[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]



                 GLOBAL NETWORKS AT RISK: SECURING THE
                FUTURE OF COMMUNICATIONS INFRASTRUCTURE

=======================================================================





                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON COMMUNICATIONS AND
                               TECHNOLOGY

                                 OF THE

                         COMMITTEE ON ENERGY AND
                                COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED NINETEENTH CONGRESS

                             FIRST SESSION
                               __________

                             APRIL 30, 2025
                               __________

                           Serial No. 119-17




               [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




     Published for the use of the Committee on Energy and Commerce

                   govinfo.gov/committee/house-energy
                        energycommerce.house.gov                                              
                                 ______

                   U.S. GOVERNMENT PUBLISHING OFFICE 

60-348 PDF                 WASHINGTON : 2025                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                             
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                        
                    COMMITTEE ON ENERGY AND COMMERCE

                        BRETT GUTHRIE, Kentucky
                                 Chairman
ROBERT E. LATTA, Ohio                FRANK PALLONE, Jr., New Jersey
H. MORGAN GRIFFITH, Virginia           Ranking Member
GUS M. BILIRAKIS, Florida            DIANA DeGETTE, Colorado
RICHARD HUDSON, North Carolina       JAN SCHAKOWSKY, Illinois
EARL L. ``BUDDY'' CARTER, Georgia    DORIS O. MATSUI, California
GARY J. PALMER, Alabama              KATHY CASTOR, Florida
NEAL P. DUNN, Florida                PAUL TONKO, New York
DAN CRENSHAW, Texas                  YVETTE D. CLARKE, New York
JOHN JOYCE, Pennsylvania, Vice       RAUL RUIZ, California
  Chairman                           SCOTT H. PETERS, California
RANDY K. WEBER, Sr., Texas           DEBBIE DINGELL, Michigan
RICK W. ALLEN, Georgia               MARC A. VEASEY, Texas
TROY BALDERSON, Ohio                 ROBIN L. KELLY, Illinois
RUSS FULCHER, Idaho                  NANETTE DIAZ BARRAGAN, California
AUGUST PFLUGER, Texas                DARREN SOTO, Florida
DIANA HARSHBARGER, Tennessee         KIM SCHRIER, Washington
MARIANNETTE MILLER-MEEKS, Iowa       LORI TRAHAN, Massachusetts
KAT CAMMACK, Florida                 LIZZIE FLETCHER, Texas
JAY OBERNOLTE, California            ALEXANDRIA OCASIO-CORTEZ, New York
JOHN JAMES, Michigan                 JAKE AUCHINCLOSS, Massachusetts
CLIFF BENTZ, Oregon                  TROY A. CARTER, Louisiana
ERIN HOUCHIN, Indiana                ROBERT MENENDEZ, New Jersey
RUSSELL FRY, South Carolina          KEVIN MULLIN, California
LAUREL M. LEE, Florida               GREG LANDSMAN, Ohio
NICHOLAS A. LANGWORTHY, New York     JENNIFER L. McCLELLAN, Virginia
THOMAS H. KEAN, Jr., New Jersey
MICHAEL A. RULLI, Ohio
GABE EVANS, Colorado
CRAIG A. GOLDMAN, Texas
JULIE FEDORCHAK, North Dakota

                                 ------                                

                           Professional Staff

                     MEGAN JACKSON, Staff Director
                SOPHIE KHANAHMADI, Deputy Staff Director
               TIFFANY GUARASCIO, Minority Staff Director
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
                                      
               
               
               
               
               
               
               
               
               
               
               
               
             Subcommittee on Communications and Technology

                     RICHARD HUDSON, North Carolina
                                 Chairman
RICK W. ALLEN, Georgia, Vice         DORIS O. MATSUI, California
  Chairman                             Ranking Member
ROBERT E. LATTA, Ohio                DARREN SOTO, Florida
GUS M. BILIRAKIS, Florida            YVETTE D. CLARKE, New York
EARL L. ``BUDDY'' CARTER, Georgia    RAUL RUIZ, California
NEAL P. DUNN, Florida                SCOTT H. PETERS, California
JOHN JOYCE, Pennsylvania             DEBBIE DINGELL, Michigan
RUSS FULCHER, Idaho                  ROBIN L. KELLY, Illinois
AUGUST PFLUGER, Texas                NANETTE DIAZ BARRAGAN, California
KAT CAMMACK, Florida                 TROY A. CARTER, Louisiana
JAY OBERNOLTE, California            ROBERT MENENDEZ, New Jersey
ERIN HOUCHIN, Indiana                GREG LANDSMAN, Ohio
RUSSELL FRY, South Carolina          JENNIFER L. McCLELLAN, Virginia
THOMAS H. KEAN, Jr., New Jersey      KATHY CASTOR, Florida
CRAIG A. GOLDMAN, Texas              FRANK PALLONE, Jr., New Jersey (ex 
JULIE FEDORCHAK, North Dakota          officio)
BRETT GUTHRIE, Kentucky (ex 
    officio)
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
















    
                             C O N T E N T S

                               ----------                              
                                                                   Page
Hon. Richard Hudson, a Representative in Congress from the State 
  of North Carolina, opening statement...........................     1
    Prepared statement...........................................     4
Hon. Doris O. Matsui, a Representative in Congress from the State 
  of California, opening statement...............................    10
    Prepared statement...........................................    12
Hon. Brett Guthrie, a Representative in Congress from the 
  Commonwealth of Kentucky, opening statement....................    14
    Prepared statement...........................................    16
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, opening statement.........................    22
    Prepared statement...........................................    24

                               Witnesses

Tom Stroup, President, Satellite Industry Association............    26
    Prepared statement...........................................    29
David Stehlin, Chief Executive Officer, Telecommunications 
  Industry Association...........................................    37
    Prepared statement...........................................    39
    Answers to submitted questions...............................   121
Jamil N. Jaffer, Founder and Executive Director, National 
  Security Institute, George Mason University Scalia Law School..    45
    Prepared statement...........................................    47
    Answers to submitted questions...............................   124
Laura Galante, Former Director, Cyber Threat Intelligence 
  Integration Center, Office of the Director of National 
  Intelligence...................................................    65
    Prepared statement...........................................    68
    Answers to submitted questions...............................   129

                           Submitted Material

Inclusion of the following was approved by unanimous consent.
List of documents submitted for the record.......................   112
Letter from Ali Sheikh, Chief Product Officer, Graphiant, to Mr. 
  Hudson, et al..................................................   113
Article of March 24, 2025, ``China Unveils Game-Changing Weapon 
  That Could Decide Future Wars,'' by Micah McCartney, Newsweek..   115
Letter of April 30, 2025, from Mr. Pfluger, et al., to Brendan 
  Carr, Chairman, Federal Communications Commission..............   117

 
                  GLOBAL NETWORKS AT RISK: SECURING THE
                   FUTURE   OF  COMMUNICATIONS   INFRA- 
                   STRUCTURE

                              ----------                              

                       WEDNESDAY, APRIL 30, 2025

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m., in 
room 2322, Rayburn House Office Building, Hon. Richard Hudson 
(chairman of the subcommittee) presiding.
    Members present: Representatives Hudson, Allen, Latta, 
Bilirakis, Carter of Georgia, Dunn, Joyce, Fulcher, Pfluger, 
Obernolte, Fry, Kean, Goldman, Fedorchak, Guthrie (ex officio), 
Matsui (subcommittee ranking member), Soto, Clarke, Peters, 
Dingell, Barragan, Carter of Louisiana, Menendez, Landsman, 
McClellan, Castor, and Pallone (ex officio).
    Staff present: Sydney Greene, Director, Finance and 
Logistics; Kate Harper, Chief Counsel, Communications and 
Technology; Brittany Havens, Chief Counsel, Oversight and 
Investigations; Megan Jackson, Staff Director; John Lin, Senior 
Counsel, Communications and Technology; Sarah Meier, Counsel 
and Parliamentarian; Elaina Murphy, Professional Staff Member, 
Communications and Technology; Dylan Rogers, Professional Staff 
Member; Emma Schultheis, Clerk, Health; and Kaley Stidham, 
Press Assistant; Hannah Anton, Minority Policy Analyst; Keegan 
Cardman, Minority Staff Assistant; Parul Desai, Minority Chief 
Counsel, Communications and Technology; Tiffany Guarascio, 
Minority Staff Director; Dan Miller, Minority Professional 
Staff Member; Michael Scurato, Minority FCC Detailee; and 
Johanna Thomas, Minority Counsel.
    Mr. Hudson. The subcommittee will come to order.
    The Chair recognizes himself for an opening statement.

       OPENING STATEMENT OF HON. RICHARD HUDSON, A REP- 
        RESENTATIVE IN CONGRESS FROM THE STATE OF NORTH
        CAROLINA

    Good morning. Welcome to today's subcommittee hearing on 
``Global Networks at Risk: Securing the Future of 
Communications Infrastructure.'' This topic has never been more 
pressing. The United States is home to the world's leading 
companies and innovators who are driving the development of 
cutting-edge technologies, like artificial intelligence, the 
Internet of Things, and next-generation wireless technologies. 
These innovations are critical not just to our economy but the 
future of global connectivity.
    Communications are also central to our national defense. 
This is a top of mind for me, especially as the Representative 
of Fort Bragg, home of the U.S. Army Special Forces and largest 
military base in the world. Connectivity and secure 
communication networks are vital to maintaining our defense 
capabilities and keeping our Nation safe.
    Today, we rely on communications infrastructure in nearly 
every sector of our economy. As Americans become more 
connected, it is increasingly important the equipment we buy, 
the networks we rely on are secure, resilient, and protected 
from malicious actors.
    Unfortunately, the security of these networks is under 
threat. The Chinese Communist Party, for example, has been 
investing heavily to develop unsecure communications equipment 
and export it around the world to assist in their espionage 
activities, including in the United States. The known 
vulnerabilities in many technologies produced by foreign 
adversaries pose a direct threat to the national security of 
the United States.
    Last fall, we learned about Salt Typhoon, which may be the 
largest Chinese-backed telecommunications hack in our Nation's 
history. These hackers infiltrated U.S. telecommunications 
companies' networks impacting at least nine providers. This 
infiltration enabled the hackers to geolocate millions of 
individuals and record phone calls and impacted senior U.S. 
officials, including then-President-elect Trump and Vice 
President-elect Vance.
    In addition to these vulnerabilities, there are an 
increasing number of physical attacks on communications 
infrastructure, such as undersea cables. These cables are 
responsible for carrying data traffic across oceans and are 
susceptible to damage by the elements and unintentional acts, 
such as anchors dragging along the sea floor. But they have 
also been intentionally sabotaged, and because of their 
physical location under the ocean, it can be difficult to 
monitor unauthorized access to these cables.
    We must take decisive steps to address these threats. I was 
proud to support funding for the Secure and Trusted 
Communications Network Reimbursement Program, which will 
support the removal of the remaining Chinese equipment in our 
communications networks.
    Another key aspect of securing our communications 
infrastructure is the review of foreign investments in U.S. 
networks. Team Telecom is an interagency working group that 
reviews foreign investments in certain communications 
applications that come before the FCC. Team Telecom assesses 
the national security risks, law enforcement, and other policy 
considerations that may be associated with such investments. 
While this process is important, applications often get bogged 
down by delays and bureaucratic hurdles. We must find ways to 
make sure the national security concerns are addressed without 
hindering deployment.
    Satellite technology also plays an increasingly important 
role in our communications infrastructure. Satellites provide 
broadband services as well as mission-critical services to 
critical infrastructure companies and the Federal Government. 
Yet, the regulations governing the satellite operations have 
not kept pace with the growth in the industry.
    Last Congress, this committee led bipartisan legislation to 
streamline regulatory processes for satellite operators, and 
the Federal Communications Commission adopted many of those 
reforms. But more work remains to provide clarity and more 
certainty in the licensing process to ensure the U.S. remains a 
leader in this sector as well.
    We must meet these challenges head on. Innovation has 
provided untold benefits to Americans and to our economy. I 
look forward to hearing from the witnesses today about these 
issues.
    [The prepared statement of Mr. Hudson follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hudson. I now recognize the ranking member, Doris 
Matsui, for her opening statement. You are recognized.

      OPENING STATEMENT OF HON. DORIS O. MATSUI, A REP-
       RESENTATIVE IN CONGRESS FROM  THE STATE OF CALI-
       FORNIA

    Ms. Matsui. Thank you very much, Mr. Chairman.
    Today's hearing comes on the heels of Salt Typhoon, one of 
the worst hacks of U.S. history. Salt Typhoon is a wakeup call 
that drives home the vulnerabilities in our communications 
networks. These networks are the backbone of modern life, 
connecting us to businesses, public safety, healthcare, 
education, and communities. That is what makes them such a ripe 
target for attack by malicious actors, and why we must 
strengthen how we protect this critical infrastructure.
    Yet, I fear that we are moving backwards as the Trump 
administration won't even own up to its own pattern of security 
failures. President Trump is defending the indefensible, 
rallying behind the blunders of his Secretary of Defense, who 
leaked classified war plans to his wife and brother over an 
unsecured Signal chat. Likewise, he is standing blindly by his 
National Security Advisor and countless other senior officials 
who use Signal and personal Gmail accounts to conduct sensitive 
Government business.
    The Trump administration is handing highly sensitive data 
to deeply unserious people who can't be bothered to follow the 
law or basic common sense when it comes to protecting 
cybersecurity and keeping sensitive information safe. The world 
is watching. Bad actors are ready to take advantage of this 
administration's gross incompetence.
    In Congress, my Republican colleagues talk tough about 
protecting America against foreign adversaries, but talk is 
cheap. Their refusal to hold the Trump administration 
accountable despite serious security breaches speaks volumes. 
Republicans are also staying silent as President Trump slashes 
our Federal cyber workforce, gutting our Nation's capability to 
prepare for and respond to attacks on our critical 
infrastructure.
    As one of his earliest acts in office, President Trump 
disbanded the Cyber Safety Review Board, leaving in limbo our 
investigation into the largest telecommunications hack in U.S. 
history. Instead, Salt Typhoon remains active as this 
administration jeopardizes our Government's ability to assess 
the damage and work on solutions.
    As President Trump is wreaking havoc on our critical 
communications infrastructure with his destructive tariffs, 
rather than boosting U.S. companies, his tariffs have driven up 
cost and damaged supply chains at exactly the wrong time. 
Meanwhile, Democrats have been working diligently to increase 
network safety and protect American's information.
    As coauthor of the Secure and Trusted Communications 
Network Act, I have been a staunch advocate of securing our 
network supply chain. Last Congress, we secured the last $3 
billion to fully fund the Rip-and-Replace Program and remove 
vulnerable Chinese equipment from our telecommunications 
infrastructure. I urge our agencies to ensure smooth and timely 
completion of this national security imperative.
    I have been dedicated to advancing innovations such as open 
radio access networks, or open RAN, to bolster our supply chain 
diversity. And earlier this week, the FUTURE Networks Act 
passed the House. This bill would bring the brightest minds 
across industry, academia, and government to collaborate on the 
development of our next-generation wireless technologies, 
including identifying supply chain and cybersecurity 
vulnerabilities so that we can more effectively prevent them.
    These are important steps to strengthen network security, 
and we must build on this work as America faces growing cyber 
threats. This is not the time for inaction. I urge my 
Republican colleagues to speak up and hold the administration 
accountable for security failures. We must work on bipartisan 
solutions to secure our communications networks as our 
subcommittee has historically done.
    I look forward to hearing from our witnesses on how we can 
proactively protect against future attacks.
    [The prepared statement of Ms. Matsui follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Ms. Matsui. And with that, I yield the balance of my time.
    Mr. Hudson. Thank you.
    I now recognize the chairman of the full committee, the 
gentleman from Kentucky, for 5 minutes for his opening 
statement.

        OPENING STATEMENT OF HON. BRETT GUTHRIE, A REP-
         RESENTATIVE IN CONGRESS  FROM THE COMMONWEALTH
         OF KENTUCKY

    Mr. Guthrie. Thank you. Thank you, Chair Hudson. I 
appreciate the opportunity to be here for this important 
hearing.
    Americans are connected to internet in nearly every aspect 
of their daily lives. Whether it is work, staying in touch with 
loved ones, or receiving healthcare, reliable connectivity is 
essential. The underlying communications infrastructure is what 
allows Americans in businesses of all sizes to utilize the many 
digital services that have redefined our economy in society. 
And while reliable access is important, it must also be secure. 
That is why today's hearing is very important.
    Sophisticated cyber actors, specifically the governments of 
China, Russia, North Korea, and Iran, directly engage in 
activities aimed at infiltrating our critical infrastructure, 
especially our communications networks. These state adversaries 
and other malicious cyber actors continuously seek to exploit 
weaknesses in our networks, not only to steal sensitive data 
and commit fraud against Americans, but they also stand to gain 
sensitive business and government information as they seek to 
establish footholds for surveillance in future exploitation.
    We have seen these efforts play out in recent attacks. We 
only have to point back to October when Chinese hackers 
breached the American court wiretap system. Our adversaries 
could also have the capability to cut off our communication 
services altogether, and think about how disruptive and 
devastating that would be for society.
    Our networks are vulnerable to physical disruptions. For 
instance, fiber cuts can take months to repair, depending on 
where they are located, and if we are talking about subsea 
cables that are isolated in the ocean, these cuts could 
interrupt international data flows and result in degraded 
service for millions of people over an extended period of time, 
given the relative difficulty of repair.
    Increasingly, satellite-provided services are being used to 
help close the digital divide and provide positioning 
navigation and timing data for government and private-sector 
uses. Foreign adversaries, again, like China and Russia, are 
reportedly developing antisatellite capabilities, which would 
cause serious disruption to critical services.
    And in the case of GPS, a satellite-provided service, we 
have very few alternatives. Disruption to these critical 
communication services has the potential to cause chaos here in 
the homeland and reverberate throughout the economy. It could 
also give our adversaries the ability to disrupt American 
military mobilization in the event of conflict or attack.
    Securing our communications systems from bad actors has 
been a longstanding priority--bipartisan priority of this 
committee and is essential to preserving our national economic 
security. This committee led the effort to rip and replace 
untrusted vendor equipment from our mobile networks by passing 
the Secure and Trusted Communications Networks Act. We built on 
these efforts by passing USA Telecommunications Act in 2020 to 
foster a more competitive market for trusted equipment vendors 
by promoting open RAN technology. More work remains to protect 
our critical infrastructure and harden these essential services 
against adversarial threats.
    Thank you to the witnesses for your participation. I look 
forward to hearing from you about how to protect our 
communications infrastructure and ensure that the U.S. is 
prepared to defend against the CCP and any other adversaries. I 
really appreciate you all being here today, and I look forward 
to the discussion.
    [The prepared statement of Mr. Guthrie follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Guthrie. And with that, Mr. Chairman, I will yield 
back.
    Mr. Hudson. The gentleman yields back.
    I will now recognize the gentleman from New Jersey, the 
ranking member, for 5 minutes for your opening statement.

    OPENING STATEMENT OF HON. FRANK PALLONE, Jr., A REP-
     RESENTATIVE IN CONGRESS FROM  THE STATE OF NEW JER-
     SEY

    Mr. Pallone. Thank you, Mr. Chairman.
    While today's discussion is important and timely, I am 
worried that my Republican colleagues are failing to even 
acknowledge the unprecedented and troubling actions of the 
Trump administration that are putting our national security at 
risk. Defending our telecommunications infrastructure from our 
foreign adversaries and other bad actors is critically 
important. On a daily basis, our Nation's telecommunications 
networks carry enormous amounts of data that not only include 
our most personal information but also sensitive Government 
materials that any foreign nation would love to digest.
    And late last year, we learned that SAC--no, Salt Typhoon, 
I am sorry, that Salt Typhoon, a cyber espionage operation 
backed by China, infiltrated several American 
telecommunications networks to gain access to detailed 
information on President Trump, former Vice President Harris, 
other political figures, and American surveillance information.
    And that is why it is so disturbing to watch as the Trump 
administration has mishandled sensitive national security 
information. In one of the worst security failures in decades, 
Defense Secretary Hegseth last month shared highly sensitive 
war plans on Signal, an unofficial and unsecure messaging app. 
The unsecure group chat was created by National Security 
Advisor Waltz, and he inadvertently included a reporter in the 
chat. Hegseth also shared this same information in a separate 
chat with some family members.
    Now, this reckless conduct put the lives of our American 
troops at risk, in my opinion. If any adversary got access to 
these messages, they could have shut down--or they could have 
shot down American planes or targeted American ships. And yet 
Secretary Hegseth continues to lead the Department of Defense. 
I don't know for how long, but it is an outrage, and shows that 
the administration doesn't take these threats very seriously.
    And this is on top of the fact that Elon Musk and his DOGE 
minions are being given access, often unauthorized, to 
sensitive information and undermining American's security on a 
daily basis, and that could include our nuclear secrets. Musk 
and DOGE are also haphazardly and indiscriminately cutting and 
slashing important Government programs and experienced public 
servants, which is weakening our country, without any pushback 
from congressional Republicans.
    And while President Trump likes to act tough against China, 
he is blatantly violating Congress' bipartisan TikTok 
legislation and continuing to allow the Chinese Communist Party 
to compromise American devices, harvest American's data, 
promote pro-Communist propaganda, and undermine American 
interests.
    So securing our country's telecommunication networks and 
infrastructure is serious business, but the Trump 
administration is not taking the task seriously. Imposing 
arbitrary tariffs on telecommunications equipment and ships 
that are vital to enhancing the safety and security of our 
networks one day and then pausing them the next day is only 
causing chaos and confusion. The administration's actions are 
increasing the chances that our foreign adversaries and others 
attempt even larger-scale attacks on our telecommunications 
networks, which no one wants to see.
    Despite President Trump's recklessness and my Republican 
colleagues' silence, today's hearing topic underpins a 
significant part of the American economy. From healthcare to 
energy to public safety, nearly every facet of American life 
relies on our Nation's telecommunications networks and 
infrastructure. And while the innovations and advancements that 
these networks enable us to do are remarkable, it also makes 
them and the devices that run on top of them targets.
    So this will only increase as more devices in our homes are 
connected. If cars, television, home security systems, and more 
are connected to the internet, they are vulnerable to attacks. 
The reality means that our homes can now be attacked without 
anyone touching a single door or window.
    So it is imperative that we understand the vulnerabilities 
and risks our networks and devices face to better protect our 
country and consumers from attack, and to keep up with the 
rapidly evolving technological landscape our Nation faces.
    And I urge my Republican colleagues to stop these 
irresponsible budget reconciliation plans as well. Rather than 
using spectrum auction proceeds to fund giant tax breaks to 
American billionaires and big corporations, we should use the 
proceeds from spectrum to help fund Next Generation 9-1-1, 
which will enhance the safety of our energy networks and save 
countless American lives.
    The Trump administration must also stop delaying sending 
States their funds from the BEAD Program. These funds will 
ensure reliable connectivity across the country, which is 
crucial for our national security and economic prosperity. The 
only person who benefits from these delaying tactics is Elon 
Musk, who is trying to get taxpayer money funneled to his 
Starlink service.
    So I look forward, Mr. Chairman, to hearing from today's 
witnesses, and I do think this is an important hearing about 
our telecommunication infrastructure and devices.
    [The prepared statement of Mr. Pallone follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Pallone. Thank you, Mr. Chairman. I yield back.
    Mr. Hudson. Thank you.
    We have now concluded with Member opening statements. The 
Chair reminds Members that, pursuant to the committee rules, 
all Members' opening statements will be made part of the 
record.
    We would like to thank our witnesses for being here today 
to testify before this subcommittee. Our witnesses will have 5 
minutes to provide an opening statement, which will be followed 
by a round of questions from the members.
    The witnesses here before us today are Tom Stroup, 
president of the Satellite Industry Association; David Stehlin, 
chief executive officer, Telecommunications Industry 
Association; Jamil `` Ja-far`''--or ``Jaff-er.'' Jaffer, I 
apologize--founder and executive director, National Security 
Institute; and Laura Galante, former intelligence community 
cyber executive and Director, Cyber Threat and Intelligence 
Integration Center, Office of the Director of National 
Intelligence.
    Mr. Stroup, you are recognized for 5 minutes for your 
opening statement.

      STATEMENTS OF TOM STROUP, PRESIDENT,  SATELLITE IN- 
       DUSTRY ASSOCIATION; DAVID STEHLIN, CHIEF EXECUTIVE
       OFFICER, TELECOMMUNICATIONS INDUSTRY  ASSOCIATION;
       JAMIL N. JAFFER,  FOUNDER  AND EXECUTIVE DIRECTOR,
       NATIONAL SECURITY INSTITUTE,  GEORGE MASON UNIVER- 
       SITY SCALIA LAW SCHOOL;  AND LAURA GALANTE, FORMER
       DIRECTOR,  CYBER THREAT  INTELLIGENCE  INTEGRATION
       CENTER,  OFFICE OF THE DIRECTOR OF NATIONAL INTEL-
       LIGENCE

                    STATEMENT OF TOM STROUP

    Mr. Stroup. Chairman Hudson, Ranking Member Matsui, 
Chairman Guthrie, Ranking Member Pallone, and distinguished 
members of the subcommittee, thank you for inviting me to 
testify before you today. I am Tom Stroup, president of the 
Satellite Industry Association.
    Satellites are the backbone of modern society. We rely on 
them for communications, position navigation and timing, and 
remote sensing across the globe. Satellites provide critical 
services to hundreds of millions of Americans and billions of 
people around the world every day. The companies represented by 
SIA are poised to provide resilient services in any situation 
to empower U.S. leadership and support U.S. citizens and allies 
in an interconnected and contested world.
    We are at a time of tremendous innovation in the space 
industry with over 12,000 active satellites on orbit today and 
plans for tens of thousands more through the end of the decade. 
Satellite services support all 16 critical infrastructures, 
including through communications for emergency services, 
position navigation and timing for agriculture, resilience for 
global telecommunications, and remote sensing data to improve 
our national security.
    Satellites are the fastest way to connect the unconnected, 
with multiple American companies providing high-speed internet 
and more launching in the near future. The satellite industry 
provides FCC-defined broadband service today across the globe 
and is ready to bring the Nation into an interconnected future 
as a backbone for 5G, IoT, and AI technologies.
    In addition, satellites play a critical role in preparation 
response and recovery from natural disasters, electrical 
outages, and terrorist attacks. Remote sensing data and 
analytics can help pinpoint and quantify initial damage 
assessments in the immediate aftermath of a disaster. Synthetic 
aperture radio satellites can see through clouds and allow the 
mapping of damaged regions when storms are still overhead. 
Furthermore, unlike terrestrial communications counterparts, 
satellite networks are not susceptible to damage from such 
disasters because the primary repeaters are on board the 
spacecraft and not part of the ground infrastructure.
    In addition to the benefit of having its primary 
infrastructure in space, many communications satellite 
operators provide customer connectivity through multi-orbit 
services. These services marry the low latency of LEO systems 
with the ability of GEO systems to deliver large amounts of 
capacity in high-traffic areas. While both GEO and non-GEO 
systems have the ability to provide large amounts of capacity, 
the combined solutions offer the best of both systems, 
enhancing the resiliency and reliability of services.
    Another recent development furthering network resiliency is 
the deployment of direct-to-device mobile satellite 
connectivity led through major partnerships between satellite 
operators and both wireless carriers and manufacturers, which 
greatly expand the range of communications available to mobile 
customers.
    The satellite industry today is investing continuously to 
ensure it can address the challenges of the future and to make 
its technologies available to every American. Satellite 
companies are working to optimize the use of spectrum by 
investing in high-throughput satellites and flexible software-
defined payloads that allow for instantaneous reallocation of 
spectrum resources and the mitigation of harmful interference. 
Satellite system operators are continuing to invest in network 
cybersecurity, including using AI for vulnerability testing. 
Launch costs have also declined dramatically, providing 
opportunities for rapid replenishment of satellite 
constellations.
    While the U.S. has long led the space sector, China is 
closing the gap with similar investments in space technologies 
that will challenge our national security community while also 
undermining democracy around the globe. It is critical for 
Congress to support continued domestic innovation and avoid 
regulations that put U.S. providers on an unequal playing field 
internationally.
    Our members are dedicated to advancing the national 
interests, ensuring competitiveness of satellite companies in 
the U.S. and globally, and driving progress for the benefit of 
all Americans.
    In furtherance of these goals, we have five priorities: 
Number one, promote American space innovation through 
streamlined regulations without unnecessary red tape and 
bureaucracy; two, lead standards development internationally; 
third, enact effective space debris policies and rigorously 
advocate for adoption of similar policies in other countries 
and in international fora; fourth, streamline space system 
procurement for greater efficiency in government acquisition; 
and finally, spur development in investment through access to 
sufficient spectrum resources.
    I appreciate the opportunity to appear before you today on 
behalf of the satellite industry, and I look forward to your 
questions.
    [The prepared statement of Mr. Stroup follows:]
   
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hudson. Thank you.
    Mr. Stehlin, you are recognized for 5 minutes for your 
opening statement.

                   STATEMENT OF DAVID STEHLIN

    Mr. Stehlin. Chairman Hudson, Vice Chair Allen, Ranking 
Member Matsui, and members of the subcommittee, my name is Dave 
Stehlin. I am the CEO of TIA, the Telecommunications Industry 
Association, and I appreciate the opportunity to speak about 
this important subject: Securing the future of 
telecommunications infrastructure so that Americans can depend 
on trusted, secure, resilient, high-speed networks.
    For more than 85 years, TIA has, with our 400-member 
organizations, developed technical and process improvement 
standards and advanced new technologies that drive our economy 
and improve the lives of our citizens. TIA's current standards 
cover a wide range of areas, including data center 
infrastructure, cell tower structures, structured cabling, 
public safety and emergency responder radios, hearing aid 
compatibility with mobile devices, telecom quality management, 
and our most recent focus on cyber and supply chain security.
    We are a technology-agnostic organization, meaning that we 
support all wire line, wireless, and satellite-trusted 
technologies. In short, TIA has nearly a century of experience 
in ensuring that communications networks are built efficiently 
and resiliently with trusted suppliers.
    I have been the CEO of TIA for the past 5-plus years and 
have run both publicly traded and venture-backed telecom 
technology companies for the past 40 years. I have seen 
tremendous change in technology improvement, but I also 
recognize that security improvements always lag behind 
technology advancements. I have experienced firsthand how 
state-owned entities like Huawei operate on a global stage 
undermining a competitive market of trusted ICT vendors.
    As a graduate of the Naval Academy and former Marine 
officer, I take national security very seriously, and I 
understand that the national security threat posed by entities 
controlled by our adversaries can cause dramatic and 
significant, long-lasting effects to our communications 
networks.
    Every type of critical infrastructure, from electrical grid 
to water systems to emergency responders to the internet, all 
use similar information communications technologies and 
systems. Potential vulnerabilities in these systems have a 
broad impact due to the unique role played by communications 
networks in our infrastructure. Every one of CISA's 16 
identified critical infrastructures uses fundamental ICT 
networks.
    Network attacks come from many directions, including state-
sponsored enemies, criminals, and terrorists. And while the 
attack possibilities are endless, we must have a defense in 
depth, which starts with supply chain security. We must ensure 
that the products and services that make up our networks are 
coming from trusted suppliers who can demonstrate that security 
is designed in. We must verify before trusting.
    All of this is critical to the success of building trusted, 
resilient, and secure global networks. In this context, subsea 
cable systems are an area of growing concern. Across the globe, 
nefarious actors are increasingly disrupting networks by 
cutting cables and damaging the points where the cables come 
ashore. These subsea cable systems carry more than 99 percent 
of internet traffic across the continents, and more than $10 
trillion of financial transactions. These cables are 
irreplaceable backbones of the global internet, and while 
satellite communications plays an integral role in our 
networks, the data capacities of subsea cables cannot be 
overstated.
    Of course, in addition to these physical threats to our 
communication networks is the fundamental threat from untrusted 
software, hardware, and suppliers. As network architectures 
continue to advance and become more complex, the potential 
attack surface grows and expands as well. This gives bad 
actors, including those who are state sponsored by foreign 
adversaries, such as the CCP, more targets, for example, the 
recent Salt Typhoon attack.
    The U.S. Government has a long and bipartisan recognition 
of the supply chain threat vulnerabilities posed to our 
Nation's infrastructure. The industry recognizes this, and that 
is one of the reasons we at TIA initiated and developed the 
industry's first supply chain security standard, SCS 9001, 
about 3 years ago. This standard was designed with input from 
our members and both the U.S. Government and trusted allied 
governments, and aligns and operationalizes the NIST 
Cybersecurity Framework, the Prague Principles, and many other 
guidelines.
    SCS 9001 is a supply chain security management system 
intended to define and measure the requirements and controls 
for the design, development, production, and operations of ICT 
products and services. This is an effort that reaches beyond 
our domestic infrastructure, and TIA has been working with the 
Department of Commerce and the Department of State to help 
allied countries build trusted, wireless fiber and satellite 
networks.
    We appreciate the leadership that this committee brings us 
and has demonstrated by holding this hearing, and I would like 
to thank you for your time.
    [The prepared statement of Mr. Stehlin follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hudson. Thank you.
    Mr. Jaffer, you are recognized for 5 minutes for an opening 
statement.

                  STATEMENT OF JAMIL N. JAFFER

    Mr. Jaffer. Chairman Hudson, Ranking Member Matsui, members 
of the subcommittee, thank you for inviting me here today to 
discuss the threats facing our global networks and the 
telecommunications infrastructure of our Nation, its allies, 
and its partners. I want to thank the chairman and the ranking 
member for holding this hearing, particularly given the major 
threats that we face today against our global 
telecommunications infrastructure from China, Russia, Iran, and 
North Korea.
    While recent reports have come to light about the major 
hacks of the United States telecommunications infrastructure 
and the deployment of destructive capabilities within our 
infrastructure by China, these are only a small part of a much 
larger effort architected by our adversaries. These adversaries 
include not just the Nations of China, Russia, Iran, and North 
Korea but their proxies as well.
    And they are aimed not just at collecting information and 
intelligence on the American government and our Federal 
policies and priorities but on our citizens, and putting in 
place capabilities that if they decide to use could take down 
significant parts of our financial system, our energy 
infrastructure, and the like. And, of course, our entire Nation 
and all of its capabilities, including the modern AI 
revolution, runs on top of the global telecommunications 
infrastructure that we are talking about today.
    And so, while our hearing today is focused on this global 
infrastructure, we need to think about it in the context of two 
major issues: the larger national security and economic 
competition with China and its key economic and technological 
elements, and the increasing and robust collaboration between 
China, Russia, Iran, and North Korea.
    We know--the Director of National Intelligence told us that 
China presents the most comprehensive and robust military 
threat to U.S. national security, with a joint force capable of 
full-spectrum warfare. This is true in the cyber domain as 
well, where the Director of National Intelligence told us that 
China remains the most active and persistent cyber threat to 
the U.S. Government, private sector, and critical 
infrastructure networks, and that China has demonstrated the 
ability not just to compromise U.S. infrastructure with those 
formidable cyber capabilities but also that has the ability to 
conduct destructive and disruptive activities. And this is 
where Volt Typhoon and Salt Typhoon come into play.
    Now, none of this is particularly new when it comes to 
China. Since at least 2019, we have known that the Director of 
National Intelligence told us that China is improving its cyber 
attack capabilities and that it had the ability back in 2019--6 
years ago--to launch cyber attacks that could cause localized 
temporary disruptions and disruptive effects on our critical 
infrastructure, including the disruption of natural gas 
pipelines for days to weeks. That was 6 years ago.
    And so we think about what their capabilities look like 
today, and we realize that this threat is much larger and much 
more significant than we think. And so let's talk about one 
particular example of how this plays out. We look at the Salt 
Typhoon hacks of the U.S. telecommunications infrastructure. In 
that effort, the FBI has told us that China targeted commercial 
telecommunications infrastructure and had a broad and 
significant cyber espionage campaign. They have compromised 
networks at multiple telecommunications companies--the chairman 
mentioned nine of them--to enable the theft of customer call 
records, the compromise of private communications, actual 
content on a number of individuals, while primarily focusing on 
U.S. Government and political activity, and the copying of 
information subject to U.S. law enforcement requests.
    Let me say it again: The Chinese Government was able to 
hack not just our call records, not just the communications of 
American government and political officials, but the records of 
U.S. law enforcement requests. That means people that we have 
on collection, whether for criminal purposes, maybe for foreign 
intelligence purposes, are now in the hands of the Chinese 
Government. And if the Chinese have it, they are almost 
certainly going to share it with the Russians, potentially with 
the Iranians, and potentially with the North Koreans.
    And don't believe me. Then-chairman of the Senate 
Intelligence Committee John Warner--sorry, pardon me--Mark 
Warner said it was the worst telecom hack in our Nation's 
history. The current Secretary of State, Marco Rubio, referred 
to it as ``an egregious, outrageous, and dangerous breach of 
our telecommunications systems across multiple companies.''
    So what can we do? In the last minute and a half remaining, 
I want to address one thing we should not do. We should not 
blame the private sector standing alone. The idea that we would 
expect the private sector to defend against nation state 
attacks standing alone makes no sense. We don't expect Target 
or Wal-Mart to put surface-to-air missiles on the tops of their 
warehouses to defend against Russian Bear bombers. Why should 
we expect any of our telecommunications companies to be able to 
effectively defend against committed nation state attackers who 
have virtually unlimited resources of national governments? It 
doesn't make sense.
    At the same time, we have to look internally at the 
Government to say, what did the Government know? When did it 
know about it? And why didn't it take action to protect its own 
data residing on these networks? So there's a lot of work to be 
done here. There are a lot of things we could talk about.
    I appreciate the opportunity to be here, and I look forward 
to your questions.
    [The prepared statement of Mr. Jaffer follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hudson. Thank you.
    Ms. Galante, you are recognized for 5 minutes for your 
opening statement.

                   STATEMENT OF LAURA GALANTE

    Ms. Galante. Thank you.
    Telecommunications fail.
    Good morning. Honorable Chair, Ranking Member, esteemed 
members of the committee, thanks for the opportunity to 
testify. I am Laura Galante. I served as the intelligence 
community cyber executive and the Director of the Cyber Threat 
Intelligence Integration Center at ODNI. I was also the 
intelligence community's lead for what is called the Unified 
Coordination Group, which responded to Salt Typhoon.
    I will focus my remarks today on the national security 
considerations for the U.S. telecom sector, whose growth has 
closely mirrored the digital transformation of our economy. 
Over the past 25 years, telco companies have evolved from phone 
service providers to complex, multiservice digital 
organizations navigating the convergence of communications, 
media, and technology. As with so many major digital shifts 
during this period, intelligence services have also become 
increasingly adept at targeting the immensely valuable data 
that telcos manage through their vast networks of digital 
roads.
    In short, companies in this sector have become key targets 
for foreign adversaries' operations. This leads us to the 
recent Chinese Government-sponsored operation, Salt Typhoon, 
regarded as the most expansive and consequential espionage ever 
conducted against the U.S. Sponsored by the Chinese Government 
and executed by contractors working for Beijing's Ministry of 
State Security, their intelligence bureau, this operation was 
first publicly detailed last fall, in 2024.
    At least nine U.S. telcos--that number was again confirmed 
by the FBI yesterday--and wireless communication companies were 
the victim of this extensive intelligence-gathering operation. 
The actors breached multiple layers of major telecoms' 
networks. They gained unprecedented access to U.S. mobile 
communications across different carriers and various wireless 
technologies. The access enabled them to compromise voice and 
text communications of key political figures and national 
security officials.
    Salt Typhoon gives us a window into three major issues. The 
first is the increased scale of adversary intelligence 
operations. Rather than focusing just on the communications of 
specific high-target individuals, what these Chinese actors did 
was they went after multiple data and access points through 
different victim companies in order to have this broad-scoped 
approach and a persistent intelligence capability to get after 
high-value information for a period of time. This wasn't a 
smash-and-grab, in-and-out type of cyber operation that we saw 
for years in the past. This was much larger.
    Second was the delayed detection of Salt Typhoon across the 
sector. Despite the telcos' significant cybersecurity programs, 
detecting Salt Typhoon required--and still requires--an 
extensive joint government and industry effort to respond. The 
ability to detect and then rapidly remediate and respond to 
these compromises against our most high-value networks, which 
we have all discussed, must be a core capability for companies 
in the sector.
    Third is that AI is rapidly expanding our adversaries' 
ability to process data. Rapid breakthroughs in AI have now 
equipped these actors with the capability to make sense of 
large and disparate data sets that previously required immense 
amounts of time and resources to understand what the data they 
collected meant and what to do with it. AI has supercharged 
their ability to analyze this.
    These capabilities enable even less sophisticated actors. 
We have been talking about highly sophisticated ones with 
China, but now less sophisticated actors will be able to 
extract key insights from vast amounts of data collected in 
different sectors and different industries.
    The hard question that this committee faces is how to 
strike that balance between securing these digital roads and 
everyday life with the enormous and growing demand for digital 
connectivity. We are not going to regulate our way out to find 
an enduring answer. The technology changes too quickly. The 
ingenuity of our adversaries is relentless.
    We have to build a better dynamic operational security 
model than what we have today. That model requires bringing 
threat intelligence and national security expertise, the 
intelligence community, together with private-sector 
representatives in the telco and secure technology sectors. 
This intelligence-driven approach is what will drive an 
operationally sound set of practices that companies can 
continue to implement and refine in their own infrastructure.
    The good news is we have done this before. One of the 
mechanisms available to drive this process until it was 
dissolved last month was called the Enduring Security Framework 
founded in 2007. Implemented by the National Security Agency, 
along with the Office of the Director of National Intelligence, 
and then DHS's CISA's Critical Infrastructure Partnership 
Advisory Council, this same framework proved successful enough 
that British intelligence and Australian intelligence used it 
as their model for their national cyber centers.
    In this model, security practitioners in government and 
industry alike used this to come up with dynamic processes 
about how you re-architected secure infrastructure for the 
future. Other boards that have also been dissolved, including 
the Cyber Safety Review Board, also worked to get to root 
causes of hard security and technical problems, and they 
investigated major cyber incidents, like Salt Typhoon.
    These are the joint efforts that created evidence-based 
approaches to address major security breaches, and threats in 
coordination with the private sector who owns the critical 
infrastructure in this country. This collaborative security and 
intelligence work has been America's differentiator in our 
global secure technology market. It is an ecosystem of security 
professionals, intelligence officials, analysts, and operators 
who work together to track vulnerabilities and threats as 
quickly as they spread--and that is fast in cyberspace--and 
deploy the patches and fixes and new security paradigms that we 
need to stay ahead of these threats.
    Dismantling this security ecosystem weakens our collective 
defense and our national security posture. It is not a risk we 
can afford at this moment.
    I look forward to your questions.
    [The prepared statement of Ms. Galante follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Hudson. Thank you.
    We will now begin questioning, and I recognize myself for 5 
minutes.
    Mr. Jaffer, I represent, as I mentioned, Fort Bragg. We 
like to call it the epicenter of the universe, home of our 
special forces and airborne. Why is maintaining the security of 
our communication networks essential to protecting our 
warfighters and our national security, especially as it relates 
to our adversaries, as we mentioned?
    Mr. Jaffer. Well, Mr. Chairman, it is hard to overstate how 
critical it is to protect our global telecommunications 
infrastructure. It is the backbone on which everything else 
runs, whether it is warfighter activities, communications with 
families and spouses, and the collection and analysis of all of 
our intelligence. While we do have highly classified systems 
that run on separate networks, that communication grid is 
connected, and if we don't--if that communication grid doesn't 
operate, it simply doesn't work.
    And fundamentally, our entire economics system turns on 
this global telecommunications infrastructure as well. The 
United States is so successful particularly because we built 
the system, it runs on our equipment, it runs on our 
capabilities and that our of allies. And the day it doesn't--
and as it has transitioned over to equipment run by 
adversaries, the more vulnerable it has become, the less secure 
we become, the less secure our warfighters are, and the less 
secure our entire economy is.
    Mr. Hudson. Appreciate that.
    Mr. Stehlin, do you have anything to add to that?
    Mr. Stehlin. Yes, I would 100 percent agree with everything 
that is going on there. We do need the public/private 
connection to make sure we address this. Everything we do from 
the military to our home lives uses ICT networks, and 
fundamentally they are all based on the same set of 
technologies and architectures, and we have to verify that 
those technologies and architectures are secure.
    Mr. Hudson. Emerging technologies have the potential to 
both enhance cybersecurity of our networks, but also threaten 
their security. It is kind of a double-edged sword.
    Mr. Stroup, in your testimony you talk about how AI can be 
harnessed to do vulnerability testing. Can you tell us more 
about how this is being deployed in the satellite industry?
    Mr. Stroup. Yes. Thank you for the question. There are a 
number of ways in which it is being deployed. First, is for 
anomaly detection, being able to identify if there is a 
different type of data that is coming into a network, being 
able to identify that in advance. Another is being able to take 
advantage of cybersecurity enhancements, being able to detect 
and respond to threats in real time, also being able to address 
signal-jamming detection and mitigation.
    And then finally, I would also like to emphasize it is 
important in space situational awareness. There are so many 
objects in space, and the opportunity to be able to identify, 
analyze, and determine whether they are going to pose a threat 
or risk to satellites are one of the uses of AI.
    Mr. Hudson. I appreciate that.
    Mr. Jaffer, how can AI be used in the communication 
networks to enhance security?
    Mr. Jaffer. Well, look, there's a lot of opportunities we 
have. These LLMs can identify threats and vulnerabilities. We 
just saw in the last few months the discovery of brand new 
vulnerabilities that we weren't aware of discovered by LLM 
models running over network data, right. So there is a big 
debate about will AI improve the attacker more or improve the 
defender more, and I actually it is a mixed bag, right.
    In some ways, it will definitely, as Ms. Galante pointed 
out, enable attackers who don't have capabilities today to have 
more capabilities. At the same time, the defender will have an 
edge as well because they will be able to get ahead of the 
threats, identify vulnerabilities, cut them off at the pass and 
go after the attackers.
    So while the offense, like in football, always has a little 
bit of an edge, right, and AI will enhance that, AI is going to 
enhance defenders as well. And its expanded use and ensuring 
that we don't overregulate it and crush it with unnecessary 
regulation will ensure that we maintain the edge. The reality 
is, our adversaries are going to use it on the offense. If we 
overregulate it and don't use it on the defense, we will fail.
    Mr. Hudson. I agree.
    Mr. Stehlin, economic security is national security. One of 
President Trump's top priorities is reshoring American 
manufacturing as the United States continues to reshore 
critical manufacturing and expand domestic data center 
capacity, secure, high-speed connectivity will be essential. 
What specific policy actions do you believe are necessary to 
ensure our communications infrastructure can meet these 
increasing demands without comprising on supply chain security 
or network resiliency?
    Mr. Stehlin. Yes, two things come to mind: First of all, we 
need to reshore as much as possible. The active components that 
make up our ICT networks, whether it be a core router or a base 
station, or even a home IoT device, these devices have 
semiconductors which are not made for the most part in the 
United States. Major security shortfall. That is not something 
that can change overnight. It is something that will take a 
long time.
    And it is not only that moving the fabs and things like 
that back here, but it is the whole ecosystem, moving that back 
here. And that is why many parts of Asia are successful in this 
area because the whole ecosystem is closely located to each 
other. So that whole supply chain needs to be both closely 
located with each other but also based in the United States. 
That is a fundamental strategic change and a long-term 
investment that we need to make.
    And I would refer back to something I mentioned before: 
supply chain security. You have to ensure that the supply chain 
itself is secure, not only that ecosystem but all the devices 
that make up a product, and the only way to do that is ensure 
that the processes that are used to make a product are verified 
to be trusted. So that is something that this standard does is 
it verifies trust. You have to verify it before giving trust 
out.
    Mr. Hudson. Got it. Thank you. My time is expired.
    I will now recognize the ranking member, Ms. Matsui, for 5 
minutes to ask your questions.
    Ms. Matsui. Thank you very much, Mr. Chairman.
    This Salt Typhoon attack exemplifies how expansive cyber 
operations against the U.S. have become. In an increasingly 
digital era where artificial intelligence emerging technologies 
can increase the capabilities of bad actors, we must address 
how America stays ahead of our adversaries.
    Ms. Galante, what is the most pressing issue this committee 
must resolve to prevent major cyber attacks like Salt Typhoon?
    Ms. Galante. Mature security programs in cyberspace are 
really important for major organizations, especially in the 
telco sector, to continue to refine and improve. There's some 
basic pillars of what a strong security program looks like: 
identity and access management; the tools and infrastructure to 
make sure they can look at their network and really log events 
that are happening; incident preparedness; risk in governance; 
and then their third-party vendor risk, which has been 
articulated quite a bit in how to manage that.
    But one of the key performance measures that I look to when 
I am talking with CISOs, chief information security officers, 
and others who have to secure these networks and are in charge 
of that edge of American security and competitiveness is their 
time to detect malicious activity and their time to respond. 
And it is those two measures that are key that we drive across 
critical industries like this so that we aren't caught with 
multiyear, major operations that have the scale and impact like 
Salt Typhoon.
    Ms. Matsui. OK. Now, you mentioned CISA, and obviously it 
provides crucial support also to the States and localities at 
the front lines for protecting critical infrastructure. Now, 
what does this administration risk when it downsizes our 
Federal cyber workforce and puts more burdens on States and 
local agencies?
    Ms. Galante. Cybersecurity is inherently a Federal issue. 
The internet doesn't know State boundaries, no put it mildly.
    Ms. Matsui. Right.
    Ms. Galante. And what CISA does and what other Federal 
cybersecurity and national cybersecurity agencies do is they 
are able to articulate the risk to networks out in States, 
critical infrastructure providers, energy companies, banks, and 
get that information out to them so that they can employ it in 
their security programs. We have to take a Federal approach to 
do this, because inherently the threat is one that goes after 
us at a national level.
    Ms. Matsui. OK. Now, I think this was mentioned before too, 
but as more smart devices known as the Internet of Things are 
adopted into American's homes, we need to help consumers make 
informed choices and decisions about the technology products 
that they purchase. Those interconnected smart devices can be 
an entry point also for cyber attacks. That is why I have 
supported steps like the FCC's U.S. Cyber Trust Mark, a 
labeling program that identifies trustworthy and secure 
products in the marketplace.
    Ms. Galante, how do voluntary measures like this instill 
trust and security in our technologies?
    Ms. Galante. I like the Cyber Trust Mark Program a lot. If 
people haven't seen it yet, it is a sticker, it is a badge, and 
a QR code. And what it is, is it is a shorthand to the consumer 
that says the product that you are buying here has a security 
management program behind it. It is going to get patched. There 
is going to be data protection, some of the key standards that 
we want behind that product.
    It is a little bit like when you turn your microwave around 
and there is that metallic sticker that you can't pull off that 
says you can plug this in and you are not going to get shocked. 
It is the same concept for interconnected devices. I think it 
should catch on.
    Ms. Matsui. OK. Great. And talking more about standards, I 
have long championed that the U.S. leadership in global 
technology standards and that the next generation reflect 
American values, including open market transparency and 
democracy.
    Mr. Stehlin, you mentioned SCS 9001. That is a supply chain 
security standard for information and communications technology 
industry. How can this and other standards ensure 
communications infrastructure is resilient against attacks from 
malicious actors?
    Mr. Stehlin. Yes, 9001 uses looking at not only the vendor 
of the supplier of equipment--is it a trusted vendor?--but it 
looks at the hardware and the software used in a product. Every 
single product out there uses open-source software, for 
example.
    Ms. Matsui. Yes.
    Mr. Stehlin. How do we trust that that open-source software 
is coming from an organization that can be trusted? Is there 
provenance that we can prove? Can we do things like incident 
management and move more quickly?
    We need to speak in one voice when it comes to cyber and 
supply chain security. And SCS allows the ability for both 
public networks and private networks to do so all the way down 
to IoT devices, like the FCC is working on with the cyber 
labeling program.
    Ms. Matsui. Well, I consider that very important, the 
standards that we set in our country for U.S. leadership, in 
particular, because we understand that the actors, the 
unfortunate actors that are against us are going to be going 
out there and doing their own thing.
    I want to talk more about--oh, I think I have run out of 
time already, right, Mr. Chairman?
    Mr. Hudson. Yes. Time flies when you are having fun.
    Ms. Matsui. But anyway, I will follow up later. OK. Thank 
you very much.
    Mr. Hudson. Thank you.
    I will now recognize--is it Dunn?--Dr. Dunn from Florida 
for 5 minutes to ask your questions.
    Mr. Dunn. Thank you very much, Mr. Chairman.
    You know, I would say that Americans have every form of 
technology at their fingertips for broadband deployment and 
fiberoptic cable and fixed wireless. And particularly important 
where I live, in rural Florida, is satellite systems.
    Historically, our country has done very well. They have 
done a stellar job, in fact, at building our telecoms 
infrastructure, and I think that under U.S. leadership, that 
industry is flourishing. Despite many challenges, the 
marketplace is providing responsive, innovative capabilities 
for commercial-use research intelligence and national security. 
But to sustain that dominance, we must invest in the 
infrastructure necessary to continue that rapid expansion in 
the future. That is just basic infrastructure investment.
    Accordingly, this week, Representative Carbajal and I are 
reintroducing the bipartisan bill, Secure United States 
Leadership in Space Act, which enables the tax-exempt status of 
private bonds on FAA-licensed spaceports, pretty basic stuff. 
It is like, you know, highways and, you know, seaports or 
whatnot.
    What makes this bill impactful is that it empowers the 
growth of the spaceport infrastructure that is so essential to 
a nation's enterprise to be funded more by private capital 
than, in fact, by the taxpayers. And this plays into the 
strengths, of course, of the U.S. system in our competition 
with China.
    As a member of this committee for many years, I have 
continued to work on legislation to streamline and secure our 
telecoms networks. Last year, Congress passed and the President 
signed into law, with my friend Darren Soto, the Launch 
Communications Act that addresses the satellite launch 
communications spectrum, so very outdated regulations at the 
FCC, and they are currently implementing those now. This year 
we will continue to prioritize that, all those efforts.
    Mr. Stroup, do you believe that the tax-exempt bonding 
rights for our spaceports can help secure U.S. leadership in 
space and space infrastructure, and engage private markets? 
Does that help the taxpayers?
    Mr. Stroup. Yes. Our industry is most dependent upon 
spaceports, and having access to as many spaceports as possible 
will benefit the industry. So while SIA does not represent the 
spaceport industry, our members are very dependent upon them.
    Mr. Dunn. So, I am from Florida. We have at least as many 
spaceports as most States, and I am very pleased with that. I 
sat on the board of spaceports for a number of years. I am 
really, really proud of the efforts in our State on that.
    Again, Mr. Stroup, you mentioned in your testimony, access 
to sufficient spectrum resources is necessary to secure our 
infrastructure. Can you briefly elaborate on this and share 
what kind of spectrum authorities you think would make the most 
sense right now for space industry?
    Mr. Stroup. Yes. Our industry is growing substantially. As 
an example, approximately 10 years ago, we had about 1,000 
operational satellites; today, that number is over 12,000. That 
is just to give you a sense of the growth in the industry. We 
provide a wide range of services, and we are increasingly 
expected to share spectrum with other industries. In some 
cases, it is the wireless industry.
    The industry, the satellite industry, for a long time 
shared spectrum amongst itself as well as with some other 
terrestrial users, such as microwave systems. But there is a 
continuous effort to get more spectrum, not only for the 
satellite industry, other growing industries like the wireless 
industry. So we are in a competitive environment just amongst 
ourselves, meaning those that use spectrum, but also in the 
global environment, and so seeking to have access to additional 
spectrum through the ITU process.
    I might note that the next WRC, which is taking place in 
2027, over 85 percent of the issues that are on the agenda are 
space-related, many of them giving us access to additional 
spectrum. So specifically relating to the ITU recommendations, 
seeking that the United States take the leadership position, as 
well as making additional spectrum available within the United 
States.
    Mr. Dunn. Well, thank you for that. I spent a lot of time, 
you know, focusing on space. But let's be honest, there is a 
lot of information flowing through the fiberoptic cables.
    And in the few seconds left, I am hoping Mr. Stehlin can 
address the resilience of the cables, the undersea cables. What 
can we do to protect these things? There has been nothing but 
interruptions of these cables lately. It seems like anybody 
with a motorboat can interfere. Can you give us some 
confidence?
    Mr. Stehlin. Yes. Well, first of all, there are somewhere 
in the range of 600 undersea cable systems around the globe, 
1,700 landing points. More landing points will help for sure. 
More repair ships, very much needed. If it takes a month or two 
to find a repair ship, you have a problem. So we need to 
rebuild the whole shipping side of things.
    Mr. Dunn. Well, thank you very much.
    Mr. Chairman, my time has elapsed, but I would love to talk 
to these people for the rest of the day. Thank you.
    Mr. Allen [presiding]. I thank the gentleman for yielding.
    Now, I will turn it over to Ranking Member Pallone for 5 
minutes for your questioning.
    Mr. Pallone. Thank you, Mr. Chairman.
    As I mentioned earlier, it is critically important that our 
country's telecommunications networks have the capabilities to 
effectively defend against foreign adversaries and other bad 
actors, but given the Trump administration's mishandling of 
sensitive information on Signal, and Musk and DOGE's access to 
sensitive Government information, it is clear that it is not 
just our telecommunications infrastructure that needs updated 
security standards and protocols.
    So I wanted to ask, Ms. Galante, are Signal, Gmail, and 
other commercial services the proper channels and tools for 
government officials to use in making national security 
decisions?
    Ms. Galante. National security decisions and deliberations 
from our adversaries' standpoint are intelligence gold, right. 
This is what they seek out. And it is for this reason that we 
have got classified communication channels.
    Mr. Pallone. OK. Now, under--I have a bill--bipartisan 
bill, the Secure and Trusted Communications Networks Act, and 
the FCC must place communications equipment or services that 
have been deemed a national security threat on its covered 
list, which effectively removes the equipment or services from 
our country's supply chain.
    So, again, Ms. Galante, will broadening the types of 
communications technology that can be placed on the FCC's 
covered list help us better secure our country's 
telecommunications networks and data from foreign adversaries?
    Ms. Galante. It will help us. The FCC's covered list goes a 
long way to give predictability and clarity about what products 
are insecure and what technologies shouldn't be used in our 
telecommunications technology.
    Mr. Pallone. OK. And, you know, the frequency of cyber 
attacks on our telecommunications networks I think shines a 
bright spotlight on the amount of personal data that these 
networks carry day in and day out, and it is imperative that 
our networks have strong security protocols in place so that 
our data is not an easy target for our foreign adversaries.
    But let me ask you again--or let me ask you this question: 
What types of capabilities should be built into our 
telecommunications networks to ensure they can successfully 
protect our data from the increasingly sophisticated cyber 
attacks and espionage we see from foreign adversaries? And if 
there is time, I would ask the others the same question.
    Ms. Galante. Telecommunications networks are incredibly 
complex. They are dealing with a stack of technologies that 
ranges from literally the ground up. And these are tough to 
secure, and they require really advanced security programs to 
do it the right way.
    Two of the measures that a secure program should be looking 
for, though--in how they perform, how the people and the tools 
and the team around this work--is their time to detect 
malicious activity and their ability to respond to it quickly. 
And the faster both of those things can happen, the more secure 
their program is going to be and the more resilient our entire 
sector will be.
    Mr. Pallone. You know, I wanted to ask others to comment on 
it, but I am still not sure, when I asked the first question 
about Signal and email and you said that--you know, I asked 
whether, you know, those are--commercial services are the 
proper channels for government officials to use in making 
national security decisions. What was your response again?
    Ms. Galante. Classified channels are the right place for 
national security deliberations----
    Mr. Pallone. And these are not.
    Ms. Galante. These are not classified channels.
    Mr. Pallone. OK. All right. Anyone else want to comment on 
the types of capabilities that should be built into the 
networks? I still got another minute. Yes.
    Mr. Stehlin. Yes, sir. We should look at the entire makeup 
of the vendor base. It is one of the challenges that we have 
around the world, is as we try to bring Western technology to 
friendly countries, we know that the Chinese will--and have for 
years worked their way in there by offering way underpriced 
product, offering the ability to fund the development and 
management of these networks, and then they work really hard 
with the legislative branch of many countries around the world.
    We have an uphill battle. And one of the challenges we have 
is, as China has often sold products way under cost, it has put 
so much pricing pressure on Western technology that R&D 
investment has gone way down.
    So the things we can do to help R&D rebuild in the United 
States would make a big difference.
    Mr. Pallone. Anyone else want to comment?
    Mr. Jaffer. Mr. Ranking Member, I think the other important 
thing to keep in mind is that the Government has a role to play 
here too. The Government needs to partner tightly and 
collaborate with industry to defend against these threats. If 
we leave the private sector alone to defend against these 
threats, we will fail every time.
    These private-sector companies are not in the business of 
defending against cyber threats. They are in the business of 
providing telecommunication services and capabilities to our 
citizens, to our allies, and to partners around the globe. And 
so, if they are going to do it effectively, the Government has 
to take the information it knows about and has. For example, in 
the Salt Typhoon case, it turns out we found out 5 days before 
the administration ended that we had detected the Salt Typhoon 
attackers on U.S. Government networks, hadn't realized who they 
were, and hadn't shared that information.
    It is almost like before 9/11, where we knew the attackers, 
some of the terrorists were in Malaysia and Kuala Lumpur, the 
CIA saw them there and then didn't bother to tell the FBI. That 
is a massive, massive failure of the Government to do its job 
to share information with the industry, help the industry 
protect itself, and take accountability for the fact that we 
had that information, didn't know what to do with it.
    Mr. Pallone. Thank you.
    Thank you, Mr. Chairman.
    Mr. Allen. I thank the gentleman for yielding.
    And now I recognize myself for 5 minutes for questioning.
    I want to thank our expert witnesses for joining us here 
today.
    As home to the Army Cyber Command in Augusta, Georgia, my 
district is a hub for cybersecurity expertise, and we hear 
significant concerns about Federal agency roles and regulatory 
burdens hindering our ability to secure critical 
infrastructure.
    Mr. Jaffer, cybersecurity--and you have already started to 
comment on this--cybersecurity professionals in my district 
highlight confusion over which agency--CISA, the Department of 
Defense, FCC or others--has primary jurisdiction over securing 
critical infrastructure, which would include 
telecommunications, satellites, and undersea cables. This lack 
of clarity can impede responses to threats like you mentioned, 
the Salt Typhoon breach.
    Mr. Jaffer, how are the roles of CISA, DoD and FCC 
currently defined, and what steps can reduce confusion to 
enhance coordination and protect our infrastructure?
    Mr. Jaffer. Well, thanks, Mr. Vice Chairman. I mean, the 
challenge here is that there is no one agency in the Government 
today responsible for defending our entire global cyber 
infrastructure, the U.S.'s, which we have built around the 
globe. And the problem is that, if you expect private industry 
to do it, it won't succeed. If you don't task somebody in the 
Government and give them the resources and the authorities to 
do it, it won't succeed.
    Now, in theory, we said to U.S. Cyber Command, ``It is your 
job to defend the infrastructure against nation states.'' But, 
of course, U.S. Cyber Command isn't resourced, doesn't have any 
authorities. And I am not sure there is a consensus amongst 
Congress and the administration about whether the Department of 
Defense should do that defense. In the absence of that 
consensus, the only way in which we can have the Government 
work effectively in the industry is to share information at 
scale.
    We have legislation today, the Cyber Information Sharing 
Act that was passed in 2015--set to expire in the next few 
months--that needs to be reauthorized. But, more importantly, 
we need to actually incentivize the sharing of information. We 
passed the authority, but we didn't provide the necessary 
regulatory liability protections to encourage to actually 
share.
    So the lawyers are telling them, ``Do the minimal amount 
necessary.'' What you want to do is you want to line up boards 
of directors, you want to line up the lawyers, and you want to 
line up industry with government. Government wants information. 
It has information. Both need to share. Neither are doing it 
effectively because the incentives aren't there, and the 
Government says, ``Well, we are not going to share all types of 
information with industry.''
    Well, if we are not going to do it, no one is going to do 
it. They are not going to know what the threat is. They are not 
going to defend well. And then we will all be looking back and 
saying, ``Why didn't they defend themselves better?,'' and we 
will have no one to blame but ourselves.
    Mr. Allen. Thank you, sir.
    The Cyber Incident Reporting for Critical Infrastructure 
Act aimed to streamline reporting to CISA, yet stakeholders 
note persistent issues with the duplicative requirements across 
other agencies, including varying definitions and timelines--
the very things that you are talking about--inconsistent 
incident definitions, like substantial laws versus potential 
adverse effects, and a lack of reciprocity, diverting resources 
from mitigating threats like those from the Chinese Communist 
Party.
    Mr. Stroup and Mr. Stehlin, how do these challenges impact 
the communication sector's ability to secure infrastructure, 
and what can the FCC's new Council on National Security do 
alongside CISA to harmonize reporting, standardize definitions, 
and establish reciprocity to strengthen resilience?
    Mr. Stroup.
    Mr. Stroup. Thank you for the question. So most satellite 
systems are dual use, and as a result, many of the issues that 
we are talking about are addressed through our supply chain 
because, for a long time, the security in supply chain has been 
important. There is a certification process that satellite 
companies need to go through in order to provide service to the 
U.S. Military.
    But I think that, getting to the cybersecurity issue, in 
terms of sharing information, I think that the key is the 
points that have been made by other members of the panel today, 
ensuring that there is a means of sharing the threats, giving 
companies an opportunity to address it. And, whether that is 
done through CISA, the FCC, I think making sure that there is a 
single point where members of our industry and other industries 
have access to that information is key to being able to address 
them.
    Mr. Allen. Mr. Stehlin.
    Mr. Stehlin. Thank you, sir. Yes, I would agree. We have to 
speak in one voice. We have to send clear messages across the 
country on both the public and the private side. We have to 
send clear messages to our international partners that we speak 
in one voice.
    And then we have to use things like benchmarking and 
continuous improvement to measure how we are doing and how we 
do things like incident reporting, how do we more quickly deal 
with problems like that to more quickly identify these 
incidences and to fix them.
    Mr. Allen. Good. Well, I hear that we have got to 
centralize this issue, and we have got multiple agencies 
involved. So thank you so much for sharing your expertise with 
us.
    Now, let's see, who do we go to next?
    Representative Soto, I yield to you 5 minutes for 
questioning.
    Mr. Soto. Thank you, Chairman.
    From satellites to cellphones, WiFi to the internet, there 
is so much information, communications, commerce, learning, 
telehealth, streaming and other daily activities that go 
through our telecommunication system.
    We saw with SolarWinds, Salt Typhoon, and other cyber 
attacks, these were a huge warning across multiple 
administrations, and we are going to continue to work with you 
all on resiliency.
    Unfortunately, we still can't protect ourselves from 
stupidity, as we see with the Signalgate scandal, but there 
have been efforts under the CHIPS Act with $3 billion for rip 
and replace to help with both U.S. telecom manufacturing, 
microchip manufacturing, and trying to replace a lot of this 
equipment made in China that we have no faith in anymore. U.S. 
telecom equipment will strengthen our network against attacks.
    Mr. Stehlin, we have seen some increase in manufacturing in 
the U.S. for telecom equipment and microchips. How is it going 
so far, and what can we do to improve it?
    Mr. Stehlin. I would say, at best, it is going OK. We have 
a long way to go. As I mentioned before, this is a strategic, 
multidecade change that has to occur. We have to build the 
whole ecosystem for the supply chain for the ICT networks.
    Fundamentally, 50 to 60 percent of the cost of every active 
device is the chip itself, and those chips are not made in the 
United States. And, if we can solve that problem, we will go a 
long way to having much more success in rebuilding our 
infrastructure, making sure that it is secure, and, also, 
adding jobs.
    And, since you are from Florida, sir, I want to mention 
that we recently started a program called Broadband Nation, 
which is a program to attract, train, and deliver the next 
generation of talent in the broadband space from cybersecurity 
to installers, and the State of Florida is the first to sign up 
with us. So we are working with Miami Dade College, the 
Secretary of Commerce in Florida to help push this across your 
State.
    Mr. Soto Well, we are thrilled about that. I realize, as we 
are doing U.S. manufacturing, there are still going to be some 
inputs from abroad, whether it is metals or other things. How 
are tariffs affecting our ability to bring back and manufacture 
telecom equipment?
    Mr. Stehlin. Tariffs will only raise prices. At the end of 
the day, that is the problem.
    Fundamentally, it makes sense to find ways to bring things 
back to the U.S., but if over a long period of time those 
prices are raised, fewer networks are going to get built, and 
that is a problem.
    Mr. Soto. And how would a potential recession affect 
investment to bring more manufacturing back? We saw a negative 
first quarter, first one since 2022. Do you see investments 
slowing, or are things moving along steadily?
    Mr. Stehlin. I haven't seen investments slowing yet, but 
fundamentally that is an issue. As somebody that has run a 
publicly traded company, I recognize that CAPX is critical, and 
that is one of the first things that you want to squeeze is 
CAPX.
    Mr. Soto. Mr. Stroup, we are proud of Cape Canaveral in 
Central Florida. You know, my colleague, Dr. Dunn, mentioned 
already the Launch Communications Act that we passed last term. 
We have seen 34 launches so far, mostly for satellites, right.
    What are some of the strengths and advantages of satellite 
internet against cyber attacks?
    Mr. Stroup. Thank you for the question. I think that one of 
the key strengths of the industry is the number of companies 
that are providing service and the ability to be able to 
provide service from multiple paths. Most satellite companies 
have multiple satellites, whether they are in geo or nongeo 
orbits, and as a result, if there is an attack on one of them, 
one of the satellites, there is an ability to be able to 
provide service from another satellite.
    In many cases, companies have also deployed multiorbit 
capabilities. So they are bringing to bear service from both 
geo and nongeo systems.
    And, of course, it is not just the satellites that are key 
in making this work. Terminals that operate across multiple 
operators, multiple frequencies are some of the means that the 
industry has to be able to address those kinds of attacks on 
their systems.
    Mr. Soto. So you mentioned that hive technology, where, if 
you take out one satellite, the rest still operate as a 
network. We have seen that be a strength so far in some areas, 
like in Ukraine.
    Ms. Galante, we saw the review board for cybersafety 
terminated before the end of the Salt Typhoon investigation. 
What effect does this have on learning from what happened with 
that cyber hack?
    Ms. Galante. The Cyber Safety Review Board functioned like 
the National Transportation Safety Board, and then it root 
caused major cybersecurity incidents to figure out what went 
wrong and then build a path towards a better remediation plan 
for others to learn from. Cutting off that investigation into 
Salt Typhoon early really limits the teleco sector's ability to 
understand from all the different sides of the house--the 
intelligence side, law enforcement, and then victim networks--
how we can improve. So it really shortchanges our national 
security to not have that investigative board available to 
learn from.
    Mr. Soto. Thank you. My time has expired.
    Mr. Dunn [presiding]. Thank you, Mr. Soto. I appreciate 
your line of questioning.
    He yields back, and we recognize Representative Latta for 5 
minutes of questions.
    Mr. Latta. Well, thank you very much, Mr. Chairman. And 
thank you so much to our witnesses for appearing today.
    Mr. Stehlin, we know that Communist Chinese-flagged vessels 
have been suspected in cutting undersea cables across the 
globe, but particularly those connected to Taiwan. Taiwan has 
reported five cases of seabed cable damage this year alone 
compared with just three each in 2023 and 2024.
    Is the answer to this growing problem more cable 
redundancy, or are there other technologies that can provide 
more reliable communications in the case of a coordinated 
attack?
    Mr. Stehlin. Thank you for that question, sir. The answer 
is more redundancy. We are not going to--and find a way to find 
a more efficient and bandwidth-capable technology than fiber 
optics.
    So there are 600 or so cable systems, subsea cable systems, 
in operation today. On average, 200 are damaged per year. And 
the great majority of those are Mother Nature or an anchor or 
something like that that is just an accident, but more and 
more, as you say, are coming from nefarious actors. It could be 
the Taiwan Strait. It could be the Baltic Sea. We have seen 
those in the past 6 months or 12 months. And it takes a long 
time to first find the problem, where is the break, and then 
fix it.
    And, as I mentioned earlier, we don't have enough ships out 
there to fix. One of the three biggest repair and installation 
companies is called WMN Technologies, which used to be called 
Huawei Marine Network Technologies. So they are the ones that 
drive a lot of this activity in the Far East. In the U.S. we 
have SubCom, and in Japan we have NEC, as other examples for 
friendly countries. But this is a big issue that needs to be 
addressed. More redundancy, yes, but we have got to find ways 
to more quickly repair issues.
    Mr. Latta. And, just a quick followup to what you just 
said: How long does it take to usually fix a cable?
    Mr. Stehlin. A sub cable, depending on where it is, if it 
is close to the shore, it is a lot quicker than if it is in the 
middle of the ocean. So it could take upwards of 2 months.
    Mr. Latta. Thank you. The other followup, I am really 
impressed by the technological innovations happening in the 
last several years as it relates to the internet and cellular 
connectivity using satellites. Are satellites at a point that 
they can provide backup for large amounts of data processing in 
the case of a widespread physical cable outage? Just a quick 
followup.
    Mr. Stehlin. Sure. Satellites can certainly help and 
support, but the bandwidth capability and the latency, low 
latency of fiber cables can't be replaced.
    Mr. Latta. OK. Thank you. And I hope I pronounced it--is it 
``Ga-lant''?
    Ms. Galante. ``Ga-lant-ay.''
    Mr. Latta. ``Ga-lant-ay.'' I am sorry. Ms. Galante, I have 
always been alarmed when a business in my district says that 
they have had their cybersecurity handled because--and hit 
because of bad actors, and they are always changing tactics and 
becoming more increasingly skilled at targeting our networks. 
As soon as you get one thing done, you would find out somebody 
figured their way around it.
    And these small businesses, in particular, small 
telecommunication companies, in my district and across the 
country aren't likely to have in-house personnel, let alone 
teams of professionals and cybersecurity expertise.
    You say in your written testimony that we can't regulate 
our way to securing our digital networks. So what role can the 
Federal Government play in ensuring that the private sector has 
those tools to secure our communications infrastructure?
    Ms. Galante. I think we need to focus effort with telco 
security companies, and that is really a range of different 
types of companies, to focus on what the goals need to be for 
their specific technology stacks and systems. We have done this 
in a large way in the banking sector and also in the energy 
sector. In both of those areas, there is a level of 
predictability and an increased ability to find malicious 
activity and remediate it quickly.
    Those performance measures are what we need to implement 
and think through and make real for implementation with the 
variety of companies in the telco sector.
    Mr. Latta. Thank you.
    Mr. Stehlin, just going back to you, I have legislation on 
the Routers Act, which passed the House earlier this week, to 
study the threat of certain routers built by our adversaries.
    What are you looking at to make American-made or routers 
made by our allies a better choice?
    Mr. Stehlin. We need to eliminate those that are bad 
choices, first of all, and we have to do quick evaluations of 
those companies and their history and the products that they 
develop and remove those bad choices from the consumer.
    Probably--there is an investigation underway right now for 
a company that is probably a bad choice but is the most 
frequently used home router out there.
    Mr. Latta. Thank you very much.
    Mr. Chairman, we have a lot of work to do in this area.
    And I want to thank our witnesses for appearing today. And 
I yield back the balance of my time.
    Mr. Dunn. We thank the chairman for his comments, and we 
will recognize the gentlelady from Michigan, Representative 
Dingell.
    Mrs. Dingell. Thank you, Mr. Chair.
    This committee has led bipartisan efforts to secure our 
communications networks, strengthen resiliency, and work 
closely with both Federal agencies and industry. We know 
threats are evolving and that we have got to continue to adapt. 
And now is the time to address additional risks across our 
communications technology networks, from vulnerabilities in our 
global supply chains and weaknesses in domestic critical 
infrastructure, to the risk emerging from new technologies now 
in mainstream and sectors like the automotive industry.
    To meet this moment, we must boost competition, continue to 
invest in domestic innovation and manufacturing, and ensure the 
integrity of systems Americans rely on daily, from wireless 
networks to broadband and cloud infrastructure.
    We are also seeing growing national security concerns from 
companies like BYD, a leading Chinese EV manufacturer, and 
DeepSeek, an emerging Chinese AI firm, raising alarms about how 
data is collected, transmitted, and exploited.
    We have to be proactive in addressing this. We have got to 
secure our critical infrastructure to ensure we outpace those 
who seek to undermine our national security and exploit our 
vulnerabilities, and we must also ensure that our Government 
officials are using basic security protocols for national 
security matters, as we have discussed, instead of commercial 
apps like Signal and Gmail.
    But, Ms. Galante, as all of you know, China doesn't play by 
the rules, especially in the auto sector. China has propped up 
the electric vehicle and battery manufacturers with state 
subsidies, allowing them to undercut global competitors, flood 
international markets, and destroy competition.
    This not only threatens American jobs and undercuts 
domestic manufacturing, but it also raises serious concerns 
about the security and the integrity of connected vehicles.
    As connected vehicles collect vast amounts of sensitive 
personal and location data, as well as the autonomous vehicles 
do that they are testing here, how can we ensure that foreign 
adversaries, especially those with ties to China, are not 
exploiting these technologies to access and misuse American 
data?
    Ms. Galante. Thank you, Congresswoman Dingell.
    I really appreciate your question on connected vehicles' 
security. This is a critical area. And you can't think of one 
where there is more of a combination of data privacy issues, 
potentially GPS and other location security needs, in addition 
to all of the different metrics that are used and will 
increasingly be used to have these autonomous vehicles and 
connected vehicles work.
    Security is critical here, and we can't tack it on after 
the fact. We have got to build this in, in what we call in the 
security industry, by design. Security by design. And one of 
the engineering principles that has to be at the center of how 
Detroit and others are focused on security in this area is 
called DevSecOps, development security operations, right.
    We need to make sure that we have got the minds across 
companies and across this sector who are focused on the 
security implementations working together on this. And the 
security concerns need to outweigh some of the competitive 
concerns here because a secure auto industry is good for 
America, and it is good for our allies as well. We have to be 
the leaders on that, and we need to take it from the design 
level up.
    Mrs. Dingell. Well, I agree. I am working with a group. I 
have got--I am going to go to a 5G question for Mr. Stehlin 
very quickly.
    Can you speak to the importance of beginning now to plan, 
invest, and lead in the next generation of advanced wireless 
technologies.
    Mr. Stehlin. Yes. Thank you for that question. Typically 
these advancements take a decade. So we are starting to work on 
6G, even though 5G has just been rolled out over the past 
couple years.
    One of the challenges is we need 5G to be financially 
successful, or the CFOs at the big ISPs are not going to want 
to invest in 6G. So it is really critical that these 
technologies are successful. It takes a long time to make them 
strong.
    But, yes, we are working now on things like 6G that will 
affect everything from the home to the business to automated 
cars.
    Mrs. Dingell. So, in 40 seconds, what specific steps should 
Congress take to better align its efforts to help you and 
ensure U.S. leadership stays?
    Mr. Stehlin. R&D tax credits. Let's start there. Let's find 
ways to increase the investment in the United States so that we 
can spend more money in R&D. That innovation is something that 
has been a hallmark of our industry. Look at how your price per 
megabit has come down over the past 10 or 20 years as compared 
to your cost for kilowatt hours. We have gone down by 95 
percent because of innovation.
    Mrs. Dingell. Thank you, Mr. Chair, and I yield back.
    Mr. Dunn. Thank you, Representative Dingell. We now give 5 
minutes to Dr. John Joyce from Pennsylvania.
    Mr. Joyce. Thank you, Mr. Chairman and Ranking Member 
Matsui, for holding today's hearing.
    Thank you, also, to our witnesses for agreeing to be 
present with us.
    We all know it is no secret that we are living in a world 
where our communications infrastructure is increasingly at 
risk. Between cyber attacks from foreign entities, such as 
Chinese Communist Party, to targeted network infiltration, it 
is more important than ever that the United States is more 
vigilant and prepared to defend itself against these multiple 
bad actors. That is why, along with Representative Susie Lee, 
that I introduced H.R.2061, the Information and Communication 
Technology Strategy Act.
    This important legislation will develop that the Department 
of Commerce is consistently updating Congress on what needs to 
be done to adequately secure our communication systems through 
our supply chains. This will be one step in a long list of 
necessary actions that the U.S. Government needs to be taking 
to adequately protect our critical networks.
    Mr. Jaffer, how would you evaluate the readiness of our 
current telecommunication systems against these identifiable 
and well-known bad actors, and I will list them: Specifically, 
how are we prepared when it comes to China, when it comes to 
Iran, and when it comes to North Korea,who we recognize are 
repeat offenders?
    Mr. Jaffer. Well, you know, Dr. Joyce, we are very--we are 
ill prepared. Our telecommunication infrastructure is 
vulnerable. We know it, our Government is not effective at 
deterring bad activity by our adversaries, and we are not 
working together collaboratively to defend that piece of 
critical infrastructure.
    There are other pieces of critical infrastructure as well 
that we are not good at defending, but that is one area where 
we need to work more effectively as a government and industry 
together.
    There are a few things we can do in the immediate term to 
address some of these issues. One, to your point about supply 
chains, we know today that we rely massively on China for 
things like semiconductors, critical minerals. We are seeing it 
today in the tariff wars, where China is cutting us off from 
critical minerals. We need to develop a domestic and ally 
capability to refine, to extract and refine those.
    We have critical minerals here in the United States. We 
have the ability to obtain them for our allies and partners 
abroad. We simply send 96 percent upwards of that material in 
kiers over to China to refine. It makes no sense.
    The signature semiconductors, we see the situation in 
Taiwan. If we are going to survive on our current technology 
basis, we have got to be able to defend Taiwan. China is 
threatening it. It is not clear that if today China were to go 
across the Taiwan Straits, that the United States would do 
anything or that we could get there in time to effectively 
defend our friends in Taiwan.
    Mr. Joyce. Mr. Jaffer, can you help me understand a 
different issue? How has Huawei become the global behemoth that 
it is today, and what more do we need to do to counter Huawei 
in the spread of untrusted telecommunications equipment, 
especially when we see allies and partners using equipment from 
Huawei?
    Mr. Jaffer. Dr. Joyce, it is a great question. The way they 
have obtained this advantage is they have done it on the backs 
of stolen intellectual property from American companies, 
including Cisco. They have built routers that look a lot like a 
Cisco router because they stole that technology.
    Now, they have improved on it. They modified it over time, 
but that is where they stole it from in the beginning.
    On top of that, they have depended on low-interest loans 
and no-interest grants from the Chinese Government. The Chinese 
Government goes around the globe subsidizing their purchases, 
giving countries other stuff, other benefits for taking Huawei 
equipment.
    And so we have got to compete in a world in which China is 
acting noneconomically to put their surveillance gear in place 
in allied countries and countries around the globe--not just 
allies, but partners as well. We can't do that effectively 
until we partner with our friends who make telecommunications.
    We don't make a ton of handsets. We make a lot of routers. 
We make a lot of core network gear. Then we have to get that 
into those networks.
    We did rip and replace at home. That is amazing. That is 
the right thing to do. We have got to do global replace, and 
that means putting some of our money and incentivizing our 
manufacturers and giving them the capabilities to go abroad and 
deliver that capability to our friends the way the Chinese are 
doing against us with the Huawei and ZTE.
    Mr. Joyce. Mr. Stehlin, in the moments that are remaining--
first of all, thank you for your leadership and your advocacy 
at SIA. But what specific actions have your member 
organizations taken to protect themselves against the attacks 
and strengthen the supply chain?
    Mr. Stehlin. Yes. So we are and our members are very much 
focused on the processes that are used to develop new products. 
It is, as you mentioned a minute ago, a big challenge with 
companies, companies like Huawei, that undercut us financially, 
often selling below cost just to win the business and to hang 
onto it.
    We need to rebuild our infrastructure here in the U.S. We 
need to rebuild our vendor base in the U.S., and it starts with 
the ICT space, specifically with semiconductors.
    Mr. Joyce. And I thank you. And I think you, I, and 
President Trump all recognize that building that 
infrastructure, that supply chain right here in the U.S. is 
important and, actually, paramount for our success.
    I thank all of our witnesses for being with us here today, 
and, Mr. Chair, I yield.
    Mr. Fry [presiding]. The gentleman yields.
    The Chair now recognizes the gentlelady from California, 
Ms. Barragan.
    Ms. Barragan. Thank you, Mr. Chairman. We just heard that 
it is important to build the infrastructure here, chips made in 
the U.S., develop a domestic capability. We kind of heard this.
    Mr. Stehlin, you brought this up--and this hearing, by the 
way, is called ``Securing the Future of Communications 
Infrastructure.'' If we repealed CHIPS, if we repeal the CHIPS 
Act, would that be helpful?
    Mr. Stehlin. No.
    Ms. Barragan. OK. Why would it not be helpful?
    Mr. Stehlin. It would not be helpful because we need more 
capital investment in the United States. It needs to be a 
strategic investment.
    I won't address some of the specifics of the CHIPS Act. 
But, fundamentally and strategically, it is critical that these 
skills be brought back to the United States as quickly as 
possible.
    Ms. Barragan. Thank you. I also disagree withthe President 
that we should repeal the CHIPS Act.
    Ms. Galante, in 2017 the San Pedro Bay Port Complex, the 
busiest in the Nation and located in my district in southern 
California, experienced a major ransomware attack that forced 
the shipping company Maersk to halt port operations for several 
days and ultimately cost the company over $300 million.
    This cyber attack prompted the port to establish a Cyber 
Resilience Center, which monitors the port's technology 
environment and now fends off 80 million cyber attacks per 
month.
    Ms. Galante, from a national security standpoint, how 
vulnerable are ports to cyber attacks from foreign adversaries 
and other bad actors, especially if cybersecurity has not been 
prioritized in these sectors?
    Ms. Galante. Port security is national security, and this 
area and the technology underneath of it is incredibly reliant 
on digital technology, and ever more so each year.
    We have also seen--you mentioned a recent ransomware 
attack. There has been a variety of targeting at ports in the 
U.S., but also globally. We have to up cybersecurity in this 
space.
    Last February there was an EEO on maritime cybersecurity. 
It put $20 billion into this. And I think that was an important 
investment, and it gave the Coast Guard additional authorities 
and responsibilities in cybersecurity. We have to take port 
security seriously.
    Ms. Barragan. Thank you. Cyber attacks often also hit 
marginalized communities the hardest with disruptions to 
hospitals, schools, and public services in communities of color 
that have already seen less resources and support. In fact, 
people of color have a 12 percent greater chance of 
experiencing some sort of financial damage resulting from a 
cybercrime incident and are 6 percent more likely to have their 
identity stolen.
    Ms. Galante, what steps should Congress take to ensure our 
National Cybersecurity Strategy prioritizes the protection of 
these vulnerable communities?
    Ms. Galante. You mentioned two sectors specifically: 
healthcare, and education and schools. These areas have been 
really hard hit by ransomware attacks over the last few years. 
And one of the reasons is because their security posture is 
incredibly weak. Schools don't have the funding to put in place 
the types of security measures that the banks, for example, do. 
We need to find some middle ground that makes these targets 
more secure.
    The other piece here that we haven't talked about but is an 
enormous problem across the country are cyber scams. I bet 
everyone in this room has gotten some text saying an Amazon 
package is headed their way, or ``double click'' or ``message 
me back, I have a great offer for you.'' Even love scams. This 
is a real epidemic that we have here.
    And the term in the cybersecurity community is called ``pig 
butchering.'' What they will do is use social engineering, use 
a conversation to aggregate and get people to put their funds--
sometimes student loan debt, other places where they have money 
and exposure and are really looking for a way to get money and 
get out of a bad situation--and they will go and invest it in a 
fake crypto scheme.
    A lot of these criminals behind this activity are in 
Southeast Asia, they are in Eastern Europe. And they are 
profiting from it. We need more exposure, and we need to shine 
a light on these cyber scams and what they are doing to 
everyday Americans.
    Ms. Barragan. Great. Thank you.
    Mr. Jaffer, when I got to Congress, I had two phones. One 
is my personal phone, and one is a government-issued phone. If 
I am going to have a conversation with somebody on one of these 
phones that has classified information, which one should I use?
    Mr. Jaffer. Neither one.
    Ms. Barragan. OK. But this one has Signal on it. Are you 
telling me that Signal--I shouldn't be having classified 
conversations on Signal?
    Mr. Jaffer. No. As Ms. Galante correctly laid out, we have 
systems for classified communications today--are the only 
places to have classified communications.
    The problem, of course, is those devices, particularly if 
you are talking about TSCI data, are in SCIFs, right. You can't 
have classified communications outside of a SCIF at the TSCI 
level.
    So, if you want to communicate about an ongoing activity, 
you have got to figure out a way to do it. Signal is not a good 
way to do it.
    At the same time, if we don't give our Government officials 
capable ways of communicating on the fly--the reality is 
everyone expects instantaneous communication today. That is 
just the world we live in. And so if you are a Government 
official, you are in a tough position of saying, ``Do I have to 
go to a SCIF? How do I do that?''
    Using Signal is not the right answer, but we have got to 
give our senior leaders and our Government officials a way to 
communicate that works on the fly, on the run, that doesn't 
force them to go in a room and hide out. Otherwise, they will 
never use it, and they will find workarounds, and then we will 
have bad situations where they are having communications over 
systems they are not authorized to have them over.
    Ms. Barragan. Thank you. You would think the Secretary of 
the Department of Defense would know that.
    I yield back.
    Mr. Fry. The gentlelady yields.
    The Chair now recognizes the gentleman from Florida, Mr. 
Bilirakis.
    Mr. Bilirakis. Thank you.
    I appreciate it very much. I thank the witnesses for their 
testimony today.
    I want to start off with Mr. Stehlin. In your written 
testimony, you mentioned your organization developed the SCS 
9001 supply chain security standard. I am a big proponent for 
industry-led standards generally, but, of course, there has to 
be something in it for the participants for it to work.
    What fundamental elements does a company's product have to 
show it to receive a certification under your system, and what 
benefits result from achieving certification?
    Mr. Stehlin. Thank you for that question. Yes, the benefits 
are tremendous in that you can verify trust, and you can prove 
that your product, hardware, software, as well as the company 
itself is a trusted supplier. A service provider or a 
government or a critical network operator is going to want to 
buy from companies that have proven that their products are 
trusted.
    And then we use continuous improvement to constantly 
upgrade the processes. We don't tell a company through the 
standard how they develop a product. They just have to have 
certain processes and controls in place and verify that those 
are there.
    Mr. Bilirakis. Thank you very much.
    Mr. Jaffer, when talking about the Salt Typhoon, much is 
said about how data, political figures, and corporations were 
compromised, and that the threats they can pose to national 
security and business interests. However, less is said about 
how the privacy and data for--of everyday Americans was 
compromised and is impacted.
    Why should the average American be concerned about the Salt 
Typhoon attacks on their own data, and what threats does China 
pose to them by having this individual data?
    Mr. Jaffer. Well, Congressman Bilirakis, it is a great 
question. The challenge that we have today is that the Chinese 
deeply infiltrate our telecommunications networks. That means 
they have access to massive amounts of metadata of ordinary 
Americans. The communications that you and I have, a phone 
call, the date, time, and duration of that phone call, 
potentially the same date/time duration of emails that we 
engage in, and then they can choose who to go after.
    So we know they can get both metadata and content. So 
average Americans should be worried that they have all their 
metadata, and then, on top of that, if the government, if the 
Chinese Government chooses to, they can go and collect the 
contents of those communications as well. So it is a full 
spectrum capability--if we had that capability on Chinese 
networks, we would be thrilled--the Chinese achieved our 
networks, and yet today we are not focused on this problem, 
right. We are talking about Signal chats and the like. And, no 
doubt, that is a big problem, but the real threat is that our 
entire telecommunications infrastructure was compromised, and 
the U.S. Government has not responded to it, has not taken 
accountability for its own failures in detecting that threat 
and helping our telecommunications system defend it. Instead, 
our Government has said, ``We will blame the telecommunications 
providers.''
    You are never going to beat China if you are a private-
sector company. You have got to have the Government's help. The 
Government is not doing its job. This is never going to work.
    On top of that, the American people should also be worried 
about apps they have on their phones like TikTok, which collect 
massive amounts of data on them. People think, well, you know, 
these are just videos of kids and dogs and--but the reality is, 
is that it is collecting a tremendous amount of information, 
not just who you are communicating with but your voice as well, 
numerous times, and it passed that data back to Chinese 
Communist Party.
    We have a law--the Congress passed a law in a bipartisan 
way. That law has yet to be implemented because we, you know, 
we made a political call that it is better to have TikTok 
running. We need to enforce the law that is in place today. 
TikTok should be banned in this country. And, to the extent 
that American people have access to it, they should take it off 
their phones because they are voluntarily letting the Chinese 
Government onto their devices to collect data on them. When you 
combine that data with all the other information the Chinese 
Government has, that it is going to conduct a very significant 
intelligence and operations against American citizens around 
the globe, that is a bad day for America.
    Mr. Bilirakis. Thank you very much. I appreciate it.
    I yield back, Mr. Chairman.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the gentleman from Louisiana, Mr. 
Carter.
    Mr. Carter of Louisiana. Thank you, Mr. Chairman.
    And thank you, witnesses, for being here today. Today's 
hearing addresses a matter of urgent national importance. I 
believe this is an important hearing, and the security 
challenges we face are real, and they can be met with 
bipartisan cooperation. And I am enthusiastic that this 
committee can do just that.
    Our telecommunications infrastructure faces daily threats 
from hostile foreign actors, cyber criminals, and even policy 
failures here at home that we just heard of moments ago, but 
adversaries like the Chinese Communist Party exploit 
vulnerabilities in our networks to spy, disrupt, and steal.
    The American people are also endangered by reckless 
behaviors within our own Government. However, I must echo many 
of my colleagues' comments who are concerned about recent 
security failures where senior defense officials are using 
unofficial and unsecure messaging apps like Signal to share 
sensitive and classified information that should have been put 
in a SCIF or some much more secure place for communications. We 
cannot have an important hearing like this and ignore 
irresponsible and dangerous lapses of judgment like this.
    As President Trump shifts responsibility for cyber defense 
to underfunded localities, dismantling national protections and 
disregarding bipartisan security legislation, our country is 
left more vulnerable. Meanwhile, Democrats are always willing 
to work across the aisle to modernize and secure our 
communications.
    My home State of Louisiana and the Nation must have the 
resources necessary to make sure we have the capacity to update 
our networks and provide for expanded broadband access. Funding 
for B programs has been vital, have been a vital component to 
the State's initiative to reduce the digital divide. Yet, in 
Louisiana, abruptly, before--just as we were completing our 
final stage, this administration froze those funds, negating 
all the work that had been done to advance this vital tool in 
our cybersecurity. This is a problem passed and implemented by 
a bipartisan Congress--a program that was passed, implemented 
by a bipartisan Congress. I can't say that enough.
    As we look forward to working with my colleagues across the 
aisle to pass the Next Generation 9-1-1 Act, we must not allow 
our public safety telecommunications and telecommunicators and 
first responders to do their jobs with outdated equipment and 
technologies. It is a must.
    I have heard each of you speak. You have spoken eloquently 
on the needs that we as Members of Congress can do and how we 
can listen better.
    Some things are political, and most things are not. This 
clearly is one that should not be.
    Ms. Galante, in your testimony, you discussed the Salt 
Typhoon attack that was unprecedented in scope. What risk are 
we taking by not moving to provide adequate funding to update 
the 9-1-1 network infrastructure around the country to a more 
IP-based technology like NG9-1-1----
    Ms. Galante. The emergency response 9-1-1 networks are 
incredibly critical to secure, and we have to up the posture on 
these different organizations and provide the funding to do it.
    In fact, over the last several years, emergency response 
centers and 9-1-1 lines have been widely targeted, especially 
by ransomware groups who look to freeze those networks and then 
get a payment in return. We have seen this happen in Texas and 
Pennsylvania and Florida, and there's probably many unreported 
instances of this as well. This is critical. We don't want to 
be in manual dispatch mode when you have ambulances going out.
    Mr. Carter of Louisiana. Mr. Stehlin, OpenRAN allows 
different parts of our network to be supplied by different 
equipment and software vendors. My understanding as this plug-
and-play approach means that no one vendor has the lock on any 
component within the network.
    How does this plug-and-play approach promote competition 
among vendors while benefits to everyday consumers like we see 
with other emerging technology?
    Mr. Stehlin. Thank you for that question. OpenRAN is an 
excellent technology that allows various aspects of a wireless 
network to be purchased from various vendors. So, if you have 
common continuity between the various parts, if the connections 
between a RAN device and a base station router are opened up, 
it allows more competition, so----
    Mr. Carter of Louisiana. You leave me about 6 seconds. Go 
on.
    Mr. Stehlin. The last thing I would say there is it is a 
challenging game to build wireless networks.
    Mr. Carter of Louisiana. Thank you. Mr. Jaffer, you 
mentioned just a moment ago about TikTok and the fact that this 
bipartisan body passed a ban on TikTok because of the massive 
breach and threat that it has for our cybersecurity. It has 
been extended 90 days, and now it has gone beyond that 90 days.
    Every day that goes by that the Communist China Party 
continues to collect the data, what kind of risk does that put 
our cybersecurity and country in?
    Mr. Jaffer. Mr. Carter, that--allowing TikTok to remain on 
American phones creates a massive, unprecedented risk to 
America's national security and the privacy and security of 
every single American citizen who has that app on their phone. 
It should be--people should voluntarily remove it immediately. 
The law should be enforced. There is no provision in the law 
that allows it to be extended beyond 90 days. There is one 90-
day extension allowed by law if, in fact, there is a deal in 
process. There is no provision for a 90-day extension. The law 
should be enforced today.
    And it is worth noting that even if the administration 
chooses to voluntarily not enforce the law against providers 
who allow TikTok to remain on their networks in the app stores 
and the like, those app providers and app subscribers can be 
held liable in a future administration if it is within the 
statute of limitations.
    So everybody who is allowing TikTok to remain on their 
devices should know that they are potentially exposing 
themselves to liability, even if this administration chooses 
not to enforce the law, in a future administration.
    Mr. Fry. Thank you. The gentleman's time has expired. The 
Chair now recognizes the gentleman from Georgia, Mr. Carter.
    Mr. Carter of Georgia. The other Carter--from the right 
coast.
    Thank you all for being here. I appreciate it very much.
    Let's talk about subsea cables because we know they are the 
backbone of the internet, and we know that they are critical 
for intercontinental communication and transactions. In fact, 
it is estimated that $10 trillion of financial transfers occur 
daily as a result of the subsea cables.
    Ten trillion dollars daily. That is a lot of money. That is 
a lot of transfers.
    Anybody who has read the news lately understands that, in 
the past 6 months, our adversaries have been using and 
targeting these cables and cutting into critical--to cripple 
the economic and national security of countries around the 
world. Obviously, an easy target. We understand that.
    Let's talk about the importance of redundancy, because 
redundancy is extremely important in the resilience of our 
cables and the diversity of routes that are needed to ensure we 
limit our vulnerability whenever we are talking about these 
cables.
    I have been working to try to expedite the permitting 
process of cables in the National Marine Sanctuaries with my 
bill H.R. 261, the Undersea Cable Protection Act, and I think 
we need to think about ways to expedite the permitting process 
more generally too. We need to get more cables deployed as 
quickly as possible and ensure that we can meet the capacity 
needs.
    Mr. Stehlin, I want to ask you, can you explain why 
redundancy is so important for subsea cables, and how important 
it is from a national security perspective that we don't have 
one single point of failure?
    Mr. Stehlin. Thank you for that question. Yes, it is really 
critical that you don't have a single point of failure. As I 
mentioned earlier, there are about 600 subsea cables in 
operation today around the world but something like 1,700 
landing points. So, as a cable gets closer to shore, it will 
split and have multiple landing points. We need to increase the 
number of cables, yes, but we also need to increase the number 
of landing points here in the United States. There may be 90 or 
so landing points in the United States.
    As you mentioned, permitting is a major issue. In some 
cases, it can take 400 days on average to get a permit, and 
sometimes up to 900 days to get a permit.
    Mr. Carter of Georgia. Nine hundred days.
    Mr. Stehlin. Nine hundred days. And so I would argue that, 
perhaps, we put NTIA, which is the President's advisor for 
telecom issues, in charge of Team Telecom instead of the DOJ. 
They look at it from a different perspective. DOJ absolutely 
should be on the committee but perhaps not have the lead.
    Mr. Carter of Georgia. So I mentioned my bill, H.R. 261, 
which also aims to prohibit duplicate permits that are 
currently being required by NOAA in marine sanctuaries 
especially. I know that there are other areas where there are 
duplicate permitting reviews that are delaying the deployment 
of cables.
    Can you suggest, Mr. Stehlin, where the committee might be 
able to work to streamline the permitting process for subsea 
cables?
    Mr. Stehlin. Yes, a great example might be a trusted 
partner framework. So, if somebody has built a cable in the 
past and has proven themselves, should they have to go through 
every single step yet again, or can they get fast-tracked 
because they have proven themselves to be a trusted partner?
    Mr. Carter of Georgia. Good. Good. Excellent. The special-
use permits that are issued by NOAA are limited to a 5-year 
license term, which is in stark contrast to the 25-year FCC 
license term.
    Can you speak to the justification of possibly having a 25-
year license term for subsea cables and the importance of a 
guaranteed 25-year term from an investment perspective?
    Mr. Stehlin. Yes. Typical payback for these subsea cables 
might be 7 years just to break even because you are talking 
hundreds of millions of dollars of investment upfront, and then 
you have to go through the permitting process--it might be 
pulled out, et cetera.
    So, by having a longer-term license, it ensures that the 
company is going to make that investment. If you have 7 years' 
payback just to break even, that is a tough business decision.
    Mr. Carter of Georgia. I want to talk in general terms 
right now, and when I say ``general terms,'' I do mean general. 
I don't care what sector of our economy you are talking about, 
when people come into my office, when businessmen come into my 
office, businesspeople come into my office, it is always the 
same story, whether it be--whether it be communications, 
healthcare, energy: ``Permitting, regulations crushing us. 
Crushing us. We have got to do something about this.''
    Thank you all for being here. Very, very important. I yield 
back.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the gentleman from New Jersey, Mr. 
Menendez.
    Mr. Menendez.Thank you, Mr. Chairman. With international 
cybersecurity threats on the rise, we are facing increasing 
threats to our critical infrastructure and our economy.
    This past fall, the U.S. experienced a devastating Chinese 
state-sponsored attack on our telecommunications networks, 
stealing sensitive geolocation data and targeting both 
Democratic and Republican elected officials.
    We have heard throughout this hearing about bipartisan 
support for defending our country against cyber threats, as we 
should, but the Trump administration has been weakening our 
country's cybersecurity defense system by slashing our cyber 
workforce and recklessly transmitting sensitive information, 
making it easier for our foreign adversaries to access 
Americans'--Americans'--most sensitive personal data.
    Ms. Galante, just yes or no, will the Trump administration 
dismantling the Cyber Safety Review Board weaken collaborative 
security and intelligence work?
    Ms. Galante. Yes.
    Mr. Menendez. Ms. Galante, is a public-private security 
ecosystem necessary for a strong collective defense and 
national security posture?
    Ms. Galante. Yes, it is critical.
    Mr. Menendez. Mr. Jaffer, you even said yourself, private 
companies cannot compete with China alone. So it seems that a 
public-private security ecosystem is essential for our national 
security. Would you agree with that, yes or no?
    Mr. Jaffer. Absolutely.
    Mr. Menendez. Thank you.
    Ms. Galante, going back to you, with China investing 
heavily in recruiting and training their cyber workforce, is it 
important to our national security for the U.S. Government to 
maintain a robust cyber workforce capable of defending against 
cyber attacks?
    Ms. Galante. Incredibly important.
    Mr. Menendez. And not just maintain it, but we should be 
growing it and doing everything we possibly can to get more 
people at community colleges, at universities across the 
country, to begin their career in cybersecurity; is that 
correct?
    Ms. Galante. Especially at this moment.
    Mr. Menendez. Thank you. That is why I am concerned about 
reports that DOGE plans to cut 1,300 jobs from the 
cybersecurity workforce at CISA. In fact, even the former head 
of CISA under the first Trump administration said that he is 
outraged by these cuts, and I look forward to all of my 
Republican colleagues joining me on a letter to the 
administration on this issue.
    Sticking with the theme of DOGE cuts, I want to ask a few 
questions about the increasing number of reports that DOGE has 
been leaking and weaponizing Americans' personal data. It seems 
like every day we hear another report about the mishandling of 
our personal information--and this is just the first 100 days. 
From individuals with Russian IP addresses attempting to log 
into Federal databases at the NLRB to DOGE employees gaining 
access to networks that hold nuclear secrets, it has become 
clear that the Trump administration cannot be trusted with our 
personal information.
    Ms. Galante, should Americans be concerned about reports 
that individuals with Russian IP addresses have attempted to 
log into a Federal database that holds our personal 
information?
    Ms. Galante. Yes. IP addresses coming from Russia and 
network traffic coming from Russia is typically blocked. So I 
am surprised that this isn't already getting filtered out.
    Mr. Menendez. There have also been reports that ICE is in 
the process of pulling together data from across Federal 
agencies for a database they call the alien tracker in order to 
facilitate mass deportations.
    Ms. Galante, just yes or no, would a database that stores 
personal data from multiple agencies across the Federal 
Government, such as the alien tracker, be a target-rich 
environment for our foreign adversaries to attack?
    Ms. Galante. It would be a prime target.
    Mr. Menendez. And once we accept that this administration 
is going to collect our personal information and put it into a 
database, whether it is for immigrants or any other group of 
Americans, it makes it highly susceptible to foreign attacks 
and puts all of our personal information at jeopardy. Would you 
agree with that?
    Ms. Galante. Highly valuable in our adversaries' hands.
    Mr. Menendez. So let's turn to AI quickly, because I 
believe you would agree that AI has increased the 
sophistication of cyber attacks against target-rich datasets.
    Ms. Galante. Yes.
    Mr. Menendez. And can you just briefly explain. Empowering 
AI, there are two components, as I understand it. Downstairs, 
we are on the Energy Subcommittee talking about the energy that 
goes into AI. The other is the collecting and use of data. Is 
that correct, and can you speak to that?
    Ms. Galante. Sure. On the collecting and use of data, your 
processing powers are incredibly multiplied when you are 
looking at datasets. You are able to find patterns. You are 
able to find different insights within large datasets. You are 
able to cross different modalities. This is the sort of the way 
that highly analytic endeavors are shorthanded and quickly 
given to our adversaries so that they can figure out how to 
make sense out of the noise in huge datasets and deploy them 
against us.
    Mr. Menendez. And this goes back to why we originally 
banned TikTok. Is that correct?
    Ms. Galante. It is one of the reasons why TikTok could 
provide a powerful dataset to our adversary.
    Mr. Menendez. So, while AI is strengthening our enemies' 
cyber capabilities, the Trump administration is leaving us 
vulnerable to attacks and weaponizing our data against us. This 
is not a Democratic-Republican issue. Any administration should 
prioritize protecting Americans' sensitive data, and my 
Republican colleagues cannot pretend to take threats from 
foreign actors seriously while the Trump administration is 
slashing CISA's workforce and allowing unauthorized DOGE 
employees to access Americans' data on demand.
    This should be a bipartisan issue. It is one I am concerned 
about. I dealt with it on Homeland Security with Mr. Pfluger--
sorry, the clock went off, so I couldn't tell--that we should 
all be in lockstep on, but that means we have to speak out when 
our administrations, Democrat or Republican, are failing us. 
This administration is failing us on this critical issue. Thank 
you, and I yield.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the real chair, Mr. Guthrie from 
Kentucky.
    Mr. Guthrie. Not the real chair. The other chair.
    So, hey, thanks a lot. I appreciate you guys being here. 
And, first, Mr. Stroup, I am kind of concerned about satellite 
GPS. And I am an old artilleryman. Old artilleryman. In my day, 
you had to use binoculars and see where a round landed, and 
then you would call it back in, and somebody would use that--
literally a slide rule to calculate what the data was, and you 
had to walk--you had to bracket the target, as we say, or walk 
it out.
    And, now, this has been years. So I don't even know what 
they do now, but they shoot a shot, they lase the--or they lase 
the target, send a GPS code to the guns. They shoot, lase the 
bursts, send the GPS code to the gun, and the guns adjust, and 
it is one round fired for effect now. That depends on 
satellites.
    So my big concern on satellite security, I mean, just walk 
through the national security--that is just shooting artillery. 
That is a whole lot of things that our satellites depend on in 
the civilian world, but also particularly our military world.
    I used to be the proverbial lieutenant with a map. Now you 
get an eight-digit ZIP Code--just by knowing what your watch 
tells you. So how do we do that? How do we fix the map?
    Mr. Stroup, I guess I couldn't see you. Mr. Pfluger is a 
tall guy. Sorry.
    Mr. Stroup. Thank you for the question. So, yes, obviously 
adversaries can use location information. The key from our 
perspective is ensuring that they are not subject to spoofing 
and to jamming. So the next generation of GPS satellites have 
increased capabilities against them. And, actually, I think it 
is important to note that there is already a redundant system 
for navigation system----
    Mr. Guthrie. How do you make it redundant for--I know you 
have got navigation. You have got--I mean, that is just as 
simple as, like, low artillery. You are talking about 2 or 3 
miles communication to each other.
    Mr. Stroup. So GPS is a free system provided by the 
Government. There is also another system operating off of a 
constellation of satellites, and there are also studies 
underway to look at other systems. But, certainly for the 
importance of all of the uses, whether it is military or 
commercial, we do have redundancy built into the system.
    Mr. Guthrie. OK. Thank you. I was looking at--Mr. Stehlin, 
I was looking at you because I couldn't see Mr. Stroup. So I 
will ask you this. I mentioned in my opening statement a 
concern for subsea cables. I mean, gosh, we have so much to 
protect. What are the threats to subsea cables, and how can we 
be less susceptible to damage?
    Mr. Stehlin. Redundancy, number one. Number two is having a 
repair system that is very quick and accurate, meaning more 
ships, a big shortage of ships, more landing points adds 
redundancy in the United States, and working with friendly 
governments to ensure the equipment they are using is trusted 
equipment.
    Mr. Guthrie. OK. Thank you. I am not sure how much time I 
have, but, Mr. Jaffer, the Rip-and-Replace, we led that effort. 
And, when we think about supply chains, what else do we need to 
do?
    Mr. Jaffer. Well, Mr. Chairman, I think certainly Rip-and-
Replace going global is going to be critical, right, because 
what is happening is our adversaries are putting this Huawei 
and ZTE and other Chinese gear in around the global. So it is 
important to expand that broadly.
    Beyond that, we need to look at other core supply chains, 
semiconductors, critical minerals. We know the Chinese have a 
choke hold on these things, whether it is the processing of 
critical minerals or the like. We need to get ahead of that and 
get ourselves out of that.
    And then, finally, we need to look at the entirety of the 
American supply chain. We realized during COVID that we have 
this dependency on China pharmaceutical precursors, and yet we 
continued to maintain and allow ourselves to be addicted to 
Chinese goods of all sorts.
    It is one thing to buy T-shirts from China. It is a whole 
other to buy critical minerals, semiconductors, and routing 
and----
    Mr. Guthrie. We had a hearing on medical devices, and we 
found in the medical device, because it was an investigation 
and oversight hearing, they had connections with ERL at the 
University of Beijing, and medical device, just collecting 
massive amounts of data, I think Mr. Menendez is talking about, 
so they use it in their AI.
    Mr. Jaffer. And just think about connected cars. Think 
about the havoc you could cause if instead of having a bunch 
of, whether it is Teslas or Slates, or whatever American EV 
manufacturer you want--Chevy, right, Ford--if we had a bunch of 
BYD cars running around the United States--which is what, by 
the way, China wants us to do. Part of the reason they are 
cutting us off from critical minerals is they want us to buy 
their electric cars so that those electric cars are connected. 
They could turn it off when the time is right.
    Mr. Guthrie. Well, thanks. I am not sure--I don't see the 
clock. Have I got a couple minutes?
    So I was in Europe, I was on a NATO meeting, and we were 
talking about all the privacy. We have to deal with privacy on 
this committee as well, so very interested in that. And my 
question was, If you have a system of Huawei and ZTE, should 
you even worry about your privacy? Do you have privacy even if 
you regulate privacy?
    Mr. Jaffer. You know----
    Mr. Guthrie. Doesn't it seem kind of inconsistent to say we 
are going to have all these privacy laws, but then we are going 
to let all the Chinese equipment in our country?
    Mr. Jaffer. It is astounding to watch the Europeans come 
after American companies because they are concerned about our 
privacy rules and our privacy regulations, and yet, one, they 
buy tremendous amounts of Chinese gear and are willing to give 
their privacy up to the Chinese.
    We also note that, you know, the Europeans have massive 
surveillance capabilities internally. They never talk about 
those. They talk about our industry and our companies. They 
don't talk about their own government surveillance 
capabilities.
    So I think it is really important to think, look, at the 
end of the day, if you have to make a decision, you could be 
like the Europeans, and you can regulate first and innovate 
second, or you could be like the Americans and innovate first. 
That's what we have got to do.
    Mr. Guthrie. Thanks. I can't see a clock, but I think they 
just gaveled me down, so thank you for your answers. I 
appreciate it very much. Thanks.
    Mr. Fry. The gentleman yields.
    Before we recognize the next person, we are going to reset 
this clock.
    [Pause.]
    Mr. Fry. There we go. The Chair now recognizes the 
gentleman from Ohio, Mr. Landsman.
    Mr. Landsman. Thank you, Mr. Chair. I appreciate all of 
you. I want to get into the undersea cable issue. And we have 
talked about this extensively, rightfully so, and would ask, 
Mr. Chair, for unanimous consent to enter into the record an 
article in Newsweek about China: ``China Unveils Game-Changing 
Weapon That Could Decide Future Wars.'' It just speaks to the 
fact that cybersecurity is national security, and national 
security is cybersecurity.
    And the article goes into, obviously, everything that China 
is doing with their submarine technology to disrupt these 
cables. The vast majority of communications goes through these 
cables, 95 percent of everything that we do globally. And your 
testimony today suggests there are several things that we have 
to do: One is the redundancy work; two is the ships; three, I 
am assuming, is part of the repair work, but the technologies, 
the sensors. I mean, I--and maybe I am jumping to a conclusion 
here that doesn't exist, but I assume that there are early 
detection work that we could be doing, or do we find out 
immediately when these things happen?
    So I am wondering if you can say a little bit more about--
or speak to existing legislation. I know Mr. Carter has a bill 
around permitting, and that is something that I think we should 
all jump on and support, especially to your point about trusted 
partners who are already doing this. Can you talk a little bit 
about the ships, what we would need to do. What does that look 
like?
    Mr. Stehlin. Yes. There are certain ships that are designed 
to lay and repair cables. You can go to Baltimore Harbor and 
see them from time to time.
    Mr. Landsman. Yes.
    Mr. Stehlin. That is one place to see them. And these ships 
lay out the cable. They are specifically designed to do this. 
Finding the problem, it can get isolated fairly quickly, 
because once you lose a signal you can identify where----
    Mr. Landsman. Fair enough.
    Mr. Stehlin [continuing]. The problem is, using something 
called an OTDR, an optical time-domain reflectometer, all 
right. So that is something that you can use to find out where 
the problem is. But then you have got an issue of what are the 
seas like, has the cable moved or shifted around because of 
tides and currents and things like that.
    So adding more ships and having this be a better and bigger 
industry is really important on top of ensuring that Western 
technology and Western companies take back the lead in this, 
rather than Huawei.
    Mr. Landsman. How many ships do we have now? How many do we 
need?
    Mr. Stehlin. I can't answer specifically, but it is single 
digits to low, maybe. perhaps a dozen.
    Mr. Landsman. Yes. Go ahead, sir.
    Mr. Stroup. If I may, since the issue of redundancy for 
undersea fiber cables has come up, I want to stress the 
importance of satellite, the ability to be able to transition 
immediately. And while we certainly don't have the ability to 
carry all of the traffic, as an example, that is carried into 
Taiwan, what they are doing, I think, is a good example of how 
we prepare for the potential of an undersea cable cut, and that 
is putting in place arrangements with multiple satellite 
companies, obtaining the terminals so that they do have true 
redundancy in real time. Thank you.
    Mr. Landsman. Yes, I think that makes sense. And I think 
the only point you were making, sir, is that it is not--it is 
good for redundancy and for those moments of acute need but not 
necessarily an alternative to the fiberoptics.
    I want to get back to the ships. Sorry. If it is single 
digits, I mean, do we need twice as many?
    Mr. Stehlin. The more landing points, the more cables we 
have, definitely the more ships you need.
    Mr. Landsman. Yes.
    Mr. Stehlin. And there is no doubt about it.
    Mr. Landsman. OK. So is there anything else? I mean, 
between Mr. Carter's bill, getting additional ships, the 
satellite partnerships that, you know, would expand our 
capacity, is there anything missing in terms of----
    Mr. Stehlin. Yes. I would reiterate the permitting 
process----
    Mr. Landsman. Yes.
    Mr. Stehlin [continuing]. Needs to be sped up. And, again, 
I think NTIA ought to have the lead with telecom.
    Mr. Landsman. Oh, NTIA. That was the other piece.
    Mr. Stehlin. Yes.
    Mr. Landsman. NTIA, got it. And then I know that Mr. 
Carter's bill does the permitting, or at least that is--it 
sounds like it does, but the NTIA piece I am not sure is--I 
will look into that. I appreciate that. That makes sense.
    And I yield back.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the gentleman from Ohio--or Ohio--
Idaho, Mr. Fulcher.
    Mr. Fulcher. Thank you, Mr. Chairman.
    Mr. Stehlin, I represent the great State of Idaho, and 
there is a lot of rural space there. And a lot of the ISPs 
don't have a tremendous number of cybersecurity resources, but 
yet, they will oftentimes be integrated with major 
infrastructure components, whether it be a power plant or a 
grid or flood control or some of those major things, and 
oftentimes can have an impact there without necessarily the 
infrastructure or the cybersecurity expertise to fend off some 
of these new threats that are on their way.
    I would like to get any suggestions or comments from you on 
how CICIG might be a resource for that or other sources of 
counsel through your role at TIA.
    Mr. Stehlin. Thank you for that. Yes, Idaho is a tremendous 
opportunity to take advantage of the moneys put forth with Rip-
and-Replace, for example. You know, these rural operators have 
a hard time making money running a business when you are so 
spread out. So removing things, untrusted gear like Huawei or 
ZTE gear, critically important. Number two, the BEAD money, 
very important for States like Idaho, to help those unserved 
and underserved.
    So finding ways to continue to push that money out to rural 
America is very, very critical, and the way that it is 
connected to your industry, not just to the consumer. All that 
is especially interwoven in rural America, so industry as well 
as rural America consumers are tightly connected, and therefore 
the networks need to be tightly connected.
    Mr. Fulcher. Thank you for that.
    I want to do a followup question, same general subject 
matter, but having to do with cybersecurity incident reporting 
requirements. That is another one of those things that can be 
cumbersome, especially if you are a small ISP, and I wanted to 
get your comments on that as well. Is harmonizing maybe an 
option or other forms of report sharing something that we 
should be looking at a little bit deeper?
    Mr. Stehlin. Absolutely. We need to speak in one voice. We 
need to have one way of reporting incidents. Right now, every 
company and many agencies and departments in the Government and 
in State governments have different ways of reporting things. 
So with all these different requirements, and you are a small 
rural company, who do you respond to? How do you quickly 
identify the problem, quickly resolve the problem?
    If we speak in one voice and have one voice of mitigation 
and incident reporting, we will more quickly fix the problem, 
and then we will continually improve, because that is what a 
good benchmarking system does. It allows you to get better and 
better.
    Mr. Fulcher. Thank you for that as well.
    I am going to shift to Mr. Jaffer, and I am going to 
magically make you king for a day, OK.
    Mr. Jaffer. I love that, Congressman Fulcher.
    Mr. Fulcher. Undersea cables----
    Mr. Jaffer. Sure.
    Mr. Fulcher [continuing]. We have been talking about that a 
lot, and I don't want to regurgitate what others have brought 
up or similar questions. I know--I have made notes of the 
patrolling issues, satellite monitoring, the permitting issues 
that we have got, the need for redundancy. What we haven't 
talked about is penalties for nefarious actors, or at least 
that I have heard. But as king for a day, could you hit that 
topic again? What are the steps we need to be taking?
    Mr. Jaffer. Look, we have to make it clear to our 
adversaries, Russia and China primarily, when it comes to 
undersea cables, that we view those as part of our critical 
infrastructure, and if those are hit and we know it is them, we 
will make them pay a price. That price could be economic, it 
might be sanctions, it might be military. The truth is that we 
rely so much on these networks.
    And, by the way, they have similar capabilities in 
counterspace as well. So it is both our satellites and our 
undersea cables that are at risk when it comes to China and 
Russia.
    They take out those systems, we have to make clear to them, 
you will pay a price, and then when they do it, we have to 
exact that cost. If we don't have credibility, deterrence 
doesn't work.
    And that is one of the fundamental problems, is we don't 
talk about where our red lines are, we don't talk about what 
our capabilities are to respond, and then when the bad thing 
happens, we don't respond. So it is no surprise our adversaries 
aren't deterred, whether it is the cyber domain, whether it is 
undersea cables or it is counterspace. These are all 
vulnerabilities, and our adversaries have gotten too used to 
coming after us and not paying a price.
    Mr. Fulcher. Mr. Chairman, I think I am going to wrap with 
that. I do have another question or two, but I am going to 
submit that.
    Thank you, Mr. Jaffer, Mr. Stehlin, for your comments, for 
the entire panel for joining us today. Also, please note that 
some of us have dueling committees, and so if you got repeat 
questions, you understand why.
    But, Mr. Chairman, with that, I yield back.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the gentlelady from New York, Ms. 
Clarke.
    Ms. Clarke. Thank you very much, Mr. Chairman.
    Good afternoon, everyone. And I thank our panelists for 
their expertise this afternoon.
    The security of our communications network is one of the 
utmost importance to America's national security and continued 
global economic leadership. Securing our critical 
infrastructure against cyber attacks has been a top priority of 
mine since entering Congress, and I am proud to have served as 
chair of the Cybersecurity and Infrastructure Protection 
Subcommittee of the Homeland Security Committee in previous 
Congresses, where I was able to pass legislation to stand up a 
national reporting infrastructure, the cyber attacks on 
critical infrastructure regime.
    We have seen an uptick in cyber attacks in recent years 
fueled by advances in technology, including artificial 
intelligence. Further advances in consumer and commercial 
technologies alike have helped spur innovation across 
industries, particularly within respect to the IoT devices, but 
also have the potential to create new vulnerabilities that must 
be addressed.
    The very threat vectors which we now face require a 
serious, focused effort on the part of our Federal Government. 
And sadly, our current administration has not proven up to the 
task.
    Last month's Executive order on cybersecurity preparedness 
will weaken our defenses at a time when we face more threats 
than ever by shifting the responsibility of defending critical 
infrastructure to State and local governments, which too often 
lack the funding and expertise to take on this role. This 
decision leaves schools, emergency service providers, local 
governments, and others at risk by shifting the burden of 
warding off attacks from hostile foreign actors onto their 
backs.
    Additionally, this administration's inane, half-baked 
tariff policy will devastate supply chains and drive up the 
cost related to defending our communications infrastructure.
    Further, securing communications infrastructure begins with 
practicing good personal cyber hygiene, something the current 
Defense Secretary and National Security Advisor seems almost 
willfully unaware of. Their reliance on unofficial and unsecure 
messaging apps risk the lives of American troops and warrants a 
serious bipartisan investigation. It is extremely unfortunate 
that the current administration has consistently sought to 
dismantle tools and programs meant to protect our critical 
infrastructure from cyber attacks while senior officials ignore 
laws and best practices.
    We in Congress must, however, continue to our work to 
increase network and supply chain safety to allow consumers and 
businesses alike to make informed decisions impacting the 
security of our communications networks. Recent breaches have 
shown that vulnerabilities in communication networks stem not 
just from telecommunications infrastructure but also from 
compromised end devices and personal behavior.
    To that end, the FCC under the Biden administration adopted 
a voluntary cybersecurity labeling program in March of last 
year so that approved devices would bear the U.S. Cyber Trust 
Mark to help consumers identify trustworthy and secure products 
in the IoT marketplace while encouraging manufacturers to meet 
higher standards in product development.
    My question is to Ms. Galante, but other panelists may 
weigh in as well: How could the implementation and possible 
expansion of the Cyber Trust Mark program help address the risk 
our communication networks face?
    Ms. Galante. Thank you, Congresswoman Clarke. The 
cybersecurity--the Cyber Trust Mark, cybersecurity mark on 
Internet of Things-connected devices, is an important step in 
getting a baseline so consumers know what products are secure. 
It is similar to the UL, that Underwriter Laboratory metallic 
sticker that we all have on our different appliances. And I 
hope that Cyber Trust Mark goes the same way, which is to give 
consumers confidence that the company behind that product is 
following basic rules in cybersecurity that will make that 
product safer for their own personal use, and also so that they 
have some reliability that it is going to be patched and 
updated over time.
    Ms. Clarke. Very well. Anyone else want to add?
    Mr. Stehlin, uh-huh.
    Mr. Stehlin. Yes. TIA is very close to the Cyber Trust Mark 
and has been involved with the FCC from its beginning. We hope 
that it gets rolled out later this year. There's a lot of steps 
forward. Right now it is focusing on smart consumer devices and 
does not include things like home routers. We think it needs 
to.
    Ms. Clarke. Yes, very well.
    Well, listen, my time is up. I thank you all so much for 
adding your expertise to this very important conversation.
    And with that, Mr. Chairman, I yield back.
    Mr. Fry. The gentlelady yields.
    Mr. Fulcher. Mr. Chairman?
    Mr. Fry. Yes, sir.
    Mr. Fulcher. Thank you, Mr. Chairman. At the request of my 
colleague, Mr. Pfluger, I would like to request the committee's 
permission to enter into the record a letter to the Honorable 
Brendan Carr, Chairman of the FCC, from a number of us on this 
committee. It has to do with recommendations on network and 
cybersecurity. So with the permission of the committee, I would 
like to submit that into the record.
    Mr. Fry. Without objection.
    [The information appears at the conclusion of the hearing.]
    Mr. Fulcher. Thank you.
    Mr. Fry. The Chair now recognizes the gentleman from New 
Jersey, Mr. Kean.
    Mr. Kean. Thank you, Mr. Chairman.
    And thank you to our witnesses for being here today.
    As a member of this committee and the Foreign Affairs 
Committee, I have a strong interest in identifying and 
advancing commonsense measures that strengthen our 
communications infrastructure and counter the threats posed by 
adversaries like China, Russia, and Iran.
    Mr. Stehlin, first of all, welcome south. I am happy to 
have a resident of New Jersey's Seventh Congressional District 
here, and I am glad you are here to share your expertise. I 
understand the Team Telecom process can be burdensome and cause 
delays. What are the obstacles that burden or delay deployment 
of additional undersea cables?
    Mr. Stehlin. Thank you, sir, for that question. And I have 
been a longtime resident of East Amwell in the Seventh 
District, 32 years in the same house.
    So NTIA should be the lead in Team Telecom. They are the 
President's advisor for all telecom issues. Absolutely, the 
DOJ, Department of Defense, Department of State, DHS ought to 
be involved as well.
    But looking at it from the perspective of how we improve 
our telecom systems ought to be the first and lead of any type 
of evaluation, so that type of change would improve the 
permitting duration. Today it averages over 400 days, some 
cases as long as 900 days to get a permit, and often before it 
even gets to the FCC for the final approval. So this long, 
drawn-out process occurs before the FCC even sees the 
application. By fundamentally changing that and looking at it 
from the perspective of how can we improve our economy rather 
than a Justice Department that maybe has a different 
perspective on things, I think that would go a long way to 
improving it.
    Mr. Kean. OK. And what steps can we take to keep the U.S. 
as an attractive place for vendors and suppliers across 
communications technology sector to do business, create jobs, 
and innovate here in the United States?
    Mr. Stehlin. We ought to reward trust, reward investment, 
and we ought to point out with a big spotlight those that are 
not trusted and encourage both the United States and our 
friends around the world to not buy from folks that are not 
trusted.
    Mr. Kean. Yes. Thank you.
    Mr. Stroup, I agree that it is important to maintain 
leadership within international standard-setting bodies. In 
your view, what should American leadership and investment in 
these international bodies look like to best counter China's 
efforts to advance its own agenda, particularly in the 
satellite industry?
    Mr. Stroup. Thank you for the question. I think one of the 
first opportunities is relating to WRC-27, making sure that the 
United States has positions that are supportive of the 
satellite industry and that they advocate them with their 
international counterparts at WRC-27. If there is a void, China 
most definitely will step in. The same is true with respect to 
other standard-setting opportunities. If we are not 
participants, China will definitely take advantage of the 
opportunity.
    Mr. Kean. OK. And can you talk about the weather satellites 
could play a role potentially as a redundancy in the event or 
failure of or attack on undersea cables?
    Mr. Stroup. Yes, absolutely. So I gave as an example 
previously, the government of Taiwan is making arrangements 
with multiple satellite operators, bringing in the terminals. 
So should there be a cut, there is an immediate transition to 
satellite capability. So the good--you know, the benefit of the 
satellite capabilities are our infrastructure is in the sky, so 
they are not subject to something like a cable cut.
    Mr. Kean. Thank you.
    And, Mr. Stehlin, I appreciate your discussion of strong 
supply chain security. What are the safeguards against, 
hypothetically, a previously trusted supplier or vendor 
suddenly being compromised by an adversarial actor? In other 
words, how can we make sure that trusted suppliers stay 
trusted?
    Mr. Stehlin. Continuous verification of trust, so having a 
certification program that a company has to go through on a 
regular basis to ensure that the processes they are using are 
trusted and ensure that the company itself doesn't have 
injunctions against it since the last time it got certified. 
Those types of things are really important.
    Mr. Kean. OK. Thank you all for your testimony, and I yield 
back.
    Mr. Fry. The gentleman yields.
    The Chair now recognizes the gentlelady from Virginia, Ms. 
McClellan. Perfect timing.
    Ms. McClellan. Thank you, Mr. Chairman and Ranking Member 
Matsui, and I apologize for my timing. But given the increased 
number of cybersecurity threats threatening our critical 
infrastructure, this hearing is incredibly important. And the 
irony of this hearing is not lost on me, that while we scramble 
to catch up in the increasingly intense cybersecurity arms 
race, some of my colleagues ignore that one of our Nation's 
biggest cybersecurity vulnerabilities is the current 
administration and its drastic cuts to the Cybersecurity and 
Infrastructure Security Agency, a national security team that 
prefers to coordinate via unsecure messaging apps instead of 
following standard security protocols.
    And it seems that the biggest step that we could take 
towards safeguarding our critical telecoms infrastructure is to 
hold the administration accountable for reckless behavior and 
unwarranted funding cuts that have made us more vulnerable.
    I want to start with Ms. Galante. Can you expand on what 
you mentioned in your testimony regarding the availability of 
AI to improve data processing capabilities to allow even 
unsophisticated adversaries to more effectively extract key 
insights from stolen data and how worried we should be that AI 
will also greatly expand the ability of adversaries to get 
around our cyber defenses and commit even more devastating 
cyber attacks?
    Ms. Galante. Thank you, Congresswoman McClellan. AI is a 
double-edged sword. You can use it for security purposes, you 
can use it for data exploitation and a whole myriad of other 
things. Specifically when it relates to how our adversaries are 
able to advance their skill set quickly, when it comes to the 
exfiltration and the capture of large data sets, this is an 
area where we really need to focus on what the 
counterintelligence gain can be to them and what the 
vulnerability is to us.
    When you are able to sweep up huge amounts of data, whether 
it is from a telecoms network or another source, and then 
aggregate those data points, you get valuable patterns of life, 
you get valuable data sets and insights that can be used 
against us. It is critical that we understand how our 
adversaries use this.
    Ms. McClellan. Thank you for that.
    And also for you, Ms. Galante, given the growing 
cooperation that we have witnessed between Russia, Iran, China, 
and the DPRK in kinetic warfare against Ukraine, to the extent 
possible, in an unclassified setting, can you elaborate on how 
concerned we should be about the possibility of greater 
cooperation among our adversaries to engage in cyber attacks 
against us and to what extent do you believe that type of 
cooperation has already begun?
    Ms. Galante. I am particularly concerned about the sharing, 
especially of vulnerabilities, in widely used software in the 
U.S. that our adversaries could share between each other. 
China, for example, has national laws that require that 
vulnerabilities found by Chinese researchers or Chinese 
citizens are first given to the government. That is really 
important.
    That, in a way, gives them, the Chinese Government, an 
advantage on the zero days, the unexploited vulnerabilities, 
that are typically at the core of many of the products or a 
potential vulnerability in many of our products and critical 
infrastructure across the U.S. If those are shared broadly, 
this becomes an avenue for a scaled attack against the U.S.
    Ms. McClellan. And how should the United States be 
preparing itself for both the potential of AI-enhanced cyber 
attacks on critical infrastructure and the possibility of more 
coordinated cyber attacks amongst multiple hostile foreign 
adversaries?
    Ms. Galante. We have to continue to invest in the ecosystem 
of security industry researchers, in intelligence operatives 
with our U.S. intelligence and law enforcement, national 
security agencies, who together put together the picture of 
what our adversaries are doing next, and the next edge of 
attacks that are going to be hitting us. It is that combination 
that is going to keep us ahead of the threat.
    Ms. McClellan. Thank you, and I yield back.
    Mr. Fry. The gentlelady yields.
    The Chair now recognizes himself for 5 minutes.
    The systems that connect us, our networks, our satellites, 
cables, towers, and data centers, form the invisible 
architecture of 21st century life. Safeguarding that 
infrastructure, as you have all talked about, is not just a 
matter of technology, it is a matter of strategy, security, and 
sovereignty. The demand for our networks has exploded. 
Obviously, every year more devices connect to U.S. networks, 
more data flows, and more critical services depend on 
uninterrupted and secure access.
    Our systems are under strain not only from increased usage, 
but geopolitical risks, supply chain disruptions, and 
escalating cyber threats, particularly from nation states like 
China, as you have talked about. This isn't only about 
protecting websites or cell towers, it is about protecting 
hospitals from ransomware, grid systems from blackouts, and 
first responders from dropped phone calls.
    Telecommunications is infrastructure. It is also national 
defense, and it is economic security. So let's treat it like 
that. It is a national priority.
    Mr. Stroup, you mentioned rapid expansion and innovation of 
the satellite industry. Can you elaborate on the most 
transformative advances that we have seen in maybe the last 5 
to 10 years and what they would mean for our national 
infrastructure?
    Mr. Stroup. Thank you for the question. I believe that it 
starts with reusable launch capability. We have much more rapid 
launch than ever before. That has allowed many more companies 
to be able to launch their systems into space. I think, in 
addition, in terms of capabilities, the utilization of high-
throughput-capacity capabilities has allowed expansion for 
broadband services.
    So in terms of services, that is something that I would 
emphasize. The rapid growth of satellite broadband is really 
dependent upon that.
    In addition, within respect to the remote sensing sector of 
the industry, the ability to manufacture and launch sensors 
into space has opened up a completely new industry.
    So I would say, those are just some of the points that I 
would emphasize. And then we have also seen within 
manufacturing utilization of mass manufacturing techniques just 
given the increase in the number of satellites that are being 
manufactured, changing from bespoke manufacturing of large, 
bus-size satellites to hundreds or thousands of satellites 
being launched into space each year.
    Mr. Fry. Can you point to--and I know we have talked about 
this broadly, some of the other witnesses--but specific 
policies that put your industry at a competitive disadvantage 
compared to, say, foreign competitors?
    Mr. Stroup. Yes, certainly. I think that the ease of 
licensing within the United States is extremely important, and 
we have made a number of recommendations to the FCC, and we 
also work with NOAA on remote sensing to be able to streamline 
the licensing process. We have seen, fortunately, a great deal 
of investment that has been made in the industry.
    But certainly, we don't want to push any of the licensing 
opportunities offshore, because that is something that I hear 
about from our members. In the past, it has taken a long time 
to be able to get a license approved.
    I will note that in the last few years, we saw the creation 
of the Space Bureau with the FCC. At the time, there were 
64,000 pending applications, and that has gone a great way to 
be able to address that. But that has been one of the key 
points that I have heard from our members, is being able to get 
a license quickly.
    Mr. Fry. Thank you for that.
    Mr. Stehlin, you have talked about how vulnerable the U.S. 
telecom supply chain is today to foreign interference and 
dependency. What specific areas concern you the most?
    Mr. Stehlin. Specifically, the lack of strategic investment 
in the United States in the ICT space. We have to pull back as 
much as possible the development of semiconductors in that 
entire ecosystem around semiconductor development. That is 
number one.
    Number two, the lack of overall R&D investment. We have to 
encourage companies, incentivize them to spend more money on 
R&D, and we can do that through tax credits.
    Mr. Fry. So reauthorizing that critical----
    Mr. Stehlin. Absolutely.
    Mr. Fry. OK. What key technical or architectural decisions 
must we make now to ensure that our networks can withstand 
cyber attacks or disruptions?
    Mr. Stehlin. We need to speak in one voice. Right now, ISPs 
each have their own methodology for managing cybersecurity and 
supply chain security. The Government has multiple ways of 
managing that, so we need to speak in one voice, which will 
allow us to react more quickly, to evaluate performance more 
quickly, and to continuously improve. We have to have a defense 
in depth, and speaking in one voice certainly helps.
    Mr. Fry. Thank you for that.
    Mr. Jaffer, you talked about our allies. This actually 
intrigued me a little bit. I assume that our allies are aware 
of the risks of buying this material from Communist China, and 
so if they are aware of that, what is causing them to continue 
to perpetuate the problem?
    Mr. Jaffer. It is a great question. I mean, two things: 
One, you know, our allies--take Europe, for example, they have 
known long about their addiction to Russian gas and how that 
caused them problems, and yet, they continue to buy it and buy 
it. We tried to build them a pipeline back in the Bush 
administration. They wouldn't do it. They built a pipeline to 
Russia instead. They are building a second one now. It makes no 
sense.
    They have the same attitude towards China. You look at 
the--even the United Kingdom, our closest partner, special 
relationship, British telecom built Huawei routers into their 
core networks. And when we went to them and told them this is a 
real problem, it took us a while to convince them. It took us a 
while to go around the globe.
    The first Trump administration spent lots of hours and days 
and months and weeks convincing our allies around the globe 
that this was a real threat. And that was only a decade after 
the House Intelligence Committee wrote a report about the 
threat from Huawei and ZTE.
    So we have known about this problem. We have been telling 
our friends and allies. And then, of course, we have had to pay 
Rip-and-Replace to take it out of our State and local networks 
as well.
    There is a coming threat, though: DJI drones being used by 
State and local law enforcement, crazy for Americans to be 
buying that. We should not allow that to happen. It is a huge 
mistake for American law enforcement to have those drones in 
their networks.
    Mr. Fry. Thank you for that. I see my time has expired.
    The Chair now recognizes the gentleman from California, Mr. 
Obernolte.
    Mr. Obernolte. Thank you very much, Mr. Chairman.
    And thanks to our witnesses. This has been a really 
important, really interesting hearing.
    Ms. Galante, I would like to start with you if I could. I 
found your testimony very interesting, and particularly the 
ways that foreign intelligence services are using security 
vulnerabilities at telcos to gather information on U.S. 
infrastructure and building the capacity to disrupt that 
infrastructure. I am wondering about your thoughts about to 
what level that constitutes more than just an unfriendly act.
    You know, we have kind of an informal understanding that 
intelligence gathering is something that all countries do, but 
building the capability to disrupt our infrastructure I think 
maybe goes beyond that.
    And, I mean, for example, if a foreign country did 
something that was overt, like came into--on U.S. territory, 
kidnapped American citizens, and took them back to Iran or 
China, for example, I mean, obviously, that would be tantamount 
to an act of war. That has started wars.
    Do we need to reprioritize our international reaction to 
acts like this?
    Ms. Galante. Thanks for the question, Mr. Obernolte. One of 
the key distinctions that made this more than a sort of 
standard act of espionage, if you can think of it that way, is 
the level of access that these actors had within the telco 
networks. And with telco networks especially, you can almost 
think of it as sort a multipronged tool. You are able to 
disrupt traffic. You would be able to take almost kineticlike 
steps in a network because of the types of tech that are there 
that would cause an effect that everyone would agree is far 
beyond espionage.
    That hasn't happened yet, as far as we know in these cases. 
It has just been an intelligence-gathering effort, and the 
access that these actors had presented additional 
opportunities. So that might be an area where you can really 
drive a distinction between what is traditionally known as 
espionage and what is largely considered prepositioning for an 
attack.
    Mr. Obernolte. Right. I think you have illustrated the key 
distinction there. I mean, there is information gathering, 
which is what espionage is geared towards, but then building a 
destructive capability is something I think might go beyond 
that. And if someone did something overt, like kidnapping U.S. 
citizens, we would say that is not all right, that is not OK. 
We would take a stand. I am wondering if maybe as an 
international community we need to set new norms about that 
behavior.
    Ms. Galante. And I think the discussion has to happen with 
our allies, right. This is not just a U.S. problem, that 
Chinese access into telcos. We need to look at countries and 
allies in Southeast Asia. We also need to look at some of our 
European friends who have been dealing with this as well. This 
is not just a U.S. problem, and we need to come together to be 
able to show where the real lines are here that we are not 
willing to tolerate.
    Mr. Obernolte. Right. Thank you.
    Mr. Stehlin, you highlighted the vulnerability of some of 
our subsea cables, which I was very appreciative of because a 
lot of people don't realize that vulnerability. Could you talk 
a little bit about what the backup might be to that, and how do 
we protect against that vulnerability? Because the problem is, 
we are uniquely vulnerable in that way, and I just don't see an 
easy way around that.
    Mr. Stehlin. There is no easy way around it other than 
having more cables and more landing points and quicker 
responses because of the volume of bandwidth, volume of traffic 
that goes across these cables. So that is really important, but 
we also need to be more on the offense, and as was described 
earlier, we need to tell our adversaries, ``Don't do this. 
There will be a significant action on our part if you continue 
to conduct nefarious acts.''
    Mr. Obernolte. Right. Well, I am hopeful that we can also 
do some modeling about how much of that international traffic 
would be debilitating, because it would be--you never know how 
debilitating it is going to be until it happens. But if you 
have done some modeling and you have done some exercises, you 
can kind of predict some of those failures.
    Mr. Stehlin. To build on that, the Houthis took out some 
cables in the Red Sea last year, and between Asia and Africa 
more than 50 percent of the traffic went down.
    Mr. Obernolte. Right.
    Mr. Stroup, with my remaining 47 seconds here, I appreciate 
your testimony. One of the things that you didn't mention when 
you are talking about disaster modeling is the really 
innovative way that satellites are being used for early 
detection of wildfires. That is critically important in my 
district. If we can put these fires out with fast aerial 
resources before we need boots on the ground, it could be a 
total game changer. Could you give us a quick update on how 
that is going?
    Mr. Stroup. Yes. I have actually seen a company just 
announce that they are providing as a service. A couple years 
ago, when I had the pleasure of testifying, you had asked a 
question about that capability, and I identified a manufacturer 
of that capability, and in the last 2 years we have seen 
companies moving forward with offering that as a service.
    Mr. Obernolte. Right. Well, m have, as you know, pilot 
programs, including some legislation that I offered to build 
out that capability, because I am absolutely convinced it is 
going to be a game changer for us in the West.
    Well, thank you very much for your testimony. I see I am 
out of time.
    Mr. Chairman, I yield back.
    Mr. Fry. The gentleman yields.
    And the purpose of this hearing now being concluded, I want 
to thank the witnesses for being here. I appreciate the 
professionalism, the expertise. I appreciate your testimony.
    And we are adjourned.
    This is a reminder, I remind all Members that they have 10 
business days to submit questions for the record. And I ask the 
witnesses to respond to the questions promptly. Members should 
submit their questions by the close of business on Wednesday, 
May 14.
    This hearing is adjourned.
    I also ask unanimous consent to enter into the record the 
documents included on the staff hearing document list.
    Without objection, that will be included.
    [The information appears at the conclusion of the hearing.]
    [Whereupon, at 12:44 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

                                 [all]