5 questions on cyber and supply chain security with Rep. Mike Gallagher (R-WI)

Welcome to Cybersecurity Awareness Month. To highlight the importance of the cybersecurity supply chain, I hosted a web event at the American Enterprise Institute on September 18th on ensuring supply chain security for essential information and communications technologies. For the first part of the event, I was joined by Rep. Mike Gallagher (R-WI) for a discussion on ways the US can improve the security and resiliency of its high-tech supply chains, as well as related topics of interest such as the TikTok ban, cyberattacks, and cybersecurity information sharing.

Below is an edited and abridged transcript of key highlights from our discussion. You can listen to the full event on AEI.org and read the full transcript here. Part two of this blog will highlight the expert panel discussion from the event.

Shane Tews: I'm going to start with the elephant in the room: TikTok and WeChat are potentially being banned from the US via an executive order from the Department of Commerce. How does this work, and is this any different than what China does to American tech companies?

Rep. Gallagher: I've been persuaded by the arguments of a fellow Wisconsinite named Ben Thompson who writes an amazing blog called “Stratechery.” He makes the case that there's no equivalence here. The fact is — whether it's social media companies like Facebook, Twitter, or YouTube — we allow Chinese Communist Party apparatchiks to exploit these platforms while denying access to their own citizens and denying access for US companies to mainland China. And so at some point, we have to insist upon reciprocity in our relationship, particularly when it comes to technological competition.

As it pertains to the development with TikTok, I've supported the ban on TikTok particularly when it comes to active duty DoD using it, and I think the administration is largely headed in the right direction. However, without having scrutinized the details, I think any sale of the US portion of TikTok that still allows the parent company to control the underlying algorithm would be a little bit problematic.

But the fact is: TikTok is popular because it's a very good product that consumers like a lot, and so the fact we got beat on that should be a wakeup call for both industry and the federal government. So, I guess I would say the devil is still in the details. I don't even know if the latest deal with Oracle has been finalized, but at least the government is waking up to the threat posed by companies like this.

Shane Tews: This brings us to another topic that you focused on in the Cyberspace Solarium Commission report, which is the issue of public-private partnerships. The cross-sharing of information between the US government and a lot of the companies and governments we work with — especially the Five Eyes — has been a challenge in this space for a long time. Have you seen changes since you started working on the report (which came out last March)? Is it getting better?

Rep. Gallagher: Our final report was released on March 11th. 48 hours later, the Capitol shut down, and I think our rollout may have been the last public event that was held at the US Capitol for at least a few months. So, a lot of things got overshadowed by the pandemic. Behind the scenes, we're continuing to work; I had to get a lot of our recommendations effectuated into law via the National Defense Authorization Act, and we actually are pretty cautiously optimistic on that, but I think the pandemic itself was a huge wakeup call for everybody that it's easy to take critical supply chains for granted up until the moment you no longer have them.

And what's true in the medical space is doubly true in the increasingly critical information and communications technology space: In America, we lack key industrial capacities for the mass production of essential technologies, including 5G telecommunications equipment. This has forced critical dependency on production in China and led to risks around the trustworthiness and availability of critical components and technologies.

I also think it has undermined American and partner economic competitiveness. So, I think the private sector is waking up, along with Congress, which is very slow to act sometimes in waking up. We've begun to take action to eliminate some of these dependencies through a variety of forward-looking bills including the Endless Frontiers Act, which would be a generational investment in R&D, the Chips for America Act, and the USA Telecommunications Act.

At the same time, the very disparate efforts in the executive branch have also aimed at managing supply chain risks to the federal government with the private sector as a partner. Unfortunately, I would say these initiatives — while admirable and worthy of support — lack organizing principles and an overarching strategic approach. And that's really what we're arguing for in the report. It's: How can we compete effectively with China? Because China does not have that same problem. The CCP has an industrial base strategy guided by Made in China 2025, China Standards 2035, and the doctrine of military-civil fusion. They've effectively seized market share in critical technologies and components through a mix of investments, engagements in standards and other international fora, and other protectionist policies.

In order to facilitate competition with the growing Chinese economic prowess in these technologies, we need to build more secure supply chains, and it's time the US developed and implemented a high-tech industrial strategy in concert with our allies and partners.

Shane Tews: Are we seeing more help internationally? I know that South Korea has always been really diligent about this. They actually have a huge fab for their semiconductors in Austin, Texas, and the CHIPS Act is going to be huge, but I know we also have concerns about Taiwan. How are we doing with our partners?

Rep. Gallagher: We're making progress. I think it's fair to say that for most of the last four years, we've played largely a defensive game, and in 5G, this has amounted to a consistent argument that Huawei and ZTE can't be trusted. We have had all the evidence in the public square to make the case that there are counter-intelligence concerns to using Huawei and ZTE 5G equipment.

Where we haven't been as aggressive, and where I think we need to go, is sort of the offensive component of that. There are a lot of countries making 5G decisions. They may care about counterintelligence (CI) or intel in general, but they're more interested in just getting cheap internet. And Huawei and ZTE can obviously undercut their international competitors — Nokia and Ericsson — because they get massive state support.

But often, what I hear from our partners is that the real advantage they have is they offer an integrated solution. It's like 5G in a box, whereas if you go with the non-Huawei Western alternative, you have to contract with multiple different players. And so I do think we need to think long and hard with our international partners, and not just Nokia and Ericsson, but all the countries that have a role to play in this, starting with our Five Eyes partners about: How can we better play that offensive game? How can we pool our resources together in order to convince non-aligned countries to make key decisions in the next few years that will have impact for decades to come? Easier said than done; we have a lot of complicated anti-monopoly laws in the US that make that very difficult.

And, as you alluded to, even some of our closest partners like Taiwan have concerns, but I would say, on balance, we've played defense well. Now, it's time to go on offense, and part of that is an industrial policy here in the United States, which starts with identifying the key materials, components, and finished products that are critical to the national and economic security of the United States. What's a risk-based approach that will allow us to identify where we need to invest more heavily and where the federal government needs to work with industry, partner countries, state, and local governments to identify key equipment and components and materials that follow for assembly? I'm not sure we've done that yet to the level we need to do.

Shane Tews: The other thing is counterfeits. How can we avoid counterfeit devices and verify that people in critical supply chain networks are getting legit stuff?

Rep. Gallagher: This gets to our need for an ICT industrial base strategy. And I want to be very clear here: You can't solve all of the problems in the supply chain — or even just the defense supply chain — overnight. We're advocating for carving out ICT as an area where we prioritize and focus because it is going to be so important in the near term and over the long term. I think that if we can do that, we can start to increase confidence in the supply chain and tackle things like counterfeit devices.

It's obviously a very complex thing and it's not going to be solved overnight, but I sense a bipartisan momentum behind a variety of these initiatives. Every piece of legislation I've introduced on 5G or anything at the intersection of China and tech on the Armed Services Committee has been exceptionally bipartisan.

On the Armed Services Committee, I think both parties recognize the need to reestablish US technological superiority and investment as part of an overall strategy to compete effectively with China. I think regardless of what happens in November, there's going to be some inevitable momentum behind some of these proposals, but maybe that's wishful thinking because I want to see all of the work of the Cyberspace Solarium Commission outlast my time in Congress.

Shane Tews: Cyber attacks are mostly zero-day, meaning the vulnerability being exploited is unknown to the victim when the attack starts. Public-private information sharing could expedite the process of identifying and stopping cyber attacks.

But do you think that liability reform has gone far enough for private entities to feel comfortable sharing information with the government? We sometimes struggle to get private entities to share info with the government because there is a fear they will be held liable.

Rep. Gallagher: The honest answer is: I don't know. It's the one-10-60 reporting, right? Where the industry standard becomes: You detect an intrusion on your network within one minute, you have an expert looking at it within 10 minutes, and then you prevent a breakout within 60 minutes, and your average breakout time is near that. In the report, you'll see, for example, we suggest mandatory penetration testing for at least publicly traded and listed companies.

This is one of those things where, over time, we start to send the signal from the federal government, and also get the c-suite to send the signal that you really need to prioritize this. Our hope is that it results in a better collaboration between the private and public sectors.

Shane Tews

Visiting Fellow

American Enterprise Institute

@ShaneTews

www.techpolicydaily.com

Rick Lane

Strategic Advisor

4 years

Great interview
