Several weeks ago, the House Small Business Committee held a hearing titled ZTE: A Threat to America’s Small Businesses to explore the economic and national security threats posed by the Chinese telecommunications equipment and systems firm ZTE. The day’s discussion focused on ways that American small businesses could protect themselves from ZTE specifically and Chinese-backed entities more generally as well as the mixed signals being sent by the administration of President Donald Trump regarding ZTE.
This April, the Department of Commerce instituted a ban preventing American companies from selling components to ZTE, cutting that Chinese telecom off from suppliers contributing up to 30 percent of the components used by ZTE in its phones and other products. The ban came in response to ZTE’s admission that it had violated sanctions by conspiring to sell equipment to Iran. Instead of lasting the originally planned seven years, however, news reports from early June indicated that the Trump Administration was negotiating an agreement to rescind the ban in exchange for ZTE’s payment of up to $1.7 billion in fines. In late June, ZTE appointed a new chairman and completely replaced its board in a move to distance itself from the sanctions violation.
In the month since this hearing took place, the Commerce Department did indeed lift the ban in mid-July, allowing U.S. suppliers to once again sell telecommunications components to ZTE. Although Capitol Hill lawmakers attempted to reinstate the ban through a provision of the regular Department of Defense spending bill, that provision had been stripped from the bill by late July although the bill retained language which prohibits companies contracting with the U.S. government from using equipment manufactured by either ZTE or Huawei, another major Chinese telecom.
In his opening statement for the June 27th hearing, House Small Business Committee chairman Congressman Steve Chabot (R-OH) expressed his deep concerns regarding the Commerce Department’s efforts to remove ZTE from the Denied Persons list and restore its business operations with American suppliers. “When we talk about existential threats to national security—and that is what ZTE is—it is the federal government’s job to protect Americans and American small businesses,” Chabot’s statement reads. In addition, Chabot spoke to the threats posed by a much wider assortment of state-backed actors engaging in cyber attacks of American small businesses both to steal intellectual property and to undermine the nation’s infrastructure. Concerns over the Trump Administration’s apparent vacillation on the ZTE ban were echoed by Congresswoman Nydia Velazquez (D-NY), ranking member of the House Small Business Committee. “The prevalence of ZTE’s products is disturbing when we realize that the company has a history of being a national security threat to American interests,” Velazquez said. “Unfortunately, it appears that the President seems intent on weakening our security posture when it comes to responding to this threat.”
The witness panel for this hearing consisted of David Linger, president and CEO of manufacturing process improvement firm TechSolve, Inc.; Andy Keiser, visiting fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School; and Matthew Olsen, president of IronNet Cybersecurity. In Linger’s testimony, he spoke to the fact that many small manufacturing firms are not prepared to handle a cyber attack. Linger also noted that cyber attacks on Internet of Things (IoT) platforms increased by 600 percent between 2016 and 2017, with one-fifth of those attacks originate from China. Keiser’s testimony acknowledged the difficulty that U.S. firms have in competing against state-backed firms like ZTE, which outbids American companies for cellular telephone tower projects by entering bids that are less than the cost of materials for the towers, not just the labor. Keiser also noted marketplace issues posed by Huawei, which has itself has misappropriated intellectual property from Cisco and Apple. Olsen’s testimony focused a great deal on the national security threats posed by widespread cyber attacks and the potential for ZTE to continue to engage in questionable business activities on behalf of the Chinese government. “From my perspective, the critical national security concern going forward is the risk that ZTE and other Chinese-backed technology firms may pose to U.S. telecommunications and other critical infrastructure,” Olsen’s testimony reads.
During the questioning period, Rep. Chabot noted that companies like ZTE and Huawei differ a great deal from publicly held companies on the New York Stock Exchange which have a much bigger profit motive; the Chinese firms mainly worked to serve China’s national security interests. “In the last two weeks, after the United States of America issued a denial order prohibiting them from purchasing any U.S. components, which essentially would have put them out of business, the two biggest Chinese state-owned banks infused $11 billion to keep them afloat,” Keiser said. “Name a Western company that might have that option.” Because ZTE provides infrastructure for telecommunications networks used by American consumers, Olsen noted that ZTE was in a unique position to carry out the Chinese government’s interests to disrupt communications in America or further aid in the stealing of American IP.
Congressman Rod Blum (R-IA) questioned the panel about cybersecurity in cloud computing contexts, noting that many small businesses and government agencies were increasingly moving towards the use of such technologies. “It’s kind of a nebulous thing,” Blum said. Keiser expressed concerns given the fact that, due to different functionalities between cloud services, entities typically use more than one cloud computing platform. Most Fortune 500 companies used an average of eight clouds, Keiser said. These concerns were echoed by Olsen. “I work in a technology firm and one of the engineers in my company has a sign above his computer that says, ‘There’s no such thing as the cloud, it’s just someone else’s computer,’” Olsen said. Although cloud platforms enabled data efficiencies and were preferable to storing data on insecure nodes within a company’s own IT infrastructure, Olsen stated that security in the cloud was only as safe as the current state of cloud-based security.
Despite the importance of addressing cybersecurity concerns, many people during the hearing spoke to the lack of resources many small business entities have to devote to such strategic planning. Congressman John Curtis (R-UT) asked the panel to identify the most important thing that Congress could be doing in order to protect small business cybersecurity. Keiser was supportive of Congressional action like the passage of the Cybersecurity Information Sharing Act of 2015 which encouraged the sharing of classified threat information to patch known vulnerabilities. However, Keiser noted that many cybersecurity threats could occur upstream of small businesses at the IT systems of their suppliers. Olsen said that the more that companies could be enabled to share information without a fear of liability or spilling proprietary information, it could encourage cybersecurity companies providing solutions to small businesses to pool together resources and make them more effective. Elsewhere, Keiser noted that certain small firms, including law firms and tax firms, were major targets for cyber attacks because of the value of the information stored by those entities.
The security threat that China poses to specific regions was largely driven home by Congresswoman Amata Coleman Radewagen (R-AS), the House delegate from American Samoa. Radewagen noted that American Samoa is only 40 miles away from Independent Samoa, where China has been increasing its presence by investing in a port development project. “It’s not just ZTE extending their tentacles around the world,” Radewagen said. “This is about the tactics that the Chinese state is using to subvert democracy abroad.” Olsen answered by noting China’s increasingly aggressive actions to assert its dominance over the South China Sea. “From a cyber perspective, cyber has become a vector of attack that China uses or could use to advance its national interests,” Olsen said.