Dependence on China: A National Security Wake-Up Call

The Senate Committee on the Judiciary, Subcommittee on Privacy, Technology, and the Law, held a hearing on Tuesday, Nov. 19th at 2pm titled “Big Hacks and Big Tech: China’s Cybersecurity Threat”. This hearing addressed the growing concerns over cybersecurity threats posed by China, focusing on the implications for technology companies and national security. Senator Richard Blumenthal (CT) chaired the hearings and was joined by senators Marsha Blackburn (TN) and Josh Hawley (MO).

TIA’s CEO, David Stehlin, was invited to provide testimony alongside witnesses from CrowdStrike, Strategy Risks and Georgetown University. Below is a summary of their respective testimonies.

David Stehlin, CEO, Telecommunications Industry Association

  • Just last week, the Cybersecurity and Infrastructure Security Agency released a joint Cybersecurity Advisory with other U.S. agencies and trusted governments, focused on common vulnerabilities exploited in the supply chain. Many risks could be mitigated with a secure-by-design approach to ICT products and services. Recognizing this, TIA developed SCS 9001, the first Supply Chain Security standard, aligning with key cybersecurity frameworks. SCS 9001 helps suppliers ensure their ICT products and services are secure and trustworthy.
  • During the Q&A portion of the hearing, when asked “Do you agree that the FCC should begin rule making and take some action to protect our country and the American people?” Dave outlined two immediate steps:
    1. Congress should fully fund the $3.3B Rip and Replace program to support the FCC to help them remove untrusted gear from small ISPs networks.
    2. Continued roll out and expansion of the Cybersecurity labeling program for IoT devices which is currently voluntary and in its formative stage.

Isaac Stone Fish, CEO, Strategy Risks:

  • Isaac Stone Fish discusses the significant risks posed by U.S. technology companies’ exposure to China, emphasizing the impact on U.S. national security. He highlights the evolution of China’s influence over these companies, particularly through partnerships with state-owned enterprises and compliance with Chinese government regulations. Fish outlines the five categories used by Strategy Risks to measure exposure: Business Fundamentals, Partnerships and Politics, Regional Issues, Supply Chain, and Opacity. He provides examples of high exposure scores for major firms like Apple, Tesla, Microsoft, Amazon, and Meta, noting their extensive business operations and supply chains in China. Fish concludes by stressing the need for U.S. companies to reassess their China strategies and for policymakers to address these vulnerabilities to protect national security.

Sam Bresnick, Research Fellow, CSET, Georgetown University:

  • Sam Bresnick addresses the national security challenges posed by the economic and technological dependence between U.S. technology companies and China. He highlights the differences between the Russia-Ukraine and China-Taiwan relations, noting that U.S. tech companies had limited exposure to Russia, allowing them to support Ukraine more freely. In contrast, the deep economic ties with China present significant strategic challenges in a potential conflict scenario. Bresnick outlines the level of U.S. tech firms’ dependencies on China, including revenue, supply chain, and R&D activities, and the potential for Chinese coercive leverage. He emphasizes the need for U.S. companies to develop contingency plans and for policymakers to implement strategies that enhance corporate resilience and align with national security goals.

Adam Meyers, Senior Vice President, CrowdStrike:

  • Adam Meyers testimony highlights the evolution of China’s cyber threat from basic attacks to sophisticated operations aligned with national political aims. He discusses recent campaigns by threat actors like VANGUARDPANDA (Volt Typhoon) and LIMINALPANDA, emphasizing the need for enterprises to enhance identity security and visibility, the security industry to innovate with AI, and federal agencies to lead by example in cybersecurity. Meyers also recommends legislative oversight to ensure federal agencies pursue cybersecurity objectives and suggested incentives to make cybersecurity tools and training more accessible to small businesses.

To view the recording of the hearing and see the full testimonies of the witnesses, visit: https://www.judiciary.senate.gov/committee-activity/hearings/big-hacks-and-big-tech-chinas-cybersecurity-threat

To gain more insights on policies related to the ICT industry, we invite you to join TIA. By becoming a member, you will have access to exclusive resources, expert analyses, and networking opportunities with industry leaders, all of which can help you stay informed about the latest regulatory changes, technological advancements, and strategic trends shaping the future of the ICT sector. Contact us at membership@tiaonline.org