b'<html>\n<title> - TELECOMMUNICATIONS, GLOBAL COMPETITIVENESS, AND NATIONAL SECURITY</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n   TELECOMMUNICATIONS, GLOBAL COMPETITIVENESS, AND NATIONAL SECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                    SUBCOMMITTEE ON COMMUNICATIONS AND \n                                TECHNOLOGY\n\n                                 OF THE\n\n                           COMMITTEE ON ENERGY AND \n                                 COMMERCE\n                           HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 16, 2018\n\n                               __________\n\n                           Serial No. 115-128\n                           \n                           \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                           \n\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n                        \n                        \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n32-796 PDF                  WASHINGTON : 2018                     \n          \n-----------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3552455a75564046415d5059451b565a581b">[email&#160;protected]</a> \n                       \n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          GREG WALDEN, Oregon\n                                 Chairman\n\nJOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey\n  Vice Chairman                        Ranking Member\nFRED UPTON, Michigan                 BOBBY L. RUSH, Illinois\nJOHN SHIMKUS, Illinois               ANNA G. ESHOO, California\nMICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York\nMARSHA BLACKBURN, Tennessee          GENE GREEN, Texas\nSTEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado\nROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania\nCATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois\nGREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina\nLEONARD LANCE, New Jersey            DORIS O. MATSUI, California\nBRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida\nPETE OLSON, Texas                    JOHN P. SARBANES, Maryland\nDAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California\nADAM KINZINGER, Illinois             PETER WELCH, Vermont\nH. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico\nGUS M. BILIRAKIS, Florida            PAUL TONKO, New York\nBILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York\nBILLY LONG, Missouri                 DAVID LOEBSACK, Iowa\nLARRY BUCSHON, Indiana               KURT SCHRADER, Oregon\nBILL FLORES, Texas                   JOSEPH P. KENNEDY, III, \nSUSAN W. BROOKS, Indiana             Massachusetts\nMARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California\nRICHARD HUDSON, North Carolina       RAUL RUIZ, California\nCHRIS COLLINS, New York              SCOTT H. PETERS, California\nKEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan\nTIM WALBERG, Michigan\nMIMI WALTERS, California\nRYAN A. COSTELLO, Pennsylvania\nEARL L. ``BUDDY\'\' CARTER, Georgia\nJEFF DUNCAN, South Carolina\n\n                                 ______\n\n             Subcommittee on Communications and Technology\n\n                      MARSHA BLACKBURN, Tennessee\n                                 Chairman\nLEONARD LANCE, New Jersey            MICHAEL F. DOYLE, Pennsylvania\n  Vice Chairman                        Ranking Member\nJOHN SHIMKUS, Illinois               PETER WELCH, Vermont\nSTEVE SCALISE, Louisiana             YVETTE D. CLARKE, New York\nROBERT E. LATTA, Ohio                DAVID LOEBSACK, Iowa\nBRETT GUTHRIE, Kentucky              RAUL RUIZ, California\nPETE OLSON, Texas                    DEBBIE DINGELL, Michigan\nADAM KINZINGER, Illinois             BOBBY L. RUSH, Illinois\nGUS M. BILIRAKIS, Florida            ANNA G. ESHOO, California\nBILL JOHNSON, Ohio                   ELIOT L. ENGEL, New York\nBILLY LONG, Missouri                 G.K. BUTTERFIELD, North Carolina\nBILL FLORES, Texas                   DORIS O. MATSUI, California\nSUSAN W. BROOKS, Tennessee           JERRY McNERNEY, California\nCHRIS COLLINS, New York              FRANK PALLONE, Jr., New Jersey (ex \nKEVIN CRAMER, North Dakota               officio)\nMIMI WALTERS, California\nRYAN A. COSTELLO, Pennsylvania\nGREG WALDEN, Oregon (ex officio)\n\n                                  (ii)\n                             \n                             \n                             C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHon. Marsha Blackburn, a Representative in Congress from the \n  State of Tennessee, opening statement..........................     1\n    Prepared statement...........................................     3\nHon. Leonard Lance, a Representative in Congress from the State \n  of New Jersey, opening statement...............................     3\n    Prepared statement...........................................     4\nHon. Yvette D. Clarke, a Representative in Congress from the \n  State of New York, opening statement...........................     4\nHon. Greg Walden, a Representative in Congress from the State of \n  Oregon, opening statement......................................     5\n    Prepared statement...........................................     7\nHon. Frank Pallone, Jr., a Representative in Congress from the \n  State of New Jersey, opening statement.........................     8\n    Prepared statement...........................................     9\nHon. Anna G. Eshoo, a Representative in Congress from the State \n  of California, prepared statement..............................    62\n\n                               Witnesses\n\nCharles Clancy, Professor of Electrical and Computer Engineering \n  and Director, Hume Center for National Security and Technology, \n  Virginia Tech..................................................    11\n    Prepared statement...........................................    13\n    Answers to submitted questions...............................   105\nSamm Sacks, Senior Fellow, Technology Policy Program, Center for \n  Strategic and International Studies............................    16\n    Prepared statement...........................................    18\n    Answers to submitted questions...............................   111\nClete D. Johnson, Partner, Wilkinson Barker Knauer, LLP..........    29\n    Prepared statement...........................................    31\n    Answers to submitted questions...............................   116\n\n                           Submitted Material\n\nLetter of May 16, 2018, from Nicholas J. Pisciotta, Chief \n  Executive Officer, Sicuro Innovations LLC, to Mrs. Blackburn \n  and Mr. Doyle, submitted by Mrs. Blackburn.....................    63\nLetter of May 16, 2018, from Michael O\'Rielly, Commissioner, \n  Federal Communications Commission, to Mrs. Blackburn and Mr. \n  Doyle, submitted by Mrs. Blackburn.............................    65\nReport on behalf of the U.S.-China Economic and Security Review \n  Commission, ``Supply Chain Vulnerabilities from China in U.S. \n  Federal Information and Communications Technology,\'\' April \n  2018, \\1\\ submitted by Mrs. Blackburn\nArticle, ``A U.S. Investment Strategy for Defense,\'\' by Andrew P. \n  Hunger, CSIS, submitted by Mrs. Blackburn......................    68\nArticle, ``Beijing\'s Cyber Governance System,\'\' by Samm Sacks, \n  CSIS, submitted by Mrs. Blackburn, submitted by Mrs. Blackburn.    74\nArticle of March 27, 2018, ``In U.S. Brawl With Huawei, Rural \n  Cable Firms Are an Unlikely Loser,\'\' by Drew FitzGerald and Stu \n  Woo, The Wall Street Journal, submitted by Mrs. Blackburn......    82\n\n----------\n\\1\\ The information has been retained in committee files and also \n  is available at  https://docs.house.gov/Committee/Calendar/\n  ByEvent.aspx?EventID=108301.\nArticle of January 8, 2018, ``Huawei, Seen as Possible Spy \n  Threat, Boomed Despite U.S. Warnings,\'\' by Stu Woo, Dan \n  Strumpf, and Betsy Morris, The Wall Street Journal, submitted \n  by Mrs. Blackburn..............................................    84\nOrder issued April 15, 2018, by Richard R. Majauskas, Acting \n  Assistant Secretary of Commerce for Export Enforcement, \n  submitted by Mrs. Blackburn....................................    89\nArticle of January 12, 2018, ``US Army base removes Chinese-made \n  surveillance cameras,\'\' by Max Greenwood, The Hill, submitted \n  by Mr. Long....................................................   103\n\n \n   TELECOMMUNICATIONS, GLOBAL COMPETITIVENESS, AND NATIONAL SECURITY\n\n                              ----------                              \n\n\n                        WEDNESDAY, MAY 16, 2018\n\n                  House of Representatives,\n     Subcommittee on Communications and Technology,\n                          Committee on Energy and Commerce,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to notice, at 10:00 a.m., in \nroom 2123, Rayburn House Office Building, Hon. Marsha Blackburn \n(chairman of the subcommittee) presiding.\n    Members present: Representatives Blackburn, Lance, Shimkus, \nLatta, Guthrie, Kinzinger, Bilirakis, Johnson, Long, Flores, \nBrooks, Collins, Walters, Costello, Walden (ex officio), Welch, \nClarke, Loebsack, Ruiz, Dingell, Eshoo, Butterfield, Matsui, \nand Pallone (ex officio).\n    Also present: Representative Walberg.\n    Staff present: Jon Adame, Policy Coordinator, \nCommunications and Technology; Samantha Bopp, Staff Assistant; \nDaniel Butler, Staff Assistant; Kristine Fargotstein, Detailee, \nCommunications and Technology; Sean Farrell, Professional Staff \nMember, Communications and Technology; Margaret Tucker Fogarty, \nStaff Assistant; Adam Fromm, Director of Outreach and \nCoalitions; Elena Hernandez, Press Secretary; Tim Kurth, Deputy \nChief Counsel, Communications and Technology; Lauren McCarty, \nCounsel, Communications and Technology; Austin Stonebraker, \nPress Assistant; Evan Viau, Legislative Clerk, Communications \nand Technology; Everett Winnick, Director of Information \nTechnology; Jeff Carroll, Minority Staff Director; Jennifer \nEpperson, Minority FCC Detailee; David Goldman, Minority Chief \nCounsel, Communications and Technology; Tiffany Guarascio, \nMinority Deputy Staff Director and Chief Health Advisor; Jerry \nLeverich III, Minority Counsel; Dan Miller, Minority Policy \nAnalyst; Andrew Souvall, Minority Director of Communications, \nMember Services, and Outreach; and C.J. Young, Minority Press \nSecretary.\n    Mrs. Blackburn. The Subcommittee on Communications and \nTechnology will now come to order. And I recognize myself 5 \nminutes for an opening statement.\n\nOPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF TENNESSEE\n\n    I want to welcome each of you to today\'s hearing. It is \nentitled ``Telecommunications, Global Competitiveness, and \nNational Security.\'\'\n    Our country\'s information technology sector is one of the \nbest economic growth engines the world has ever seen. It allows \npeople to communicate, be entrepreneurs, pursue educational \nopportunities. It fosters a greater efficiency across every \nsingle sector of the economy.\n    As I have said before, information is power, and history \nmakes clear that countries with the best communications have \nthe best advantage. Moreover, our Nation\'s defense, the men and \nwomen in uniform who serve our Nation depend on communications. \nU.S. military superiority is built upon intelligence, \nsurveillance, and reconnaissance, and the communication of this \ninformation to outmaneuver potential adversaries.\n    The purpose of today\'s hearing is to understand the nexus \nbetween telecommunications and national security in the global \ncontext. These are issues the subcommittee and the Energy and \nCommerce Committee more generally understand well.\n    In 2013, I authored a bill, H.R. 1468, SECURE IT, to \npromote greater voluntary sharing of cyber threats between the \nGovernment and the private sector, as well as among private \nsector companies. I was pleased that many of the provisions I \nauthored were signed into law in 2015. Additionally, the \nNational Institute of Standards and Technology, or NIST as we \nterm it, has taken great strides to collaborate with the \nprivate sector on developing a voluntary framework of \ncybersecurity best practices.\n    Last month, NIST published the latest version of its \nframework to be even more informative and useful to a broader \narray of stakeholders. In today\'s world where information \nliterally travels at the speed of light and new innovations are \nbrought to market at a dizzying pace, it is critically \nimportant to leverage robust information sharing about threats \nand vulnerabilities. This should include greater information \nsharing about the supply chain of hardware and software that \nmake up our communications networks.\n    When it comes to the supply chain, we must think about it \nover the long term. We are fully aware of the issues that the \nPresident has raised regarding China, Huawei, and ZTE. We are \naware that the Commerce Department has serious concerns. These \npoints merit discussion, and it is the reason our hearing is so \ntimely.\n    The quick and easy route would simply ban foreign vendors \nof vulnerable hardware and software from accessing our markets, \nbut the marketplace for hardware and software is global, and a \nhallmark of the communications industry is scale. In time, it \nwill be difficult for our domestic communications providers to \nobtain their network infrastructure from trusted sources when \nvulnerable foreign vendors acquire more and more global market \nshare.\n    What are the implications of all this to our Nation\'s \ncybersecurity? What are the implications in the race to 5G? \nWhat are the broader implications to our Nation\'s economy? And \nmost importantly, what are thoughtful solutions to such a \ncomplex problem? These are some of the questions for today\'s \nhearing that we will seek to address.\n    [The prepared statement of Mrs. Blackburn follows:]\n\n              Prepared statement of Hon. Marsha Blackburn\n\n    Welcome to today\'s subcommittee hearing entitled: \n``Telecommunications, Global Competitiveness, and National \nSecurity.\'\'\n    Our country\'s information technology sector is one of the \nbest economic growth engines the world has ever seen. It allows \npeople to communicate, be entrepreneurs, and pursue educational \nopportunities; it fosters greater efficiency across every \nsector of the economy. As I\'ve said before, information is \npower, and history makes clear that countries with the best \ncommunications have a competitive advantage.\n    Moreover, our Nation\'s defense--the men and women in \nuniform who serve our country--depend on communications. U.S. \nmilitary superiority is built upon intelligence, surveillance, \nand reconnaissance, and the communication of this information \nto outmaneuver potential adversaries.\n    The purpose of today\'s hearing is to understand the nexus \nbetween telecommunications and national security in a global \ncontext.\n    These are issues this subcommittee, and the Energy and \nCommerce Committee more generally, understand well. In 2013, I \nauthored a bill--H.R. 1468, SECURE IT--to promote greater \nvoluntary sharing of cyber threats between the Government and \nthe private sector, as well as among private sector companies.\n    I was pleased that many of the provisions I authored were \nsigned into law in 2015.\n    Additionally, the National Institute of Standards and \nTechnology, or ``NIST,\'\' has also taken great strides to \ncollaborate with the private sector on developing a voluntary \nFramework of cybersecurity best practices. Last month, NIST \npublished the latest version of its Framework to be even more \ninformative and useful to a broader array of stakeholders.\n    In today\'s world, where information literally travels at \nthe speed of light, and new innovations are brought to market \nat a dizzying pace, it is critically important to leverage \nrobust information sharing about threats and vulnerabilities.\n    This should include greater information sharing about the \nsupply chain of hardware and software that make up our \ncommunications networks.\n    When it comes to the supply chain, we must think about it \nover the long-term. We are fully aware of the issues that the \nPresident has raised regarding China, Huawei, and ZTE. We are \nalso aware that the Department of Commerce has serious \nconcerns. This point merits discussion, and it is the reason \nour hearing is so timely.\n    The quick and easy route would simply ban foreign vendors \nof vulnerable hardware and software from accessing our markets.\n    But the marketplace for hardware and software is global, \nand a hallmark of the communication industry is scale.\n    In time, it will be difficult for our domestic \ncommunications providers to obtain their network infrastructure \nfrom trusted sources when vulnerable foreign vendors acquire \nmore and more global market share.\n    What are the implications of all this to our Nation\'s \ncybersecurity?\n    What are the implications for the race to 5G?\n    What are the broader implications to our economy?\n    And, most importantly, what are thoughtful solutions to \nsuch a complex problem?\n    These are some of the questions today\'s hearing seeks to \naddress.\n    I am pleased to convene this hearing.\n    I look forward to the testimony of our witnesses.\n    And I yield 1 minute to the subcommittee\'s vice chairman, \nMr. Lance.\n\n    Mrs. Blackburn. And at this time, I yield my remainder of \ntime to Mr. Lance.\n\n OPENING STATEMENT OF HON. LEONARD LANCE, A REPRESENTATIVE IN \n             CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Lance. Thank you, Madam Chairman.\n    This is a particularly timely hearing on an important \ntopic. The security of our next generation networks is an issue \nthat has come to the forefront. Earlier this year, a leaked \nmemo from the White House recommended we nationalize our 5G \nnetwork for national security reasons. While an extremely \nmisguided and unrealistic approach, it is important that we \nsecure our networks.\n    Just last month, the FCC voted unanimously to move a \nproposal forward to ban Federal funds from being used to \npurchase telecommunications equipment from companies deemed a \nsecurity threat, such as Chinese manufacturers Huawei and ZTE. \nI commend Chairman Pai and the rest of the Commission for \ntaking this important step.\n    ZTE has been deemed a security threat by our intelligence \nagencies and has been criticized by the Departments of Justice \nand Commerce for doing business in Iran and North Korea. Just \nyesterday, the nominee to head the National Counterintelligence \nand Security Center testified that Chinese intelligence uses \nChinese firms such as ZTE as a resource, and he would never use \na ZTE phone.\n    I am concerned about the national security implications of \nlessening the punishments against ZTE in a trade deal with \nChina. National security and the security of our networks are \nprimary concerns here, and the administration must consider \nthat above all else in dealing with China.\n    I look forward to discussing this and other important \nissues surrounding the security of our telecommunications \nnetworks and the global supply chain with you today. Thank you.\n    [The prepared statement of Mr. Lance follows:]\n\n                Prepared statement of Hon. Leonard Lance\n\n    Thank you, Chairman Blackburn and welcome to our \ndistinguished panel.\n    This is a particularly timely hearing on a very important \ntopic. The security of our next generation networks is an issue \nthat has come to the forefront recently. Earlier this year a \nleaked memo from the White House recommended we nationalize our \n5G networks for national security reasons. While an extremely \nmisguided and unrealistic approach, it is important we secure \nout networks. Just last month the FCC voted unanimously move a \nproposal forward to ban Federal funds from being used to \npurchase telecommunications equipment from companies deemed a \nsecurity threat, such as Chinese manufacturers Huawei (wah-way) \nand ZTE. I commend Chairman Pai and the rest of the Commission \nfor taking this important step.\n    ZTE has been deemed as a security threat by our \nintelligence agencies and has been punished by the Departments \nof Treasury and Commerce for doing business in Iran and North \nKorea. Just yesterday, the nominee to head the National \nCounterintelligence and Security Center testified that Chinese \nIntelligence uses Chinese firms such as ZTE as a resource and \nhe would never use a ZTE phone.\n    I am concerned about the national security implications of \nlessening the punishments against ZTE in a trade deal with \nChina. National security and the security of our networks is \nthe primary concern here and the administration must consider \nthat above all else in their dealings with China.\n    I look forward to discussing this and other important \nissues surrounding the security of our telecommunications \nnetworks and the global supply chain with you today.\n\n    Mr. Lance. Madame Chair, I yield back the balance of my \ntime.\n    Mrs. Blackburn. The gentleman yields back.\n    At this time, Ms. Clarke, you are recognized for 5 minutes.\n\nOPENING STATEMENT OF HON. YVETTE D. CLARKE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF NEW YORK\n\n    Ms. Clarke. I thank you, Madam Chair, and I thank our \nwitnesses for coming with their expert testimony this morning.\n    Communication networks in the United States increasingly \nrely on equipment and services manufactured and provided by \nforeign companies. According to the Government Accountability \nOffice, more than 100 foreign countries imported communications \nnetwork equipment into the U.S. market between 2007 and 2011.\n    While the globalization of commerce and trade has created \nmany benefits, these long supply chains have made it possible \nfor bad actors to exploit vulnerabilities during design, \nproduction, delivery, and postinstallation servicing. The \nNational Counterintelligence executive has noted that, quote, \n``The globalization of the economy has placed critical links in \nmanufacturing supply chain under the direct control of U.S. \nadversaries,\'\' end quote.\n    Some examples of the communications supply chain threats \ninclude attempts to disrupt the ability of an organization to \noperate on the internet; attempts to infiltrate a computer \nsystem to view, delete, and modify data; and attempts to use \nviruses or worms to extract data for use or sale. Some experts \nhave even expressed concerns about the use of a kill switch, \nwhich could cause widespread communication outages and \ninterruption in the power grid. And with the recent \npronouncements of ZTE and Huawei, we know that this concern has \nbeen elevated to a national concern.\n    And so, today, we look forward to hearing from you your \nviews and your insights into what we can do to make sure that \nthe United States is well protected.\n    And I don\'t know if I have any colleagues that are seeking \nany time.\n    Well, then, Madam Chair, I yield back.\n    Mrs. Blackburn. The gentlelady yields back at this time.\n    Mr. Walden, you are recognized.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. Thank you, Madam Chair, and thanks for holding \nthis hearing on telecommunications, global competitiveness, and \nnational security. These are really, really important topics \nthis committee has dealt with before and will continue to deal \nwith. As chairman of this very subcommittee back in 2013, I \nheld a hearing on this same topic.\n    These are challenges that vex us, as demonstrated by our \nSubcommittee on Digital Commerce and Consumer Protection \nsubcommittee\'s hearing on CFIUS legislation last month.\n    Discussion on these topics usually happens in a classified \nsetting, so there will be limits to the conversations we can \nhave today, and we understand that. But as I mentioned, the \nEnergy and Commerce Committee has the expertise on \ncommunications technology and a key oversight role in this \ndebate.\n    For years, concerns have been raised about the supply chain \nand potential vulnerabilities that could be introduced into our \ncommunications networks. Of concern are foreign vendors that \nintegrate seemingly private companies with their military and \npolitical institutions. There are also concerns about \ncounterfeit equipment and fraud.\n    In more recent months, there have been alarm bells going \noff at all levels of Government about the potential threats to \nour communications networks. As startling as these threats are, \nsome of the proposed solutions can, frankly, be even more \ndistressing. Mr. Lance talked about that, I think, when that \ncomment emerged from the White House about nationalizing the \nsystem, I pointed out we are not Venezuela.\n    Before committees in Congress and different Federal \nagencies launch solutions to this complex challenge without \nproper coordination and investigation, I argue that we take a \nmore thorough and thoughtful approach. Any net assessment of a \nserious challenge requires some fundamental questions be asked \nat the outset. These would include: How significant is this \nproblem? Is it getting better or is it getting worse? What are \nthe potential solutions and potential unintended consequences? \nAnd most importantly, in a resource constrained environment, \nhow do you prioritize the solutions?\n    In the second half of the 20th century, we faced similar \nquestions as our adversaries appeared to outpace us in \nstrategic areas. In response, the United States invested \nheavily in research and development of cutting edge information \nand communications technologies. It is estimated the Government \nshare of R&D at that time was two-thirds of the total U.S. R&D \ninvestment, and this laid the groundwork for both U.S. military \nsuperiority and unprecedented economic growth in America. But \ntoday, the ratio of Government to private R&D investments is \ncompletely reversed. Moreover, the barriers to entry in advance \ntechnology have been substantially reduced as costs have come \ndown, research has globalized, and formally advanced \ntechnologies are now readily available.\n    So our competitors are more sophisticated than before, and \nsome use their understanding of market dynamics to manipulate \nthe market in their favor. And we simply can\'t replicate 20th \ncentury strategies for a 21st century economy. We have to be \nvery wary of protectionist policies. As the chairman pointed \nout in her opening statement, the marketplace for technology is \nglobal. Nor can we rely on Government-centric approaches to \nsimply spend our way out of this problem. Simply reacting to \nour competitors in symmetric tit-for-tat responses is never a \nwinning strategy. If you are reacting, you are probably losing.\n    A better approach is to find and exploit the asymmetries \nthat benefit us, the core competencies that define our economy \nand our society more broadly. This means development and early \nadoption of next generation disruptive technologies and doing \nthat here. It means strengthening our private sector through \ngreater information sharing about threats. It means better \ncoordination among Government agencies so the private sector \nknows where to go when they encounter vulnerabilities in \nnetworks and not burdening them with redundant, conflicting \nregulations or unnecessary costs. It means greater \ndissemination of best practices and empowering the \ninclusiveness and transparency of standard setting bodies. We \ncan either lead the world in these areas or we will have to \nfollow it.\n    Today\'s hearing is a very important step in leadership. I \nappreciate the chairwoman\'s holding this hearing and her \nleadership on all of these issues, and I look forward to the \ntestimony of our witnesses. I would tell you in advance we have \ntwo hearings going on simultaneously, no surprise for this full \ncommittee, so I will be coming and going, as will some other \nMembers, but we do appreciate your contribution to our better \nunderstanding of the threats we face and the solutions that \nmake sense in a global competitive environment.\n    [The prepared statement of Mr. Walden follows:]\n\n                 Prepared statement of Hon. Greg Walden\n\n    Thank you, Madame Chairman. I want to welcome our witnesses \nto this hearing on ``Telecommunications, Global \nCompetitiveness, and National Security.\'\'\n    These topics are not just timely, but ones which we have \nlong set aside partisan differences, as we counter national \nsecurity threats and empower our innovators to compete around \nthe world. As chairman of this subcommittee in 2013, I held a \nhearing on this very same topic. These are challenges that \nstill vex us, as demonstrated by our Subcommittee on Digital \nCommerce and Consumer Protection subcommittee\'s hearing on \nCFIUS legislation just last month\n    Discussion on these topics usually happens in a classified \nsetting, so there will be limits on our conversation today. \nBut, as I mentioned, the Energy and Commerce Committee has the \nexpertise on communications technology and a key oversight role \nin this debate.\n    For years, concerns have been raised about the supply \nchain, and potential vulnerabilities that may be introduced in \nour networks. Of concern are foreign vendors that integrate \nseemingly private companies with their military and political \ninstitutions.\n    There are also concerns about counterfeit equipment and \nfraud.\n    In more recent months, there have been alarm bells going \noff at all levels of Government about the potential threats to \nour communication networks.\n    As startling as these threats are, some of the proposed \nsolutions can be even more distressing.\n    Before committees in Congress, and different Federal \nagencies, launch solutions to this complex challenge without \nproper coordination and investigation, I argue that we take a \nmore thorough approach.\n    Any net assessment of a serious challenge requires some \nfundamental questions be asked at the outset:\n    How significant is the problem?\n    Is it getting worse?\n    What are the potential solutions and potential unintended \nconsequences?\n    Most importantly, in a resource constrained environment, \nhow do you prioritize solutions?\n    In the second half of the twentieth century, we faced \nsimilar questions as our adversaries appeared to out-pace us in \nstrategic areas.\n    In response, the United States invested heavily in the \nresearch and development of cutting-edge information and \ncommunications technology.\n    It\'s estimated the Government\'s share of R&D at that time \nwas two-thirds of total U.S. R&D investment. This laid the \nground work for both U.S. military superiority, and \nunprecedented economic growth.\n    But today, the ratio of Government-to-private R&D \ninvestment is completely reversed. Moreover, the barriers to \nentry in advanced technology have been substantially reduced as \ncosts have come down, research is globalized, and formerly \nadvanced technologies are now readily available.\n    Our competitors are more sophisticated than before, and \nsome use their understanding of market dynamics to manipulate \nthe market in their favor.\n    We cannot simply replicate 20th century strategies for the \n21st century economy, and we must be wary of protectionist \npolicies. As the chairman pointed out in her opening \nstatement--the marketplace for technology is global.\n    Nor can we rely on Government-centric approaches to simply \n``spend\'\' our way out of this problem.\n    Simply reacting to our competitors in symmetric, tit-for-\ntat responses is never a winning strategy.\n    If you are reacting, then you are losing.\n    A better approach is to find and exploit the asymmetries \nthat benefit us--the core competencies that define our economy, \nand our society more broadly.\n    This means development and early adoption of the next \ngeneration of disruptive technologies.\n    It means strengthening our private sector through greater \ninformation sharing about threats.\n    It means better coordination among Government agencies, so \nthe private sector knows where to go when they encounter \nvulnerabilities in networks, and not burdening them with \nredundant, conflicting regulations or unnecessary costs.\n    It means greater dissemination of best practices and \nempowering the inclusiveness and transparency of standards-\nsetting bodies.\n    We can either lead the world in these areas, or we can \nfollow it.\n    Today\'s hearing is a step in the direction of leadership, \nand I look forward to the captains of industry in technology \nand telecommunications heeding our call.\n    I thank the chairman for convening this hearing, and I look \nforward to the testimony of the witnesses.\n\n    Mr. Walden. Madame Chair, I yield back the balance of my \ntime.With that, Madam Chair, unless any Members on the \nRepublican side want the remainder of my time, I would be happy \nto yield back.\n    Mrs. Blackburn. The gentleman yields back.\n    Mr. Pallone, you are recognized for 5 minutes.\n\nOPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE \n            IN CONGRESS FROM THE STATE OF NEW JERSEY\n\n    Mr. Pallone. Thank you, Madam Chairman.\n    American broadband providers spend tens of billions of \ndollars every year to improve and extend our communications \nnetworks. The return on this investment is that our networks \nare fast, powerful, and global, but these benefits can be \nturned against us in an instant if the networks are not also \nsecure. Every day, we hear about hackers cracking our systems \nand stealing our data, but another risk lurking in our networks \nmay be even more dangerous: other nations quietly watching \neverything that we do online.\n    Unfortunately, a vast majority of our network equipment is \nnow manufactured overseas by foreign companies. Most of this \nequipment works well and causes no problems, but our \nintelligence agencies have identified certain companies like \nHuawei and ZTE from China as posing specific threats to our \nnational security. This equipment may have built in back doors \nthat allow other countries to vacuum up all of our data. Once \ninstalled, these back doors can be nearly impossible to detect. \nAnd these risks are so serious that it led the Trump \nadministration to float the idea of just building a federalized \nwireless network. While this solution was widely panned, the \nunderlying threat that led to this proposal is real.\n    On the other hand, U.S. networks depend on equipment from \nforeign companies as they race to build next generation \nnetworks, like 5G wireless technologies. For many broadband \nproviders, less expensive Chinese equipment may be the only \noption. And these issues are complex. But rather than crafting \na coherent plan forward, the Trump administration has made this \nproblem significantly more difficult.\n    With a tweet, the President muddled his own foreign policy, \nif he even had one, after the Commerce Department announced \nstrong sanctions against ZTE for risking our national security. \nThis weekend, the President tweeted that he is now worried \nthese sanctions will cost jobs in China. And this makes \nabsolutely no sense, in my opinion. That is why we need to hold \nmore hearings like this one.\n    The public needs to hear more about the national security \nrisks at play, and Congress needs to spend more time \nunderstanding potential options. The worst thing we can do is \nto rush to act without evaluating unintended consequences and \nwhether certain proposals can even solve the problem.\n    But, unfortunately, some of our colleagues on the Armed \nServices Committee are suggesting we do just that. A proposal \nhas been put forward as part of the National Defense \nAuthorization Act that would cut off access to a wide array of \nnetwork equipment without considering how to manage the risk to \nAmericans. Worse, these provisions in the bill have been \nspecifically crafted to circumvent our jurisdiction, and \nmaneuvers like this rarely result in good policy.\n    Rather than take rash action, Congress must carefully craft \na coherent plan subject to the rigors of regular order in the \ncommittees of expertise like ours. Our plan should make our \nnetworks both more robust and more secure. We are dealing with \na complicated relationship between the future of our \ncommunications networks and national security, and these issues \nshould not be taken lightly. So I urge my colleagues to oppose \nthese efforts. We must find a proper balance that keeps our \ncountry safe, while ensuring that every American has access to \npowerful next generation broadband networks.\n    And finally today, Madam Chairman, I wanted to make a \nbittersweet announcement. Unfortunately, David Goldman, our \nchief counsel on this subcommittee, will be leaving at the end \nof this month to pursue an opportunity in the private sector, \nso this is actually his last hearing. He is over there on my \nleft. And I say this is bittersweet because over the last 3 \nyears, David has been an invaluable part of our committee team. \nHe has provided us not only critical policy expertise, but also \nstrong strategic guidance that helped lead to the passage of \nthe bipartisan RAY BAUM\'s Act, for example, which included a \nlot of important Democratic priorities, including the SANDy \nAct.\n    And David, I think many of you know, has a long career of \npublic service, including time at the FCC and in the Senate, \nGod forbid, but, David, you will be missed, and we wish you \nnothing but the best in your future endeavors. Thank you so \nmuch. Thank you, David.\n    [The prepared statement of Mr. Pallone follows:]\n\n             Prepared statement of Hon. Frank Pallone, Jr.\n\n    American broadband providers spend tens of billions of \ndollars every year to improve and extend our communications \nnetworks. The return on this investment is that our networks \nare fast, powerful, and global. But these benefits can be \nturned against us in an instant if the networks are not also \nsecure.\n    Every day we hear about hackers cracking our systems and \nstealing our data. But another risk lurking in our networks may \nbe even more dangerous: other nations quietly watching \neverything we do online.\n    Unfortunately, a vast majority of our network equipment is \nnow manufactured overseas by foreign companies. Most of this \nequipment works well and causes no problems. But our \nintelligence agencies have identified certain companies like \nHuawei and ZTE from China as posing specific threats to our \nnational security.\n    This equipment may have built-in backdoors that allow other \ncountries to vacuum up all of our data. Once installed, these \nbackdoors can be nearly impossible to detect.\n    These risks are so serious that it led the Trump \nadministration to float the idea of just building a federalized \nwireless network. While this solution was widely panned, the \nunderlying threat that led to this proposal is real.\n    On the other hand, U.S. networks depend on equipment from \nforeign companies as they race to build next-generation \nnetworks, like 5G wireless technology. For many broadband \nproviders, less expensive Chinese equipment may be the only \noption.\n    These issues are complex. But rather than crafting a \ncoherent plan forward, the Trump administration has made this \nproblem significantly more difficult. With a tweet, the \nPresident muddled his own foreign policy--if he had one. After \nthe Commerce Department announced strong sanctions against ZTE \nfor risking our national security, this weekend the President \ntweeted that he is now worried these sanctions will cost jobs \nin China. This makes absolutely no sense.\n    That\'s why we need to hold more hearings like this one. The \npublic needs to hear more about the national security risks at \nplay. And Congress needs to spend more time understanding \npotential options. The worst thing we can do is to rush to act \nwithout evaluating unintended consequences and whether certain \nproposals can even solve the problem.\n    Unfortunately, some of our colleagues on the Armed Services \nCommittee are suggesting we do just that. A proposal has been \nput forward as part of the National Defense Authorization Act \nthat would cut-off access to a wide array of network equipment \nwithout considering how to manage the risks to Americans. \nWorse, these provisions in the bill have been specifically \ncrafted to circumvent our jurisdiction. Maneuvers like this \nrarely result in good policy.\n    Rather than take rash action, Congress must carefully craft \na coherent plan subject to the rigors of regular order in the \ncommittees of expertise like ours. Our plan should make our \nnetworks both more robust and more secure. We are dealing with \na complicated relationship between the future of our \ncommunications networks and national security. These issues \nshould not be taken lightly.\n    I urge my colleagues to oppose these efforts. We must find \na proper balance that keeps our country safe while still \nensuring that every American has access to powerful next-\ngeneration broadband networks.\n    Finally today, a bittersweet announcement, David Goldman, \nour chief counsel on this subcommittee, will be leaving at the \nend of this month to pursue an opportunity in the private \nsector. This is his last hearing. I say this is bittersweet \nbecause, over the last 3 years, he\'s been an invaluable part of \nthe committee team. David has provided us not only critical \npolicy expertise but also strong strategic guidance that helped \nlead to the passage of the bipartisan RAY BAUM Act, which \nincluded a lot of important Democratic priorities, including \nthe SANDy Act. David has a long career of public service--\nincluding time at the FCC and in the Senate.\n    David, you\'ll be missed, and we wish you nothing but the \nbest in your future endeavors.\n    Thank you, I yield back.\n\n    Mr. Pallone. I don\'t think anybody wants my time, so I will \nyield back, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back.\n    And we add our well wishes to those that we are sending to \nDavid for a job well done and hope for the future.\n    At this time, this concludes our Member opening statements. \nAll Members are reminded that, pursuant to committee rules, \nyour statements will be made a part of the permanent record.\n    And to our witnesses, we welcome you. We appreciate that \nyou are here today. As you see, this is something that has \nbipartisan concern and attention from our committee.\n    And for our panel for today\'s hearing: Dr. Charles Clancy, \ndirector and professor at the Hume Center for National Security \nand Technology at Virginia Tech; Ms. Samm Sacks, senior fellow \nat the Technology Policy Program at CSIS; and Mr. Clete \nJohnson, a partner at Wilkinson Barker Knauer.\n    You all are welcome. We appreciate that you are here today.\n    We are going to begin the testimony today with you, Dr. \nClancy. You are now recognized for 5 minutes for your \nstatement.\n\n   STATEMENT OF CHARLES CLANCY, PROFESSOR OF ELECTRICAL AND \n  COMPUTER ENGINEERING AND DIRECTOR, HUME CENTER FOR NATIONAL \n  SECURITY AND TECHNOLOGY, VIRGINIA TECH; SAMM SACKS, SENIOR \n  FELLOW, TECHNOLOGY POLICY PROGRAM, CENTER FOR STRATEGIC AND \nINTERNATIONAL STUDIES; AND CLETE D. JOHNSON, PARTNER, WILKINSON \n                       BARKER KNAUER, LLP\n\n                  STATEMENT OF CHARLES CLANCY\n\n    Dr. Clancy. Thank you.\n    Chairman Blackburn, subcommittee members, my name is \nCharles Clancy. I am a professor of electrical and computer \nengineering at Virginia Tech. I am a recognized expert in \nwireless security, have held various leadership roles within \ninternational standards and technology organizations. And at \nVirginia Tech, I lead a major university program focused on the \nintersection of telecommunications, cybersecurity, and national \nsecurity.\n    Prior to joining Virginia Tech in 2010, I served as a \nresearch leader in emerging mobile technologies at the National \nSecurity Agency.\n    It is my distinct pleasure to address this committee again \non topics of critical national importance.\n    For the past 20 years, major forces have reshaped the \ntelecommunications industry here in the United States and \nglobally. Titans of the 20th century like Motorola and Lucent \nhave faded and given rise to innovators of the 21st century \nlike Apple and Cisco. These shifts have given birth to a global \nmarketplace, which in turn has resulted in a global supply \nchain, a topic of interest in the hearing today.\n    Supply chains for telecommunications are complex, as has \nbeen noted. They include development of intellectual property, \nstandards; fabrication of components and chips; assembly and \ntest of devices; development of software and firmware; \nacquisition, installation, management of devices and \noperational networks; and the data and services that operate \nover those global networks. Competing in a global marketplace \ndrives where and how each portion of the supply chain is \nexecuted.\n    An example I think that is pertinent is the modern supply \nchain of the Apple iPhone. Over 700 individual suppliers from \n30 countries provide equipment and components into the Apple \niPhone. It is one of the most sophisticated and complicated \nsupply chains of any consumer electronic device, while the \nultimate manufacturing happens in China where there are cameras \nfrom Japan, displays from Korea, and computer processors from \nTaiwan.\n    Only about 7 percent of the suppliers for the Apple iPhone \nare U.S.-based companies, to include chip manufacturers like \nQualcomm and Intel, although their chips are actually \nmanufactured in Korea and Taiwan. I think of note is the fact \nthat much of the chip manufacturing industry is now offshore, \nwith two-thirds of that industry operating out of China and \nTaiwan, and the United States only accounting for 8 percent.\n    Another interesting statistic to look at is standards. I \npersonally have observed the rise of Chinese participation in \nstandards bodies grow from almost nothing in 2005 to a \ncommanding presence by 2010. By 2023, if current trajectories \nhold, Huawei will be the number one filer of intellectual \nproperty and the number one author of international standards \nwithin the Internet Engineering Task Force, outpacing Cisco in \nthe next few years, based on current trends.\n    They have accomplished this not by buying American \ncompanies, but by buying American innovators with rigorous and \ncompetitive bonus packages for those who compete in these \nstandards organizations. And this has happened completely--is \ninvisible to the CFIUS process because it doesn\'t involve \nmergers and acquisitions.\n    So while several Chinese companies, as has been noted so \nfar, have clearly taken shortcuts from theft of intellectual \nproperty to product sales to embargoed countries, China is \nundeniably part of the supply chain. So as mentioned, it is a \ncomplex ecosystem, and securing it requires, I think, a nuanced \napproach.\n    So as we look at securing the supply chain, I think the \nnumber one piece of advice is that really it needs to be an \napproach based on risk management. The supply chain threat--the \ncyber threat to the United States is real and tangible. Supply \nchain operations are among the most pernicious and difficult to \ndetect. So a supply chain risk management approach that cuts \nacross different technologies, sectors, and components of the \nsupply chain I think is important.\n    One critical aspect of that is to look at the criticality \nof individual components. The criticality of a cell phone, for \nexample, is very different than that of a core internet router. \nAnd so the risk management approach that goes along with that, \nI think, needs to reflect criticality of the component that is \nbeing considered.\n    I think that the NIST cybersecurity framework provides a \ngreat starting point for formulating such a strategy. It \nrepresents a shift away from a compliance-based approach, such \nas banning particular companies I think would be representative \nof a compliance-based approach to solving the problem, and more \ntowards a risk management approach where the risks associated \nwith the each component are quantified.\n    So recommendations moving forward. I think that we need a \nthorough assessment of supply chains for critical \ninfrastructure. I think this needs to happen on a recurring \nbasis. And where there are gaps, those gaps need to be \nidentified and prioritized. Those priorities can then help \ninform how we foster a competitive domestic industry to fill \nthose gaps in a way that those actions can be done in a \nglobally competitive way.\n    Thank you.\n    [The prepared statement of Dr. Clancy follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mrs. Blackburn. The gentleman yields back.\n    Ms. Sacks, you are recognized.\n\n                    STATEMENT OF SAMM SACKS\n\n    Ms. Sacks. Madam Chairman Blackburn, Ranking Member \nPallone, members of the committee, thank you for the \nopportunity to testify today.\n    My testimony reflects my experience as an analyst of \nChinese technology policy for more than a decade. I have not \nonly worked with the U.S. Government, but also in the \ncommercial sector with leading multinational companies in \nChina. These complex structural challenges require a deep \nunderstanding of the commercial and the national security \ndimensions of our trade and investment relationship with China.\n    The Chinese leadership is in the midst of building the most \nextensive Governance system for information communications \ntechnology of any in the world. This is part of President Xi \nJinping\'s vision of building China into what he has referred to \nas a cyber superpower.\n    Today, I would like to discuss three implications for U.S. \nICT companies doing business with China. First, companies face \nat least seven different kinds of security reviews of ICT \nproducts and services. These are essentially black box reviews. \nWe have no idea what they will entail, in some cases, who will \nconduct them. They can cover network products and services, \ndata that has to be exported, internet technologies. The list \nis broad, and it gives the Government discretion to do as it \nwants using these reviews as channels to review source code and \nalso delay or block market access.\n    Second, many U.S. companies and China assume that data \nlocalization will be a reality of their operations in China, \ndespite these rules still being in draft. Data localization is \nnot only a market access barrier, but it is another tool for \nthe Government to gain visibility into networks and digital \ninformation.\n    Third, U.S. companies face informal pressures in China, \neven in the absence of specific regulation. This is \nparticularly in the case in areas referred to as core \ntechnologies where the Government has decided to double down on \nreducing reliance on foreign suppliers. This could include \nadvanced semiconductors, certain kinds of software, the \nhardware and algorithms behind artificial intelligence systems.\n    So in short, the aperture for ICT companies doing business \nwith China is rapidly closing. So what should be done?\n    We are correct to address areas where we have leverage with \nBeijing. We have seen that Beijing does not respond absent of \nexternal pressure. But the challenge is that U.S. Chinese and \ntechnology development, supply chains, commercial markets are \ntightly intertwined. Unilateral actions that isolate the United \nStates will undermine U.S. economic prosperity, our \ntechnological leadership, and our capacity for innovation.\n    In confronting China, we must have a clear understanding \nabout the consequences of our actions and where there will be \ncosts to ourselves. I have three recommendations.\n    First, we should coordinate with allies and partners to \ncreate multilateral pressure. We have seen this work in the \npast. In 2009, a coalition of U.S., Japanese, European business \nand policy leaders created pressure that convinced China to \nsuspend rules that would have required a type of surveillance \nscreening software on computers in China. Unilateral action \nwill compel China to retaliate against U.S. companies, leading \nBeijing to double down on the very structural problems that we \nare trying to address.\n    Second, we need channels to work with Chinese private \nsector players whose interests in some cases actually are more \naligned with ours than some might think. Chinese companies need \nto compete globally in commercial markets and are often \nhindered by their own government.\n    Third, we must play offense by investing in our own R&D, \ninfrastructure, STEM education, and a capital market that \nrewards investment. China will continue to invest in closing \nthe technology gap with the United States regardless of U.S. \nactions, so we must be able to compete through our own \ntechnological and economic leadership.\n    Thank you. I look forward to your questions.\n    [The prepared statement of Ms. Sacks follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mrs. Blackburn. The gentlelady yields back.\n    Mr. Johnson, you are recognized for 5 minutes.\n\n                 STATEMENT OF CLETE D. JOHNSON\n\n    Mr. Johnson. Thank you for the opportunity to share my \nperspective with you on this critical, bipartisan issue. My \ntestimony today reflects lessons from my experience with supply \nchain security issues, multiple Government-private sector \npositions, including as a logistics officer in the U.S. Army \nand as counsel for the Senate Intelligence Committee, the FCC, \nand the Department of Commerce.\n    Now at Wilkinson Barker and Knauer, I advise clients \nnavigating this complex security and market environment, \nparticularly through partnership with the Federal Government. \nMy advice to clients also draws on these experiences, but the \nviews I express today are my own.\n    This committee well knows that the global supply chains for \nhardware-software services that make up the world\'s internet \nand communications technology ecosystem raise complex national \nsecurity, strategic, economic, business, and technological \nconcerns. The United States has long played the leading role in \nadvancing these world changing tech developments, and \naddressing security concerns in a way that further advances \nthese innovations is absolutely crucial to maintaining that \nU.S. leadership.\n    As we advance to a thoroughly connected 5G world, the \ncapability of bad actors to use these technologies and to \nleverage their supply chains for IP theft, cyber espionage, \nsabotage, and even warfare presents acute threats. These are \nwell-funded, purposeful, sophisticated nation-state \nadversaries, spies, criminals, other malicious actors, and they \nare working hard to find openings for their nefarious purposes. \nAnd many such openings are there to be found.\n    The threats and vulnerabilities are real and they manifest \nin different ways at all levels of the global supply chain, \nbeginning with the Chinese and Russian companies identified in \nrecent Government actions. The actions that Congress and the \nadministration have taken in recent months to address these \nconcerns constitute a significant and welcome intensification \nof policy activity. We are at an inflection point on these \nissues for good reason, and we need to do this right. The \nissues are highly complex, as has been noted, and solutions \nmust take root in a global market in which rapid business \ndevelopments and the practical realities of the supply chain \nchallenge traditional boundaries and legal jurisdictions. The \nchallenges call for private sector leadership in close \ncollaborative engagement with Government partners through clear \nand effective processes.\n    In recent months, there have been more than a dozen new \nGovernment actions on these issues, and perhaps the most \nimportant is the FCC proposal championed by Chairman Pai and \nunanimously adopted last month to prevent Government funds from \npurchasing technology or services from companies that pose a \nnational security threat to U.S. communications infrastructure.\n    This process will significantly advance this policy \ndiscourse and can be a lever to move the whole Government and \nthe market in the right direction. The market needs clear, \npractical guidance that derives from well-informed processes \nwith input from experts from throughout the Government as well \nas from the private sector stakeholders who know the market \nbest.\n    Restrictions on the three companies identified in last \nyear\'s defense authorization act are really the easy step. The \nmore difficult questions have to do with how these policies \nwill be implemented, how they will be updated, possibly \nexpanded in the future.\n    So a few high level thoughts on the FCC proposal, which is \ntargeted to address supply chain security for networks \nsupported by public funds but has implications that are \nprecedent setting and potentially much more far reaching.\n    Identifying national security threats is a function of our \nintelligence, law enforcement, defense, and homeland security \nagencies, so as the FCC implements this rule, there will need \nto be thorough coordination through the Government to ensure \nthat new requirements are fully aligned with national security \ndecisions by the administration and Congress and that they \nderive from broader interagency policy processes or statutory \nrequirements.\n    DHS, as the sector-specific agency for the communications \nand IT sectors should coordinate these efforts with lots of \ninput from the Department of Commerce as well as input from the \nDepartments of State, Justice, Defense and, yes, the FCC. To \npromote a collaborative partnership with industry, sensitive \nprivate sector information should be formally protected under \nthe Protected Critical Infrastructure Information Act, which \nprohibits disclosure of protected information under FOIA and \nuse in litigation or regulatory enforcement actions.\n    In short, the FCC\'s actions in the month and years ahead \nshould derive from and they should further advance processes \nthat are built on principles of industry leadership and \nGovernment-industry partnership.\n    I look forward to further fleshing out these thoughts in \nanswers to your questions. Thank you.\n    [The prepared statement of Mr. Johnson follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mrs. Blackburn. The gentleman yields back.\n    And we thank you all for your statements. I will begin the \nquestioning and recognize myself for 5 minutes.\n    Mr. Johnson, I want to come to you first. You talked about \nin your testimony how complex this challenge is and the need \nfor collaboration, and I think we all agree with that. And we \nappreciate your background and the holistic view that you bring \nto looking at this and you know how and are familiar with the \nlegislation passed in 2015 and how that looks at a clear and \neffective process for the public-private collaboration in the \ncyber realm. But the law was not designed for threats to the \nsupply chain. And Ms. Sacks mentioned data transfer and things \nof that nature in her testimony.\n    So let\'s look at and talk about a formalized process for \ninformation sharing for the supply chain between the public and \nthe private sectors, and I would like to hear you weigh in on \nthat.\n    Mr. Johnson. Absolutely. And, Madam Chairman, you and your \ncolleagues on both sides of the aisle and both sides of this \nHill should be commended for the landmark legislation, the \nCyber Information Sharing Act. What it provided were paths and \nlegal clarity on the types of cyber threat information that can \nbe shared between industry and the Government, and Government \nback to industry, and also between industry players, along with \nprivacy protections and other protections.\n    And what that--that was a landmark effort because it \ncreated protections for that sharing that provide general \ncounsels and companies across the country certainty that if \nthey are engaging in this type of sharing, they are not--they \nare actually helping their legal risk posture as opposed to \ncontributing to it or taking risk.\n    What it did is it focuses on tactical and operational \ninformation sharing. It is basically sharing ones and zeros \ndigitally and by machines. So it is about the here and now \nthreat environment and what is happening on the network in this \ninstance. And it is about diagnostic type information.\n    What we need in this supply chain arena, and I mentioned \nthe protected critical--excuse me, Protected Critical \nInfrastructure Information Act, and we will talk about that a \nlittle bit more, what we need is more of an operational and \nstrategic. So as opposed to tactical and operational, you start \nwith operational, but it is also a strategic engagement between \nprivate sector entities and the expert Government agencies \nabout candid assessments of what they are doing, what is \nworking, what is not working, and in the area of supply chain, \nwhat they have, what they are seeing, what they are worried \nabout, and what the Government is worried about.\n    Mrs. Blackburn. OK. Let me ask you about that. We have done \na lot of work in this committee on rural broadband, and Ms. \nClarke and I have done a lot of work together on unserved \nareas. Whether it is urban, as in her district, or rural, as in \nmy district. So when you look at that, how do you ensure that \nsupply chain information sharing is disseminated to those \nsmaller broadband providers, whether they be urban, as in her \ndistrict, or rural, as in mine? Because they really do lack the \nstaff and the sophistication to handle that.\n    Mr. Johnson. That is a great way to look at that question \nbecause it speaks to what is the value to the company of this \nengagement. Are they doing it as a service to the Government? \nAre they taking extra time to do it? Or is it something that \nadds value to their bottom line because it creates efficiencies \nand an information environment that they need but they don\'t \nhave other ways to get?\n    So the best way to provide value to those low-margin rural \nand urban smaller providers is to make it worth their while to \ncome in and talk to the Government about what they see, what \nthey have got, and how the Government can help them, including \nby giving them clear guidance about it is not a good idea to go \nin this direction.\n    Mrs. Blackburn. I thank you for that.\n    I have only got 30 seconds left. And, Ms. Sacks, I have \ngot, let\'s see, three questions that I wanted to come to you \non, but I tell you what I am going to do. I am going to submit \nthem for the record for you to answer back to us. Because I \nappreciate your testimony and how you laid out what you think \nthe challenges are and then laid out the three steps, and I \nwanted to drill down on that a little bit further, but I will \nsubmit this.\n    I yield to Ms. Clarke 5 minutes for her questions.\n    Ms. Clarke. I thank you, Madam Chairwoman.\n    As American companies continue to work through preparations \nfor 5G, we often focus on domestic issues. And I think that \ntaking such a narrow approach can cause people to overlook the \nissues with making foreign components so integral to our supply \nchain. For instance, small businesses can often only get access \nto foreign-made equipment, which is often less expensive. But \nthis equipment is also more likely to be subject to sanctions. \nFor all the steps the FCC is taking to eliminate deployment \nregulations, it won\'t matter if providers can\'t get access to \nequipment made by other manufacturers.\n    So, Mr. Johnson, just drilling down on the practical \napplications, what does the landscape look like for small \nbusinesses who use Huawei and ZTE equipment?\n    Mr. Johnson. It depends company by company. I think looking \nacross the country, there are a number of providers of the \nvarious types of equipment and services that Huawei and ZTE \nprovide, and I think that will be the case regardless of their \nstatus in the U.S. market. They have a relatively small share \nof the U.S. market. I think in Huawei\'s case, I think their \nU.S. revenue is less than 1 percent of their global revenue. \nAnd in each of the areas that they lead various types of \nequipment, various types of devices, various types of services, \nthere are robust competitors in each of those arenas, as well \nas, you know, both in the case of global companies and also in \nthe case of smaller startups that are trying to break into the \nmarket.\n    So the record that is being created at the FCC, this is one \nof the reasons why this is such an important proceeding. For \nthe first time, on June 1, with all the comments due on that \nproceeding, there will be a public record to answer this \nquestion, what is the effect, and then there will be another \nreply round. And I think we are going to get a lot of \ninformation out of that that will help illuminate how this \naffects individual companies and how it affects certain parts \nof the market.\n    Ms. Clarke. So do you think that the domestic manufacturing \nmarket is capable of filling those gaps left by Huawei and ZTE?\n    Mr. Johnson. I think that the--as Dr. Clancy mentioned, the \nmarket has changed in pretty significant ways in recent years, \nand it might be better to say it as opposed to domestic \nmanufacturing, there certainly is domestic manufacturing in \nsome areas, but it may be better to look at it as a trusted \nsupplier manufacturing, which can take--can span continents and \noften does touch China. And the competition among trusted \nsuppliers is robust and dynamic, and I think that if there is a \nsmall vacuum that is created by any prohibition or restriction \npertaining to Huawei or ZTE, that market will probably respond \nto that pretty quickly.\n    Ms. Clarke. So to the panel, given that many small \nbusinesses serving low-income communities rely heavily on ZTE \nhandsets, I am particularly concerned about the fallout of the \nsanctions on Lifeline subscribers. What role can Congress play \nin easing some of the burdens small businesses will encounter \nin replacing ZTE handsets with secure alternatives? Any ideas \nout there?\n    Dr. Clancy. I would say that we need to differentiate a \nhandset from a core internet router. There are very different \nrisks associated with that. The risks associated with a ZTE \nhandset, in my opinion, are much lower to national security \nthan, for example, having core internet routers or core \ncellular network or 5G equipment from ZTE. So I think, in \nparticular, as you look at the NDAA language, the ability to \nclarify the difference between core infrastructure and edge \ndevices is important and would help, I think, address your \nconcern.\n    Ms. Sacks. I would like to add to Dr. Clancy\'s comments \nthat we leave it to the security experts to differentiate among \nthe specific risks and design mitigation strategies around \nthat, particularly as Chairman Walden mentioned, we need to \nprioritize resources accordingly. I think it is important that \nthe United States does not take a sweeping approach to banning \ncompanies based on national origin, but instead, looks at the \nspecific threats posed by equipment. And policies need to also \ntake into account the fallout, the repercussions for U.S. \ncompanies and the U.S. economy to those approaches.\n    Mr. Johnson. Ma\'am, I would add to that that the threat \nbased on handsets and individual devices is narrower. It does \npertain potentially to the holder of that device, but probably \nonly to that person. And so there is an issue of if you are a \nsensitive person, you probably want to be careful about what \ndevice you hold. And I think as we move forward through this \nprocess, we want to make sure that low-income people are not \nare not the subject of lesser security than sensitive personnel \nare.\n    Ms. Clarke. I yield back, Madam Chair. Thank you very much.\n    Mrs. Blackburn. The gentlelady yields back.\n    Mr. Latta, 5 minutes.\n    Mr. Latta. Well, thank you, Madam Chair. Thanks very much \nfor having this hearing today. It is very, very important.\n    I want to thank our panelists for being with us today, \nbecause we have talked about this issue in many hearings and a \nlot of outside discussions as to how critical this is.\n    And if I--Dr. Clancy, if I can start with you. In your \ntestimony, you talk about the risk management that comes down \nto telecommunications companies need to consider. You say the \ncriticality of each component in their network and the entire \nsupply chain for each product, and you also say it is \nfinancially impossible to eliminate that risk. And at the same \ntime, in your testimony, you talk about the over 700 suppliers \nfrom 30 countries that provide components, and you are talking \nabout the Apple iPhone, with only 7 percent of that coming from \nU.S. companies.\n    How do we give confidence to the consumers out there \nthrough the companies that, you know, these products that they \nare using are secure, when we see from your testimony at the \nsame time that, you know, it is impossible to eliminate all \nthat risk at that time?\n    Dr. Clancy. So my comments with respect to the iPhone were \nmerely to illustrate how complex supply chains are and how many \ndifferent parts of the world they touch, not necessarily \nindicating that that particular supply chain posture is good or \nbad. I think that from a consumer perspective, there needs to \nbe confidence that the products and services that they are \nusing meet their security thresholds. I think you also need to \nconsider the motivations of hackers and adversaries.\n    The specific comment about being financially and feasible \nto eliminate all risk, any determined adversary with enough \ntime and resources is going to be able to penetrate a target \nnetwork. So as you look at a risk management approach, you need \nto be able to identify what the most sensitive parts of your \nnetwork are, be able to fortify those as much as possible \nagainst those risks, whether it be a supply chain risk or it be \nan active cyber attack risk, and then make sure you are \nprioritizing those investments based on the criticality of the \nindividual components.\n    So I think that would be--again, my view, again, supply \nchain risk management looking at criticality of the devices, \nhow the devices are used in the network, and the supply chains \nassociated with each one I think is really, I think, the best \nstrategy.\n    Mr. Latta. Let me follow up with another question to you. \nAs the FCC, Congress, and other Federal agencies look at ways \nto prevent public funds from supporting suppliers that pose a \nthreat to national security, who should be making the \ndeterminations as to which suppliers pose a real threat?\n    Dr. Clancy. So that is an excellent question. Obviously, we \nhave seen either regulatory or legislative approaches to \nselecting those companies. I think that that process is, I \nthink, perishable, and there needs to be a more modular way of \nidentifying risks in the supply chain. While companies like \nHuawei, ZTE, and Kaspersky as well may represent specific \nexamples of supply chain risk, there are many component vendors \nas well that may present supply chain risk, depending on the \ntype of equipment they are being integrated into.\n    So I think there needs to be a role within the Federal \nGovernment for assessing and understanding the entire supply \nchain and assessing the risk of specific vendors in that supply \nchain. And then, as the chairwoman and Mr. Chairman mentioned, \nwas the ability for that information to be shared with industry \nas they look to construct and manage the risk associated with \ntheir supply chain.\n    Mr. Latta. One more question, and I am not picking on you \nhere. Is there sufficient competition in the vendor markets to \neven allow a telecommunications provider to have realistic \noptions to purchase economical and secure equipment?\n    Dr. Clancy. I believe so. I think that, as was pointed out, \nthe Huawei market share and ZTE market share, for example, is \nvery small, and there are a number of other vendors of similar \nprice point equipment that could be selected as an alternative. \nI think that we may need investment in U.S. industry, identify \nwhere the gaps are in U.S. supply chain in particularly \ncritically important aspects in order to foster domestic \ncompetitiveness on a global market in order to expand options.\n    Mr. Latta. Let me ask, how do we foster that to get that \nmore competitiveness than in the U.S. market?\n    Dr. Clancy. So depending on precisely where the risk is, \nyou could look at research and development investments, you \ncould look at economic investments to try and bolster \nparticular industries. Let\'s say, for example, there was an \neffort to--there was a determination that the fact that we have \nall of the chip manufacturing is happening offshore, right, I \nthink that could be an area where if you want to foster a chip \nfabrication industry in the United States, there are a wide \nrange of incentives that you can put together to try and \naccomplish that. Now, whether or not that makes economic sense, \nI don\'t know, but I think there are levers there.\n    Mr. Latta. Thank you. Madam Chair, my time has expired, and \nI yield back.\n    Mrs. Blackburn. Mr. Pallone, you are recognized for 5 \nminutes.\n    Mr. Pallone. Thank you, Madam Chairman.\n    The threats to our network supply chain pose a serious \nnational security risk, and I don\'t think forcing through \nprovisions as part of the National Defense Authorization Act is \nthe best process. So I ask Chairman Walden and Chairman \nBlackburn and the rest of my colleagues on our committee to \nwork together to pursue thoughtful legislation. Because these \nsecurity risks pose an urgent threat, I hope we can work \ntogether to quickly pass a bipartisan proposal. My questions \nwill therefore focus on how to craft the right policies for our \ncountry.\n    Mr. Johnson, in your written testimony, you suggest using \nthe interagency process to reach a better informed result, and \nsome may believe that an interagency process is too slow, \nhowever, to deal with the immediacy of this threat. So let me \nstart with Mr. Johnson. If Congress were to pass legislation \nsetting out an interagency process to address supply chain \nrisks, what is the fastest you think the executive branch could \nact to protect our supply chain? Is 180 days possible, for \nexample?\n    Mr. Johnson. Congressman, I think the executive branch is \nalready taking steps in that direction, and also already has \nmodels for interagency collaboration, particularly through a \npartnership of the Department of Homeland Security and Commerce \nleading this botnet reduction initiative under the executive \norder, for instance. So I think the muscle memory is there, and \nwith apologies to former overworked colleagues in the executive \nbranch, I think some pretty big steps could be taken in 180 \ndays. And the only thing I would add is that it would need to \ncontinue on day 181 and beyond. So this process will never be \nfinished. Kind of like the NIST framework, it will always be \nbeing improved.\n    Mr. Pallone. Well, thank you. I said that I was concerned \nthat the proposals being considered as part of the National \nDefense Authorization Act are static and would not evolve with \nthe changing threats to our supply chain. A solution that only \naddresses the risks we face today I think could simply give \nforeign actors a blueprint for avoiding our protections for \ntomorrow.\n    So again, Mr. Johnson, if we are actually going to create \nlasting protections for our supply chain, how should we craft \nlaws so they can respond to new and emerging threats?\n    Mr. Johnson. I think the answer to that is that continuous \nprocess, and it should include those two departments that I \nhave mentioned. It should include the FCC, as well as possibly \nother regulatory agencies, as well as State, Justice, FBI, \nDefense, potentially other agencies. And crucially it should \ninclude the opportunity for private sector entities who know \nthe market best and know the corners that the Government \ndoesn\'t necessarily see. It should provide opportunities for \nthem to come in in a candid, collaborative way, say hereis what \nwe are seeing, hereis what I am picking up, and hereis what my \nconcerns are, and hereis what the market bears. All of that is \nrelevant to this.\n    And as Dr. Clancy and Ms. Sacks noted, distinguishing \nbetween different components and parts of this market is \ncrucial and complex, and you really can\'t do that without this \nholistic look of all the elements of Government and relevant \nplayers in the private sector.\n    Mr. Pallone. All right. Thanks. And my last question, which \nI can get--any of you could answer, is I believe, as I said, \nthe committee should work together to produce informed and \nwell-reasoned bipartisan legislation to secure our supply \nchain. So with that in mind, could each of you tell me what you \nbelieve is the one thing we should include in a bill to protect \nour critical networks? And we have only got a minute and a \nhalf, but let me start with Dr. Clancy and we will go down.\n    Dr. Clancy. I think this--just generally, this notion of \nnot--any focus on specific companies will have perishable \nimpact, so there needs to be a modular approach to identifying \nwhat particular components of the supply chain are of the most \nrisk.\n    Mr. Pallone. Ms. Sacks. Thank you.\n    Ms. Sacks. We need to be careful not to replicate the China \nmodel in terms of picking winners and losers and using a state-\nled approach that doesn\'t enable the industry and investment to \ndo as it should. So we have an opportunity for technological \nleadership by enabling R&D, enabling more STEM education in a \nway that shows a U.S. versus a state capitalist model in \ntechnological development.\n    Mr. Pallone. Thank you. Thirty seconds. Mr. Johnson, 30 \nseconds left.\n    Mr. Johnson. I agree that the private sector perspective is \ncrucial to not be eclipsed by the Government perspective. And \nso I think clarity in the process in making clear what the--who \nis in the lead, who is putting in what inputs from the \ninteragency so that private sector companies can navigate that \nis crucial, as well as legal mechanisms that allow them to feel \nprotected in candid collaboration with the Government.\n    Mr. Pallone. Thank you. I yield back, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back.\n    Mr. Johnson, you are recognized.\n    Mr. Johnson of Ohio. Thank you, Madam Chair.\n    I would like to--Mr. Pallone, most Johnsons can\'t even say \ntheir name within 30 seconds. He did a really good job of \nstaying in that timeframe there. So thank you.\n    Dr. Clancy, you know, some of the more concerning threats \narise from the ongoing access that vendors have. What is the \nscope of this access? Are the threats limited to software or \nfirmware updates, or could the ability of a technician to \nreplace and repair parts also introduce risks?\n    Dr. Clancy. So as you look at many of these vendors\' \nnetworks, Huawei would be a good example, they have deployed \ntelecommunications infrastructure globally, core switches and \nrouters throughout many countries all over the globe. And as \nwas mentioned, that market share here in the U.S. is fairly \nsmall. Part of that involves a service agreement where the \noperator has reach back in order to get service and support \nthat they need as part of that purchase of equipment. So \nwhether it is these devices doing software updates and getting \nnew firmware loaded or its vendors who are working under a \nsupport contract are able to log in and access those systems, \nboth of those represent operational security risks associated \nwith use of that equipment in the environment.\n    Mr. Johnson of Ohio. Well, using a risk management \napproach, how would a smaller rural provider that relies on \nthese kinds of services manage these kinds of threats?\n    Dr. Clancy. That is a great question. I think that the--I \nthink the NDAA language suggests that in certain situations if \nthe equipment is used, that any remote access be blocked. That \nalso has challenges because if you are now blocking software \nupdates, you may be blocking the ability to address \nvulnerabilities in the product that anyone could take advantage \nof, not just the vendor.\n    So I think, again, if you are looking at what equipment \nshould be deployed in a small rural internet service provider, \nI think that I would steer away from those that would have \nrisks, such as the companies that have been identified. But \nthat list should not be static, and there needs to be a way to \ncontinually provide industry with best practices about what \nproducts to use, which products potentially to avoid, and the \nrisks associated with that.\n    Mr. Johnson of Ohio. I guess it raises another question \nwhat the alternatives might be. I am a software engineer by \ntrade. I spent 30-plus years developing and implementing \nsoftware both within the Government and without. And, I mean, \nthe way we used to do it, there used to be a third-party \norganization, a black hat organization if you will, that tested \neverything and had the security and access and the security \nprivileges to be able to do that. The providers themselves, the \nvendors themselves weren\'t allowed to put their hands on the \noperational system. What alternatives do you see for the \nsituation?\n    Dr. Clancy. So I think there has been a fundamental shift \nin the market in the last probably decade towards managed \nservices. With the growth of the cloud and everything as a \nservice, people want telecom equipment as a service, and who \nbetter to provide that service than the vendor of that \nequipment.\n    I think it might be very interesting for a managed service \necosystem to grow here in the United States that could be a \nthird party to provision and manage those devices on behalf of \nsome of the smaller operators. I don\'t know the extent to which \nthat industry is mature right now because the vendors, for the \nmost part, are providing that as a benefit of buying their \nproducts.\n    Mr. Johnson of Ohio. Well, thank you.\n    Mr. Johnson, DHS recently announced that they are kicking \noff two investigations into the security of our Nation\'s \ntelecommunications supply chain, both from a general \nperspective and with regard to specific vulnerabilities. Can \nyou think of anything else that DHS, FCC, or other Federal \nagencies can examine to better address the holistic set of \nthreats that our telecommunications infrastructure faces?\n    Mr. Johnson. Yes, sir. And I think that that initiative----\n    Mr. Johnson of Ohio. You have got 30 seconds.\n    Mr. Johnson. I will do it quickly again. I am from Georgia, \nbut I will try to talk fast.\n    That particular initiative that has just kicked off I think \ncan be the beginning and the foundation of the broader \ninteragency and public-private look at these issues and inquiry \nthat we need to have. The FCC process that is going on will \nconclude a comment period on July 2, will add a lot of value to \nthat, and there is some other processes going along, and I \nthink the importance is to integrate all of that learning into \na navigable set of processes.\n    Mr. Johnson of Ohio. OK. Well, thank you. Madam Chair, my \ntime has expired. I yield back.\n    Mrs. Blackburn. The gentleman yields back.\n    Mr. Loebsack, 5 minutes.\n    Mr. Loebsack. Thank you, Madam Chair.\n    This has been absolutely fascinating. Very complex stuff, \nvery difficult for the average person. A lot of--and those of \nus up here on the dais who deal with these issues, very \ndifficult to deal with on a day-to-day basis and to understand \nthe issues. I am going to have a couple of questions in just a \nsecond having to do with that, but I do appreciate the \ndifferent approaches that have been taken here.\n    You know, the more technical issues, not to call you a \nPollyanna or something, Mr. Johnson, but this whole idea of \ninteragency cooperation sounds really great. I don\'t know how \nlikely it is that we are going to be very successful in that \nfront, but I think it is great. Keep pushing that as hard as \nyou possibly can, that what good Government is all about often \nis the agencies trying to cooperate with one another, even if \nit doesn\'t happen very often.\n    And, Ms. Sacks, I appreciate your comments about policy. I \ndon\'t think any of us wants to be, you know, a mercantilistic \nnation either, the way China and a number of others are, but at \nthe same time, for security reasons, we have to be very \ncareful. We have to have industries in America that build these \ncomponents, that are part of the supply chain, and it has got \nto be, I think, much more than it is at the moment.\n    We are still going to have national security concerns, \nthere is no doubt about that. But the whole idea of risk \nmanagement makes a lot of sense but, you know, how we are going \nto be able to identify all these different companies and all \nthe different components and all the rest to go through that, \nit is going to be a huge challenge, there\'s no doubt about it.\n    To me, I just--for me, I just want to know what my \nconstituents can do on a day-to-day basis to deal with all \nthis. Because very few of them are watching this, if we are \nbeing covered on any of the C-SPAN channels. And even if they \nare, it is hard for them to decipher all of the information \nthat we are hearing today.\n    You know, average folks out there, they have got something \nin their pocket that they have to worry about when it comes to \ncybersecurity. And all the information that they have, they \nhave stored and that is available to the bad guys out there. I \ndo----\n    Before I ask you this, sir, what they ought to do, I do \nwant to say this one more thing, and that is, I was on the \nArmed Services Committee for 8 years, so--and dealt a lot with \nsort of how we stay ahead of the bad guys in other countries. \nAnd this kind of reminds me of dealing with folks who were \nworking on IEDs on a regular basis, trying to stay ahead of the \ngame. That is what they are trying to do is stay ahead of the \nbad guys so that they didn\'t hurt our soldiers, our troops in \nthe field. This is kind of the same sort of thing, how do we \nstay ahead of the game? You know, because there are a lot of \nbad guys out there trying to do terrible things to our country \nwhen it comes to cybersecurity.\n    But to bring it down to the level of my constituents, what \ncan these folks do right now who have a concern about this \nissue, someone who has got an iPhone in their pocket or \nwhatever? What would you recommend that they do today to try to \ndeal with this situation? All of you, please.\n    Dr. Clancy. Sir, my perspective is you have to look at the \nrisks that they face. For the most part, the average citizen is \nfacing a criminal, an aspect of organized crime looking to \nsteal their credit card number\'s identity. They are probably \nnot the target of advanced persistent threats developed by \nnation-state actors or complex supply chain operations against \ntheir personal electronic devices.\n    Mr. Loebsack. Although they may be collateral damage from \nthat.\n    Dr. Clancy. They could be, but you have to then look at how \nthose actors would take advantage of that information. So best \nadvice for the average citizen is really to focus on cyber \nhygiene. The biggest risk to their security is clicking that \nlink in an email that takes them to a Web site where they type \nin their credit card number. So basic education and cyber \nhygiene is, I think, the most important thing that the average \ncitizen can do in this space.\n    Mr. Loebsack. Ms. Sacks, I know you deal with the macro \npolicy issues, but----\n    Ms. Sacks. I agree with Dr. Clancy\'s remarks. I defer to \nthe security experts on this.\n    Mr. Loebsack. Thank you.\n    And, Mr. Johnson.\n    Mr. Johnson. And I think simple awareness is a very big \nfirst step, whether it is online activity or purchasing \ndevices. Asking the question of whether I am doing this in a \nsecure way actually will usually lead you to the right secure \nstep.\n    Mr. Loebsack. Where can they find information to help \neducate them about this? Where can they go?\n    Mr. Johnson. There are a number of resources through the \nGovernment, through NIST publications, NTIA, FTC, FCC, DHS. And \nI think we are at a point now, and this is where the imperative \nof a coordinated, integrated Government operation is so \nimportant, because consumers need to know where do I look. They \nshouldn\'t have to look in a variety of different places.\n    Mr. Loebsack. I think it is our job too as Members of \nCongress to get that information out to our constituents as \nwell. So thanks to all of you. My time is up. I appreciate it.\n    And I yield back. Thank you, Madam Chair.\n    Mrs. Blackburn. Mr. Kinzinger, you are recognized.\n    Mr. Kinzinger. Thank you, Madam Chair, for this important \nhearing, and thank you all for being here. I think it is an \nimportant nexus between national security and E&C that, \nunfortunately, I don\'t think a lot of people see. So I \nappreciate it.\n    Dr. Clancy, I appreciate your service at the NSA. I fly for \nthe Air National Guard. I do mostly ISR missions, so you can \nmake that link there. I have become concerned recently about \nthese reports of Stingrays and cell-site simulators popping up \naround Washington, DC, which has made it into the open source. \nAre you aware of reports that DHS has detected the presence of \nthese devices in the greater DC area?\n    Dr. Clancy. I certainly have seen the volley of letters \nback and forth between Congress and the FCC on the topic. There \nhave been a number of academic studies as well that have \nidentified the likely presence of such devices in the area as \nwell.\n    Mr. Kinzinger. So DHS has confirmed that they have detected \ntheir presence, but they said they can\'t physically locate the \nStingrays. We have consulted with industry to figure out, you \nknow, what industry can do to help.\n    In the initial meeting, they told us they had met with the \nNational Protection and Programs Directorate on the matter and \nthey confirmed their awareness of Stingrays, but NPPD doesn\'t \nseem to know everything they need to know to actually do \nsomething about them. While protecting, of course, sources and \nmethods, do you think they are obligated to share some of this \nintelligence with industry under the Cybersecurity Act of 2015?\n    Dr. Clancy. I think that there are a variety of ways to \ndetect Stingrays. I think--and I am using Stingrays as a \ngeneric term to reflect NG capture technology in general. I \nthink that 5G standards have introduced new portions within the \nstandards that will allow carriers to be able to detect the \npresence of rogue-based stations. And I think we are all \nexcited about that capability as a way for sort of a network-\ncentric approach to addressing that problem.\n    I think that there are a lot of sensitivities around the \ntechnology, given its origins, and that has made it difficult \nfor effective information sharing between people that might \nseek to police this activity and those that are technical \nexperts on the underlying technology, although I am not in a \nposition to, I guess, have an opinion about whether the \nCybersecurity Information Sharing Act is the appropriate form \nfor that information exchange.\n    Mr. Kinzinger. And my concern is, you know, not from a \ncertain use perspective, but from, you know, this idea that \nthere may be intelligence agencies in the United States or in \nDC specifically, which we have read about in open source, that \nare actually doing this. And that is a big concern, because I \nwould think if in fact there are foreign intelligence agencies \nusing this technology, that should be a high priority for us in \nterms of determining that.\n    Like you, I understand, you know, the sensitivity of \ntalking about it, because, you know, it is what it is. We have \nreached out for more information, so we will follow through on \nthat.\n    To Mr. Johnson, the House Armed Services Committee marked \nup the fiscal year 2019 National Defense Authorization Act. It \nincluded a blanket ban on Huawei and ZTE equipment by \nGovernment agencies. I was very surprised and, frankly, \nconcerned by the President\'s comments recently, in fact, \nshowing somehow a loosening up of that concern with ZTE. And I \nhope they were comments that were misinterpreted or at least \nthere is some other thought given to that, because national \nsecurity is my top priority in Congress. In a perfect world, I \nwould like to see a strong security posture on this front with \nzero industry impact, but I feel like that is fairly \nunrealistic.\n    Is there a way to achieve a strong national security \nposture, including removal of corrupted equipment, with a \nrelatively low impact on industry? And could any impact be \ndistributed over the long term to minimize industry compliance \ncosts?\n    Mr. Johnson. I do--I think so. And I think the way to do \nthis is sort of there are three issues that are key to keep in \nmind. One is these issues are very, very complex and they touch \na number of different areas. And so it is very important to get \nthis right and that we use precise instruments instead of blunt \ninstruments where possible.\n    Two is that three companies have been identified in statute \nand in other Government actions--one Russian company and two \nChinese companies--and they have been identified for a number \nof reasons that we could just--the number of public reasons and \na number of reasons that we could discuss in a SCIF. And the \nFCC proposal on these issues is going to be an important \nbeginning in fleshing this out.\n    The third thing is that we need a process that I would say \nis much like how after World War II the Goldwater-Nichols Act \nbrought together all the different services and created a joint \ninteroperable military, and is something I know you can \nappreciate. And that type of approach, it is very difficult to \ndo. In the case of the military, it took a long time. We need \nthat type of effort for not only the Federal interagency, not \nonly the Federal interagency and the independent regulatory \nagencies, but also the Government and the private sector. It is \ngoing to take a long time, but we are a lot further along than \nwe were I would say 10 years ago when we first started looking \nat these issues and literally none of the players knew what the \nother ones were doing or how to do it.\n    So we need to get to the point where we can act quickly and \ndeliberately and know that we are taking sure-footed steps that \nconsider all the holistic elements.\n    Mr. Kinzinger. Thank you all for being here.\n    And I thank the Chair for her latitude. I yield back.\n    Mrs. Blackburn. Absolutely.\n    Ms. Eshoo, you are recognized for 5 minutes.\n    Ms. Eshoo. Thank you, Madam Chairwoman, for having this \nimportant hearing. And thank you to the witnesses for your \ntestimony.\n    This is an issue that I go way back on. I was a member of \nthe House Intelligence Committee for almost a decade, and the \nissue of Huawei and the challenges that it represented I took \nvery, very seriously. And as a matter of fact, when I was \nleaving the committee, and Mike Rogers, a former colleague and \nthen chairman of HPSCI, I made him swear on a stack of Bibles \nthat he would pick up the baton and keep going on this. Why? \nBecause when our country was attacked on September 11, there \nwas one thing that we had that worked an aided us in our \nnational security, and that was our telecommunications sector. \nThat is where the gold was.\n    And, you know, for us to be examining this now is very \nimportant, but we are not starting from scratch. It is a \ncompletely different picture now in terms of sophistication in \nour systems, what is manufactured, what companies know, what \nother companies have, what they do, how effective they are, who \nthey buy from. And so I think that the Congress has the tools \nto make a very strong decision. Mr. Kinzinger said that he \ntakes national security as his top issue. It is the top \nresponsibility for every single Member of Congress. We take our \noath of office to protect and defend, enemies external or \ninternal. So we cannot afford, the United States of America \ncannot afford to play footsie with these companies. They \nrepresent a direct challenge to our national security.\n    So what I want to ask you is, have any of you done an \nanalysis of the costs of whatever it takes in terms of the--you \nknow, a trusted supply chain so that we can make the shift and \nwe don\'t have to bother or be bothered with ZTE or Huawei or \nanyone else that presents themselves down the road? Whomever \nwants to answer. Has there been any kind of cost analysis of \nthis?\n    Ms. Sacks. I say this having worked in the national \nsecurity and the Department of Defense community, there has not \nbeen public information released about the specific problems \nassociated with Huawei and ZTE. I am not saying they doesn\'t \nexist, but in order to conduct exactly that kind of assessment, \nto do the kind of----\n    Ms. Eshoo. But we know--let me interrupt you just a second.\n    Ms. Sacks [continuing]. Needs to have public information, \nit cannot be classified----\n    Ms. Eshoo. Just a second. I know from classified briefings \nwhat the challenges are. I am not asking you to tell me about \nthat. I already know that. The challenge is, we want to have a \nsystem where we are not reliant on them for anything, for \nanything. And I think in different ways, you all have maybe \ntouched on it or gone around it. So would you like to say \nsomething on this?\n    Mr. Johnson. Yes, ma\'am. I think we need to urgently start \nthat process. And all the pieces are in place now, we know a \nlot more about what needs to be done.\n    Ms. Eshoo. So there has not been this examination, as far \nas you know?\n    Mr. Johnson. I think we are behind in doing that analysis, \nbut these processes that are underway right now are--will flesh \nthis information out. But, no, I think we don\'t know enough \nabout--we need a record on this. And that is what is so \nvaluable about this FCC process. It is focusing on one element \nof the problem, but it is the very first public record that \nwill exist on this issue.\n    Ms. Eshoo. I thank you.\n    Madam Chairwoman, I think that our committee needs to do a \nletter to the administration. I am not saying this to be \npolitical. This is a national security issue, and Republicans \nand Democrats have taken, both at this committee, at the House \nIntelligence Committee, for years have weighed in relative to \nthese companies and the national security threat. I don\'t know \nwhat is happening. I think that the Secretary of Commerce \ncertainly did the right thing. We should do this on a \nbipartisan basis. I don\'t know what is taking the President in \nwhatever direction. I am not going to make any political hits \non it. Overall, it is wrong and it is dangerous for us. And I \nthink that the Congress, coequal branch of Government, should \nweigh in with the administration formally and say, ``This is \nnot the way to go.\'\'\n    So I would just request that and have you consider it. I \nthink there would be support from this side of the aisle, and I \nthink there would be from yours, as well.\n    So I want to thank the witnesses and for your patience. I \nhave gone over my time. Thank you for your testimony on this \nmost important topic.\n    Mrs. Blackburn. The gentlelady yields back. And I look \nforward to discussing with her how we can continue to work in a \nbipartisan manner on this.\n    Mr. Bilirakis, you are recognized for 5 minutes.\n    Mr. Bilirakis. Thank you. Thank you, Madam Chair. I \nappreciate it very much.\n    Dr. Clancy, one of your recommendations to strengthen the \nsupply chain is a collaboration between industry and Government \nto identify at-risk products. That information can then be \nshared with developers and suppliers. The Department of Defense \nuses a software process standard called common criteria in \nwhich software is penetration tested for vulnerabilities and \nthen assigned a certification grade. The FAA has a similar \nprocess for its flight control systems.\n    I recently met with a software company with a cybersecurity \nresearch facility in my district. The company suggested a \nsimilar process at risk management--of risk management for \nmedical devices and other sensitive IoT devices. The results \ncould be used to identify and mitigate security threats. \nInterestingly, because it is a process and not a regulatory \nstandard, it can evolve with new technologies and threats.\n    So, Dr. Clancy, is this something that aligns with your \nthoughts on Government collaboration? And can you expand on any \nother ideas you have for Government participation in this space \nthat does not involve quickly outdated standards?\n    Dr. Clancy. Certainly. I think the common criteria is a \ngreat example of a framework that looks at cybersecurity risks, \nspecifically with software as you point out. There are--I think \nyou could more broadly look at the NIST cybersecurity framework \nas capturing kind of a superset of those objectives. I don\'t \nknow that any of them are necessarily well suited or have been \napplied in the supply chain space yet. I think that is \nsomething that is a study that would need to be undertaken.\n    I think in terms of managing and governing that process, I \nthink the interagency approach that Mr. Johnson proposed is a \ngreat starting point for that. The knowledge of the threat is \ndistributed across many different Government agencies. And I \nthink they would need to come together in order to bring \ntogether that complete picture in order to collaborate with \nindustry effectively.\n    Mr. Bilirakis. Thank you.\n    Mr. Johnson and Dr. Clancy, this question is for both of \nyou. There may be times where specific telecom suppliers raise \ntruly serious concerns which warrant action, but we cannot \navoid the reality of today\'s global supply chain. Where do we \nstand if we cannot adequately respond to threats that arise out \nof such a global supply chain? We will go with Mr. Johnson \nfirst, please.\n    Mr. Johnson. I understand your question is, given the \ninterconnected complex nature of the global supply chain, how \ndo we identify particular threats?\n    Mr. Bilirakis. Yes.\n    Mr. Johnson. I think just borrowing on some of my fellow \nwitnesses\' testimony, taking a risk management approach is \ncrucial, as is clear guidance to the market about where the \nrisks are, and that could include individual companies, it \ncould include individual products of individual companies, or \nit include other things that we haven\'t identified yet. And I \nthink the most important thing is to look at this through--not \nthrough a stovepipe of a certain agency or a certain industry \nsector, but holistically through the entire market in all its \ncomplexity, and clearly provide private sector advice or \nguidance about where the risks are. And this process needs to \ninclude their take on it, where do they see the risk and where \ndo they see--what do they see as how to do supply chain risk \nmanagement and trust its suppliers, and then create the \npositive feedback loop that continues to inform the market \nabout what is good and what is trusted and what is not.\n    Mr. Bilirakis. Dr. Clancy, please.\n    Dr. Clancy. As I pointed out in my testimony, I think it is \ngoing to be impossible to eliminate all risk from the supply \nchain. It is too global and there is too many different ways \nthat every product touches that global supply chain. So, again, \nrisk management is critical. You have to pick the areas where \nthere is the most risk in terms of bad actor behavior and the \nareas where there is the most criticality in terms of our \ncritical infrastructure and start there and then work your way \ndown.\n    Mr. Bilirakis. Thank you. Very good.\n    I yield back, Madam Chair. I appreciate it.\n    Mrs. Blackburn. Mrs. Dingell, you are recognized.\n    Mrs. Dingell. Thank you, Madam Chairman.\n    Much of the confusion surrounding this issue relates to the \nsimple truths that we don\'t know the full scope of the problem. \nAnd although it is helpful to hear different ideas for \nmitigating risk across networks, I believe it is difficult to \ncreate effective policy without knowing what we are up against. \nIt is difficult to change, or in this case, protect what you \ncan\'t measure.\n    These questions are all going to be for Mr. Johnson.\n    Mr. Johnson, you say in your testimony that you advise \ncompanies trying to navigate these threats. Can you tell us, \ngenerally, whether companies in the private sector are \nbeginning to take some sort of inventory of the risks that they \nare facing?\n    Mr. Johnson. I do think--and I have worked with a number of \nthe companies in this sector speaking broadly throughout in the \ncommunication sector device, cloud, and internet \ninfrastructure. For about a dozen years in, I don\'t know if I \ncan\'t hold a job, but I think this is now my fifth different \njob that I have worked with a number of these companies in both \nin Government and now in private practice. And I can say two \nthings: Number one, it is core to their business to--to their \nbusiness imperatives as a bottom line institution to advance \nsupply chain security.\n    And number two, we as a collective Government and industry \npartnership have advanced pretty significantly in those dozen \nyears in terms of situational awareness. We are not where we \nneed to be, and I don\'t think any individual company or any \nindividual agency is, but we have come a long way and the \ntrajectory is where it needs--is headed in the right direction. \nAnd I think now we just need to step on the gas with some \nurgency to fill out the data that we don\'t have.\n    Mrs. Dingell. So are there models for conducting this sort \nof dynamic threat assessment that stakeholders should be \nlooking to?\n    Mr. Johnson. I mentioned this briefly earlier. There is a \nmodel in the last year that has--of a process that has just \nbeen completed that I really think is a model of cybersecurity \npolicymaking. It was conducted under the executive order to \nreduce botnets and other distributed automated threats. It was \nled by the Commerce Department and the Department of Homeland \nSecurity, but included input from a whole host of other \nagencies and the FTC and the FCC and most crucially was driven \nby private sector input.\n    So the companies that are out on the front lines were \nhelping drive this process that was convened by the Government. \nAnd I think that model, it was very robust, it was very busy, \nthere was lots of activity, there were lots of threads that \nwere being followed, but it was navigable and it was clear. And \nI think that type of model could be replicated on the supply \nchain side, along with legal mechanisms to ensure the \nconfidentiality of sensitive data that is exchanged.\n    Mrs. Dingell. So on the Government side, how could Federal \nagencies best situate themselves to be effective partners for \nthe private sector? Do you think that the FCC, the Department \nof Homeland Security, Commerce, each have a role to play?\n    Mr. Johnson. I do. I think they and as well as a number of \nothers do. In the case of these issues, I think the Department \nof Homeland Security is the sector-specific agency for the \ncommunications sector and the IT sector so they can--they \nshould probably--and they also administer the statutory \nprotections for protecting confidentiality. I think they can \nsort of be the lead cat herder in the interagency and in \nconvening this process, but certainly the Department of \nCommerce, both through NIST and NTIA, and the International \nTrade Administration and the Bureau of Industry and Security, \nhave very important perspectives to add, as does the \nintelligence community, Department of Defense, and other \nregulatory agencies.\n    Mrs. Dingell. So, finally, what should the Federal \nGovernment be doing to incentivize research here at home so \nthat many of these emerging technologies are built here and \ndeveloped here?\n    Mr. Johnson. I think really the--that is a--that is maybe \nthe most difficult question of all, because we don\'t--here we \ndon\'t do State-directed, industrial policy like China does, and \nI don\'t think we want to do that. But we also want to send a \nvery clear message to the market that the future is secure. The \nfuture of the market needs to be trusted suppliers and secure \nproducts and services.\n    And I think that maybe the biggest benefit of these \nprocesses that are taking place right now is it sends a pretty \nclear message that security is--needs to be the future of the \nmarket. And if you build it secure, you are going to benefit in \nthe market.\n    Mrs. Dingell. Thank you, Madam Chair.\n    Mrs. Blackburn. The gentlelady yields back.\n    Mr. Lance, you are recognized.\n    Mr. Lance. Thank you, Chairman. To the entire panel, \nensuring a secure supply chain is a priority for all of us, but \nthe real question, from my perspective, is how do we as \npolicymakers, and we certainly don\'t have your expertise, \nensure that we get it right and avoid unintended consequences?\n    For instance, we saw the Department of Commerce crack down \non ZTE and rightfully so for violating sanctions in Iran and \nNorth Korea, and it is essentially an arm of Chinese \nintelligence. However, Commerce\'s penalties again ZTE also \nmeant companies are not sending security updates to those \nphones. While we are trying to protect ourselves, we are also \npotentially leaving ourselves vulnerable.\n    In your judgment, the expertise of the panel, how do we \nstrike a balance and protect ourselves from bad actors like ZTE \nwithout opening up other security gaps? I will start with you, \nDr. Clancy.\n    Dr. Clancy. So I think your example around software updates \nis a great one. If we look at--again, if we look at the problem \nholistically and you seek to manage cyber risk for an entire \nindustry, that includes both the selection of equipment and the \nconfiguration, provisioning, and management of that equipment. \nSo, for example, you can trade off whether or not the relative \nrisk associated with a low-cost component that is--perhaps has \nits software update patch path blocked because of some of these \nrequirements, and compare that to potentially a more expensive \npiece of equipment that doesn\'t have that.\n    So, again, if you are looking at the overall risk \nmanagement, I think you would be able to make those trades and \nbe able to make the best decision for overall security of, in \nthis case, telecommunications critical infrastructure sector.\n    Mr. Lance. Thank you.\n    Ms. Sacks.\n    Ms. Sacks. I agree with Dr. Clancy. I think this needs to \nbe a risk-based approach that is granular, that looks at \nspecific equipment and components going into systems not just \nfor companies of certain countries, but for all equipment \nproviders.\n    Mr. Lance. Thank you.\n    Mr. Johnson.\n    Mr. Johnson. Yes, sir. I think we need to find maybe not \nthe balance, but the combination between deliberate action and \nexpeditious action. And I think there is a way to do that even \nin this scenario. It needs to be clear. It needs to be--the \nsteps and timeframes or their phaseout periods, that all needs \nto be determined and it needs to be clear to the consumer and \nthe companies who are out on the front lines about what is \ngoing to happen and when.\n    Mr. Lance. Thank you.\n    Ms. Sacks, in your testimony, you recommended that the \nUnited States look for leverage to change Beijing\'s behavior \nand its ICT policies, and that it is not in our best interest \nto act unilaterally.\n    Have other countries taken action against ZTE and Huawei? \nAnd should the U.S. be looking to leverage the ZTE situation to \npressure China on its ICT policies instead of as a trade \nbargaining chip?\n    Ms. Sacks. Two points on that: One model that is worth \nconsidering is the U.K., which has incorporated Huawei into \ntheir systems, has set up a security testing center which they \nuse to test Huawei equipment that goes into the network. It is \nindependently audited and the results are reported directly to \nthe National Security Adviser.\n    So that is one model that should be considered, although we \nneed to take a number of things into consideration to \nstrengthen it. That center is staffed entirely by Huawei \nemployees. I think we would need a much more strengthened \nversion in the United States. And particularly if we are \nthinking about 5G and the complexities around massive software \ninvolved with 5G, would that kind of model be adequate for the \nnew security challenges posed by that.\n    So that is just one example of another country that we \nmight want to take into consideration.\n    Mr. Lance. In your professional judgment, is the U.K. the \nbest at this in the world?\n    Ms. Sacks. I don\'t know if they are the best, but they are \nthe one--I think that their model is one which is worth \nstudying.\n    Mr. Lance. Thank you. This has been a very interesting \npanel, and I thank all of you for participating.\n    And, Chairman, I yield back half a minute.\n    Mrs. Blackburn. The gentleman yields back.\n    Ms. Matsui, you are recognized.\n    Ms. Matsui. Thank you, Madam Chairman, and thank the \nwitnesses for being here today.\n    Virtual private networks assist companies and businesses in \npreventing foreign governments from monitoring traffic between \nproviders and their devices. There seems to be ongoing \nuncertainty surrounding whether and how rules blocking the use \nof VPNs in China not approved by Chinese government will be \nimplemented.\n    Ms. Sacks, as you note, this review requirement has a \npractical effect of allowing the Chinese government to approve \nthe channels companies use for international connectivity. What \nsecurity threats arise in China monitoring, reviewing, and \napproving VPNs, especially communications using VPNs where \nHuawei and ZTE have installed network equipment?\n    Ms. Sacks. One of the most important areas that we should \nwatch are restrictions around corporate VPNs in China, not just \nfor consumers, but also for companies in terms of sending \ninformation across borders to conduct HR baseline financial \noperations needed to conduct business there. I think that there \nare a number of channels that the Chinese government is using \nto increase their ability to monitor and control networks, the \ndata, the information that flows across that. The VPNs is one.\n    There are multiple different kinds of security reviews that \nare all in process. The scope of them is not clear, and there \nis competing jurisdictions, even within these different kinds \nof reviews. So you have the multilevel protection scheme, which \nhas been in place for several years, but now you have a new \nreview of network products and services connected with critical \ninformation infrastructure operators in China. We don\'t know \nwhat is going to follow the scope of that.\n    Ms. Matsui. OK. Well, thank you.\n    Back doors into hardware and network components are \ndesigned to avoid detection, and vulnerabilities introduced at \nthe beginning of the development process in the supply chain \nare particularly hard to detect. I echo the concerns of my \ncolleagues over the national security threats posed by \nequipment providers to the integrity of the communication \nsupply chain. I understand inherent difficulty approving where \nthere isn\'t a back door into our networks.\n    I want to ask this of each of you. Do you believe \nsufficient work is going towards a process to ensure when there \nis or is not a back door in switches, routers, or other \nnetworking equipment? Dr. Clancy?\n    Dr. Clancy. As you point out that such back doors or \nintentional vulnerabilities in software are extremely difficult \nto detect, particularly if they are specifically seeking to be \nhidden. I think that it would be very challenging to do a \nthorough assessment, for example, without access to source code \nfor the presence of such vulnerabilities in equipment purchased \nfrom foreign vendors. I think that that, though, is--the bigger \nthreat, at least immediately though, is the more front door \naccess, which is the managed vendor access where they are \nexplicitly given access to the license for the purpose of \nmanagement.\n    So I think we need to tackle the front door first. The back \ndoor is I think something that will only be effectively tackled \nthrough a risk-based approach, because guaranteeing that there \nare no back doors is virtually impossible.\n    Ms. Matsui. OK. Ms. Sacks, do you agree?\n    Ms. Sacks. I don\'t have anything to add to that.\n    Ms. Matsui. OK. Mr. Johnson.\n    Mr. Johnson. Yes, ma\'am. I agree with what Dr. Clancy said \nabout the difficulty of finding the purposely in place back \ndoor and also the threat of the front door that we see right \nnow through vendor management.\n    And Ms. Sacks had a really great example of an innovative \napproach to this that the U.K. is taking with regard to Huawei. \nThe only thing I would add to that is that at the same time \nthat the U.K. decided to that, we in the United States were--\nthose proposals were being made in the United States as well. \nLet us do this, we will do an independent testing, et cetera, \nand the United States decided not to do that. And I think that \nis probably--while I think it is correct that the U.K. model is \na very valuable reference point for testing, I am very weary of \nthe capabilities of testing to be able to find the real \nproblems when you have such a sophisticated actor. So I might--\nI just think testing can be an important part of it, but it is \nnever going to be a wholly sufficient answer. And I think we \nneed testing along with a holistic approach to trusted \nsuppliers.\n    Ms. Matsui. All right, OK. It looks like I don\'t have \nenough time. So anyway, I yield back the balance of my time. \nThank you.\n    Mrs. Blackburn. The gentlelady yields back.\n    Mr. Guthrie.\n    Mr. Guthrie. Thank you, Madam Chairman.\n    I appreciate the opportunity to be here and for our \nwitnesses to be here today for a timely issue.\n    My first question is for Ms. Sacks. It appears the response \nto network threats so far have been tactical with regard to \nspecific threats and strategic with regard to competition in \nthe supply chain. So what can we do to ensure our response is \nproactive and coordinated across the Federal Government? And do \nwe need to formalize this approach? And if so, what sort of \nframework is needed?\n    Ms. Sacks. I think that there has been a conflation of a \nlot of different kinds of challenges and problems connected to \nChinese security and industrial policy threats, and we need to \nbe much clearer. Are we talking about export controls, national \nsecurity risks, IP theft, FCPA, and that will help enhance \ncoordination, better coordination among these different actors \ngiven the different types of issues at hand. And once we are \nable to do that, I think that we can work more effectively with \nour allies and partners in other parts of the world to exert \nthe kind of leverage needed to change behavior.\n    Mr. Guthrie. Do you have any thoughts of what agencies, \ntimelines, and what scope, and how we balance agility with \nthoroughness?\n    Ms. Sacks. Here I think I would defer to Mr. Johnson.\n    Mr. Guthrie. That is fine. I was going to ask him next. I \nwas going to ask him next, so there we go.\n    Mr. Johnson. I spend a lot of time pushing that boulder \nover the mountain in the interagency. As I said a little bit \nearlier----\n    Mr. Guthrie. Didn\'t roll back down, did it?\n    Mr. Johnson. It rolls back down, and you push it a little \nbit further and it rolls back down again.\n    But there has been a lot of progress made in the past \ndecade or so in terms of getting the team to be more of a well-\noiled machine. It is not that yet. But I think we have ways \nto--we don\'t need to find ways, we have ways to have a \ncoherent, holistic process that includes input from all the \nrelevant stakeholders in Government and also in the private \nsector. That is what we need to do as--it needs to be--we need \nto be in a big hurry about it, and it needs to be urgent, and \nit also needs to be deliberative and continuous. We are not \ngoing to finish this project. It is going to go on for as long \nas we have these capabilities.\n    Mr. Guthrie. OK. So Mr. Johnson talked about the agencies. \nSo, Dr. Clancy, or any of you, actually--and you did mention it \nhas got to have input from the private sector. So what road \nshould the private sector--I will ask Dr. Clancy first, then we \ncan move on, what road should the private sector play in \ncollaboration with the Federal Government to address the \ntelecom supply chain risk assessment from the manufacturing \nperspective?\n    Dr. Clancy. Well, I think I will highlight a point I think \nthat is been made earlier in this hearing, is that the \nCybersecurity Information Sharing Act, landmark legislation, \nreally enables tactical sharing of operational cyber threat \ndata between the Federal Government and industry. I think over \nthe last 3 years as that has been operationalized, we have seen \na lot of industries come together and effectively use those \ninstruments.\n    Mr. Guthrie. Well, passing that was actually kind of \ncontroversial. I mean, some people really opposed that, and \nMembers. I mean, so how has that been effective? I didn\'t think \nabout that, you just said it, but----\n    Dr. Clancy. So I think it has--we have seen many of the \nISACs, the industry specific information sharing entities adopt \nvarious technology standards, like STIX and TAXII, protocols \nthat are specifically designed to share real-time threat \ninformation. I think there is still lots of hurdles to go. I \nthink there are lots of parts of industry that are still \nnervous about sharing information that might be negatively \nviewed by their regulators, and so I think there is still some \ncaution from an industry perspective. I think they are enjoying \nthe ability to consume information from the Federal Government, \nthough. So we haven\'t, I think, seen full bidirectional sharing \nbetween industry and Government, but we are getting a lot \ncloser to that, in my personal opinion.\n    But as you project that forward and you look at supply \nchains, supply chains are a very different type of threat. It \nis not an operational tactical threat. It is a much more \nstrategic threat where the long game is being played by \nadversaries in this space. And so it is less about tactical \ninformation sharing but more about understanding the bigger \npicture and being able to share risk assessments associated \nwith that with industry and among members of industry and with \nGovernment. I think we haven\'t gotten that far yet. And I think \nthat would be, again, whether it is the interagency framework \nthat Mr. Johnson has proposed or other mechanisms, I think that \nis really the next frontier.\n    Mr. Guthrie. I see you nodding, Mr. Johnson. Any comment \nyou want to add to that?\n    Mr. Johnson. I think that is right. The next step--we \ntalked about this right in the beginning, the next step beyond \nthe tactical real-time information sharing of the Cyber \nInformation Sharing Act is a more deliberative, in many cases, \nhuman interface about longer term strategic threats, and \ncompanies will need to have certainty that going into talk to \nthe Government about what they are worried about doesn\'t come \nback and hit them. You might call it a reverse Miranda \nprotection where nothing I say here will be used against me. \nAnd we really need to build this team and pull it together, and \nit has to be a trusted environment. There are some--the PCII \nprotections are statutory protections that provide that. And I \nwould be delighted to talk with you more about that when I am \nnot over time.\n    Mr. Guthrie. My time has expired. I appreciate it. Thank \nyou.\n    Mrs. Blackburn. The gentleman yields back.\n    Mr. Butterfield, you are recognized.\n    Mr. Butterfield. Thank you very much, Madam Chair.\n    Good morning to our witnesses today, and thank you for your \ntestimony.\n    Madam Chair, in thinking about the hearing today and trying \nto get a few notes ready to talk to these witnesses, it became \npretty clear to me how difficult securing our supply chain will \nbe. This seems not to just be a national security issue, but a \ntechnological issue, an economic development issue, a consumer \nissue, and even a trade issue. And so I appreciate that our \ncolleagues on the Armed Services Committee understand how to \napproach the national security portion, but we must also strive \nto better grasp the broader ramifications.\n    And so, Mr. Johnson, in your written testimony, you note \nthat securing our chain raises complex national security, \nstrategic, economic, business, and technological concerns. So \nmy question, sir, to you is, to ensure that we have developed \nthe right policy to manage the risk to our chain, supply chain, \ndo you think that we, Congress, should take steps to ensure we \nare adequately thinking through each of these complexities?\n    Mr. Johnson. Absolutely, yes.\n    Mr. Butterfield. In their interrelationships.\n    Mr. Johnson. Absolutely, yes. This is a very big deal and \nwe need to get it right.\n    Mr. Butterfield. What are some of the economic, business, \nand technological concerns that we should be focused on in \ntheir intersectionality?\n    Mr. Johnson. Well, just to take the example of 5G \ndeployment, the issues that pertain to 5G deployment moving to \nan almost entirely connected world, really have--in some ways \nthey have all the elements of what our country went through in \nthe fifties and sixties with regard to the space race. The \nimplications of what types of companies and what types of \ncountries are ahead in deploying 5G have geostrategic \nimplications, they have economic competitiveness implications, \nthey have espionage and sabotage and warfare implications. And \nso we certainly want the United States and other rule of law \nbased market democracies and those companies to be in the lead \nin order to maintain the interests that we--and values that we \nhold dear.\n    Mr. Butterfield. Now, there are some conversations that we \nhave heard about outright banning equipment from China, and I \nam paraphrasing some of that. I don\'t suspect that is your \nview. But what impact would outright banning equipment from \nChina have on low-income consumers?\n    Mr. Johnson. I think this has been expressed earlier by my \nfellow witnesses, but I think a country-of-origin ban of any \nkind is too blunt of an instrument, and it is not necessarily \nfeasible in the world we live in now, particularly with regard \nto China. There are a lot of trusted suppliers that have \nelements of China in their supply chains. And so we need to \ntake more of a scalpel and identify bad actors.\n    With regard to the bad actors that have been identified \nfrom China, and certainly there are some China-specific \nconcerns that we need to raise, but with regard to the two \nChinese companies that have been identified, the record that is \nbeing built in the FCC through the proposal to prevent USF \nfunds from going to companies like that is going to flesh out \nwhat the effect in the market is and, very importantly, what \nthe effect in the lower income and rural markets are where \ncompanies like Huawei and ZTE have most of their U.S. presence.\n    Mr. Butterfield. Let me ask you this, does the draft \ndefense authorization legislation that has been put forward \naccurately take each of your concerns into account?\n    Mr. Johnson. I think that--any proposal, particularly one \nthat is embedded in statute, needs to have a very significant \nvetting, tire kicking, and make sure that, you know, through \nhearings like this, that all of the important elements and \nconsiderations are embedded in whatever statute becomes law.\n    Mr. Butterfield. Dr. Clancy, you have 30 seconds, my last \n30 seconds. Any comments on any of this?\n    Dr. Clancy. So specifically with respect to your last \nquestion, I think the--while certainly the actors that have \nbeen identified so far represent, I think, substantiated risks \nto national security, they may not be the only ones, so \nfocusing only on those two is I think one challenge. I think \nthe other aspect that needs to be addressed is, again, the \ncriticality. There is a difference between a phone and a core \nnetwork router, and that is not adequately reflected in the \ncurrent draft legislation, in my opinion.\n    Mr. Butterfield. Thank you.\n    Sorry, Ms. Sacks, but we ran out of time.\n    I yield back, Madam Chair.\n    Mrs. Blackburn. The gentleman yields back.\n    Mr. Long, you are recognized.\n    Mr. Long. Thank you, Chairman.\n    Dr. Clancy, due to the interconnected nature of \ntelecommunications networks, operators don\'t always have \nvisibility into other parts of the network to know whether \nthere may be vulnerabilities. In some cases, information may be \ncarried over the network that has ridden over foreign networks. \nCan you speak to the global nature of the internet and how we \nshould address vulnerabilities given these threats?\n    Dr. Clancy. So there are a whole range of potential global \nthreats to the internet itself. The internet, from a \ngovernment\'s perspective, is really a series of bilateral \ncontracts between internet service providers that stitch \ntogether to form the fabric of what we know the internet to be. \nAnd any of the components of that core infrastructure have the \nability to influence things like control playing aspects of the \ninternet, routing tables being the most notable example, or any \nmajor internet service provider can cause major damage to the \ninternet by virtue of how the internet is constructed. So I \nthink that there are a whole range of threats.\n    I think the larger the market share of any one particular \nvendor, particularly vendors that we deem as a national \nsecurity risk, increases the global exposure to that risk, to \nthat threat.\n    Mr. Long. OK, thank you.\n    And, Ms. Sacks, the Department of Commerce denial order \nissued against ZTE is commonly cited as one of the reasons ZTE \nsought to cease operations in the United States. This order, a \nlaw enforcement action resulting from the violation of \nsanctions terms, was very disruptive. If this disruption serves \nas a model for future bans on specific network or device \nequipment providers, what is the impact on our ability to \nremain globally competitive?\n    Ms. Sacks. ZTE clearly violated export controls, and this \nis an export control issue rather than a trade issue, although \nthere are also separate national security implications. It has \nnot been usual for bans on sanctions to be lifted, but the \ntiming and the process involved with ZTE was highly unusual. We \nneed to see what comes out of this. U.S. companies are \ndefinitely going to have impact from that ban. We need to see \nwhat happens in terms of the President\'s moves as he works to \nnegotiate with the Chinese, but the conflation of an export \ncontrol issue with a trade issue is worrisome in my mind.\n    Mr. Long. Are these sorts of bans effective or are there \nother proactive measures that we can take to protect our \nnetworks and compete globally?\n    Ms. Sacks. We have seen with Beijing that access to global \nmarkets is a point of leverage that has brought them to the \nnegotiating table in 2015, so ahead of Xi Jingping\'s visit \nwhere they came with up the cyber agreement. So we see that \naccess to global markets is a point of leverage. However, we \nneed to also consider the ramifications on the follow-on \neffects in terms of retaliation against U.S. companies. That is \nwhy it is important to work in a multilateral fashion on this.\n    Mr. Long. OK, thank you.\n    And, Madam Chairman, I would like to submit an article for \nthe record, ``US Army base removes Chinese made surveillance \ncameras.\'\' This is Fort Leonard Wood in my home State of \nMissouri.\n    And with that, I yield.\n    Mrs. Blackburn. Without objection. The gentleman yields \nback.\n    [The information appears at the conclusion of the hearing.]\n    Mrs. Blackburn. Mr. Costello, you are recognized.\n    Mr. Costello. Thank you, Madam Chair.\n    Mr. Johnson, how would you advise a telecommunications \nprovider when it is making plans to expand its network? Of \ncourse, providers want to be cost conscious and purchase \neconomical equipment, but they also want to make sure they are \nnot introducing vulnerabilities into their network. How do \nthese providers weigh the tradeoffs in making these decisions?\n    Mr. Johnson. I think that is one of the central questions, \nsir. And it depends on who the provider is. I think most of the \nlarge providers are aware of and can take other options than \nsome of the companies that have been identified as particular \nconcern.\n    With smaller providers who operate on much smaller margins, \nit becomes a much more difficult question. And I think \naccording to our--you know, according to the public record from \nour Government and the intelligence community, that has been \npart of the reason why we are concerned about Huawei and ZTE in \nparticular, because the Chinese government knows that, the \ncompanies knows that, and so they can undercut the price. And \nyou hear anecdotes about the company sales approach is \nessentially tell me what your lowest competitor\'s price is and \nI will undercut it.\n    Mr. Costello. And let\'s talk about rural providers. How do \nwe mitigate the risk to come along with that equipment, \nequipment obviously purchased at below market rates? Is there a \nrisk that if we ban certain types of equipment, it will \nincrease the cost or time for expanding broadband access?\n    Mr. Johnson. I think there is a risk of a disruption, and \nthat is why I think this process needs to take place very \ndeliberately and expeditiously. It needs to have clear guidance \nto the players about what is going to happen when, what they \nneed to do, what they need to be aware of. And any disruption \nshould be dealt with through that process. But I do think--I \nhave got some faith in the fact that there are lots of other \ncompetitors who would love to keep competing in a competitive \nmarket and not essentially be frozen out of certain parts of \nthe market by uncompetitive, undercutting of prices.\n    So I think that if those two companies are restricted in \nsome way from certain parts of the market, I am very confident \nthat the market will respond, it will send a signal to other \nplayers in the market that, hey, there is reason to play here, \nbecause you are not going to be undercut in an uncompetitive \nway. And if there are any vacuums, they will be quickly filled.\n    Mr. Costello. So far we have been able to successfully \nlimit our risk by managing the standards bodies. Is this method \nsustainable? And I will ask an ancillary question, is \nleveraging the transparency aspect of standards bodies enough \nor can nefarious actors still engineer proprietary technologies \nbut introduce threats to the networks while still complying \nwith the agreed-upon standard?\n    Mr. Johnson. That is a great question. I will say a piece \nand then defer to Dr. Clancy, who is an expert on these issues. \nBut the sort of soft power of shaping the standards environment \nis something that is very important, something that the United \nStates has really led through its standards approach over the \npast several decades. And the Chinese have recognized that, and \nnow they are throwing a lot of resources at these standards \ndiscussions and standards bodies to help shape the field in \nsuch a way that it benefits their products and gives them \nintellectual property benefits that last a lot longer.\n    But I will defer to Dr. Clancy because I think he\'s \nparticipated in this process.\n    Dr. Clancy. I would agree. I believe that--my observation \nof China\'s role on standards bodies has been primarily that \nthey are looking to move their role into the innovation and IP \ncreation, and that is critical to the standards process, away \nfrom simply manufacturing devices. And so as they look to sort \nof professionalize their telecom ecosystem and be out in front, \nstandards is one of the ways that they are leveraging that.\n    I do believe in the open and transparent processes in \nstandards, so I am not worried about sort of slipping in back \ndoors in the standards, but there is, as Mr. Johnson noted, \nsort of this soft power influence in which companies \ntechnologies end up getting preferred and written into the \nstandards.\n    Mr. Costello. Semiconductors and microelectronics have \ncomparative advantage, I think, in standard setting focus. From \na securities standpoint, are network operators left at a \ncompetitive disadvantage?\n    Dr. Clancy. Specifically with respect to their use of----\n    Mr. Costello. In terms of power in the standard setting \nbodies.\n    Dr. Clancy. So, I mean, in the standard bodies that I have \nbeen involved in, it has been basically the more internet \nCiscos and Qualcomms and those sorts of companies that are \nreally leading those standards efforts here from the United \nStates. I think that that then translates down into silicon \nwhen you go to manufacture the product. I am not sure if quite \nI understand your question, though.\n    Mr. Costello. Well, I am out of time, so we will follow up \nafterwards.\n    Thank you. I yield back.\n    Mrs. Blackburn. Mr. Walberg, you are recognized.\n    Mr. Walberg. Madam Chairman, I thank you for waving me on \nthis subcommittee. It is of real interest, the subject today.\n    Ms. Sacks, one of the challenges we are talking about in \nour discussions on domestic manufacturing capability, we are \nalso talking about our ability to identify emerging \ntechnologies and bring them to commercialization for both U.S. \nand global markets. My colleagues today have expressed a need \nfor a national strategy that addresses threats to our \ntelecommunications networks to competition in the supply chain \nand to national security.\n    Can you elaborate a bit more on how human capital, those \npeople who know how to do this stuff and can be creative with \nintegrity, plays into such a national strategy?\n    Ms. Sacks. Human capital is one of the areas in which our \ntechnology development process is actually very interconnected \nwith China. We work closely with engineers in China, there are \na lot of very highly skilled, talented engineers coming out of \nChina. We have research centers that are highly interconnected. \nAnd so this is an area where there are possible national \nsecurity risks that need to be examined, but we also need to \nexamine what are the economic and the innovation benefits that \ncome from some of that interconnection on human capital. So we \nshould incorporate that into the discussion as well because I \nthink that there are potential downsides and upsides to that \nlevel of interconnection.\n    Mr. Walberg. What can Congress do to help to lead on this \npart of the puzzle?\n    Ms. Sacks. Let me get back to you on that one.\n    Mr. Walberg. OK. I take that as an interesting answer and \nlook forward to the answer.\n    One of the challenges when confronting threats to our \nsupply chain is the truly global nature of today\'s ICT supply \nchains. As vendors that provide potentially vulnerable \nequipment continue to improve the quality of their products and \nservices and gain global market share, the question is, what \ncan we do to ensure our domestic providers are left with no \nother option than to procure equipment from these vendors?\n    Ms. Sacks.\n    Ms. Sacks. I think that there are three main options, all \nof which, again, have downsides and are challenging. One is we \nneed to think about investing in ourselves but in a way that \ndoesn\'t replicate the China model so that we are not leaving it \nup to the Government to pick winners and losers but enabling \nR&D and enabling education; an investment in our own companies \nto be leaders in areas like 5G. We also have to think about \nwhat are the software solutions from a mitigation standpoint \nthat we can use, given the fact that there likely are going to \nbe companies like Huawei and ZTE in the global supply chain. \nAnd an isolationist approach is not necessarily going to be to \nour advantage either and could put us in a backwards technology \nposition. So there is a mitigation perspective as well as an \ninvestment perspective on our own side.\n    Mr. Walberg. So it is not just us building better stuff \nthen, as some would say would be in our best interest.\n    How does our ability to domestically source our own \nequipment, though, work in a world where the ICT supply chain \nis increasingly globalized? And then second question I would \nask with that, can you explain how we should take a risk \nmanagement approach to examining our domestic manufacturing \ncapability?\n    Ms. Sacks. I think Dr. Clancy has outlined a very effective \nrisk management approach. I will let him elaborate on that.\n    Dr. Clancy. Certainly. I mean, I think if you look at \ndomestic products, again, the iPhone which I brought up in my \nopening statement, the majority of that is sourced \ninternationally. So while we view that as domestic product, \nvery little of the components and the manufacturing itself are \ndomestic. So I think that we need to be cautious to not just \nlook at the company that is selling it to us, selling the end \nproduct, but also look at all the pieces behind the curtain \nthat went into manufacturing that as part of an overall risk \nmanagement approach to supply chain. And that should apply not \nonly to acquisition of Huawei and ZTE equipment from--as part \nof some network, but also look at the components that would go \ninto the production of a U.S. device as well.\n    Mr. Walberg. Thank you. Good advice.\n    And, Madam Chairman, thank you for letting me wave on, but \nit is important to understand what assistance we are using, all \nthe parts that are there, but to sure do our level best to make \nsure that we are secure for all sorts of reasons. So thank you.\n    I yield back.\n    Mrs. Blackburn. The gentleman yields back.\n    And as you can see, there are no additional Members who are \npresent and ready to ask questions. So we thank you all for \nbeing here.\n    As we conclude today, I ask unanimous consent to enter the \nfollowing documents: a letter from Sicuro Innovations, a letter \nfrom Commissioner O\'Rielly, a U.S.-China Commission report, \narticles by Samm Sacks and Andrew Hunter of CSIS, two Wall \nStreet Journal articles, and the ZTE denial order, and one \narticle from The Hill.\\1\\\n---------------------------------------------------------------------------\n    \\1\\ The U.S.-China Commission report has been retained in committee \nfiles and also is available at  https://docs.house.gov/Committee/\nCalendar/ByEvent.aspx?EventID=108301. The other information appears at \nthe conclusion of the hearing.\n---------------------------------------------------------------------------\n    Without objection, so ordered.\n    Pursuant to committee rules, I remind Members that they \nhave 10 business days to submit additional questions for the \nrecord, and I ask each of you witnesses to respond to those \nwithin 10 days of receipt of the questions.\n    Seeing no further business to come before the subcommittee \ntoday, without objection, the subcommittee is adjourned.\n    [Whereupon, at 12:01 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n                Prepared statement of Hon. Anna G. Eshoo\n\n    Today\'s hearing on supply chains is about an issue I go \nvery far back on. I served on the House Permanent Select \nCommittee on Intelligence for nearly a decade, and during that \ntime we had close examinations of supply chain manufacturers, \nincluding Huawei and other foreign manufacturers, and the \nserious challenges they represented.\n    I took these issues seriously more than a decade ago, and I \nstill do today. When my term on HPSCI was ending, I \nspecifically asked the then-chairman, Mike Rogers, to commit to \npressing on the threats to our national security that Huawei \npresented.\n    When our country was attacked on Sept. 11, 2001, we \npossessed something that was essential in the age of \nterrorism--our telecommunications systems. They were and they \nstill are part of the backbone of our national security and \nintelligence operations.\n    Fast forward to 2018, when the sophistication of what these \ntechnologies can do has increased exponentially, as well as \nwhat is manufactured. There is far more that today\'s companies \nin this sector on whom we rely for our communications can know, \nwhat other companies have access to, and whom they buy from. \nAnd we know for a fact, based on years of scrutiny which I was \na part of, that certain companies, particularly foreign \nenterprises, do not have our national interests at heart. Thus, \nwe have no business doing business with them. Period.\n    Congress can prevent this infiltration of our critical \ncommunucations systems. The number one responsibility of every \nMember of Congress is contained in our Oath of Office, `protect \nand defend\' our citizens from enemies external and internal. We \ncannot allow foreign entities to compromise our \ntelecommunications sector, because it would create a direct \nchallenge to our national security. I\'m bewildered that after \nso many years of hearings and investigations that we continue \nto consider whether we should use parts from companies whom we \nknow have adversarial intentions against our country. The \nanswer to this consideration is NO.\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'