Rogers: Cybersecurity Is Not Just Technology Issue, It’s a Geopolitical Issue

Rogers Discusses Legislative Landscape on Cybersecurity, Rise of China at Cyberscoop’s CyberTalks

 WASHINGTON – Rep. Mike Rogers (R-Ala.), ranking member of the House Homeland Security Committee, today delivered the keynote address at Cyberscoop’s DC CyberTalks. His speech discussed the legislative landscape on cybersecurity issues, highlighting the threats China poses.

On China:

“We all know cybersecurity is not just a technology issue. It is a global, geopolitical issue. China, Russia, and other adversaries are seizing on our society’s commitment to openness, free speech, and innovation. Rather than build a competitive advantage, they’ve decided to steal one. China openly touts its plan to become the world’s premier power by brute force and outright theft…China is deliberately targeting emerging technology that has the potential to transform our society as part of its ‘Made in China 2025’ initiative. We clearly have a host of cybersecurity problems that need to be addressed to counter China, Russia, and other bad actors’ geopolitical ambitions.”

On CISA:

“One of the important moments in my career was when President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act…I believe that Director Chris Krebs is the right person to lead the agency and he is doing a great job. We couldn’t have gotten a better person…I will make sure it is the one voice for all federal government agencies. What does concern me is that other departments and agencies are creating their own cybersecurity offices. We can’t have multiple agencies undermining each other. Stovepiping isn’t the solution. Congress created CISA to be the lead for the federal government and we need to ensure that happens.”

On the Federal Cyber-workforce:

“Simply put, the government cannot compete with private sector pay and benefits. For instance, an entry level engineering salary at companies like Google, Facebook, and Microsoft starts above $150,000. A top-level Google engineer can make more than $600,000. There is no way the federal government can compete with these salaries. It’s time we start talking about pay reform for government workers in the cybersphere. We can’t address the multitude of problems I’ve outlined today if we don’t have a topnotch cyber-workforce.”

Rogers full remarks, as prepared for delivery:

It’s important that government officials and industry promote cybersecurity awareness. From large business to mom-and-pop stores, everyone is at danger of a malicious cyberattack if they aren’t aware of the latest efforts to harm them. 

I constantly worry that my local hardware store will be subject to an attack that forces them to close. I worry about a ransomware attack that shuts down my home county government of Calhoun, Alabama.

With the proper awareness, we, as government and industry officials, can prevent many of these harmful attacks. I thank you all for helping in this effort. Yet, cybersecurity can’t just be a once-a-year focus. 

We need to constantly educate the public on the dangers they face and reduce their vulnerabilities. Since cybersecurity isn’t limited to the month of October, it has been a major focus of my efforts at the Committee.

First, I want to acknowledge Rep. John Katko. He is the Ranking Member on the cyber subcommittee. He is doing tremendous work on the subcommittee and if you don’t know him, you should.

Rep. Katko and I have been focused on three major cyber issues at our Committee: CISA, critical infrastructure, and emerging technologies.  

One of the important moments in my career was when President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act.

Centralizing the federal government’s protection of critical infrastructure from physical and cyber threats into one office I believe will prove to be a wise decision.

With all new government agencies, making sure CISA is stood up correctly is important to its success. That is why I have been working closely with DHS to ensure this happens.

I believe that Director Chris Krebs is the right person to lead the agency and he is doing a great job. We couldn’t have gotten a better person.

While Director Krebs is working to stand up the agency and fulfill its mission, Congress also has a role to play in helping CISA. At this point, Congress and the executive branch should be doing everything we can to see that CISA is a well-oiled machine.

Part of that is staying out of the way until we need to get involved. Since I believe in the mission of CISA, I want to make sure it has the resources it needs to be successful. I will make sure it has the appropriations and human capital necessary to be the leader to thwart nation-states and dangerous hackers.

And I will make sure it is the one voice for all federal government agencies. What does concern me is that other departments and agencies are creating their own cybersecurity offices.

We can’t have multiple agencies undermining each other. Stovepiping isn’t the solution.

Congress created CISA to be the lead for the federal government and we need to ensure that happens. One issue that CISA is tackling right now is managing risks to our supply chain.

This is also a topic we are exploring at the Committee. Just last week we had an informative hearing on the vulnerabilities of our supply chain. I’m pleased CISA created the DHS Supply Chain Risk Management Task Force last year.

The task force is in the process of drawing up recommendations to identify and manage risk to the global information and communications technology supply chain.

The Task Force released an interim report and is expected to announce its full recommendations next year. I look forward to reading that report and acting if necessary.

 Another issue that both the Committee and CISA believe are important to tackle is securing our critical infrastructure. As we saw in the September attacks on Saudi Arabia, attacks on critical infrastructure are key pillars for nation states and terrorist organizations in their efforts to promote their agendas.

Our economy and way of life and economy run through our critical infrastructure every day. Congress and industry must do everything we can to secure our critical infrastructure and prevent deadly and costly attacks. Yet, there is no one-size-fits-all solution for industry.

What works for chemical security may not work for pipeline security. I’ve taken the approach of looking at the critical infrastructure ecosystem and working to ensure its resiliency against attacks. The federal government can’t do it alone. We need to work with industry to protect and harden this nation’s critical infrastructure from physical and cyberattacks.

Earlier this year, we passed an extension of the CFATS program. This is something we will have to deal with before it expires early next year. Our Committee passed a bill that I opposed. It sits in the Energy and Commerce Committee where it has little chance of moving in its current form. Senate Homeland Security Chairman Ron Johnson has his own views on CFATS.

In other words, its DOA.

And I know industry has its views on the program.

By using CFATS as an example, you can see this is a complex issue that isn’t easily solvable.

But the good news is we all have the same goal to harden and protect all critical infrastructure from attack.

I am ready to work with industry, my fellow Members of Congress, and the administration to ensure a Saudi-like attack does not occur on American soil. Emerging technologies present another daunting task.

If technology advanced in a reasonably slow and understandable fashion, then we probably wouldn’t be so concerned about attacks. But that’s not how technology works. It advances in leaps-and-bounds, not baby steps.

What is new and fast today, is obsolete and slow by next week.  These emerging technologies rapidly outpace the conversation on cybersecurity.

That makes securing technologies difficult. As I think about these technologies, I worry about our ability to prevent attacks.

AI, machine learning, 5G networks, and quantum computing are all coming to fruition. They represent great strides in human ingenuity.

But they also represent enormous security challenges. As industry and the federal government turn to these new developments, we must understand how they can be used against us.

And this is not just a civilian issue, it’s also effects the military. I sit on the Armed Services Committee and the military is exploring these technologies for both offensive and defense purposes.

I know I’ve said this already today, but industry and the federal government must work together on these security issues we face as new technologies come online.

But I implore you to not forget how these technologies affect the hardware stores and county offices in small town America.

Fortune 500 companies have the resources to throw at cybersecurity, but most small businesses don’t.

One of my top priorities this year has been to address the federal cyber-workforce shortage.

I’m not the first legislator to try to tackle this problem. We’ve seen proposals for pay reform, apprenticeships, and scholarships.

One thing the House did do this year in the NDAA was to creates a “Cybersecurity Defense Academy.” This pilot program will train veterans as cybersecurity personnel at DoD and I support its goal.

Yet, this proposal like all others, does not address the core workforce problem: competitive salaries. Simply put, the government cannot compete with private sector pay and benefits. For instance, an entry level engineering salary at companies like Google, Facebook, and Microsoft starts above $150,000. A top-level Google engineer can make more than $600,000.

There is no way the federal government can compete with these salaries.

It’s time we start talking about pay reform for government workers in the cybersphere. We can’t address the multitude of problems I’ve outlined today if we don’t have a topnotch cyber-workforce.

We all know cybersecurity is not just a technology issue.

It is a global, geopolitical issue.

China, Russia, and other adversaries are seizing on our society’s commitment to openness, free speech, and innovation.

Rather than build a competitive advantage, they’ve decided to steal one. China openly touts its plan to become the world’s premier power by brute force and outright theft.

We clearly have a host of cybersecurity problems that need to be addressed to counter China’s  geopolitical ambitions. We have begun to take steps to address them across the government. And the Trump Administration is taking threats from China seriously.

Entire sectors of our economy and nearly every part of our government is in China’s crosshairs. Technology that can’t be squeezed out of companies doing business in China is being deliberately poached from U.S. companies and universities.

FBI Director Christopher Wray said earlier this year that the FBI is actively investigating 1,000  cases of attempted IP theft in the United States, mostly involving China. By using the world’s rapid technological developments, the Communist party can control China like never before.

Big data is powering “social credit” monitoring to shame those who don’t support every party policy. Advances in machine learning are empowering the systematic extermination of the Uyghurs in western China. China is using facial recognition to detect ethnic minorities like the Uyghers and then systematically track them.

Our open social media platforms are now weapons for Chinese messaging, monitoring, and intelligence operations. These cybersecurity concepts are the primary means of geopolitical competition in the 21^st century.

Intelligence officials have warned public and private entities about telecommunications companies Huawei and ZTE and their ties to the Chinese Communist Party Committees. These companies have been directed to conduct surveillance and turn over heaps of data to the Chinese government on Chinese citizens and foreigners alike.

Beijing will use this power again and again. State-owned Chinese companies have systematically dominated manufacturing operations of critical components.

They also offer Chinese intelligence services access to all levels of the supply chain. China is also exploiting higher-education institutions that produce cutting-edge technology and research.

The Communist party is sending students and researchers to our institutions of higher education with a clear plan to steal U.S. research and engage in espionage.

At a Midwestern medical school, a Chinese researcher was arrested for economic espionage after he stole a patented cancer research compound. He also tried to delete proprietary research on the compound off the university’s computer server. If the Chinese government and its agents are willing to erase key cancer research, what else will they take?

We’ve seen these so-called academics target military intelligence, export-restricted research data, and other classified information. We cannot turn a blind eye to China’s growing exploitation of the open and collaborative nature of academic institutions. 

Last year the National Vetting Center was created to improve vetting on individuals seeking visa to work on high-value technologies in our country. We can do more to improve vetting of foreign students and scholars engaging in sensitive fields of study at U.S. institutions. 

China is also using technology and the size of its economy to export authoritarianism by attempting to censor speech abroad. These efforts were on full display earlier this month.

We saw the NBA capitulate to China after Houston Rocket’s general manager Daryl Morey tweeted support for the Hong Kong protests. In response to the tweet, the NBA issued press releases in both English and Chinese. In English, the league said it regretted that the tweet had offended people in China. In Chinese, the NBA said that it was “extremely disappointed” by Morey’s “inappropriate” tweet.

This isn’t the first time we’ve seen American companies get swept up in Chinese censorship. In Apple’s most recent iPhone software update, it removed the Hong Kong and Macau flag emojis in China. Apple has pulled apps from its store including one used by Hong Kong protestors to mark police locations and street closures.

Search providers like Google and Microsoft admit that they serve sanitized results to users in China. I’m concerned these companies have missed the point of economic engagement with China. Opening up China was supposed to put the forces of freedom and individualism in the driver’s seat.

 Instead, the Chinese government is using this openness to force outside companies to promote Chinese propaganda. We also must be concerned about the rise of wholly Chinese owned tech companies.

If you’re worried about what Facebook or Google is doing with your data, imagine what a platform under Beijing’s thumb would do with it. For instance, the Chinese-owned video-sharing app TikTok has been downloaded more than 1 billion times. China is already using TikTok to push its own agenda. If a user searches for “Hong Kong” on TikTok, you’ll find it conveniently ignores the ongoing protests.

China will continue to use apps like these as another tool to bring censorship to our shores. Ultimately, China is advancing all these efforts with the goal of global supremacy.

China is deliberately targeting emerging technology that has the potential to transform our society as part of its “Made in China 2025” initiative. We clearly have a host of cybersecurity problems that need to be addressed to counter China, Russia, and other bad actors’ geopolitical ambitions.

We have begun to take steps to address them across the government.

The Trump Administration is taking threats from China seriously. I applaud the president’s May executive order aimed at securing the information and communications technology supply chain.

I look forward to reviewing the Department of Commerce’s rules implementing this order in the coming weeks. The president is also using trade tools to try to extract concessions from China on these issues.

While free trade and open markets are the ideal, the Chinese government deliberately undermines global markets at our expense.  I encourage the president to continue to hold China’s feet to the fire until they seriously reform how they do business.

The cybersecurity challenges that I’ve outlined today span across borders, governments, and private entities. Collaboration and a “whole-of-society” approach is necessary to address the host of cyber-vulnerabilities our rivals present. It also requires bipartisan cooperation in Congress.

 I am ready and willing to partner with anyone who shares the desire to pushback against China and other adversaries, to protect not only America’s place as an innovator and global leader, but the ideals of liberty, freedom and democracy.

 

###