[House Hearing, 115 Congress] [From the U.S. Government Publishing Office] ZTE: A THREAT TO AMERICA'S SMALL BUSINESSES ======================================================================= HEARING BEFORE THE COMMITTEE ON SMALL BUSINESS UNITED STATES HOUSE OF REPRESENTATIVES ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION __________ HEARING HELD JUNE 27, 2018 __________ [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] Small Business Committee Document Number 115-082 Available via the GPO Website: www.govinfo.gov __________ U.S. GOVERNMENT PUBLISHING OFFICE 30-507 WASHINGTON : 2019 ----------------------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).E-mail, [email protected]. HOUSE COMMITTEE ON SMALL BUSINESS STEVE CHABOT, Ohio, Chairman STEVE KING, Iowa BLAINE LUETKEMEYER, Missouri DAVE BRAT, Virginia AUMUA AMATA COLEMAN RADEWAGEN, American Samoa STEVE KNIGHT, California TRENT KELLY, Mississippi ROD BLUM, Iowa JAMES COMER, Kentucky JENNIFFER GONZALEZ-COLON, Puerto Rico BRIAN FITZPATRICK, Pennsylvania ROGER MARSHALL, Kansas RALPH NORMAN, South Carolina JOHN CURTIS, Utah NYDIA VELAZQUEZ, New York, Ranking Member DWIGHT EVANS, Pennsylvania STEPHANIE MURPHY, Florida AL LAWSON, JR., Florida YVETTE CLARKE, New York JUDY CHU, California ALMA ADAMS, North Carolina ADRIANO ESPAILLAT, New York BRAD SCHNEIDER, Illinois VACANT Kevin Fitzpatrick, Majority Staff Director Jan Oliver, Majority Deputy Staff Director and Chief Counsel Adam Minehardt, Staff Director C O N T E N T S OPENING STATEMENTS Page Hon. Steve Chabot................................................ 1 Hon. Nydia Velazquez............................................. 2 WITNESSES Mr. David Linger, President & CEO, TechSolve, Inc., Cincinnati, OH............................................................. 4 Mr. Andy Keiser, Visiting Fellow, National Security Institute, Antonin Scalia Law School, George Mason University, Arlington, VA............................................................. 7 Mr. Matthew G. Olsen, President, IronNet Cybersecurity, Kensington, MD................................................. 8 APPENDIX Prepared Statements: Hon. Yvette D. Clarke, New York.............................. 24 Mr. David Linger, President & CEO, TechSolve, Inc., Cincinnati, OH............................................. 25 Mr. Andy Keiser, Visiting Fellow, National Security Institute, Antonin Scalia Law School, George Mason University, Arlington, VA.................................. 31 Mr. Matthew G. Olsen, President, IronNet Cybersecurity, Kensington, MD............................................. 36 Questions and Responses for the Record: Questions from Hon. Yvette Clarke to Mr. Matthew G. Olsen and Responses from Mr. Matthew G. Olsen........................ 42 Additional Material for the Record: None. ZTE: A THREAT TO AMERICA'S SMALL BUSINESSES ---------- WEDNESDAY, JUNE 27, 2018 House of Representatives, Committee on Small Business, Washington, DC. The Committee met, pursuant to call, at 11:02 a.m., in Room 2360, Rayburn House Office Building. Hon. Steve Chabot [chairman of the Committee] presiding. Present: Representatives Chabot, Brat, Radewagen, Kelly, Bloom, Curtis, Velazquez, Evans, Lawson, Adams, and Schneider. Chairman CHABOT. The Committee will come to order. We want to thank everyone for being here this morning. Today we are here to discuss a topic that has garnered quite a bit of attention in recent months. However, it is an issue that this Committee has paid very close attention to for a number of years now. That is the looming threat of Chinese telecommunications giant, ZTE. As this Committee has learned through past hearings, foreign-backed entities from countries like China and Russia regularly target small businesses to steal intellectual property and undermine America's critical infrastructure. The FBI has already determined that foreign state actors pose a serious cyber threat to the telecommunications supply chain. It is also clear that many foreign nations are responsible for direct cyberattacks on the United States in an effort to steal intellectual property and sensitive personal information. In a report by our colleagues on the Intelligence Committee, U.S. businesses and cybersecurity experts have reported persistent attacks that could be traced back to China and were thought to be supported by the Chinese government. And studies from the Department of Defense have warned of the difficulties associated with defending against threats posed by foreign nations, stating that, ``[the] means and opportunity [for nation-state adversaries] are present throughout the supply chain and lifecycle of software development.'' This is particularly troublesome for small businesses that not only rely on products from, but also engage in commerce with, globalized telecommunications firms in countries like China. Hearings by this Committee have shown that small businesses have become top targets for nefarious state-backed actors because they tend to be the softest targets. They have fewer resources to manage their information technology systems and respond to cybersecurity incidents, and they often lack the technical knowledge needed to assess the ever-evolving threats. Additionally, most small businesses do not have a lot of money to throw around and thus, may often purchase less expensive tech products often produced by large Chinese firms. This is a recipe for disaster. Now, let me be clear. I do not believe for a minute that an American small business owner would purposely buy a product that puts their own operations at risk, let alone jeopardize our national security. However, the problem is that most small businesses will not even know that they are using a product or service that has been provided by a nefarious actor. Nor should they. Their job is to run their business, employ hardworking Americans, and keep their customers happy. When we talk about existential threats to national security--and that is what ZTE is--it is the Federal government's job to protect Americans and American small businesses. That is exactly what happened in April of this year when ZTE was effectively banned from doing business in the U.S. After years of investigations and deliberations into the ZTE case, after ZTE was afforded its due process in this country (a favor I might add that usually goes unreturned to American companies in China), and after numerous second chances, the Trump administration rightfully made the decision to finally hold ZTE accountable, a move that many of our colleagues on both sides of the aisle applauded. Now, we face the very real possibility that ZTE may be given yet another chance. Commerce Secretary Wilbur Ross announced earlier this month that a new agreement had been reached with ZTE, and after paying over a billion dollars in penalties and forfeitures, the Bureau of Industry and Security will remove ZTE from the Denied Persons List and they can return to business as usual. I am very concerned that this decision could ultimately put Americans at risk. ZTE has consistently lied to this administration, and it is reasonable to assume that it will do so again. Today's hearing will examine the threat posed by ZTE to American small businesses, if ZTE is allowed to re-engage in the American economy. This is an important decision that impacts both our national security and our economic security, and I believe it demands much more attention than it has received so far. I think we all look forward to hearing from our witness about this threat this morning and how we can better guard against any of those issues. And I would now like to yield to the Ranking Member for her opening statement. Ms. VELAZQUEZ. Thank you, Mr. Chairman. And thank you really for holding this critical hearing. As we have seen time and again, in this committee and in national headlines, cybersecurity affects every facet of our lives. To this day, many of us remain deeply troubled about how an adversarial foreign power influenced our nation's 2016 election results and whether we will be prepared to prevent similar actions in the future. We have also heard in this committee, that small businesses are uniquely vulnerable to cyberattacks, whether it be from small-time cyber criminals or foreign powers intent on industrial sabotage, such as China and Russia. As one of the world's largest telecommunications equipment manufacturers, ZTE occupies a unique and dangerous space when it comes to many of these issues. An increasing number of consumer and business devices, like cars, appliances, communication networks, utilities, and phones, rely on smaller components manufactured by ZTE and other similar Chinese companies. The prevalence of ZTE's products is disturbing when we realize that the company has a history of being a national security threat to American interests. Concerns about ZTE date back to 2012 and those issues continue today. That is why this administration must take that threat posed by ZTE and other Chinese companies seriously. Unfortunately, it appears that the president seems intent on weakening our security posture when it comes to responding to this threat. The government has previously taken some steps to protect itself in this area. In April, the Commerce Department banned U.S. companies from selling parts or providing services to ZTE, virtually shutting down the company. In May, the Pentagon pulled ZTE phones from stores on U.S. military bases because they consider them a security threat. However, on June 7th, the president largely reversed these moves, agreeing to lift sanctions reportedly ignoring the advice of the U.S. intelligence community and many American economy advisors. Our national security cannot be imperiled by lax policy toward these hostile actors. Where the administration is taking unacceptable risks, Congress must step forward to contend with these illicit Chinese government-backed enterprises. Fortunately, the first legislative steps have been taken to correct the administration's careless approach. The Senate recently approved an amendment to the National Defense Authorization Act, that if enacted will reinstate sanctions, eliminating ZTE and Huawei access to U.S. suppliers. Sadly, President Trump is working with Senate republicans to undermine this effort. Without such restrictions, these Chinese companies can have major and costly implications for small businesses and their ability to operate, and it is irresponsible to ignore the threat and undermine the very interests Congress is here to protect. Clearly, cybersecurity is central to protecting both our national and economic security. During today's hearing, we will explore the critical issues facing small businesses in cyberspace and the dangers they face when actors with ill intent are afforded unfettered access to U.S. markets. It is my hope that today's discussion helps shed light on how Congress can work to protect our small businesses and our country from bad actors operating in cyberspace. I would like to thank the witnesses again for being here, and I yield back. Thank you. Chairman CHABOT. Thank you very much. The gentlelady yields back. And if Committee members have opening statements prepared we would ask that they be submitted for the record. And I will take just a moment to explain our rules and lighting system here. We operate under the 5-minute rule. Each of you gets 5 minutes to testify. The lights are there to kind of assist you. The green light will be on for 4 minutes. The yellow light will be on for a minute to let you know that it is about time to wrap up. And then the red light will come on saying that your time is up. So if you could stay within those parameters we would greatly appreciate it. We also apply those rules to ourselves, so we all get 5 minutes to ask questions as well. I would now like to introduce our distinguished panel here this morning. We will begin with Mr. David Linger, who has over 25 years of learning and success in bringing new technologies and innovations to market through roles in engineering, product development, product management, and business development. Mr. Linger currently serves as the President and CEO of TechSolve, Inc., which happens to be in my home district in Cincinnati, Ohio. His team of experts has leveraged its deep rooted knowledge in machining, data extraction, and the manufacturing process to translate emerging technologies into every day manufacturing and business solutions for small businesses. And we welcome you here today, Mr. Linger. Our next witness will be Andy Keiser, who comes to us as a Visiting Fellow from the National Security Institute. Previously, Mr. Keiser served 14 years on Capitol Hill for former House Intelligence Committee Chairman Mike Rogers, as Chief of Staff, Legislative Director handling Cybersecurity and Energy and Commerce Committee issues, and as senior advisor to the Intelligence Committee. And we welcome you here, Mr. Keiser. I would now like to yield to the Ranking Member for the purpose of introducing our third and final witness. Ms. VELAZQUEZ. Thank you, Mr. Chairman. It is my pleasure to introduce Mr. Matthew Olsen, Cofounder and President of IronNet Cybersecurity, a network security company in Maryland. Mr. Olsen is a graduate of the University of Virginia and Harvard Law. He began his distinguished career as a trial attorney for DOJ's Civil Rights division, and then as a federal prosecutor for the U.S. Attorney's Office for D.C., where he served as the first Director of the Office of National Security Division. Mr. Olsen has worked in the DOJ's National Security Division, and went on to serve as the Associate Deputy Attorney General and as the General Counsel of the National Security Agency. In the Obama administration he served as the Director of the National Counterterrorism Center, and is currently a member of the Homeland Security Advisory Council. Thank you for being here. Chairman CHABOT. Thank you very much. Mr. Linger, you are recognized for 5 minutes. STATEMENTS OF DAVID LINGER, PRESIDENT & CEO TECHSOLVE, INC.; ANDY KEISER, VISITING FELLOW, NATIONAL SECURITY INSTITUTE, ANTONIN SCALIA LAW SCHOOL, GEORGE MASON UNIVERSITY; MATTHEW G. OLSEN, PRESIDENT, IRONNET CYBERSECURITY STATEMENT OF DAVID LINGER Mr. LINGER. Thank you very much. Chairman Chabot, Ranking Member---- Chairman CHABOT. If you could turn the mic on that would be great. Thanks. Mr. LINGER. Chairman Chabot, Ranking Member Velazquez, and members of the Committee, thank you for inviting me to testify this morning on behalf of the U.S. small manufacturers regarding the impact that cyberattacks on this critical national asset. Only the government tops the manufacturing sector (followed by finance and healthcare) as the most targeted sector by cyber espionage. These aggressors are seeking to disrupt manufacturing not only through the ceiling of intellectual property, but also the destruction of the U.S. supply chain by crippling them both financially and through attacks on their intelligent machines. Rebecca Taylor, Senior Vice President for the National Center for Manufacturing Sciences (NCMS) stated, ``Every manufacturer is at risk. It is not a matter of if they will be targeted; it is a matter of when.'' A 2017 Ohio Manufacturing Extension Partnership (OH MEP) survey of Ohio manufacturers revealed that only 12.5 percent of manufacturers responded that they understand what cybersecurity is and have worked to protect their machines, intellectual property, and IT systems and only 4.5 percent have undergone a cybersecurity assessment. According to 2015 Census data, the vast majority of manufacturers are very small. Of the 250,000 firms in the U.S. manufacturing sector, only 1.5 percent of those manufacturers have greater than 500 employees, 188,000 have less than 25 employees. As President of TechSolve, I have a very unique perspective of the devastation these cyberattacks have caused our customers. I am here today to share the story of one such manufacturing company that has experienced these attacks and exemplifies the risks a majority of these manufacturers face on a 24/7 basis. To Tony Strobl, President of Cincinnati Crane & Hoist, these cyberattacks are a war on his company and his employees. Cincinnati Crane is a very small, 20-person company, based in Southwest Ohio, that supplies turn-key crane systems, parts, and services. Cincinnati Crane is a veteran-owned business that has seen growth of more than 400 percent in the last three years and was awarded the U.S. Department of Commerce Export Achievement Award in 2017. Earlier this year, Tony's company was the victim of social engineering, or more specifically a spear phishing campaign that contained malicious macros that breached their email system; went undetected for an uncertain amount of time; embedded hidden folders within Office365; ``spoofed'' legitimate invoices that were being emailed to Cincinnati Crane's customers; replaced those invoices with bogus invoices providing false banking information that ultimately syphoned over $200,000 from his customers. When the Cincinnati Crane invoices had aged 30 days and collection calls were made, customer after customer told Cincinnati Crane that they had already paid their invoices. The $200,000 that was stolen from Cincinnati Crane is now unrecoverable according to the FBI. Due to Cincinnati Crane's current financial standing, Tony had to make the devastating decision to lay off four of his employees, 20 percent of the company. Not only has this cyberwar affected those families, but it has severely hampered Tony's ability to complete customer orders, grow, and innovate. Cincinnati Crane's customers are afraid to conduct business with Tony. Not only are they concerned about sensitive drawings and corporate data that they have shared with Tony's project managers, but they are also afraid to open email correspondence, even making payments electronically with Cincinnati Crane. Even though TechSolve and its IT sub- contractors have scrubbed their systems and are working on long-term cybersecurity policies and procedures through remediation and adaptation of the NIST SP 800-171 cybersecurity controls, the effects of these cyberattacks continue to threaten its long-term viability. The Cisco 2018 Security Capabilities Benchmark Study further corroborates data that TechSolve has observed when it comes to manufacturers in general, but especially small manufacturers. There will be more operational technology (OT) or internet of thing (IOT) attacks in the future. Cyberattackers can hack into machine tool accessories or machine tools and alter the program. Therefore, either stopping the manufacturer from providing the right parts to their suppliers, or even worse, altering the quality of the part that is a portion of a larger assembly, thus compromising the entire system. For large defense primes and original equipment manufacturers (OEMs), it is critical for their supply chains to protect the integrity of that digital thread. There are a number of ways to entice companies to begin implementing cybersecurity best practices and the DOD has done a great job by leading the way and establishing one method, regulation through the current DFARS and NIST SP 800-171 controls. The current shortcoming is a lack of validating testing. TechSolve is working with several manufacturing companies that are conducting business with the DOD. They are technically ``in compliance'' with the DFARS; however, this does not make them cyber secure. Another approach is being discussed in the State of Ohio. The Attorney General is working with the Senate and House on former Senate Bill 220. This ``safe harbor'' bill, if passed, will create a law that will protect companies that can prove that they have proactively implemented and are maintaining cybersecurity measures within their systems. Research conducted by the National Cyber Security Alliance states that there was a 600 percent increase in IOT attacks from 2016 to 2017 and that the number one country of origin is China at 21 percent. Given these statistics, and the fact that 60 percent of small and mid-sized businesses that have been hacked shut down within 6 months of the attack, it is imperative for all of us that we safeguard this incredible important industry sector. Thank you. Chairman CHABOT. Mr. Keiser, you are recognized for 5 minutes. STATEMENT OF ANDY KEISER Mr. KEISER. Thank you, Mr. Chairman, Ranking Member Velazquez, distinguished members of the Committee. If you will forgive me, I am used to sitting in the back along with these guys as a staffer not in direct line of fire to you guys, so go easy on me. But pleasure to be here. I will start with a story that I think you all will immediately relate to. My former boss, as you mentioned, Chairman, Mike Rogers, first became interested in the activities of ZTE and Huawei not because he was a former U.S. Army officer or because he was a former FBI agent, or even because he was on the Intelligence Committee. He actually got interested in those companies because a Michigan company, similar to Mr. Linger here from Ohio, came to him with a problem. So as all of you would do, he listened to that small business owner very carefully. What he was doing was building cell towers in sort of the hinterlands of Michigan, out in the thumb as we would call it. And he found companies, Chinese companies were coming in at a price that was astonishing to him. So he would offer a bid and these companies, Huawei and ZTE would come in not just blew his bid, but below the cost of what the materials were to build the towers. So that got a former FBI agent thinking, why on earth would these companies be doing that? More on that later. As I do not need to remind this room, small business is the lifeblood of the economy. Two out of every three new private sectors jobs are created by small business. It is inherently creative, resilient, and able to adapt quickly to market conditions, but one thing it is not able to do is respond to Nation state attacks, aggressive, unrelenting espionage with theft of trade secrets. Those are exactly the challenges presented by ZTE and Huawei. A little history on China I think is important for the Committee. For thousands of years, China, of course, viewed itself as superior to all other world powers. Following an self-described century of humiliation resulting from imperialist incursions from the West and Japan, it now seeks a return to that perch under the consolidated leadership of President Xi Jinping, newly pronounced President for Life, China intends to become a global economic, military, and technological leader rivaling or surpassing the United States really in the next 10 to 15 years. There are some troubling indicators to this. The Chinese GDP is scheduled to surpass that of the United States by 2029. The Chinese military is rapidly modernizing and they are directly aiming their capabilities at U.S. strengths. That includes cyber, sea power, and space. Part of their grand vision, of course, includes the Made in China 2025 strategic plan where they will become the world's leader in high-tech fields squarely within the expertise of ZTE and Huawei. Those two companies that we are discussing today are working fast to put western vendors out of business to secure market dominance. In just 7 years, Huawei has actually gone from an afterthought with poorly functioning equipment and only 10 percent market share, to the top position in lucrative business like LTE radio. Excluding the United States, Huawei actually has a 38 percent total market share globally. By investing heavily in R&D, which they are doing but perhaps more concerning by stealing their way to some innovation, they have achieved this market position. Actually, Huawei has admitted to stealing router products, secrets from Cisco, all the way down to the typos in the manual. Huawei apparently has stolen the design for the iPhone right down to the last screw. As mentioned earlier, I worked on the House Intelligence Committee, and we issued a report back in 2012. Many of those findings still hold true to this day. In 2012, the report stated the risks associated with Huawei and ZTE's provision of equipment to U.S. critical infrastructure could undermine core U.S. national security interests. Perhaps more relevant to this Committee, the report suggested the risks associated with doing business with either ZTE or Huawei for equipment or services were certainly not recommended. We can discuss the denial order by the Commerce Department in some detail, but it was pretty hard hitting. Among other things, specifically to ZTE, the Commerce Department stated that ZTE demonstrated a pattern of deception, false statements, and repeated violations. In fact, they admitted to committing 380 violations and engaged in an elaborate scheme to prevent disclosure to the U.S. government. Look forward to getting into some more details in Q&A but Chairman Rogers and Ranking Member Ruppersberger at the time teamed up again to write an op ed in the Wall Street Journal earlier this year which called the threat from ZTE a clear and present danger to U.S. national security. I agree completely with this and encourage this body and the rest of the Hill to respond accordingly. Thank you very much for the time. Chairman CHABOT. Thank you very much, Mr. Keiser. Mr. Olsen, you are recognized for 5 minutes. STATEMENT OF MATTHEW G. OLSEN Mr. OLSEN. Thank you, Mr. Chairman, and Ranking Member Velazquez, and members of the Committee. I really appreciate the opportunity to be here for this important hearing. And I would like to commend the Committee for addressing this issue, particularly in light of the cybersecurity and intelligence challenges facing the country. And at the outset, I would also like to recognize the important work of this Committee in promoting cybersecurity more broadly for our nation's small business community. You have done some really important work. In my brief statement I will first just describe the overall cybersecurity threat landscape, focusing in particular on the threat from China, and then I will discuss in particular the risks posed by ZTE as a Chinese-backed enterprise to our national security. First, as the Committee is well aware, small businesses are at the forefront of our ongoing digital revolution, and this is because small businesses have the agility and flexibility to create new products and to capitalize on advances in technology. But with these advances in technology, there has been a related and really alarming trend in the scope and impact of cyberattacks. Such attacks now encompass both disruptive and destructive type of attacks on both our public and private sector networks as Mr. Linger and Mr. Keiser have both addressed. In addition to these types of attacks, disruptive and destructive, the threat landscape is also marked by massive data breaches. Most concerning is the use of ransomware. We have seen an increase in ransomware, especially hitting small businesses over the past few years, and these have hit hospitals, educational institutions, and manufacturing companies. Beyond these attacks, the threat landscape also includes the ongoing theft of intellectual property, and again, Mr. Keiser talked I think quite persuasively about that. You know, from a broader perspective, it is important to recognize that as a free society, we remain just vulnerable to asymmetric attacks, whether that is from terrorist organizations in the United States or from cyber-enabled attacks from a range of actors online. Nation-states have long sought access to the critical systems of other nations for espionage and we are seeing an expansion from these traditional activities to a more aggressive, as I said, destructive attacks from Nation states. Now, just looking at China in particular, our intelligence officials have repeatedly singled out China as one of the small number of nations around the world that pose the greatest threat to us in cyber. In the worldwide assessment, the director of National Intelligence said that China will continue to use cyber espionage and bolster cyberattack capabilities to support national security priorities. That was just in February of this year. And while the overall volume of attacks from Chinese government actors diminished right after 2015, there was a bilateral agreement between the United States and China, recently, nation-state hackers from China appear to have reorganized and retooled in a way that makes them more stealthy and actually more effective in their espionage operations, and recent attacks indicate that China is really optimizing their plans to continue to obtain very valuable information from both the government and our private sector. All right. So turning from China and the cyber threat landscape to ZTE in particular, in the authoritative report from 2012 that Mr. Keiser referenced from the House Intelligence Committee there I think, again, that remains the touchstone for any review of Huawei and ZTE. The Committee concluded that based on both classified and unclassified information, Huawei and ZTE, I quote, ``cannot be trusted to be free of foreign state influence, and thus pose a security threat to the United States and to our systems.'' And now more recently, just this past year, intelligence leaders reaffirmed in testimony to Congress that ZTE poses a threat to our national security. In February, all of the intelligence community heads unanimously found or recommended that we avoid technology products from both ZTE and Huawei. The FBI director testified that ZTE's access to our networks pose a challenge because of their capacity, one, to exercise control over our networks, to steal information, and to conduct undetected espionage. So all three of those are risks. And we are not alone. The United Kingdom recently cautioned against the use of ZTE equipment. Now, for its part, as we have heard ZTE has proven to be a particularly bad actor, flouting U.S. export laws and deceiving regulators, and for that they have been fined and sanctioned. So I look forward to talking more about that. I would say in sum that from my perspective the critical security concerns for us is the risk that ZTE and other Chinese-backed organizations pose to our critical infrastructure. Given that ZTE has proven to be particularly untrustworthy, I believe that it poses a clear and significant risk to our national security. So I thank you for the opportunity to be here and look forward to your questions. Chairman CHABOT. Thank you very much. And I will recognize myself for 5 minutes to begin the questioning. Mr. Keiser, I am going to go to you first. You had talked about in Michigan, the cell towers going up below the cost of materials. So where does that end up, that story? Mr. KEISER. So I think where does it end up? He lost the bid, the small business owner. So Huawei and ZTE are out in some of our rural areas. Some of the providers use them. They are, as Matt knows extraordinarily well, they are thankfully nowhere near our Five Eyes network, the intelligence sharing agreement that we have with Australia, New Zealand, the UK. And so that is where that ended up. But I think the important fact there was it proved that Huawei and ZTE are not in this for profit. Unlike any other western company, they are not beholden to shareholders. This is a strategic plan by the communist Chinese government to at least have the capability to collect information around the world, and perhaps more concerning, to turn off a switch in the event of a potential conflict and create havoc that we do not even want to think about on this Committee. Chairman CHABOT. So just to make one point, the motivation, the goal of companies like ZTE, Huawei, are different than those that are say on the New York Stock Exchange or publicly held who have a profit motive who are competing with each other; this is more of a national security or something that they are trying to accomplish that is a goal of the Chinese government. Is that right? Mr. KEISER. That is right. I will give you an example. In the last two weeks, after the United States of America issued a denial order prohibiting them from purchasing any U.S. components, which essentially would have put them out of business, the two biggest Chinese state-owned banks infused $11 billion to keep them afloat. Name a western company that might have that option. Chairman CHABOT. Mr. Olsen, let me ask you a question. Do you believe that ZTE is a threat to America's small businesses? Is it something that they should be concerned about as well? And if so, why? Mr. OLSEN. I absolutely do. I believe that ZTE poses a threat, you know, more broadly, but also in particular to America's small businesses. The key I think, as we started to address is that as a Chinese-backed organization company, it essentially is in the position to advance the national interests of China. And we have seen from the broader features of China and how it has acted in cybersecurity, in the cyber landscape stealing information from the United States. Because ZTE is in a communications infrastructure company, it would put ZTE in a position to carry out those interests for China, whether it is to disrupt our infrastructure or to potentially steal information. So from that perspective I do think it is a threat. Chairman CHABOT. Mr. Linger, you had mentioned a couple of statistics in your testimony. I think one that you mentioned that the number of attacks had gone up in recent years pretty substantially and then the principal bad actor in this was a Chinese entity of one form or another. And I think third, that 60 percent of small businesses that undergo one of these cyberattacks are out of business within 6 months according to your testimony. Could you touch on those, if you want to expand up on those a little? Mr. LINGER. I think a bit of a perfect storm is you have the sophistication of the attacks and the hackers, combined with this move to digital manufacturing, this move to an internet of things where now more and more information is on the systems in the shop. And now those are not protected. That is now vulnerable. And that is where we are seeing an increase, even if a company is protecting their front office, if you will, they may not be protecting all the designs and the models and the data that is on their machines, and that is what is happening. Chairman CHABOT. Thank you. In the little time I have got left, let me go back to you, Mr. Olsen. I think, and you referred to this, in April of this year, the United Kingdom considered products manufactured by ZTE to be a significant national security risk. In that same month, the Department of Defense banned sales of ZTE wireless products on military bases. And I think the Ranking Member mentioned that. Considering our own military and the militaries of our allies that they have determined these products to be at risk, again, is that of particular concern to somebody, say to small businesses of this country who do not have the same sophisticated technology protecting them? Mr. OLSEN. Yes. Absolutely. I mean, again, the core national security concern does involve our national security systems, our military systems, intelligence systems, classified systems, and those of other allied countries, like the United Kingdom. But that concern certain emanates out from those core intelligent systems to encompass small businesses. Because of the nature of our networks and how closely they are linked, a threat even at a small business can pose a national security threat to the country. Chairman CHABOT. Thank you very much. And the Ranking Member is recognized for 5 minutes. Ms. VELAZQUEZ. Thank you. Mr. Olsen, we know that companies like ZTE and Huawei, which have the capacity to maliciously modify or steal information and conduct undetected espionage, have a large global presence. How can we protect ourselves from these companies acting here in the U.S.? Mr. OLSEN. So I think in the instance of Huawei and ZTE, what we have seen is we have actually seen government action to help protect the country. The sanctions regime that is in existence for protecting our interests in terms of how our technology is shared around the world, that is part of the regime that ZTE violated in selling products that contain U.S. protects to Iran and North Korea. Admittedly, it violated those. So the enforcement of those sanctions regimes is one way that we can protect ourselves. We certainly can protect ourselves by imposing limitations at a government level, government agencies, military, our U.S. military as we have seen purchasing those products because of the risk that they pose. But I think, you know, I would say two more things. One, better, and again, Mr. Linger discussed this, the hardening of our cybersecurity because the threat comes from these companies but it comes much more broadly than that so that small businesses need to up their game when it comes to cybersecurity. And then fourth, again, just the work of this Committee and Congress in bringing attention to this issue. Ms. VELAZQUEZ. But is it not a really bad proposition when we are taking all these steps but at the same time the administration is sending a different message? So we are warning them that we are watching, but on the other hand, we are saying we are going to do everything we can to help them? Mr. OLSEN. Yes. I would tend to align my views with those recently expressed by Senator Warner and Senator Rubio in a bipartisan expression of their view about where we should be with respect to ZTE and the imposition of sanctions. And I do think that ZTE in particular has proven itself to be not trustworthy both in the sanctions violations, but also directly in their statements which turned out to be false to the U.S. government during those negotiations in the settlement. Ms. VELAZQUEZ. Thank you. Mr. Linger, as you discussed in your testimony, small business manufacturers have made the shift to utilizing smart machines that store data. Yet, this adds another layer of risk for businesses, especially when the machines use components made by companies like ZTE. Can you describe how this backdoor access can be used nefariously and what steps small manufacturers can take to protect themselves? Mr. LINGER. That is a great question. I think certainly, as companies, manufacturers and small manufacturers, for them to compete nationally and internationally, they have got to up their game in terms of the digital manufacturing. They have got to be connected. They have to gain all the efficiencies that are available when all the machines are connected and talking to one another and real time data is being used to drive that production site. That is what is driving this use of information real time on the plant floor. That is your point and now you are exposed. Right? Ms. VELAZQUEZ. Right. Mr. LINGER. So you have to connect all the data, and protect at the same time. And so, so much of it is awareness and understanding that that data is there and it is vulnerable. And to put technology and action in place to protect it. Ms. VELAZQUEZ. Thank you. Mr. Keiser, in your testimony you brought up the concern that Chinese-backed companies can undercut independent American-owned small companies. What is at risk when small businesses are competing with government-based competition? Mr. KEISER. Right. Good question. I think it is impossible for them to do. Right? You have this massive theft of intellectual property. You also have forced technology transfer that the Chinese participate in. All of this undermines U.S. companies' ability to innovate, create jobs, come up with the next fancy gizmo we might be carrying in our pockets, and that just makes it harder for them to pull that off. Ms. VELAZQUEZ. Thank you. Mr. Olsen, you noted that ZTE reportedly has about 75,000 employees and operates in more than 160 countries. What does ZTE's operation look like in the U.S., and how many of those 7,000 employees are in the United States? Mr. OLSEN. So I know from reports that ZTE has focused its cellphone sales in developing countries primarily, so outside the United States. But it does have a substantial presence here and that is partly the concern. I do not have a specific number on the employees. Ms. VELAZQUEZ. Thank you. I yield back. Chairman CHABOT. Thank you. The gentlelady yields back. The gentleman from Iowa, Mr. Blum, who is the Chairman of the Subcommittee on Agriculture, Energy and Trade is recognized for 5 minutes. Mr. BLUM. Thank you, Chairman Chabot. Thank you for our witnesses for being here today. And Mr. Chairman, I have noticed lately we have had a lot of witnesses from Cincinnati, Ohio. Is that a coincidence? Chairman CHABOT. They are just the best witnesses, do you know what I mean? We love all our witnesses from all over the country. Mr. BLUM. I would like to talk for a few minutes about the cloud. I know increasingly small businesses are moving to the cloud. The president of my small business just informed me a couple weeks ago that we are going to the cloud. And the Department of Defense, I believe, is going to the cloud. Is cloud-based computing more secure or less secure, particularly for small businesses? It is kind of a nebulous thing and I am really curious to what your answers are on this. So anyone, or all that want to take a shot at this, please go ahead. Mr. KEISER. So good question. I worry a bit about the cloud. I worry about having a consolidation of information that the right set of keys can get into. I think OPM comes to mind, a massive breach. I worry about the Pentagon coming up with one giant cloud to house all of its unclassified information. I am actually skeptical they will be able to pull that off, actually. Most Fortune 500 companies have an average of eight clouds. So you might have a Microsoft cloud running your Outlook and your Office applications. You might have---- Mr. BLUM. Is that due to security concerns? Mr. KEISER. It is due to functionality, typically, actually. So I worry a little bit about that but curious if Matt has a different view. Mr. OLSEN. I share your concerns there. I work at a technology firm and one of the engineers in my company has a sign above his computer. It says, ``There is no such thing as the cloud. It is just someone else's computer.'' Mr. BLUM. That is great. That is great. Yeah. Mr. OLSEN. To sort of make the point that it really depends. And this security in the cloud is only as safe as the cloud-based security. Now, there are some efficiencies that can be gained from a security perspective where the data is together, and if you are in a very secure cloud environment that can be more secure than having information spread out on a number of insecure nodes or laptops or computers; right? So there are some potential advantages. Certainly, there are other functionality advantages to having applications run in the cloud that companies are increasingly taking advantage of. So the last thing I would just say is security in the cloud is a critical issue because, as you point out, sir, this is a trend that is going to continue, that we are going to continue to see migration to the cloud. The government is doing it. The private sector is doing it. Mr. BLUM. How secure is the cloud? How secure is it? Mr. OLSEN. Again, some companies are very secure. The major companies that---- Mr. BLUM. But some are not? Mr. OLSEN.--yeah, that have moved directly into the cloud I think are secure. The government itself is working with Amazon, for example, in the intelligence community. So they have managed to, obviously, make that secure enough to work for the intelligence community. Mr. BLUM. But a small company going to a cloud provider could be opening themselves up if that provider cuts corners, particularly on security; correct? Mr. OLSEN. I think that is right. I think that is why it is just so important to be vigilant regardless of where you keep your data and your applications. Mr. BLUM. Mr. Linger? Mr. LINGER. I would say that in so many cases for a small manufacturer, they are better off in the cloud. The security measures there are immensely better than what they have on their one server in their back room of their shop. Now, obviously, if they are doing the things right, maybe you would not say that, but I would say 80 percent of the companies that I see are so insecure in how they handle their data on their plant floor that the cloud is safer. And that may change over time. Mr. BLUM. Thank you for that. This is a very simple question. Should ZTE be banned from doing business in the United States? Let's not worry about what the administration is doing. What is your opinion? Mr. KEISER. So, I mean, I think clearly, from doing business in the United States? Unequivocally yes. Whether they should be completely put out of business around the world is another question. To be fair though, the steps taken in the last couple years are far more significant than we had seen in the previous three administrations I would say. Mr. BLUM. Mr. Olsen? Mr. OLSEN. Yes. I mean, I think I agree with the position that the government took when it prohibited U.S. technology companies from selling their companies to ZTE. That was part of the sanctions regime. And I think that there certain should be--I would take seriously the advice of the intelligence community saying that people should not use ZTE products. Mr. BLUM. Mr. Linger? Mr. LINGER. Yeah. It comes down to the actual devices themselves and where is the device, where is it placed, and what can it do? Understanding at that technical level. Mr. BLUM. Thank you for your insights. I yield back, Mr. Chairman. Chairman CHABOT. Thank you. The gentleman yields back. The gentleman from Pennsylvania, Mr. Evans, who is the Ranking Member of the Subcommittee on Economic Growth, Tax, and Capital Access is recognized for 5 minutes. Mr. EVANS. Thank you, Mr. Chairman. I am going to ask these questions and I would like for the whole panel to respond to them. Are there lessons from counterintelligence and counterterrorism that we can apply in our fight against cyber threats? Although today's hearing is focused on a Chinese company, it is critical that we do not turn a blind eye to other potential hackers from abroad. Are there other countries we should be paying attention to? Mr. OLSEN. I can start if that is all right. First, on your first question, Mr. Evans, there certainly are lessons we can learn from the counterterrorism fight from the last 16 years where we have learned--that we can apply to cybersecurity. And I will just list them quickly. One, is it a team effort? We need to work together. The government needs to work in cooperative fashion across the government, but in particular, the government and the private sector need to work very closely together because 98 percent of the nation's critical infrastructure are in the hands of the private sector, which is the primary target for cyberattacks. It is a team effort. Two, we need to build up a cadre of cyber expertise. We did that in counterterrorism. I worked with them at the National Counterterrorism Center, a lot of experts. We need to do the same thing in cyber. We have a dearth of cybersecurity expertise in this country that needs to be filled. And third, we need to harden our defenses. Again, we did that with respect to terrorism. We put a lot of money and resources into hardening our defenses. We need to do the same thing in cybersecurity. So those are the lessons I think we can learn. In terms of other countries that pose a significant threat, I think typically I would consider four significant countries that pose a threat. They include certainly China, but also Russia, Iran, and North Korea. Mr. LINGER. I will chime in. Clearly, plenty of bad actors. The key is to go ahead and get your defenses in place. And for small companies, a lot of low-hanging fruit for them to get up to a 90 percent level of protection versus being in the twenties or zero percent. Therefore, with regard to who the bad actor is, you are going to be protected. So that is the first step. Mr. KEISER. It is a great point, Congressman. So certainly, the Chinese are most aggressive in particularly theft of intellectual property here in the U.S., but others have launched very devastating attacks. I mean, the North Koreans almost took Sony off the map. Some experts believe if they were a U.S.-based company, they would not exist anymore after that attack. It was so devastating. The Iranians, of course, went after our financial system in New York in a meaningful way, so plenty of bad folks to keep an eye on. Mr. EVANS. In terms of lessons would you say to the question I asked, applying fighting, any lessons? Mr. KEISER. Well, it is important to understand the infrastructure of the internet, I think, to understand the threat. The internet was not built for security. The internet was built for ease of communication. So there is a fundamental flaw that Matt and his colleagues, certainly his old colleagues at the NSA, grapple with every day which is exactly that. So obviously, hardening the systems. A general awareness. I mean, the majority of the attacks still are very low level, simple phishing attacks or other things that could be prevented with a little cyber hygiene we call it in the business. So really the whole country rallying around those sort of simple tasks would have a meaningful impact. Mr. EVANS. Thank you, Mr. Chairman. I yield back the balance of my time. Chairman CHABOT. Thank you. The gentleman yields back. The gentlelady from American Samoa, Mrs. Radewagen, who is the Chairman of the Subcommittee on Health and Technology is recognized for 5 minutes. Mrs. RADEWAGEN. Talofa. Good morning. I want to thank Chairman Chabot and Ranking Member Velazquez for holding this very important hearing. And thank all of you for testifying. Though this hearing is about the threat of ZTE to America's small businesses, make no mistake. It is not just ZTE extending their tentacles around the world as Mr. Keiser said, this is about the tactics that the Chinese state is using to subvert democracy abroad. My own home district of American Samoa is just next door to, or 40 miles from independent Samoa. The Chinese state has heavily invested there, so much so that they are building a port where vessels of the Peoples Liberation Army and Navy can make call. As Chairman of the Subcommittee on Health and Technology, I take this threat seriously. Gentlemen, what actions can we take to protect small businesses from unfair competitive practices of Chinese firms? Mr. OLSEN. I suspect that we all have some thoughts about that. So thank you for that question. I do think, as you pointed out at the outset of your comments that we do see that China has become increasingly aggressive in the region, and particularly in the South China Sea. And we have also, I would say, from a cyber perspective, that cyber has become a vector of attack that China uses or could use to advance its national interest. What we have seen historically from China as Mr. Keiser pointed out is using cyberattacks or cyber espionage as a way to gain competitive advantage. That is to steal information, intellectual property from American companies. In answer to your question directly, I would say that there are, and again, Mr. Linger talked about this, but there are so many things that small businesses can do that we would put in the category of low-hanging fruit, that is, hardening their capacity to withstand a cyberattack by improving their defenses. And then relatedly, to improve their resilience. That is, to be in a position to better respond because to a certain degree, cyberattacks are inevitable. So how a company responds, how quickly it responds, how it responds from a strategic communication standpoint, those often have a lot to do with how effective they are in withstanding a cyberattack. Mrs. RADEWAGEN. Mr. Keiser? Mr. KEISER. Sure. Thank you for the question. So Matt got into the details on the defensive side. A couple important things have happened in recent years. Under the Obama administration, they first issued indictments of Chinese PLA officers, Peoples Liberation Army officers who were involved in the actual theft of American intellectual property which sent, of course, you are never going to get them in a U.S. court, but it sent a pretty important signal that we are not just going to sit back and tolerate that. Other actions have identified some of these actors, including a private sector report called a Mandiant Report, which I would commend to everyone's reading that specifically named the PLA offices in China, where they were, what they were doing in this aggressive activity. It got folks' attention. Actually, took them off the map for a handful of months. They, of course, rebranded and went back to their old ways. But nonetheless, actions like that, I think, are important. I think this ZTE action is very significant. I mean, you took a top five telecommunications company in the world off the map. Now we might throw them a lifeline here, but Congress I think is going to have the last say on that. I think some of us up here are hoping anyway. Mr. LINGER. Yes. Thank you for the question. I think Mr. Olsen hit the nail on the head. It is in the planning. Doing your planning for cyberattack just as though you are planning your company's budget for the year or your annual strategic planning. It is something you just have to do. Be diligent on it. Having a plan in place so that if an attack occurs you know how to respond to it. Mrs. RADEWAGEN. Thank you, Mr. Chairman. I yield back. Chairman CHABOT. Thank you very much. The gentlelady yields back. The gentlelady from North Carolina, Ms. Adams, who is the Ranking Member of the Subcommittee on Investigations, Oversight, and Regulations is recognized for 5 minutes. Mrs. ADAMS. Thank you, Mr. Chairman. Thank you, Madam Ranking Member. If I could just take a moment and introduce three students who are interning, Jemia Booker, North Carolina. All from Carolina, let me say. Jemia is from JCSU in my district. Jasmine Caruthers, South Carolina, CBC intern. And Tony Watlington from North Carolina A&T where I went to school. But let me thank all of you for your testimony. This is a very interesting discussion. The back and forth between President Trump and China on tariffs has been incredibly concerning for my state of North Carolina. Many of the products targeted by China's retaliatory tariffs are major exports from my state. A large part of Trump's stated reasoning for initiating this potential trade war with China was the intellectual property policies, but a deal on ZTE now seems to be a key part of these negotiations. Are these tariff negotiations and the deal on ZTE announced by the Commerce Department sufficiently effective in protecting American companies from the cyber threats posed by ZTE and other Chinese companies? This question is for Mr. Olsen. Mr. OLSEN. I do think that when we talk about the cyber threats from China, a multi-pronged approach is the right one. So we have talked about many of the features of such an approach which include obviously the hardening of our defenses, you know, improving our cybersecurity across the board. A key part of that, and Congress can play a role here is in promoting information sharing between companies, among companies in a sector, as well as between the government and private industry. And Congress has played a critical role in promoting such information sharing. So that is one piece of it. I do think that taking a strong stand against China, whether that is through, for example, what Mr. Keiser talked about, the prosecution of Chinese government hackers. That did seem to have an impact. That was an aggressive step by the Department of Justice, and I think that was the right thing to do. I think we should demand that where we see that type of activity by China, that the criminal justice system is quite effective or can be quite effective in sending a deterrent message. But I think when you talk specifically about ZTE or Huawei, that the steps that the Commerce Department took both in sanctioning ZTE and also in imposing additional fines for being deceptive, that is exactly the right thing to do. And as a former prosecutor, I speak I think with some degree of understanding how important it is when a company during the course of negotiations is deceptive and lies to the government, then you cannot allow that to go forward. Ms. ADAMS. Thank you. You know, one of the challenges for small businesses in the space is the cost of implementing a cybersecurity plan. Unfortunately, we know that minority-owned small businesses are more likely to face obstacles like difficulty accessing capital. How can Congress ensure that we are inclusive of minority-owned and disadvantaged small businesses and any policies that we implement to encourage small businesses to invest in cyber security? Mr. Olsen? Mr. OLSEN. You know, investment in cybersecurity is a challenge across the board. I think Mr. Linger talked about how it needs to be part of the risk management and strategic plan for every company. And it is very hard in particular for small companies who have so many demands on their limited resources to take the steps necessary to invest in security, particularly cybersecurity, because the risk is not well understood and the really sobering fact is that even our biggest and strongest companies are really no match for a nation state. A determined nation state. So I think that the challenge is one that companies face across the board. Ms. ADAMS. Thank you. Mr. Linger, let me quickly ask you about common mistakes that small businesses make in their approach to cybersecurity and how they can be avoided. You have got about 36 seconds. Mr. LINGER. Sure. Thank you. It is just doing the basics. Just having a strong password policy across the company. Protecting their servers. Some of these companies, they are small and they really need to put up about $50,000 down on hardware and software and continuous monitoring of their systems to be protected. They have got to try to plan for this. But that is the issue. Some of it can be done internally with policy, but a lot of it does require some technology and monitoring. Ms. ADAMS. Thank you very much. Mr. Chair, I yield back. Chairman CHABOT. Thank you. The gentlelady yields back. The gentleman from Utah, Mr. Curtis, is recognized for 5 minutes. Mr. CURTIS. Thank you, Mr. Chairman and Ranking Member. This is a really important hearing, and I am grateful that you have put this together, and I appreciate our witnesses that have come to be part of this. Over the last several years, and particularly the last few months, we have witnessed foreign actors taking steps to infiltrate America's infrastructure and weaken our national security. Utah, where I am from, is a great state of innovation and nationally recognized for our tech community. And it has been instrumental in the great economic development the tech community has in our state. However, with all these impressive innovations comes risks. More than ever before, criminals are targeting our computer networks and technology infrastructure, instilling proprietary information. In fact, Utah state government's own network sees an average of 5 million attacks every month. Small businesses are not immune from cyberattacks, and as we have heard here today, are actually more likely to be targeted because they lack the resources. As a former small business owner, I understand that many small businesses do not have an IT department. Mr. Linger, I hear you say $50,000, and that is just insurmountable for many small businesses. As a matter of fact, usually the owner or the family members take that IT hat and try to deal with this problem. Because of this, I am proud to cosponsor and be a supporter of the Chairman's Small Business Cybersecurity Enhancement bill that will give small businesses better access to defense measures to defend against cyberattacks. So my question for the three of you is what is the very most important thing that we can be doing to help these small businesses here in Congress, protect them from the bad actors, like ZTE and others? Mr. Linger, let's start with you. Mr. LINGER. Any support that you can provide for those small businesses, it is so critical. I mean, it is a significant investment that they do not have. And to your point, oftentimes, their IT department is the owner's son who is in high school; right? You see that again and again. Yes. So any measure that can flow down to help them with those systems is imperative. Mr. KEISER. A couple things that have not been mentioned Mr. Olsen touched on. Information sharing. So Congress did pass a law a couple of years ago to encourage classified threat information to be shared mainly with the ISPs, the internet service providers, that would essentially patch known vulnerabilities so the small business owners would be the beneficiary of that but, of course, might never see it because it would happen upstream. So that is one. Another impotent one that Congresswoman Adams mentioned is the educational component. So training the next generation of sort of cyber warriors. And they do not always need a 4 or 8- year computer science degree but maybe a 2-year degree in just understanding the basic blocking and tackling of cybersecurity is another area I think that Congress could look at. Mr. CURTIS. Thank you. Mr. OLSEN. And I do think picking up on that last point that the Committee has been active in promoting education and training for cybersecurity for small businesses, I think that is critical. That is one. I think two is the promotion and development of standards so that companies have a sense of what right looks like in this space. What does it look like? What is achievable? And doing so with a particular sensitivity and eye toward the challenges that small businesses face as opposed to Fortune 100 companies. And then third, moving more broadly, I do think that there is an opportunity in the market for cybersecurity companies to help smaller companies pool together so that they are not in this alone. So what cybersecurity is today is largely you are on your own. Every company is doing this by themselves. The ability of companies to work together to share information, threat information without fear of liability or spilling proprietary information, there is a movement afoot to do that, and the more companies can pool their resources and work together in a common defense, the more effective they will be. Mr. CURTIS. So it is interesting. As you were all three talking I was thinking to myself, is there a role for a chamber of commerce or somebody like that who historically has worked together with health plans and things like that. Are you seeing that take shape? And is there any way that we could nudge that forward that you can all think of? Mr. KEISER. So every major industry has something called an ISAC, information security sharing, that does exactly that. So probably the furthest along would be the financial services sector given the type of information they hold and the value. But every sector is coming up with these ISACs. So you even have a health ISAC. You have energy. And others are coming online. I think the more, the better. As Matt said, it is a huge ecosystem and you have to patch all of it at the same time to have complete security that we likely will never be able to achieve. Mr. CURTIS. Thank you. I would love to hear more. I am afraid I am out of time. And so thanks once again for coming and holding this hearing. And I yield my time. Chairman CHABOT. Thank you very much. The gentleman yields back. The gentleman from Florida, Mr. Lawson, who is the Ranking Member on the Subcommittee on Health and Technology is recognized for 5 minutes. Mr. LAWSON. Thank you very much, Mr. Chairman. And welcome to the Committee. I was just listening to most of your testimony and I was wondering if there was any question I could ask you. And the reason being is that I see small business kind of like three levels. I was a small business owner myself. One from up to 100,000, one to a quarter of a million, and the ones to a million. So you leave a wide gap in there. There is a wide gap in there among these businesses. And I was just trying to think from your standpoint hearing the testimony this morning, I guess it is after noon now, and the question may be more appropriate for the Justice Department. But what modification at the Federal level can be made to protect a cyber system from hacking from companies like ZTE? You know, and maybe you might want to comment on that because, you know, at some of the levels I dealt with, they do not know anything about cybersecurity. All they know is something happened to them, you know, so what can the Federal government do? Mr. OLSEN. It is a great question because, you know, much of the risk is borne by the private sector at the local level, small companies that are really being hit on a daily basis with relatively small scale cyberattacks. Whether it is a ransomware, someone who locks up your data, stealing of data. So these can be devastating but they do not rise to the level of a national security threat perhaps or at least in the isolated incident. But there is a critical role for the Federal government to play on a number of levels. One, as we are talking about today, when we identify a bad actor like ZTE, to use the tools that the Federal government has, whether those are the tools of prosecution, regulatory, sanction-related tools, like the Commerce Department and the State Department have, you know, to use those tools and to use them directly when we have a bad actor that we have identified, and that is really the case with ZTE. But from a policy level more broadly, both Mr. Keiser and I have spoken about Congress's Enactment of the Cyber Information Sharing Act of 2015. What that act did was to really address some of the concerns that companies had about liability perhaps or anti-trust concerns about sharing cyber threat information and it eliminated those. So it addressed those and took those away. And that, as I have talked a little bit about, you know, the ability of especially large companies to get together and to act in a common dense, just like a neighborhood watch, for example, because what these actors do, bad actors are doing is they are going down the line. They do not really care which company they hit. They will just knock on the door until they get in. And so if you are only acting by yourself, you know, you are vulnerable. But if companies share information, if they see something they can share that quickly in a way that can protect them, then they are going to be much better protected, and Congress can play a real important role from a policy perspective in encouraging that. Mr. LAWSON. Mr. Keiser? Mr. KEISER. One thing to think about, I think there are, as you mentioned, the different size companies is an important point. You have some small firms that are huge targets for espionage, particularly law firms, tax firms, that might be small and fit those small categories you mentioned, but hold awfully important information. I mean, we have seen cases of the Chinese getting into a law firm, stealing their information because they were active in a bid or in a merger and acquisition and they wanted that information to use to undercut the bid. So you see different aspects of that. There is a line though in cybersecurity that goes something like this. There are companies that have been hacked by the Chinese and know it, and then there are companies that have been hacked by the Chinese and do not know it. Mr. LAWSON. Wow. Mr. LINGER. Yeah, I will just reiterate. It is that supply chain. So those larger companies are going to have more in terms of protection, but they are going to find the weakest links. Somewhere down the supply chain there is going to be a small manufacturer that makes a critical component that they are very good at producing and those are the ones that are going to be targeted. So sharing that information across that board, supporting those larger companies that give those best practices down to the smaller companies is a way to help make the entire supply chain safe and secure. Mr. LAWSON. Okay. And I do not have much time but Mr. Olsen, since you have been a prosecutor, are we hacking anybody? I mean, if you do not want to answer I can understand. Mr. OLSEN. We are not like the Chinese. Mr. LAWSON. That might have been an unfair question. With that, Mr. Chairman, I need to yield back. Chairman CHABOT. Thank you very much. The gentleman yields back. I think that concludes on both sides. We want to thank our very distinguished panel for being here today. As you know, this Committee is responsible for doing everything it possibly can to help small businesses and to protect them, and they continue to be targets for cyberattacks. And the Ranking Member and I have worked on legislation on this to help to protect. For example, it has the SBICs using best practices out there to educate the small business communities, what they can do to protect themselves. But it is still a dangerous world out there. And as you all mentioned, you have got North Korea, you have got Iran, Russia, and especially China constantly. The gentleman from Utah mentioned 5,000 attacks in his state in one month. So it is incredible what they have to put up with. So thank you for helping us, and especially drawing attention to ZTE and Huawei and what they have been doing and how our country needs to do everything possible to protect ourselves from them in particular. And then finally, I just would note, you mentioned Sony and the attack on them. If my recollection serves me I think was that not in response to a movie? It was, I think, the Interview, Seth Rogan and James Franco? I felt it was my patriotic duty to see the movie, which I did, if for no other reason than to annoy Kim Jung-un. So, but we do appreciate you mentioning that, and I am certainly glad they did survive that because it was a serious attack. So again, we want to thank you all very much for what you have done to help this Committee to help America's small businesses. And I would ask unanimous consent that members may have 5 legislative days to submit statements and supporting materials for the record. Without objection, so ordered. If there is no further business to come before the Committee, we are adjourned. Thank you. [Whereupon, at 12:11 p.m., the Committee was adjourned.] [Mr. David Linger's Response to Questions were not submitted in a timely manner.] A P P E N D I X [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] [all]