Supply Chain: The Role of Chinese Equipment in U.S. Tech

International & National Security Law and Telecommunications & Electronic Media Practice Group Teleforum

Listen & Download

“Supply chain security” has been a hot topic in Congress and federal agencies in recent months.  There is concern among policymakers that the use of Chinese telecommunications equipment in U.S. networks and connected devices could pose security risks. Clete Johnson (Wilkinson Barker Knauer), Nova Daly (Wiley Rein), and Sarah Geffroy (AT&T) join us to share their thoughts on these concerns.  They also discuss the general role of Chinese equipment in the U.S. technology sector and the effect of banning sales to the U.S. public sector of such equipment on the U.S. and global economies.

Featuring:

Nova Daly, Senior Public Policy Advisor, Wiley Rein LLP

Sarah Geffroy, Director, Global Public Policy, AT&T; Senior Fellow, George Washington University Center for Cyber and Homeland Security

Clete Johnson, Partner, Wilkinson Barker Knauer, LLP

 

Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up here. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

Event Transcript

Wesley Hodges:                Welcome to the Federalist Society's Practice Group Podcast. The following podcast, hosted by the Federalist Society's International and National Security Law and Telecommunications and Electronic Media Practice Groups was recorded on Friday, June 1st, 2018, during a live Teleforum conference call held exclusively for Federalist Society members.

Wesley Hodges:                Welcome to the Federalist Society's Teleforum conference call. This afternoon, our conversation is on supply chains, the role of Chinese equipment and US tech. My name is Wesley Hodges, and I'm the Associate Director of Practice Groups at the Federalist Society. As always, please note that all expressions of opinion are those of the experts on today's call.

Wesley Hodges:                Today we are very fortunate to have with us, Nova Daly, who is a Senior Public Policy Advisor at Wiley Rein LLP. Also with us is Sarah Geffroy, who is the director for global public policy at AT&T, and also a senior fellow at the George Washington University Center for Cyber and Homeland Security. Also with us is Clete Johnson, who is a partner at Wilkinson Barker Knauer, LLP.

Wesley Hodges:                After our speakers give remarks today on the subject and some back and forth time, we will move to an audience Q&A. So, as our speakers are speaking, keep in mind what questions you have for either them or for the subject as a whole. Thank you all for speaking with us. Clete, I believe the floor is yours to begin.

Clete Johnson:                  Great. Well, I really appreciate it, Wes, and to Nova and, and Sarah, um, as well, this is g-, this is quite a timely discussion and I, uh, the reason I say that is because there, I, d-, one of the very first regulatory, uh, proceedings, um, on this issue, uh, is, is reached a, a, a pretty significant turning point today. And that is that the Federal Communications Commission, FCC, uh, has a, it's, a due date for its comments on a, a proposed, uh, rule, uh, that would, uh, that would, uh, prohibit the use of public funds through what's called the Universal Service, uh, Fund, um, from, uh, from, uh, purchase, being used to purchase equipment or services, uh, from companies that pose a national security threat to the US communications infrastructure.

Clete Johnson:                  Um, that's a mouthful. In short, it would be a prohibition on, uh, potentially certain named companies, um, that, that I, that, um, that, that presently are, are in the market for these US, uh, funded projects and specifically, that's, those are things like, uh, uh, rural broadband, uh, rural health, um, lifeline project, uh, program and let's … This is something that's called E-rate that, that focuses on, uh, schools and libraries, um, and broadband service.

Clete Johnson:                  Um, so this is one part of a much broader and, and complex policy discourse but it's a, a pretty big day because it's the very first time that there will be a public, uh, uh, record with stakeholders weighing in on how to approach this challenge of supply chain security and the more narrow challenge within supply chain security of how to, uh, address, um, certain suspect, um, companies, uh, that, that are, uh, that consider just, uh, particular risks due to their, uh, due to their potential, um, use or, uh, uh, being exploited by a nation state intelligence services.

Clete Johnson:                  And we'll talk a lot more about that, um, in, in detail but in particular, their, the, the FCC notice, uh, of the proposed rulemaking, uh, notes one Russian company, um, and, uh, and notes, uh, two Chinese telecommunications companies, um, and those are, those are sort of the, the, uh, pre-, the presumed focus of this, of this rule.

Clete Johnson:                  At the same time, on the Hill, both the House and the Senate, um, are, are legislating on these issues through uh, what's called the National Defense Authorization Act or the NDAA. It's the annual, uh, essentially the annual defense bill, uh, that, that, um, that sets policy for the Pentagon and, um, and, and funding levels and, uh, there is a provision that has already passed the House, um, that would ban, uh, certain companies, uh, from, from being used, uh, by, uh, by companies that contract with the uni-, with the U.S. government, so it's essentially a, a, a contracting ban on, on, on these named companies, um, and t-, this, t-, there's some similarity between the FCC order and, uh, or, uh, proposed rule and this, the NDAA, uh, um, proposals.

Clete Johnson:                  The bill has already passed the house and it's, it, I, is, uh, is pending in the Senate, in the Senate Armed Services Committee, but it, it makes it look like it's quite likely that something in some form, uh, of this, on this ban, that the ban specific companies by name in statute which is, uh, lawyers in this, on this, on the line recognize is a relatively unusual, um, approach, uh, is very likely to be enacted into law.

Clete Johnson:                  So, the backdrop for this is, uh, and particularly with, with, with regard to the, uh, to the prominent Chinese companies is about 10 or so years of, uh, policy, uh, discourse percolating and, and what I would say is, uh, is, is, uh, until late last year, really a tiptoeing around the elephants in the room. How do you handle div-, uh, the perceived threats to the, to supply chain, to the supply chain of these certain companies.

Clete Johnson:                  And to be specific, what we're talking about is can a, uh, an intelligence service, um, of China or Russia or another adversary, uh, but, but in, in the telecom world, China is the most, um, is the most pertinent because of the, uh, of the m-, manufacturing base and so much of the telecommunications, um, equipment and infrastructure is, is built or passes, passes through in some way through China.

Clete Johnson:                  Can the, can the Chinese intelligence service, uh, you know, put, uh, compromise, uh, the equipment in some way at some point through the, the components being assembled or being designed in such a way that, um, that would allow for espionage, sabotage, even, uh, kind of warfare, prepping the battlefield, um, in, uh, s-, such that, that Chinese equipment is, you know, allows, uh, China to, to spy on us or, or our allies? Um, that's, that's the issue.

Clete Johnson:                  And this issue has been percolating for about 10 years with in, in ways that are sort of tiptoed around, uh, naming the companies that are, that are, uh, suspected to be the biggest challenges. Um, and that really changed in the last six months. And what it, what it moved from is from sort of, uh, d-, looking at this as a complex global supply chain and there are many companies involved including, uh, a couple of Chinese companies, Huawei and ZTE that are, that are seen as, as potential, uh, as special risks. Um, but not taking, uh, by name action, um, against those companies, the …

Clete Johnson:                  And the one, the one, uh, the exception that proves the rules is a House intelligence committee report back in 2012, um, that didn't take action but it, it recommended action but it was, it was simply a report. It was not legislation, um, that, that laid out these risks and, uh, for, for these two particular companies. Um, and, but other than that, the policy action was all about discussion about what to do about this and there was some statutes that sort of loosely danced around these companies and what to do.

Clete Johnson:                  And then, over the past six months, there has been really a flurry of activity in just about every realm of, of public policy from trade, um, and, you know, punitive tariffs to, uh, law enforcement from those, um, uh, commerce department, um, executing what's called an, an export denial order on ZTE, uh, based on violations of export controls law to CFIUS action. And I'm sure Nova will want to talk a little bit more about this but, uh, CFIUS action blocking, uh, uh, an acquisition that's relevant to, to these, uh, companies in certain ways, um, to regulatory activities. Talked about the FCC, uh, rulemaking process, um, to intense congressional pressure and action. Um, everything from legislation being consider to, uh, a number of prominent, um, senators in particular, um, going on what you might call a letter-writing campaign to, to the FCC chairman and reportedly to the Department of Agriculture, which funds some rural broadband as well, uh, to put pressure on them to, to push certain companies out of the market.

Clete Johnson:                  Um, and so we're at a real inflection point on these issues and it, it is, it is reached a point, um, at which, uh, it is, um, u-, the, it is a specific, by name, uh, concern and that has some, uh, some pluses and minuses, uh, um, in focusing in on particular companies. But the question is, with a global market that is, is, uh, exceedingly complex and even one piece of equipment might be made in 20 different countries, um, it, it, it, uh, the question about how to do address these concerns about, about espionage and sabotage that are very real concerns, um, has, uh, v-, very difficult, it's very difficult to come up with, with a simple answer.

Clete Johnson:                  Um, and this becomes even more and more important as we move closer to a 5G world. Those who are familiar with, with, uh, wireless communications will know that 5G is the fifth generation of, of, uh, of wireless technology. It will enable um, uh, uh, dramatic increases in connectivity and, and connection speeds that will allow, uh, um, uh, tremendous growth in the internet of things, connected cars uh, um, uh, basically all the George Jetson stuff that we, I, that, that I, that everybody dreams of. Um, and the, the, the issue about supply chain security and also the geopolitical, uh, uh, um, competition between, particularly between China and the United States, uh, really, uh, is, is at the nexus of that, um, the, 5G is at the nexus of those, of those challenges.

Clete Johnson:                  So, um, this discourse that's, that's going on right now and very pointedly with the record that's being created with the due date today at the FCC is, um, is a very, uh, a very robust, um, and, uh, you know, um, I think, uh, valuable discourse that is, that is finally on the record after about 10 years of sort of dancing around these issues. Uh, we're finally meeting, uh, meeting the issues head on and, and it's going to be a, quite a complex, uh, discussion about what to do and how and the timelines and, um, and just working out the details and I'm, I'm sure we'll talk a lot more about those details but I'll, I'll stop here having my kind of tee'd up the issues and pass it back to Wes.

Wesley Hodges:                Excellent. Thank you, Clete.

Wesley Hodges:                Nova, I believe that you're next to speak.

Nova Daly:                           Great. Thank you so much, Wes.

Nova Daly:                           Uh, so, I'd like to thank the Federalist Society for the opportunity to be on this august panel. Uh, my remarks and statistics derive, you know, not only from my experience in government and private sector, uh, including White House and then also Treasure running CFIUS.

Nova Daly:                           So, the helpful sort of publications I've found on this, uh, there's a recent Interos report prepared by the US/China Economics Security Review Commission, the Obama administration paper on semiconductors. This administration's national security strategy, and also, um, I don't know how publicly wide it's available but a DIUX report on China's technology transfers, as well as multiple articles.

Nova Daly:                           So, China has, uh, over the course of the last few decades, systematically sought to expand its indigenous technology and manufacturing capabilities and has thereby sort of created a territorial consolidations in global supply chains. You know, on the plus side, this has brought significant efficiencies, lower production costs and consumer benefits, not to mention raising hundreds of millions of Chinese out of po-, out of poverty but on the negative side, this has also created dependencies, economic and national security vulnerabilities and manufacturing job losses, not only for the US but for many nations.

Nova Daly:                           So, China's supply chain consolidation, it's state-driven economic model and technology transfers, whether it's through acquisitions to adventures or cyber theft, have engendered a growing and significant response not only from this administration and co-, and Congress, as Clete has noted there. And so I, uh, I note the recent sort of CFIUS bill, uh, potential legislation out there, uh, as well as the Section 301 investigation of China's IP practices, uh, that has proposed remedies of tariffs on 50 billion of goods, uh, potential investment restrictions and WTO actions.

Nova Daly:                           Now, while there may be inevitably some resolution, uh, to those tariffs and, uh, as Clete, uh, referred to, export restrictions that, uh, impacted ZTE, I believe we're possibly headed in the near time to a less global approach to production, uh, not only for China but likely also for the United States, uh, and with that most likely greater trade and investment disruption, competition between the US and China with global spillover effect.

Nova Daly:                           Uh, given the experience of the US export restrictions on the Chinese company ZTE, uh, and the essentially subsequent cessation of its production, uh, China has made pronouncements and it will likely more vigorously seek to consolidate supply chains, uh, and seek forced technology transfers.

Nova Daly:                           Uh, the simple fact is, as disorder increases especially due to [horizic 00:14:46] state and the challenges of economic and military power of an established nation, uh, political, social, and economic frictions historically increase and likely lead to more Balkanization of production.

Nova Daly:                           So, reducing this friction becomes even more challenging given the diffusion of technology and the resulting mutual vulnerabilities shared between the US and China in our telecommunication infrastructure and military supply chains.

Nova Daly:                           So, the US/China supply chain is deeply interwoven, uh, between our two countries and we're very int-, uh, interdependent. China is the largest importer and exporter of IT hardware globally, uh, for the GAO so we can't avoid this interdependence. On average, 51% of shipments, uh, to the leading US federal IT providers originate in China. This includes HP, IBM, Dell, and Cisco. Uh, this, uh, these shipments impact companies like Lockheed Martin, Northrop Grumman, Raytheon, to just name a few. Uh, 73% of the shipments to Microsoft originate, uh, from China and that's pretty significant.

Nova Daly:                           For China, I mean, just looking at, uh, ZTE, US companies provided to that, provide to that company 25% of the components in its products. Uh, for its Axon M smartphone alone, it's 60%, so the US export restrictions not only shut down ZTE but on the counter side, have a no-, negative impact on US companies like SanDisk, Qualcomm, Google and others that supply them.

Nova Daly:                           Uh, so China has become a key note in the global information technology supply chains and on purpose. Uh, state-drive policies, 13 year 5-year plan, the made in China 2025 are aggressive about the growth, uh, in these, uh, in these matters.

Nova Daly:                           So, I think US policy marks, given an interdependence and the plans of China and its state-driven model, I think they're right to be vigilant about sort of the national security vulnerabilities created by this interdependence. Uh, we have both of-, defensive, uh, considerations, situations where we can't get the parts we need and offensive considerations, where we have to consider the public and private networks that can be breached in technology and classified information that could be stolen.

Nova Daly:                           So, if, I think, um, broadly, uh, given China's sort of state policies of foster indigenous, indigenous information, uh, and its acquisitions through multiple and sometimes inappropriate means, uh, for technology, uh, to grow, uh, companies and increase market share through, through its actors and state owned and controlled actors. Uh, from a national security perspective, I think we, we have become less concerned, uh, uh, about sort of the nature of the relationship and more concerned about addressing the supply chain vulnerabilities that are directly confronting us.

Nova Daly:                           So, US military leadership has recognized this, uh, in nearly a decade ago at the outset of the race for the production of 5G technologies. In DOD's 2011 report on Congress on the military and security developments involving the People's Republic of China, it warned that information technology companies in China have close ties to its defense industry and the PLA. And, in that report, they specifically mention Huawei.

Nova Daly:                           So, uh, politically disruption is arising fairly quickly. Um, as Clete had note, there are multiple administration and legislative initiatives, either to ban, address, or restrict Chinese technologies outright. Uh, the new, uh, si-, CFIUS bill for, uh, FIRMA that's, uh, passed two committees, uh, in, in the House and Senate, um, has, um, is, is essentially driven by the Chinese investment mode, uh, that's increased rapidly and, uh, and, and it seeks to, uh, take a sperm focus on acquisitions of critical and emerging technologies and restrict them. There's a high likelihood that, given the Senate version, uh, uh, being attached to the Defense bill, NDAA, uh, that this is going to pass this year and it'll have broad consequences for Chinese-US investment and investment globally.

Nova Daly:                           And then, also, other things out there, uh, that are, uh, definitely showing the nature of the tumultuous, uh, uh, period we're finding, uh, in the relationships and [arrubio 00:18:59] has legislation and whatnot.

Nova Daly:                           Um, so how do we move forward from here? Uh, I'm going to park into, to Thucydides. Uh, [Sader 00:19:09] imply when rising power challenges a ruling power, war is inevitable. Uh, China is challenging the US but war is not inevitable and it can't be an option.

Nova Daly:                           So, both our nations needs to consider the simple and significant steps we need to take to safeguard our individual and our shared national security interests, whether calming the frictions in our relationship or not letting the rivalry expand beyond an economic competition.

Nova Daly:                           For our part, we need to focus, I think, on, uh, to invest in the federal cyber security management framework so that, uh, the obscure and unknown becomes transparent and with that respect, uh, we get a better understanding of the risk involved in techno-, Chinese technology in the US systems.

Nova Daly:                           Uh, simple speculation based on anti-China bias will only fuel greater animosities so evidence-based action is imperative, uh, and the core intention of the US, I think generally is, is for China to compete on a fair and level playing field and, and China needs to address that issue, especially with this administration.

Nova Daly:                           Um, that's why I think the US government and its actions is, is fairly justified in terms of sanctioning, uh, ZTE and to address other players such as Huawei, uh, and China broadly flouting international rules and good governance. So, I think now, it's really up to chin-, the Chinese government, to how they choose to respond, uh, and the tone they take will shape the next phase of the relationship. Those remarks. I'll turn it over to Wes.

Wesley Hodges:                Thank you, Nova. Appreciate your remarks.

Wesley Hodges:                Sarah, I believe that you are rounding us out. Please, go ahead.

Sarah Geffroy:                  -cellent. Uh, thanks Nova and Clete for both of your remarks and Wes and the Federalist Society for, for hosting this. Um, obviously, a really timely and important issue.

Sarah Geffroy:                  Um, you know, I think from our perspective and I, I'll, I'll put my dic-, disclaimer in right up front that, um, I'll try and frame some of this in terms of, um, observations and concerns I've seen across our sector and, and beyond and not necessarily, um, uh, just AT&T's, um, in-, internal deliv-, deliberations or anything like that but, you know, I think the, um, overarching point that, that we have honed in on, um, right up front is just the complexity and the broad impact, um, of, of these issues, really requires, uh, a fully coordinated federal effort, uh, and, and there are a lot of, uh, uh, different efforts going on, uh, right now, as Clete mentioned, and you know, I, I, I think we are obviously concerned with any legitimate national security threat to US networks and I think it has always been good partners with, um, with the government on such.

Sarah Geffroy:                  And so I don't mean to say that in a, uh, in a way to criticize but just to, to, um, you know, to point out, I think th-, there, there's been a lot of discussion over the years about, um, how serious, uh, the threat may be here and I think there's, there's been a lot of, uh, hand wringing about how to address it and that has tended to result in, um, some, some differing approaches, um, across government um, any one of which in isolation would likely not have the, uh, intended impact.

Sarah Geffroy:                  Um, forg-, Clete mentioned the, uh, congressional bans, um, and I think certainly putting something into legislation can have a, a, a direct impact but it also has limitations. Um, the, the bans that we've seen have been geared at either DOD suppliers or, uh, federal contractors across the federal government, um, but don't, uh, don't include those who, who are not. Um, it's been company-specific so far. I think at, at least the ones, um, that are top of mind for me have named companies, uh, Kaspersky, Huawei, ZTE and, uh, again, while those m-, might have immediate impact with respect to those companies, um, they're limiting in that, um, it, it, as I think we all know, it gets hard to rely on, uh, an act of Congress, uh, every time we need, every time we have an e-, emerging national security concern that, that, uh, uh, needs action.

Sarah Geffroy:                  Um, these have primarily been done in, in NDAA because NDAA is a must-pass bill every year so, um, you know, definitely limitations with, uh, relying on, on, uh, Congress to, to act in all these, these situations.

Sarah Geffroy:                  Um, I think that the other, the other piece of the Congressional bans, we, we, we know how hard it is to craft statutory language that gets exactly at what you're trying to get at without the unin-, potential unintended consequences and that, you know, I'm thinking in some of the language that we've seen out there, uh, banning, banning certain suppliers from, um, buying equipment from certain companies, um, it, you know, it, it may mean that you can't do business with that company at all. If you're going to do business with the federal government, it may also mean that you can't use that equipment, uh, to fulfill your government contact and those are, I think those are issues that are hard to craft language around, uh, to do, uh, what you're intending to do there.

Sarah Geffroy:                  Uh, the, the FCC's action that Clete spoke to, um, again, in isolation, um, the FCC has limited jurisdiction and I, I think from our standpoint, uh, we certainly want to see any, any ban or restriction, uh, apply across, um, a-, across the entire ecosystem, the entire, uh, information and communications ecosystem and the FCC, uh, does have limited jurisdiction here so, um, ours and other companies, uh, concerns are, you know, what does that mean from a competitive standpoint and, and, uh, you know, how does that affect us as a sector disproportionately or even within a sector, um, to the extent that there may be, uh, wavers and loopholes within, uh, a certain approach. You know, does it disproportionately affect [inaudible 00:25:20] companies over others?

Sarah Geffroy:                  Um, throughout the FCC proceeding, I've heard from, again, broad range of, of folks, um, looking at whether it makes sense to, uh, only prospectively ban, uh, purchasing of equipment and what, you know, what do you do with, uh, if you're affected by this but you al-, you already have that kind of equipment in your network and, um, you know, how, how do you or how do you regulate around that if there's a … If there's truly a legitimate security threat? Um, so, what do you do with the existing equipment is, is a question I've heard a lot of discussion about.

Sarah Geffroy:                  Um, and, and the other is, um, I think looking at the type of equipment and, and analyzing the ease of compromise, if you will, so if you look at, um, devices and handsets versus core network equipment, there are, you know, there's, there's a, there's a wide, a wide scale there and I think those are just questions that the FCC or anyone needs to look at when they're talking about what, what exactly it is that they're banning and what exactly, um, carries the highest risk that should be addressed, uh, first?

Sarah Geffroy:                  Uh, we've, we've seen or we've, we've heard rumors out there. Again, this is all, uh, this is all publicly reported, about potential executive orders in the works, um, from an outright ban on particular companies or, um, uh, somehow involving the use of [IEFA 00:26:52], um, and, and sort of designating a national emergency and, and sort of taking that approach.

Sarah Geffroy:                  Um, and my personal opinion, that would be very complicated, um, and, and I've heard a lot of, um, different opinions about it but it, but that would require some, some really precise, uh, crafting and, and it's, it would be a novel, certainly a novel application of IEFA, so, um, uh, that, that's a, a difficult one to tackle.

Sarah Geffroy:                  Uh, we, we spoke about the CFIUS act and, and, uh, that being used as an approach, an approach Nova mentioned, um, some of the, the, the things that the CFIUS amendments act would try and get at including, um, trying to sort of broaden the applicability and that's obviously very difficult, um, uh, just given the, the structure of, of businesses that are out there and, uh, and, and, and the impact of broadening that scope.

Sarah Geffroy:                  Um, some other, again, sort of [rument 00:27:57] issues that are, that are bubbling under the surface. Um, there was an article recently that, that DH-, DHS is undertaking a supply chain risk assessment, um, and, and, uh, there wasn't a whole lot of detail. There's not a whole lot of detail out there about what the scope of that might be. Um, some have suggested that the NSTAC, the, um, President’s National Security Telecommunications Advisory Committee, um, that this would be a good issue for, for them to tackle and make recommendations to the President on. They are in the midst right now of working on their cyber moon shot.

Sarah Geffroy:                  And I think, uh, the other area that was touched upon is 5G and the standards bodies. I know that's a lot of concerns have been raised about, uh, the standards making process and China's increased inv-, involvement in that and, uh, you know, we, we've, uh, uh, AT&T feels that that's, that process is still a viable one and, and the input and the levels of review that go into standards making is, um, very fulsome and, uh, but it is one that, that requires, um, an ongoing dedication to both from industry and, and from our, our government as well.

Sarah Geffroy:                  So, lot of, a lot of different approaches and, and I think absent a, a coordinating, coordinated federal strategy about how to approach this. Um, you know, I, uh, we worry that there may be some, some gaps over, you know, if, if the congressional bans didn't pass and, um, the FCC went ahead with theirs, or no executive orders. You know, you, you could have any number of different, um, different actions coming to, to fruition and resulting gaps, uh, in, in different parts of the sector and in industry.

Sarah Geffroy:                  So, just, uh, m-, moving forward, I think the solutions that, that should be considered and, um, we, we've spoken publicly about some of these, uh, is that, you know, the, the, the big principles that any solution or any strategy really needs to focus on are that the national security-related restrictions should apply to all operators regardless of regulatory classification and should be competitively neutral within the sector, within for us the telecommunication sector and, um, outside the sector.

Sarah Geffroy:                  Um, we obviously know, communications carriers are implicated, um, but, but so are other companies, other tech companies, cable companies, um, that are important providers of an increasing number of communication services and, and we want to see any, any restrictions or bans that are levied today, um, that they not disproportionally harm entities who have made decisions in the past, uh, perhaps not to use equipment, uh, notwithstanding a potential cost benefit, uh, versus, uh, the, there are companies who've made decisions over the years, um, for, for cost reasons that, um, that, uh, yeah, have, have made different decisions and I think we'd not want to see a disproportionate impact there.

Sarah Geffroy:                  Um, I think, uh, certainly and Clete touched on this as well. There needs to be, for any of these, a legit-, a legitimate national security risk and a consistent method for determining when there is one. Uh, it's the FCC brought this up in their rulemaking. Rightly so, I think for, for comment and they proposed whether they may be the right entity to make those determinations, whether somebody else may be like DHS, um, whether it's the intelligence community, uh, there definitely needs to be a, a coherent way to identify threats and, uh, uh, announce them in a public way, uh, that's consistent across the board.

Sarah Geffroy:                  I think, uh, not to make too much light of it but in, in, in recent years, a lot of the, the public pronounce-, pronouncements about threats have resulted from either as, as Clete mentioned, [HIPSEA's 00:32:07] report or, frankly, at some open hearings, uh, having members of Congress put directors of agencies on the spot about whether they would or wouldn't use particular companies' services and equipment in their own home and, and while that made the point and, i-, in those circumstances it's, it's, it, uh, that becomes tougher and tougher to do in a consistent way, I think going forward.

Sarah Geffroy:                  Um, and I think, uh, we certainly need to consider, uh, the business impacts of our decisions in that, that, uh, the proportionality of any, any action we take i-, in the face of those legitimate national security concerns, there are lot of legitimate US businesses, uh, working around the world in many different companies and, you know, as we've seen right lately, uh, the, those national security-based decisions, uh, do have impacts, um, on the business community and, and, you know, we would urge that to be a consideration in any plan going forward.

Sarah Geffroy:                  And then, the, the final point I'll make is I, I think we, we need to have a, a comprehensive long-term plan, uh, to deal with the supplier issue. I think right now, we have a handful of, of suppliers, all of them are foreign and two of them are Chinese. So, think the … E-, even if you were to ban Huawei and ZTE, the ability for those remaining suppliers to be competitive when, when Huawei, for example, is operating at, at a massive scale around the world just makes it, it much harder for them, uh, to do business, uh, uh, frankly, and I, I think that we need to look really at a, a long-term plan about, um, how to address that and, and, you know, how to support R&D, um, uh, financially and otherwise, um, to, to deal with that, uh, long-term supplier issue.

Sarah Geffroy:                  With that, I will turn it back over to Wes.

Wesley Hodges:                Thank you, Sarah and thank you to all of our speakers for excellent remarks.

Wesley Hodges:                Right now, I'm going to open the floor to questions, so if anyone has a question, uh, when you hear the prompt, you'll be, you'll be able to ask a question by entering the star key and the pound key.

Wesley Hodges:                Just briefly, before we turn to the queue of question, where do you see, um, all of this going?

Clete Johnson:                  I can, I can start it off and, um, you know, I think th-, this, this, our opening comments really fleshed out, uh, the incredible complexity and, and, uh, both breadth and depth of these, uh, of both the challenges and also the, the policy responses and this is truly, uh, t-, this is truly one of those issues that you really can't, uh, touch one part of it without having a follow on effects in business, technology, uh, security, um, law, uh, in some other part of this, of the economy or by, or, uh, technology and for internet, um, internet communications technology ecosystem.

Clete Johnson:                  Um, so I think, uh, and this is what I've, I've, I've, you, you, we're starting to hear a chorus of this particular point and it's something that, um, for instance, I expected to see in a lot of comments, uh, in this FCC proceeding. Um, and that's, that's this and to Sarah alluded to this, to, to this to some degree. There, there absolutely has to be a, uh, a coherent, holistic, um, um, US … Not only US government approach to this but no, US government, allied government, um, and I, and private sector response. Um, now that's, that's … I … That's saying a lot and it will be very difficult to, to make that happen and I think this is probably a multi-year process of, uh, determining how you've, how we, how we set, set all that up but it begins with getting the, to, uh, to US federal, uh, government, um, various agencies, uh, and including regulatory agencies, uh, but, but particularly the Department of Homeland Security, which is, uh, the sector, so-called sector-specific agency, um, before the communications sector and the information technology sector. Uh, what that means is they're the non-regulatory, uh, um, department that is responsible for that, for th-, for those two critical infrastructure sectors, sort of like treasury is the sector-specific agency for the financial services sector, um, and energy for, uh, for electricity e-, et cetera down the line.

Clete Johnson:                  The DHS is sector-specific agency for communications and IT and, uh, and therefore, uh, there's a lot of support for DHS to not go off on its own and do it's, do its own thing but instead to sort of be the lead coordinator and to lead the efforts in the federal government, uh, with regard to the communications and IT, um, supply chain security.

Clete Johnson:                  What that should mean in practice is that there's a coherent process, um, again, led by DHS that includes a lot of input from commerce and there are several parts of commerce that have relevant, uh, perspectives in and authorities from NIST on the technical side to NTIA on the, uh, internet governance and sort of internet ecosystem side and digital economy to the international trade administration on the, uh, on the, uh, trade issues, uh, to, um, uh, the bureau of industry and security on the, uh, on the export controls and, um, and sort of nefarious supply chain side of, uh, these issues. That's commerce.

Clete Johnson:                  It should also include input from the Department of Justice and the FBI, both on the law enforcement and, and intelligence side. Also, Department of Defense, both on the defense side and also the NSA, um, intelligence, my side of things, uh, as well as other elements of the intelligence community, uh, probably the State Department for the international diplomatic L.I., considerations. And you get the point. On and on down the, down the line, there should be, uh, live, fulsome input from all the relevant, uh, parts of the government and that, that can and, and should appropriately, uh, include, uh, uh, the regulatory community.

Clete Johnson:                  Um, and the, the, the challenge there is that, uh, the regulatory community needs to, uh, in a v-, that means the F-, FCC and other sectoral regulators. Um, it, it, uh, it, they need to be postured in such a way that they're enabling partnership between the government and the private sector, not, uh, not pro-, not sort of inhibiting or scaring away industry because industry is worried about, uh, more regulation or a regulatory enforcement action, et cetera. Um, but they need to be part of this, uh, two in the appropriate way, uh, because they're, in some cases, there's some particularized expertise that doesn't reside elsewhere in the government.

Clete Johnson:                  Um, on the FCC side, for instance, the, uh, nobody knows more about the 911 system in our country than, than the, uh, 10 or so folks who work on those issues at the FCC, uh, so they can, you know, they can have some particularized input but it needs to be within this broader, uh, holistic inner agency process. Um, and so my prediction is that that because that is so … Uh, it, it's such a blindingly obvious, uh, um, uh, the policy fact that th-, th-, these issues cannot be done in silos. They can't be done with one regulator doing one thing then another regulator doing the other and, you know, DHS doing one thing and Treasury doing something else.

Clete Johnson:                  Um, it, I think the, the fact of that will, will ultimately force some sort of coordination and my hope is that, uh, the coordination will be, uh, the, will, uh, will be planned and not just kind of have to happen because, uh, things get messed up so badly, but instead the government gets ahead of the curve and says, "What are you? We need to do this right. It needs to be coordinated," um, and, uh, DHS should be to sort of, um, chair the meeting but we're going to have this inter-agency process that is coherent and, uh, and navigable by all the players and has input from, uh, from the private sector, which knows this ni-, knows the market realities best.

Clete Johnson:                  So, that's both a hope and a prediction because I think it, it is a likely to happen because there's, uh, enough recognition that it needs to happen, so fingers crossed. (Laughs).

Wesley Hodges:                Thank you, Clete, for the very thorough analysis.

Wesley Hodges:                Sarah, please go ahead.

Sarah Geffroy:                  Uh, uh, I'll be the optimist here, which is unusual for me.

Wesley Hodges:                (Laughs).

Sarah Geffroy:                  It, uh, what, what Clete was just speaking to I think is, uh, from what I've seen in conversations and, and, uh, sort of looking at potential future activities, it, it seems like those conversations are happening, uh, across agencies, uh, i-, in a way that I haven't seen before so I'm also cautiously optimistic.

Sarah Geffroy:                  You know, I think it's going to be a, a timing issue, as always and, uh, uh, yeah, seeing what, what comes out of Congress, uh, and NDAA and, and, uh, yeah, I think often times, in the absence of a, a, a big inter-agency executive branch action, uh, Congress will act and, uh, that, uh, that, we're at that inflection point as, as Clete mentioned earlier that, uh, uh, will, will probably have, uh, uh, congressional action and but hopefully, it is one that can be, you know, folded into a more comprehensive approach.

Sarah Geffroy:                  Um, I think that, um, the, the, the last point I'll make, as Clete mentioned, the, the need for the regulatory community to, uh, to reach out and, and sort of foster that public/private partnership is, is one that's been, uh, growing in the, in the broader cyber security context over the years and I think it's a really important, important one but it obviously a, uh, a, a new area. You know, it's, it's not the, uh, it's not the way of, of the regulatory agencies and, and the private sector in the past and I think it's one that, um, yeah, it's just re-, requires a new way of thinking and, and hopefully is one that will continue, uh, to, to grow quickly.

Wesley Hodges:                Thank you, Sarah.

Wesley Hodges:                Nova, Do you have any comments for, or predictions or strategies regarding the future of this subject?

Nova Daly:                           Sure. Yeah. I think I absolutely agree with Sarah and Clete and definitely Sarah for a need for a coherent and comprehensive strategy to address this. Clete listed a number of different agencies and I think that formulation, um, makes a lot of sense. In terms of where I think it actually goes, I think I sort of alluded to in my comments. I think in the intermediate time, we're just, we're going to have more disruption. I just think we will. Um, I, I, you know, that is part and parcel of sort of where this administration is in terms of the challenges, you know, the fractious sort of nature of, uh, uh, nationalists and globalists within this administration in terms of how they want to approach the China issue.

Nova Daly:                           Uh, then, also the fractious sort of nature of what's going on with our allies and trade relations and, and working towards those solutions but I think eventually, what happens is, you know, as companies start to seize up their sort of longer-term planning. I mean, due to the lack of predictability in the market, uh, you know, that's going to have an effect on markets and, and, and broad economic, um, growth, not only here in the United States but globally. And I think, you know, when that starts to hit, I think this administration is going to start pulling things together. Definitely you're going to see leadership from DHS and the telecommunication markets. I think DOD is going to play a pretty major role, uh, as well given the …

Nova Daly:                           You know, if you think about the defense industrial base, that size, its preponderance, and how many providers, uh, are part of that and then attenuated to that is, is our o-, is our other intelligence agencies. I think that side is going to have a heavy hand in deciding which way to go but I think, you know, either way, this has to be, um, a coordinated response that needs to, needs the White House and, uh, needs the White House to lead it.

Nova Daly:                           I think, in the past, in the Bush administration, uh, these things were led by the National Security Council and I think that's sort of the right body to take on a broad, coordinated, uh, approach. It's also going to need Hill buy-in with its leadership so, you know, until things sort of settle out in these next round of elections, uh, in terms of that direction, it's going to be necessary. It's also going to need a, a global forum to sort of create some, some rules.

Nova Daly:                           It's interesting that the UK, uh, the EU, sorry, just, uh, did two WTO actions. One against us on some of our tariffs and then the other, uh, against China on its IP practices, which is in line with our 301 exercise on China's IP so it's going to need some global direction and I think maybe the G7 is a good forum to start putting these, um, these global issues into and maybe spill over to the G7 but generally, where I think it goes.

Wesley Hodges:                Thank you, [inaudible 00:46:05] for your remarks.

Wesley Hodges:                We have three questions currently in queue and about 15 minutes left to the call. Let's go ahead and turn to our first audience caller.

Speaker 5:                           Yes. Um, the first speaker mentioned, uh, that's it's likely that the NDAA will include a provision making certain named companies ineligible to participate or putting restrictions and sanctions on them.

Speaker 5:                           Uh, in the United States versus Brown, the Supreme Court struck down as a bill of attainder, a provision the labor management reporting and disclosure act that required that officers of labor unions sign affidavits of the effect that they were not members of the Communist Party USA. I'm wondering if that provision proposal in the NDAA would run afoul of the prohibition against bill of attainder.

Clete Johnson:                  No. I think that, that issue is a, is a great one to flag and it, it is something that has gotten some, uh, some discussion and sort of the wonkish corner of the, uh, legal and communications, my, uh, uh, the communications bar.

Clete Johnson:                  Um, in this case, I don't think and, and, uh, and while we're talking, I'm going to pull up the, a case but, um, I, I, I think it would be, uh, it would be a, uh, it, it, it could be an issue if it pertained to a US, uh, a person, um, but I, I, I don't think it's, uh, I think it's, it's likely to be resolved in favor of a, of, um, you know, of the statute.

Clete Johnson:                  And, uh, there is a, the case that, uh, that there's one other very recent, uh, almost directly relevant precedent and, and that is that, uh, the Department of Homeland Security recently, uh, named Kaspersky Lab, which is a, uh, a Russian software antivirus, uh, company. You've probably seen the ads for it, um, that is, uh, widely suspected, uh, in, in the, in the intelligence community of, uh, and the nat-, broader national security community of uh, of, in some ways doing the bidding of the Russian, of Russian intelligence services.

Clete Johnson:                  Um, and PHS recently put out what's called a binding operational directive, Abod, uh, that directs federal agencies, uh, to, that essentially bans, uh, the use of Kaspersky Lab, um, software in, in a, in any federal agency network and, um, Kaspersky filed two lawsuits, uh, against, um, DHS, uh, for that ban and, uh, and they were just dismissed. Both, both cases were dismissed. I think it was earlier this week.

Clete Johnson:                  Um, so while I think it is a, a, a good, uh, point to, to flag, um, I don't think that this is going to, uh, to ultimately be a bill of attainder issue. Um, now, let me caveat that by saying I've not done a, uh, a dramatic, uh, uh, dramatically deep, uh, uh, dive of legal research on this but, um, what I think is a very interesting issue. I think this is likely, um, in some form or another, uh, these, uh, these by-name, uh, bans are ver-, are, are likely to, to stick.

Clete Johnson:                  And even if they're, they're thrown out, uh, ultimately thrown out in court, I think the effect they will have on business decisions is, uh, i-, is, is, is maybe more important because I think a lot of companies will, will just determine that when you're making long-term investments that, that are likely to, uh, you know, to take place and live over of, over multiple election cycles and different regulatory, uh, uh, leadership, um, it, it's, it's just safer to go with, uh, a, with a, uh, an entity that's not likely to ever fall on any list. Um …

Sarah Geffroy:                  Uh, I just add in, too and I certainly haven't studied this aspect of this at all but, um, I think it, uh, in the, in the 2018 NDAA, um, but then there, I think named, uh, Huawei and ZTE and cor-, sort of correct me if, if I'm wrong.

Clete Johnson:                  That's right. Yeah. That's right.

Sarah Geffroy:                  They prohibited DOD from contracting with vendors that use Huawei and ZTE equipment as a, like an essential component of the technology that they're using to support their DOD contract, uh, so, uh, uh, there may be some, um, articles and, uh, whatnot out there from, from when that bill passed which I think was signed in December, if I remember.

Nova Daly:                           Yeah. That's right that was, for, for Huawei and ZTE, it was specific to DOD systems. That, that bill also banned Kaspersky, um, to, uh, kind of backed up the DHS my, binding operational directive and banned Kaspersky from, from all federal agencies but with Huawei and ZTE, it was just DOD.

Nova Daly:                           The bills that are pending now, um, go one step further. One, it, it, uh, it, it, it's for all agencies but it also, uh, is, is not just my banning Huawei and ZTE for agency networks but banning, uh, Huawei and ZTE from the, uh, from being used by contractors or by, by, uh, you know, entities that the, the, the US government contracts with. Um, so it's much, much broader.

Clete Johnson:                  Yeah. I think as Nova so yeah, I think that's interesting as do they have standing in US Courts, there's US pet-, persons and would it be someone else filing the suit? Uh, you know, a US person saying they're, you know, there's harm caused by that action and, you know, who's going to, who's willing to sort of take that.

Clete Johnson:                  Also, interestingly, sort of tangential to it is, um, within the CFIUS realm, there was a company, uh, [Rales 00:52:16], that sued, uh, the US government and the president for blocking, uh, one of their transactions and it went all the way to the, uh, circuit court. And they essentially didn't rule on the President's right to take, uh, decision to block under national security but they said that there was a due process element that had to be satisfied. So, when it gets in the national security realm, that's when the courts sort of defer to, I'd assume Congress and also, uh, …

Wesley Hodges:                Yeah.

Clete Johnson:                  … administrative authority.

Nova Daly:                           While we've been on here, I've just, I've looked up that ruling from, uh, from, uh, from earlier. It's actually earlier this week. Um, and it, that one of the, one of the Kaspersky, uh, lawsuits was specifically about a bill of attainder. Um, and the, the judge of the district courts are not, you know, hasn't been, uh, ruled upon it that at the appellate level but, um, the, the, the district court judge essentially says that this is not a, a bill of attainder, um, which has to do with, uh, individualized d-, deprivations of life, liberty, and property, um, and inflict punishment on individuals and corporations without a judicial trial.

Nova Daly:                           Um, so this, the, the, the distinction that the, the judge drew didn't have to do with, um, as I was previously thinking, the distinction between a US person and a, a, a non-US person. That may be another, uh, obstacle, um, to such a claim but it actually had to do with the fact that this, uh, the way the, the, what the judge said is that this statute doesn't inflict "punishment" on Kaspersky Lab. It, it, uh, it, it eliminates a perceived risk to the nation's cybersecurity.

Nova Daly:                           And so, and in so doing has the secondary effect of foreclosing one small source of revenue for a large multinational corporation. So, the judge held that this is not, uh, punishment, which is one of the constitutional prongs in the, uh, in the, uh, in the bill of attainder provision.

Wesley Hodges:                Thank you, caller, for your question.

Wesley Hodges:                We still have two questions in the queue. Just a couple minutes left, dang, so let's see if we can quickly get to our next question.

Chris:                                     Hi. This is Chris [Santonie 00:54:27]. Can you hear me?

Wesley Hodges:                Loud and clear.

Chris:                                     Great. Thank you.

Chris:                                     As I think about what, uh, successive administrations going back about 20 years and both parties have done, as it seems like they have felt that if, um, US engaged with China that, uh, it would move, uh, more quickly than otherwise towards a, uh, capitalist, non-authoritarian model and to the extent to which, um, the balance of trade, uh, got worse over time, uh, there was this notion, at least as I saw it, in the same way we talked about banks being too big to fail, uh, their relationship with China being too big to change because of the disruptions. Now, I, I appreciate the panelist's discussion about how this administration seems to be going in a different direction.

Chris:                                     So, just a couple thoughts or questions actually. One, um, is it your sense that there's more of a concern about, uh, you know, spying or, uh, uh, electronic warfare, similar sorts of, uh, actual, um, damage that could occur, uh, uh, in the same way that the, uh, the, the Soviets back in the 40s put, uh, the bug inside of the, the US seal that they, that they provided as a gift to the US Embassy or is it more of an issue of unav-, unavailability of supply if so many of the components are from, uh, China. So, that's the first question.

Chris:                                     The second, do you see, um, uh, the end state here being, uh, a, a, uh, limitation on the extent to which the military, US military or governmental entities use, uh, these components or even going beyond that to, uh, mass market consumer um, uh, uh, devices even being changed.

Chris:                                     Uh, last, I know, I know we have a lit-, only a little bit of time. Maybe you give, you know, quick replies to the extent to which you, you can. The third is, uh, uh, the degree of, um, connection between the timing of the administration looking at these issues and other related matters, whether it's balance of trade, IP piracy, uh, uh, job, uh, jobs in related industries and, and the US.

Chris:                                     And then finally, what sort of things short of a, uh, fundamental change in, uh, the, the nature of governance in China from an authoritarian non-capitalist, uh, uh, regime to something more akin to, you know, Western democracies? What short of that do you, do we, uh, think that the Chinese could do so that this issue, if not fully sort of resolved, would, would, uh, go more on the, on the back burner? Thank you.

Nova Daly:                           Sure. So, um, yes. Back in the Bush administration, we definitely thought engagement was the right way to go. I think there are, um, a lot of the folks then now don't see that as probably the proper engagement. I think they agree that a little bit more direct confrontational, uh, sort of relationship to get China to sort of change some of its practices is probably the way you have to go.

Nova Daly:                           So, whether it's electronic warfare, uh, uh, fears or the unavailability of supply, I think it's both but electronic warfare for sure. Uh, the OMB hacking, which I think was widely published. Clearly Chinese, uh, the prosecution of the five Chinese nationals for hacking Westinghouse, uh, solo world, uh, US Steel and others was also a demonstration of some of the vulnerabilities and that's only the stuff that was made public. There's been others that were fairly significant including possibly something with Google and other, uh, major US companies.

Nova Daly:                           So, I think there is a, a serious consideration that the, uh, that the spying not only of US government information but also of, um, US company information and proprietary information and, um, their know-how is important.

Nova Daly:                           Terms of sort of getting into through your last question. You know, what, you know, is this sort of like whether we think China really's going to change its ways? I don't think it's necessarily going to change how it seeks to govern itself but certainly the way, uh, it's, it's, uh, behaving sort of in the marketplace and in terms of intellectual property and i-, indigenous innovation I think is something that they can do and they can adjust to, uh, and to open this to sort of investment and wholly-owned subsidiaries is something they can do and I think they eventually will take that on as long as, uh, there's a global movement to do so. Um, in terms of the timing, IP and jobs, I think it's all sort of reach a, a grand crescendo, uh, and that's why you're seeing all these actions.

Nova Daly:                           And your second question, I'll just, uh, let others address.

Chris:                                     Thank you.

Wesley Hodges:                Thank you, caller.

Wesley Hodges:                Clete or Sarah, do you have a response to the second question?

Clete Johnson:                  The, the question dealt with whether reactions that were, I'm talking about here are, are likely to be, uh, limited for supply by US military or governmental entities or, or the notion is that there would also be, um, uh, at limitations in the extent to which, um, uh, mass market consumers would have, uh, devices that we might, uh, purchase, uh, no longer be able to use, uh, Chinese components.

Sarah Geffroy:                  So, I, I think it was certainly in the past the focus has been on the former. Um, h-, hard to predict where it will go but I think it, it, um, at the very least could have the consequence of impacting, um, consumer services and equipment as well.

Sarah Geffroy:                  Uh, you know, whether that's, that's the intention, uh, right now, uh, you know, I think some of these, the actions that we've seen has certainly broadened a bit more, incrementally broadened towards, um, uh, what they would impact so, um, you know, hard to say if, if that would, uh, be an intended priority soon but I could certainly see an impact, uh, occurring there.

Nova Daly:                           Yeah. I think this, the, the, just to add to that. I think that's right. The, the, the lever that's being used, uh, in the immediate near term is government funding so you're talking mostly about, uh, um, government funded, uh, networks on the kind of government network side and also I, uh, in the FCC setting, uh, government-subsidized purchases for private sector, uh, deployment of broadband and other, uh, networking.

Nova Daly:                           Um, so you're primarily talking about that sort of critical infrastructure side of things be it government networks or this government-funded infrastructure but, um, but it having a pretty significant ripple effect, um, on the, on the, I, uh, you know, sort of downstream, um, and it, I think it will inevitably, uh, particularly along with the other non, uh, with the other, uh, policy actions like, uh, like the trade, punitive trade tariffs and the, uh, commerce action on ZTE. It, it, uh, either legally or just in the, in the practical business by, uh, impact will have a pretty significant effect, more broadly than just those, uh, government procurement, uh, scenarios.

Nova Daly:                           Um, and the value of this, of this discourse is to really suss out where the risks are, where the, what the appropriate actions are, um, because frankly, I think if you talk to a, a number of the, uh, of the policymakers about this, um, they're not yet … They're either conflating a lot of these different, uh, risks and threats or they are, uh, not yet (laughs) parsing them out and, and looking at them, uh, distinctly, so the value of this policy process is that we're going to, I think finally going to start, um, digging into the distinctions and what to do about which threats.

Wesley Hodges:                Thank you, caller, for your question.

Wesley Hodges:                Looks like we're at the end of our time today so just want to let everyone know that this call is being recorded. It's going to be turned to a podcast and uploaded to our website and you can download it on Google Play and iTunes on the Federalist Society's website.

Wesley Hodges:                So, on behalf of the Federalist Society, I'd like to thank the experts for the benefit of their valuable time and expertise today. We welcome all listener feedback by email at info@fedsoc.org. Thank you all for joining us. This call is now adjourned. Thank you for listening.

Speaker 7:                           We hoped you enjoyed this Practice Group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit the Federalist Society's website at fedsoc.org/multimedia.