U.S. 'Ill-Prepared' to Defend Communications Infrastructure, Lawmakers Told

The U.S. -- with vulnerable communications architecture and its government ineffective at deterring foreign threats -- "is ill-prepared" to defend its infrastructure from bad actors like China, Russia, Iran and North Korea, said Jamil Jaffer, the National Security Institute's executive director. The U.S. "would be thrilled" to have the same access to Chinese communications networks that the Chinese government has to U.S. networks, as the Salt Typhoon hack illustrated, he said. Washington has yet to respond or take any accountability, he argued, also criticizing the government for not following through on its TikTok ban -- the April 5 enforcement of which has been postponed by President Trump.

Without an agency solely responsible for defending cyber infrastructure, expecting industry to do it guarantees there will be failures, Jaffer said. DOD's U.S. Cyber Command isn't resourced or staffed to be a one-stop shop for cyber infrastructure defense, he said, and there's no consensus anyway about whether DOD should have that responsibility. Jaffer also told lawmakers that information-sharing between government and industry needs improvement.

He repeatedly suggested a federally funded global "rip-and-replace" program to counter Chinese government efforts that have helped firms such as Huawei gain huge telecom market. Also, there needs to be greater effort to create a U.S.-based supply chain of such goods as semiconductors and processed critical minerals, he said.

During the hearing, numerous Democratic lawmakers criticized the Trump administration for using the Signal messaging app and Gmail for sharing sensitive information, cutting staff at the Cybersecurity and Infrastructure Security Agency and disbanding the Cyber Safety Review Board.

CSRB was like the National Transportation Safety Board, charged with finding root causes when something goes wrong, said Laura Galante, former director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence.

Stehlin said there needs to be a more uniform way of reporting cyber incidents, as opposed to today's smorgasbord of reporting procedures among federal agencies, states and companies. That lack of uniformity makes it harder for operators -- particularly smaller ones -- to quickly identify and resolve cyber intrusion incidents, he said.

Asked by Rep. Bob Latta, R-Ohio, about how to incentivize the use of routers made in the U.S. or allied nations, Stehlin said bad-choice routers need to be eliminated from the marketplace. Efforts at returning infrastructure manufacturing to the U.S. are "at best ... going OK. We have a long way to go." He said new supply chains to that end will be a multi-decade process, with semiconductor chips a key.

While submarine cables in the Baltic Sea and Taiwan Strait are increasingly targeted for sabotage, the volume of bandwidth and data traffic those cables carry means there's no good substitute, Stehlin said. Jaffer said the U.S. needs to make it clear to other nations -- particularly China and Russia -- that the U.S. "will make them pay a price" for tampering or sabotage. He said the U.S. hasn't spelled out where the red lines are and doesn't respond when a subsea cable is breached. Adversary nations have gotten used to "coming after us and not paying a price."

Stehlin said NTIA should lead the interagency Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Services Sector. While DOJ, DOD and Homeland Security involvement is preferable, improving telecom systems should be the lead issue in any "Team Telecom" evaluation. Having NTIA drive Team Telecom evaluations should speed up permitting, he said, adding that the average Team Telecom review lasts more than 400 days before an application eventually reaches the FCC for final approval.