Senate Hearing on Cybersecurity Threats


Mr. Adam Meyers (00:00):

… unfold. For Congress's part, particularly in support of small businesses, it's appropriate to engage in a more meaningful conversation on the use of tax credits, rebates, or other incentives than we've undertaken to date. We ought to make the best-in-class cybersecurity tools and training more accessible. Thank you for the opportunity to testify today, and I look forward to your questions.

Mr. Blumenthal (00:24):

Thanks very much, Mr. Meyers. I'm going to yield to Senator Hawley for his first round of questions because he has another commitment. He may have to leave for it before we finish the hearing. I am going to vote. We have a vote that's ongoing right now and I will hopefully be back by the time he finishes his questions. If not, if Senator Grassley has questions, Senator Hawley can yield to Senator Grassley and I'll certainly be back by the time he finishes. Thank you. Thanks, Senator Hawley.

Mr. Hawley (00:54):

Thank you. Thank you, Mr. Chairman. Thanks again to all of you for being here. Mr. Meyers, if I could just start with you. You just referred to the Salt Typhoon attack as a sophisticated attack. Can you just elaborate? We still don't know a whole lot exactly of what's happened, at least from public reporting. You have extensive experience in this area as you've just elaborated going back years now. So could you give us your sense of the sophistication level involved here, what we might be looking at in terms of ramifications?

Mr. Adam Meyers (01:22):

Sure. Thank you, Senator. The sophistication isn't necessarily just to be measured in terms of how they get in, but what they do once they get in, in terms of the broad collection operations that China has been running in general. This really belies what their intention is to collect large amounts of information that they could later exploit, whether that be political information, military information, or intellectual property. We've seen the Chinese over the past decade significantly up-level what they were doing. In the testimony I refer to smash and grab operations where they would break into one target, steal the thing that they want, and then leave. They are now maintaining persistent and enduring access to those targets in order to continuously collect large amounts of information and exploit downstream relationships to other interesting targets.

Mr. Hawley (02:16):

Exploit downstream relationships. Give me an example.

Mr. Adam Meyers (02:19):

Sure. So with a lot of the telcos or ISPs that might be targeted, they have customer trust relationships. In other words, other organizations rely on those critical infrastructures for services or even shared services or web hosting, things of that nature, and they can exploit that trust relationship to then take on the persona of the initially targeted organization to exploit that trust relationship and use that to move to other areas.

Mr. Hawley (02:49):

So could the hackers impersonate particular individuals?

Mr. Adam Meyers (02:55):

They could, yes.

Mr. Hawley (02:57):

Could they disrupt specific communications between particular people?

Mr. Adam Meyers (03:05):

I'd say it's fair to say once they gain access to the telco or to the mobile provider, they could initiate or disrupt communications and it's at the core of the system. So they'd be able to basically do anything that the telco could do.

Mr. Hawley (03:20):

You mentioned their intention being to exploit this information. What are some possible examples of that exploitation? What could we be looking at?

Mr. Adam Meyers (03:30):

In the case of many of these Chinese adversaries, espionage would be the number one objective or motive in order to collect information. But as I mentioned with Vanguard Panda, and this has been covered pretty extensively elsewhere, there is a concern about pre-positioning. So if there was to be, for example, an escalation around Taiwan, could they use that access to disrupt logistics or disrupt military operations or critical infrastructure in the region that would potentially slow or disrupt the US response.

Mr. Hawley (04:02):

Got it. Just on that point, does the use of foreign network hardware in this country, like for instance, Huawei, does that make these vulnerabilities worse? Is that something we should be particularly concerned about? What's the effect of that? How does that play into this?

Mr. Adam Meyers (04:18):

Well, I think with a lot of that foreign technology, there's really no way to assess what's in there. In other words, there is a hardware supply chain concern there. They could have other microchips or other software running inside those devices. So this should be a huge concern.

Mr. Hawley (04:33):

Is that true of American companies whose hardware is manufactured in China?

Mr. Adam Meyers (04:40):

Potentially that could be part of the supply chain concern if it comes back with something different than what was specced. Yes.

Mr. Hawley (04:49):

Mr. Bresnick, let me just ask you on that point, and I've seen your report here, Which Ties Will Bind, which is extremely alarming in many respects, and I want to make sure I get some of these figures right. You say based on your research, 80% of Apple's suppliers are based in China.

Mr. Sam Bresnick (05:06):

So that's almost exactly right. 80% of Apple's suppliers have at least one facility in China.

Mr. Hawley (05:14):

Got it.

Mr. Sam Bresnick (05:15):

That's not to say that all of them… That 80% are in China.

Mr. Hawley (05:18):

I got it. 95% of Apple's key consumer products are manufactured in China.

Mr. Sam Bresnick (05:23):

That's according to a Financial Times story. That number is coming down right now, but when the report was written, those were the figures.

Mr. Hawley (05:31):

32% of Amazon's suppliers are based in China. These are huge numbers. I guess my question is, and you said in your testimony a moment ago, you don't advocate total or full decoupling. I'm just wondering with numbers like these, are these companies able to decouple at all? I mean, this is an incredible dependency that you outline in your report.

Mr. Sam Bresnick (05:52):

Yeah, thank you for the question. I think right now part of my answer against decoupling is based on the fact that there is no way to completely decouple right now. If you sever manufacturing ties to China, the electronics industry ceases to function essentially. So I advocate for a de-risking approach where these companies have to set up alternative supply chains in other countries, whether that's in Southeast Asia, South Asia, or closer to the United States. It's going to take some time to build up these alternative supply chains.

Mr. Hawley (06:24):

What would happen if China invaded Taiwan successfully?

Mr. Sam Bresnick (06:29):

Can you clarify that?

Mr. Hawley (06:30):

Well, I'm just thinking about these supply chains and these companies' dependence on China, and then also the significance of Taiwan to the global supply chain in so many of these areas. What would the effect be on these companies and let's say our national security broadly if China successfully invaded Taiwan?

Mr. Sam Bresnick (06:53):

Yeah, so obviously that is a very difficult question to answer. I would point you to a report by some researchers at the Baker Institute that I can share with you that tries to outline what an invasion of Taiwan might mean for corporations, national security, etc. I think it's very difficult to tell because we don't know how the Chinese government would react to an invasion and however we responded. They could react in a way to sever supply chains. They could interfere with supply chains, they could arrest corporate employees. There's a wide range of eventualities that I don't think anyone has really thought through fully.

Mr. Hawley (07:33):

I want to come back to this, but Senator Grassley, let me turn to you.

Mr. Grassley (07:36):

Thank you. Thank you. I missed the first two people testifying and I apologize. I'm going to start out with Mr. Stehlin. This Congress, I've engaged in extensive oversight relating to cybersecurity of our critical infrastructure and security of American people's data. I've written to federal agencies and the private sector about cyber attacks and the steps taken to protect them. Much of the equipment used in the administration of US critical infrastructure, particularly telecommunication, is or was manufactured in China. What are the national security implications of Chinese technology and equipment in our networks?

Mr. David Stehlin (08:21):

Thanks for the question, Senator. The implications are significant from a variety of perspectives. Probably the lowest hanging fruit is we still have a lot of Chinese Huawei and ZTE equipment in small service providers in rural America. There was a rip and replace bill that was put in place in 2020, partially funded to the tune of about 40%, $1.9 billion, but there's another $3.3 billion needed to pull out that Huawei gear from these service providers, typically small, more than 6,000 sites across America. And oh, by the way, many of them are very close to military installations. Senator Daines has put forth a bill to address that in this Congress. So that's about the lowest hanging fruit we have.

(09:11)
But without knowing what's in the products, whether they be products that have an American name on them or a trusted country's name on them or a Chinese company's name on them, we don't really know what's in there. And that's why we started Supply Chain Security, SCS 9001. It requires a full bill of materials. It requires understanding from a zero-trust perspective where all the software comes from. Synopsys earlier this year did a study looking at a thousand code bases of various enterprise equipment and found that 96% used open-source software and more than 70% had critical vulnerabilities. So this is pervasive. It's a massive issue.

Mr. Grassley (09:57):

Okay. Mr. Fish, the office of National Cyber Director has identified memory safety typically represents 70% of the cyber risk facing legacy and modern IT systems. For the manufacturers of these IT systems, what would you recommend they do now to prevent memory safety exploitation?

Mr. Isaac Stone Fish (10:21):

Thank you. Chinese laws require a huge amount of data sharing for companies that have large presences in China and even small presences. And every Chinese entity that has at least three party members must have a party cell. So it must have official party representation inside the businesses. So for companies in the memory safety industry, and frankly for companies in a wide range of sensitive industries, they need to understand that if any part of their supply chain touches China, there are very concrete risks with that and they need to have a strategy for mitigating those risks.

Mr. Grassley (10:58):

And Mr. Meyers, last December, the DNI issued a public bulletin about the risk of foreign commercial spyware. In June, I introduced a bill that we entitled the App I.D. Act with Senator Cortez Masto, which would require apps owned and controlled by foreign adversary companies to disclose that fact to users. Could you explain the threat posed by foreign commercial spyware to everyday American data privacy and steps that we can take to mitigate the threat?

Mr. Adam Meyers (11:35):

Thank you for the question, Senator. I think foreign commercial spyware is… There's a couple of ways to consider what that is made up of. There's spyware, which is meant to be spyware, offensive in nature. That is one set of concerns. The other side of that is data collecting code. As an example, on a mobile application, it might use a library that is collecting information about the user and then feeding that back for advertising purposes. And that information can also be used to garner information about the user, where they are, what they're doing, what they're looking at, what they're even saying. And so along those two lines, I think that they need to be considered differently. Foreign commercial spyware I think would be more along the lines of an offensive tool that would be regulated similar perhaps to a weapon system. The more concerning would be the software that is collecting information unbeknownst to the user and how that information is being used. The users don't even know that that library's loaded in the application that they're using.

Mr. Grassley (12:47):

Okay. My time's up and I'll have one more question for you, Mr. Meyers for answer in writing. Thank you.

Mr. Hawley (12:54):

Thank you, Senator. Mr. Stone Fish, let me come to you and pick up the line of questioning that I was starting to discuss with Mr. Bresnick. Here we've got these companies, Apple, Amazon, Microsoft, Tesla hugely, hugely invested in China and hugely dependent on China. And it would be one thing if they were run-of-the-mill, no-name companies, but Apple, Amazon, Microsoft? I mean, these are arguably… Each of those three are monopoly-size companies that have significant, significant control of vast sections of our consumer economy. So I guess my question is how concerned should we be that 80% of Apple's suppliers have a base in China, 95% of Apple's key consumer products are manufactured in China, a third of Amazon's suppliers are in China, 10% of Microsoft's China-based research lab produces… Or I should say Microsoft's China-based research lab produces 10% of the company's research output? Those are massive numbers. Should we be concerned about this or is this not relevant? I mean, are we panicking unnecessarily?

Mr. Isaac Stone Fish (14:05):

Thank you for bringing these issues up. I think this is incredibly important and I think there's this perception in DC that, "Oh, everyone's talking about China. We're talking about it too much." I don't think we're talking about this nearly enough. I am really appreciative that you brought up the potential for a Chinese invasion of Taiwan and a war with Taiwan. It's our very strong belief that the businesses you mentioned have constantly underpriced the risk of a Chinese invasion of Taiwan, and they've long underpriced the risk of their very heavy China exposure. There's massive national security implications of the figures that you just described, and I think US government agencies need to be really aware of the various different interests and influences inside these corporations.

(14:49)
We're in an era of shareholder capitalism, and if it's in Apple's best financial interest to double down on China, where does that leave us and where does it leave Apple consumers who's using an Apple laptop right here, but also the US government? And I think this is especially the case with Microsoft and the US government's relationship with Microsoft and understanding that the depth of Microsoft's entanglement with China and with the Chinese Communist Party poses very real supply chain and security risks. And these are things that big US companies absolutely need to disclose.

Mr. Hawley (15:26):

You say that you think that these companies, there's a real risk that they underrate the significance of a potential Chinese invasion and takeover of Taiwan. Just elaborate on that, and what do you think are some of the scenarios there that we should be prepared for?

Mr. Isaac Stone Fish (15:38):

So three different potential scenarios. One is business as usual, tensions abate. Second is a limited Chinese invasion of Taiwan, perhaps a la what Russia did in Ukraine in 2014, seize a few of the outlying islands, assassinate Taiwanese politicians, seize a little bit of territory, and stop. Or a full-scale Chinese invasion of Taiwan, which could potentially lead to World War III. In the latter two scenarios, this would have massive upheavals for not only the global order, but US businesses and their interests in China, especially in the third scenario where the Taiwanese semiconductor market gets knocked offline potentially. Could drastically transform these companies and their share prices. And if this does happen, we expect a lot of companies will expect the US government to bail them out or to support them when at this time they're way too exposed to China for US national interests.

Mr. Hawley (16:34):

While the chairman gets ready to ask his questions, let me just ask you on that. On the scenario where the Taiwanese semiconductor production market gets completely knocked offline, which is a very real possibility for the scenario of a successful invasion of Taiwan, what would that look like for the United States? Just walk us through the potential ramifications there.

Mr. Isaac Stone Fish (16:55):

Initially it would be devastating. What usually happens in instances like this, with the caveat that these things are very unpredictable, is that it's devastating for weeks, months, and then people come up with alternatives. It's unclear what that will be. But US ingenuity and brilliance would allow for alternate supply chains and alternate possibilities. And so, it wouldn't be a catastrophic end to the technological age, but it would have very, very major implications. And the companies that today are making the right de-risking choices and are making the right choices of moving out of China, will be in much better shape if China does invade Taiwan.

Mr. Blumenthal (17:39):

Thanks, Senator Hawley. Thank you all again. One question that may occur to someone with little familiarity with the background and details here is, has Chinese spying and hacking gotten worse or are we just more aware of it? And if it's gotten worse, what's your assessment as to the reasons, I think I know, but I would be very interested in your views beginning with Mr. Stone Fish. Obviously, there's been a lot of focus on Chinese companies like Huawei, and we're perhaps less aware of how American companies have been put at risk because they are doing work in China, taking advantage of a huge Chinese market and production facilities that the Chinese require them to put there, sometimes so they can steal their technology. But have the Chinese tactics and strategy emphasized more spying, hacking, and so forth? Or is it just we're more aware of it?

Mr. Isaac Stone Fish (19:01):

Thank you. That's an excellent question. I'll answer in two ways. My big worry is that because so many US companies and entities are so exposed to China, they don't talk publicly about hacking or Chinese espionage, and we don't get anything close to a full picture because it's so taboo for companies to go public with Chinese incursions into their business. I will say the geopolitical moment we're in puts Chinese citizens and Chinese Americans in a very, very difficult spot because for so many of them, Beijing expects them to act as agents of the Communist Party's interests and the party state. And many of them don't want to. They don't want to have anything to do with that, but Beijing puts them in this incredibly difficult position.

(19:51)
And so, I encourage us all to spare a moment and empathize with that very, very difficult place that they're put into. And I'd encourage also US companies that employ Chinese staff to really think hard about how to protect them because if tensions between the United States and China worsen, you are going to have companies that work on sensitive American issues with hundreds of thousands of staff in China who Beijing sees as enemy combatants and starts to round up. And US companies need to take some responsibility for that.

Mr. Blumenthal (20:25):

So I take it your answer would be that the Chinese have become more aggressive and in a sense, expansionist in their use of spying and hacking.

Mr. Isaac Stone Fish (20:35):

Yes.

Mr. Blumenthal (20:37):

Others have a view on that? Yes, Mr. Meyers?

Mr. Adam Meyers (20:41):

Thank you, sir. So as far as has Chinese exploitation, espionage gotten worse, I'd say that there's three things I would comment on there. Yes, it absolutely has increased. The first concern is that it has matured. They've moved away from smash and grab operations to bulk collection, longer term operations against upstream providers, whether it be telecoms, ISPs, consulting organizations, professional services. So they've matured how they do it and what they're collecting. The second thing, in 2017, 2018, Chinese national security law has effectively privatized the vulnerability research or crowdsourced it, meaning if you do vulnerability research in China, it doesn't go to the vendor as it would here in the United States in order to ensure that gets fixed and that there's no exploitation, it goes through the Chinese government. So they effectively get first right of refusal for any weapons that are created by researchers or by research organizations and things like the Tianfu Cup, where they have pwn-to-own competitions to see who can write these vulnerabilities, and it's become more opaque.

(21:55)
So we only see what maybe categories have won, but we don't actually see what the vulnerabilities or the exploits are. And then thirdly, we've seen that the Chinese have diversified who's doing these operations. Prior to 2015, this was largely the People's Liberation Army. Following the reorg of the People's Liberation Army in 2015, 2016, we started seeing the Ministry of State Security taking a greater role, and now a whole bunch of contract elements, which we've seen in the news and US indictments, US Department of Justice has identified many of them. They are expanding it. So they've effectively created an offensive cyber operations industrial base within China, which is building weapons and capabilities and tools at an incredible pace.

Mr. Blumenthal (22:44):

Mr. Stehlin.

Mr. David Stehlin (22:45):

Thank you, sir. Yeah, I would add to that, that it's definitely getting more difficult, especially as these networks are growing. So 20 years ago, we basically had wireline networks. Now we have hundreds of millions of people with maybe a million cell towers using wireless networks. And then thirdly, we're in the IoT phase where everything is connected in our homes, whether it's your doorbell or a video camera or your refrigerator, each of these devices is an avenue of access. And typically, we as consumers buy the least expensive thing that's out there, which is the least secure thing that's out there. So it is getting to be a bigger problem than before.

Mr. Blumenthal (23:22):

To what extent apropos of that comment are, for example, Chinese-manufactured drones creating a vulnerability in our country?

Mr. David Stehlin (23:36):

A large extent, and I'll give you an example. Often wireless companies will use drones to access the equipment that's up on a tower, it might be a thousand feet up, to analyze the latest, to see what's up there, is it the latest generation, et cetera. Chinese drones often with these service providers that are in rural America are accessing some of these towers, and that information is getting fed back to China for sure.

Mr. Blumenthal (24:07):

Let me ask you on this supply chain issue, obviously our dependence on China for supply chain creates vulnerabilities. Mr. Stone Fish, I think you created a graphic, very powerful set of graphs that show that dependence ranking companies, in fact, according to their dependence and vulnerability. Have you seen any effort? I mean, they know that they're dependent, any effort to pull back to create some independence to address this issue?

Mr. Isaac Stone Fish (24:46):

Thank you. We have seen some movement by select companies to better understand and reduce their China exposure. For a variety of reasons, they're very, very private about it. We encourage transparency there, but a lot of them don't like to talk about it publicly because they're afraid of reprisals from Beijing. But people understand both because of the potential for President-elect Trump's tariffs, also because of the potential for a Chinese invasion of Taiwan. And also because there's a lot of very real frustration in the United States and in the halls of Congress about US overexposure to China that many businesses or some businesses, I would say, are moving to reduce this exposure.

Mr. Blumenthal (25:30):

Mr. Bresnick?

Mr. Sam Bresnick (25:32):

I would agree with that. I would also caution that China has huge advantages in, at least electronic supply chains. It's a massive country that has millions of engineers who are specialized in these very niche electronics manufacturing industries. It has very good power supplies, it has access to water. It has all of these resources that would allow it to be the world's major player in electronics. And again, these companies are trying to shift supply chains. It's a little bit slow going because you can't just plop down a factory in India or Malaysia or Vietnam. You can do that, but the intermediate parts are still coming from China, right? So you move the supplier, the first level supplier, you're still depending on China. So, it's not really a matter of picking these suppliers up and putting them in other places. You have to create ecosystems, manufacturing ecosystems that go with those to fully actually reduce the China exposure.

Mr. Blumenthal (26:33):

Do you think it's more the practical difficulty of relocating the supply provider, or is it as Mr. Stone Fish suggested, the fear of reprisals? Do you understand the question? In other words, is it the logistical difficulty of moving a supplier or a source of supply out of China, or is it the fear that there will be some kind of revenge from the Chinese government?

Mr. Sam Bresnick (27:06):

I think you could credibly argue it's both. I think it's very hard to logistically do this. And you see companies like Apple, for example, which has made an effort to make more of its phones in India generally through Foxconn, a Taiwanese electronics manufacturing company. At the same time they're doing that, Tim Cook is going to China and he's announcing new investments in China. So, I think these things go hand in hand. There's a desire to stay in the good graces of the Chinese Communist Party, and there's a desire to actually make moves to reduce exposure.

Mr. Blumenthal (27:40):

And would you say Apple has been effective in trying to reduce its exposure?

Mr. Sam Bresnick (27:45):

I only know from news reports, but they're claiming they're making more and more iPhones in India this year. So it appears that they're on the path to reducing their exposure, but I can't tell you how that will go going forward.

Mr. Blumenthal (27:59):

If you as witnesses, I'll ask this question of all of you, were to cite a company that has been effective in trying to relocate its supply chain, could you name one for the committee? I'm not asking you to condemn, I'm asking you to praise. I hope you'll be more… I would understand your reluctance to condemn, but are there any good guys here? Maybe Mr. Stone Fish.

Mr. Isaac Stone Fish (28:32):

So we would love, and I hate to answer it in an evasive way, but we would love for the environment to be that the companies that we work with, and some companies are proud of reducing their exposure to China, but they're petrified. They're very afraid of reprisal from the Communist Party. They're afraid of losing business in China. They're afraid about their Chinese staff. And so, it's a massive structural issue. And as companies start to reduce their exposure, and we often try to remind people the non-Chinese market is much larger than the Chinese market because people just say, "Oh, it's China or nothing." But it's a big world out there, and we have a massive, massive market here. So, our hope is that companies will be confident enough to say, "Hey, we've made these really good decisions and then really good changes," but it's not quite there yet.

Mr. Blumenthal (29:22):

I'm going to interrupt my question. I have more, to yield to Senator Blackburn.

Mrs. Blackburn (29:27):

Thank you, Mr. Chairman, and thank you to you all for being here and talking with us on this today. It's so interesting to me how the American people have become so aware of the Chinese Communist Party and their tendency to spy on Americans, and they try to find any little entry point in the technologies that we use on a daily basis. And part of the problem with this is so much of our citizens' transactional life is actually conducted virtually, and people are now dependent on that, and they appreciate the efficiencies of that. And one of the things that we have looked at is we've… And Senator Blumenthal and I've worked on these issues from several different angles, but looking at how they use drones, how they use apps, how they use cranes, you name it. They are always looking for a more efficient way to spy on us. Now, one of the things we realized they had started to use is routers and the embedding of malware into these routers.

(30:56)
And of course, the US had a… Hackers used routers to target some of our critical infrastructure and water systems. And Director Wray brought this up in one of our hearings that what they were doing was pre-positioning themselves to carry out a larger attack. So we know this is here. So Senator Luján and I introduced the ROUTERS Act, which would give us an ability to guard against these cyber threats. And it's a pretty simple bill because it requires Commerce to review the national security threat that comes from some of these routers and technologies that are developed, manufactured, or supplied coming out of China. And also, we added to that Russia, Iran, North Korea, Cuba, and Venezuela. So they're doing a study on this so that Congress can then take further action after we have better insight into this. But Mr. Meyers, I want to come to you first. I want you to speak for a minute on the importance of understanding this landscape and the appreciation of the threat that is actually in front of us and why a study like the ROUTERS Act is so important.

Mr. Adam Meyers (32:24):

Thank you, Senator. The routers, like much of the other technology that is part of the underlying infrastructure, represent in many cases an unmanaged or unmonitored system. In other words, compared with endpoint technology (laptops, desktops, servers), network infrastructure is often not instrumented to collect information, telemetry, for security analysts and threat hunters to be able to evaluate what's happening on that system. Routers are also frequently internet accessible, meaning a threat actor can touch that from anywhere in the world. It's not protected behind firewalls or things, security appliances, and the routers are often very constrained in terms of space. So they don't have a lot of room for security tools and security capabilities to be built onto them, and they're meant for speed. They're meant to route packets from point A to point B as quickly as possible. So routers have become increasingly targeted by nation state threat actors, especially groups from China like Vanguard Panda, and Salt Typhoon, because they're unmanaged, there's no security layer around that, and it gives them the ability to intercept and redirect traffic very effectively.

Mrs. Blackburn (33:48):

Thank you. Mr. Stehlin, I want to come to you. Did I say your name right? Stehlin?

Mr. David Stehlin (33:52):

Yeah, that's correct. Thank you.

Mrs. Blackburn (33:54):

Thank you. Wanted to be sure of that. Senator Warner and I have introduced legislation that would promote US standards and promote our leadership in standard setting, which when we look at China and the threat there, we feel that retaining that leadership is vitally important. I'd like to get you to weigh in on that and see where you are on that standard setting ability.

Mr. David Stehlin (34:24):

Thank you, Senator. Appreciate that. The bill that you're talking about, the Promoting US Leadership in Standards Act with yourself and Senator Warner, is very important.

(34:36)
Honestly, I think the US has lost a lot of its standard leadership and it's for a variety of reasons. We as a globe have become more regionalized. China is setting up its own set of standards, Europe is setting its own set, India is even heading down that path, and then the US separately.

(34:56)
There've been some questions over the past five to 10 years about whether we should be at the table with companies like Huawei when it comes to setting standards. If we're not, they're going to overwhelm us. It's a typical Chinese methodology of how they win. They win en masse, and if we're not at the table, they will drive these international standards.

(35:16)
We need to have international standards, and there has to be US leadership there, as there had been for decades, but that takes time, it takes money, and in a very competitive environment, a lot of companies have scaled back their teams related to standards because they're trying to increase their gross margins. It's really critical that the US build back our leadership in standards and be at the table globally and help drive global standards.

Mrs. Blackburn (35:46):

Thank you. I've got one more question. May I go ahead with this? Mr. Bresnick, your report you did this summer on the PRC perspectives on the challenges, I'd like to ask you about Quantum.

(36:03)
This is something that at the Commerce Committee we've looked at a good bit, and we're trying to get the Quantum Initiative reauthorized for the US, and some of us have a Quantum Sandbox bill, but I'd love for you to just talk for a second about how concerned you are about the Chinese, the CCP's, investments into Quantum and the risk that presents.

Mr. Sam Bresnick (36:33):

Thank you for the question. Unfortunately, I am not really positioned to answer that question very well because that paper doesn't dive into Quantum very much. I'm happy to write to you, to do some research and write to you.

Mrs. Blackburn (36:48):

Okay, submit that one for the record.

Mr. Sam Bresnick (36:50):

Okay.

Mrs. Blackburn (36:50):

I would love to hear from you on that and get your perspective. Thank you, Mr. Chairman.

Mr. Blumenthal (37:00):

Thanks, Senator Blackburn. I have a few more questions. We've talked a little bit about Apple's dependence on the Chinese supply chain. Let's talk a little bit about Tesla. Half of its production, a third of its sales roughly are dependent on China. Does that concern you Mr. Stone Fish, Mr. Bresnick, and why?

Mr. Isaac Stone Fish (37:29):

It absolutely does concern me and it's a very, very difficult position for Mr. Musk to be in that Beijing loves to use corporate leverage over US companies and US individuals to advance its national security interests. Frankly, I don't know how Mr. Musk can balance the interests he has with the US government, with Tesla, and with SpaceX at the same time. It's very, very challenging.

(37:57)
This spring, Mr. Musk was in Beijing meeting with the Chinese premier Li Qiang. He wrote an article, was the first foreigner to do so writing an article for a big Chinese propaganda outlet a couple of years ago, and it's amazing. He's managed this balancing act for so long, and I'm very curious to see how he keeps it up.

Mr. Blumenthal (38:19):

When you say the Chinese will use their economic leverage, they will threaten to seize his operations, they will threaten to stop his sales. Is that the kind of leverage you talked about?

Mr. Isaac Stone Fish (38:33):

There's a Taiwanese businessman, Terry Gou, who is the chairman of the company that runs Foxconn. It's a very major Apple supplier, and he ran for the Taiwanese presidency. As part of his campaign, he talked a big game on China, and he said, if China wants to do anything to my businesses in China, go ahead, and so they did.

(38:52)
They started investigating, I think it was tax irregularities in his business, and Terry Gou went quiet. Oftentimes, they will say you're not following this tax rule. Lotte, the South Korean corporation, they had a land deal in South Korea with the US for a US weapons system, and suddenly their business in China had all sorts of problems. Beijing rarely ties it together directly because they like to keep people guessing.

(39:23)
It's very believable that Tesla will face a series of unrelated business challenges in China, and we'll just wait for someone at a senior level, perhaps Mr. Musk or other people, to work to placate Beijing so that those business challenges go away.

Mr. Blumenthal (39:40):

Do others have comments or observations? I am deeply troubled because the Department of Defense and other agencies are becoming more reliant on SpaceX, and Mr. Musk's been promised influence over federal budgets and regulations. The Wall Street Journal meanwhile has reported that Mr. Musk has been in regular contact with Vladimir Putin and that the Chinese government views him as a potential back channel to the White House.

(40:20)
It isn't only the vulnerability in China, it's also our reliance, our defense department's reliance on SpaceX, and the potential for that dependence to create a vulnerability for our government. I think it is beyond dangerous. I think it is a profound threat to our national security that Mr. Musk and SpaceX are in this position. It's not necessarily of Mr. Musk's doing, in fairness to him. The Chinese government is an authoritarian and autocratic engine of repression, and they will use whatever levers they have to advance their interests.

(41:12)
In this country, we wouldn't think of throwing the CEO of General Motors in jail simply because we didn't like her public statements, but in China, that happens. They would never think of relying on a company that, in turn, had a dependence on the United States. They would seize that company.

(41:45)
Now, I am not suggesting the United States of America seize SpaceX, but we are in a profoundly anomalous position vis-a-vis China where we have turned the other cheek and we've left that cheek turned, and China isn't stopping at the cheek, it's seizing the whole head. I think that you are absolutely right what you said at the very beginning, Mr. Stone Fish, that all of these technology firms have now reached a crossroads.

(42:22)
They've been trying to be on both tracks at the same time, they've tried to straddle the fence, and they've reached an endpoint for that dual strategy where risk can be managed. It can no longer be managed, which is why I asked the question about whether the Chinese threat level has increased, and clearly it has. They've become more aggressive and there's no sign of that increasing risk in any way moderating or mitigating in the near future.

(42:59)
I think the conflicts of interest that have been raised here are not necessarily out of malevolence on the part of any tech CEO. It's the position that the Communist Chinese party has put them in. These are public companies, so they have an obligation to shareholders to maximize profit, that's what they're doing by being there, but somehow they have lost a moral compass here or a national security compass.

(43:36)
Mr. Bresnick, you have said you can't simply plop down, I think that was the term you used, a new factory somewhere. A company can do a lot if it's willing to incur the cost. At the end of the day, it's all about cost and expense. You can move operations. It may be costly to make those investments, but it is possible to do it, and companies have done it and decided to break that dependence.

(44:10)
We've been talking a little bit about TikTok and ByteDance. TikTok spent years promising that it could hold its Chinese parent company, ByteDance, apart from its US operation, no connection, complete separation. Despite those promises, TikTok was found storing data in China and spying on users, which has led to the action taken by the Congress.

(44:42)
Let me ask all of you, based on your experience, do you trust that ByteDance and TikTok could ignore demands from the Chinese government, like TikTok claimed that it could? Mr. Stehlin?

Mr. David Stehlin (44:56):

Thank you, Senator. I don't think they can ignore it. They're, like most large Chinese companies, very dependent on and connected to the CCP, so I'm not sure how they would ever ignore that, and I'm not sure how they would ever separate their algorithm to make it a company that's not dependent on the basis of how it was founded. What they do with that information, it allows them to create a Trojan horse, as we've talked about in other discussions here, for possible future use.

Mr. Blumenthal (45:36):

Other comments? Mr. Stone Fish?

Mr. Isaac Stone Fish (45:38):

If Apple and Microsoft can't ignore the dictates of the Chinese Communist Party, TikTok doesn't have a prayer to do so. I think that the broad framing and what a lot of folks outside of the national security world don't understand is the threat that TikTok poses in the United States in the very scary but very real possibility of a war between the US and China. TikTok in a time of peace is a manageable threat. TikTok in a time of war is absolutely devastating.

Mr. Blumenthal (46:13):

I think that's very well put. The only amendment I would offer is I think it's a serious threat in a time of peace as well as war, and actually could lead to war by giving the Chinese greater capability and perhaps complacency about our determination. Let me ask you, Mr. Meyers, can you tell us a little bit more about what CrowdStrike has seen from Chinese hackers targeting phone and IT companies?

Mr. Adam Meyers (46:48):

Thank you, Senator. They continue to operate in every vertical that we monitor, every geographic region. They are constantly collecting information that will enable them to have diplomatic success, potentially military utility. They target intellectual property of American and western businesses, which they attempt to steal and replicate within their own markets. They have been using these same capabilities to target dissidents, to target individuals who have spoken out or taken a negative position on the CCP or the PRC in general, and we see this not abating.

(47:33)
I'd like to maybe just introduce something that I thought of as we were talking about some of the other topics: that in order to have a good defense, you need to have a good offense. There's sitting and watching them conduct these collection operations, and then there's things that we can do to stop that. There's things that we can do to disrupt their operations and activities, and I think that this is something that we need to partner on with the public sector and private sector in order to have much more effective disruptions, to impose costs on those threat actors and demonstrate that this is not something that can occur without any sort of repercussions.

Mr. Blumenthal (48:18):

The Wall Street Journal reported that in some cases, Chinese hackers have obtained access to the wiretapping capabilities built into phone and broadband networks. The FBI and Cybersecurity and Infrastructure Security Agency have acknowledged that those hackers obtained call records and communications of US government targets.

(48:48)
Could you break down for us, in common sense, layman's terms, what that means? There are capabilities in the networks that enable the United States lawfully, with a court warrant and approval, to do wiretapping, and somehow the Chinese have hacked into those capabilities, and they now can do what the United States government could do only with court approval, as well as the United States could do, in wiretapping our citizens. Is that roughly what's happening?

Mr. Adam Meyers (49:23):

That's my understanding, sir, yes. The lawful intercept tools that are present for lawful purposes, if there's a warrant or other means for law enforcement to collect information, are a goldmine for a foreign threat actor. This provides full content and the ability to not just see who somebody is calling and when they're calling, but more information about what the content of that call is, the content of SMS traffic, and what mobile device, what tower it's talking to. It can also provide them what the physical location is, and not just that, but who are they with? What other devices might be present with that individual? As they move from tower to tower, they could see, are they in a car with other individuals, with other devices that can then be additional targets that they might want to collect on?

Mr. Blumenthal (50:20):

They can harvest and collect huge amounts of data with that capability, correct?

Mr. Adam Meyers (50:26):

Yes, it's a goldmine.

Mr. Blumenthal (50:28):

A goldmine that is permitted, I'm being somewhat simplistic here, by the United States government. My reaction, and I think the reaction of a lot of people, is shame on us for somehow permitting it. Aren't there actions we can take to stop them? When I say we, I mean the United States government or the IT systems, or, as the layman would say, someone stop it.

Mr. Adam Meyers (50:59):

Yeah,

(51:00)
Yeah, I would agree with that. And I think that this is to my earlier point, that we should be looking at how to disrupt these operations. We can no longer sit by and watch them happen. We need to work to identify infrastructure that is being used to conduct these intrusions. We need to look at what tools are being used. And disruption can take many different forms. It can be publicly acknowledging and outing it so that it becomes more widely known and people can stop it. It can involve working with providers to disrupt the infrastructure, to take down domains and IP addresses that are being used by these threat actors, and more aggressive means as well. But again, I think we need to be looking at how to disrupt this activity, not just watch it happen.

Mr. Blumenthal (51:50):

I wonder, Mr. Stehlin, if you could describe, maybe just at a broad level, how enforcement systems work and the risks associated with their breach. In other words, what are the risks of breaches of law enforcement?

Mr. David Stehlin (52:08):

Thank you for that, Senator. Yeah. The CALEA Act, the Communications Assistance for Law Enforcement Act, put in place in 1994, allows for the use of intercept access points, which are a blend of hardware and software to allow lawful intercept of information through a court order, as we described. In essence, it's the same technology that's used to run any sophisticated network. It's just dedicated for this application. So if we don't fundamentally solve the problem of understanding where the software's coming from, where the hardware's coming from, is it trusted, is the vendor a trusted vendor, we will have these types of issues for things like lawful intercept as well as common usage of wireline and wireless networks. So it's a fundamental problem of using standards to hold and verify these companies to make sure that they are building trusted components and trusted products.

Mr. Blumenthal (53:17):

I want to ask a final question. Going back to where I began, the Federal Communications Commission is not without power and agency here. I've suggested that it ought to start rulemaking, it ought to take some action even under existing authority. We love to introduce new legislation in Congress, but often we know it is going to be futile. And so I have tried to emphasize the importance of agencies using their existing authority. Do you agree with me that the FCC ought to begin rulemaking and that it ought to take some action to help protect our country and the American public? And I'll just go down the table. Mr. Stone Fish.

Mr. Isaac Stone Fish (54:13):

Yes. And very quickly on existing legislation, the Uyghur Forced Labor Prevention Act restricts the export of goods made in Xinjiang and forces the companies to themselves prove whether or not they were made with forced labor. It's an excellent piece of legislation. I look forward to seeing more implementation of it.

Mr. Blumenthal (54:30):

Thank you. Mr. Bresnick.

Mr. Sam Bresnick (54:33):

It's a little outside my area of research, but I will say some of my colleagues at CSET, including one sitting behind me, have written about that issue, and we can forward you research on how to use existing authorities for the purposes you mentioned.

Mr. Blumenthal (54:47):

Wonderful. That would be greatly appreciated. Thank you. Mr. Stehlin?

Mr. David Stehlin (54:50):

Yes, sir. Two things. First of all, I mentioned rip and replace before. If Congress can fully fund that 3.3 billion, which comes to the FCC to help them pull out untrusted gear from small wireless networks, that's number one. Number two, the FCC has a new program, a cybersecurity labeling program for home IoT devices. Currently, it's voluntary, it's in its formative stage, but this is something that will help us stop access of devices in the home, whether it's a home router or a Ring doorbell, for example, and ensure that those devices are trusted. So they would put a label on the device to show that it is in fact trusted. So those are a couple of examples.

Mr. Blumenthal (55:37):

Thank you. Mr. Meyers.

Mr. Adam Meyers (55:39):

Thank you, sir. I'd say that we at CrowdStrike are happy to work with any agency, law enforcement, intelligence community, or federal agency that has a mandate to do anything to disrupt or to negatively impact these adversaries collecting intelligence, and we'll continue to work with our partners.

Mr. Blumenthal (55:59):

Thank you. I would welcome any suggestions for remedies, whether they're legislative or administrative that we can push. This session has been enormously valuable. I apologize that more of my colleagues weren't here, but they will be reading the transcript and they have staff who are here. And this topic is going to continue in public importance, so we will want to continue to be in touch with you and really greatly value your contribution. And the record's going to be kept open for a week so my colleagues can ask additional questions for the record if they wish.

(56:44)
We will probably have some, but very much welcome any follow up, Mr. Bresnick, or any of you may have. This topic is, fortunately, growing in awareness. As my colleague, Senator Blackburn, mentioned, the American public is becoming more aware, but still not enough. And so we're going to keep telling them about Chinese spying and hacking and trying to do something about it. I apologize. We have another vote that's ongoing. I don't have anyone to take the gavel for me at this point, and you've been very patient. So I'm going to close the hearing, keep the record open for a week. Thank you all.
