I'm testifying today on supply chain vulnerabilities and cybersecurity. The testimony is in a hearing held by the House Commerce Committee's Subcommittee on Communications and Technology. Here's my quick diagnosis of the issue:
Intrusions on our networks have reached new heights. They have moved from penetration of government and military systems to wholesale compromises of companies, trade associations, think tanks, and law firms. Most of these attacks have been carried out for espionage purposes – stealing commercial, diplomatic, and military secrets on a massive scale.
This espionage campaign has paid dividends for our adversaries, and it’s likely to pay more, because any network that can be compromised for the purpose of espionage can be compromised for the purpose of sabotage. The next time we face the prospect of a serious military conflict, we can expect our adversaries to threaten the destruction of computer networks – and the civilian infrastructure they support – inside the United States, probably before we have fired a shot. From the American point of view, this is a new and profoundly destabilizing vulnerability. From our adversaries’ point of view, it is an exciting new weapon with enormous potential to neutralize many of our traditional military advantages.
To make things worse, one of the countries that the Obama administration has criticized most often for cyberattacks, China, is also a major supplier of increasingly sophisticated electronic equipment to the United States. Given the value of cyberespionage for waging both war and peace, it’s only reasonable to assume that every potential adversary asks itself whether it can make the job of its cyberwarriors easier by tinkering with electronic gear before it’s shipped to the United States. Or, as I put it in Skating on Stilts, a book about technology challenges to policymakers, if the “countries that [view] us as an intelligence target … could get their companies to compromise U.S. networks, they’d do it in a heartbeat.”
The remainder of the testimony discusses the limited legal authority that government has to deal with the risk of "intrusion-friendly" technology from abroad:
CFIUS (the Committee on Foreign Investment in the United States) is an inadequate tool for this job. It gives the government only haphazard insight and leverage over the security of telecommunications and information technology. That’s because CFIUS has jurisdiction only over corporate acquisitions. Team Telecom, which I also oversaw from a DHS perspective, adds a bit to that authority, giving national security agencies an ability to impose conditions on foreign telecommunications carriers seeking Federal Communications Commission (FCC) licenses to operate in the United States. But Team Telecom has no explicit authority in law; its reach is no greater than the FCC’s. As a result, even the most dangerous and unreliable suppliers of commercial telecom and IT equipment are free to sell their products in the United States without any inquiry into the security risks those products may pose.
I close with a look at new measures emerging from the government's recent focus on this risk, from the executive order on cybersecurity to various provisions adopted under the defense authorization or the appropriations process.
Full testimony is here: Baker testimony to House Commerce on supply chain security.