negotiated agreement. That is a negotiated agreement
with a foreign buyer. They have no authority at all in the
other context so it is an odd set, currently, of incentives for
the U.S. Government in which they might actually have more
regulatory authority if they let the transaction go through.
    Mr. Gardner. You mentioned in your testimony a little bit
about CFIUS, whether it is adequate or not. That is relied on
by Congress, by the FCC. Where are the pitfalls? What are the
problems?
    Mr. Baker. The problem is that if you want to introduce
products that are not reliable into the U.S. market, you can
just walk in and start taking orders. Even if it is going right
into the core of the telecommunications industry, there is no
authority anywhere in the U.S. Government to say no to that
today. Only if an unreliable buyer or seller actually tries to
acquire a U.S. company is there any authority at all.
    Team Telecom at the FCC has some authority over foreign
carriers but not over foreign suppliers of equipment. CFIUS
gives authority only over buyers of U.S. companies. So there is
a real regulatory gap there with respect to some of this
equipment that we have not yet found a solution for.
    Mr. Garfield. May I weigh in on this?
    Mr. Gardner. Please.
    Mr. Garfield. I think we have to be exceptionally careful
about developing prophylactic rules around private sector
agreements as it relates to supply chain assurances. India was
used as a reference earlier in talking about an example of
countries moving in a particular direction. There are a whole
host of companies that I represent in the technology sector
that are being foreclosed from the Indian market because of
those types of rules. And so I just think that those types of
rules have to be carefully calibrated and, from my perspective,
discouraged.
    Mr. Gardner. Thank you. I yield back my time.
    Mr. Walden. I thank the gentleman. I thank all of our
witnesses and committee members for their participation today,
really a superb panel of witnesses. Your information that you
shared has been very, very valuable. Your written testimony is
helpful to us and to our staffs as we wrestle with this issue
going forward in protecting the country and trying also not to
stifle innovation and technology being developed in America. So
we have got to get this right. And your depths of experience
and your willingness to come here and share that with us is a
great benefit to the American people. And so we thank you for
your participation; we thank you for your assistance.
    And the record will remain open for additional questions, I
am sure. And we hope that you will accept our invitation to
work with us even further as we go forward. We want to get this
right. So thank you very much. With that, the Subcommittee
stands adjourned.
    [Whereupon, at 4:12 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Fred Upton

    Wired and wireless technologies are increasingly becoming
the medium over which we manage our lives, our government, and
our country. As a result, national security, economic security,
and personal security are now also matters of communications
security. Where once it may have been sufficient to guard the
doors to our homes, our banks, our offices, our factories, and
our utilities, today we must also guard the virtual doors to
our networks.
    This hearing will look at the locks we place on those
networks throughout the communications supply chain. Just as
the networks and the cyber threats they confront are varied and
ever evolving, so too must be our defenses. A one-size-fits-all
solution is likely to be as successful as fitting every lock
with the same key.
    What means are at the disposal of the private sector and
government to secure our networks? What's working? What isn't?
Where are the threats coming from? What kind of risk and
cost-benefit analyses should we be engaging in to find the right
solutions?
I ask the witnesses to help frame the issues for us
today so we can determine where we--and the nation--should focus
attention. If no one watches the door, surely someone will walk
in who shouldn't.

                                #  #  #

                              ----------

[GRAPHICS T5436.106 through T5436.127: TIFF images omitted from the printed record]


                                 <all>
</pre></body></html>
'