[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
ZTE: A THREAT TO AMERICA'S SMALL BUSINESSES
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
HEARING HELD
JUNE 27, 2018
__________
Small Business Committee Document Number 115-082
Available via the GPO Website: www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-507 WASHINGTON : 2019
HOUSE COMMITTEE ON SMALL BUSINESS
STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa
BLAINE LUETKEMEYER, Missouri
DAVE BRAT, Virginia
AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
STEVE KNIGHT, California
TRENT KELLY, Mississippi
ROD BLUM, Iowa
JAMES COMER, Kentucky
JENNIFFER GONZALEZ-COLON, Puerto Rico
BRIAN FITZPATRICK, Pennsylvania
ROGER MARSHALL, Kansas
RALPH NORMAN, South Carolina
JOHN CURTIS, Utah
NYDIA VELAZQUEZ, New York, Ranking Member
DWIGHT EVANS, Pennsylvania
STEPHANIE MURPHY, Florida
AL LAWSON, JR., Florida
YVETTE CLARKE, New York
JUDY CHU, California
ALMA ADAMS, North Carolina
ADRIANO ESPAILLAT, New York
BRAD SCHNEIDER, Illinois
VACANT
Kevin Fitzpatrick, Majority Staff Director
Jan Oliver, Majority Deputy Staff Director and Chief Counsel
Adam Minehardt, Staff Director
C O N T E N T S
OPENING STATEMENTS
Hon. Steve Chabot
Hon. Nydia Velazquez
WITNESSES
Mr. David Linger, President & CEO, TechSolve, Inc., Cincinnati, OH
Mr. Andy Keiser, Visiting Fellow, National Security Institute,
Antonin Scalia Law School, George Mason University, Arlington, VA
Mr. Matthew G. Olsen, President, IronNet Cybersecurity,
Kensington, MD
APPENDIX
Prepared Statements:
Hon. Yvette D. Clarke, New York
Mr. David Linger, President & CEO, TechSolve, Inc.,
Cincinnati, OH
Mr. Andy Keiser, Visiting Fellow, National Security
Institute, Antonin Scalia Law School, George Mason
University, Arlington, VA
Mr. Matthew G. Olsen, President, IronNet Cybersecurity,
Kensington, MD
Questions and Responses for the Record:
Questions from Hon. Yvette Clarke to Mr. Matthew G. Olsen and
Responses from Mr. Matthew G. Olsen
Additional Material for the Record:
None.
ZTE: A THREAT TO AMERICA'S SMALL BUSINESSES
----------
WEDNESDAY, JUNE 27, 2018
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 11:02 a.m., in Room
2360, Rayburn House Office Building. Hon. Steve Chabot
[chairman of the Committee] presiding.
Present: Representatives Chabot, Brat, Radewagen, Kelly,
Blum, Curtis, Velazquez, Evans, Lawson, Adams, and Schneider.
Chairman CHABOT. The Committee will come to order.
We want to thank everyone for being here this morning.
Today we are here to discuss a topic that has garnered
quite a bit of attention in recent months. However, it is an
issue that this Committee has paid very close attention to for
a number of years now. That is the looming threat of Chinese
telecommunications giant, ZTE.
As this Committee has learned through past hearings,
foreign-backed entities from countries like China and Russia
regularly target small businesses to steal intellectual
property and undermine America's critical infrastructure. The
FBI has already determined that foreign state actors pose a
serious cyber threat to the telecommunications supply chain. It
is also clear that many foreign nations are responsible for
direct cyberattacks on the United States in an effort to steal
intellectual property and sensitive personal information.
In a report by our colleagues on the Intelligence
Committee, U.S. businesses and cybersecurity experts have
reported persistent attacks that could be traced back to China
and were thought to be supported by the Chinese government. And
studies from the Department of Defense have warned of the
difficulties associated with defending against threats posed by
foreign nations, stating that, ``[the] means and opportunity
[for nation-state adversaries] are present throughout the
supply chain and lifecycle of software development.'' This is
particularly troublesome for small businesses that not only
rely on products from, but also engage in commerce with,
globalized telecommunications firms in countries like China.
Hearings by this Committee have shown that small businesses
have become top targets for nefarious state-backed actors
because they tend to be the softest targets. They have fewer
resources to manage their information technology systems and
respond to cybersecurity incidents, and they often lack the
technical knowledge needed to assess the ever-evolving threats.
Additionally, most small businesses do not have a lot of money
to throw around and thus, may often purchase less expensive
tech products often produced by large Chinese firms. This is a
recipe for disaster.
Now, let me be clear. I do not believe for a minute that an
American small business owner would purposely buy a product
that puts their own operations at risk, let alone jeopardize
our national security. However, the problem is that most small
businesses will not even know that they are using a product or
service that has been provided by a nefarious actor. Nor should
they. Their job is to run their business, employ hardworking
Americans, and keep their customers happy.
When we talk about existential threats to national
security--and that is what ZTE is--it is the Federal
government's job to protect Americans and American small
businesses.
That is exactly what happened in April of this year when
ZTE was effectively banned from doing business in the U.S.
After years of investigations and deliberations into the ZTE
case, after ZTE was afforded its due process in this country (a
favor I might add that usually goes unreturned to American
companies in China), and after numerous second chances, the
Trump administration rightfully made the decision to finally
hold ZTE accountable, a move that many of our colleagues on
both sides of the aisle applauded.
Now, we face the very real possibility that ZTE may be
given yet another chance. Commerce Secretary Wilbur Ross
announced earlier this month that a new agreement had been
reached with ZTE, and after paying over a billion dollars in
penalties and forfeitures, the Bureau of Industry and Security
will remove ZTE from the Denied Persons List and they can
return to business as usual.
I am very concerned that this decision could ultimately put
Americans at risk. ZTE has consistently lied to this
administration, and it is reasonable to assume that it will do
so again.
Today's hearing will examine the threat posed by ZTE to
American small businesses, if ZTE is allowed to re-engage in
the American economy. This is an important decision that
impacts both our national security and our economic security,
and I believe it demands much more attention than it has
received so far.
I think we all look forward to hearing from our witnesses
about this threat this morning and how we can better guard
against any of those issues.
And I would now like to yield to the Ranking Member for her
opening statement.
Ms. VELAZQUEZ. Thank you, Mr. Chairman. And thank you
really for holding this critical hearing.
As we have seen time and again, in this committee and in
national headlines, cybersecurity affects every facet of our
lives. To this day, many of us remain deeply troubled about how
an adversarial foreign power influenced our nation's 2016
election results and whether we will be prepared to prevent
similar actions in the future.
We have also heard in this committee, that small businesses
are uniquely vulnerable to cyberattacks, whether it be from
small-time cyber criminals or foreign powers intent on
industrial sabotage, such as China and Russia.
As one of the world's largest telecommunications equipment
manufacturers, ZTE occupies a unique and dangerous space when
it comes to many of these issues. An increasing number of
consumer and business devices, like cars, appliances,
communication networks, utilities, and phones, rely on smaller
components manufactured by ZTE and other similar Chinese
companies. The prevalence of ZTE's products is disturbing when
we realize that the company has a history of being a national
security threat to American interests. Concerns about ZTE date
back to 2012 and those issues continue today.
That is why this administration must take that threat posed
by ZTE and other Chinese companies seriously. Unfortunately, it
appears that the president seems intent on weakening our
security posture when it comes to responding to this threat.
The government has previously taken some steps to protect
itself in this area. In April, the Commerce Department banned
U.S. companies from selling parts or providing services to ZTE,
virtually shutting down the company. In May, the Pentagon
pulled ZTE phones from stores on U.S. military bases because
they consider them a security threat.
However, on June 7th, the president largely reversed these
moves, agreeing to lift sanctions, reportedly ignoring the
advice of the U.S. intelligence community and many American
economy advisors.
Our national security cannot be imperiled by lax policy
toward these hostile actors. Where the administration is taking
unacceptable risks, Congress must step forward to contend with
these illicit Chinese government-backed enterprises.
Fortunately, the first legislative steps have been taken to
correct the administration's careless approach. The Senate
recently approved an amendment to the National Defense
Authorization Act, that if enacted will reinstate sanctions,
eliminating ZTE and Huawei access to U.S. suppliers.
Sadly, President Trump is working with Senate Republicans
to undermine this effort. Without such restrictions, these
Chinese companies can have major and costly implications for
small businesses and their ability to operate, and it is
irresponsible to ignore the threat and undermine the very
interests Congress is here to protect. Clearly, cybersecurity
is central to protecting both our national and economic
security.
During today's hearing, we will explore the critical issues
facing small businesses in cyberspace and the dangers they face
when actors with ill intent are afforded unfettered access to
U.S. markets. It is my hope that today's discussion helps shed
light on how Congress can work to protect our small businesses
and our country from bad actors operating in cyberspace.
I would like to thank the witnesses again for being here,
and I yield back. Thank you.
Chairman CHABOT. Thank you very much. The gentlelady yields
back.
And if Committee members have opening statements prepared
we would ask that they be submitted for the record.
And I will take just a moment to explain our rules and
lighting system here. We operate under the 5-minute rule. Each
of you gets 5 minutes to testify. The lights are there to kind
of assist you. The green light will be on for 4 minutes. The
yellow light will be on for a minute to let you know that it is
about time to wrap up. And then the red light will come on
saying that your time is up. So if you could stay within those
parameters we would greatly appreciate it. We also apply those
rules to ourselves, so we all get 5 minutes to ask questions as
well.
I would now like to introduce our distinguished panel here
this morning. We will begin with Mr. David Linger, who has over
25 years of learning and success in bringing new technologies
and innovations to market through roles in engineering, product
development, product management, and business development. Mr.
Linger currently serves as the President and CEO of TechSolve,
Inc., which happens to be in my home district in Cincinnati,
Ohio. His team of experts has leveraged its deep-rooted
knowledge in machining, data extraction, and the manufacturing
process to translate emerging technologies into everyday
manufacturing and business solutions for small businesses. And
we welcome you here today, Mr. Linger.
Our next witness will be Andy Keiser, who comes to us as a
Visiting Fellow from the National Security Institute.
Previously, Mr. Keiser served 14 years on Capitol Hill for
former House Intelligence Committee Chairman Mike Rogers, as
Chief of Staff, Legislative Director handling Cybersecurity and
Energy and Commerce Committee issues, and as senior advisor to
the Intelligence Committee. And we welcome you here, Mr.
Keiser.
I would now like to yield to the Ranking Member for the
purpose of introducing our third and final witness.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
It is my pleasure to introduce Mr. Matthew Olsen, Cofounder
and President of IronNet Cybersecurity, a network security
company in Maryland. Mr. Olsen is a graduate of the University
of Virginia and Harvard Law. He began his distinguished career
as a trial attorney for DOJ's Civil Rights division, and then
as a federal prosecutor for the U.S. Attorney's Office for
D.C., where he served as the first Director of the Office of
National Security Division. Mr. Olsen has worked in the DOJ's
National Security Division, and went on to serve as the
Associate Deputy Attorney General and as the General Counsel of
the National Security Agency. In the Obama administration he
served as the Director of the National Counterterrorism Center,
and is currently a member of the Homeland Security Advisory
Council. Thank you for being here.
Chairman CHABOT. Thank you very much.
Mr. Linger, you are recognized for 5 minutes.
STATEMENTS OF DAVID LINGER, PRESIDENT & CEO TECHSOLVE, INC.;
ANDY KEISER, VISITING FELLOW, NATIONAL SECURITY INSTITUTE,
ANTONIN SCALIA LAW SCHOOL, GEORGE MASON UNIVERSITY; MATTHEW G.
OLSEN, PRESIDENT, IRONNET CYBERSECURITY
STATEMENT OF DAVID LINGER
Mr. LINGER. Thank you very much.
Chairman Chabot, Ranking Member----
Chairman CHABOT. If you could turn the mic on that would be
great. Thanks.
Mr. LINGER. Chairman Chabot, Ranking Member Velazquez, and
members of the Committee, thank you for inviting me to testify
this morning on behalf of the U.S. small manufacturers
regarding the impact that cyberattacks have on this critical
national asset.
Only the government tops the manufacturing sector (followed
by finance and healthcare) as the most targeted sector by cyber
espionage. These aggressors are seeking to disrupt
manufacturing not only through the stealing of intellectual
property, but also the destruction of the U.S. supply chain by
crippling them both financially and through attacks on their
intelligent machines.
Rebecca Taylor, Senior Vice President for the National
Center for Manufacturing Sciences (NCMS) stated, ``Every
manufacturer is at risk. It is not a matter of if they will be
targeted; it is a matter of when.''
A 2017 Ohio Manufacturing Extension Partnership (OH MEP)
survey of Ohio manufacturers revealed that only 12.5 percent of
manufacturers responded that they understand what cybersecurity
is and have worked to protect their machines, intellectual
property, and IT systems and only 4.5 percent have undergone a
cybersecurity assessment.
According to 2015 Census data, the vast majority of
manufacturers are very small. Of the 250,000 firms in the U.S.
manufacturing sector, only 1.5 percent of those manufacturers
have greater than 500 employees, 188,000 have less than 25
employees.
As President of TechSolve, I have a very unique perspective
of the devastation these cyberattacks have caused our
customers. I am here today to share the story of one such
manufacturing company that has experienced these attacks and
exemplifies the risks a majority of these manufacturers face on
a 24/7 basis. To Tony Strobl, President of Cincinnati Crane &
Hoist, these cyberattacks are a war on his company and his
employees. Cincinnati Crane is a very small, 20-person company,
based in Southwest Ohio, that supplies turn-key crane systems,
parts, and services. Cincinnati Crane is a veteran-owned
business that has seen growth of more than 400 percent in the
last three years and was awarded the U.S. Department of
Commerce Export Achievement Award in 2017.
Earlier this year, Tony's company was the victim of social
engineering, or more specifically a spear phishing campaign
that contained malicious macros that breached their email
system; went undetected for an uncertain amount of time;
embedded hidden folders within Office365; ``spoofed''
legitimate invoices that were being emailed to Cincinnati
Crane's customers; replaced those invoices with bogus invoices
providing false banking information that ultimately syphoned
over $200,000 from his customers.
When the Cincinnati Crane invoices had aged 30 days and
collection calls were made, customer after customer told
Cincinnati Crane that they had already paid their invoices. The
$200,000 that was stolen from Cincinnati Crane is now
unrecoverable according to the FBI. Due to Cincinnati Crane's
current financial standing, Tony had to make the devastating
decision to lay off four of his employees, 20 percent of the
company.
Not only has this cyberwar affected those families, but it
has severely hampered Tony's ability to complete customer
orders, grow, and innovate.
Cincinnati Crane's customers are afraid to conduct business
with Tony. Not only are they concerned about sensitive drawings
and corporate data that they have shared with Tony's project
managers, but they are also afraid to open email
correspondence, even making payments electronically with
Cincinnati Crane. Even though TechSolve and its IT sub-
contractors have scrubbed their systems and are working on
long-term cybersecurity policies and procedures through
remediation and adaptation of the NIST SP 800-171 cybersecurity
controls, the effects of these cyberattacks continue to
threaten its long-term viability.
The Cisco 2018 Security Capabilities Benchmark Study
further corroborates data that TechSolve has observed when it
comes to manufacturers in general, but especially small
manufacturers. There will be more operational technology (OT)
or internet of things (IOT) attacks in the future.
Cyberattackers can hack into machine tool accessories or
machine tools and alter the program. Therefore, either stopping
the manufacturer from providing the right parts to their
suppliers, or even worse, altering the quality of the part that
is a portion of a larger assembly, thus compromising the entire
system.
For large defense primes and original equipment
manufacturers (OEMs), it is critical for their supply chains to
protect the integrity of that digital thread.
There are a number of ways to entice companies to begin
implementing cybersecurity best practices and the DOD has done
a great job by leading the way and establishing one method,
regulation through the current DFARS and NIST SP 800-171
controls. The current shortcoming is a lack of validating
testing.
TechSolve is working with several manufacturing companies
that are conducting business with the DOD. They are technically
``in compliance'' with the DFARS; however, this does not make
them cyber secure.
Another approach is being discussed in the State of Ohio.
The Attorney General is working with the Senate and House on
former Senate Bill 220. This ``safe harbor'' bill, if passed,
will create a law that will protect companies that can prove
that they have proactively implemented and are maintaining
cybersecurity measures within their systems.
Research conducted by the National Cyber Security Alliance
states that there was a 600 percent increase in IOT attacks
from 2016 to 2017 and that the number one country of origin is
China at 21 percent. Given these statistics, and the fact that
60 percent of small and mid-sized businesses that have been
hacked shut down within 6 months of the attack, it is
imperative for all of us that we safeguard this incredibly
important industry sector. Thank you.
Chairman CHABOT. Mr. Keiser, you are recognized for 5
minutes.
STATEMENT OF ANDY KEISER
Mr. KEISER. Thank you, Mr. Chairman, Ranking Member
Velazquez, distinguished members of the Committee. If you will
forgive me, I am used to sitting in the back along with these
guys as a staffer not in direct line of fire to you guys, so go
easy on me. But pleasure to be here.
I will start with a story that I think you all will
immediately relate to. My former boss, as you mentioned,
Chairman, Mike Rogers, first became interested in the
activities of ZTE and Huawei not because he was a former U.S.
Army officer or because he was a former FBI agent, or even
because he was on the Intelligence Committee. He actually got
interested in those companies because a Michigan company,
similar to Mr. Linger here from Ohio, came to him with a
problem.
So as all of you would do, he listened to that small
business owner very carefully. What he was doing was building
cell towers in sort of the hinterlands of Michigan, out in the
thumb as we would call it. And he found companies, Chinese
companies were coming in at a price that was astonishing to
him. So he would offer a bid and these companies, Huawei and
ZTE would come in not just below his bid, but below the cost of
what the materials were to build the towers.
So that got a former FBI agent thinking, why on earth would
these companies be doing that? More on that later.
As I do not need to remind this room, small business is the
lifeblood of the economy. Two out of every three new private
sector jobs are created by small business. It is inherently
creative, resilient, and able to adapt quickly to market
conditions, but one thing it is not able to do is respond to
Nation state attacks, aggressive, unrelenting espionage with
theft of trade secrets. Those are exactly the challenges
presented by ZTE and Huawei.
A little history on China I think is important for the
Committee. For thousands of years, China, of course, viewed
itself as superior to all other world powers. Following a
self-described century of humiliation resulting from
imperialist incursions from the West and Japan, it now seeks a
return to that perch under the consolidated leadership of
President Xi Jinping, newly pronounced President for Life,
China intends to become a global economic, military, and
technological leader rivaling or surpassing the United States
really in the next 10 to 15 years.
There are some troubling indicators to this. The Chinese
GDP is scheduled to surpass that of the United States by 2029.
The Chinese military is rapidly modernizing and they are
directly aiming their capabilities at U.S. strengths. That
includes cyber, sea power, and space.
Part of their grand vision, of course, includes the Made in
China 2025 strategic plan where they will become the world's
leader in high-tech fields squarely within the expertise of ZTE
and Huawei.
Those two companies that we are discussing today are
working fast to put western vendors out of business to secure
market dominance. In just 7 years, Huawei has actually gone
from an afterthought with poorly functioning equipment and only
10 percent market share, to the top position in lucrative
business like LTE radio.
Excluding the United States, Huawei actually has a 38
percent total market share globally. By investing heavily in
R&D, which they are doing but perhaps more concerning by
stealing their way to some innovation, they have achieved this
market position. Actually, Huawei has admitted to stealing
router products, secrets from Cisco, all the way down to the
typos in the manual. Huawei apparently has stolen the design
for the iPhone right down to the last screw.
As mentioned earlier, I worked on the House Intelligence
Committee, and we issued a report back in 2012. Many of those
findings still hold true to this day. In 2012, the report
stated the risks associated with Huawei and ZTE's provision of
equipment to U.S. critical infrastructure could undermine core
U.S. national security interests.
Perhaps more relevant to this Committee, the report
suggested the risks associated with doing business with either
ZTE or Huawei for equipment or services were certainly not
recommended.
We can discuss the denial order by the Commerce Department
in some detail, but it was pretty hard hitting. Among other
things, specifically to ZTE, the Commerce Department stated
that ZTE demonstrated a pattern of deception, false statements,
and repeated violations. In fact, they admitted to committing
380 violations and engaged in an elaborate scheme to prevent
disclosure to the U.S. government.
Look forward to getting into some more details in Q&A but
Chairman Rogers and Ranking Member Ruppersberger at the time
teamed up again to write an op-ed in the Wall Street Journal
earlier this year which called the threat from ZTE a clear and
present danger to U.S. national security. I agree completely
with this and encourage this body and the rest of the Hill to
respond accordingly. Thank you very much for the time.
Chairman CHABOT. Thank you very much, Mr. Keiser.
Mr. Olsen, you are recognized for 5 minutes.
STATEMENT OF MATTHEW G. OLSEN
Mr. OLSEN. Thank you, Mr. Chairman, and Ranking Member
Velazquez, and members of the Committee. I really appreciate
the opportunity to be here for this important hearing. And I
would like to commend the Committee for addressing this issue,
particularly in light of the cybersecurity and intelligence
challenges facing the country. And at the outset, I would also
like to recognize the important work of this Committee in
promoting cybersecurity more broadly for our nation's small
business community. You have done some really important work.
In my brief statement I will first just describe the
overall cybersecurity threat landscape, focusing in particular
on the threat from China, and then I will discuss in particular
the risks posed by ZTE as a Chinese-backed enterprise to our
national security.
First, as the Committee is well aware, small businesses are
at the forefront of our ongoing digital revolution, and this is
because small businesses have the agility and flexibility to
create new products and to capitalize on advances in
technology. But with these advances in technology, there has
been a related and really alarming trend in the scope and
impact of cyberattacks. Such attacks now encompass both
disruptive and destructive type of attacks on both our public
and private sector networks as Mr. Linger and Mr. Keiser have
both addressed.
In addition to these types of attacks, disruptive and
destructive, the threat landscape is also marked by massive
data breaches. Most concerning is the use of ransomware. We
have seen an increase in ransomware, especially hitting small
businesses over the past few years, and these have hit
hospitals, educational institutions, and manufacturing
companies.
Beyond these attacks, the threat landscape also includes
the ongoing theft of intellectual property, and again, Mr.
Keiser talked I think quite persuasively about that.
You know, from a broader perspective, it is important to
recognize that as a free society, we remain just vulnerable to
asymmetric attacks, whether that is from terrorist
organizations in the United States or from cyber-enabled
attacks from a range of actors online. Nation-states have long
sought access to the critical systems of other nations for
espionage and we are seeing an expansion from these traditional
activities to a more aggressive, as I said, destructive attacks
from Nation states.
Now, just looking at China in particular, our intelligence
officials have repeatedly singled out China as one of the small
number of nations around the world that pose the greatest
threat to us in cyber. In the worldwide assessment, the
director of National Intelligence said that China will continue
to use cyber espionage and bolster cyberattack capabilities to
support national security priorities. That was just in February
of this year.
And while the overall volume of attacks from Chinese
government actors diminished right after 2015, there was a
bilateral agreement between the United States and China,
recently, nation-state hackers from China appear to have
reorganized and retooled in a way that makes them more stealthy
and actually more effective in their espionage operations, and
recent attacks indicate that China is really optimizing their
plans to continue to obtain very valuable information from both
the government and our private sector.
All right. So turning from China and the cyber threat
landscape to ZTE in particular, in the authoritative report
from 2012 that Mr. Keiser referenced from the House
Intelligence Committee there I think, again, that remains the
touchstone for any review of Huawei and ZTE. The Committee
concluded that based on both classified and unclassified
information, Huawei and ZTE, I quote, ``cannot be trusted to be
free of foreign state influence, and thus pose a security
threat to the United States and to our systems.''
And now more recently, just this past year, intelligence
leaders reaffirmed in testimony to Congress that ZTE poses a
threat to our national security. In February, all of the
intelligence community heads unanimously found or recommended
that we avoid technology products from both ZTE and Huawei. The
FBI director testified that ZTE's access to our networks poses a
challenge because of their capacity, one, to exercise control
over our networks, to steal information, and to conduct
undetected espionage. So all three of those are risks.
And we are not alone. The United Kingdom recently cautioned
against the use of ZTE equipment.
Now, for its part, as we have heard ZTE has proven to be a
particularly bad actor, flouting U.S. export laws and deceiving
regulators, and for that they have been fined and sanctioned.
So I look forward to talking more about that.
I would say in sum that from my perspective the critical
security concern for us is the risk that ZTE and other
Chinese-backed organizations pose to our critical
infrastructure. Given that ZTE has proven to be particularly
untrustworthy, I believe that it poses a clear and significant
risk to our national security.
So I thank you for the opportunity to be here and look
forward to your questions.
Chairman CHABOT. Thank you very much.
And I will recognize myself for 5 minutes to begin the
questioning.
Mr. Keiser, I am going to go to you first. You had talked
about in Michigan, the cell towers going up below the cost of
materials. So where does that end up, that story?
Mr. KEISER. So I think where does it end up? He lost the
bid, the small business owner. So Huawei and ZTE are out in
some of our rural areas. Some of the providers use them. They
are, as Matt knows extraordinarily well, they are thankfully
nowhere near our Five Eyes network, the intelligence sharing
agreement that we have with Australia, New Zealand, the UK. And
so that is where that ended up. But I think the important fact
there was it proved that Huawei and ZTE are not in this for
profit. Unlike any other western company, they are not beholden
to shareholders. This is a strategic plan by the communist
Chinese government to at least have the capability to collect
information around the world, and perhaps more concerning, to
turn off a switch in the event of a potential conflict and
create havoc that we do not even want to think about on this
Committee.
Chairman CHABOT. So just to make one point, the motivation,
the goal of companies like ZTE, Huawei, are different than
those that are say on the New York Stock Exchange or publicly
held who have a profit motive who are competing with each
other; this is more of a national security or something that
they are trying to accomplish that is a goal of the Chinese
government. Is that right?
Mr. KEISER. That is right. I will give you an example. In
the last two weeks, after the United States of America issued a
denial order prohibiting them from purchasing any U.S.
components, which essentially would have put them out of
business, the two biggest Chinese state-owned banks infused $11
billion to keep them afloat. Name a western company that might
have that option.
Chairman CHABOT. Mr. Olsen, let me ask you a question. Do
you believe that ZTE is a threat to America's small businesses?
Is it something that they should be concerned about as well?
And if so, why?
Mr. OLSEN. I absolutely do. I believe that ZTE poses a
threat, you know, more broadly, but also in particular to
America's small businesses. The key I think, as we started to
address is that as a Chinese-backed organization company, it
essentially is in the position to advance the national
interests of China. And we have seen from the broader features
of China and how it has acted in cybersecurity, in the cyber
landscape stealing information from the United States. Because
ZTE is a communications infrastructure company, it would put
ZTE in a position to carry out those interests for China,
whether it is to disrupt our infrastructure or to potentially
steal information. So from that perspective I do think it is a
threat.
Chairman CHABOT. Mr. Linger, you had mentioned a couple of
statistics in your testimony. I think one that you mentioned
that the number of attacks had gone up in recent years pretty
substantially and then the principal bad actor in this was a
Chinese entity of one form or another. And I think third, that
60 percent of small businesses that undergo one of these
cyberattacks are out of business within 6 months according to
your testimony. Could you touch on those, if you want to expand
upon those a little?
Mr. LINGER. I think a bit of a perfect storm is you have
the sophistication of the attacks and the hackers, combined
with this move to digital manufacturing, this move to an
internet of things where now more and more information is on
the systems in the shop. And now those are not protected. That
is now vulnerable. And that is where we are seeing an increase,
even if a company is protecting their front office, if you
will, they may not be protecting all the designs and the models
and the data that is on their machines, and that is what is
happening.
Chairman CHABOT. Thank you.
In the little time I have got left, let me go back to you,
Mr. Olsen. I think, and you referred to this, in April of this
year, the United Kingdom considered products manufactured by
ZTE to be a significant national security risk. In that same
month, the Department of Defense banned sales of ZTE wireless
products on military bases. And I think the Ranking Member
mentioned that.
Considering our own military and the militaries of our
allies that they have determined these products to be at risk,
again, is that of particular concern to somebody, say to small
businesses of this country who do not have the same
sophisticated technology protecting them?
Mr. OLSEN. Yes. Absolutely. I mean, again, the core
national security concern does involve our national security
systems, our military systems, intelligence systems, classified
systems, and those of other allied countries, like the United
Kingdom. But that concern certainly emanates out from those core
intelligent systems to encompass small businesses. Because of
the nature of our networks and how closely they are linked, a
threat even at a small business can pose a national security
threat to the country.
Chairman CHABOT. Thank you very much.
And the Ranking Member is recognized for 5 minutes.
Ms. VELAZQUEZ. Thank you.
Mr. Olsen, we know that companies like ZTE and Huawei,
which have the capacity to maliciously modify or steal
information and conduct undetected espionage, have a large
global presence. How can we protect ourselves from these
companies acting here in the U.S.?
Mr. OLSEN. So I think in the instance of Huawei and ZTE,
what we have seen is we have actually seen government action to
help protect the country. The sanctions regime that is in
existence for protecting our interests in terms of how our
technology is shared around the world, that is part of the
regime that ZTE violated in selling products that contain U.S.
protects to Iran and North Korea. Admittedly, it violated
those.
So the enforcement of those sanctions regimes is one way
that we can protect ourselves. We certainly can protect
ourselves by imposing limitations at a government level,
government agencies, military, our U.S. military as we have
seen purchasing those products because of the risk that they
pose. But I think, you know, I would say two more things. One,
better, and again, Mr. Linger discussed this, the hardening of
our cybersecurity because the threat comes from these companies
but it comes much more broadly than that so that small
businesses need to up their game when it comes to
cybersecurity. And then fourth, again, just the work of this
Committee and Congress in bringing attention to this issue.
Ms. VELAZQUEZ. But is it not a really bad proposition when
we are taking all these steps but at the same time the
administration is sending a different message? So we are
warning them that we are watching, but on the other hand, we
are saying we are going to do everything we can to help them?
Mr. OLSEN. Yes. I would tend to align my views with those
recently expressed by Senator Warner and Senator Rubio in a
bipartisan expression of their view about where we should be
with respect to ZTE and the imposition of sanctions. And I do
think that ZTE in particular has proven itself to be not
trustworthy both in the sanctions violations, but also directly
in their statements which turned out to be false to the U.S.
government during those negotiations in the settlement.
Ms. VELAZQUEZ. Thank you.
Mr. Linger, as you discussed in your testimony, small
business manufacturers have made the shift to utilizing smart
machines that store data. Yet, this adds another layer of risk
for businesses, especially when the machines use components
made by companies like ZTE. Can you describe how this backdoor
access can be used nefariously and what steps small
manufacturers can take to protect themselves?
Mr. LINGER. That is a great question. I think certainly, as
companies, manufacturers and small manufacturers, for them to
compete nationally and internationally, they have got to up
their game in terms of the digital manufacturing. They have got
to be connected. They have to gain all the efficiencies that
are available when all the machines are connected and talking
to one another and real time data is being used to drive that
production site. That is what is driving this use of
information real time on the plant floor. That is your point
and now you are exposed. Right?
Ms. VELAZQUEZ. Right.
Mr. LINGER. So you have to connect all the data, and
protect at the same time. And so, so much of it is awareness
and understanding that that data is there and it is vulnerable.
And to put technology and action in place to protect it.
Ms. VELAZQUEZ. Thank you.
Mr. Keiser, in your testimony you brought up the concern
that Chinese-backed companies can undercut independent
American-owned small companies. What is at risk when small
businesses are competing with government-based competition?
Mr. KEISER. Right. Good question. I think it is impossible
for them to do. Right? You have this massive theft of
intellectual property. You also have forced technology transfer
that the Chinese participate in. All of this undermines U.S.
companies' ability to innovate, create jobs, come up with the
next fancy gizmo we might be carrying in our pockets, and that
just makes it harder for them to pull that off.
Ms. VELAZQUEZ. Thank you.
Mr. Olsen, you noted that ZTE reportedly has about 75,000
employees and operates in more than 160 countries. What does
ZTE's operation look like in the U.S., and how many of those
7,000 employees are in the United States?
Mr. OLSEN. So I know from reports that ZTE has focused its
cellphone sales in developing countries primarily, so outside
the United States. But it does have a substantial presence here
and that is partly the concern. I do not have a specific number
on the employees.
Ms. VELAZQUEZ. Thank you. I yield back.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from Iowa, Mr. Blum, who is the Chairman of
the Subcommittee on Agriculture, Energy and Trade is recognized
for 5 minutes.
Mr. BLUM. Thank you, Chairman Chabot. Thank you for our
witnesses for being here today.
And Mr. Chairman, I have noticed lately we have had a lot
of witnesses from Cincinnati, Ohio. Is that a coincidence?
Chairman CHABOT. They are just the best witnesses, do you
know what I mean? We love all our witnesses from all over the
country.
Mr. BLUM. I would like to talk for a few minutes about the
cloud. I know increasingly small businesses are moving to the
cloud. The president of my small business just informed me a
couple weeks ago that we are going to the cloud. And the
Department of Defense, I believe, is going to the cloud. Is
cloud-based computing more secure or less secure, particularly
for small businesses? It is kind of a nebulous thing and I am
really curious to what your answers are on this. So anyone, or
all that want to take a shot at this, please go ahead.
Mr. KEISER. So good question. I worry a bit about the
cloud. I worry about having a consolidation of information that
the right set of keys can get into. I think OPM comes to mind,
a massive breach. I worry about the Pentagon coming up with one
giant cloud to house all of its unclassified information. I am
actually skeptical they will be able to pull that off,
actually. Most Fortune 500 companies have an average of eight
clouds. So you might have a Microsoft cloud running your
Outlook and your Office applications. You might have----
Mr. BLUM. Is that due to security concerns?
Mr. KEISER. It is due to functionality, typically,
actually. So I worry a little bit about that but curious if
Matt has a different view.
Mr. OLSEN. I share your concerns there. I work at a
technology firm and one of the engineers in my company has a
sign above his computer. It says, "There is no such thing as
the cloud. It is just someone else's computer."
Mr. BLUM. That is great. That is great. Yeah.
Mr. OLSEN. To sort of make the point that it really
depends. And this security in the cloud is only as safe as the
cloud-based security. Now, there are some efficiencies that can
be gained from a security perspective where the data is
together, and if you are in a very secure cloud environment
that can be more secure than having information spread out on a
number of insecure nodes or laptops or computers; right? So
there are some potential advantages. Certainly, there are other
functionality advantages to having applications run in the
cloud that companies are increasingly taking advantage of.
So the last thing I would just say is security in the cloud
is a critical issue because, as you point out, sir, this is a
trend that is going to continue, that we are going to continue
to see migration to the cloud. The government is doing it. The
private sector is doing it.
Mr. BLUM. How secure is the cloud? How secure is it?
Mr. OLSEN. Again, some companies are very secure. The major
companies that----
Mr. BLUM. But some are not?
Mr. OLSEN.--yeah, that have moved directly into the cloud I
think are secure. The government itself is working with Amazon,
for example, in the intelligence community. So they have
managed to, obviously, make that secure enough to work for the
intelligence community.
Mr. BLUM. But a small company going to a cloud provider
could be opening themselves up if that provider cuts corners,
particularly on security; correct?
Mr. OLSEN. I think that is right. I think that is why it is
just so important to be vigilant regardless of where you keep
your data and your applications.
Mr. BLUM. Mr. Linger?
Mr. LINGER. I would say that in so many cases for a small
manufacturer, they are better off in the cloud. The security
measures there are immensely better than what they have on
their one server in their back room of their shop. Now,
obviously, if they are doing the things right, maybe you would
not say that, but I would say 80 percent of the companies that
I see are so insecure in how they handle their data on their
plant floor that the cloud is safer. And that may change over
time.
Mr. BLUM. Thank you for that.
This is a very simple question. Should ZTE be banned from
doing business in the United States? Let's not worry about what
the administration is doing. What is your opinion?
Mr. KEISER. So, I mean, I think clearly, from doing
business in the United States? Unequivocally yes. Whether they
should be completely put out of business around the world is
another question. To be fair though, the steps taken in the
last couple years are far more significant than we had seen in
the previous three administrations I would say.
Mr. BLUM. Mr. Olsen?
Mr. OLSEN. Yes. I mean, I think I agree with the position
that the government took when it prohibited U.S. technology
companies from selling their companies to ZTE. That was part of
the sanctions regime. And I think that there certainly should
be--I would take seriously the advice of the intelligence
community saying that people should not use ZTE products.
Mr. BLUM. Mr. Linger?
Mr. LINGER. Yeah. It comes down to the actual devices
themselves and where is the device, where is it placed, and
what can it do? Understanding at that technical level.
Mr. BLUM. Thank you for your insights. I yield back, Mr.
Chairman.
Chairman CHABOT. Thank you. The gentleman yields back.
The gentleman from Pennsylvania, Mr. Evans, who is the
Ranking Member of the Subcommittee on Economic Growth, Tax, and
Capital Access is recognized for 5 minutes.
Mr. EVANS. Thank you, Mr. Chairman.
I am going to ask these questions and I would like for the
whole panel to respond to them.
Are there lessons from counterintelligence and
counterterrorism that we can apply in our fight against cyber
threats? Although today's hearing is focused on a Chinese
company, it is critical that we do not turn a blind eye to
other potential hackers from abroad. Are there other countries
we should be paying attention to?
Mr. OLSEN. I can start if that is all right.
First, on your first question, Mr. Evans, there certainly
are lessons we can learn from the counterterrorism fight from
the last 16 years where we have learned--that we can apply to
cybersecurity. And I will just list them quickly. One, is it a
team effort? We need to work together. The government needs to
work in cooperative fashion across the government, but in
particular, the government and the private sector need to work
very closely together because 98 percent of the nation's
critical infrastructure are in the hands of the private sector,
which is the primary target for cyberattacks. It is a team
effort.
Two, we need to build up a cadre of cyber expertise. We did
that in counterterrorism. I worked with them at the National
Counterterrorism Center, a lot of experts. We need to do the
same thing in cyber. We have a dearth of cybersecurity
expertise in this country that needs to be filled.
And third, we need to harden our defenses. Again, we did
that with respect to terrorism. We put a lot of money and
resources into hardening our defenses. We need to do the same
thing in cybersecurity. So those are the lessons I think we can
learn.
In terms of other countries that pose a significant threat,
I think typically I would consider four significant countries
that pose a threat. They include certainly China, but also
Russia, Iran, and North Korea.
Mr. LINGER. I will chime in. Clearly, plenty of bad actors.
The key is to go ahead and get your defenses in place. And for
small companies, a lot of low-hanging fruit for them to get up
to a 90 percent level of protection versus being in the
twenties or zero percent. Therefore, with regard to who the bad
actor is, you are going to be protected. So that is the first
step.
Mr. KEISER. It is a great point, Congressman. So certainly,
the Chinese are most aggressive in particularly theft of
intellectual property here in the U.S., but others have
launched very devastating attacks. I mean, the North Koreans
almost took Sony off the map. Some experts believe if they were
a U.S.-based company, they would not exist anymore after that
attack. It was so devastating. The Iranians, of course, went
after our financial system in New York in a meaningful way, so
plenty of bad folks to keep an eye on.
Mr. EVANS. In terms of lessons would you say to the
question I asked, applying fighting, any lessons?
Mr. KEISER. Well, it is important to understand the
infrastructure of the internet, I think, to understand the
threat. The internet was not built for security. The internet
was built for ease of communication. So there is a fundamental
flaw that Matt and his colleagues, certainly his old colleagues
at the NSA, grapple with every day which is exactly that. So
obviously, hardening the systems. A general awareness. I mean,
the majority of the attacks still are very low level, simple
phishing attacks or other things that could be prevented with a
little cyber hygiene we call it in the business. So really the
whole country rallying around those sort of simple tasks would
have a meaningful impact.
Mr. EVANS. Thank you, Mr. Chairman. I yield back the
balance of my time.
Chairman CHABOT. Thank you. The gentleman yields back.
The gentlelady from American Samoa, Mrs. Radewagen, who is
the Chairman of the Subcommittee on Health and Technology is
recognized for 5 minutes.
Mrs. RADEWAGEN. Talofa. Good morning.
I want to thank Chairman Chabot and Ranking Member
Velazquez for holding this very important hearing. And thank
all of you for testifying.
Though this hearing is about the threat of ZTE to America's
small businesses, make no mistake. It is not just ZTE extending
their tentacles around the world as Mr. Keiser said, this is
about the tactics that the Chinese state is using to subvert
democracy abroad.
My own home district of American Samoa is just next door
to, or 40 miles from independent Samoa. The Chinese state has
heavily invested there, so much so that they are building a
port where vessels of the People's Liberation Army and Navy can
make call. As Chairman of the Subcommittee on Health and
Technology, I take this threat seriously.
Gentlemen, what actions can we take to protect small
businesses from unfair competitive practices of Chinese firms?
Mr. OLSEN. I suspect that we all have some thoughts about
that. So thank you for that question.
I do think, as you pointed out at the outset of your
comments that we do see that China has become increasingly
aggressive in the region, and particularly in the South China
Sea. And we have also, I would say, from a cyber perspective,
that cyber has become a vector of attack that China uses or
could use to advance its national interest. What we have seen
historically from China as Mr. Keiser pointed out is using
cyberattacks or cyber espionage as a way to gain competitive
advantage. That is to steal information, intellectual property
from American companies.
In answer to your question directly, I would say that there
are, and again, Mr. Linger talked about this, but there are so
many things that small businesses can do that we would put in
the category of low-hanging fruit, that is, hardening their
capacity to withstand a cyberattack by improving their
defenses. And then relatedly, to improve their resilience. That
is, to be in a position to better respond because to a certain
degree, cyberattacks are inevitable. So how a company responds,
how quickly it responds, how it responds from a strategic
communication standpoint, those often have a lot to do with how
effective they are in withstanding a cyberattack.
Mrs. RADEWAGEN. Mr. Keiser?
Mr. KEISER. Sure. Thank you for the question.
So Matt got into the details on the defensive side. A
couple important things have happened in recent years. Under
the Obama administration, they first issued indictments of
Chinese PLA officers, People's Liberation Army officers who were
involved in the actual theft of American intellectual property
which sent, of course, you are never going to get them in a
U.S. court, but it sent a pretty important signal that we are
not just going to sit back and tolerate that.
Other actions have identified some of these actors,
including a private sector report called a Mandiant Report,
which I would commend to everyone's reading that specifically
named the PLA offices in China, where they were, what they were
doing in this aggressive activity. It got folks' attention.
Actually, took them off the map for a handful of months. They,
of course, rebranded and went back to their old ways. But
nonetheless, actions like that, I think, are important. I think
this ZTE action is very significant. I mean, you took a top
five telecommunications company in the world off the map. Now
we might throw them a lifeline here, but Congress I think is
going to have the last say on that. I think some of us up here
are hoping anyway.
Mr. LINGER. Yes. Thank you for the question. I think Mr.
Olsen hit the nail on the head. It is in the planning. Doing
your planning for cyberattack just as though you are planning
your company's budget for the year or your annual strategic
planning. It is something you just have to do. Be diligent on
it. Having a plan in place so that if an attack occurs you know
how to respond to it.
Mrs. RADEWAGEN. Thank you, Mr. Chairman. I yield back.
Chairman CHABOT. Thank you very much. The gentlelady yields
back. The gentlelady from North Carolina, Ms. Adams, who is the
Ranking Member of the Subcommittee on Investigations,
Oversight, and Regulations is recognized for 5 minutes.
Mrs. ADAMS. Thank you, Mr. Chairman. Thank you, Madam
Ranking Member.
If I could just take a moment and introduce three students
who are interning, Jemia Booker, North Carolina. All from
Carolina, let me say. Jemia is from JCSU in my district.
Jasmine Caruthers, South Carolina, CBC intern. And Tony
Watlington from North Carolina A&T where I went to school.
But let me thank all of you for your testimony. This is a
very interesting discussion. The back and forth between
President Trump and China on tariffs has been incredibly
concerning for my state of North Carolina. Many of the products
targeted by China's retaliatory tariffs are major exports from
my state. A large part of Trump's stated reasoning for
initiating this potential trade war with China was the
intellectual property policies, but a deal on ZTE now seems to
be a key part of these negotiations. Are these tariff
negotiations and the deal on ZTE announced by the Commerce
Department sufficiently effective in protecting American
companies from the cyber threats posed by ZTE and other Chinese
companies? This question is for Mr. Olsen.
Mr. OLSEN. I do think that when we talk about the cyber
threats from China, a multi-pronged approach is the right one.
So we have talked about many of the features of such an
approach which include obviously the hardening of our defenses,
you know, improving our cybersecurity across the board. A key
part of that, and Congress can play a role here is in promoting
information sharing between companies, among companies in a
sector, as well as between the government and private industry.
And Congress has played a critical role in promoting such
information sharing. So that is one piece of it.
I do think that taking a strong stand against China,
whether that is through, for example, what Mr. Keiser talked
about, the prosecution of Chinese government hackers. That did
seem to have an impact. That was an aggressive step by the
Department of Justice, and I think that was the right thing to
do. I think we should demand that where we see that type of
activity by China, that the criminal justice system is quite
effective or can be quite effective in sending a deterrent
message.
But I think when you talk specifically about ZTE or Huawei,
that the steps that the Commerce Department took both in
sanctioning ZTE and also in imposing additional fines for being
deceptive, that is exactly the right thing to do. And as a
former prosecutor, I speak I think with some degree of
understanding how important it is when a company during the
course of negotiations is deceptive and lies to the government,
then you cannot allow that to go forward.
Ms. ADAMS. Thank you.
You know, one of the challenges for small businesses in the
space is the cost of implementing a cybersecurity plan.
Unfortunately, we know that minority-owned small businesses are
more likely to face obstacles like difficulty accessing
capital. How can Congress ensure that we are inclusive of
minority-owned and disadvantaged small businesses and any
policies that we implement to encourage small businesses to
invest in cyber security?
Mr. Olsen?
Mr. OLSEN. You know, investment in cybersecurity is a
challenge across the board. I think Mr. Linger talked about how
it needs to be part of the risk management and strategic plan
for every company. And it is very hard in particular for small
companies who have so many demands on their limited resources
to take the steps necessary to invest in security, particularly
cybersecurity, because the risk is not well understood and the
really sobering fact is that even our biggest and strongest
companies are really no match for a nation state. A determined
nation state. So I think that the challenge is one that
companies face across the board.
Ms. ADAMS. Thank you.
Mr. Linger, let me quickly ask you about common mistakes
that small businesses make in their approach to cybersecurity
and how they can be avoided.
You have got about 36 seconds.
Mr. LINGER. Sure. Thank you. It is just doing the basics.
Just having a strong password policy across the company.
Protecting their servers. Some of these companies, they are
small and they really need to put up about $50,000 down on
hardware and software and continuous monitoring of their
systems to be protected. They have got to try to plan for this.
But that is the issue. Some of it can be done internally with
policy, but a lot of it does require some technology and
monitoring.
Ms. ADAMS. Thank you very much.
Mr. Chair, I yield back.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from Utah, Mr. Curtis, is recognized for 5
minutes.
Mr. CURTIS. Thank you, Mr. Chairman and Ranking Member.
This is a really important hearing, and I am grateful that you
have put this together, and I appreciate our witnesses that
have come to be part of this.
Over the last several years, and particularly the last few
months, we have witnessed foreign actors taking steps to
infiltrate America's infrastructure and weaken our national
security. Utah, where I am from, is a great state of innovation
and nationally recognized for our tech community. And it has
been instrumental in the great economic development the tech
community has in our state. However, with all these impressive
innovations comes risks.
More than ever before, criminals are targeting our computer
networks and technology infrastructure, instilling proprietary
information. In fact, Utah state government's own network sees
an average of 5 million attacks every month. Small businesses
are not immune from cyberattacks, and as we have heard here
today, are actually more likely to be targeted because they
lack the resources.
As a former small business owner, I understand that many
small businesses do not have an IT department. Mr. Linger, I
hear you say $50,000, and that is just insurmountable for many
small businesses. As a matter of fact, usually the owner or the
family members take that IT hat and try to deal with this
problem. Because of this, I am proud to cosponsor and be a
supporter of the Chairman's Small Business Cybersecurity
Enhancement bill that will give small businesses better access
to defense measures to defend against cyberattacks.
So my question for the three of you is what is the very
most important thing that we can be doing to help these small
businesses here in Congress, protect them from the bad actors,
like ZTE and others?
Mr. Linger, let's start with you.
Mr. LINGER. Any support that you can provide for those
small businesses, it is so critical. I mean, it is a
significant investment that they do not have. And to your
point, oftentimes, their IT department is the owner's son who
is in high school; right? You see that again and again. Yes. So
any measure that can flow down to help them with those systems
is imperative.
Mr. KEISER. A couple things that have not been mentioned
Mr. Olsen touched on. Information sharing. So Congress did pass
a law a couple of years ago to encourage classified threat
information to be shared mainly with the ISPs, the internet
service providers, that would essentially patch known
vulnerabilities so the small business owners would be the
beneficiary of that but, of course, might never see it because
it would happen upstream. So that is one.
Another important one that Congresswoman Adams mentioned is
the educational component. So training the next generation of
sort of cyber warriors. And they do not always need a 4 or
8-year computer science degree but maybe a 2-year degree in just
understanding the basic blocking and tackling of cybersecurity
is another area I think that Congress could look at.
Mr. CURTIS. Thank you.
Mr. OLSEN. And I do think picking up on that last point
that the Committee has been active in promoting education and
training for cybersecurity for small businesses, I think that
is critical. That is one.
I think two is the promotion and development of standards
so that companies have a sense of what right looks like in this
space. What does it look like? What is achievable? And doing so
with a particular sensitivity and eye toward the challenges
that small businesses face as opposed to Fortune 100 companies.
And then third, moving more broadly, I do think that there
is an opportunity in the market for cybersecurity companies to
help smaller companies pool together so that they are not in
this alone. So what cybersecurity is today is largely you are
on your own. Every company is doing this by themselves. The
ability of companies to work together to share information,
threat information without fear of liability or spilling
proprietary information, there is a movement afoot to do that,
and the more companies can pool their resources and work
together in a common defense, the more effective they will be.
Mr. CURTIS. So it is interesting. As you were all three
talking I was thinking to myself, is there a role for a chamber
of commerce or somebody like that who historically has worked
together with health plans and things like that. Are you seeing
that take shape? And is there any way that we could nudge that
forward that you can all think of?
Mr. KEISER. So every major industry has something called an
ISAC, information security sharing, that does exactly that. So
probably the furthest along would be the financial services
sector given the type of information they hold and the value.
But every sector is coming up with these ISACs. So you even
have a health ISAC. You have energy. And others are coming
online. I think the more, the better. As Matt said, it is a
huge ecosystem and you have to patch all of it at the same time
to have complete security that we likely will never be able to
achieve.
Mr. CURTIS. Thank you. I would love to hear more. I am
afraid I am out of time. And so thanks once again for coming
and holding this hearing. And I yield my time.
Chairman CHABOT. Thank you very much. The gentleman yields
back. The gentleman from Florida, Mr. Lawson, who is the
Ranking Member on the Subcommittee on Health and Technology is
recognized for 5 minutes.
Mr. LAWSON. Thank you very much, Mr. Chairman. And welcome
to the Committee.
I was just listening to most of your testimony and I was
wondering if there was any question I could ask you. And the
reason being is that I see small business kind of like three
levels. I was a small business owner myself. One from up to
100,000, one to a quarter of a million, and the ones to a
million. So you leave a wide gap in there. There is a wide gap
in there among these businesses. And I was just trying to think
from your standpoint hearing the testimony this morning, I
guess it is after noon now, and the question may be more
appropriate for the Justice Department. But what modification
at the Federal level can be made to protect a cyber system from
hacking from companies like ZTE? You know, and maybe you might
want to comment on that because, you know, at some of the
levels I dealt with, they do not know anything about
cybersecurity. All they know is something happened to them, you
know, so what can the Federal government do?
Mr. OLSEN. It is a great question because, you know, much
of the risk is borne by the private sector at the local level,
small companies that are really being hit on a daily basis with
relatively small scale cyberattacks. Whether it is a
ransomware, someone who locks up your data, stealing of data.
So these can be devastating but they do not rise to the level
of a national security threat perhaps or at least in the
isolated incident.
But there is a critical role for the Federal government to
play on a number of levels. One, as we are talking about today,
when we identify a bad actor like ZTE, to use the tools that
the Federal government has, whether those are the tools of
prosecution, regulatory, sanction-related tools, like the
Commerce Department and the State Department have, you know, to
use those tools and to use them directly when we have a bad
actor that we have identified, and that is really the case with
ZTE. But from a policy level more broadly, both Mr. Keiser and
I have spoken about Congress's enactment of the Cyber
Information Sharing Act of 2015. What that act did was to
really address some of the concerns that companies had about
liability perhaps or anti-trust concerns about sharing cyber
threat information and it eliminated those. So it addressed
those and took those away. And that, as I have talked a little
bit about, you know, the ability of especially large companies
to get together and to act in a common defense, just like a
neighborhood watch, for example, because what these actors do,
bad actors are doing is they are going down the line. They do
not really care which company they hit. They will just knock on
the door until they get in. And so if you are only acting by
yourself, you know, you are vulnerable. But if companies share
information, if they see something they can share that quickly
in a way that can protect them, then they are going to be much
better protected, and Congress can play a real important role
from a policy perspective in encouraging that.
Mr. LAWSON. Mr. Keiser?
Mr. KEISER. One thing to think about, I think there are, as
you mentioned, the different size companies is an important
point. You have some small firms that are huge targets for
espionage, particularly law firms, tax firms, that might be
small and fit those small categories you mentioned, but hold
awfully important information. I mean, we have seen cases of
the Chinese getting into a law firm, stealing their information
because they were active in a bid or in a merger and
acquisition and they wanted that information to use to undercut
the bid. So you see different aspects of that.
There is a line though in cybersecurity that goes something
like this. There are companies that have been hacked by the
Chinese and know it, and then there are companies that have
been hacked by the Chinese and do not know it.
Mr. LAWSON. Wow.
Mr. LINGER. Yeah, I will just reiterate. It is that supply
chain. So those larger companies are going to have more in
terms of protection, but they are going to find the weakest
links. Somewhere down the supply chain there is going to be a
small manufacturer that makes a critical component that they
are very good at producing and those are the ones that are
going to be targeted. So sharing that information across that
board, supporting those larger companies that give those best
practices down to the smaller companies is a way to help make
the entire supply chain safe and secure.
Mr. LAWSON. Okay. And I do not have much time but Mr.
Olsen, since you have been a prosecutor, are we hacking
anybody? I mean, if you do not want to answer I can understand.
Mr. OLSEN. We are not like the Chinese.
Mr. LAWSON. That might have been an unfair question.
With that, Mr. Chairman, I need to yield back.
Chairman CHABOT. Thank you very much. The gentleman yields
back.
I think that concludes on both sides. We want to thank our
very distinguished panel for being here today. As you know,
this Committee is responsible for doing everything it possibly
can to help small businesses and to protect them, and they
continue to be targets for cyberattacks. And the Ranking Member
and I have worked on legislation on this to help to protect.
For example, it has the SBICs using best practices out there to
educate the small business communities, what they can do to
protect themselves. But it is still a dangerous world out
there. And as you all mentioned, you have got North Korea, you
have got Iran, Russia, and especially China constantly. The
gentleman from Utah mentioned 5,000 attacks in his state in one
month. So it is incredible what they have to put up with.
So thank you for helping us, and especially drawing
attention to ZTE and Huawei and what they have been doing and
how our country needs to do everything possible to protect
ourselves from them in particular.
And then finally, I just would note, you mentioned Sony and
the attack on them. If my recollection serves me I think was
that not in response to a movie? It was, I think, The
Interview, Seth Rogen and James Franco? I felt it was my
patriotic duty to see the movie, which I did, if for no other
reason than to annoy Kim Jong-un. So, but we do appreciate you
mentioning that, and I am certainly glad they did survive that
because it was a serious attack.
So again, we want to thank you all very much for what you
have done to help this Committee to help America's small
businesses.
And I would ask unanimous consent that members may have 5
legislative days to submit statements and supporting materials
for the record.
Without objection, so ordered.
If there is no further business to come before the
Committee, we are adjourned. Thank you.
[Whereupon, at 12:11 p.m., the Committee was adjourned.]
[Mr. David Linger's Responses to Questions were not
submitted in a timely manner.]
A P P E N D I X
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]