Secure and Competitive Markets in the Digital Age
Secure and Competitive Markets in the Digital Age
December 2, 2020
3:00 pm - 4:00 pm
The R Street Cybersecurity and Emerging Threats team, in conjunction with Foundation for Defense of Democracies, hosted a discussion on how to create a cohesive, measured strategy for a secure information and communications technology (ICT) supply chain that balances both U.S. national and economic security and recognizes that U.S. global leadership not only benefits the well-being of American citizens but also promotes a norms-based international order.
This kickoff event included a keynote presentation from Rep. Mike Gallagher, followed by a roundtable discussion of the recommendations from the United States Cyberspace Solarium Commission for creating a secure and trustworthy ICT supply chain and the work still left.
Rep. Mike Gallagher (WI-08), Co-Chair, U.S. Cyberspace Solarium Commission
Erica Borghard, Resident Senior Fellow, Atlantic Council
Tatyana Bolton, Managing Senior Fellow, R Street Institute
Dr. Nina Kollars, Associate Professor, U.S. Naval War College; Non-Resident Fellow, Modern War Institute at West Point
RADM (Ret) Mark Montgomery, CCTI Senior Director and Senior Fellow, Foundation for Defense of Democracies
Jill Aitoro, Editor in Chief, SC Media and Editorial Director, CyberRisk Alliance (moderator)
Speaker biographies included below.
Rep. Mike Gallagher
Rep. Mike Gallagher represents Wisconsin’s 8th District in the U.S. House of Representatives. He is a 7th generation Wisconsin native, born and raised in Green Bay. He joined the United States Marine Corps the day he graduated from college and served for seven years on active duty as a Counterintelligence/Human Intelligence Officer and Regional Affairs Officer for the Middle East/North Africa, eventually earning the rank of Captain. He deployed twice to Al Anbar Province, Iraq as a commander of intelligence teams, served on General Petraeus’s Central Command Assessment Team in the Middle East, and worked for three years in the intelligence community, including tours at the National Counterterrorism Center and the Drug Enforcement Agency. He also served as the lead Republican staffer for Middle East, North Africa and Counterterrorism on the Senate Foreign Relations Committee. Prior to taking office, he worked in the private sector at a global energy and supply chain management company in Green Bay. He currently serves on the House Armed Services and Transportation and Infrastructure Committees, and as Co-Chair of the U.S. Cyberspace Solarium Commission.
Jill Aitoro is editor in chief of SC Media. She has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. She’s interviewed executives from Fortune 500 companies and government officials from around the globe, and is a regular speaker at conferences and on network and cable news outlets. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group, guiding and developing the editorial strategy for Defense News, Federal Times, C4ISRNET, and the cyber brand Fifth Domain. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News. Jill has received multiple award honors for her reporting, editorial writing, and multimedia editorial projects. She hold a master’s degree and bachelor’s degree in journalism, from the University of North Carolina at Chapel Hill and Ohio University respectively, and lives with her family in Northern Virginia.
Tatyana Bolton is the Managing Senior Fellow at the R Street Institute for Cybersecurity and National Security. Most recently, she worked as the Senior Policy Director for the U.S. Cyberspace Solarium Commission focusing on U.S. government reorganization and resilience portfolios. From 2017-2020 she also served at the Cybersecurity and Infrastructure Security Agency as the Cyber Policy Lead in the Office of Strategy, Policy, and Plans where she developed strategies for strengthening the cybersecurity of our nation’s critical infrastructure. Her work included efforts on the Cyber Deterrence Strategy of the United States, the DHS Cybersecurity Strategy, and the National Cyber Strategy. Prior to her work at DHS, she served in various program management positions at Strategic Systems Programs for the U.S. Navy including budgeting, program management, and contracting. She is fluent in Russian and earned her MA in Security Studies with a focus on Asian affairs from Georgetown University’s Walsh School of Foreign Service’s Security Studies Program and earned a BA with honors in Political Science from the Ohio State University.
Dr. Erica Borghard
Dr. Erica Borghard is a resident senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security at the Atlantic Council, which aims to critically examine the core assumptions of American grand strategy and propose fresh, innovative ideas for US foreign policy. Erica’s own work addresses US grand strategy, with a particular focus on the strategic implications of emerging technologies; public-private partnerships and resilience; and covert action and proxy warfare. Erica continues to serve as a senior director on the U.S. Cyberspace Solarium Commission, a Congressional commission established to develop a comprehensive national strategy to defend the United States in cyberspace.
Dr. Nina Kollars
Dr. Nina Kollars is an associate professor at the U.S. Naval War College and a non-resident fellow at the Modern War Institute at West Point and an editorial board member for the Special Operations Journal. Her research interests are on cyber security and military innovation. She has published in numerous magazines and journals to include: “The Rise of Smart Machines: The Unique Peril of Intelligent Software Agents in Defense and Intelligence” in Palgrave Handbook of Security, Risk and Intelligence; “SOFWERX’s Return on Collision: Measuring Open Collaborative Innovation” in Special Operations Journal; and “Cyber Beyond Third Offset: A Call for Warfighter-Led Innovation” in War on the Rocks co-written with Jacquelyn Schneider.
RADM (Ret) Mark Montgomery
Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation, where he leads FDD’s efforts to advance U.S. prosperity and security through technology innovation while countering cyber threats that seek to diminish them. Prior to joining CCTI, he served as the Executive Director of the congressionally mandated U.S. Cyberspace Solarium Commission. Previously, he served as Policy Director for the Senate Armed Services Committee under the leadership of Senator John S. McCain, coordinating policy efforts on national security strategy, capabilities and requirements, and cyber policy. He served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. His flag officer assignments included Director of Operations (J3) at U. S. Pacific Command; Commander of Carrier Strike Group 5 embarked on the USS George Washington stationed in Japan; and Deputy Director, Plans, Policy and Strategy (J5), at U. S. European Command. He was assigned to the National Security Council from 1998-2000, serving as Director for Transnational Threats. He has graduate degrees from the University of Pennsylvania and Oxford University, and completed the U.S. Navy’s nuclear power training program.
BOLTON: Great. Welcome everyone, and thank you for joining us today to discuss the national security imperative of a secure information communications technology supply chain. I’m Tatiana Bolton, the managing senior fellow for R Street Cybersecurity and Emerging Threats team. The R Street Institute is a non-profit, non-partisan public policy research organization, and our mission is to engage in public policy research, and outreach to promote free markets, and limited effective government. We’re pleased to co-host this event with the Foundation for Defense of Democracies. FDD is a Washington, D.C. based non-partisan research institute focused on national security and foreign policy.
FDD’s Center on Cyber and Technology Innovation seeks to advance U.S. prosperity and security through technology innovation while countering cyber threats that seek to diminish it. Earlier this fall, the Cyberspace Solarium Commission issued a white paper examining U.S. critical dependencies on key materials and technologies that make up the ICT supply chain. The commission concluded that the United States needs a strategy to ensure more trusted supply chains, and the availability of critical information and communications technology.
We are pleased to be joined today by Representative Mike Gallagher, who serves as the co-chair of the Cyberspace Solarium Commission, to talk about the commission’s findings, and the next phase of work to develop the strategy. He is an expert on cybersecurity, and we’re so pleased to have him here today. After the Congressman’s opening remarks, he and Jill Aitoro, the editorial director at CyberRisk Alliance, and the Editor in Chief of SC Media will delve deeper into the topic as well as about U.S. concerns about China.
Then, we’re going to turn the conversation over to our expert panelists to talk about critical technologies and materials, partnerships with U.S. allies, and the military implications of a lack of security in our ICT supply chain, and discuss the launch of our new Secure and Competitive Markets initiative. Congressman Gallagher, over to you.
GALLAGHER: Well, thank you very much. It’s an honor to be with you today, and I am certainly not an expert in cybersecurity, though I’ve had the privilege of working with a lot of actual experts over the last couple years, as part of the Cyberspace Solarium Commission, including Tatyana, who did phenomenal work as part of the Cyberspace Solarium Commission staff, and Mark Montgomery, and a few others that I know are part of this, and let me just first say at the outset how much I support this multi-think tank effort, multi-think tank look at industrial policy, because I really think it’s going to require best and brightest from a variety of institutions in the think tank community to come up with creative solutions in this space.
And, I think we’re very much at the beginning of a big initiative on this. Just quickly to talk about the Commission’s work, and the state of the Commission, our first year, I think, was a resounding success. My co-chair, Senator Angus King, and I are very proud of the team effort that produced our March report, which included 82 policy and legislative recommendations. We also completed four white papers that looked at specific issues, and produced some additional recommendations, one of which was inspired by lessons learned from the pandemic, and others.
In about an hour and a half, I’m going to an NDAA meeting for the conferees, but I expect to see about 25 of these legislative recommendations in the upcoming National Defense Authorization Act, including some of our most significant recommendations, and we really hope to work for a second year in 2021, and put some of our recommendations in front of the 117th Congress that we weren’t able to get passed in this Congress. Senator King and I had one consistent goal throughout the process, and this was really a bipartisan, and nonpartisan effort. We wanted to maintain it as a bipartisan effort.
And, honestly, if you had just come to any one of our meetings with a blindfold on, just listening to the substance of what was being discussed, you wouldn’t have been able to determine who was Democrat, and who was Republican. And we also have very good engagement from the executive branch as well, and that really we thought was a unique asset of our Commission was just the unique makeup, having four sitting legislators, high-level members of the executive branch, and then, a group of outside experts, I think, really made for a thoughtful debate and thoughtful recommendations, and so, we really hope that you’ll read not only the supply chain white paper, but also, the broader work of the Commission.
Just quickly, when it comes to supply chain strategy, obviously, I came here today to speak about one of the four white papers I mentioned, the most recent white paper on the need to develop a strategy to protect our critical technology supply chain, and to put it bluntly, in the context of supply chains for ICT, the United States has a China problem. China has mobilized state-owned and state-influenced companies to grab dominant positions in markets for many emerging technologies, including the market for ICT equipment. As a result of Chinese state intervention, the playing field is uneven, and global markets for critical technologies are neither free nor fair.
And, while China has a comprehensive strategy, the United States lacks an overarching vision for how to compete with China on this front, and as a result, the U.S. has a growing dependency on China for parts of our most critical supply chains, one that’s threatening to undermine the trustworthiness and the availability of critical technologies and components that constitute and connect to cyberspace, and potentially, impede American and partner companies’ competitiveness in global markets.
So, what the Commission is proposing is that any strategy to secure the United States high-tech supply chains must be built on a foundation of strong partnership with industry at home, and abroad, as well as partner and ally governments, and must rest on five key pillars. The first is that it must identify key materials, components, and finished products that are critical to the national and economic security in the United States through a risk-based approach. The second is that it must leverage instruments of capitalism and investment to ensure minimum viable manufacturing capacity of critical components and technologies.
The third is it must leverage existing and new efforts to provide greater government support to industry and to protect supply chains from compromise. The fourth is that it must outline ways for the U.S. government to facilitate a domestic market for finished technologies, and the fifth is that it must outline ways for the U.S. government to ensure the competitiveness of U.S and partner companies in global markets.
If you kind of step back, I think, the ability of Chinese manufacturers to undercut competitors has led to a growing web of Chinese technologies and critical systems from telecommunications networks, to power grids, to ports, and not just the United States, all around the world, and the challenge facing the United States is therefore complex, it’s multifaceted. It involves equal parts economics and security, but without an ICT industrial base strategy, America is falling behind competitively, and leaving its citizens at serious risk.
And maybe I’ll just conclude by saying, I know at times it’s been verboten to even use the term industrial strategy or industrial base strategy, but I say this as someone who represents a district in northeast Wisconsin that’s very heavy manufacturing and agriculture. It’s been my experience, limited though it may be over the last four years that, I think, most Americans welcome a discussion about how we onshore, nearshore, re-shore American manufacturing, and I think that the challenge we have is to do that in a way that avoids devolving into complete autarchy. We can’t build everything in the United States.
But certainly, when it comes to key ICT technology, I think, your average common sense American, whether they’re a Democrat or Republican would welcome a thoughtful discussion about that, and understands intuitively the stakes here, particularly, having just emerged, or gone through a pandemic where you had Chinese Communist Party officials threatening to cut off the exports of critical drugs and medical devices in order to hurt and kill Americans. I think there’s an opportunity we have here to harness that recognition, and to do something that will be not only good for our domestic economy, but essential for our national security.
I thank every person that’s involved in this effort, the variety of think tanks that are participating in it, and I look forward to stealing all of your good ideas, and copying and pasting them into legislative language as I’ve done successfully with Tatyana and Mark’s work over the last two years.
AITORO: Terrific. Thank you so much, Congressman. I really do appreciate – I’m sure everyone here appreciates the comments, and I think, we’re going to transition if you don’t mind into some quick Q&A. I’d like to actually touch on a couple of the areas that you covered, and go a little deeper, starting with the NDAA, which all eyes are on the NDAA right now. It seems like if all moves forward, and there are no vetoes which have come up in the last day or two, that we might kind of be in that final run. You did mention there were a number of provisions tied to cyber. Would you mind talking just about a couple of the most notable, in your eyes, that you see having good bipartisan support?
GALLAGHER: Well, yeah, I think, perhaps most important and simultaneously, most contentious is this idea of, well, two things. I’d say one is continuity of the economy planning. If you read our original Solarium report, you see this idea that is inspired from the early days of the old Cold War where really, we had a lot of experts in government think through the unthinkable of how would the United States survive and get back on track in the wake of a devastating nuclear exchange. And from that discussion emerged our plans for continuity of government and continuity of operations.
We sort of concluded that we need a similar effort for how do we recover economically in the wake of a massive cyberattack, and make sure we’re doing that planning now on the front end, so that we’re not trying to make it up on the fly, and I would go further and say, one of the things that we learned, or that we talked about in our pandemic white paper, pandemic annex, or “pannex,” as the cool kids are calling it on the streets, is really that you need the planning and the processes and the structure in place prior to the crisis in order to effectively navigate the crisis. So that sort of continuity of the economy planning is critical.
The second thing I’d say is the creation of a national cyber director, and we spent a ton of time looking at a variety of different models for how you, to quote my good friend, Angus King, “Have one throat to choke in cyber.” And, while there are strengths and weaknesses to different models, we concluded that a national cyber director modeled after the U.S. Trade Representative was the best option, or at least the least bad option, and I know there’s been a robust debate with the executive branch about that, but we feel very good about where the proposal landed, and I am cautiously optimistic that we’re going to advance in that direction.
And then, the final thing, it may sound simple. I know I said two, but I keep adding them in my mind, is requiring a force structure assessment for our Cyber Mission Forces. Their current structure is based on assessments that were done years ago. The world has changed significantly since then, and while I don’t want to prejudge the outcome of a future force structure assessment, I would suspect that when we do it, we’re going to realize that we need to radically alter the structure and size of our Cyber Mission Forces in order to protect the country in cyberspace. So those three things really stand out, but there’s a variety of other proposals, so we’ll see.
I’m a conferee, but there’re limits to what I know about what has made it in the final bill, so I’m anxiously awaiting this meeting at 5:00 PM to see what are our batting average is, and if you don’t think we’re competitive, we actually had outside experts review the work of all past Commissions, determine how successful they were in getting their proposals into law, and we want to beat the historical average by a wide margin. We’re operating under Vince Lombardi rules here. We’re not chasing perfection.
AITORO: I like that. I’m going to throw one more out at you, and see if you have any thoughts or comments in terms of support, and I know that there was talk of potentially having the ability to subpoena internet service providers for information about vulnerabilities of the critical infrastructure. It somewhat ties to the conversation we’re having today. Any thoughts on that in terms of bipartisan or GOP support for that?
GALLAGHER: Well, I would say, the work we did in the pandemic annex really underscored, or re-emphasized the need for not only such authority, but also, to enhance penalties for those who try and attack our critical infrastructure in the midst of a crisis, a pandemic, or otherwise. What the current state of play is legislatively on those, I don’t know quite honestly, but while there was a lot of different jurisdictional issues among the committees, at least within the Commission, there was widespread support. And for the committees we reached out to, you can look at the hearing that we did with HSGAC and others, I think there was a decent amount of bipartisan recognition of the need for such subpoena authority, but I’m sure your expert panel will correct me if I’m wrong in that assessment after this.
AITORO: Great, and while we have a few minutes here, I do want to touch, of course, on China. As you mentioned, and you used that powerful quote that the commissioner wrote in the white paper in October in terms of, “to put it bluntly, the U.S. has a China problem.” First to kind of clarify or pinpoint the problem, do you define this as military, competitive, economic, or all-encompassing in terms of the specific issue we have with ICT supply chain security?
GALLAGHER: Well, if the question is, sort of, what is the nature of the China problem itself? I think it’s primarily, and I’m speaking, this is Mike Gallagher and not necessarily the views of the Commission, because I have some views on China that I’m not sure the rest of the commissioners would agree to. I mean, I’m right and they’re wrong, but that’s a discussion for another day. I view it primarily as a Chinese Communist Party problem, and certainly the Chinese Communist Party is not recognizing any division between economic instruments of their power, or military instruments of their power, or otherwise.
I mean, whether it’s the idea of civil-military fusion or otherwise, or whether it’s just the basic reality that state champions work for the state, even Chinese companies that try and maintain the fiction that they’re not beholden to the Chinese Communist Party are. There are laws on the books in China that forced them to share all of their information with the Party.
I think we need to recognize that that is sort of the way that the Party is operating in a holistic fashion with a desire to dominate all of these industries, and eventually then flip the script on us when it comes to export controls and coerce American companies and other companies into obeying, sort of, their rules. So that’s point one.
Then I think if you recognize that, then it leads to point two, which is that we need to – we can’t, and we shouldn’t try and out CCP the CCP, but we are going to have to do a better job of breaking down barriers and stove pipes that exist within the federal government and thinking about this, not just as a military problem or an economic problem or a diplomatic problem, and then leveraging what is our unique strength relative to the CCP, which is that we don’t have sort of a top-down rigid hierarchical model. We have a very open entrepreneurial model, and really, we have a model in which the private sector is on the front lines.
I’d say, this is something that we struggle with throughout the commission’s work, which is that when you have a situation in which 80% of the critical infrastructure in cyberspace is concentrated in the private sector, what is the role of the federal government and how do you convince the federal government, in general, and the intelligence community, in particular, to really move to a model of being a reliable and trusted partner with the private sector, sharing information proactively with the private sector, rather than just demanding that they submit information and offering expertise in areas where the private sector really can provide it?
So, I’m not saying that we arrived at a perfect balance, but, we really did our best to ensure that we weren’t imposing onerous one size fits all government mandates on the private sector, but we’re instead trying to incentivize the private sector to prioritize cybersecurity, and also spur the federal government to get interested in areas where it currently is not doing enough.
The final thing I’d say, and again, this is going outside of the Commission’s work, is I have come to believe – although this relates to a lot of the original Cyberspace Solarium Commission report, that it is long past time for a dramatic investment in research and development from the federal government, particularly in the ICT technologies that the white paper identifies.
The fact is, you’re going to need some federal government investment, federal government partnership with academia in order to get innovation in these areas where there’s just no natural market right now, or for a variety of reasons the private sector is just unwilling to step up.
I actually have a bill, if you can believe it, with Chuck Schumer, and then a very progressive member of the house, Ro Khanna, called the Endless Frontiers Act, which would make the biggest investment in research and development from the federal government since the original Cold War. There’s no other issue that can unite me and Chuck Schumer like the threat posed by the Chinese Communist Party.
AITORO: Well, and you bring up an important point because this has long been talked about as what you might call an unfunded mandate for the critical infrastructure scenario. Then you also have the technology companies, which of course have a huge role in this, because particularly, in terms of some of the components from computer components, all the way down to some of the defense weapons systems, you really need that development happening in the industrial base, but all of that does require R&D funding. So, it is often difficult to mandate the prioritization for both critical infrastructure and private companies, as well as the industrial base, without the funding or the guarantee that there is a return on that investment.
GALLAGHER: Can I follow up to that real quick too?
GALLAGHER: I mean, one of the areas we talk about in the paper is that, for weapons systems in particular, obviously a lot of those – So, I work on Navy issues a lot, and I was a Marine in a past life. I mean, a lot of these weapons systems, which we spend billions of dollars on, rely on rare earth elements in order to function. Why is it that we can’t seem to wean ourselves off dependency on China in rare earths when we know that we have processing capability. We have allies like Australia with huge assets in this regard, the Japanese had a huge rare earth find a few years ago.
Obviously, it’s more complex. You got to figure out a way to get all this stuff and process it, but there’s got to be a way in which, with that investment from the federal government, or overall direction, we can get the private sector actors both in America and in our allied countries, particularly in Five Eyes allied countries to start working together.
The final thing I’d say, that your question made me think of is, for the past four years, we’ve been approaching the 5G discussion, for example, from a purely defensive standpoint. It’s really boiled down to Huawei is bad. ZTE is bad. Huawei is bad. ZTE is bad. I believe that, and that’s been a very important discussion for us to have internationally, and I think the Trump administration deserves enormous credit for successfully making that argument to allies like the Brits who were not initially inclined to believe it, and some of the progress we hope we’re making in Germany and other countries.
But that’s only half the battle. We have to go on offense and come up with some sort of free world integrated solution where we can compete with the Huaweis and the ZTEs of the world, not just on quality, but also a little bit on price. So that’s kind of where I would hope we go going forward and build off some of the things we’ve done in the Armed Services Committee to incorporate foreign countries like Australia officially into our national technological industrial base.
AITORO: Yeah. There are a couple of questions coming in, I am going to get them. I’m going to ask one more of my own, however. It again relates to China in terms of, so much of this does also rely not just on the U.S., but on allies and support from allies. China has been very strategic and quite successful in garnering support, particularly in the Pacific, from countries there, often using economic means, luring through economic means.
So how do we rally allies, not only to support the standards, for example, that the U.S. is pushing out, but to also kind of pull some of the middle of the road allies, so to speak, to come towards the U.S. and NATO in terms of where they align, despite some of the big promises that they’re hearing from China?
GALLAGHER: Yeah. That’s a great question. I think in some ways it is the question. I think we have two opportunities, well, potentially three. So first, I actually think if you look at what’s happening – Well, what’s been happening in Australia, really, since the start of the pandemic, but over the last two years, and really gained steam in the last week. I mean, it’s just, it’s brazen economic coercion, personal attacks on the Prime Minister and others. I actually think this is a scenario which Wolf Warrior diplomacy is backfiring.
By the way, probably the most fun thing I did during the pandemic while trapped in my basement was to watch the actual Wolf Warrior 1 and 2 movies, which you can do on YouTube. I find them to be quite insightful. I think Wolf Warrior 2 is the highest grossing Chinese film of all time, and they both are just amazing in their caricature of Americans. They make sort of like a Michael Bay movie look like a subtle work of art in comparison.
But, I do think around the world, the Wolf Warrior diplomats have been overplaying their hand. I think people are waking up to just how aggressive and brazen this is. So simply by sending a strong signal support to our closest allies, the Aussies in particular. I saw an incoming Biden administration official did that today, which I thought was a good move. So, that’s sort of step one and that’s the lowest hanging fruit, just aggressively defending our traditional allies. Joe Courtney and I have done a lot chairing the Friends of Australia Caucus in that regard.
The second area, our advantage – Well, I mean, I get that the Chinese market is massive. There’s a lot of money you can make there, but what we offer relative to that is, I mean, a huge market and a market that’s actually bigger once you start adding in our formal treaty allies alone, I think comprise upwards of 42% of the world’s GDP, but we offer transparency and rule of law, and we can be that unique actor that sets the terms of what a free and fair system looks like. I think we really need to make ourselves the economic and security partner of choice.
I hate to say it, but I think in a lot of these very obscure standard setting bodies around the world, we just haven’t shown up aggressively enough in recent years, and the CCP has. It may not be as sexy as some of the other stuff we do, but that diplomatic engagement, I think, matters, and is part of the reason, this is the final thing I’d say, in the final report, you’ll see, we’ve done a lot to try and enhance positions within the State Department that deal with these issues, really positions across the inner agency, which don’t get as much attention, but are really, really important.
I was talking with someone the other day in the administration about who in the government is paying attention to, sort of, the Australia’s first island chain, all these countries like Vanuatu, where if we just had like one person there, it could go a long way. We may not think that’s important, but it is, it adds up. So, we’ve tried to think through, kind of, how do you enhance the diplomatic instruments of American power that would help to make this argument to allies.
And sorry, to go on, for the countries that are not Five Eyes allies, not aligned. I mean, I don’t know. I mean, I think we have an opportunity with Vietnam right now, certainly it’s remarkable the positive view of Americans among the Vietnamese people. I think the administration has done a good job recently building enhancing ties with India. I think particularly in the wake of Chinese soldiers bludgeoning Indian soldiers to death, I did not have like hand-to-hand combat between China and India on my 2020 bingo card. So, I don’t know, there’s a lot of opportunities where we can make inroads with non-aligned countries too.
AITORO: Yeah. Yeah. That’s terrific. I know there’s a lot of domestic focus in growing their own industrial base. So, having them in alignment with the United States, is critical. There are a couple of questions here I want to quickly get you before we run out of time with you. We have one question to asking whether antitrust issues with certain companies are a part of the cyber strategy. Is that something that’s being considered?
GALLAGHER: By and large, we avoided those, issues and Mark can correct me if I’m wrong, I’m not sure we even really mentioned some of the thorny issues around Section 230, which often gets lumped into this discussion. It’s not to say they aren’t important, it’s just that we couldn’t address everything in the report.
I do think just as a political matter, just given what’s happened over the last few months and just the growing antipathy at least within the Republican Party, or skepticism towards Big Tech and some of the things they’re doing, I think there will be a discussion about antitrust issues in the next Congress. I have yet to see a framework that makes sense myself. I’m open to it. I’m open to some sort of limited reform of 230 that doesn’t go overboard.
The other thing was, we’re looking at sort of liability of final goods next year, but not antitrust. So, I guess the short answer was no, but I’m certain it will be a discussion in the next Congress.
AITORO: Okay. Terrific. Finally, if it’s okay, I wanted to get this last one in, someone wondered, would there be utility in resurrecting the Office of Technology Assessment to help more members of Congress ramp up an understanding in the underlying issues at work here?
GALLAGHER: So, I have voted in favor of that in the past. I think my Democratic colleague Takano usually does a bill every Congress to that end and then we recommend it in the final Cyberspace Solarium report. What’s really interesting, and this is kind of an obsession of mine, sort of the way in which Congress has evolved or devolved over time.
If you look at that change, it was part a series of reforms that were done in the 90s when the Republicans regained control of Congress for the first time, I think in 30 years, or maybe longer, under Gingrich’s Contract with America. There was a logic to it, right? It’s, “We’re going to drain the swamp by getting rid of all these unelected positions in Congress and we’re going to restore trust and give the American people more power.”
Well, the problem is by neutering tools that Congress had at its disposal, all you did increase the power of the executive branch relative to the legislative branch, which, if your concern is draining the swamp, it just increases the size and depth of the swamp, and members of Congress are always at a disadvantage when it comes to these highly technological issues.
I mean, I have a staff of seven people in D.C. and I’m not smart enough to keep up with all this stuff. So, I think having the Office of Technological Assessment would go a long way towards getting Congress on a level playing field with the executive branch.
I just would highlight another recommendation we had in there is the creation of a special committee for cybersecurity in Congress, so that you can sort of develop that expertise within Congress over time, that’s able to navigate the labyrinth that is the executive branch on national security and understand what’s working and what isn’t, so we can reinforce success and stop funding failure. So, yes. I could just say yes, or no, and answer your question, but –
AITORO: You made it all the more convincing, I suppose. Unfortunately, we’re out of time. I could speak to you far longer and I’m sure folks would be interested to hear what you have to say, but thank you so much for joining us. We’ll all be watching the NDAA and we will be looking to see what else emerges. So, thanks for being with us.
GALLAGHER: This was an absolute pleasure. And I really, again, can’t say enough about this effort. I mean, again, with a staff of seven, I have to rely upon the expertise that’s out there in the think tank community. So, thank you all for being part of this discussion and eager to work with all of you on it going forward.
AITORO: Terrific. Thank you so much. I encourage you to listen to the panel and all of our listeners out there to stay on for the panel. We’re going to bring everyone on camera so that they can join us for the second part of our discussion. As they do, I’m going to go ahead and get into some of the introductions.
GALLAGHER: Wait, as I sign off, can I just also highlight the great work that Dr. Erica Borghard did for the Commission? She was incredible in everything she contributed. And anything that I wrote about this topic that seemed smart probably has her fingerprints on it. So, thank you to Erica as well.
AITORO: That’s a great endorsement for the panelists. Thank you. All right. Terrific. So, we are going to move on to the panel. We about 30 minutes. Before I kick off introductions, I want to encourage folks please do ask questions. You’ll see the Q&A at the bottom of your screen. Type it in there. I’ll keep track of that. And we’re all going to have a discussion, and I’ll try to make reference to those as we roll along.
So, I’m going to quickly do some introductions. We have with us today, Mark Montgomery, who is a senior fellow at the Foundation for Defense of Democracies and a senior director of FDD’s Center on Cyber and Technology Innovation, previously served as executive director of the Cyberspace Solarium Commission, and is currently serving as a senior advisor to that Commission.
We have Erica Borghard, who we just heard a note on, who’s a resident senior fellow at Atlantic Council, focusing on the strategic implications of emerging technology. We have Nina Kollars, who is associate professor at the U.S. Naval War College and a nonresident fellow at the Modern War Institute at West Point. Her work focuses on cybersecurity and military innovation. And we have Tatyana Bolton, who you heard from a little bit earlier, who is managing senior fellow at the R Street Institute.
So welcome everybody. I’m excited to get the conversation rolling. I’m going to hop right into it so that we can utilize our time, and I am going to start with at Tatyana. Clearly, developing a comprehensive ICT supply chain strategy is a massive undertaking. We heard some of the reasons, of course, from the Congressman. Can you speak a little bit to the primary goals and how we balance national security with the economic interests as we pursue that effort?
BOLTON: Absolutely. Jill, you’re totally right. It is a massive undertaking, but a national strategy needs to be a massive undertaking because it needs to encompass and consider so many different perspectives, from economy to national security experts, to people who are experts on R&D and trade. And that’s why we’re bringing together scholars from a variety of different organizations and a variety of different fields, such as those that I mentioned, as well as technology, so we can develop a holistic and feasible set of concrete recommendations.
As you can see, we already have scholars who are participating from R Street, FDD, the Naval War College and the Atlantic Council, and we’ve reached out to other organizations across the political spectrum. So, as we gear up for the Secure and Competitive Markets Initiative, we’ll come together to decide the necessary values and provide a framework for weighing potential policy solutions.
We believe a strong national strategy must defend U.S. national security, while also encouraging free market competition because the innovation that this competition fosters is one of our greatest assets in the United States. The last thing we would want is for the United States to adopt China’s strategy of national champions and a state directed economy, which is, in our minds, a failing strategy.
Once we’ve agreed to that framework, we’ll break out into smaller groups. They’ll work on issues such as precious minerals or other components in ICT equipment, and competition with China. The goal is to provide actionable policies which balance economic and national security interests.
To end, I will just say that we can no longer simply admire the problem. The U.S. government needs better ideas, and we believe humbly and with recognition that the scale of this challenge is huge, that by bringing together these smart and creative minds, we can begin to solve the problem.
AITORO: You know, it’s funny. I have a question for Mark next, but I saw CISA put out a warning on how think tanks are being targeted by phishing attacks, and I think it’s all the brain power that is held by all these thinks tanks around the area. So, you all are clearly getting targeted for a reason.
Mark, I wanted to jump to you because this was just mentioned by Tatyana, it was mentioned by the Congressman, that really, the start of the base of the supply chain you might say is the raw materials. And we’ve heard for so long that China has such a dominance in terms of the rare earth industry. It’s used that dominance. We’ve seen them leverage that before, notably against Japan about a decade ago, though I am confident that’s not the only time. This has come up a lot in various government departments, Congress. It’s hard to tell how much progress is being made. Can you kind of speak to the situation as it stands now?
MONTGOMERY: Yeah. Thanks, Jill. Congressman Gallagher hit on this, but I’ll say kind of backing up, a core aspect when we build our national cybersecurity is that the critical technologies that constitute and connect us in cyberspace, as well as the building blocks of those components, the things that go into the generators and the pumps and the valves and the switches and the servers, they have to be available to U.S. producers when we need to build things and they have to be free from compromise during their production.
And the manufacturer and production of these critical technologies, it relies on a myriad, a ton of different raw materials and intermediate goods. And if our supply chains, if we can make them less complex, more local, or sourced through allies and partners, it’s going to be far easier and more efficient for the U.S. government to work with companies to protect the supply chain from compromise.
And when we think about these raw materials, the kind of ones that are used in high-tech products, we’re thinking about rare earth elements that the Congressman mentioned, silicon, germanium, those are two other elements. They are found all over the globe, and the U.S. even mine some of them and we even extract these materials from mine products. But more often than not, and increasingly, even despite the Japanese example, the U.S. relies on other countries for their refinement and we end up importing them.
Our greatest shortfall is those rare earth elements. I don’t want to get, you know, they’ve got weird names like lanthanum and samarium and such, but what they do is they kind of get the conductivity of the material, they emanate material better. They allow hardware to have special properties that give you peak performance. These aren’t found in abundance in the U.S., these rare earth elements. And without them, it leaves us a critical dependence. When you’re thinking about semiconductors, the display panels that use touch panels, functionality, improved radio transmission, all the fiber optics, really the stuff that goes into our military weapon systems like the chips inside precision guided munitions like LRASM, Navy weapon systems, they all rely on these rare earth elements for critical components.
And what’s really happened is while we could mine some of these, the extraction of the rare earth element from the ores is a really costly process, and it causes considerable environmental damage. So, for these reasons, the United States has really come to rely on China. They’ve taken advantage of their lower production costs, their government subsidies, and much, much, much fewer environmental restrictions to take a leadership position worldwide in this.
So, I know the Congressman said, “Hey, we got to take a look at this.” So, what I would say is when we take a look at it and what the art of the possible is, we’re going to have to expand our vision beyond the U.S. Because to address some of those issues I mentioned about the cost of production and the environmental impacts, we’re really going to have to rely on reliable partners in Asia and Europe, some of whom have already started working on this.
And to correct this dependency is not going to be cheap and it won’t be fast. But the truth is, I don’t mind buying my sneakers in China. I’d be really concerned about buying the raw materials for the LRASM missiles and things like that from China. So, we’re going to have to fix this. It just, it isn’t going to be a real quick change to the NDAA and we’re in business. This is a tens of billions of dollars issue and a lot of environmental work and understanding, whether we’re doing it in the United States or with our partners and allies.
AITORO: And probably years. I mean, you have to imagine when you think of both the financial and the production side of things, not to mention the agreements that would probably be needed with international partners. So, there could be reliance on China for some time, no?
MONTGOMERY: A decade. I think realistically, if we put our mind, if we put good American ingenuity, our good relationships with allies and partners who’ve already started this, this is a decade long issue and tens of billions of dollars. By the way, if you go one step up into the intermediate goods like microchips, that’s another billions and decade long – We’re in a fight. There, we’re in the game, but to stay in the game, it’s a tens of billions of dollars of investment issues.
So, these are really complex, hard things that aren’t going to be fixed by one or two Senators thinking, “Whoa, they might put this in my district or my state, and we’ll be okay.” This is a really, a national security challenge.
AITORO: And I’m going to circle back to everyone on aspects of that because I think a lot of it comes down to a money problem too, which Congress I don’t think is entirely willing to pony up in terms of the kind of investment that’s required for so many of these aspects. But first, I want to really quickly hear from all of our panelists. I want Erica perhaps to chat with us in terms of – ICT and supply chain generally tends to be focused on the economics. This came up with the Congressman as well, market share, competition, that sort of scenario, but are there military implications, and what might those be?
BORGHARD: Yeah, thanks Jill. I think that’s a great question, and Mark kind of alluded to this just in his remarks a few minutes ago. I do think there’s an important military dimension to these issues. And the way that I see it, I think there are kind of two sides to this challenge.
And the first one is perhaps like the more obvious one, right? The fact that compromises or vulnerabilities or fragility in the DOD supply chain has national security consequences, right? Vulnerabilities in hardware or software could provide an avenue for adversaries to conduct espionage, to distort the functioning of systems at critical times.
As Mark also mentioned, right, the fact that oversees dependence on critical technologies and also critical material could enable adversaries to cut off the DOD from access to them during a time of crisis, or even for their own coercive bargaining purposes, right? Not just for war fighting our crisis scenarios, but just for their own strategic ends.
And I think that we’ve all become a bit more aware of the salience of this issue because of COVID-19, but the reality is that it predates the pandemic. And that’s why, from my perspective, I think it will be really important to develop a systemic process for identifying what those critical technologies and capabilities for the DOD are, which will be part of this effort that we’re all kind of kicking off here today, and then developing a strategy that is based on partnerships, especially international partnerships, to build this sort of trusted network of suppliers.
And for the DOD also, the private sector plays an enormous role here in a way that we don’t always intuitively think about. And it’s obviously the defense industrial base, right, which is why any strategy for the DOD and securing the DOD supply chain has to be organized around the public-private partnership, which is not a sort of natural framework for thinking about military challenges. But, the reality is that the DOD doesn’t have a complete picture of its supply chain and there’s no sort of mechanism for making that happen without a public-private framework that’s based on some combination of both requirements and incentives.
And then sort of relatedly, I think a lot of people don’t realize the role that commercial off-the-shelf technology plays in military capabilities. And the F-35, for instance, relies on commercial off-the-shelf IOT technology for its sensor capabilities. And we all know about vulnerabilities in IOT devices, right? There have been recent DOD Inspector General reports that have shown that DOD continues to purchase commercial off-the-shelf technology that has been shown to be vulnerable. And so, there’s this sort of, not only an international partnership dimension, but also a public-private partnership dimension that’s important.
And so that’s kind of, that’s one sort of big slice of the issue. I think the other side that doesn’t get as much attention is the implications for war fighting in terms of sort of what the global ecosystem of information and communications technology looks like. And that’s where I see a really interesting intersection between the economic aspects, right? Like, who has relative global market share of ICT technologies? and then the military aspects and how they intersect.
So, when we think, a good example of this is 5G, right? But there are other examples. 5G technology will inevitably change the environment in which the U.S. military and its allies and partners are operating. And this creates lots of good opportunities, right? You can improve situational awareness of battlefield commanders. You can improve the volume and the speed with which information is shared between disperse units. You can improve precision targeting capabilities. But there are also risks, especially in terms of the ability of the U.S. and our allies and partners to operate despite or through adversary efforts to disrupt or deny or degrade telecommunications and the associated military capabilities that rest on that infrastructure in a given area of operations anywhere in the world, right?
And since the Persian Gulf War, commanders have become increasingly reliant on technical means of intelligence gathering at the tactical level. And the reality is that if China, for instance, takes the lead in fielding these ICT systems around the world, then the U.S. and our allies and partners will be operating in an environment where China has sort of shaped the telecommunications ecosystem. And so, I think this has important implications for war fighting that we don’t naturally think about. And so, I’ll leave it to the other panelists to share their thoughts on the military implications. I know Nina has some thoughts on this too, but those are sort of the two kind of big issues that I see in terms of framing the military challenges.
AITORO: Yeah. And Nina, I would like to hear from you. I mean, there was lots of mention there from Erica in terms of partners. And like I mentioned in the earlier conversation with Representative Gallagher, China is trying to win those partners and allies over as well. And they have what some might call a strong argument to do so from the economic side of things. So how does that fit, and long-term when you look at all of these issues, it really has the potential to shift the geopolitical nature of our military position around the world. So how does all of that fit into this conversation in terms of how we coordinate with allies?
KOLLARS: I can’t say enough. It’s always fun to convene a panel where we’re all talking about some subset of the part of an elephant, but ultimately, we sort of agree it’s an elephant. And that’s just sort of reassuring all the way around.
One, just to elevate a little bit of what Erica was talking about, I was in Venezuela – Sorry, I wasn’t in Venezuela. I was in Argentina last year and a good chunk of that country’s ICT is a gift from China. And that seems fine, except down there, sort of as part of a U.S. Naval diplomatic move to sort of talk about how we can be integrated better with their military. And so, if we’re going to be integrating with our military in a space where the Chinese own the ICT, it’s a very interesting and complicated dance.
KOLLARS: But as far as partners and allies are concerned, I want to be clear that I’m talking mostly about DOD’s corner of the universe, right? So, there’s all sorts of partners and allies questions when it comes to global trade or when it comes to marketplaces or just consumer space stuff. But when I’m talking specifically about DOD, we’re talking mostly – One of the things we don’t talk enough about is what do we think we mean by trust? I’m part of what’s called the Cyber and Innovation Policy Institute of The Naval War College. And one of the things we’re trying to look at is trust, not just in the technology or the supply chain itself, but what’s integral to any sort of strategy like this is to think about trust in our global partners and allies themselves. So, we have the Five Eyes partnerships. We have our relationships with UK.
One of the things that we really need to be thinking about is, what’s the status of that trust? How do we make it better? And that’s part of what is incredibly important for the safety and security and health of the capacity for the United States to protect power. So, everyone agrees that we need friends to fight, but we also need friends to build and secure. And that means getting beyond hardware and software and mapping supply chains. All of it is really important, and as you can see as the colleagues on the panel talk, we’re all talking about different parts of this.
But we also, in addition to thinking how do we do partnerships as Erica was talking about with our private sector, the down and in, the how do we do better by our own markets, how to make our own companies more competitive. We do need to be thinking up and out. With whom can we develop trust? With whom do we have trust now militarily? What do we have for technology exchanges? What can we do better and more? Mark was talking about potential relationship with Vietnam. These are very important questions that we need to think strategically. We can’t be slapdash or sloppy about it because trust in an ally is trust. And so, we need to think about with whom and why is that important?
We have to do it not just because we want to be friendly with the rest of the world. There’s a certain kind of credibility that comes with having military hard power. It’s a stabilizing factor, not just a de-stabilizing factor. Having military hard power is a stabilizing factor in global politics. And so, the capacity to have it, to secure it, to make it function correctly is part of this capacity. The United States has a vision of what it thinks the international system needs to be and its role in it.
And so, part of what has to happen here is we need to think broader than just down and in consumer marketplace, partially because, defense spending, the defense acquisitions process, is a tiny, tiny sliver of the broader consumer marketplace, right? It’s a unique market. In that unique market, the DOD has a lot of money, but it’s a unique minority stakeholder in the marketplace and the broader marketplace. So how do we get the United States to be more effective, the government, the DOD be more effective in flexing its requirements to be secure for the stuff that the DOD needs? We need partners to scale. So, one of the things we need to be thinking about is how do we reach out to our partners and allies across the world? How do we get our pieces to be interoperable? How do we secure it, not just for us?
And it can’t be just a U.S. only supply chain story. I mean, in my opinion, it would be impossible. DOD produced only by the United States? It’s impossible. So, we need to start thinking about how do we scale this up. And that’s what we need our partners and allies for. So, it’s not just about the machines themselves. We need to think about, how do we foster these long-term relationships with our global partners and allies who have a similar vision about the international stage and where we belong in it?
AITORO: Yeah. And that’s easier said than done when you consider a couple of factors. We talked about commercial offerings. DOD has tried repeatedly and continues to try and work more with commercial partners in a way that mirrors some of how they do business in terms of development. They’re not always successful in that because of some of the restrictions in terms of procurement and otherwise. And then what we’re seeing a lot around the world is a focus on domestic growth of the industrial base. The U.S. has kind of focused at home for this administration, but other countries have started to do the same. Australia was mentioned, for example, and we just did an interview with the former prime minister that spoke about needing to grow the domestic capabilities in cybersecurity. So what needs to happen? We talked about funding. We talked about incentives. With a new administration likely coming in, where do the priorities have to be to kind of move this plan forward, to enable it, because we’ve been talking about it for a long time? And that’s to anybody. I’m directing this at the whole group.
BOLTON: I will say one thing. I think what’s important in this initiative, and certainly from the R Street perspective, what we want to do is not necessarily focus entirely on the U.S. market and our producers, manufacturers and companies, but an international, sort of, partnership with other partners and allies that creates a more competitive global marketplace for all of these ICT products that can compete, like Representative Gallagher said, not only in quality, but in price. And we can only do that with partners and allies. Joakim Reiter from Vodafone today at the Aspen Cyber Summit said that optionality is the critical piece here. We can’t, on the one hand, suggest that the United States get out of any relationships and remove all Chinese products from our supply chain while not also creating the optionality for companies and consumers to move to another secure product.
If we cannot get into these markets and manufacture these goods ourselves or with partners and allies, we’re not going to be able to convince others to take these moves. Because while security is important and critical, you need to consider the resiliency of the networks and systems as well. And that is not possible without that optionality.
AITORO: Yeah. So, what’s the incentive for companies to start moving towards the R&D that would really be necessary for this? Does government, do agencies, does Congress need to step in and provide financial benefits to this happening? Are they doing that now? Do they need to do more? Anyone?
MONTGOMERY: I would say, this is going to be a very hard issue because it really depends on what’s the normal business case. If there’s a normal business case for R&D investment, we’d expect companies to do that. The problem comes when you have an extraordinary case. And I think we’re seeing this in the Foundries Act and the Protect Act, the semiconductor acts that they were in the Congress initially and then went into the NDAA. What you saw initially was the kind of money that’s really required. By the time it comes out of the authorization, it’ll be in the single billions. And then, by the time it gets down to the appropriators, we’ll be lucky if it’s a billion. So, in reality, you didn’t solve the problem.
I’d step back one more and say we really need to have a strategic approach. Our government is a can-do organization, even though if can-do appears to take too long and not do the right thing, there is an attempt at can-do. The problem we got right now is we have a lot of can-do going on, both legislatively with acts like the Foundries Act, the Protect Act, the Open Radio Access Network Act. And in agencies where you have DHS, DOD, Commerce, all shooting off with strategies and lines of effort. What you don’t see is a strategic kind of guidance that makes sure that you’ve identified what are the key technologies and equipment. It’s not everything. It’s the thing that government experts believe are necessary to defend ourselves.
And then you have to decide what’s the minimum you have to have. Because, it might be that between ourselves and our partners, we’re okay. I mean, it’s not perfect, but it’s there. And then once you determine that maybe you’re below that minimum capability or capacity, that’s when you start to turn on the gears of government intervention, whether it’s incentivizing or regulating or finding a good overseas source, resource to do it. That’s when the government I think gets engaged. But we’re “ready, fire, aim” on a lot of these efforts. So, I’m really hoping that the Biden Administration sits back on this and comes up with a comprehensive, critical technology, industrial strategy, and looks at those clean elements and figures the way out of this. But generally speaking, that can-do attitude translates into get it done too fast.
AITORO: Yeah. Yeah. Well, looking at the Biden Administration coming in, we’ve seen the relationship with China shift pretty dramatically over the last four years. It was very different from the Obama Administration. Some might say China as a threat has shifted over the course of the last four years as well. So how should the China policy be framed by the Biden Administration going in to help enable this? Any thoughts there? Seeing who might want to share.
MONTGOMERY: I’ll jump in one more time and just say, and I think Congressman Gallagher kind of referred to this. It’s we are in a competition. And even if sometimes we don’t understand we’re in a competition or don’t act like we’re in a competition, I’ve been observing, I think Erica has as well, China for 15 or 20 years, in my case. And they certainly know it and act like it. And that competition has resulted in the United States competing in a not free and not fair trade environment. And what I mean by this is they’ve used a mix of government-led industrial policy, not that there’s anything wrong with that. But with deceptive trade practices and state led intellectual property theft, there is a problem with that. The manipulation of international standards and trade bodies, there is a problem with that. And then an investment in research and development. And there’s not a problem with that. So, they use this mix of ethical, unethical, legal or illegal methods to create a very difficult environment for our companies.
I think we have to recognize we’re in that competitive environment. That doesn’t mean we’re going to war with them. But it does mean we’re probably in a longer-term strategic competition than we tend to hope we’re in. And so that’s how I look at it and that might be slightly pessimistic, but I think that’s the proper way to begin your strategic approach.
AITORO: No, that’s great. And I think too much optimism can sometimes stall progress and has shown to. Unfortunately, we are at time. So, I do want to thank all of our panelists for sharing really terrific perspectives. This is such an important topic. I think there’s zero question that step one is to develop a really strong strategy, and then it’s really about finding the best approach for implementing that. So, we will be very interested to keep an eye on how this moves forward and to hear more as efforts continue, both in government and throughout all of your organizations. So, we thank you for that. I’d also like to thank the audience for joining us today for this important conversation.
KOLLARS: Thank you.
BORGHARD: Thank you.
MONTGOMERY: Thanks. And thanks to Tatyana for pulling this together.
AITORO: Yeah. Thanks everybody.