[Senate Hearing 116-582]
[From the U.S. Government Publishing Office]
S. Hrg. 116-582
5G SUPPLY CHAIN SECURITY:
THREATS AND SOLUTIONS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
__________
MARCH 4, 2020
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available online: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-663 PDF WASHINGTON : 2023
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTEENTH CONGRESS
SECOND SESSION
ROGER WICKER, Mississippi, Chairman
JOHN THUNE, South Dakota MARIA CANTWELL, Washington,
ROY BLUNT, Missouri Ranking
TED CRUZ, Texas AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska EDWARD MARKEY, Massachusetts
CORY GARDNER, Colorado TOM UDALL, New Mexico
MARSHA BLACKBURN, Tennessee GARY PETERS, Michigan
SHELLEY MOORE CAPITO, West Virginia TAMMY BALDWIN, Wisconsin
MIKE LEE, Utah TAMMY DUCKWORTH, Illinois
RON JOHNSON, Wisconsin JON TESTER, Montana
TODD YOUNG, Indiana KYRSTEN SINEMA, Arizona
RICK SCOTT, Florida JACKY ROSEN, Nevada
John Keast, Staff Director
Crystal Tully, Deputy Staff Director
Steven Wall, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel
C O N T E N T S
----------
Page
Hearing held on March 4, 2020.................................... 1
Statement of Senator Wicker...................................... 1
Statement of Senator Cantwell.................................... 3
Statement of Senator Fischer..................................... 37
Statement of Senator Rosen....................................... 39
Statement of Senator Gardner..................................... 41
Statement of Senator Thune....................................... 44
Statement of Senator Lee......................................... 46
Statement of Senator Peters...................................... 47
Statement of Senator Sullivan.................................... 49
Statement of Senator Scott....................................... 51
Statement of Senator Johnson..................................... 56
Witnesses
Steven K. Berry, President and Chief Executive Officer,
Competitive Carriers Association............................... 4
Prepared statement........................................... 6
Jason S. Boswell, Head of Security, Network Product Solutions,
Ericsson North America......................................... 10
Prepared statement........................................... 12
Asha Keddy, Corporate Vice President and General Manager, Next
Generation and Standards, Intel Corporation.................... 17
Prepared statement........................................... 19
Michael Murphy, Chief Technology Officer, Americas at Nokia...... 22
Prepared statement........................................... 24
Dr. James A. Lewis, Senior Vice President and Director,
Technology Policy Program, Center for Strategic and
International Studies (CSIS)................................... 28
Prepared statement........................................... 29
Appendix
Letter dated March 3, 2020 to Hon. Roger and Hon. Maria Cantwell
from Manoj Leelanivas, EVP & Chief Product Officer, Juniper
Networks....................................................... 61
Letter dated March 3, 2020 to Chairman Roger Wicker and Ranking
Member Maria Cantwell from Robert Fisher, SVP Federal
Government Relations, Verizon Communications and Tim McKone,
EVP Federal Relations, AT&T.................................... 62
Response to written questions submitted to Steven K. Berry by:
Hon. Amy Klobuchar........................................... 63
Hon. Jon Tester.............................................. 63
Response to written question submitted by Hon. Amy Klobuchar to:
Jason S. Boswell............................................. 64
Response to written question submitted by Hon. Kyrsten Sinema to:
Asha Keddy................................................... 65
Dr. James A. Lewis........................................... 66
5G SUPPLY CHAIN SECURITY:
THREATS AND SOLUTIONS
----------
WEDNESDAY, MARCH 4, 2020
U.S. Senate,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Committee met, pursuant to notice, at 10:03 a.m. in
room SR-253, Russell Senate Office Building, Hon. Roger Wicker,
Chairman of the Committee, presiding.
Present: Senators Wicker [presiding], Thune, Blunt,
Fischer, Sullivan, Gardner, Lee, Johnson, Young, Scott,
Cantwell, Peters and Rosen.
OPENING STATEMENT OF HON. ROGER WICKER,
U.S. SENATOR FROM MISSISSIPPI
The Chairman. Good morning and welcome to the newly
restored Committee room of the Commerce Committee.
I want to thank Senator Blunt of the Rules Committee and
the Architect of the Capitol for their effort in restoring this
room and welcome all of you to a history-making hearing, the
first hearing in the newly opened room.
Today, the Committee convenes to discuss the security and
integrity of the telecommunications supply chain. That is to
say, the equipment and services that make up a communications
network.
I welcome our distinguished panel of witnesses and thank
them for appearing. Today, we'll hear from Mr. Steven Berry,
President and Chief Executive Officer of the Competitive
Carriers Association; Mr. Jason Boswell, Head of Security,
Network Product Solutions at Ericsson; Ms. Asha Keddy,
Corporate Vice President and General Manager of Next Generation
and Standards at Intel; Mr. Mike Murphy, Chief Technology
Officer, Americas at Nokia; and Dr. James Lewis, Senior Vice
President and Director of the Technology Policy Program at the
Center for Strategic and International Studies.
Closing the digital divide and positioning the United
States to win the global race to 5G are priorities for this
committee. Over the past several months, we have been
discussing the wide-ranging economic and social benefits that
broadband connectivity has delivered to communities across the
country.
We've also discussed the promise of 5G networks to build
upon these past advances and create new opportunities.
Our continued ability to connect all Americans and provide
access to next generation technology will depend in large part
on the security of the Nation's communications infrastructure.
Over the past few years, the U.S. Government's intelligence
officials and international allies have determined that
telecommunications equipment from certain vendors, such as
Huawei and ZTE, poses a national security risk.
Foreign adversaries and enemies of the United States have
the capability of using this compromised equipment to spy on
Americans, steal our intellectual property, and otherwise
disrupt our way of life and economic well-being.
Today, both Congress and the Trump Administration have
taken a number of actions to address these security threats and
protect our networks and devices from hostile exploitation.
These actions include banning the use of Huawei and ZTE
components in government systems, prohibiting the use of the
Universal Service Funds to purchase communications equipment
and services from Huawei and ZTE, and other high-risk
suppliers, and adding Huawei and its affiliates to the entity
list.
Most recently, Congress passed the Secure and Trusted
Communications Networks Act. When signed into law by President
Trump in just a few days, this law will establish a critical
Rip and Replace program for small and rural telecommunications
operators to remove compromised equipment from their networks
and replace it with components from trusted suppliers.
While this is a meaningful step forward in safeguarding the
security of the Nation's communications systems, the
unfortunate reality is that our networks have already been
compromised by foreign adversaries.
We are seeing more reports that Huawei can covertly access
mobile phone networks around the world. At the same time, some
of our close allies are granting Huawei access to their
communications systems. These are troubling developments.
We need to do more to shore up our own network defenses
against hackers and state-sponsored actors, especially in our
Nation's rural and underserved communities. This effort will
require the development of a comprehensive strategy to secure
the telecommunications supply chain.
Currently, Huawei maintains the largest global market share
of telecommunications equipment. The absence of a viable and
affordable American or European alternative for end-to-end
telecommunications components, including radios, chips,
software, and devices, has enabled Huawei to increase its
global influence.
At a time of rising global demand for 5G equipment, I hope
witnesses will discuss what more Congress and the
Administration can do to support trusted suppliers, invest in
new technologies, and expand the domestic market for 5G network
components.
There are a number of international standard-setting
organizations, such as the Third Generation Partnership Project
or 3GPP and the International Telecommunications Union that are
developing technical standards for 5G. U.S. participation in
these organizations is also key to a secure telecommunications
supply chain.
Today's hearing is an opportunity for witnesses to discuss
how to increase U.S. engagement in the standards development
process. This will help ensure American technical expertise and
priorities are considered in the development of next generation
technologies.
Finally, I hope we will learn about how the
telecommunications industry can improve its cyber hygiene,
meaning what best practices companies could adopt to mitigate
risks to vulnerable supply chains.
I also hope we will learn about what more the FCC can do to
secure legacy networks and manage security risks in the
transition to 5G.
Let me again welcome our witnesses and thank them for
joining us, and I recognize my friend and Ranking Member
Senator Cantwell.
STATEMENT OF HON. MARIA CANTWELL,
U.S. SENATOR FROM WASHINGTON
Senator Cantwell. Thank you, Mr. Chairman, and thank you
for holding this important hearing.
I, too, want to thank Senator Blunt for his work in getting
us back into our normal hearing room.
Today's hearing, obviously, we have a lot of great
witnesses here, and thank you for traveling to be here.
We've heard a lot about 5G networks and how it's going to
revolutionize everything from sectors of our economy to
advancements, but none of this will happen unless we make the
system secure.
Yesterday, we had a hearing as part of our review of the
budget for energy and we were focusing on our Nation's grid and
the fact that just recently, an attack on our grid in the West
was the first time an actor had actually brought down a power
system for more than 12 hours.
So it's no longer just people searching around and looking
at our power plants. Now, actors are starting to bring what are
essential services to a halt, and these are important issues
for us to address throughout our system.
So far, the discussion by policymakers about how to keep
unsecure networks and equipment out of our domestic networks
has been the focal point, but obviously eliminating the threat
posed by this equipment is the highest priority. We can't just
simply look at that issue. We need to make sure that we are a
loud voice across the globe for no government backdoors to any
security network.
By mitigating this, we are helping to communicate what
needs to be done. I believe it's an imperative that the U.S.
and its allies foster a truly secure, diverse, and reliable
supply chain for communications equipment. We need to assure
the communications systems are secure and that the connections
to those systems and software are also secure.
To accomplish this, first and foremost, we need a broader
strategic plan, and I know that recently our bill that we
passed out by our colleague, Senator Cornyn, in July was about
getting the President to send to Congress a much-needed
strategy on 5G, and hopefully we'll see more details on that
soon.
But we must also build a forceful global coalition of
countries to share our values and respect property rights and
the Rule of Law, and we need a smart multinational approach to
this. And so I hope that, Mr. Chairman, we'll continue to work
with our colleagues on the Intel Committee and on the Foreign
Affairs Committee to make sure that this is also being
accomplished.
We must create incentives for other countries to use
communication equipment that does not contain a government
backdoor access, and the United States should have a great
source of allies to work with us on these issues.
So again, appreciate this hearing this morning. I think
it's important to continue to clarify U.S. leadership on this
issue and how we move ahead, and I appreciate the fact that we
have so many great witnesses to talk about what these immediate
next steps are in the legislation that has gone to the
President's desk.
Thank you, Mr. Chairman.
The Chairman. And thank you, Senator Cantwell.
We have a vote on the Senate Floor scheduled for around
10:30 and so we'll just do the best we can sharing the gavel
and getting back and forth, but we are delighted to have the
testimony.
Your written statements will be included in the record in
full and we recognize each of you for around five minutes to
summarize your testimony.
Mr. Berry.
STATEMENT OF STEVEN K. BERRY, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, COMPETITIVE CARRIERS ASSOCIATION
Mr. Berry. Thank you, Mr. Chairman.
[Off microphone comments] for every American in Rural
America, reliable broadband maps. I look forward to your
successful completion of the Broadband Data Act and it's signed
into law. So from everyone from rural America, big thank you to
this committee.
Chairman Wicker, Ranking Member Cantwell, and members of
the Committee, thank you for the opportunity to testify about
security and integrity of the telecommunications supply chain,
both for existing wireless networks and for the Nation's future
5G.
CCA is the Nation's leading association for competitive
wireless carriers as well as the vendors and suppliers serving
that ecosystem. CCA and its members fully support efforts to
protect networks from cyber and national security threats.
I strongly commend this Committee's bipartisan efforts to
send the Secure and Trusted Communications Networks Act to the
President. This important legislation addresses many key
concerns. It provides all carriers with clear direction and,
importantly, creates a fund to help small carriers replace
covered equipment.
Since I last appeared at this Committee, there has been a
lot of talk about what steps small carriers must take to secure
their networks and your actions, as a matter of fact your
legislation, will allow these carriers and government officials
to not just talk the talk but actually walk the walk.
Wireless networks are providing connectivity for
innovations ranging from health, education, and public safety
to economic and social transformations. All carriers are
focused on providing secure connectivity against the ever-
growing array of threats. The transition to 5G networks
provides an opportunity for all carriers to build in security
as a basic function.
The challenge is heightened by carriers that have equipment
in their networks from companies deemed by Federal agencies to
pose a national security threat.
Now let me be clear. Most CCA members do not have covered
equipment in their networks. For those that do, often they
provide service to their own rural communities, operating where
other carrier providers don't provide service on the thinnest
of margins to connect their neighbors. These companies are
owned by and employ Americans in their local communities and I
can assure you these patriots want to take whatever steps
necessary to ensure our national security. Through your
actions, these carriers will have a program to support
replacing covered network elements.
Chairman Wicker, I completely agree with your floor remarks
when you said some things are worth paying and protecting
America is worth paying for.
The undertaking to replace existing equipment is
unprecedented, historic, never been done. Networks in operation
today were built over years, actually decades, and such a
significant undertaking will be all-encompassing.
Further, this task must be completed in a way that keeps
rural Americans connected. For all the talk about Rip and
Replace, carriers must actually create and execute individual
plans that replace and then rip. They must maintain service
before decommissioning. Anything less threatens the loss of
connectivity in rural America, including access to 9-1-1 and
public safety services.
These carriers are essentially attempting to rebuild the
airplane in midflight, and the challenge of securing networks
does not end here. As we enter the 5G era, there are new
opportunities for all carriers to build security into the
networks from the ground up.
There are three main factors for industry and policymakers
going forward. Number 1, all carriers must have clear guidance
and information from the Federal Government regarding security.
You did this. Your legislation facilitates information sharing
specifically for small providers.
Number 2, secure trusted network equipment must be
available for all carriers. The Act directs the creation of a
list of suggested replacements that would allow carriers with
and without covered equipment to confidently make the decisions
that they will need. Flexibility will be the secret sauce to
this success.
And Number 3, new technologies hold the promise to enhance
security, spur innovation, and save costs. We should explore
virtual technologies. However, policymakers should not mandate
technologies. If new technologies deliver on ther promise, they
will compete successfully in the marketplace.
And in closing, thank you again for the exceptional
leadership in passing the Secure and Trusted Communication
Networks Act. CCA is committed to working with not only all the
shareholders, the stockholders, and stakeholders, as you would
say, to accomplish the challenging task of securing our
networks while we maintain communications services for millions
of consumers in rural America, and so thank you for the
opportunity to testify, and I look forward to your questions.
[The prepared statement of Mr. Berry follows:]
Prepared Statement of Steven K. Berry, President and Chief Executive
Officer, Competitive Carriers Association
Chairman Wicker, Ranking Member Cantwell, and Members of the
Committee, thank you for the opportunity to testify about the security
and integrity of the telecommunications supply chain, both for existing
wireless networks and for our Nation's 5G future.
I am testifying on behalf of Competitive Carriers Association
(``CCA''), the Nation's leading association for competitive wireless
providers. CCA is composed of nearly 100 carrier members ranging from
small, rural providers serving fewer than 5,000 customers to regional
and nationwide providers serving millions of customers, as well as
vendors and suppliers that provide products and services throughout the
mobile communications ecosystem.
CCA and its members fully support efforts to protect and harden
networks from cybersecurity and other national security threats. Press
reports and actions by the Federal Government continue to underscore
the threats posed by certain companies and foreign adversaries. To
address these threats, I particularly commend this Committee's
bipartisan leadership in sending the Secure and Trusted Communications
Networks Act to the President for enactment. This important legislation
addresses several key concerns of competitive carriers that are working
to secure their networks. In particular, the legislation provides
certainty regarding what actions small carriers must take to modify
their existing networks and establishes a fund to ensure that resources
are available.
Beyond the immediate attention on network security, we must also
not lose focus on the economic security threats we face as a nation as
we compete globally to provide the latest innovations, powered by
wireless communications. Establishing American leadership for 5G
network deployments, including the potential for a greater role in the
5G supply chain, is an important goal, and one that can only be
achieved by ensuring that all Americans have access to the latest
services, both in urban population centers as well as rural America. In
fact, rural areas stand to enjoy the most immediate and significant
benefits through expanded access to the latest wireless services. No
one will win the so-called ``race to 5G'' without connecting the
millions of people living in rural America.
While wireless networks are providing connectivity for innovations
ranging from health and public safety advances to economic and social
transformations, these connections must be secure. All carriers are
therefore focused on ensuring that they are providing secure
connectivity amidst an ever-growing array of potential threats. The
transition to 5G networks provides an opportunity for all carriers to
build in security as a basic function of network architecture and
management.
Security threats are particularly acute for carriers that have
equipment or services in their networks from companies deemed by
Federal agencies, including the Federal Communications Commission
(``FCC''), to pose a ``national security threat to the integrity of
communications networks or the communications supply chain.'' To be
clear, most CCA members do not have covered equipment in their
networks. Those that do often provide service to their own rural
communities, operating where no other carrier will provide service and
at the thinnest of margins to connect their neighbors. These companies
are owned by and employ Americans in their local communities, and I can
assure you that these patriots want to take whatever steps are
necessary to ensure our national security.
Whether or not a carrier has covered equipment in its immediate
network, removing insecure network elements is a priority shared across
the industry. Telecommunications networks provide value to all
consumers through the network effects of connectivity, and networks
must interconnect with each other. Further, through roaming and other
arrangements between carriers, as you travel the country you have
likely enjoyed service from rural carriers, whether you realize it or
not. Accordingly, all networks must be secure.
This hearing is timely, with actions being taken not only by
Congress, but also by the FCC and an Executive Order from the
President. While the challenge is significant, and the legislative and
regulatory policy directions are unprecedented, I have confidence that
appropriate policies from the Federal Government will provide all
carriers with the guidance and certainty they need to secure
telecommunications networks. Through cooperative efforts and flexible
policies, and funds for replacement, the removal of covered networks
elements, where necessary, can be achieved. Such action will support
new technologies and innovations while allowing market forces to
advance secure services and make the latest wireless technology
available for all carriers, whether they serve customer bases that are
rural, regional, or nationwide.
All Carriers Must have Clear Guidance from the Federal Government
Regarding Security
As a foundational step, all carriers must have the information and
guidance from the Federal Government to confidently make decisions to
secure their networks. With respect to the need for clarity, I
appreciate the clear message sent by Congress through the Secure and
Trusted Communications Networks Act regarding what network equipment is
deemed to be insecure and must be removed from existing networks. This
clarity is particularly important for smaller carriers that may not
have dedicated staff focused exclusively on security issues or may not
have the necessary clearances to engage directly with the intelligence
community regarding potential threats.
I strongly encourage the Federal Government to continue to provide
clear, unambiguous directions regarding the national security needs for
communications networks so that government and industry can define a
clear pathway for enhanced security and allocate resources to sustain
these priorities. Such efforts help improve the security hygiene across
the entire telecommunications industry, for small carriers and
nationwide providers alike. Provisions in the Secure and Trusted
Communications Networks Act that facilitate information sharing,
specifically for smaller providers, will help advance this goal.
CCA has taken several steps to ensure that our members have access
to the information they need to make confident decisions regarding
potentially sensitive issues. For example, nearly a year ago
approximately three dozen CCA members, including members with and
without covered equipment, participated in a bipartisan, classified
briefing on wireless security issues with the U.S. Senate Select
Committee on Intelligence. I would like to thank Senators Warner and
Rubio for hosting CCA members and key leaders from the Intelligence
community to ensure that all carriers are provided with the information
they need to make decisions to provide secure telecommunications
services to their customers.
I am also very pleased that we were able to continue our
educational effort by partnering last year with the U.S. Chamber of
Commerce to conduct three Rural Engagement Initiative sessions. At
these events we brought together numerous stakeholders, including
representatives from Tier II and Tier III carriers serving rural areas,
security experts from leading American and international vendors and
suppliers, and key senior government officials from the Department of
Homeland Security, Department of Justice, Federal Communications
Commission, and Department of Commerce together in three different
locations--Denver, CO, Jackson, MS, and Chicago, IL--to have frank
discussions regarding current threats, potential solutions, and the
roadmap for network operations in the years ahead. These conversations
allowed both government and industry to gain a better sense of the
strategic threats, and a clearer understanding that there is no one-
size-fits-all solution to mitigating these threats. I truly appreciate
our partnership with the U.S. Chamber of Commerce on this effort to
bring critical information to all carriers. I also would like to
particularly thank the Department of Homeland Security's Cybersecurity
and Infrastructure Security Agency (``CISA'') for taking a lead role on
behalf of the United States Government in these sessions, which brought
tremendous value to competitive carriers and facilitated the direct
flow of information between government and industry stakeholders.
Building upon these conversations, I look forward to welcoming CISA as
a keynote speaker at CCA's upcoming Mobile Carriers Show later this
month.
Congress has Provided Clear Authority and Established a Fund to Secure
Existing Networks
The Secure and Trusted Communications Networks Act not only
provides clarity regarding what elements must be removed from existing
networks, it importantly creates a fund to facilitate replacement for
smaller carriers serving rural areas. I completely agree with your
remarks, Chairman Wicker, on the Senate floor late last year that
``some things are worth paying for, and protecting America, protecting
our electronic system, our broadband communications. . .is worth paying
for.''
I am encouraged that this sentiment shares bipartisan support not
only in Congress but also at the FCC. As FCC Commissioner Geoffrey
Starks noted last fall at CCA's Annual Convention, ``This is a national
problem that deserves a national solution, and we shouldn't expect
small carriers--who acted legally and in good faith--to replace their
insecure equipment on their own.'' Recent Congressional action will
provide needed resources for the replacement of covered equipment, an
important step that is particularly needed for carriers who are unable
to cover the costs of replacement without financial assistance from the
Federal Government.
As the new fund is established and administered by the FCC, I am
hopeful that resources will be available so that carriers can move
expeditiously to replace covered network elements. This means that
after a carrier with covered equipment has established a clear plan for
replacement and removal of networks elements, they will have access to
funding both as the process begins as well as at specified benchmarks
throughout the process. Such access to needed resources recognizes that
networks that were not initially economical to construct absent support
mechanisms are unlikely to be able to finance the project management
process without resources available long before certification that
covered elements have been completely removed. Additionally, as the
removal process moves forward, policymakers should allow for carriers
to triage their networks and focus on the most significant
vulnerabilities first. Specifically, policymakers should consider
prioritizing replacement of core network and routing elements first,
and radio and edge network elements thereafter, in recognition of using
available resources to prioritize the highest potential threats.
While the legislation that recently passed establishes a swift one-
year timeframe, I appreciate the inclusion of a waiver process to
ensure that carriers that are unable to complete changes to their
networks in such a rapid fashion remain eligible for support. Several
factors, including available spectrum resources, equipment
availability, limited windows to build in certain harsh geographic
areas, permitting processes, the need for testing and configuration of
new equipment, and even the availability of a properly trained
workforce will all impact the time necessary for each impacted carrier
to complete the transition process.
Going forward, I would be remiss not to mention concerns from our
carrier members that reverse auction procedures used to distribute
support for providing service in rural areas can lead to a race-to-the-
bottom where low costs are prioritized above all else. Several carriers
that have covered equipment in their networks today made vendor
selections a decade ago in order to meet the reverse auction structure
of Mobility Fund Phase I, where winning auction bids were those that
had the lowest cost to serve the greatest number of road-miles. Despite
there being no prohibited vendor selections at the time, it is now
clear that this mechanism led to undesirable consequences for several
carriers. While the FCC now has rules in place prohibiting using USF
support for specific vendors going forward, security priorities should
be appropriately funded so that other unintended consequences of
funding least-cost networks can be avoided in the future. All funding
recipients must be good stewards of taxpayer funds, but we should not
simply fund the cheapest possible networks at the expense of all other
priorities. There should be some mechanism in the funding process that
recognizes and rewards resiliency and security enhancements,
prioritizing providing reliable and secure connectivity for consumers.
Replacing Covered Network Elements Must Precede Decommissioning to
Maintain Connectivity
With clear guidance regarding network elements that pose security
threats and a newly established fund available to replace them,
carriers are eager to begin the work to transition their networks and
continue to move forward to best serve their customers. To ensure that
Americans in rural areas do not lose connectivity during this process,
including to voice connectivity and 9-1-1 emergency services, important
safeguards must be in place.
While those inside the beltway often refer to the process as ``rip
and replace,'' in practice carriers will typically need to ``replace,
then rip'' to ensure that the consumers served by rural carriers do not
lose service. This is a significant challenge for carriers, as a
separate, standalone network must be established and stood up alongside
current services before carriers can transition traffic to the new
equipment and then decommission the covered elements. Networks in
operation today have been built over years or even decades, and such a
significant rebuilding will be all encompassing, including not only
funding but also technical and logistical resources. Further, each
carrier's network is unique, and accordingly there is not one plan or
solution that can be followed by all carriers in this situation.
Individual carriers' plans may be particularly challenging based on any
given carriers' spectrum portfolio, which will need to support both new
and legacy networks during the transition process, as well as the
carrier's access to backhaul and other network characteristics. Again,
only a few CCA carrier members have covered equipment in their
networks, but all carriers understand the collective impact on their
colleagues, and recognize that successfully addressing this challenge
now will help everyone as we move to 5G.
Additionally, some covered equipment is outdated technology that is
no longer manufactured or supported for new construction by any vendor.
Equipment manufacturers generally are no longer making 2G and 3G
equipment, and it would make little sense for any carrier to deploy a
2G or 3G network today. Accordingly, while the Secure and Trusted
Communications Networks Fund should not create a windfall, resources
should be available for carriers to provide like-for-like services that
leave carriers more prepared at the end of the transition process to
utilize other resources to upgrade networks to the latest generation of
services in the future. For example, if a network with covered elements
supports 2G and 3G CDMA voice products, the replacement should also
support voice services, even if this means an enhancement in the
network to support VoLTE voice services that could subsequently be
upgraded as the carrier deploys 5G. This approach will ensure that the
transition process does not leave a rural area stranded on legacy
technologies while the rest of the industry advances. That is not a
windfall but a reality reflecting the state of today's technology.
New Technologies can Help Secure Networks; Mandates should not Stifle
Innovation
Removing covered network elements, as supported by the Secure and
Trusted Communications Networks Act, is a critical step to secure
today's networks, and several concepts included in the Act will also
help secure the 5G networks of the future. For example, the Act
requires the FCC to ``develop of list of suggested replacements of both
physical and virtual communications equipment, application and
management software, and services or categories of replacements of both
physical and virtual communications equipment, application and
management software, and services.'' Applied in a neutral fashion, this
list can provide guidance to all carriers regarding secure equipment
options for current and future network deployments, including end-to-
end equipment used by most carriers today as well as increasingly
virtualized and open source equipment and services.
As 5G wireless services provide increased potential to transfer
network services from physical equipment to software, new technologies
are increasingly coming to the market, including Open Radio Access
Network (``ORAN'') equipment. ORAN presents exciting new opportunities,
with the potential to disaggregate functionality to increase efficiency
and reduce costs. I encourage further research and development to
explore virtualized solutions. ORAN may provide opportunities to
increase security by breaking down the network stack and allowing
multiple vendors to provide off-the-shelf components and services that
when working together appropriately provide unified services. The
potential for introducing American vendors into the ecosystem has
tremendous benefits, but each layer must be sufficiently vetted for
security. Particularly in greenfield network builds, ORAN can provide
opportunities for new network designs that do not need to be integrated
to legacy networks. For example, DISH, a CCA member, has announced
plans to start deploying its standalone ORAN 5G network this year in
the United States.
However, policymakers should not mandate which technologies are
used in wireless networks, but instead should encourage research into
new, secure technologies to enhance customer choice, innovation, and
cost savings. For carriers with existing network infrastructure,
additional research may facilitate increased ORAN deployment as well,
and it is important that all network operators are positioned to manage
additional steps for interoperability across multiple vendors. Absent a
secure deployment approach, the increased number of access points that
can present opportunities for additional vendors can expose additional
entry points for bad actors. While ORAN equipment may be designed for
network efficiencies, these technologies are not necessarily designed
with the specific goal of enhancing security.
If new technologies like ORAN are successful, they will compete
successfully in the marketplace. We must be mindful, however, that
mandating using specific technology could require additional time for
carriers seeking to replace covered elements from their networks,
presenting a question of competing goals for policymakers. Smaller
providers often rely on one or a small number of equipment providers
for end-to-end services and do not have regular access to expansive
test beds to vet all network elements. Carriers will continue to rely
on existing trusted vendors, and may not be prepared for
interoperability and system integration costs involved with multiple
providers. They can ill afford to discover errors after deployment and
operations are turned up to provide service and may have additional
burdens to determine the cause of an error if there is a service
outage. Further, smaller carriers depend on shared economies of scale
for equipment with their larger competitors and are not in a position
to drive the ecosystem. As previous technologies have been deployed at
scale, smaller carriers can obtain economical access after deployment
by larger carriers. Some smaller competitive carriers have also
expressed concerns that an exclusive focus on new technologies that are
not yet fully standardized or vetted could risk cannibalizing existing,
trusted equipment providers.
As we seek to advance technologies and innovate, policymakers must
ensure that the United States telecommunications industry does not lose
access to trusted suppliers in the pursuit of potential new and
exciting technologies of the future.
Additionally, I applaud inclusion in the legislation the creation
of an information sharing program, led by the National
Telecommunications and Information Administration and in cooperation
with several other leading agencies, to share information regarding
supply chain security risks with trusted communications providers and
suppliers. This program can help ensure that all stakeholders have the
information they need to continue to make decisions to secure networks
into the future.
* * * * *
In closing, I would like to again congratulate this Committee for
its leadership in passing the Secure and Trusted Communications
Networks Act. As it is implemented, CCA is committed to working with
Congress, the Administration, and all stakeholders to accomplish the
unprecedented task of removing certain equipment out of
telecommunications networks and ensuring network operations proceed
using trusted vendors, all while maintaining communications services
for millions of Americans in rural areas. Building upon these efforts
to secure existing networks, we also have an opportunity to ensure that
security is a pillar of 5G networks as they expand throughout our
Nation.
Thank you for the opportunity to testify at this important hearing,
and I welcome any questions.
The Chairman. Thank you very much, Mr. Berry.
Mr. Boswell.
STATEMENT OF JASON S. BOSWELL, HEAD OF SECURITY, NETWORK
PRODUCT SOLUTIONS, ERICSSON NORTH AMERICA
Mr. Boswell. Thank you. Chairman Wicker, Ranking Member
Cantwell, members of the Committee, thank you for the
opportunity to appear today on behalf of Ericsson.
I'm Jason Boswell, Ericsson's Head of Security for Network
Product Solutions in North America. Since my early days as an
engineer, I've spent my whole career focused on security and
advanced telecommunications, and I'm pleased to provide
Ericsson's perspective on 5G supply chain security.
Let me start by commending the recent passage of Chairman
Wicker's bipartisan security legislation, The Secure and
Trusted Communications Networks Act.
We stand ready to assist small carriers replacing equipment
from untrusted vendors. The U.S. led the way on 4G and reaped
the economic benefits, $475 billion to GDP and four million
U.S. jobs. 5G will accelerate innovation and deliver even more
transformative benefits to consumers and businesses alike with
the potential to bring $500 billion to the U.S. economy and
three million new U.S. jobs.
But this also brings new security challenges due in part to
the increased potential attacks surface. We need networks that
are trustworthy, resilient, and secure by design, enabled by a
robust market of trusted suppliers, not just in the United
States but worldwide.
Ericsson is leading the way on secure 5G, supporting 65
percent of the 5G deployments across the U.S., including in
rural America. We have customers in over 180 countries, and I'm
proud to say that the U.S. is our largest market, accounting
for 30 percent of our global revenue and driving our R&D
priorities.
Ericsson has a longstanding and expanding commitment here.
Our North American headquarters is in Plano, Texas, and we
currently have over 7,000 employees in the U.S. We also have a
tower technician training facility in Texas and we will soon
open our $100 million 5G Smart Factory right here in the U.S.
In fact, in some breaking news, this just came in this
morning, today we announced our first 5G equipment rolling out
from that factory manufactured right there in Lewisville,
Texas.
Security is intertwined with the successful deployment of
5G networks and three key priorities will enable this 5G
rollout. First, we need increased mid-band spectrum
availability and we commend the FCC for allocating some mid-
band spectrum for 5G. It is a good start but more is needed.
Second, we need streamlined rules for small cell siting as
provided in Senators Thune and Schatz's STREAMLINE Act.
And third, we need to focus on developing a skilled 5G
workforce. Senators Gardner and Sinema's Tower Infrastructure
Deployment Act and Senators Thune, Tester, Moran, Peters, and
Wicker's Telecommunications Skilled Workforce Act would do just
that.
Security is a top priority for Ericsson and our actions
reflect our philosophy, both internally and externally.
First, since 2018, we have been executing a supply chain
regionalization strategy to place manufacturing and development
as close to the customer as possible in order to reduce risks,
regional disruptions, and dependence on one supply site or
vendor, and in all of our manufacturing and software
development, Ericsson secures our own supply chain with
integrity checks, site audits, sign-in and sign-out for all
software development, and cryptographic signing of hardware and
software that helps provide routes of trust for all of our
portfolio.
Second, we take a holistic approach to building security
into our systems from the start. Our own security and
reliability model guides security assurance across all of our
products and helps inform standards development.
Third, we lead industry-wide endeavors to advance security
across the whole 5G ecosystem, not just Ericsson products. This
involves our standards activities and also the development of
best practices for 5G security. We are active on the DHS Supply
Chain Risk Management Task Force where I co-chair a working
group on developing the standardized template for supply chain
evaluation to minimize risk in the purchasing process.
I'm also a member of the FCC's Security Advisory Committee.
I am on a working group focused on managing security risk in
the transition to 5G.
We need to sustain a secure and robust marketplace of
trusted suppliers in the U.S. and globally. To do so, it is
important to continue to pass 5G security legislation, such as
the thoughtful bill pending from Senators Cornyn, Sullivan,
Blackburn, and others, and keep holding hearings like this one
to highlight what industry and government agencies are doing to
ensure a secure 5G ecosystem.
Shining light on these efforts will make them even more
effective and allow the U.S. to set the global example for 5G
security.
On behalf of Ericsson, I thank the Committee for its
leadership. We look forward to working with you and I look
forward to your questions.
[The prepared statement of Mr. Boswell follows:]
Prepared Statement of Jason S. Boswell, Head of Security, Network
Product Solutions, Ericsson North America
Chairman Wicker, Ranking Member Cantwell, and Members of the
Committee, thank you for the opportunity to appear today on behalf of
Ericsson and to share our views on the important subject of supply
chain security in the 5G world. Ericsson commends the Committee for its
focus on these important issues, and we welcome the recent passage of
Chairman Wicker's bipartisan Secure and Trusted Communications Networks
Act. As Head of Security for Network Product Solutions in Ericsson
North America, I advise Ericsson's technicians, engineers, partners,
and customers on creating and maintaining secure Ericsson solutions
across the country. I also represent Ericsson in numerous industry
initiatives and collaborative efforts with government to develop and
implement industry-wide practices and policies to make the 5G supply
chain trustworthy, resilient, and secure. Since my early days as an
engineer more than 20 years ago, I have spent the entirety of my career
focused on security and advanced telecommunications. I am pleased to be
able to describe Ericsson's perspective on the important topic of
securing 5G and its supply chain.
I. Introduction
A Pivotal Moment for 5G. 5G will accelerate innovation, enhance
productivity, and make our lives better through transformative use
cases in manufacturing, telemedicine, agriculture, connected cars,
smart cities, and the Internet of Things, to name a few, plus a host of
applications and services that are still to come. 5G will deliver
significant benefits to consumers and business alike.
But this innovation brings new security challenges for the mobile
ecosystem as well, with broader attack surfaces, more devices, and
greater traffic. The United States is expected to account for 50
percent of the data breached or compromised across the globe by 2023--
we will be the lead target for cyberattacks. This is a clear call to
action for the U.S. We need networks that are trustworthy, resilient,
and secure by design--all on day one.
In short, as we embark on the 5G future and usher in the next
decade of telecommunications, we face a series of critical decisions,
and we have an opportunity for the U.S. to set a global example in 5G
network security across policy, technology, and standards. Whether we
live up to this moment will depend on how industry and government
together answer these questions:
Will 5G be innovative and dynamic?
Will 5G be secure and reliable?
Will 5G support the rule of law and enable fair competition
and the robust marketplace necessary to protect national
security?
I believe that with intentionality and foresight, the United States
will provide an emphatic ``yes'' in response to each of these
questions. This morning, I will share Ericsson's perspective on key
priorities and key action items that will help guide us through this
moment.
Ericsson: Who We Are and What We Do. At Ericsson, we long ago
embraced the idea of making communications available for everyone, and
we have aggressively executed on that vision ever since. Today, we
serve customers in the United States and more than 180 other countries.
Ericsson is a global 5G leader. To highlight just a few
accomplishments:
We were the first supplier with commercial 5G live networks
in four continents, and currently we support twenty-four live
5G networks in fourteen countries.
We now support the widest ecosystem of supported devices on
5G live networks, with over forty.
In every nation state that has conducted a national security
5G assessment, Ericsson has been designated as both a secure
and trusted 5G supplier.
Since 2015, we have delivered more than five million 5G-
ready radio units world-wide, which only need a remote software
update to launch 5G; hypothetically, this number of radios
corresponds to covering the entire U.S. and Europe with 5G.
We led the way on 5G standards, with the highest share of 5G
essential patent declarations--15.8 percent--of any
organization in the world. And more broadly, we have one of the
industry's strongest intellectual property portfolios, which
includes more than 54,000 granted patents worldwide. Ericsson
is the largest holder of standard essential patents for mobile
communication. Our unrivalled patent portfolio covers 2G, 3G,
and 4G, and we are the main driver of industry standardization
for 5G.
Our primary headquarters is in Sweden--a country with which the
U.S. has a longstanding defense cooperation--but we have key
development operations, as well as product, verification, and release
activities, in North America. The United States is our largest market,
and Ericsson has a longstanding and expanding commitment to the U.S.
Our presence in the U.S. dates back nearly 120 years. Ericsson now has
over 7,000 employees working in the U.S., and our North America
headquarters is located in Plano, Texas. And, we are actively expanding
our investment in U.S. manufacturing and U.S. jobs. Of note, we are
opening our first 5G smart factory in the United States, in Lewisville,
Texas. This facility will be a connected smart factory, producing
Advanced Antenna System radios to enable rapid 5G deployments. In
addition, our Lewisville, Texas Center of Excellence (CoE) is an
enhanced tower technician training facility that provides best-in-class
field services training and support for Ericsson's employees and
partners. In 2019, 847 tower tech trainees completed training at the
Lewisville CoE.
Over the last two years, Ericsson has had other investments and
achievements in the United States, including:
Producing the first 5G radios in the U.S. in 2018, with a
production partner in St. Petersburg, Florida;
Supporting 65 percent of the 5G deployments across the
United States, including efforts to close the digital divide in
rural America;
Opening a 5G ASIC Design Center in Austin, Texas, to help
accelerate 5G product development; and
Creating a new innovation hub at Ericsson's Silicon Valley
facility in Santa Clara, California to enable our industry
partners and customers to accelerate adoption of advances in
artificial intelligence (AI) and machine learning.
Apart from its direct investments in the U.S., Ericsson serves a
broad and diverse U.S. customer base, which includes nationwide and
regional communication service providers serving both rural and urban
markets with all technologies (wireline and wireless
telecommunications, cable, and satellite). We have partnerships and
collaborations with rural Wireless Internet Service Providers (WISPs)
and carriers--such as GCI Communications, Cellcom, Bluegrass Cellular,
and many more--in furtherance of our commitment to bring 5G to rural
areas. Ericsson also maintains strategic partnerships with NVIDIA,
Intel, Qualcomm, Juniper, and many other U.S. companies. In fact,
Ericsson's global sourcing of active components for Ericsson's 5G radio
base stations relies up to 90 percent on U.S. technology suppliers.
Finally, we participate in more than 100 industry organizations,
standards bodies, and other technology alliance groups.
As discussed further below, Ericsson employs a holistic approach to
ensuring the security of its supply chain and its products, which is
made more effective by an environment here in the U.S. consisting of
pro-deployment public policies and 5G investment, combined with
industry-led collaboration with government for a secure 5G ecosystem.
II. Ericsson's View of the Priorities That Enable a Successful and
Secure 5G Rollout
Security is inextricably tied to the successful development of 5G
networks--without one, you simply do not have the other. Before
explaining Ericsson's approach to assuring 5G supply chain security,
let me identify three key priorities for enabling a successful and
secure 5G rollout.
Accelerating 5G deployment in North America. The United States
enjoyed first mover advantage in the 4G world, and it can win the 5G
pole position as well. Indeed, the North American market is large
enough to lead the world market, setting the global agenda for
innovation and security and market competition. Conversely, any delay
in 5G advancement policies could allow other actors that may pose
national security risks to gain the first-mover advantage in the 5G
investment cycle and set technology standards for global companies to
adopt. In short, being first in 5G deployment is not merely an
honorarium--it is a meaningful step toward a secure 5G ecosystem.
As Ericsson has advocated, and as the members of this Committee
have advanced, Congress can accelerate 5G deployment in the U.S. by
taking the following near-term actions:
Increase spectrum availability, especially mid-band;
Put in place reasonable, streamlined small cell siting
rules;
Develop and deploy a skilled tower workforce; and
Ensure effective incentives to encourage 5G deployment in
rural areas.
Below, I identify several measures before the Senate that can help
accomplish these objectives.
Strengthening and ensuring the long-term viability of a
competitive, dynamic, diverse, robust global market of trusted and
secure suppliers. Over the past two decades, the global market of
wireless communications equipment suppliers has seen significant
consolidation, but today there are a number of suppliers of 5G radio
access network equipment in addition to Ericsson. Additional suppliers,
including U.S. companies, provide different elements of core network
equipment, and evolving innovations in open and interoperable
networking and virtualization will allow new participants to compete
with established global suppliers. In short, even with bans on Chinese
vendors, the 5G ecosystem presently is diverse and competitive--
attributes that are imperative not only for ever-advancing innovation
but also to ensure security and resiliency throughout global networks.
A key strategic goal for public policy aimed at a secure and
trusted 5G supply chain is to maintain a global, competitive, diverse
market of trusted suppliers. Network security is a global issue, not
just a domestic one, and security on a global level only reinforces and
enhances security here at home. We should therefore continue to
encourage the adoption, without delay, of principles and guidelines
favoring trusted suppliers and supply chains--on a global basis. We all
have a mutual interest in such a competitive market--suppliers and
service providers alike. And we agree with the principles that security
and trust are two independent factors that need to be assessed to
protect 5G networks. These principles are key to establishing an end-
to-end view of risk across the multiple layers of telecommunications
infrastructure.
Supporting the important, ongoing work of standards processes and
government-industry coordination. Ericsson is a leading participant in
developing the standards for 5G security through the global 3rd
Generation Partnership Project (3GPP), and we are engaged in an effort
through the Alliance for Telecommunications Industry Solutions (ATIS),
supported by the Department of Defense, to develop standards for
securing the 5G supply chain. These technical standards are crucial for
security because they give all suppliers and carriers a common--and
open and transparent--technical understanding of interoperability and
security. This allows for vetting and identification and correction of
technical vulnerabilities. To be clear, 5G security standards and 5G
supply chain standards are presently still under development, and
Ericsson is helping shape them for long-term security.
Once industry adopts standards, the next crucial step is effective
network configuration and deployment. Here, I need to emphasize how 5G
is different from previous generations of wireless communications.
Unlike the steps from 1G to 2G to 3G to 4G, each of which constituted
advances in both capability and security, 5G is a totally new and
different technology and network architecture. When fully deployed, 5G
will be ``virtualized'' across a service based architecture (SBA)--
meaning that the core network functions will happen through a cloud-
based and ``software defined'' network, which allow tailored security
solutions for each different network function, also known as a network
``slice.'' Virtualized networking will allow for unprecedented
capabilities for specialization in security for different isolated
functions--for instance, separating mission-critical network instances
such as connected medical devices from less critical devices and
functions. These new architectures and technologies will also allow for
more discrete control of access to data, topology obfuscation between
network segments, greater requirements on inter-element encryption,
provisions for extended authentication, enhanced privacy protections
for subscribers, and many other new capabilities. Individual
configurations in real-world deployments will be different in every
case, but in all cases they should be based on the rigorous, open, and
interoperable standards that Ericsson is helping develop now.
We believe the role of the government in advancing the security of
these deployments is to continue to put its attention and resources
behind the robust government-industry collaboration efforts that are
presently underway. In short, we must work together effectively and
efficiently to ensure that these deployments are secure, as described
below.
III. Ericsson's Activities and Leadership That Advance These Priorities
Security is a top priority for Ericsson, and our actions on
security reflect our philosophy: Networks must, from the very start, be
trustworthy, resilient, and secure by design.
How does Ericsson ensure a secure supply chain? In all of our
manufacturing and software development facilities globally, Ericsson
relies on tight quality controls, traceability and integrity checks,
regular site audits, tests, and verifications to ensure compliance with
our own security standards and appropriate industry specification
guidelines. All of Ericsson's software is verified, cryptographically
signed, and distributed centrally from Sweden, and, when so required,
under Swedish export licenses. We have strict software version controls
with check-in/check-out security, meaning that both the Ericsson
employee who wrote the code and the individual who reviewed/accepted
the changes are logged. Binaries are provided via secure download from
the Ericsson Software Gateway in Sweden, including a signature which
provides a trust anchor that ensures the software originated from
Ericsson and has not been tampered with in transit.
Where are Ericsson products developed and manufactured? Ericsson
has a global, flexible, high-integrity supply chain, with manufacturing
established in several countries around the world--including a sizeable
presence in the U.S., as I described above. Since 2018, we have been
proactively executing a regionalization strategy for our supply chain,
to place manufacturing and development as close to the customer market
as possible in order to mitigate potential risks or regional
disruptions and reduce dependence on one supply site or vendor. In
general, all active ``intelligent'' 3PP electronics (e.g., digital
semiconductors, silicon-based technology, application-specific
integrated circuits (ASICs), field programmable gate arrays (FPGAs),
etc.) for the Ericsson Radio System (ERS) are predominantly sourced
from U.S. companies, with a minor part from Japanese, Korean, and
European companies.
How does Ericsson provide security assurance? Ericsson takes a
holistic approach to ensure that security is built in from the start,
across supply chain, software and hardware development, testing,
implementation, and operation. For many years, Ericsson has worked
systematically to incorporate security from the start (security by
design) into all phases of product development, and we have a well-
established internal governance framework for product security. This
framework is how Ericsson is able to consistently deliver on our
product security commitment. The framework's key characteristics
include:
Defining our product security and privacy ambition level;
Ensuring the implementation of appropriate security and
privacy;
Following up and measuring actual product security and
privacy status; and
Enabling professional security services, such as security
and privacy training recommendations, solution level
integration guidance, and potential hardening activities that
need to be included in customer delivery projects.
In addition, all personnel and suppliers follow Ericsson's Code of
Conduct and Code of Business Ethics. Ericsson places top priority on
protecting our customers' networks and their customers' data, as well
as our intellectual property, all of which are governed under internal
policies, and certified by ISO/IEC 27001 and ISO 9001, which are
recognized as international guidelines on Information Security
Management and requirements for Quality Management Systems,
respectively.
Finally, we strongly believe in the principles of responsible
vulnerability disclosure towards all parties involved. Accordingly, the
Ericsson PSIRT (Product Security Incident Response Team) is responsible
for our product vulnerability management process, coordination of
customer product security incidents, and reported security issues
affecting Ericsson products, solutions, and services.
How does Ericsson promote and advise on industry-wide best
practices in 5G and supply chain security? Our security efforts do not
end with our products--Ericsson actively contributes to a number of
U.S.-based industry initiatives organized around ensuring supply chain
security. These include the Communications Sector Coordinating Council
(CSCC) and its Cybersecurity Committee (where I participate directly as
a member), the Council to Secure the Digital Economy (CSDE), and
multiple working groups within the standard-setting organization ATIS.
I also personally provide leadership in numerous government-
industry initiatives convened to promote collaboration on supply chain
security. I will cite three examples here, which are especially
relevant to this discussion.
First, it has been my privilege to participate in the
groundbreaking work of the Department of Homeland Security (DHS)
Information and Communications Technology (ICT) Supply Chain Risk
Management Task Force. The DHS ICT Supply Chain Risk Management Task
Force exemplifies how industry and government collaboration can quickly
and effectively deliver useful, sharable, expert-driven guidance in
complex areas like supply chain and 5G security. The Task Force
represents a formal, action-oriented collaboration between industry and
government that ties together various streams of activity. For example,
in September 2019, the Task Force released an interim report with
findings and recommendations from working groups that focused on:
The timely sharing of actionable information about supply
chain risks across the community (WG1);
The understanding and evaluation of supply chain threats
(WG2);
The identification of criteria, processes and structures for
establishing Qualified Bidder Lists (QBL) and Qualified
Manufacturer Lists (QML) (WG3); and
Policy recommendations for incentivizing the purchase of ICT
from original equipment manufacturers and authorized resellers
only (WG4).
In 2020, I will continue Ericsson's work in the Task Force Threat
Evaluation Working Group (WG2) by analyzing mitigations and risk
determination across multiple areas of the supply chain and making
recommendations on best practices and methodologies. I will also be co-
chairing a new working group (2020 WG4) to develop attestation
frameworks around various aspects of supply chain risk management. This
will help make requirements such as the NIST security standards and
other risk guidelines more understandable, predictable, and useful, and
also will address gaps in risk management or visibility by providing a
flexible template that can help guide planning and assessments and
provide clarity for acquisition reporting and vetting processes.
Second, I participate in the important work of the President's
National Security Telecommunication Advisory Council (NSTAC). In
particular, I serve on a subcommittee tasked by the NSTAC with
examining the security impact of software-defined networking (SDN) on
the U.S. government's National Security and Emergency Preparedness
functions, identifying the challenges and opportunities provided by
SDN, and assessing the use of SDN and other virtualization technologies
in support of national security.
Third, I represent Ericsson on the Communications Security,
Reliability, and Interoperability Council (CSRIC), which makes security
policy recommendations to the Federal Communications Commission (FCC).
Ericsson is working across three working groups in the current
iteration of CSRIC, CSRIC VII, notably:
Managing Security Risk in the Transition to 5G (WG2), in
which I am directly involved;
Managing Security Risk in Emerging 5G Implementations (WG3);
and
911 Security Vulnerabilities during the IP Transition (WG4).
Beyond these activities, we also work closely with other government
departments and agencies, including the National Telecommunications and
Information Administration (NTIA) and the National Institute of
Standards and Technology (NIST), both within the Department of
Commerce, as well as with the Departments of Defense and Energy.
Standards work is another foundational component of good security
assurance, as it supplies guidance and frameworks that ensure security
and privacy requirements are met consistently. Ericsson has been a
leading contributor in standards and frameworks groups such as 3GPP,
ETSI, IETF, GSMA, IEEE, the O-RAN Alliance, the Open Network
Foundation, and many more. As noted above, in total, Ericsson is a
member of more than 100 industry organizations, standards bodies, and
other technology alliance groups, as part of our mission to drive 5G
forward.
IV. Ericsson's Recommendations for the Committee to Support and Promote
These Priorities
At the beginning of my testimony, I listed three questions that
mark this moment in the trajectory to 5G:
Will 5G be innovative and dynamic?
Will 5G be secure and reliable?
Will 5G support the rule of law and enable fair competition
and the robust marketplace necessary to protect national
security?
As noted above, I believe that with intentionality and foresight,
the answer to these questions can be an emphatic ``yes.'' Now for the
hard part: How do we get there?
As a general matter, Ericsson urges the Committee to support the
various efforts described above, with an eye toward ensuring that
industry and government are coordinating efficiently and collaborating
productively on 5G security and supply chain matters, both domestically
and globally.
More specifically, we recommend that the Committee take the
following steps:
(1) Pass, implement, and oversee 5G security legislation. As I
noted at the outset, the Senate's recent passage of Chairman Wicker's
Secure and Trusted Communications Networks Act represents a thoughtful
and crucial step forward. We look forward to the President signing this
bill and stand ready to work with the small operators who will have to
replace existing equipment. As the Committee is well aware, further
opportunities to build on the momentum of that legislation await, as
several additional bipartisan 5G security-related bills have passed in
the House of Representatives. These include the House companion bill to
Senator Cornyn's Secure 5G and Beyond Act, co-sponsored by Senators
Sullivan and Blackburn of this Committee and others, which would
require the U.S. to develop a 5G security strategy. Passage of such
measures in the Senate would help demonstrate the U.S. commitment to 5G
security to countries around the world grappling with these issues.
(2) Support actions to accelerate 5G deployment. As I discussed,
Ericsson believes that accelerated U.S. 5G deployment will in turn
protect the security of the 5G supply chain, a goal that can be
achieved through (i) increasing spectrum availability, especially mid-
band; (ii) putting in place reasonable, streamlined small cell siting
rules; (iii) developing and deploying a skilled tower workforce; and
(iv) ensuring effective incentives to encourage 5G deployment in rural
areas. We commend the work being done in these areas and urge the
Committee to take up proposals to advance 5G deployments in the U.S.,
such as the STREAMLINE Act introduced by Senators Thune and Schatz,
which would preempt certain state/local small cell deployment
regulation; the TOWER Infrastructure Deployment Act introduced by
Senators Gardner and Sinema, which would require the FCC to set up an
Advisory Council to look at tower workforce issues; and the
Telecommunications Skilled Workforce Act recently introduced by
Senators Thune, Tester, Moran, Peters, and Wicker, which would require
cooperation among various agency heads to develop recommendations and
guidance that would empower the U.S. to catch up on the workforce
demands of the 5G era.
(3) Continue to enable a secure and robust marketplace of trusted
suppliers in the U.S. and globally. As I have discussed, one of the key
priorities for 5G is to strengthen and ensure the viability of a
competitive, dynamic, diverse, and robust marketplace of trusted and
secure suppliers on a global level, much like what we already have in
the United States, recognizing that global and domestic security are
intertwined. Such a marketplace, involving trusted and secure companies
like Ericsson, can counter other potential players that may pose
threats to national security. The Committee should remain attentive to
factors that might promote--or undermine--the development of this
global marketplace.
(4) Continue to hold hearings on the subject of 5G security. In
Ericsson's view, hearings such as this one provide an important vehicle
for highlighting what industry is doing to ensure a secure 5G world--
and for maintaining pressure on industry to stay true to its security
commitments. Such hearings can have a similar motivating impact on
government actors with security responsibility within their respective
jurisdictions around the world. Shining additional light on all of
these efforts will make them more effective in ensuring a secure supply
chain.
* * *
On behalf of Ericsson, I thank the Committee for its leadership in
this area. We look forward to continuing to work with you, other
government actors, and our industry partners to ensure that the 5G
world is a secure one. Thank you again for the opportunity to testify
today, and I look forward to your questions.
The Chairman. Thank you very much, Mr. Boswell.
Ms. Keddy.
STATEMENT OF ASHA KEDDY, CORPORATE VICE PRESIDENT
AND GENERAL MANAGER, NEXT GENERATION
AND STANDARDS, INTEL CORPORATION
Ms. Keddy. Chairman Wicker, Ranking Member Cantwell, and
members of the Committee, thank you for inviting me to speak
about 5G and supply chain [off microphone comments] Intel
Corporation.
My responsibilities include our participation in industry
standards and forums, including 3GPP, and driving the benefits
of 5G to various other industries to fuel widespread
innovation.
Intel is a U.S. semiconductor manufacturer that employs
more than a 100,000 people globally with more than half of
those in the United States. Intel is the largest global
semiconductor supplier with the vast majority for advanced
manufacturing and R&D conducted in the U.S.
It used to be Intel inside only in computers, PCs, and data
centers, but now we are inside the network, as well. 5G runs on
Intel. We are a leader in 5G and one of our roles is to supply
high-volume and high-quality products to telecom equipment
manufacturers, including Nokia and Ericsson.
By 2021, we are expected to become the world's largest chip
maker for 5G infrastructure. Intel takes a leading role in 5G
standards and industry groups, including 3GPP, IEEE, and ITU. I
also represent Intel at CTIA's Board of Directors and Intel is
a member of the ORAN Alliance and the new ATIS 5G Supply Chain
Working Group.
For today's discussion on 5G supply chains, I would like to
begin by discussing current developments regarding 5G networks
followed by our work to improve supply chain security and some
policy recommendations.
5G marks the convergence of communications and compute
capabilities which will fundamentally change our world. The
U.S. was the first nation with widespread 4G coverage which led
to the American app economy. 5G will enable benefits to
businesses in many sectors, such as industrial and IOT
manufacturing, transportation, agriculture, and health care.
Virtualization is critical to enabling the transition to
5G. As a part of this evolution, some of the network functions
are being virtualized rather than being served by a turnkey
solution, creating what we call a virtual radio access network
or VRAN.
Intel's product line supports various 5G network approaches
ranging from the traditional telecommunications equipment
manufacturers, like Ericsson and Nokia, so that they can
continue to develop products to ensure continuity in the
telecom industry to also new VRAN entrants, such as Altiostar
and Mavenir.
We recognize that security challenges exist. Intel will
continue our proactive efforts to build a more trusted
foundation for all computing systems. Intel's unique position
in the technology supply chain has allowed us to take a leading
role when it comes to transparency and security in partnership
with our suppliers and customers.
We have already developed a set of policies and procedures
at our own factories to validate where and when Intel-built
components were manufactured.
In today's complex supply chain for information and
communications technology, Intel is working with manufacturers
across the supply chain to help them offer customers better
transparency and visibility into manufacturing, support, and
retirement of computing devices. Intel calls this effort
Compute Lifecycle Assurance.
The industry needs an end-to-end framework like this
initiative that can be applied to improve integrity,
resilience, and security during the entire platform cycle.
The U.S. Government also has a valuable role to play in the
5G supply chain by encouraging and supporting the emergence of
a vibrant and trusted U.S. ecosystem. Given the potential of 5G
to provide valuable benefits to American businesses and
consumers, the U.S. Government should take measures, including
investments and incentives, to help facilitate widespread 5G
deployments in the U.S. and to accelerate new technological
innovation.
Thank you for the opportunity to highlight Intel's role in
this 5G ecosystem and our approach to supply chain security. I
look forward to your questions.
[The prepared statement of Ms. Keddy follows:]
Prepared Statement of Aysha Keddy, Corporate Vice President and General
Manager, Next Generation and Standards, Intel Corporation
Chairman Wicker, Ranking Member Cantwell, and Members of the
Committee, thank you for inviting Intel to speak about 5G supply chain
security. I serve as Corporate Vice President in engineering,
responsible for next generation technology and standards at Intel
Corporation. In this role, I am responsible for future products
including the convergence of communications, compute and artificial
intelligence and defining the future networks towards 6G. My
responsibilities also include Intel's contributions to industry
standards and the company's leadership in global forums including IEEE,
3GPP and multiple industry fora. It is my job to drive the benefits of
5G to various other businesses by fueling innovation for homes, cities
and enterprise.
Intel Corporation is a U.S. semiconductor manufacturer
headquartered in Santa Clara, California that employs over 100,000
people globally, with more than half of those in the United States.
Intel is the largest global semiconductor supplier, with the majority
of our advanced manufacturing and research and development (R&D) is
conducted in the United States. Revenue earned in global markets
contributes to Intel's Annual R&D and Capital Investments of 29.6
billion dollars.\1\ Intel is one of the last integrated device
manufacturers (IDM) in the United States. This means Intel owns
production for most of its products from conception, through design, to
manufacturing, all the way to delivery to a device manufacturer. Having
most of our design and fabrication within the same company creates
significant technology advantages for Intel in setting the highest
standards for quality, consistency and security. And when we identify
problems, the IDM model creates advantages for Intel in resolving
problems rapidly.
---------------------------------------------------------------------------
\1\ Source: 2019 Q4 10K filing from Intel Corporation, https://
www.intc.com/investor-relations/financials-and-filings/earnings-
results/default.aspx
---------------------------------------------------------------------------
Intel's processors, memory, storage and other products power much
of the world's computing capability. Intel is a leader in 5G and one of
our roles is to supply high volume and high-quality products to telecom
equipment manufacturers. By 2021, we are expected to become the world's
largest silicon provider for 5G infrastructure. 5G runs on Intel. It
used to be Intel inside computers and data centers, but now Intel is
inside the network as well.
Intel also participates in over 250 standards and industry groups
worldwide including industry alliances, regional standards
organizations, international industry standards groups and formal
international standards bodies. For 5G standards involvement, Intel
holds leadership positions in 3GPP, IEEE, and the International
Telecommunications Union. Intel is also a board member of the Telecom
Infra Project and a member of the ORAN Alliance. Intel also
participates in the new ATIS 5G Supply Chain Working Group tasked by
the Department of Defense with developing standards and evaluating
certification options necessary to establish ``assured'' commercial 5G
networks.
For today's discussion on 5G supply chains, I would like to begin
by discussing some developments regarding 5G networks followed by some
important considerations regarding supply chains.
5G networks:
5G marks the convergence of communications and compute
capabilities, a world in which 5G, Wi-Fi, artificial intelligence, the
cloud, and edge computing combine to fundamentally change our world.
The U.S. was the first nation with widespread 4G coverage which led to
many innovations that many of us use every day on our smartphones from
ordering rides to groceries to take-out dinners to checking in for
flights to reading books or watching shows. 5G will enable these types
of benefits to businesses in many different industries such industrial
IoT in manufacturing, mining, agriculture, healthcare, etc.
Virtualization is critical to enable to transition to 5G. Radio
Access Network (RAN) architectures are evolving to support a diverse
set of deployments. As part of this evolution, some of the network
functions are virtualized rather than being served by discrete
products, creating what are called virtual Radio Access Networks. An
analogy would be if you previously needed one computer to do
presentations, another computer to browse the internet, another
computer for e-mail, etc. but now you can do all those functions on a
single computer. This way you can use the processing power on the
application that needs it the most at a specific point in time.
Network virtualization has been a ten-year journey across the
communications industry, which started at the core of the network to
service provider metro and neighborhood central offices--and now out to
the RAN, the last link between users and the network (e.g., cell tower
to end user). Network virtualization enables the agility of software-
based innovation. Just as this approach enabled the dot com companies
of the 90s to provide new services to consumers, software innovation
including Virtual RANs are intended to enable a breadth of service
opportunity in telecommunications.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
3GPP is developing a global 5G standard which will be implemented
in networks worldwide. These networks will include traditional cellular
operators as well as new entrants. Different services providers will
take steps in network virtualization on varying timelines, so different
options will exist ranging from the traditional telecommunications
equipment manufacturer model to the different flavors of Virtual RAN.
Open RAN, such as the work within the Open RAN Alliance, is one version
of a Virtual RAN. The Open RAN Alliance is working to develop an
interoperable specification with open interfaces between the base
stations and the radio which enables cellular operators to utilize
different vendors.
Intel's product lines support the various approaches ranging from
traditional telecom equipment manufacturers (e.g., Ericsson and Nokia),
so they can continue to deliver products to ensure continuity in
telecom industry, to new entrants (e.g., Altiostar and Mavenir) through
our rich software development kit, open source activities and reference
platform designs.
Technology Supply Chains
We recognize there are security challenges to overcome. Worldwide,
policymakers have begun to focus on supply chain risks in new ways. In
August 2018, MITRE published the highly influential report, Deliver
Uncompromised, which described the urgency and importance for supply
chain risks to receive attention during product procurement. New U.S.
laws, including the 2018 SECURE Technology Act, gave Federal agencies
new authority to consider supply chain risks when procuring products.
From Europe's ``digital sovereignty'' efforts to Japan's ``Cyber/
Physical Security Framework'' efforts, there are signs of strong
interest in shining a spotlight on the trust and transparency of supply
chains for information and communications technology.
Intel will continue our proactive efforts to build a more trusted
foundation for all computing systems. Intel's unique position in the
technology supply chain has allowed us to take a leading role, in
partnership with our suppliers and customers, when it comes to
transparency and security. Intel's supply chain depends on successful,
consistent, and trustworthy relationships with roughly 14,000 companies
who provide Intel with the raw materials, products and services
required for us to supply technology to over 2,100 customers. The
collaboration and commitment occur across the supply chain--from
Intel's suppliers, through Intel internal production, and outbound to
Intel's customers.
Intel identifies four key stages in the compute supply chain:
build, transfer, operate and retire. Each stage includes unique
threats. Examples of these threats include:
Build
Injection of malicious code, logic or components during
design or manufacturing
Cyber-attack against a supplier resulting in denial of
service (DOS), supply chain disruption, data corruption, data
breach
Transfer
Counterfeit for profit, sabotage, or other reason
Interdiction and tampering during manufacturing or transit
Operate
Compromising administrator credentials
Installation of vulnerable code or components
Retire
Theft of components/data from retired system
Appropriate of residual data left on systems
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Compute Lifecycle Assurance
Addressing the gap between trustworthiness and `leap of faith' is a
primary motivation for a new Intel initiative designed to help increase
data available to end user customers about the supply chain that brings
computing devices to your doorstep. Intel describes the effort as
``Compute Lifecycle Assurance,'' and it starts with the goal of making
supply chains more transparent.
Intel has tackled big, complex problems like this before. We
actively led and collaborated with the industry to influence policies
and processes concerning the use of conflict-free minerals--not only
for Intel products--but across the industry. In addition, we have
already developed a set of policies and procedures at our own factories
to validate where and when every component of a server was
manufactured. These examples represent an important beginning, and
there is more that can be done.
In today's increasingly complex supply chain environment, we want
to provide our customers with a full range of tools and solutions that
deliver assurances of integrity throughout the entire lifetime of a
platform. This starts with a security-first approach to design. It
continues as platforms change custody, ownership and physical location
several times during their assembly, transportation and provisioning.
Once operational, they may then require updates for optimal performance
and security. Finally, upon retirement from service, platforms should
ensure the confidentiality of data that was transmitted, erased or
stored.
The industry needs an end-to-end framework that can be applied
across this multiyear life of any platform. And that is our goal with
the Compute Lifecycle Assurance Initiative--to substantially improve
transparency and to provide higher levels of assurance that improve
integrity, resilience and security during the entire platform
lifecycle.
Today Intel is working to:
Invest in tools and processes that improve the integrity of
Intel computing products across every lifecycle stage, building
on the Transparent Supply Chain tools we have today.
Contribute best practices, learned from our decades of
experience, for the collection, measurement, stewardship and
reporting of platform data to meet our customers' evolving
needs.
Collaborate with the ecosystem to develop innovative ways
that enhance access to platform data while maintaining
confidentiality of that data across the platform lifecycle.
Policy Considerations
The United States government has a valuable role to play in the 5G
supply chain by encouraging and supporting the emergence of a vibrant
and trusted ecosystem. Intel commends the work done in 2019 by the
Department of Homeland Security's Supply Chain Risk Management task
force and sees this type of public sector-industry collaboration as
vital to identifying and solving important questions about technology
supply chain. Likewise, the work done by the Commerce Department's
National Institute of Standards and Technology (NIST), has been
extremely helpful in creating common goals and frameworks for progress
among policymakers and industry. Intel has been active in these and
other efforts to offer its expertise and insight in addressing supply
chain risks and mitigations.
Given the potential of 5G to provide valuable benefits to American
businesses and consumers, the United States government should take
measures to help facilitate widespread 5G deployments. Intel has
advocated extensively for mid-band spectrum. Mechanisms to encourage
increased investments in 5G infrastructure and to facilitate continued
innovation throughout the 5G ecosystem will be critical. We appreciate
Congressional and Executive Branch interest in areas such as potential
broadband infrastructure deployment funding,), and ways to spur
innovation and deployments in 5G such as the USA Telecoms Act, which
serves as a good starting point for further discussion.
The Chairman. Thank you very much, Ms. Keddy.
Mr. Murphy.
STATEMENT OF MICHAEL MURPHY,
CHIEF TECHNOLOGY OFFICER, AMERICAS AT NOKIA
Mr. Murphy. Chairman Wicker, Ranking Member Cantwell, and
members of the Committee, on behalf of Nokia, thank you for the
opportunity to testify today.
First, a short introduction. Nokia's been the leader in
every generation of wireline and wireless communications. We
have 11,000 employees in North America, across 28 sites, with
five innovation hubs, including Bell Labs, the recipient of
nine Nobel Prizes. We are the sole telecom supplier on the
Ethisphere Honoree List recognizing the most ethical companies
in 2020.
I'd like to address the FCC's decision requiring removal of
equipment of certain vendors. Nokia completed 60 major swaps in
the last 3 years, including the largest ever done, replacing
75,000 base stations in Verizon and AT&T networks. We know
swaps.
Given the demand on crews for elevated 5G activity, rural
customers might be challenged to complete their tasks in the 12
months indicated in the Secure and Trusted Telecommunications
Networks Act. As such, we recommend that usage of the 6-month
extension or more be granted liberally.
With respect to technology selection, we're at the
confluence of 4G and 5G and thus many products now support both
technologies. We believe rural carriers should be allowed to
purchase those versus only like-for-like 4G systems. This would
allow them to secure their networks and jumpstart 5G
activities. The risk of gold-plating could be mitigated by
employing like-for-like at the service level.
Also, there is a Senate bill that proposes to restrict
monies for replacement on a condition of ORAN Alliance
certification within 7 years. However, fully compliant ORAN
products are few and immature. Putting that burden on rural
carriers, the least capable of being early adopters, is perhaps
unreasonable and thus a technology-neutral approach might be
more appropriate.
Finally, there is some anxiety in this transition. However,
the U.S. was the first country in the world to launch 5G
networks, the first to utilize millimeter Wave, low-band
frequencies, virtualized solutions, and more. These have been
done by Nokia, Samsung, and Ericsson. So it is incorrect to
suggest non-Chinese vendors cannot lead in the 5G or represent
a reduction in capabilities.
As for the 5G marketplace at large, it is challenging.
China has made aggressive use of its Development Bank to
support indigenous suppliers. Payment terms offered, while
legal, are unavailable to competitors through commercial banks.
The U.S. Export-Import Bank and the International
Development Finance Corporation could potentially rebalance the
situation. Also, the Chinese telecom market is massive,
supporting significant R&D spend by domestic suppliers
subsequently applied to foreign markets.
R&D spending support in the U.S. through the National
Spectrum Consortium, the U.S. Connect, and the Senate
Intelligence Committee bill are excellent. However, more could
be done to support 5G product development, local use cases, and
especially 6G research.
Finally, regarding 5G security, 5G will enable use cases
supporting critical services across multiple industries. This
makes the 5G attack surface larger than in 4G with the
potential for catastrophic impacts should bad actors infiltrate
networks.
This was known during the creation of 5G and actions in
3GPP standards have resolved many of the weaknesses in 4G.
However, network breaches are still possible.
Nokia does not support the view that either product or
geographic isolation are effective. Rather, security is best
served by using trusted suppliers. For example, in Nokia,
ethics and reporting of unethical behavior is mandatory for all
employees and is a prerequisite for employment.
In product development, Nokia implements a design for
security governance model that involves testing all products
for vulnerabilities followed by structured resolution processes
and rigid correction timelines. Transparency is mandatory.
It should be noted that these activities are independent of
country of origin and that is my final thought. Namely, that
the governance, historical behavior, ethics, and security
systems implemented by companies are the true definition of
trust.
In closing, thank you again, Chairman Wicker, Ranking
Member Cantwell, and members of the Committee, for the
opportunity to testify here today.
[The prepared statement of Mr. Murphy follows:]
Prepared Statement of Michael Murphy, Chief Technology Officer,
Americas at Nokia
Chairman Thune, Ranking Member Cantwell, and members of the
Committee, on behalf of Nokia, thank you for the opportunity to testify
today.
Nokia appreciates the leadership of this Committee, Congress, the
Federal Communications Commission (FCC), and the Administration in
securing U.S. communications networks. In this testimony, I want to
discuss several topics.
First, given recent congressional action regarding the
critical need to move forward in assisting small carriers with
removing untrusted vendor equipment in their networks, I will
outline several issues Congress and the FCC must keep in mind
to ensure that the removal occurs without a negative impact on
carriers and the communities they serve.
Second, an important element of ensuring a secure supply
chain for communications equipment is guaranteeing that the
trusted suppliers already providing equipment to the U.S.
market can compete at a global scale and on fair terms. I will
share Nokia's perspective on the current global marketplace and
some challenges that are the result of advantages extended to
Chinese suppliers that are not available to other suppliers and
how that can be mitigated to ensure a level playing field for
trusted suppliers.
Finally, I will highlight several of Nokia's leading
security and supply chain activities, including design for
security and supply chain validation, and why we believe they
result in trustworthy networks. I will also comment on how new
U.S. actions on supply chain security should recognize
practical timelines to ensure execution success.
About Nokia:
Nokia is the industry's only global supplier having an end-to-end
portfolio of network equipment, software, services and licensed
technology. Our customers include communications service providers
whose combined networks support 6.1 billion subscriptions, and our
enterprise customers have deployed over 1,000 industrial networks
worldwide. We transform how people live, work and communicate. We are
the only telecommunications equipment provider listed in Ethisphere's
2020 Honoree list of ethical companies.
Nokia has a massive presence in North America with more than 11,000
employees, the bulk of those in the United States. We have 28 sites
including five major innovation hubs of which four are in the United
States: Sunnyvale, CA; Dallas, TX; Naperville, IL; and Murray Hill, NJ
the site of the iconic Nokia Bell Labs, recipient of 9 Nobel Prizes.
There are also two major Nokia data centers in the U.S., one in Plano,
TX and the other in Chicago, IL. In addition, SAC Wireless, a Nokia
subsidiary, has 21 sites in the United States. SAC offers turnkey
services to support major network builds and upgrades for 4G, 5G, Small
Cells and FirstNet. Those services include site selection and
acquisition, engineering, construction, optimization, maintenance and
end-to-end program management.
Nokia has been a leader in every generation of wireline and
wireless communications to date and continues that leadership in 5G.
The race to innovate never stops. In fact, even as we continue to roll
out the earliest 5G networks, our work on 6G has already begun at Bell
Labs.
Removal and Remediation of Equipment Provided by Untrusted Vendors in
U.S. Rural Networks
Throughout the FCC's secure supply chain proceedings, Nokia
provided technical input on the strengths and weaknesses of networks
with respect to their inherent security and how a secure supply chain
could be created by using our own company's internal governance as
examples.
Now, given the FCC's decision to require removal of equipment from
certain vendors, Nokia would like to offer additional perspectives on
what the FCC and Congress should bear in mind before prescribing the
final replacement guidelines and funding criteria. That advice, as I
outline herein, is that flexibility in timing and technology neutrality
will be essential if this effort is to be successful. Executed well,
this effort can also help in the U.S.'s drive towards 5G leadership.
Flexibility in timing:
The FCC correctly recognized during its rulemaking process that a
funded reimbursement program should be implemented before requiring
recipients that receive universal service fund support to remove and
replace covered equipment from their networks. Congress has taken the
first critical step by passing the Secure and Trusted
Telecommunications Networks Act.\1\ Nokia believes that several
provisions of the Act are prudent, particularly the provision granting
discretion to the FCC to extend the time allowed for impacted carriers
to replace covered equipment from one year, by up to an additional six
months, and the directive for the FCC to remain technology neutral in
establishing the list of recommended replacement equipment. The
following provides some detail on why we support those provisions.
---------------------------------------------------------------------------
\1\ Protecting Against National Security Threats to the
Communications Supply Chain Through FCC Programs, Report and Order,
Further Notice of Proposed Rulemaking, and Order, WC Docket No. 18-89,
FCC 19-121, � 122 (rel. Nov. 26, 2019) (``Order and FNPRM'').
---------------------------------------------------------------------------
Nokia completed more than 60 major swaps in the last three years,
including the largest ever done, replacing 75,000 base stations in both
the Verizon and AT&T networks following our acquisition of Alcatel-
Lucent and the transition to a new product platform. Those projects
required removal and replacement while also maintaining service
continuity and service quality. That is--and should be--the expectation
of swap activities for all impacted carriers in this context. Based on
those past experiences, Nokia can attest that these efforts require
careful planning, are network specific, and the times required vary
significantly from project to project. Network size is not the only
factor affecting timelines. For example, new product variants or
features may be required for unique spectrum combinations or to match
customized capabilities provided by the previous vendor.
Beyond routine timelines, ongoing large 5G builds are creating a
shortage of qualified tower crews. In fact, despite Nokia having the
largest in-house field service team in the U.S., we still see a dearth
of crews to meet 5G demands in 2020 and into 2021. Small rural markets
covering vast rural landscapes with shortened climbing windows during
winter months only exacerbate the issue. We appreciate the leadership
of Senators Thune, Tester, Moran, Peters, and Wicker in introducing the
Telecommunications Skilled Workforce Act to help address this gap.
In short, our view is that flexibility in timelines are a necessary
practical reality, and thus extensions to the current one-year proposal
will likely need to be granted liberally.
Flexibility in technology:
During the rulemaking process, the FCC proposed ``to make available
reasonable replacement costs for the equipment and services produced
and provided by covered companies. . . .'' \2\ and asked whether
recipients of universal service funding should be ``allowed to seek
reimbursement for technology upgrades to their networks . . .'' \3\
Nokia noted to the FCC that carriers replacing equipment need to have
the freedom to buy solutions that are not just ``like for like,'' due
to the unique times we are in (that is, in the midst of a 4G to 5G
transition, the drive towards more open systems and virtualization).
All of these play a role in what a rural carrier should, or should not,
do in removing and replacing a supplier. The following provides Nokia's
recommendation on these competing and complex topics.
---------------------------------------------------------------------------
\2\ Id. � 137.
\3\ Id.
---------------------------------------------------------------------------
Regarding ``like for like,'' Nokia is and will continue to offer
such solutions to all impacted carriers when they are available,
appropriate and cost-effective. However, a significant part of Nokia's
portfolio sold today supports both LTE and 5G through software
upgrades. Replacing impacted carriers' equipment with older generation
``LTE only'' hardware could burden rural communities with avoidable
near-term high 5G upgrade costs. A potential way forward is to offer
``5G Ready'' hardware but costing only the LTE components. Putting it
another way, supporting ``like for like'' at the service level, but not
necessarily at the hardware level. This would help mitigate the risk of
gold plating and potentially help accelerate 5G in rural communities,
thus supporting the U.S. drive towards nationwide 5G leadership. In
short, there are no downsides.
In addition to avoiding being overly prescriptive on replacing
``like for like,'' the FCC should also not condition funds on any
prescriptive technology mandates. No specific technology, network
configuration, or other similar mandate will be a one-size fits all
solution to all network deployments. For this reason, Congress was wise
to direct the FCC to implement a list of potential replacements that is
technology neutral. At the same time, a recently introduced Senate bill
suggests restricting any money for replacement on the condition that
the relevant carrier must develop and submit a plan certifying that it
will migrate to an open solution within seven years. While the intent
of that bill is to encourage U.S. based 5G entrepreneurship, its timing
brings with it some practical challenges.
The reality is that fully compliant open interfaces as specified by
the ORAN Alliance, the most relevant in this context, have not been
deployed anywhere in the world yet. These are new grounds for the
industry. In fact, it is uncertain whether the most critical interface
specified by ORAN will be deployed widely, as alternatives are already
being proposed by several contributing, significant members. Likewise,
virtualization, an orthogonal technology to ORAN, that can also
facilitate open systems, has only been deployed by one carrier globally
in a 5G Radio Access Network. In short, there is limited maturity in
both ORAN and Radio Access Network virtualization. For this reason,
Nokia believes that putting these burdens on rural carriers, the least
capable of being early adopters, would be unreasonable and should not
be a pre-requisite for Federal funding to replace their existing
equipment, at this time.
The Challenging Marketplace for 5G
Speculation about ``the Race to 5G'' and anxiety about which
countries will lead and which vendors will prevail has been a staple of
public commentary for the last couple of years. Much of that commentary
and anxiety has suggested that non-Chinese vendors are not capable of
matching the breadth or quality of products offered by Chinese
suppliers and, as a result, would not succeed. While that argument is
incorrect, there are areas of concern that need to be addressed.
The U.S. was the first country in the world to launch 5G in the
fourth quarter of 2018, followed by more significant launches in April
of 2019. The U.S. was also the first country in the world to launch 5G
based on mmWave. The first to launch 5G on low band frequencies,
nationwide. The first to deploy a virtualized solution. And the U.S.
will also be the first globally to launch what is called a Standalone
5G core network and the first to launch a technology called Dynamic
Spectrum Sharing or DSS, allowing 5G and 4G to be deployed on the same
spectrum. These firsts have and are being done by Nokia, Ericsson and
Samsung. So, it is factually incorrect to say non-Chinese vendors are
incapable of leading in 5G.
That does not, however, mean that the marketplace is without
challenges. Policymakers should note that the pressure on many global
wireless operators to reduce capital and operations costs, if very
high, even as they deploy 5G networks, is very high. Against this
backdrop, government programs including export credit agencies play a
very significant role in coloring the attractiveness of supplier
pricing. China has made aggressive use of its development bank and
other programs to support its indigenous suppliers. Other nations have
been far more reserved. For example, the U.S. Export Import Bank has
not focused on telecommunications infrastructure projects in many
years.
The payment terms being offered by Chinese suppliers suggest the
underlying financing mechanisms, while legal, are neither consistent
with commercial norms, nor available to competitors from commercial
banks. We believe this is an approach that is common across many
markets now based on requests from some of our customers to match these
lengthy, low-interest payment terms. We raise these lawful finance
mechanisms to ensure that Congress and the Administration know that
they have tools available today to make a considerable difference in
the competitive balance in the coming years through existing
institutions.
The U.S. Export Import Bank and the recently renamed International
Development Finance Corporation could potentially provide billions of
dollars of grants, direct loans, loan guarantees, and insurance to
exporters of 5G technology with its origins in the U.S, including to
Nokia. Fortunately, there is movement in this direction now that
reauthorization has been completed and the Administration appears to
support moving forward as well. I encourage Congress to express its
support for using these important programs to support trusted suppliers
and to help them compete on a more level playing field internationally.
An additional challenge is that the Chinese telecommunications
market is massive and dominated by domestic suppliers that collectively
provide more than 70 percent of the equipment for LTE networks, a
figure that is likely to go higher in 5G. That places Chinese suppliers
in a position whereby they can spend massively on R&D and use that
depth in foreign markets. Policymakers here in the U.S. and other
nations that want to ensure a diversity of suppliers should work to
coordinate their own R&D support programs might be utilized and
coordinated to support a level playing field. To date, much of the R&D
spending in the U.S. has been in support of foundational research
through funding of incubators via the National Spectrum Consortium and
U.S. Connect. The recent Senate Intelligence Committee bill authorizing
significant funding for research on network virtualization is an
additional opportunity to provide essential research support. These are
well designed efforts showing the potential for promising returns, but
they are ultimately insufficient in scope and resource level. The
missing components are support for further 5G product development, 6G
foundational research, and support generally for creating new
manufacturing and industrial base development activities in the U.S.
5G Security Planning and Nokia's Supply Chain Practices and Policies
I would like to turn now to the topic of 5G readiness and security.
It has become widely understood that 5G will enable advanced, new use
cases supporting critical services such as autonomous driving, factory
automation, connected healthcare and others. These, combined with an
architectural approach that includes virtualization and distribution,
increases the inherent risk and potential damage caused by bad actors
on 5G networks. Putting it another way, as 5G expands beyond smartphone
users, and IoT devices start to play a larger role, the network attack
surface increases. This has given rise to concerns about whether 5G is
``ready'' from a security perspective. We believe it is for several
reasons.
First, learnings from LTE networks and the vulnerabilities
encountered in them have been addressed by improved security mechanisms
in 5G standards as specified by 3GPP. For example, in 4G networks, the
identify of users is often transferred ``clear'' across the air
interface. This has allowed ``IMSI hackers'' to capture user identities
and use them maliciously. This has been corrected in 5G through
encryption of user identities. At this level, 5G is a significantly
more secure system. Second, in addition to improving interface level
security, 5G also introduced network wide security through the concept
of secure, virtual ``slices'' across networks that cannot be breached
by users in other slices. Visualize a government ``slice'' across a
public network, that is protected and unreachable by users in a public
smartphone slice.
However, even with these improvements, the reality is that bad
actors could still infiltrate a 5G network. In other words, you still
must trust suppliers to not act maliciously even with improved,
standardized approaches to security. In that regard, Nokia does not
support the view that either product or geographic isolation are
effective. A breach in one part of a network could extend to other
parts of the network. For this reason, Nokia believes the final and
most important element of a secure system, comes from the governance
models, ethical behavior and product development processes that
suppliers demonstrate and apply. And here I would like to provide Nokia
as an example.
One of the reasons for Nokia being on Ethisphere's ethical honoree
list comes from internal governance that mandates both corporate and
personal ethical behavior. Training in ethics and reporting of
unethical behavior is mandatory for all employees and is a prerequisite
for employment with zero tolerance.
At the product level, Nokia systemically ensures that the products
we deliver are secure through a Design For Security (DfSec) governance
model that involves security testing of all product releases and
continuous monitoring of all software components used in our products
for vulnerabilities. Product teams have structured processes and
enforced timelines for how any uncovered vulnerabilities must be
handled and communicated to affected customers. To ensure our own
products are secure during this process involves strict guidelines
related to coding, hardening, testing, and updates. Processes we expect
of 3rd party suppliers as well. Transparency and a governance model for
corrective action are part of how we deliver products.
Finally, Nokia monitors a number of networks through a Threat
Intelligence Lab. Results from that lab allow us to understand and
deliver updates to customers to proactively prevent wider issues.
I hope that this information provides a meaningful basis for U.S.
consideration about future supply chain activities. It is critically
important that policymakers understand what is actually done today to
ensure component security, product security and post-sale security
support before prescribing new regimes for testing or certification
that could impose costs on your trusted suppliers without necessarily
providing a security dividend. And that is where a supply chain
security strategy really should begin, careful assessment of known
risks and current industry practices. Actions the U.S. might consider
should draw from areas only where gaps are perceived. In helping
industry to be a constructive partner in this process, Nokia recommends
the following:
Identify best practices in design for security, supply chain
validation and post-sale support and encourage the adoption of
those practices;
Rather than focus on countries of origin for component
sourcing or manufacturing, specify the components or activities
that give rise to the risk of exploitation or manipulation. Not
all components and products create risk. Narrowing the focus to
specific components or products with risk will assist suppliers
in making critical and cooperative decisions with governments
about supply chain activities.
Thank you again Chairman Thune, Ranking member Cantwell and members
of the Committee for the opportunity to testify here today.
The Chairman. Thank you, sir.
And Dr. Lewis.
STATEMENT OF DR. JAMES A. LEWIS,
SENIOR VICE PRESIDENT AND DIRECTOR,
TECHNOLOGY POLICY PROGRAM, CENTER FOR STRATEGIC
AND INTERNATIONAL STUDIES (CSIS)
Dr. Lewis. Thank you, Mr. Chairman.
Mr. Chairman, Ranking Member Cantwell, thank you for the
opportunity to testify.
We hear that 5G is a race the U.S. cannot lose but if it is
a race, we are not losing. Let's review some key issues.
The U.S. has not been rebuffed in Europe. The U.K. decision
is best seen as a partial ban. Europeans agree on the risk of
using Huawei and the EU calls China a systemic rival.
Where there is disagreement is over how to manage risk.
Germany has a dilemma. If it bans Huawei, China has threatened
to retaliate against German exports and China is Germany's
largest market. German car companies have allegedly asked
Chancellor Merkel not to ban Huawei and Germany is tempted to
copy the U.K. partial ban.
Those who advocate a partial ban argue that if properly
implemented, it makes the risk of using Huawei equipment
acceptable. A full ban is best, but if countries decide against
it, the U.S. will need to help make partial bans effective.
Spectrum is not an obstacle. Telecommunications companies
say that the spectrum allocation process could be faster and
cheaper, but spectrum decisions have not put the U.S. at a
disadvantage.
The key issue, as you know, is finding ways to share
spectrum now held by DoD. Standards are a battleground but in
5G, it is a battle where the U.S. is doing well. This could
change if U.S. export controls handicap our companies. This is
a self-inflicted wound we must avoid.
Telecoms' technology is changing. The telecom supply chain
will depend on technologies where the U.S. leads, like
semiconductors. Blocking exports of semiconductor manufacturing
equipment is the best way to preserve this lead.
Huawei does not sell the best 5G equipment. A review by a
European intelligence agency found that Huawei was the most
vulnerable to exploitation. Nokia and Ericsson offer better and
more secure 5G technology.
U.S. companies are strong in the markets that 5G will
enable. We face tough competitors but the chief risk to this
U.S. strength in 5G innovation will be badly designed privacy
rules.
The doomsday argument is that because of the slowness in 5G
deployment and the lack of spectrum, American entrepreneurs
will not be able to take advantage of 5G, but the U.S. is not
slow in 5G deployment and spectrum allocation is not an issue.
5G is a symptom of a larger problem. We face a powerful
opponent who is using espionage and predatory economic
practices, including exploiting American patents to gain
advantage. 5G is part of this contest.
Our strategy is strength in America's technology base, work
with allies, and hold China accountable, and many of the bills
introduced recently by this Committee and others move us in
that direction.
To summarize, I believe America's 5G problem is over-
stated. If we take the right steps, we can win this race. The
larger issue is how to deal with an increasingly hostile China.
Thank you, and I look forward to your questions.
[The prepared statement of Dr. Lewis follows:]
Prepared Statement of Dr. James A. Lewis, Senior Vice President
and Director, Technology Policy Program, Center for Strategic
and International Studies (CSIS)
Mr. Chairman, Ranking Member Cantwell, distinguished members of the
Committee, thank you for the opportunity to testify. The fifth
generation of telecommunications network technology is an important
development and I hope my testimony can dispel some of the myths and
offer a path forward for American prosperity and security.
We often hear that 5G is a race the U.S. cannot lose. It sounds
dramatic, but I am not sure what it means. I am sure, however, that if
there is a race, we are not losing. The U.S. is well positioned to take
advantage of 5G technology, just as it did with 4G. The difference this
time is we have real competition, a competitor who is well resourced,
with a strong technology workforce, and a long record of unscrupulous
behavior. We face a dynamic competitor in China, and there are things
the U.S. can do to strengthen both its security and its technological
leadership. Congress can play an important role in this.
The 5G issue has become politicized and this shapes reporting in
unhelpful ways. Let's dispel some of the myths. First, the U.S. has not
been rebuffed in Europe. In speaking to colleagues in the UK and
Europe, there is broad agreement with the U.S. on the risks of using
Huawei. The UK action is best seen as a partial ban on Huawei. The UK
has blocked Huawei from two thirds of their network and from being used
in sensitive areas around government and military installations. They
and other European countries are committed to maintaining supplier
diversity and avoiding Huawei dominance. The U.S. needs to find ways to
benefit from these shared concerns to develop secure telecommunications
networks.
Where there is disagreement is in how to manage risk. The U.S.,
Japan and Australia have banned Huawei technology in their networks.
This is the only way to eliminate risk entirely. Those who advocate a
partial ban argue that if properly implemented, it makes the risk of
using Huawei manageable. Some European countries will copy the UK's
decision. This provides the U.S. an opportunity to work with our allies
to ensure that a partial ban reduces risk and there could be real
advantages for the security of telecom networks and cybersecurity. The
recently issued European Union 5G Toolbox provides a framework to guide
policy in a way that, if implemented fully, would reduce China's use of
telecom infrastructure for espionage and influence.
A full ban is the best outcome for security. It is not, in the
judgment of some of our allies, the best outcome for their economies.
Germany, for example, faces a dilemma. If it bans Huawei, the Chinese
have explicitly threatened to retaliate again German auto exports, and
China is Germany's largest market--China is playing hardball. German
car companies have reportedly asked Chancellor Merkel not to ban
Huawei. However, if Germany uses Huawei, China's intent is to use
espionage to hollow out the German industry, and in particular the auto
industry. If countries ultimately choose a partial ban, we will need to
work with them to ensure that it is well implemented.
There is a larger debate over whether banning Huawei from the
``core'' of telecom networks and confining them to the ``edge,'' such
as the Radio Access Network (such as the cell tower that connects your
phone to the network) will actually work. U.S. and Australian agencies
say no, the UK and others (including some American tech companies) say
yes. Frankly, the issue is moot. The UK has chosen a partial ban,
others will follow them. It would be best for security if countries
adopted a full ban, but if they do not, the U.S. needs to help make the
partial ban as effective as possible. There is concern about how
Germany may implement a partial ban, but the way to persuade it and
others to cooperate with the U.S. is not by using heavy-handed threats
to cut intelligence sharing. All Europeans say this doesn't help our
case and if we use a more deft diplomacy that focuses on winning
European cooperation in the battle against Chinese espionage, we are
more likely to be effective--the Europeans are already aware of the
problems of doing business with China, having declared that China is a
``Systemic Rival.''
The root of the 5G problem is Chinese espionage and Chinese
predatory economic practices. Our European and Asian partners have
realized the extent of the Chinese espionage campaign against them.
Countries near China are eager to cooperate, but there is an
ambivalence in Europe. China is not a military threat to them and there
is a reluctance to admit that the China market that Europe depends on
comes with real economic risk. Europeans say they want ``technological
sovereignty,'' to be free of both China and the U.S., and they cite
Snowden in an effort to show moral equivalence between the U.S. and
China. Spying, illicit subsidies, and predatory pricing helped Huawei
to drive western telecom manufactures from the market and other sectors
of the European economy, such as aerospace and automobiles, are now at
risk. Our task is to persuade European allies that it is better if the
democracies stand together.
Spectrum for 5G is not an issue. The FCC and NTIA have done a god
job at supporting 5G deployment. In talking to major telecommunications
suppliers, they say it would be nice if the spectrum allocation process
was faster and less expensive, but most say that it is working well to
meet their needs for 5G. Spectrum decisions have not put the U.S. at a
competitive disadvantage. The U.S. has one of the most flexible
regulatory frameworks that permits operators to migrate to another
technology in a wide range of bands. The United States is one of the
first deploying in high bands but we are also seeing deployment in
other bands. 5G will be deployed in the low, medium and high bands in
the United States. U.S. spectrum allocations have created demand for
tech companies to develop solutions that will allowed for 5G rapid
deployment.
The complaint that the U.S. has mismanaged 5G spectrum allocation
has led to a variety of strange proposals, such as a Federally-operated
5G network or a Federally-anointed spectrum monopoly. All of these are
silly and one way to explain this is that government monopolies were a
good economic policy in the 15th century but have not worked as well
since then. The best 5G policies rely on market forces. If there is an
issue in spectrum allocation, it is one the Committee if very familiar
with, and that is the process for deciding when the U.S. Department of
Defense should retain spectrum or when it should be reallocated for
economic purposes. NTIA has done a good job of balancing security and
economics, but in the new international competitions, emphasis on
economic benefit might better serve U.S. national interests.
Standards are a battleground, but in 5G it is a battle where the
U.S. is holding its own and retains the lead. This is not an easy
fight. China is politicizing the standards process, flooding meeting
with its experts, and is already leading in some bodies like the
International Telephony Union (ITU). This is not the case for 3GPP, the
standards body responsible for 5G. Its rules block efforts by one
government to seize control and frankly, Chinese technology is in many
cases inferior, making people reluctant to use it as a standard.
Interviews with leading American 5G companies show that the 3GPP
standards process is still led by western companies, not China.
One crucial element for maintaining this advantage is to not see
expanded export controls inadvertently damage the ability of American
companies to participate in standards discussions. The U.S. Department
of Commerce rules have created uncertainty. It is not good for U.S.
companies to be sidelined in standards discussions by our own rules
while Chinese companies are not.
Huawei is not the only supplier of 5G technology, nor is it the
best equipment available. In fact a review by a European intelligence
agency found Huawei was the most vulnerable to intelligence
exploitation because of engineering and software problems. Huawei has
undeniable strengths, and of them is its public relations department.
Which has had considerable success in persuading people of the
necessity of buying from Huawei as it is the ``only'' supplier of 5G
technology which they must buy if they are not to ``fall behind.''
Nokia and Ericsson offer 5G technology that is better and more secure,
and Samsung is also establishing a presence in the 5G market.
The discussion of 5G has been shaped by the precedent of the
internet, a technology that has reshaped corporate fortunes and
national economies. People assume that 5G's economic effect will be the
same, but this should come with a precautionary note. The Internet was
created in the 1970s, commercialized in the 1990s, and began to rapidly
reshape markets in the first decade of this century. Change is not
instantaneous and the idea of falling behind unless you immediately
install Huawei completely misrepresents the economics of digital
economies.
5G (and Wi-Fi) will enable connections between sensors, the data
they create, and powerful Internet computing resources. Innovators can
take advantage of this connection to create new services and
applications. These will be new enterprise and industrial applications
such as smart seaports, hospitals, or factories. Self-driving cars are
part of this and 5G will speed their use.
5G could be the start of another round of innovation and growth
similar to what we saw with the arrival of the internet, but for this
to happen, 5G must be accompanied by ``complementary investments.''
These include the invention of new products and services that make use
of 5G networks, and the development of new business models and
processes that can profit from 5G. The U.S. is strong here, but so is
China. The need for complementary investments and innovations put the
``race'' metaphor in context, because what companies and countries do
with 5G is more important than how quickly they deploy or how ``much''
5G they have.
The doomsday argument is that because of slowness in American 5G
deployment and the allocation of the wrong spectrum frequencies, U.S.
inventors will not be able to come up with innovations that will take
advantage of 5G. But the U.S. is not slow in 5G deployment and the
spectrum issue is not a significant obstacle.
China does not lead in 5G. China will have more 5G phones or cell
towers simply because it has more people, but this is the wrong thing
to measure. American and Chinese deployments are roughly equivalent,
with 57 cities in China that have 5G as opposed to 50 in the U.S. The
key metrics are revenue and market share from the ability to use 5G to
create economic growth.
Companies will use 5G services to be more efficient and innovative,
and innovators will create new services and products that 5G can
enable, but what ultimately counts is how people use 5G to make money.
One way to make money from 5G is to sell the technologies that
enable it. This is where much of the public attention has focused
because of the security risks. There are five companies that sell
telecom network technologies--Ericsson, Huawei, Nokia, ZTE, and
Samsung--but they sit atop multinational supply chains that are largely
American, Japanese, and Chinese companies that make hardware and
software components used by the five major suppliers.
Another way to make money is to sell 5G services--this is what
telecom companies will do. The most ``disruptive'' way to make money,
and the way that probably offers the best outcomes for economic growth,
is to create applications (apps) that take advantage of 5G. Your
smartphone is in effect a tiny computer. The change in how people use
the internet, from desktops to smartphones and apps, helped American
companies define the mobile Internet and create the ``app economy''
that rapidly grew to be worth billions of dollars. 5G industrializes
the app economy and expands it beyond games and other consumer
programs, and this is where the opportunities for economic growth will
appear. 5G will move the app economy from consumer applications (like
Angry Birds) to industrial and enterprise applications.
It is true that Europe and China announced they intend to dominate
5G the way the U.S. dominates 4G, and American companies face new
competition, but success depends on making products and offering
services that appeal to the market. The most important market segment
for 5G will be enterprise applications that allow companies to operate
more efficiently and productively. Examples of these enterprise apps
would include supply chain management systems, customer relationship
management systems, and knowledge management systems. So far, the
``killer app'' for 5G has not been created, but U.S. companies are
strong in these markets. It is not credible to expect the nimble, well-
resourced, and entrepreneurial U.S. tech sector being squeezed out of a
profitable market.
The policies that promote success in each of these areas are
different. For technology producers, the focus on competition is over
5G's intellectual property, standards, and patents. Policy should
encourage and support R&D, protect intellectual property, and ensure a
level playing field in international standards and trade.
Each competitor has different plans for 5G. Germany intends to use
5G for industrial applications, part of its ``Industry 4.0'' plan, and
its strong manufacturing sector may give it an advantage. 5G will play
a central role in the development of smart and self-driving cars, and
all countries with an automotive industry will compete in this. China
already has valuable consumer apps (like WeChat), a strong developer
base, and will also pursue industrial and enterprise applications.
China had an advantage in developing apps for the Internet of things
since its companies are the source of many of these products. But
Chinese companies also face trust issues, since any Chinese-made device
that connects to the Internet could be exploited by Chinese
intelligence agencies.
Telecom technology used to be somewhat static, changing slowly. It
relied on specialized hardware, each generation providing incremental
improvements over the prior in speed and reliability. New technologies
like cloud computing were layered on top of established protocols and
equipment. This is now changing. Telecommunications technology is now
going through a transition similar to the effect of the commercial
Internet on computing three decades ago. This has major implications
for security and business.
The move to an open, modular approach to telecom will change supply
chain dynamics in ways that favor the U.S. (and Japan). The supply
chain for telecom will depend on semiconductors, chipsets, and
specialized software (including ``open source'' software), all areas
where the U.S. has a substantial lead over China--in some cases there
are no Chinese competitors. Estimates of how long this telecom
transformation will take range from three years to a decade. The shift
puts Huawei at a disadvantage. China will of course invest to catch up
(accompanied by increased espionage), but money alone won't remedy
China's lag in software and semiconductors.
The most visible aspect of this change is Open Radio Access Network
Alliance, an industry group developing architectures and software that
will enable virtualized networks (e.g., those based on software rather
than hardware), commodity computers, and standardized interface.
The companies that make the modular components for new telecom
technologies included both familiar names and new startups. Qualcomm,
Intel and Samsung make chips. Microsoft (which has a huge 5G lab)
writes operating system software. Cisco, Sienna, Xilinx, Nokia,
Fujitsu, and NEC make other essential components, as do a number of new
companies, such as Altiostar.
These are all American, Japanese or Korean companies. In contrast,
Huawei's strength in the new technologies is in RAN cell towers.
It is much easier to tell a story of gloom and peril, but it's not
a good guide for law or policy. There are, however, steps we need as
part of a comprehensive approach to 5G. The three most difficult
challenges are rebuilding the sources of American technology
leadership, effectively partnering with allies, and resisting China's
efforts to use espionage and predatory trade practices to attain
dominance. These are not unique to 5G and it is important to see 5G as
only a part of a larger technological competition.
Some recommendations are things the Committee has heard many times,
such as rebuilding the American tech workforce through investments in
college education and spending more on R&D for the ``hard sciences.''
It's worth noting that these steps would help with competing with China
in the standards battle by expanding the tech and engineering workforce
needed for the standards process.
An implementable suggestion is to restore the STEM scholarship
programs established by the Eisenhower administration in reaction to
our last technological security threat in the 1950s. This means paying
students to study engineering, math, sciences, coding, and languages.
The Chinese are not reluctant to spend money to build their tech
workforce and is this is one of their greatest advantages over us.
The U.S. can safeguard the standard process not only by increasing
the number of American participants, but by working with European and
Japanese partners to ensure that standards bodies remain open and
equitable, and with governance structure that remains able to resist
efforts to politicize or capture them.
A crucial element of maintaining a U.S. presence in standard bodies
is to make clear that export control regulations do not prevent U.S.
companies from participating in international standards discussions.
The Commerce Department needs to immediately clarify that standards
participation remains exempt from export regulations. This is a self-
inflicted wound that the U.S. must avoid.
R&D funding for the development of industrial apps and the Internet
of things is important. While market forces will drive some of this, we
can accelerate 5G deployment and the benefits to the U.S. economy by
supporting additional research. DARPA has a program on 5G security. NSF
and NIST have small programs in these areas, but they are dwarfed by
what China spends. We cannot expect to maintain technological
leadership when we are routinely outspent. An easy suggestion would be
to double the funding now allocated to 5G and cybersecurity.
There has been some discussion of whether to help Nokia and
Ericsson, the two European 5G equipment manufacturers, ranging from
support for R&D to outright purchases of the companies. An initial and
relatively uncontroversial step would be to find mechanisms to support
R&D by these companies. No option is off the table and there is
perennial talk that one of the companies will be bought or merged. In
the next decade, Nokia and Ericsson face the challenge of adjusting
their business models to accommodate changes in telecommunications,
since the proprietary ``stack'' that they and Huawei make will be
overtaken by technological change. In the near term, it is in our
interest to ensure that they continue to operate profitably and can
compete on equitable terms with Huawei. One approach would be to
instruct DOD to develop Cooperative Research and Development Agreements
(CRADA) with both companies, to fund their R&D.
Some recommendations may seem at first glance unrelated to 5G. 5G
depends on semiconductors, and the U.S. is the leading source of
supply. The Chinese government does not like this and intends to
develop its own semiconductor industry to replace American firms both
in China and in the global market. But to make chips, China needs to
buy semiconductor manufacturing equipment (SME) which it cannot produce
itself. The major sources of this SME are the U.S. and Japan, along
with one or two European companies. One way to limit China's role in 5G
is to limit exports of SME. Some of our allies have proposed augmenting
existing controls to do this. We should develop a new SME export
control regime with our Japanese and European partners, and Congress
can help the Administration focus on this by mandating it, with
timelines.
I hesitate to make recommendations on spectrum, since the process
is working well enough and since any effort at reform raises powerful
antibodies to block change. Congressional interest in seeing the
allocation process further streamlined and in reducing the ability of a
single agency to block reallocation would be helpful for the mobile
network world we have entered.
We face a difficult challenge of managing the transition from the
older model of telecommunications technology to the new, internet-based
approach. Some say this transition will be here in three years, others
say a decade, but the goal for now is to keep the two European
suppliers viable and technologically sound. To some extent this can be
left to the market, the customers of these companies will encourage
them to evolve, but the U.S. can assist by emphasizing this in
decisions with the governments of Sweden and Finland.
Whether or not other nations follow the UK precedent of a partial
ban, we and our security problem will continue to confront the
challenge of how to communicate securely over networks with
untrustworthy components. Finding a way to do this, and to help those
countries that choose a partial ban make it as effective as possible,
is a central strategic goal for the U.S. The Prague Principles for
secure telecommunications networks produced last year are a starting
point for this, and the U.S. can strengthen these principles at the
upcoming second meeting, by aligning them with measure criteria for
security. It is not enough to say that we should avoid a telecom
``monoculture.'' There must be an explicit commitment to buy from
multiple venders and to give preference to suppliers from democracies
even if the price is higher.
Huawei is a symptom of a larger problem and 5G is a symptom of
larger fears. We face, for the first time in decades, a powerful,
unscrupulous, well-resourced opponent who has publicly declared their
intent to displace us. We are not ready for this fight and do not have
a strategy to respond to this challenge. It is likely that for some
time we will be unable to develop such a strategy. This is not a
reflection on American politics, messy as it can be. It reflects that
we are in a different kind of competition. Increasing the defense
budget will not help the U.S. win. This is a competition over markets
and technology, things with which the foreign policy and defense
establishment are still unfamiliar. Strategies that traverse the
intersection of economics and security will not at first be easy for
the U.S. to construct.
China has strengths--a determined Leninist leadership willing to
spend on strategic goals (and even though the U.S. is twice as rich as
China, we are being outspent), an immense domestic market, and a plan
to shield this market from competition while using it as a base to
dominate a range of industries, assisted by predatory trade practices
and a massive economic espionage campaign. China has weaknesses as
well--the heavy economic costs of a repressive regime, the
inefficiencies of state capitalism, clumsy diplomacy and, above all, a
fear by the Party leaders of their own people. China is not our
technological peer but they are making immense efforts to change this.
The U.S. needs to act in response. We have seen some efforts in the
last few years, but more needs to be done, including a revitalized
science and technology base and a coordinated approach with our allies
on how to respond to China's espionage, unfair trade practices, and
efforts to reshape global rules to better accommodate authoritarianism.
To summarize; the problems often attributed to 5G in the U.S. are
often overstated or wrong; there are things we can do to speed up
deployment and reduce risk, but the larger issue is to how to deal with
an increasingly hostile China in a new kind of non-military
competition. Thank you for the opportunity to testify and I look
forward to your questions.
The Chairman. Well, thank you. Thank you very, very much.
Let me just make sure. Dr. Lewis, is your testimony the
official position of CSIS?
Dr. Lewis. CSIS doesn't take official positions because
we're either a nonpartisan or bipartisan, I forget which one it
is, but we're----
[Laughter.]
The Chairman. Well, I always thought you were bipartisan.
Dr. Lewis. Well, and I always thought because I was a
career officer I was nonpartisan, but in any case, it's the
individual scholar's, not the entity itself.
The Chairman. OK. So you don't think the sky's falling and
we're doing just fine in the race. Everybody on the panel agree
with that? Anybody like to comment or respond? Mr. Murphy?
Mr. Murphy. As I indicated, I mean, factually, the U.S. has
led in a number, first, for 5G, with the first deployments in
the fourth quarter of 2018 followed by more commercial systems
in April 2019, the first millimeter wave, the first to deploy
low-band spectrum nationwide with T-Mobile, the first with
virtual network solutions in Verizon.
So it is factually incorrect to say that non-Chinese
vendors are leading and there's a disadvantage [Off microphone
comments]
The Chairman. We may have a bit of a bug or two with our
public address system.
Let me put it this way and be careful how I choose my
words. Many of us are concerned that we may lack in affordable
and viable alternative for end-to-end communications equipment
to compete effectively in the global market.
What can the U.S. do to strengthen its supply chain
security requirement and is there in fact, Mr. Berry, we'll
start with you, a viable alternative to Huawei and ZTE
equipment available in the market? Mr. Berry and anyone else?
Mr. Berry. Thank you, Mr. Chairman. Well, first, what you
did in the Secure Trusted Act, you know, was a monumental
movement forward because you identified the need for the FCC to
create a list of suggested replacement, i.e., providers,
trusted vendors, that are available to everyone.
Most of the smaller carriers don't have the technology, not
the technology but the employment, you know, gravitas to do all
the research to identify what is a trusted provider. So that, I
think, is going to be a huge improvement on the supply chain.
I think it will also lead to some of our members, and we
not only have Nokia and Ericsson sitting at the table but some
of the new entrants, like Mavenir and Parallel and others that
are U.S.-based, looking for new technologies, and I think that
requirement that the Federal Government identifies secured
communication providers, equipment providers will help us move
forward quickly on alternatives.
I agree, I think we need to be ever vigilant on that, but I
don't think it's an impossible task, and I think the bill that
you just passed has done two things: provide information on a
continuous basis and with creating a list, you have essentially
directed the Federal Government to be involved.
I don't think it's a one-shot pony. I think they're going
to have to be involved every day providing good guidance to
carriers throughout the United States.
The Chairman. Ms. Keddy.
Ms. Keddy. Thank you.
The Chairman. If you would move that microphone? It's
pretty long for a petite person.
Ms. Keddy. Thank you. So I think the U.S. has been involved
and I believe that the focus should be on innovation.
If you look at 4G, we had many companies that didn't exist
before, like ride-sharing companies, Airbnb and all. So the
faster we have widespread roll-outs across the Nation and sort
of just the first, the better off we are, and I thank you for
many of the acts, including the Telecommunications Act, where
R&D is invested and it's a starting point.
We believe that the government can do more to help new
entrants and while maintaining existing incumbents, so that we
have a diverse supply chain. Virtualization is a key and the
faster we have widespread deployments, including with spectrum
and all, the better off we are because the innovation about 5G
is really focused on other industries, like the power that we
give to consumers in 4G. We would like to bring it to other
industries, like aviation, agriculture, and other economies,
and centers also are important.
Thank you.
The Chairman. Mr. Boswell, would you like to weigh in
briefly?
Mr. Boswell. Thank you, Chairman Wicker. Yes, I think
Ericsson's been a leader in secure 5G not only in the U.S. but
worldwide in rolling out networks and the reason is we've been
planning for this for a decade. We've been building the
standards and getting radios ready for what is coming right now
for a long time.
Going back to 2015, Ericsson radios that are in the field,
of which we have several hundred thousand, are ready for 5G
today with software upgradability. So that kind of foresight
and planning has allowed us to actually kind of be ready to go
full steam ahead on that race to 5G, given that other kind of
accelerators line up, as well, such as spectrum and small cell
siting and making sure our workforce is skilled and ready, as
well.
The Chairman. Thank you.
Senator Cantwell.
Senator Cantwell. Thank you, Mr. Chairman, and before I get
into questioning, I would wonder if we could--I'm a little
uncomfortable today not seeing a press table. I know that we
have press in the room, and they look like a resilient bunch of
people who are just writing away no matter what.
But I would feel more comfortable if we asked Senator Blunt
where the press table is supposed to be in the room. Then, we
could accommodate both the press having a place to write and
feel comfortable here and having some audience participation.
So I'm sure he's working on it or something. Well, let's ask
him when he comes.
OK. To the 5G question, Ms. Keddy, I hate to say decades
ago I was involved in trying to fight a past the Democratic
Administration on the Clipper chip. I felt that was a bad idea,
too. The notion that in the 1990s we thought the government
should have a backdoor to ease our concerns about great
encryption capability, and I kept thinking instead of saying
Intel on inside, you were going to be saying U.S. Government
inside.
So it didn't work when we thought about it, and it
shouldn't work today. And since you're a global company, and
Dr. Lewis, your comments about we're not really that far
behind, I don't know why we can't get parts of Asia, parts of
Europe in a more unified voice around communications equipment
that any company that has a government that is demanding access
to that technology as a backdoor is just unacceptable.
We need to just build this international alliance to just
say it's just unacceptable. You want to be a mature economy.
We're not against your companies. We're against the fact that
you demand a government backdoor to them. That's what we're
against. So I don't know why we can't build that international
coalition and communicate.
So, Dr. Lewis, Ms. Keddy, either one of you?
Ms. Keddy. We look at information security in two ways,
right, and so security has information security and supply
chain security and we look at how do we have security
constructs in both ways.
As far as to your question on backdoors, I think that the
government knows a lot more details than us and so we look
forward to working with the government to support the requests
that is provided versus being able to mandate it as a private
company.
Senator Cantwell. Dr. Lewis.
Dr. Lewis. Thank you, Senator. First, the U.S. could
benefit by making it clear to other countries that there are
alternatives to Huawei.
When I travel to Asia and to parts of Europe, I hear this.
Well, Huawei's the only place we can buy from. That's complete
nonsense, but we have to do a better case of getting the
alternatives out there.
Second, as I think some of my fellow panelists have
mentioned, U.S. support for exports would be helpful. That
would help us not match the Chinese but at least reduce what we
used to call the Huawei premiums. So export support is a
crucial part.
Finally, we are starting to build an international
coalition. It's been a little bumpy. It's not NATO. It's not
ASIAN, but it has members of both, and we could perhaps be a
little smoother in our approach sometimes. It doesn't help to
threaten people, but I see an international coalition emerging.
Senator Cantwell. Ms. Keddy, did you want to add something
to that?
Ms. Keddy. If I can add to Dr. Lewis' point on ensuring
like a standard base but diverse supply chain that gives more
choices, that will also help the options but in the case of
these events do happen, I wanted to emphasize the notion of
technology problems to technology solutions, so we can prevent
and detect all of these.
Senator Cantwell. Well, I think, Mr. Murphy, you're the
CTO, right? So you're probably our most technical person here.
I mean, Ms. Keddy, you probably have, but this is--look, we
should just like--you know, there are lots of examples of where
even if you had to put, you know, the crown jewels into some
sort of repository or something just to get cooperation and
interoperability, you could do that, but this notion that we're
not fighting this on a big broad principle is just crazy.
Like you've got to fight the principle. The principle is we
shouldn't live in a world today where any government has a
backdoor to technology. Like that's just not the way we want to
deploy, and that has to be consistent. It might be 5G now but
it will be something else later. And the more we communicate
that--the reason why I bring up the Clipper chip is we made the
same--well, we almost made the same mistake.
You know, the U.S. Government started saying, oh, my gosh,
don't want that level of encryption. I got to have a backdoor.
We're like no, we're not having a U.S. backdoor.
So I think this is the conversation that now needs to take
place in Asia and hopefully because it has many ramifications
for cloud and cloud services. That's one of the things they've
been demanding. Oh, you want to do cloud business in Asia? This
is what you got to do. Give us access. No, we're not going to
give them access to that.
So this is a global effort we need to communicate about.
So thank you. I'm sorry. I think----
Senator Gardner. Thank you, Senator Cantwell.
Senator Fischer is next.
STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Thank you, Senator Gardner. Thank you,
Senator Cantwell.
I am glad that the Secure and Trusted Communications
Networks Act made it on to the President's desk last week, and
I was proud to be a co-sponsor of that companion bill in the
Senate last year.
This legislation is critical to create a stable and secure
foundation for America's communications networks. However, it
will also set the stage for carriers' ability to meet timelines
established in the legislation and how applicants can request
reimbursement.
Mr. Berry, are there still small providers who haven't been
able to secure commitments from trusted vendors to assure that
they can deliver the quantity of equipment needed for the
networks within those timelines?
Mr. Berry. Thanks for the questions, Senator. Yes, that is
a difficult task for many small carriers.
What we're seeing with this legislation, especially when
you kick-started the concept of you may actually be able to
replace that covered technology with new technology, our
carriers are already out there getting vendors and getting
equipment manufacturers to give us quotes and to give them
estimates of what it's going to take.
As a matter of fact, several on this panel have already
been involved with detailed conversations with the small
carriers. Our intent is not to let any moss grow on this stone.
We want to make sure that we're out there trying to find the
solution ASAP and, yes, new technologies could in fact create
new security opportunities, but there is a time lag. There is a
flexibility, a need for flexibility.
Some of the technology may not be ready to deploy today. It
may be ready in five-six-eight months, a year and a half. So we
need to measure twice and cut once and I think that maybe the
small carriers, especially with this Act, will get the
information they need and they're certainly ready and willing
to tackle the challenge.
Senator Fischer. You know, that information is going to
require them to have information on how to apply for the
funding, as well. That's going to be a big deal as we move into
this for any number of reasons, not the least being security.
What are you hearing from your members? What are the
questions you're hearing the most from your members who are
going to have to Rip and Replace?
Mr. Berry. I think the Number 1 issue is now that we have a
goal, the goal is no covered equipment in your network. The
next question is, OK, how do we prioritize that? Which elements
do we take out first? Do we take out, you know, everything from
the antenna back to the core? How do you do that? Do you go
from a 3G to a 4G to a 5G solution?
You know, part of the problem is many of the vendors are
not making the 2 or 3G technology that may be in some of these
networks. So how do you get to a 4G technology when you have 3G
technology but you have voice?
So it may be necessary to go to a 4G LTE VoLTE product so
you replace old technology with a newer technology that
actually has voice. So those things are real sort of in the
weeds but they're very detail-oriented and it's what our
carriers think about in terms of how do we maintain
connectivity, and it is like building a separate network while
you operate a network so you can transition on day one and
actually you'll be able to make a call.
Senator Fischer. Thank you. Dr. Lewis, you stated that the
bans on Huawei network technology, such as in the United
States, Japan, Australia, also, that that is the only way to
eliminate risk entirely.
A couple weeks ago, I was in the U.K. with a handful of my
colleagues and we met with the government there and obviously
we expressed some concerns about their recent action, as well
as the influence that that may have on actions within the EU.
Those are security concerns.
The U.K. is a member of 5 Eyes. That causes us to take a
step back and decide that special relationship we have with the
U.K., how do we move forward on that when it comes to security
measures.
Can the core really be securely isolated in a way that some
of these countries are talking about in theory? The Chinese
don't like this. Some countries are talking about this core and
how it's going to be secure and we don't need to worry and, you
know, my comeback is we have to put national security above
price. How would you answer that?
Dr. Lewis. Thank you, Senator. I think that the politics
and the commercial motives that our European partners have will
probably drive them to adopt a partial ban. That's not in the
best interests of their security. We have the discussion of a
backdoor, but they will be motivated by China's economic power.
That means for us, there are two things. First, we can help
them do better at making sure the partial ban eliminates risk
as much as possible. There's debate over this. I would defer to
my more technologically astute colleagues, but there are some
companies and some intelligence agencies that say a partial ban
could be made to work in the near term.
The second issue we need to bear in mind is this is not a
finished deal. The British have said, perhaps they said it to
you, that their opening position is limitation of 35 percent,
but they're willing to move that back as we go forward. So we
need to help them to make it work.
Now we need to help them get to move in the right direction
later on.
Senator Fischer. Thank you very much. Thank you, Cory.
Senator Gardner. Thank you, Senator Fischer.
And, Senator Rosen, in a different time zone, you may begin
your questions.
STATEMENT OF HON. JACKY ROSEN,
U.S. SENATOR FROM NEVADA
Senator Rosen. Thank you. Thank you so much. Thank you all
for being here and for this very important hearing.
I want to talk about how we promote the U.S. and its
wireless, how we really lead in this area because we are a
global leader in wireless technology and performance and
innovation, and the U.S. really is at the cusp of a
technological evolution.
Just as the 4G wireless industry created millions of jobs,
ushering in an era of social media, the gig economy, mobile
apps, 5G is going to fundamentally change the way that our
industries operate.
So for the U.S. to remain a leader in this space, our
response must be one of coordination and cooperation. This
means working with private sector, supporting R&D and emerging
technologies, coordinating with the relevant agencies and
participating, I believe really importantly, in standard-
setting where much of the foundational technology that makes 5G
possible.
Homeland Security Chairman Ron Johnson and I actually
recently introduced the bipartisan Promoting the United State
Wireless Leadership Act of 2020. We want to ensure the U.S. has
a seat at the table in the wireless standard-setting process
because our global economic competitiveness depends on our
participation in setting good standards for the next
generation.
So, Dr. Lewis, I'd like your opinion on how important it is
for the U.S. Government to participate in these standard-
setting bodies, including the International Telecommunications
Union, the 3G Generation Project, and I'd also like you to
comment on what is the impact of our participation or lack
thereof on technologies, including telemedicine, our connective
devices, our smart grids.
Can you speak to that, please?
Dr. Lewis. Yes, thank you, Senator. So there is a
distinction between the ITU and 3GPP. One of the questions that
is emerging is what the role of the U.S. should be in the ITU,
which is dominated by powers that are hostile to us in many
instances.
3GPP, as you've heard from some of my colleagues, we are
doing better. It's essential that we maintain a strong U.S.
presence there and if that includes funding for U.S. Government
participation, that would be valuable.
The dilemma if we withdraw, and I'm sure my other
colleagues will agree with this, the dilemma is if we withdraw
is that China seeks to dominate the standards process. It seeks
to politicize it and it seeks to have it pick China's
technology even though that technology is not the best
available.
So it's crucial for us in all the markets that 5G will
enable to maintain a strong presence in the standards bodies.
Senator Rosen. Well, that's great because it really leads
to my next question about telecom equipment manufacturing.
So with the absence of a major U.S. alternative to foreign
suppliers of 5G networking equipment, our wireless carriers
rely on just a few companies to manufacture the next generation
of 5G technology. Some U.S. companies, they sell switches and
routers that reside in the innermost parts of the carrier's
network but none actually build the wireless infrastructure
that allows cell sites to connect with smart phones and mobile
devices.
So in light of the Coronavirus that we've been dealing with
in the last few weeks or months, it's clear how dependent we
are on goods and commerce from other countries. A breakdown in
our supply chain highlights how interconnected we are and the
impact it has on our economy and our security.
So as we continue to discuss securing the 5G supply chain,
can the U.S. regain a footing in 5G equipment manufacturing?
What do you need from us to be able to do that or should we
look to possibly 6G to regain our leadership position in the
global markets? Anyone like to take that, please?
Mr. Berry. Let me just tackle that a little. I mean, Number
1, I don't think you can get behind on your Gs ever. We can't
avoid engaging in the 5G solutions, but I think some of the
technologies that our companies not only here at the table but
the new companies in the United States are finding to not only
replace those functionalities of equipment with software
solutions, i.e., virtualization of the network, everywhere from
the antenna back to the core and to the interface, you know,
with the devices, I think we're on the cusp of finding
significant opportunities for cost reduction and new
competitors in the marketplace.
And so I think that that is one of the areas that we need
to maybe rethink how we provide, quote unquote, equipment and
functionality to the network and I think some of the
specialists here that are engineers could explain that also
from their perspective.
Senator Rosen. What can we do in Congress to help
facilitate us being a leader in that?
Mr. Berry. Well, I think what you've done in the bill, the
Secure and Trusted, is a huge step forward, especially for the
small carriers that don't have the engineering staff to know
exactly the consequences of the technology, but there are a
couple bills sitting around in the House and the Senate that
recognizes this as a priority and I tend to concur that we need
more government inclusion and involvement with the private
sector as we move forward in the standard-setting bodies and I
think that would be a priority for the Nation as a whole.
Senator Rosen. I know I've exceeded my time, but can Ms.
Keddy answer?
Senator Gardner. Please.
Senator Rosen. Thank you.
Ms. Keddy. I just would like to add like incentives to
enable a widespread deployment across like rural and urban is
very important and also virtualization and open source efforts,
very vibrant new entrants that can be helped so that we have a
very diverse supply chain is important. So both these things,
including other telecoms acts that have R&D as a starting
point, which is good, but we'd like to see it much more toward
the innovations and incentives and other things for deployment.
Senator Rosen. Thank you.
STATEMENT OF HON. CORY GARDNER,
U.S. SENATOR FROM COLORADO
Senator Gardner. Thank you, Senator Rosen, and seeing the
Chairman has not returned, I'll move forward with the questions
I was going to ask.
Mr. Berry, Congress has finally succeeded in passing Rip
and Replace or to some Replace and Rip legislation to ensure
Huawei is removed from all U.S. telecommunications networks.
I've got deep concerns about Huawei and the intelligence that
we've received, which functions essentially as an arm of the
Chinese Central Government.
I'm thankful that your member companies are hard at work to
transition their equipment and to seek new vendors and while I
appreciate the dedication, I'm also hopeful that we can provide
them certainty to make sure that we ensure this Rip and Replace
model is not the default approach to network security in the
future.
Your members and other interested parties explored these
ideas at a series of rural engagement initiative events and
thank you very much for hosting one in Colorado, my home state.
What more can Congress do? What more can Congress be doing
to ensure better communication between the Federal Government
and companies of all sizes in the telecommunications industry
when it comes to long-term network security?
Mr. Berry. Thank you, Senator, and thank you for
recognizing the fact that our small carriers, as you may say,
have spent a lot of time on the educational side and that's one
thing, I think, that this Committee has made enormous progress
on is creating the focus and creating the education about what
are the security threats, what are the solutions, and I can't
stress the fact that you have now directed some certainty in
their lives going forward, not just for the carriers that have
covered equipment in a network but if you're a small carrier,
you can't afford to make the wrong decision and deploying your
resources, especially when you have limited capital to invest.
And so I think the industry and the vendors in our
industry, at least those that are CCA members, are stepping up
to the plate and I've seen a lot of activity internally with
their companies to say this is a problem, we need to be part of
the solution, and I can't congratulate them more on that.
But thank you. The U.S. Chamber of Commerce joined us in
those sessions. I must say that CISA was the specialist entity
within the Homeland Security. We couldn't have been more
pleased with the very frank discussions they shared with our
members throughout all those meetings.
Senator Gardner. Very good. Thank you, Mr. Berry.
I have a question for both Mr. Boswell and Mr. Murphy. I'll
start with Mr. Boswell. Obviously the concerns about Huawei and
insecurity with Huawei made clear our country's
telecommunications companies and many of our allies are rapidly
seeking new physical network vendors. That will largely benefit
non-Chinese companies, like Ericsson.
You never mentioned Ericsson's presence in China in your
testimony, but Ericsson's website talks about the company's
long history in China, going back to the 1890s. In fact, it
says, ``Ericsson has several joint venture companies in China
and has invested heavily in research and training in China
which provides a competitive advantage.''
You've also opened a Joint Research Institute with the
Beijing Institute of Technology.
Is Chinese-sourced research incorporated into Ericsson's
core network products? If so, what protections does the
security team have in place, including hiring protocols, to
ensure any Chinese Government-backed activities that might
otherwise attempt to undermine the security of those products?
Mr. Boswell. Thank you, Senator. I plan to address all of
those points that you make. Of course, China is a large market
and we can't and don't ignore that market or any other market
around the world, frankly, but we don't have production in
China for the U.S. market.
In fact, back in 2018, we proactively before it was kind of
a thing to be talking about, we started proactively executing a
regionalization strategy for our supply chain to put
manufacturing and development as close to the customer market
as possible in the United States.
Senator Gardner. Can I interrupt? Maybe we could follow up
with written questions for the record.
Is Chinese-sourced research incorporated into Ericsson's
core network products?
Mr. Boswell. So from a software standpoint, all of our
software from a development standpoint actually funnels through
Sweden and all of our software is scanned, verified, signed,
and centrally distributed from Sweden. That gives us tight
control and transparency----
Senator Gardner. And the answer is----
Mr. Boswell.--in chain of custody----
Senator Gardner. The answer is yes, you believe it's
properly filtered through other vendors and systems?
Mr. Boswell. Actually most of the development items from a
Chinese perspective would be for that Chinese market from a
manufacturing standpoint. So we do manufacture things in China
for the Chinese market, for example.
The majority of our R&D and development is actually in
Europe and North America.
Senator Gardner. So none of that Chinese work research that
you're doing at the Beijing Institute of Technology would find
its way through to products in the U.S.?
Mr. Boswell. I would have to follow up specifically about
that, but we do maintain a tight chain of custody of our code
with check-in/check-out policies to ensure that we can track
back where specific things have been sourced from.
Senator Gardner. Thank you. I'm going to quickly switch to
Mr. Murphy. Nokia has nearly 50 offices across mainland China
and China accounts for more than 10 percent of Nokia's sales,
according to the company's website. Nokia also operates six
research and development innovation hubs, three manufacturing
facilities, and employs 7,000 people throughout China's
footprint.
Your customers include China Mobile, China Telecom, and
China Railway, among other Chinese Government entities.
How would you answer the same question that I just asked
Mr. Boswell, how are you protecting the security infrastructure
and what security protocols do you have in place in China to do
so?
Mr. Murphy. Thank you, Senator Gardner. So perhaps to
divide that into two parts, one is manufacturing and one is
R&D.
On the manufacturing side, we have a number of
manufacturing plants around the world and depending on the
recipient of the product, we will make the best choice for
that. So, for example, in the case of the U.S., there's no
equipment that is manufactured in China.
On the R&D side, as you noted, we do have research in
China, but from my testimony, we apply the same standards for
our Chinese employees as we do for other global employees,
meaning they must sign ethical standards. It's a prerequisite
of employment. Also, software goes through a design for
security verification test. Vulnerabilities must be resolved
and documented.
So the fact that they're physically located in China kind
of is a little bit irrelevant in terms of producing a secure
product.
Senator Gardner. Thank you, Mr. Murphy. I apologize. I
cutoff others. I'm a minute and 30 seconds over. So I'm going
to cut myself off and I believe the next--Senator Lee, are you
ready--excuse me.
Senator Thune is next. Sorry.
STATEMENT OF HON. JOHN THUNE,
U.S. SENATOR FROM SOUTH DAKOTA
Senator Thune. Thank you, Mr. Chairman, and I want to thank
Chairman Wicker for holding today's hearing on a very important
issue and I think we all would agree that with increased speeds
and greater capacity, 5G networks are going to unleash new
innovations and enable breakthroughs in a variety of sectors,
from agriculture to health care.
There's a lot of promise with these new and advanced
technologies, but the United States is only going to be able to
deliver on those promises if we maintain the security of our
communications networks, both here at home and abroad.
The decisions that we make today with our trade partners
around the world are going to impact our national security and
economic outcomes for years to come.
I intend to introduce legislation this week to ensure the
security of our communications infrastructure as a clear
negotiating objective of U.S. trade policy.
Unfair trade practices of communications equipment
suppliers owned or controlled by a foreign government should
not be tolerated, period.
Mr. Lewis, when we think about future trade agreements with
the United Kingdom and other countries, should the security of
our communications networks be at the forefront of those
conversations?
Dr. Lewis. Thank you, Senator. I think this legislation is
long overdue. It is essential. Of course, it should be part of
our discussions with our allies and partners and in fact in any
trade agreement. So I think this is a great step forward. Thank
you.
Senator Thune. Thank you. Mr. Boswell, Mr. Murphy, 5G
networks have potential to generate greater virtualization in
software-defined functionalities.
Can you talk about some of the security benefits as well as
the challenges that exist with these new network elements? Mr.
Murphy or Mr. Boswell, either one.
Mr. Boswell. Sorry. Thank you, Senator. So, of course, 5G
will become more virtualized and software-defined and what we
mean by that is that the intelligence of the network will be
located more in the cloud or in some cases closer to the edge.
So distinctions between different parts of the network may
become blurred. It also actually gives us some distinct
advantages as we bring in new security technologies.
Now 5G will be built on what is already a very secure 4G
infrastructure, but it does bring new tools to the toolbox, so
to speak. The new architectures that we will roll out and the
types of technologies we will use allow us to do things like
additional encryption across the network, enhanced
authentication and more granular data access control for
enhanced privacy protection for subscribers. I think we would
all agree that's very important.
In addition, we'll have greater in-network segmentation
that can provide real-time prioritized network defense and
improved resilience. The availability of the network is
actually that's a key cornerstone of security, as well,
availability, in addition to confidentiality and integrity.
So there are new technologies that we'll see here, but
ultimately it's about how we design and build in, implement,
and operate those networks, as well, on top of what we see in
standards.
Senator Thune. Mr. Murphy.
Mr. Murphy. Thank you, Senator Thune. So 5G raises the bar
and lowers the bar at the same time. So it raises the bar in
the sense that 3GPP specifications have resolved many of the
vulnerabilities that used to exist in 4G. At the same time,
we're moving toward distributed and virtualized networks, which
one could argue lowers the bar, meaning they're more
vulnerable.
So we still need to take action on the product side as both
Mr. Boswell and myself have noted in design for security or
integrity protections in the things that we produce, but at the
end of the day, no matter what we do, there will always be a
vulnerability that can be infiltrated and thus it always comes
back to trust in the supplier themselves and this is where the
behavior, the ethics, the historical performance and behavior,
and the governance it puts on securing the products it produces
is the most important.
Senator Thune. Thank you. Mr. Berry, last week the Senate
sent legislation by Chairman Wicker to the President's desk
that would help rural telecommunications carriers remove
equipment from high-risk vendors, like Huawei and ZTE, from
their networks and replace it with secure telecommunications
equipment.
In your testimony, you suggested the lack of availability
of a properly trained workforce may impact the transition
process that these smaller carriers will have to complete to
remove the compromised equipment.
How will legislative efforts like the Telecommunications
Skilled Workforce Act that I introduced with several of my
colleagues on this Committee earlier this week help ensure the
necessary workforce is in place?
Mr. Berry. Thank you, Senator. Yes, S. 3355 is actually key
to being able to stay up with the growth, the expansive growth
of 5G. It would be a shame to lose the economic benefits that
this new technology promises if we have a lack of trained labor
force.
I think it would be a great move. We support it. There's a
lot going on in the wireless world. Not only do you have the
600 megahertz that we're repurposing, that's finishing up,
you've got a lot of carriers in rural America that they may
only have access to their towers and to their facilities for
maybe two or 3 months out of the year because of weather and
other climate issues.
So having a crew that's available and the technology to
deliver, you know, the labor force is critical and without it,
we'll not make that transition. So thank you so very much.
Senator Thune. All right. Thank you, Mr. Berry. My time has
expired. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Thune.
Senator Lee.
STATEMENT OF HON. MIKE LEE,
U.S. SENATOR FROM UTAH
Senator Lee. Thank you, Mr. Chairman. Thanks to all of you
for being here.
There's what I think one could fairly characterize as a
broad consensus that there are vulnerabilities in the network
and that the use of Huawei equipment within the networks poses
a risk of access by the Chinese Government certainly for
espionage purposes and potentially for operational control
purposes. Either way, this is troubling.
It does seem, however, like there's some debate among
experts as to whether or to what extent this vulnerability
exists in equal parts throughout the network. There are some
who would draw a distinction, based on where the equipment in
question is located within the network. Some have suggested
that this makes a difference and that depending on where the
equipment is, you might be able to manage the risk through some
work-arounds.
So, Dr. Lewis, we'll start with you. Given your expertise
and your experience in this area, can you clarify whether or
not there is a distinction between the core and the periphery
of the networks and is that a distinction that could make a
difference for our security?
Dr. Lewis. Thank you, Senator. There is a distinction. It's
increasing under the development of 5G. What used to be done in
the core in terms of processing can now be done in some cases
at the edge, given the computing power that will reside in 5G
networks.
There is a debate over how to manage this risk, and there's
a third element here that might involve the use of cloud
computing as the backbone for some telecommunications
functions.
I think the debate is unresolved but if I had to speak, I
would say if you don't want any risk, don't use Huawei. If you
decide to use Huawei, you need to work hard to manage that
risk, but I think it can be done.
Senator Lee. Do you know that the FCC is having this
discussion internally in connection with the Rip and Replace
plan?
Dr. Lewis. I think that the FCC has come to the conclusion,
the correct conclusion that the best way to reduce risk in the
U.S. is to eliminate Huawei equipment.
Senator Lee. Right.
The Chairman. And Congress has come to that conclusion.
Dr. Lewis. Thank you, sir. Thank you, Mr. Chairman.
Senator Lee. And so for similar reasons, then you would
also say the same with respect to software. If you try to
impose a software solution to it, it might mitigate your risk
but it doesn't eliminate it. In order to eliminate it, you've
got to rip it all out.
Dr. Lewis. That's correct. You can reduce risk, but the
only way to eliminate it is to remove the technology.
Senator Lee. The FCC's NPRM to establish the Rip and
Replace program has been criticized, according to some, for
underestimating its costs, especially when you take into
account the resulting equipment options, the resulting options
that will involve less equipment being available. Fewer options
do tend to increase the price tag and sometimes can produce
additional costs and additional delays.
Mr. Berry, is the Rip and Replace price tag of $1 billion
accurate in your estimation?
Mr. Berry. Well, Senator, thank you. It's a tough question.
It's really difficult to actually know.
Right now, our carriers are going out to the vendors and
asking for bids and how can you actually replace the
technology. It's hard to say. I mean, a lot of it is also
timing and flexibility.
For example, you mentioned availability of services, goods,
and equipment, and the ability to actually, you know, build and
put the new technologies in place. It's a matter of timing and
the FCC, if you use a cycle of maybe a little longer than a
year, I appreciate the wisdom of the Committee's legislation of
a year to kick-start this but I also appreciate the fact that
you have a flexible opportunity there for the FCC to give
additional time, and I think with that, you can manage costs
and I think we'll see as more carriers come in with, you know,
verifiable cost estimates, as they apply their program to the
FCC, we'll see if that amount of money actually covers it or
not.
Of course, the legislation also provides for unique ability
to come back and identify additional resources.
Senator Lee. Just to be clear, does the Rip and Replace
price tag as we've got it now take into account the increased
cost of equipment resulting from it?
Mr. Berry. The increased cost of equipment for?
Senator Lee. Resulting in fewer options when you're taking
options off the table.
Mr. Berry. Well, it's interesting. The timing may actually
give you more options in the marketplace. Not only do we have
the legacy of networks that are in place and you're replacing
those legacy networks with probably existing, you know,
vendors, suppliers that are in that work space, but you have
new technologies coming onboard that, as time--if you can wait
9-10 months or a year, you may be able to reduce your costs.
So that's the unknown part and I think it's going to
absolutely require a cooperative effort. We know what the goal
is, to eliminate the equipment and the capability in the
networks. How fast you get there will depend on how much cost
it might cost.
Senator Lee. Thank you very much. Thank you, Chairman.
The Chairman. Thank you, Senator Lee.
Senator Peters.
STATEMENT OF HON. GARY PETERS,
U.S. SENATOR FROM MICHIGAN
Senator Peters. Thank you, Mr. Chairman, and to all of our
witnesses today, thank you for some excellent testimony here
today.
Mr. Boswell, this question is posed to you. With 4G, we
have hardware choke points to check, maintain, and improve
system security, but as we push to move from hardware to
software in order to allow more U.S. companies to participate
and take control of our supply chain, a question is can you
describe how companies will have the same ability to check the
cyber hygiene of software if there is no hardware choke point?
Mr. Boswell. Thank you, Senator. Yes, I would be happy to
describe that, what we feel is a process certainly of top
priority for Ericsson and my area of responsibility is security
of our network products and integrity of our supply chain, and
I believe that it focuses on three key pillars: transparency,
traceability, and trustworthiness. I'll talk a little bit about
each one, if that's OK.
Senator Peters. Yes.
Mr. Boswell. From a transparency standpoint, so we do at
the beginning code testing, vulnerability scanning, a privacy
impact report, hardening guidelines, and other things on every
release of code, and then we're very transparent in the process
of how that and how we do that and those results are shared
with the customers for all of those products, as well. So we're
very open there.
On the traceability aspect, all of our software is scanned,
verified, signed, and distributed in and from Sweden and that
actually gives us a lot of tight control over our software
development life cycle and the traceability of that supply
chain with things like check-in and check-out procedures at the
software level, and it provides a chain of software custody
that ensures authenticity and integrity of the code once it has
left Ericsson.
And then when it's deployed on a radio, for instance, with
a customer and it boots up, they can be sure that that is
verifiable and authentic code and it's going on secure and
authenticated hardware, as well, because we put our
certificates all the way down at the chip level of that radio.
That gives us what we call a hardware route of trust all the
way from the physical aspect of the radio to the software
that's running on top of it.
And last, from a trustworthiness standpoint, of course, the
trustworthiness of the network is going to be more than just
the security and integrity of products. It's also operational
procedures and transparency, how you do deployments, but also
are you operating under the Rule of Law and under an
independent judiciary. All of these things factor into
determining trustworthiness of a vendor.
So we try to convey some of that information through things
like the DHS Supply Chain Risk Management Task Force and giving
guidance from a government and industry perspective to
customers and carriers and enterprises and the rest of the
world on here's things that we think make us secure and high-
integrity supply chain.
Senator Peters. All right. Thank you. Mr. Berry, certainly
all the large network providers are building 5G and they're all
committed to cyber and we hear that loud and clear.
My concern is that some small-and medium-sized wireless
ISPs have fewer than 10 employees. Some of them can't afford to
have a full-time cybersecurity officer around the clock, as you
know.
So what recommendations do you have for Congress to
incentivize small- and medium-sized wireless ISPs that serve
our rural communities? How can we assist them so that they can
have a robust cybersecurity program but maintain profit
margins?
Mr. Berry. Thank you, Senator. You're absolutely correct.
That is a huge challenge for many of the small carriers
serving, you know, isolated areas throughout the United States.
I think the bill does a phenomenal job of saying let's
share information. Let's make sure that that information is
shared with small providers. So CISA--which is the Homeland
Security, they also are putting field offices out there and
saying, listen, here's your contact. I would recommend that
every carrier, whether it's WISP or a small wireless provider,
know who those contacts are and most states have contacts and
talk to them on a regular basis.
When the information gets out on this suggested list of
providers and you have a Federal program through CISA, the
Homeland Security, that can give you the data you need, you can
get that, you should talk to them all the time and they will
give you a head's up. They will let you know if this is a
problem or if you are going to experience problems.
I've been very impressed with the new CISA operation. I
think it's only a year or so in operation and they're doing a
phenomenal job.
Senator Peters. That's good to get that assessment. Is
there more that they can do?
Mr. Berry. Yes, I think there's more they can do, but I
think the U.S. Government, in conjunction with industry, are
doing a much better job of bringing some transparency to this
issue. I was at a conference out in Miter, which is, you know,
quasi-public/private entity, huge attendance from U.S.
Government entities, and I was really surprised at the quality
of data exchanged and the quality of interest from every
military operation to the private sector, including many of the
companies represented here.
Senator Peters. Great. Thank you for your answer.
Appreciate it.
The Chairman. Senator Sullivan.
STATEMENT OF HON. DAN SULLIVAN,
U.S. SENATOR FROM ALASKA
Senator Sullivan. Thank you, Mr. Chairman. I want to thank
the witnesses for this very enlightening hearing and testimony,
thank the Chairman.
Dr. Lewis, I want to talk a little bit about the issue of
reciprocity with China. Senator Van Hollen and I last week
introduced what is called The True Reciprocity Act of 2020, and
as you know, in a whole host of areas, media, investment,
economics, there's not a reciprocal relationship. They can do
things over here that we can't do over there, and as you also
know, Huawei, I mean, let's face it, I read the intel, they're
clearly ultimately controlled by the Communist Party of China.
Whoever says that's not the case doesn't know what they're
talking about, and clearly subsidized.
But let me give you something that I find very disturbing
that relates to reciprocity or the lack thereof and I'm
wondering how we can address it.
Huawei has recently begun to file patent infringement
lawsuits in the U.S. against its perceived or actual U.S.
competitors, U.S. companies. So specifically they've filed a $1
billion patent infringement case against Verizon claiming over
$1 billion in damages.
Could Verizon go to a Beijing court and file a patent
infringement lawsuit against Huawei? I mean, everybody's
laughing. What's the answer? Would they be treated fairly if
they could? You can say no. I mean, I think I want to get to a
broader point.
Dr. Lewis. That's a quick answer. No.
Senator Sullivan. OK. Hell no?
Dr. Lewis. Sure.
Senator Sullivan. OK.
[Laughter.]
Senator Sullivan. OK. But it's actually really an important
question because in my view, they're using the openness of the
U.S. society and our courts which are independent, theirs
aren't, actually as a weapon against us.
So I'm just wondering not just for you but the rest of the
panelists, the bill that Senator Van Hollen and I tries to say
essentially if we can't do it there, you shouldn't be able to
do it here. It is a broad category.
But should we look at, for example, maybe limiting
discovery if--I mean, Huawei is going to try to use this not
only to intimidate American companies but in the discovery
process maybe try to get trade secrets, maybe try to get
information from our tech companies, from our telecoms.
How should we be trying to address this because to me, this
is a really big problem? They wrote a Wall Street Journal op-ed
as if they're some kind of, you know, non-controlled party by
the Communist Party, but do you have any thoughts on that, any
of the other panelists, and then I have a quick question for
Mr. Berry.
Dr. Lewis. Let me start first, Senator, and thank you
because this is a crucial issue.
Every time I open the Washington Post or last week's
Economist and see an insert from China Daily, I feel like we
are definitely being taken advantage of because the Times or
even The Economist could not do that in China.
Senator Sullivan. So that's one of my elements and Senator
Van Hollen's bills on the media side, right? It essentially
says we can't go do that in China. Heck. You walk out of the
Senate and you do a vote, you have a Chinese journalist
sticking a mic in your face. Can our journalists stick mics in
Xi Jingping's face? I don't think so.
Dr. Lewis. This has been a long struggle over Chinese
espionage and one of the things we've discovered is that if you
close one door, our opponent will look to find another, and
unfortunately I believe they use patents and discovery
associated with patent cases as a new venue for espionage.
Senator Sullivan. And do you think it's threatening to the
competitiveness of American companies to have to open up to
broad-based discovery when there's no way they would allow us
to do it in China?
Dr. Lewis. I've only interviewed a few technology companies
but all of them would agree with you that it's very damaging.
Senator Sullivan. Well, I will ask the other witnesses if
you have a view on that and you want to submit it for the
record, please do. I think it's a really important issue and
it's a loophole.
Very quickly, I just wanted to ask Mr. Berry. I was part of
the co-sponsorship of the Chairman's leadership on the Rip and
Replace bill.
Can you speak to some of the other challenges dealing with
mostly rural and extremely rural and remote carriers that
Congress or the FCC can undertake as we are looking to
implement the legislation that the Chairman led and we recently
enacted in the Congress?
Mr. Berry. Thank you, Senator. Yes, we mentioned
accessibility is going to be the key to whether or not we get
this done in a rational, reasonable way.
In Rural America, these carriers are literally working and
operating on a shoestring and trying to keep connectivity while
you're literally restructuring your entire network is going to
require a lot of flexibility.
The FCC, you know, the last Order they did on USF,
essentially Mobility One, there was some concern whether or not
there was authority in there to be able to maintain your
network while you're transitioning. Some of us thought that
some of the provisions that the FCC had were retrospective in
nature instead of prospective.
We all have to get on the same game card on this. If we're
going to maintain the networks and provide services, especially
in Alaska, it's so difficult in many areas, you're going to
have to give a little flexibility to continue to maintain that
network as you transition out.
So prioritization of how you do it and I think we're going
to--just because a generator goes out on a network doesn't mean
that it's a Huawei product. Yes, that generator may actually
allow that network to operate. That may have some Huawei, you
know, goods and product in it, but that's not the reason you're
maintaining the network and so I think it's going to take a lot
of cooperative effort and the rural areas are going to be one
of the most difficult to deal with.
Senator Sullivan. Thank you. Mr. Chairman, I know that I'm
the last witness. Can I just----
The Chairman. Actually, we have Senator Scott here.
Senator Sullivan. Oh, I'm sorry, Senator Scott. I'm not
going to even finish my sentence then. I was going to ask for--
I'll just have the witnesses, if you can submit additional
comments on my earlier question about the lack of reciprocity
and the----
The Chairman. You're going to be given an opportunity to
say that aloud when I take my second round.
Senator Sullivan. Oh, well, maybe I'll hang out for that
then. Great.
The Chairman. Senator Scott.
STATEMENT OF HON. RICK SCOTT,
U.S. SENATOR FROM FLORIDA
Senator Scott. Thank you. Thank you, Chairman Wicker. Thank
you, Senator Sullivan, for giving me this opportunity.
[Laughter.]
Senator Scott. Mr. Berry, could you talk about what we need
to do to encourage private industry to create alternatives to
Huawei because if you just read the paper, what you're reading,
and when you talk to Europeans, they say, well, there are no
alternatives and so what do we need to be doing to help create
alternatives?
And then second, any of you can answer, if you're up here
in D.C., we all understand the risk of Huawei, but the public
doesn't get it. I mean, they don't hear it locally hardly at
all and so on both these, what can we do to encourage and what
can we do to get the public educated about the risk of Huawei?
Mr. Berry. Thank you, Senator. I mean that's a tough one.
What you can do to encourage is exactly what you did in the
bill. You provided a fund for replacement equipment which means
it got everyone's attention and, yes, everyone wants to find
solutions now because there's a potential to pay for it.
Small carriers don't drive the marketplace normally. They
don't drive the technology development. This gives us an
opportunity to recognize that there are some funds to actually
reimburse.
On the other side, I think the recognition that there's a
nefarious, you know, network element out there that needs to be
replaced gives everyone thought that maybe there's a better way
to do it, and I think our industry has the capability to
respond in a very effective fashion very quickly.
I think that's what we're seeing in the marketplace right
now and many of those sitting at this table are providing that
opportunity.
I know that small carriers really appreciate being able to
know if they make a decision to go with a certain technology,
it's on the recommended list. They're not going to literally
have to go wonder because they can't pay the bill.
Senator Scott. And how can we educate people better?
Mr. Berry. Well, it's a good idea. We did three nationwide
sessions trying to educate our carriers to the risk and we had
great response not only from Department of Justice, FCC,
Homeland Security, NTIA, and the White House. Those are the
types of things.
The big issue is everything's connected to the Internet
and, you know, it doesn't matter if it's a switch, a part of
the RAM, or part of the core, eventually it connects to the
Internet and just because it may happen in
Washington, D.C., you could have a plant shut down in
Florida because of that vulnerability. It's like the chain that
breaks at the weakest link and I think that's what all these
interesting discussions are trying to do right now is find that
weakest link and fix it.
Senator Scott. When you all were answering Senator
Sullivan's question, you talked about Huawei using the patent
process to take advantage of the American system and probably
other countries.
Is there anything that we should be doing to penalize
Huawei for doing that? Is there anything through the patent
process that we can do that would penalize them because
companies like Ericsson and Nokia don't do that?
Mr. Berry. For me, putting on my old hat as I used to be
counsel to the House Intelligence Committee years ago, the
nefarious thing about that is that open process, the best way
to defeat that challenge is potentially through information
that's classified and cannot be made public and that concerns
me from my service on the Hill.
I don't know exactly how you do that in a public fashion,
but that's a good way anyone can test the knowledge that the
U.S. intelligence community may have by bringing actions like
that and I'm not so sure I have a good answer for you.
Senator Scott. So is there legislation now that protects
classified information like that that would----
The Chairman. Well, will you yield to Senator Sullivan?
Senator Scott. Absolutely.
Senator Sullivan. Well, I mean, what we're looking at is
not the classified aspect but just the reciprocal aspect and
the reciprocal aspect to me is glaring, particularly in this
case, because our companies can't do that. So one response
that's pretty much in the bill that Senator Van Hollen and I
put forward is that you would limit discovery to Chinese
companies in American courts because we can't do discovery in
their courts. It seems very fair. Most Americans would, I
think, instinctively support it.
If we get all of our allies to do the same thing, then you
start to really leverage China to quit playing in a way that's
non-reciprocal.
Senator Scott. But there's nothing else that from
classified side that you have a recommendation that we need to
be doing?
Dr. Lewis. Well, Senator, one of the issues that's come up
in this discussion, and it's true, the one way the Chinese
leaders really dislike is reciprocity and so in discussions
with Chinese officials, if you say reciprocity as a threshold,
they are very unhappy.
We need to consider whether you can use some of the
sanctions tools available, whether it's putting people on the
entities list, whether there are other Treasury or Commerce
sanctions that might offer an opportunity to close off this new
avenue of espionage.
Senator Scott. Thank you. I think I'll stop. I think my
time's up.
The Chairman. Thank you very much.
Dr. Lewis, Huawei is on the entity list, it cannot receive
information from U.S. persons and entities, but it can sue and
try to get around that through discovery and you and Senator
Sullivan had a lenghty exchange about that.
Mr. Berry, is there anything more you'd like to say about
this issue? Then I'll give our other three witnesses a chance
to respond.
Mr. Berry. No, sir. I think it's another way to glean
information that would not otherwise have been made available
and I agree with Senator Sullivan that it has to be addressed.
The Chairman. Would anyone else like to weigh in on that? I
don't see anyone raising a hand.
Senator Sullivan. Chairman, can I just make one quick
point----
The Chairman. Yes.
Senator Sullivan.--just to add to this discussion?
So when I raised the issue of reciprocity with the Chinese
at very senior levels, including with our Ambassador here but
also with senior officials in Beijing, it's one of the issues
where they pretty much acknowledged that there's no reciprocal
treatment across a whole host of areas, but they say that it's
still appropriate that it's non-reciprocal because they're a
developing country. That's literally the answer. That's what
they say.
Obviously that's a debatable prospect, but I think true
reciprocity in the relationship has to be the standard. We get
our allies to do it, too, we can leverage China in a huge way
because they don't have reciprocal relationships with hardly
anybody.
That's my comment.
The Chairman. Thank you very much.
Now as we conclude, let me see if we can cover the Federal
Advisory Committee. The Communications Security Liability and
Interoperability Council that the FCC works through, I think we
call it CSRIC, its mission is to provide recommendations to the
FCC to ensure, among other things, optimal security and
reliability of communications systems.
So, Mr. Murphy, can you discuss why 5G networks will
require a different approach to communications network security
compared to 4G and 3G, and then, Mr. Berry, I'm going to follow
up by asking you concerning the security of the
telecommunications supply chain. It requires diligence from
operators to monitor their networks.
While there's no one-size-fits-all approach to address
vulnerabilities, what types of best practices are your member
companies adopting?
So, Mr. Murphy, would you care to help us on that issue?
Mr. Murphy. Yes, thank you, Chairman Wicker. So 4G is
largely dominated by smart phones. 5G will be dominated by
smart phones and IOT devices and many different types of
industries and some of those are critical industries.
Ranking Member Cantwell mentioned the power issue earlier
this morning. So the potential for catastrophic impacts are
larger in 5G. Likewise, the network itself is changing in the
way it's structured, moving toward a more distributed system,
more virtualized system. So we cannot take what was done in 4G
and say that was adequate for 5G. We need to look at 5G as
something that is new and has a higher bar for the security
processes we implement.
So that's why we think, for example, this whole issue of
trust of the supplier comes in to play. It has a more important
aspect in 5G compared to 4G and likewise on the technical
level, vendors, such as ourselves and Mr. Boswell with
Ericsson, we also have to up our game in the security process
we implement for 5G because it is not the same.
The Chairman. Mr. Boswell, you are going to have to up your
game?
Mr. Boswell. Senator, thank you. Actually, I definitely
would like to speak on this topic as I serve on the FCC's CSRIC
that you had mentioned.
All of our customers are going to be going through a
transition of some kind as they move into 5G and with this FCC
Security Advisory Council, we're working on two different
working groups right now. One of them is focused on stand-alone
5G security, the other is focused on--the one that I serve on
is the transition from the other Gs into 5G and I think that's
an area of extreme importance, especially for the smaller
carriers.
The reason is the work that we're doing there is very
collaborative, colleagues from Nokia, there are many others,
government and industry. The lessons learned out of what we can
do and the transition of 5G will be applicable not only for the
large carriers but also for those small carriers because all of
them will be in this transition state between 4 and 5G for
quite a while.
It's important for us to provide consistent and predictable
guidance on how do we update security policies and procedures
to be ready for this new virtualized software-defined
infrastructure.
For the smaller carriers in particular, that may be a
completely new thing for them. The larger ones have been
virtualizing things and doing some software-defined networking
stuff for a while.
So they not only have the challenge of I've got to go put a
radio on and figure out how to make that work and deliver new
services but now I've got virtualized infrastructure, as well.
That may be new for them.
So we're trying to address this in the FCC Security
Advisory Council that you mentioned and we appreciate the work
and the backing from the government that's set that up.
The Chairman. Mr. Berry.
Mr. Berry. Thank you, Senator. I guess it's important to
follow on that with its virtualized components or new portals
are not inherently more secure in and of themselves. We learn
how to make them more secure from actual experience and
practices and that's where CSRIC and the engineers and the vast
testing activities come in to play because you can share that
information with carriers.
Most of the small carriers are trying and still impact
their networks but, for example, if you go down to C SPIRE in
Jackson, Mississippi, you go in their NOC, their Network
Operations Center, they can tell you literally to the minute
how many adversarial attacks they've had on the network. They
can tell you how many intruders attempted to get into their
network and communicate with, you know, entities in their
network.
So some of our carriers are actually hiring outside third
party entities that monitor through dark fiber and other types
of scenarios everyone that's trying to touch their network. So
it's a constant thing and without CSRIC and some of the other
experience-oriented entities that are out there, our small
carriers would have a very difficult time coming up with best
practices because it changes, literally the threat changes
literally every day in some respect.
So that's a key component and I think not only do you have
to continue it but I think we're going to have to be probably
even more energetic in response in the coming years.
The Chairman. Thank you. Dr. Lewis, something you said
about partially using Huawei equipment might give someone the
impression that you are somewhat relaxed about what the United
Kingdom has done and so I'm just curious to learn what you
really, really think there. I can handle the truth.
Dr. Lewis. I am relieved to hear that, Mr. Chairman, and
let me say that Congress has been the bedrock of the opposition
to Huawei in the confrontation with China. So your work is much
appreciated, and I think your comments about how I'm relaxed
will please my friends in GCHQ. So we've got to look on the
bright side.
It's an open debate as to whether you can do the divide
that the British have talked about and the architectural fix.
My issue is you have to play the hand you're dealt and that's
the hand we've been dealt.
It would be better if they did what Australia did. They
chose not to do that. They're our closest allies in the world.
How do we work with them to make it a secure system?
They might change their mind. We have some leverage points,
but for right now, like partial ban, not like partial ban,
that's not the game. The game is how do we make our
communications with a key ally more secure?
The Chairman. Three of our witnesses have said today that
there are a lot of alternatives and apparently the U.K. is not
convinced. They didn't get that message. Am I on to something
here?
Dr. Lewis. I would say that the U.K. received political
direction possibly from the previous Prime Minister that it was
important to maintain good relations with both China and the
U.S., economic relations with China, security relations with
the U.S., and the British are trying to craft a solution that
will let them do both. That may not be possible, but I don't
think the technical debate over whether their partial ban can
work is over.
There are even American tech companies that will say with
the right architecture, with the right setup in the cloud, you
could make this work. So it's a to-be-determined kind of
question.
The Chairman. Senator Johnson.
STATEMENT OF HON. RON JOHNSON,
U.S. SENATOR FROM WISCONSIN
Senator Johnson. Thank you, Mr. Chairman. I've got a lot of
questions, so succinct answers would be helpful.
Mr. Lewis, I appreciate your testimony. I was in Munich.
Microsoft was talking about a cloud-based solution that just
basically leapfrogs the, no offense to Nokia and Ericsson, the
equipment issue when it comes to 5G.
I come at this from the standpoint of regardless what is
best in terms of national security, the reality is Huawei's
going to exist. There's 1.4 billion people in China, 400
million in the middle class. They got a good market and they're
going to have equipment and somewhere around the world that
equipment is going to be installed and in a global network,
we're going to come in contact with it. So we need to recognize
that reality.
Rather than, you know, trying to impose a policy that's not
going to be accepted by everybody, we better accept the reality
that we're going to have to come up with solutions that
contemplate the reality that Huawei's equipment is going to be
installed some places.
Can you speak to that, Mr. Lewis? Then I want to start
talking to Nokia and Ericsson about manufacturing capabilities
and capacities and that type of thing.
Dr. Lewis. Thank you, Senator. I think that's right,
unfortunately, that when you look at some of the markets in the
developing world where we have strong national interests, the
Middle East, Africa, South America, Huawei will be a presence
there, and so we need to learn how to operate on networks that
are not perhaps trustworthy.
We have an opportunity here, though, in the move toward 5G
and to 6G to work with our allies, to work with our security
partners to come up with standards and best practices that will
make telecom more secure.
So I don't see the British decision as a loss. I see it as
an opportunity.
Senator Johnson. Well, I view it as a reality. Speak to the
cloud-based solution for 5G, you know, basically leapfrogging
the equipment issue.
Dr. Lewis. And I'll defer to my other colleagues, of
course, but what I hear from interviewing many, many companies
is that this is an alternative. It will lead to greater
security, but it is somewhere between 3 years and 10 years out.
So it would be nice if it was here sooner. It will fix our
problems, make them smaller ultimately. Next year, it won't
help.
Senator Johnson. So often here, you can't defeat something
with nothing, but we have something. We've got Nokia. We have
Ericsson. How big of a capacity challenge is meeting the demand
for 5G as it develops and is deployed? I'll speak to both Nokia
and Ericsson here.
Mr. Murphy. I'm sorry, Senator Johnson. Cacacity in what
respect?
Senator Johnson. Of the equipment that's needed to satisfy
5G demand and deployment.
Mr. Murphy. Yes, so it?s growing at a different pace in
different countries across the world, but at the moment, we
don't see a significant issue with meeting the equipment
demand.
There's a great demand on capabilities which is very
challenging to meet. However, not so much on the equipment
side.
Senator Johnson. But we're always told that Huawei's
equipment is substandard, is that true or not true? Are they
advanced or are they ahead of Nokia and Ericsson in terms of
technology or on par or behind?
Mr. Murphy. I think it would be false--I mean, it's correct
to say that Huawei is a formidable competitor. That's partially
due to the massive research and development arm they're capable
of supporting due to their domestic market as well as support
on the sales side from the banks in China.
However, when it comes from a technical perspective, if we
go back to the earlier part of my testimony, if we look at
first in the world, it's actually the U.S. was the first in the
world to launch 5G back in the fourth quarter of 2018 and then
more commercial systems in 2019 and we have many more firsts.
So we do not feel we're at a technical disadvantage in
being able to keep on par with Huawei.
Senator Johnson. So China's predatory mercantilism, you're
talking right now about being supported by, you know, Chinese
banking. Is there a greater economic support from China? I
mean, how large an economic disadvantage is Nokia and Ericsson?
You know, how big a disadvantage is that to Huawei? I'll ask
Mr. Boswell to answer that one.
Mr. Boswell. Thank you, Senator. So we certainly believe in
the security and integrity of our network products and our
solutions and we think they're the best in the world.
You asked about kind of a comparison to them. As Mr. Murphy
said, they're a formidable opponent and certainly a competitor
on the world stage. Here in the U.S. market, the U.S. enjoys a
competitive and robust marketplace of secure and high-integrity
and trusted suppliers, and I think it's important to uphold
that as an example to the rest of the world.
We can still go really fast on this race to 5G and do it
with secure and trusted suppliers.
Senator Johnson. No offense. You're not answering the
question. I'm talking about what kind of cost disadvantage are
you at, both your companies at because of China's mercantilism
and their state-sponsored support. If it's just a matter of
EXIM Bank financing this stuff, you know, that's not a big
deal. If it's Russia or if it's China literally putting
billions and billions of dollars into subsidizing the sale of
the 5G equipment, that's a problem. So where are we at there?
Mr. Boswell. So my apologies, Senator. The finance side of
that thing is not really my forte. I'm on the security and
engineering side of our practices at Ericsson.
However, I would agree with what Mr. Murphy said about
we're not facing restrictions in terms of our ability to meet
manufacturing demand in terms of equipment and getting it out
there and meeting the roll-out demands that our customers are
asking for. That's both in the U.S. and in the rest of the
world.
So we're able to go kind of as fast as our customers are
wanting us to right now.
Senator Johnson. So if the Chairman would indulge me, can
anybody answer that question in terms of the cost disadvantage
we're at, anybody on the panel?
Mr. Murphy. I can try. So ironically, 25 years ago, I moved
to China at this time of the year, and I set up a research and
development lab and in my lab were two companies called Huawei
and ZTE, and they developed very rapidly obviously and they
developed because of government support and the provinces
purchasing their equipment and research and development done at
a very low cost, if not free, by universities and government
research institutes.
So that at that point in time, I believe that continues
today. They have very significant support from the government
and different entities within China in the execution of their
product developments and subsequently in the sales through the
financing mechanisms.
So we do have some disadvantages in that respect. We're not
having equal level of support from governments to help us. So
in a sense of what can be done to remediate that or mitigate
that, I think it's to create a level playing field, both on the
EXIM Bank-type things but also on the research and development
side to support vendors like ourselves to have a more level
playing field both in 5G and especially moving into 6G.
Senator Johnson. Well, we're not going to steal your
technology in this, so I can't get an answer that they're 30
percent below you guys. I mean, I won't get that answer and
again I've already taken more time.
Mr. Lewis, I just would like to meet with you at some point
in time.
Dr. Lewis. OK. You know, just a quick one on the------
The Chairman. Is that 30 percent accurate?
Senator Johnson. No. I was just picking that number out of
the air.
Dr. Lewis. There's some evidence that at least in one case
with the European company, it was at 30 percent discount. In
other cases, you know, it's been much greater. So we can answer
that in our question, if you wish.
Senator Johnson. OK. So we'll do that offline. Thank you,
Mr. Chairman.
The Chairman. Go ahead, Senator Johnson. This is
interesting.
Senator Johnson. Oh, OK. So answer the question. We need to
know that. If we're going to--and by the way, I mean, in the
private sector, if you've got an incumbent supplier that has a
monopoly that you want to get rid of, you start supporting
alternative suppliers, and I think we're in the same situation
here. We've got to--China has taken the wrong path. They're not
a benign force. They're a malignant force. This is a national
security issue. So we've got two suppliers here. We've
obviously helped them here by saying we're not going to allow
Huawei but we may need to do some support from the standpoint
of competing against their predatory mercantilism, but we need
to know what extent that is.
So again, Mr. Lewis, if you've got some information that
would be helpful.
Dr. Lewis. Well, perhaps this is best answered in a
question for the record, but in conversations with both U.S.
and foreign law enforcement and intelligence agencies, and I
don't know if my colleagues would agree, they would tell you
that if there's a Chinese interest in getting into that market
and having access to the national telecommunications system,
they would spend whatever it takes. So it's in hundreds of
millions in some cases, greater in others.
Senator Johnson. By the way, that's the kind of competitor
you don't like competing against. They'll buy the business at
any price. OK.
Well, again, we will talk offline and do some questions for
the record. Thank you, Mr. Chairman.
The Chairman. Thank you, Senator Johnson.
So, Dr. Lewis, it's not accurate to say that our allies who
made a decision that we wish they had not had no one else to
turn to? That's really not an accurate statement, is it?
Dr. Lewis. That's correct, Senator. As you've heard from
our colleagues from Nokia and Ericsson, there are many
alternatives.
The Chairman. And I think that's an important take-away
from this hearing and, Mr. Berry, do you want to have the last
word?
Mr. Berry. Thank you, Senator, appreciate it. To respond to
Senator Johnson, this Committee sent a huge shot across the bow
of every ally and friend to the United States. You said, this
Committee said we are willing to share the cost and take the
cost of ensuring our networks are secure. It doesn't matter
what the covered equipment providers cost is or is not. They
can't sell in the United States. They won't have a market in
the United States.
So I think what you did on the international front is far
more important than you may think. What you were willing to do
here is what you wanted Britain to do, what you wanted Poland
to do, France, all of our allies.
Now you have a barricade to stand behind and say can you
follow our lead and I think that's what you've done here.
The Chairman. Thank you. It was actually a statement by the
House and the Senate as a whole on a bipartisan basis and I
expect the President will be signing that legislation with some
fanfare in the next few days.
Thank you all, and I want to thank all of the members who
have come and gone and I think helped us strengthen our
understanding.
The hearing record will remain open for two weeks. During
this time, Senators are asked to submit any questions for the
record. Upon receipt, the witnesses are requested to submit
their written answers to the Committee as soon as possible but
by no later than Wednesday, April 1, 2020. Cross your heart,
hope to die.
And so with that, I want to thank the witnesses and
announce that this hearing is now adjourned.
[Whereupon, at 12:02 p.m., the hearing was adjourned.]
A P P E N D I X
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
______
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Steven K. Berry
Question. The Federal Communications Commission (FCC) estimates
that it will cost more than $1 billion for rural carriers to remove and
replace equipment and services from companies that pose a national
security threat, such as Huawei and ZTE. In your testimony, you
emphasized the importance of Federal funding for rural carriers that
cannot afford to cover these costs and of ensuring that rural
communities remain connected during the transition to secure 5G
networks.
In your view, are additional resources needed to ensure
rural carriers remain connected during the transition to secure
5G networks?
Answer. Congress created the Secure and Trusted Communications
Networks Reimbursement Program in the recently enacted Secure and
Trusted Communications Networks Act to provide the additional resources
needed to transition carriers away from covered equipment. While total
costs will vary by carrier and depend on how different networks are
structured, I am pleased that the FCC has sought $2 billion in
resources for this program, as well as administrative costs, in a
recent appropriations request.
______
Response to Written Questions Submitted by Hon. Jon Tester to
Steven K. Berry
Question 1. As you testified, the issue of suspect
telecommunications equipment disproportionately affects small carriers
in rural areas like much of Montana. For financial reasons, these
carriers sometimes chose to use equipment that we now know to pose
national security risks. What is the range of credible estimates for
the total cost of replacing covered communications equipment among
regional carriers, both in the ``core'' network and overall?
Answer. Each carrier's network is different, and accordingly
resources needed to replace covered equipment will vary by carrier
based on network architecture, current equipment in place, and size and
density of each carrier's geographic footprint. The United States has
never directed carriers to essentially remove all covered network
equipment in one year or seek waivers, and the need for flexibility and
ability to review new technologies that could reduce costs is extremely
important. We hope the FCC recognizes this in their policy decisions,
as technology advances and physical network components may differ in
cost from virtual components. CoBank has estimated network costs to
exceed $1 billion in network replacement costs, and the FCC recently
sought $2 billion to fund the overall replacement program. To speak
specifically to core costs, CCA carrier estimates approximate $3.7--$4
million per core, with additional costs for space to accommodate an
additional core, expanded HVAC capacity, and configuration costs.
Question 2. Much of the covered equipment is obsolete, and will
presumably be replaced by newer but functionally equivalent equipment,
but the telecommunications market has only further consolidated in the
short time since this equipment was installed. Are there proactive
steps that could help ensure carriers have access to a robust and
competitive market as they replace covered equipment? For example, do
you anticipate that radio access network virtualization can play a role
in replacement?
Answer. As you note, there are certain covered network elements
that support legacy technologies that are now obsolete and no longer
available from any trusted supplier. Carriers who must replace covered
network elements should be allowed to deploy equipment to support like-
for-like services, particularly with equipment that can be upgraded to
support future technologies. Virtualization, including through Open
Radio Access Network (ORAN) technologies, has the potential to
disaggregate functionality to increase efficiency and decrease costs.
Further research and development on ORAN should be encouraged. However,
policymakers should not mandate which technologies are used in wireless
networks, but rather encourage research into new, secure technologies
to enhance innovation, customer choice, and cost savings. Superior
products will win in the market.
Question 3. Are there currently enough skilled workers available to
replace covered equipment in American networks within the specified
timeline of one year after disbursement of funds? What steps can
Congress take, if any, to help ensure the necessary workforce is in
place in advance of the release of funds?
Answer. A properly trained, local workforce will be essential for
impacted rural carriers to complete the transition process to remove
covered network equipment; absent an appropriately trained workforce,
there will not be enough labor available to complete not only the
replacement of covered equipment but also other demands to wireless
service deployment. I thank you for your leadership in introducing S.
3355, the Telecommunications Skilled Workforce Act, alongside Senators
Wicker, Thune, Moran, and Peters to help meet the needs associated with
bringing connectivity to rural America.
______
Response to Written Question Submitted by Hon. Amy Klobuchar to
Jason S. Boswell
Question. In your testimony, you state that the United States is
expected to account for 50 percent of data breaches across the globe by
2023, making our networks a target for cyberattacks. You also highlight
the need for industry to develop 5G supply chain and security
standards.
Can you speak to how the industry is working together to
develop 5G supply chain and security standards to ensure that
all carriers, including small and rural carriers, remain
competitive?
Answer. Security is a top priority for Ericsson. Ericsson's
philosophy is that networks must, from the very start, be trustworthy,
resilient, and secure by design, and Ericsson employs a holistic
approach to ensuring the security of its supply chain and its products,
as detailed in my testimony. At the same time, Ericsson and other
companies in the information communications and technology (ICT) sector
recognize that ensuring security in the 5G era is a shared challenge
that requires collaborative and inclusive solutions. Accordingly,
Ericsson constantly works with a diverse range of relevant stakeholders
in industry and government--both in the U.S. and globally--through a
variety of complementary organizations and processes to address 5G
supply chain and security standards. This multi-faceted approach
ensures that all providers--regardless of their size, the nature of
their customer base, or other differentiating factors--are able to
participate in the problem-solving process and, in particular, that the
interests of small and rural carriers are taken into account.
Industry-led initiatives. Ericsson actively contributes to a number
of U.S.-based industry initiatives organized around ensuring supply
chain security. As described in my testimony, these include the
Communications Sector Coordinating Council (CSCC), which meets
regularly to review industry and government actions on critical
infrastructure protection priorities in order to improve the physical
and cyber security of sector assets, among other functions; and the
Council to Secure the Digital Economy (CSDE), which brings together
companies from across the ICT sector to combat increasingly
sophisticated and emerging cyber threats through collaborative action.
Standards-setting bodies. Standards work is a foundational
component of good security assurance, as it supplies guidance and
frameworks that ensure security and privacy requirements are met
consistently. As described in my testimony, Ericsson is a leading
participant in developing the standards for 5G security through the
global 3rd Generation Partnership Project (3GPP) and serves on multiple
working groups within the standard-setting organization the Alliance
for Telecommunications Industry Solutions (ATIS), including a newly-
launched effort through ATIS, supported by the Department of Defense,
to develop standards for securing the 5G supply chain. These technical
standards are crucial for security because they give all suppliers and
carriers a common--and open and transparent--technical understanding of
interoperability and security. This allows for vetting and
identification and correction of technical vulnerabilities. To be
clear, 5G security standards and 5G supply chain standards are
presently still under development, and Ericsson along with many other
companies is helping shape them for long-term security. In total,
Ericsson is a member of more than 100 industry organizations, standards
bodies, and other technology alliance groups, as part of its mission to
drive 5G forward.
Commercial partnerships. Ericsson further contributes to enhancing
security through commercial relationships with its broad and diverse
U.S. customer base, which includes nationwide and regional
communication service providers serving both rural and urban markets
with all technologies (wireline and wireless telecommunications, cable,
and satellite). As described in my testimony, Ericsson has partnerships
and collaborations with rural Wireless Internet Service Providers
(WISPs) and carriers--such as GCI Communications, Cellcom, Bluegrass
Cellular, and many more--in furtherance of its commitment to bring 5G
to rural areas. Ericsson also maintains strategic partnerships with
NVIDIA, Intel, Qualcomm, Juniper, and many other U.S. companies. In
fact, Ericsson's global sourcing of active components for Ericsson's 5G
radio base stations relies up to 90 percent on U.S. technology
suppliers.
Industry-government initiatives. Industry and government together
have convened numerous initiatives to promote collaboration on supply
chain security. For instance, as explained in my testimony, Ericsson is
involved in the following:
The Department of Homeland Security Information and
Communications Technology Supply Chain Risk Management Task
Force exemplifies how industry and government collaboration can
quickly and effectively deliver useful, sharable, expert-driven
guidance in complex areas like supply chain and 5G security.
The Task Force represents a formal, action-oriented
collaboration between industry and government that ties
together various streams of activity. In 2020, its working
groups will analyze mitigations and risk determination across
multiple areas of the supply chain in order to make
recommendations on best practices and methodologies, and
develop attestation frameworks around various aspects of supply
chain risk management to help security standards and other risk
guidelines more understandable, predictable, and useful.
The National Security Telecommunication Advisory Council
(NSTAC) is an industry-comprised body that advises the
President on national security and emergency preparedness
issues.
Similarly, the Communications Security, Reliability, and
Interoperability Council (CSRIC) is an industry-comprised body
that makes security policy recommendations to the Federal
Communications Commission (FCC). Three of its current working
groups are expressly focused on security issues: Managing
Security Risk in the Transition to 5G (WG2); Managing Security
Risk in Emerging 5G Implementations (WG3); and 911 Security
Vulnerabilities during the IP Transition (WG4).
Other engagement with government. Beyond these joint activities,
individual companies work closely with other government departments and
agencies. In Ericsson's case, these include the National
Telecommunications and Information Administration (NTIA) and the
National Institute of Standards and Technology (NIST), both within the
Department of Commerce; the FCC; the White House, and more
specifically, the Office of Science and Technology Policy (OSTP), the
National Economic Council (NEC), and the National Security Council
(NSC); and the Departments of State, Defense, and Energy.
Collectively, these complementary vehicles and processes invite and
permit the participation of all stakeholders, including small and rural
carriers, and thereby facilitate holistic solutions to shared security
challenges. In short, ongoing industry efforts are designed so that no
stakeholder is left behind in the race to a secure 5G world.
______
Response to Written Question Submitted by Hon. Kyrsten Sinema to
Asha Keddy
Question. As you know, the Intel Future Skills initiative works to
address the effect of technological advancement on the skills needed
for the jobs of the future.
In order to compete and stay ahead of Chinese technologies, we must
make significant investments in infrastructure, education, and
workforce training. In Arizona, we are already working to cultivate a
21st century workforce. For example, last year Arizona State University
and Sprint partnered to create a new 5G connectivity and Internet of
Things curriculum.
How can we work to best prepare students for the jobs needed to
build 5G equipment and networks in order to reduce provider dependence
on cheap, Chinese components?
Answer. Intel commends and supports efforts to increase investments
in infrastructure, education and workforce training. In passing the
CARES Act during March 2020, Congress took important steps to protect
early momentum to focus on these needs, and Intel supports additional
resources for these important areas in follow up COVID19 response
measures. In these uncertain times, one certainty is that the U.S. has
an opportunity to set priorities for success against the country's most
important challenges.
Today Congress has a rare opportunity to direct resources in ways
that support the efforts of U.S. workers to develop new skills and
begin building for the long term. Intel urges the Commerce Committee
and Congress to learn from the example of Arizona's forward-looking
plans. For example, in 2018 Arizona formed the Institute for Automated
Mobility to advance readiness for automated vehicles. This effort will
help advance technology readiness and regulatory frameworks for one of
the most important applications of 5G technology. Especially during
this time of pandemic, it is imperative to keep students and teachers
connected to mitigate some of the disruption. That's why Intel
announced the Intel Online learning initiative to support education-
focused nonprofit organizations and business partners to provide
students, without access to technology, with devices and online
learning resources. In close partnership with public school districts,
the initiative will enable PC donations, online virtual resources,
study-at-home guides and device connectivity assistance. The Intel
Online Learning Initiative builds on Intel's long-standing commitment
to technology that improves learning. Although Intel's broad efforts
were driven by a desire to support students, health care professionals
and businesses of all sizes during the COVID-19 pandemic, Intel has
strategically aligned its support with the goal of driving long term
innovation against the world's greatest challenges (for more
information on Intel's efforts, the press announcement is located at
the website https://newsroom.intel.com/news/intel-commits-technology-
response-combat
-coronavirus/gs.3a0m7n.
As a leading provider of technology to 5G infrastructure, an
employer of tens of thousands of the engineers who are inventing the
amazing experiences of the future, and as the world's leading
semiconductor integrated device manufacturer, Intel Corporation
welcomes the opportunity to advise and support efforts to ready
infrastructure, education and workforce in the U.S. for success in the
21st century and beyond.
______
Response to Written Question Submitted by Hon. Kyrsten Sinema to
Dr. James A. Lewis
Question. Arizona has led the way in developing and deploying the
technologies of the future. In 2019, two major carriers launched 5G
services in the Phoenix area, bringing Arizona families and companies
enhanced networks, greater connectivity, and the economic opportunities
that go alongside. However, greater connectivity also means greater
access to Arizonan's private personal information and propriety data.
There seems to be debate over the threats posed by equipment used
in the core network verses non-core parts.
Is there a security threat posed by Huawei and ZTE in non-core
parts of U.S. networks? If so, how great is the threat?
Answer. Chin is perhaps the most aggressive intelligence opponent
the U.S. has ever faced. This means that any Chinese technology that
connects back to a Chinese company could be exploited for espionage
purposes. Chinese law makes any Chinese company a tool for Chinese
espionage.
Huawei, with its longstanding and close ties to the Chinese
government, falls into an especially high category of risk. The only
way to completely eliminate risk is to not use Huawei equipment. Some
countries argue that for the next few years as we transition from 4G to
5G networks, it is possible to manage the risk of using Huawei
equipment through partial bans that limit the use of Huawei. These
countries share the U.S. assessment of the risk of using Huawei, but
argue that they can mitigate risk (but not eliminate it) to an
acceptable and manageable level by restricting the use of Huawei
equipment to limited part of the 5G network.
The United Kingdom, for example, uses a partial ban to exclude
Huawei equipment from ``sensitive'' areas and its use confined to the
edge. There is much debate over whether this partial ban is enough to
mitigate the risk of using Huawei equipment. 5G networks will perform
many operations once done in the core at the edge, which will have the
increased computing power. Edge computing is part of what provides 5G
with higher speeds, and this also means that keeping high-risk
suppliers out of the core does not end all opportunities for espionage
and disruption.
The UK argues that careful network architecting and greater
attention to cybersecurity can overcome this risk. In the U.S., where
many smaller networks still use Huawei equipment, there is less risk,
as this is older technology, but since these companies did not design
their network for security and may not have the best cybersecurity
tools available, using Huawei create espionage opportunities. China
will try to find ways to use this Huawei technology to collect
information from the network on which it is installed and attempt to
use it to gain access to other larger networks. The only way to
eliminate risk is to eliminate Huawei technology.
[all]