Nimitz Tech Hearing 11-19-24 - Senate Judiciary
⚡NIMITZ TECH NEWS FLASH⚡
“Big Hacks & Big Tech: China’s Cybersecurity Threat”
Senate Committee on the Judiciary Subcommittee on Privacy, Technology, and the Law
November 19, 2024 (recording linked here)
HEARING INFORMATION
Witnesses and Written Testimony (linked):
Mr. Sam Bresnick: Research Fellow, Center for Security and Emerging Technology (CSET), Georgetown University
Mr. Isaac Stone Fish: Chief Executive Officer, Strategy Risks
Mr. Adam Meyers: Senior Vice President, CrowdStrike
Mr. David Stehlin: Chief Executive Officer, Telecommunications Industry Association
HEARING HIGHLIGHTS
Chinese Cyber Espionage and Infrastructure Vulnerabilities
The hearing emphasized the pervasive threat of Chinese cyber espionage, particularly through campaigns like "Salt Typhoon," which targeted U.S. telecom networks, government communications, and critical infrastructure. Witnesses detailed how hackers exploited lawful intercept tools, granting them access to sensitive communications and metadata, enabling strategic intelligence collection. This underscores the urgent need for enhanced cybersecurity measures and proactive steps to disrupt foreign cyber operations. The growing sophistication and scope of Chinese cyber activities highlight vulnerabilities in existing systems and the need for stronger defensive and offensive strategies.
Corporate Dependencies on China
Significant attention was given to the extensive reliance of major U.S. companies, such as Apple, Tesla, and Microsoft, on Chinese supply chains, production, and markets. This dependence creates economic leverage for China, allowing it to influence corporate behavior and potentially compromise national security. Examples included Tesla’s heavy reliance on Chinese production and Apple’s supplier base, which is predominantly located in China. These dependencies illustrate the risks associated with overexposure to China and the challenges of diversifying supply chains to mitigate these risks.
Risks Associated with TikTok and Data Privacy
The discussion on TikTok centered on its parent company, ByteDance, and its close ties to the Chinese government. Witnesses described the platform’s potential to serve as a tool for espionage and influence, particularly during a conflict between the U.S. and China. While TikTok’s risks may seem manageable in peacetime, the platform could become a significant liability in wartime, with the ability to manipulate information and gather sensitive data on millions of users. This illustrates the broader concerns surrounding foreign-controlled apps and the critical need for robust data privacy protections.
IN THEIR WORDS
"We are in a profoundly anomalous position vis-à-vis China, where we have kind of turned the other cheek... China isn't stopping at the cheek, it's seizing the whole head."
"Companies with high China exposure often downplay the risks of Beijing's actions to U.S. interests, move U.S. jobs overseas, partner with businesses committing human rights abuses in China, and even strengthen the Communist Party."
SUMMARY OF OPENING STATEMENTS FROM THE SUBCOMMITTEE
Chairman Blumenthal began by highlighting the threats posed by Chinese hacking and interference, emphasizing the recent "Salt Typhoon" hacking campaign targeting U.S. phone companies, government officials, and political campaigns. He stressed the urgency of addressing vulnerabilities in the nation’s telecommunications and wiretapping systems, calling for the FCC to enforce security standards. Chairman Blumenthal criticized both Chinese and American companies for compromising national security, citing examples of corporate compliance with Chinese censorship and influence. He urged bipartisan action to counter Chinese espionage, tighten export controls on AI technology, and protect U.S. interests from exploitation by adversarial nations.
Ranking Member Hawley underscored the severity of the "Salt Typhoon" hack, noting its unprecedented scale and the high-profile targets, including Senate staff, the vice president, and the president-elect. He called the hack a wake-up call about the scope of Chinese espionage and its challenge to U.S. national security. Ranking Member Hawley criticized American corporations for prioritizing profits over security, advocating for reshoring critical industries and supply chains. He concluded by emphasizing the need for robust action to curb Chinese influence and protect U.S. interests, praising the hearing's timeliness.
SUMMARY OF WITNESS STATEMENTS
Mr. Stone Fish warned of the dangers posed by U.S. tech companies’ deep entanglements with China. He outlined how companies like Apple, Tesla, and Microsoft partner with Chinese entities, jeopardizing U.S. national security through supply chain vulnerabilities and partnerships with state-owned enterprises. He stressed that these companies have enabled China’s oppressive regime and espionage campaigns by prioritizing market access over ethical considerations. Mr. Stone Fish advocated for clear decisions by U.S. companies to prioritize American interests and emphasized the urgency of addressing these risks.
Mr. Bresnick discussed the national security risks posed by U.S. tech companies’ economic and technological interdependencies with China. He compared the Russia-Ukraine war to potential conflicts with China, noting how deeper ties with China could constrain corporate flexibility during crises. Mr. Bresnick recommended incentivizing supply chain diversification, increasing transparency about foreign dependencies, and requiring contingency plans for scenarios like a Taiwan conflict. He concluded that balancing de-risking efforts with maintaining interdependence could stabilize bilateral relations and enhance national security.
Mr. Stehlin focused on securing the information and communications technology (ICT) supply chain. He emphasized the growing vulnerabilities as technology advances and highlighted TIA’s development of SES 9001, a supply chain security standard aimed at ensuring trust and quality in ICT networks. Mr. Stehlin called for a defense-in-depth approach, particularly against state-sponsored actors like Huawei, and advocated for public-private partnerships to enhance supply chain resilience. He stressed the importance of building security into products from the outset to protect critical infrastructure.
Mr. Meyers described China’s evolution as a sophisticated cyber threat actor, detailing how Chinese adversaries conduct large-scale campaigns targeting critical infrastructure and sensitive industries. He highlighted specific examples of Chinese cyber operations, such as exploiting legacy telecommunications systems and pre-positioning for potential future conflicts. Mr. Meyers advocated for proactive monitoring, increased threat intelligence sharing, and greater federal leadership in cybersecurity defense. He also recommended incentives like tax credits to help small businesses adopt advanced cybersecurity tools and practices.
SUMMARY OF Q AND A
Ranking Member Hawley questioned Mr. Meyers about the "Salt Typhoon" attack's sophistication and potential ramifications. Mr. Meyers described how attackers maintain persistent system access, enabling long-term data collection and exploitation of downstream relationships. He explained that hackers now prioritize strategic, enduring operations over "smash and grab" tactics to gather political, military, and intellectual property data.
Ranking Member Hawley asked for examples of downstream exploitation, and Mr. Meyers explained that hackers could compromise telecoms or ISPs to impersonate them, broadening their reach through trusted relationships. When asked if attackers could impersonate individuals or disrupt communications, Mr. Meyers confirmed this was possible, highlighting the risks of telecom system breaches. He also noted that foreign hardware, like Huawei’s, presents major vulnerabilities due to the difficulty of detecting embedded risks.
Turning to Mr. Sam Bresnick, Ranking Member Hawley asked about Apple’s dependence on China. Mr. Bresnick clarified that most Apple suppliers have a base in China and emphasized the industry's reliance on Chinese manufacturing. He stated that total decoupling from China is infeasible, advocating for "de-risking" by diversifying supply chains, though such changes take time. He also highlighted the severe economic and security disruptions a Chinese invasion of Taiwan could cause, including severed supply chains and detained corporate employees.
Sen. Grassley asked Mr. Stehlin about Chinese-manufactured equipment in U.S. telecommunications infrastructure. Mr. Stehlin emphasized the national security risks posed by Huawei and ZTE equipment in rural areas, especially near military installations, and noted that additional funding is needed to remove these vulnerabilities. Sen. Grassley also asked Mr. Stone Fish about mitigating memory safety risks. Mr. Stone Fish stressed the risks of supply chains tied to China and urged companies to develop strategies to address these vulnerabilities.
Sen. Grassley inquired about foreign commercial spyware, and Mr. Meyers explained the difference between offensive spyware and data-collecting code embedded in apps. He warned that data-collecting tools gather user information without consent, representing a pervasive threat to privacy.
Ranking Member Hawley asked Mr. Stone Fish about U.S. companies’ dependencies on China, citing Apple, Amazon, and Tesla. Mr. Stone Fish described these dependencies as under-discussed and emphasized their risks, particularly if China invades Taiwan. He outlined potential scenarios, from business as usual to a full-scale invasion, with the latter resulting in disrupted supply chains and economic upheaval. Regarding the collapse of Taiwan’s semiconductor market, Mr. Stone Fish noted the devastating short-term effects but expressed confidence in U.S. ingenuity to establish alternative solutions.
Chairman Blumenthal asked Mr. Stone Fish whether Chinese spying and hacking have worsened or if awareness has simply increased. Mr. Stone Fish noted that while awareness is growing, the lack of transparency from U.S. companies conceals the full scope of Chinese incursions. He confirmed that China has become more aggressive and urged companies to protect their Chinese staff from Beijing’s demands. Mr. Meyers added that China has diversified its cyber operations, leveraging a privatized vulnerability research system to bolster its offensive capabilities.
Sen. Blackburn emphasized the growing awareness of the Chinese Communist Party’s espionage tactics, especially through everyday technologies. She discussed the Routers Act, co-sponsored with Sen. Luján, which mandates a review of national security threats posed by routers and technologies from adversarial nations like China, Russia, and Iran, and asked the panel about these risks. Mr. Meyers explained that routers, as unmanaged systems, are vulnerable to attacks from groups like Vanguard Panda and Salt Typhoon. Their frequent internet accessibility, lack of robust security tools, and design prioritizing speed over security allow attackers to intercept and redirect traffic, underscoring the need for action.
Sen. Blackburn then asked Mr. Stehlin about the importance of U.S. leadership in global standard-setting, citing legislation she introduced with Sen. Warner. Mr. Stehlin highlighted how the U.S. has lost ground due to regionalization and aggressive tactics by China. He warned that absence from key discussions, especially with entities like Huawei present, risks ceding control to China. He called for renewed U.S. investment in international standard-setting to protect American interests.
Turning to Mr. Bresnick, Sen. Blackburn inquired about China’s quantum technology investments. Mr. Bresnick acknowledged the importance of the issue but explained that his report did not address quantum risks.
Chairman Blumenthal asked about the challenges of relocating supply chains. Mr. Bresnick explained that while companies like Apple are shifting production to India, China’s infrastructure and resources make it difficult to fully reduce dependency. Chairman Blumenthal also raised concerns about Tesla’s reliance on China. Mr. Stone Fish described how Beijing uses economic leverage over U.S. companies like Tesla, posing challenges for their dual roles in national and economic security.
Chairman Blumenthal asked the panel about TikTok’s ability to resist CCP influence. Mr. Stehlin and Mr. Stone Fish agreed that TikTok cannot avoid Chinese government demands, describing it as a manageable threat in peacetime but a severe liability in wartime. Mr. Meyers highlighted CrowdStrike’s observations of Chinese hackers targeting IT and telecom companies, emphasizing their ability to steal intellectual property, target dissidents, and exploit lawful intercept tools for surveillance.
Chairman Blumenthal inquired about enforcement vulnerabilities, and Mr. Stehlin discussed risks tied to lawful intercept tools and the need for trusted hardware and software. Chairman Blumenthal concluded by urging the FCC to take action under its existing authority to improve cybersecurity, including supporting rip-and-replace programs and cybersecurity labeling for IoT devices. The panelists agreed, emphasizing the urgency of addressing Chinese cyber threats.