March 26, 2020

Transcript from Engagement and Competition: China, Technology, and Global Supply Chains with the Cyberspace Solarium Commission

By Rep. Mike Gallagher, Samantha Ravich, John C. Inglis, Carrie Cordero and Martijn Rasser

On March 26, 2020, the CNAS Technology and National Security Program and the Cyberspace Solarium Commission hosted a virtual panel discussion on "Engagement and Competition: China, Technology, and Global Supply Chains." We are pleased to share the transcript of the panel discussion with you.

I. Opening Remarks

Martijn Rasser: Good morning everyone. Welcome to this virtual panel discussion hosted by the Center for a New American Security in conjunction with the Cyberspace Solarium Commission. I'm Martijn Rasser, Senior Fellow in the Technology and National Security Program at CNAS. Our topic today is a critical one, engagement and competition, China, technology and global supply chains. How the United States navigates these issues will have considerable impacts on the course of the 21st century.

Martijn Rasser: The Cyberspace Solarium Commission made a key contribution to shaping how we address this challenge by crafting a cyber strategy underpinned by dozens of specific recommendations for action. The strategy and findings are laid out in the Commission's Report that was released earlier this month. I encourage you to check it out. The report is thoughtful, compelling, and well-written. It's available on the Commission's website, solarium.gov. We'll dive into the broad themes and several of the specific recommendations made.

Martijn Rasser: A few housekeeping items. We'll kick off the discussion with several questions and then invite our attendees to join the conversation with open Q&A. As a reminder, this event is on the record and being recorded and when we come to the audience Q&A portion, I ask that you identify yourself by name and affiliation. Before we begin, I'd like to introduce my colleague, Megan Lamberth. Megan will manage the interactive portion of this webinar and she'll explain to you how you can engage with us, whether you're on your computer or on the phone. Go ahead Megan.

Megan Lamberth: Thank you, Martijn. And many thanks to all of you for joining our webinar this morning. There are a couple of different ways that you can participate and ask a question in today's session. If you are joining via video conference, you can submit questions in the Q&A box in the toolbar at the bottom of your screen and if you're joining by phone, you can press *9 to raise your hand. Martijn will call out the last four digits of your phone number and we will unmute you at that time. We ask that you please introduce yourself then. Finally, if you're experiencing any technical problems, please feel free to email Ainikki Riikonen at ariikonen@cnas.org. Back to you Martijn.

Martijn Rasser: Great. Thank you, Megan. Allright, let's get right to it and introduce our panel. We're here today with Congressman Mike Gallagher, Representative of Wisconsin's Eighth District and Co-Chairman of the Cyberspace Solarium Commission. Representative Gallagher is a former Marine, a combat veteran, and a former intelligence officer. We have two Cyberspace Solarium Commissioners joining us today, Dr. Samantha Ravich and Chris Inglis.

Martijn Rasser: Among the many hats she wears, Dr. Ravich is the chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and its transformative cyber innovation lab. She's the vice chair of the President's Intelligence Advisory Board. Chris Inglis is a former deputy director of the National Security Agency, currently serving as the Looker Distinguished Visiting Professor of Cyber Studies at the United States Naval Academy.

Martijn Rasser: Rounding out the panel is my colleague, Carrie Cordero, the Robert M. Gates Senior Fellow and general counsel at the Center for a New American Security, adjunct professor at Georgetown Law and a CNN legal and national security analyst. Representative Gallagher, let me begin with you, as co-chair of the Commission, set the scene on the Commission, its mandates and the core message of the Commission's report.

II. Panel Discussion

Rep. Mike Gallagher: Well, thank you for doing this. I'm glad we were able to adjust given the unique needs of the coronavirus crisis and I hope everyone watching is staying safe and staying healthy as we try and get good through these very difficult times.

Rep. Mike Gallagher: Though it was framed a bit differently in the legislation that gave life to the committee, one thing my co-chair, Senator Angus King, and I have kind of become fond of saying as a way to describe what we were after with the Commission was, and we want to be the 9/11 Commission without the 9/11. In other words, what are the changes we need to make now in terms of government structure, authorities and resources in order to restore some semblance of deterrence in cyberspace and prevent a massive cyberattack in particular? What is the mix of cost in position, denial of benefits and norms that we need in order to keep the country safe in cyber?

Rep. Mike Gallagher: And though the Commission draws its inspiration from the early part of the Cold War, and what we wrestled with in terms of concepts in the early nuclear age, I do think there is sort of a fundamental difference in terms of how we're thinking about deterrence and so much of the report focuses on deterrence itself.

Rep. Mike Gallagher: In other words, if the fundamental dilemma of the nuclear age was insuring deterrence could not fail and that the military must be in the business of waging peace, there was very little room for error and you can sort of read the works of Bernard Brodie and how that influenced Eisenhower and Eisenhower's Solarium sort of went through this issue. I think the fundamental dilemma of our cyber age is that right now it seems that deterrence is almost constantly failing below the use of force threshold in particular and that non-military instruments, particularly private sector actors, must step up and develop sufficient resilience to withstand cyberattacks and strike back with speed and agility.

Rep. Mike Gallagher: And I think if there is an overarching sub-theme besides this question of whether the deterrence is possible in cyberspace, to which we answer yes, I do think it's this concept of resilience. How can we incentivize more resilience in the private sector? How can we develop more resilience in the federal government? And over time, through that mix of denying benefits, of punishing bad actors, how can we establish norms or rules of the road in cyberspace, which are not something that are going to be created in a laboratory or even necessarily in a room full of diplomats at the outset?

Rep. Mike Gallagher: And so I just would finally say, this experience has been really a unique one and my most rewarding one in my time in Congress. And I think that's entirely a function of the quality of the commissioners that we have. I mentioned my co-chair, Angus King, who was fantastic to work with. Other legislators on the Commission, including Senator Ben Sasse and Congressman Jim Langevin. And then obviously we have two incredibly brilliant commissioners with us today, Samantha Ravich and Chris Inglis. And there are many times when Angus would lean over to me while we were watching these debates among some of the most brilliant minds of our day in cyberspace and say, “This is how Congress should work every day and doesn't.”

Rep. Mike Gallagher: And so it was really an honor to be part of this and I want to thank my fellow commissioners for their sincere effort. There were a lot of vicious disagreements, but everyone approached us with a spirit of not necessarily bipartisanship but just trying to figure out what works and what doesn't in cyber, trying to steal the best ideas, fix deficiencies in the federal government, and there really was just a unique mix of people in this effort. And so I really hope everyone will read the report.

Rep. Mike Gallagher: Just to end where I began with this idea of avoiding a cyber 9/11, it's why we did some unique things like begin with a narrative written by the authors of Ghost Fleet about what the future might look like if we don't make change right now. We're trying to get your attention. We're trying to engage everybody. That's why we wrote an unclassified report. And so thank you for allowing us to talk about it today.

Martijn Rasser: Absolutely, absolutely. I wanted to just ask you a question. So one challenge I see when formulating recommendations for cyber issues is the rapid pace of change. So how did the Commission address this in this work? Take cloud computing for example, the report emphasizes the benefits of cloud-based services and make several related recommendations. How did the Commission anticipate its recommendations to keep pace with the private sector, such as with changing architecture of cloud services and the varying security capabilities of cloud providers?

Rep. Mike Gallagher: Well, first I would say implicit, if not explicit in the report, or at least the chairman's letter in the beginning, is that a recognition of the federal government, to a greater extent sometimes than those of us who are embedded within it tend to appreciate is often not structured to act with the requisite speed and agility necessary to keep up with what's happening in the private sector, and therefore defend our interests in cyberspace. It's not to say we can't, it's just that we need to get comfortable with the idea that since so much of our critical infrastructure is owned by the private sector, there are times when the federal government needs to be a supporting effort and provide supporting fires as opposed to being the main effort. This is why so many of our recommendations are intended to, not with a heavy hand, but you know with the right incentive structure, incentivize the private sector to step up, strengthen their security posture, improve willing to partner with the federal government so as to avoid a breakout on their network.

Rep. Mike Gallagher: In fact, whenever we recommend a private sector regulation, our goal or our intent was really just to give the C-Suite a financial incentive to prioritize and improve their cyber posture rather than saying, "You must do it this way and that is the inflexible position of the federal government." It's also why we took a look internally at ourselves and did things like recommend the creation of a House Permanent Select and Senate Select Committee on Cybersecurity, not only to consolidate authority, but hopefully they get a repository of expertise on cyber within the legislative branch that can then do more effective oversight of the executive branch and ensure that it's keeping up.

Rep. Mike Gallagher: Finally, I'd say, as it pertains to cloud computing in particular, we are recommending certain things, like recognizing the security disparity among cloud providers, so we recommend the creation of a cloud security certification that providers can voluntarily attest to. But we also recognize that this could drive up the costs of cloud computing services even if only marginally and driving up costs could serve to either slow or decrease adoption, which would defeat the point entirely, and I think that's part of your question. We therefore call on Congress to direct the Department of Commerce, Small Business Administration, and DHS to conduct a study to figure out how best to incentivize the uptake of cloud services for state and local governments and small and medium-sized businesses, whether through small grants, tax incentives or other means. So, with that, I'll stop because we have much smarter commissioners here that can talk about this stuff.

Martijn Rasser: Thank you, Congressman. So, this report comes out of a very consequential time in our nation's history. We're at the cusp of what many believe will be a fourth industrial revolution fueled by technologies, such as artificial intelligence and 5G, fifth-generation wireless telecommunications. Cybersecurity is more important than ever. The current pandemic crisis further underscores the need for secure, robust and resilient cyber infrastructure. So before we discuss further details of the Commission's report, I want to take a step back and place it in a broader context. Carrie Cordero, what lessons should we draw from the Commission's report at this difficult time and what are relevant lessons from past systemic shocks the United States has faced?

Carrie Cordero: Thanks, Martijn. So first, I think I want to step back and just talk about the report a little bit in the context of what we're all currently going through with respect to us all being working remotely, and some of us working from home, and having to adjust all of our personal and professional lives and the disruption to the economy because I think there is a very common thread that we can draw from the current environment to the warnings that are provided in the Commission's report.

Carrie Cordero: And so the Commission has really done an incredible job of laying out the entire breadth of issues and really serving it up on a platter for action to be taken both by the executive and the legislative branch. I think the tension that some of us in the national security community are feeling, this week and last week, and I expect in the coming days and weeks and months, is that on one hand we have this current crisis with the coronavirus and on the other hand we want to make sure that other national security issues, other issues relevant to defense and foreign policy aren't ignored and don't get shoved to the side.

Carrie Cordero: In this particular circumstance, when we're talking about strategic issues related to cybersecurity, they actually are really interrelated and so I want to first underscore Congressman Gallagher's comments that what we don't want to do is wait for that so-called cyber 9/11, that the Commission is a call to warning to provide impetus for action and what we don't want to happen, what I would hate to see happen is these 75 plus recommendations be put on a shelf only to be taken off the shelf when something dramatic happens.

Carrie Cordero: Now, second, why I think that is particularly relevant, and actually more urgent given our current situation, is that one of the aspects of the report, one of the recommendations of the report, calls for a plan for continuity of economy. Well, what the report was talking about, and what the Commission was addressing, was continuity of economy in the context of a major cyberattack. What we're seeing in the coronavirus environment is that our government did not have in place a continuity of economy plan in place for a pandemic incident, and so now the Senate has taken action. But we certainly are in a position of where there is dramatic effects on the economy and we're playing catch up by trying to develop a quick plan on the fly.

Carrie Cordero: What the Solarium Commission recommended, and which is really I think urgent given the current circumstance, is that we need those types of plans and those strategies and those playbooks to be ready to go when the incident happens. And then the last thing I'll just add to that in terms of the connections between our current environment and the Solarium Commission report, is that there is not a day that I have logged on in the last two weeks that I don't fear what a maligned actor could do to our operations and to our economy now that so many more of us are conducting our business online. So I feel not that the Solarium Commission's Report is something for another day in the current environment with the coronavirus, but my perspective is that its recommendations and action on them are more urgent in the current environment.

Martijn Rasser: Thank you Carrie. Thank you. Chris Inglis, let me post this question to you first and then we'll explore this topic from several angles. What are the challenges that China poses in cyber? And as a corollary, I also want to ask you since we already, through our chat screen, have a question from Se-yong Kim from Voice of America, North Korea being the hot potato in the realm of cyberspace. If you're ready to address that point as well, please do so. But go ahead please, Chris.

Chris Inglis: So thanks for the question. If I can just first add a point to Carrie's points. The Commission, when you look, has quite a lot of detail, over 80 recommendations, but you'll note that we avoided the technical details of specifying, either in technology or in implementation, particular responses that would be relevant to the current circumstance, or perhaps technology specific. And what we really tried to do was to look at roles and responsibilities, such that we could harness all of the talent, all of the perspectives in our larger society. And because at this very moment we're finding that we have a massive reframing of how we deal with the infrastructure that we know as cyberspace, agility is probably the number one feature of what we need going forward.

Chris Inglis: Most of us today are dealing with this particular teleconference from places that we would never have imagined a week or two ago would be our primary workplaces. That last tactical mile may or may not be as well defended as we would hope. If we have agility in terms of reframing the architecture on the fly, if we've got built in the necessary resilience and robustness anywhere in our society, we can in fact stride for stride, stay a pace of current changes that are taking place in the current situation.

Chris Inglis: You asked specifically about China, and perhaps by extension North Korea, which might be another player in the room. I would say that what we see in the form of China is an attempt using economic methods, using perhaps engagement of global standards bodies and a rapid push of technology, which perhaps leaves security behind. A great challenge to us, us being the United States and like-minded nations, in terms of having the sort of technology, the resilience and robustness and that technology and the competence that the legal regimes that go hand in glove with that technology to serve our purposes.

Chris Inglis: 5G as a case in point, that very dense, somewhat autonomous brand or bent bag of technologies, which is now being introduced to the world is going to fundamentally change our opportunities to have some degree of autonomy, whether that's in self driving cars or devices that constitute an ability to manage our critical systems. But if that's not done in a way where we have confidence in the inherent security, resilience and robustness, if that's not done under our legal regime where we have confidence that we'll defend the privacy interest of those persons whose data is inside of that, we will wind up ruing the day that we gave that away to a player that doesn't have the same values, standards and approach that we do.

Chris Inglis: In all of those areas, we believe that China is not essentially approaching this in a way that is suitable or consistent with our interest. They massively invest in companies like Huawei to perhaps tilt the economics in favor of national industries. You can buy 5G gear from Huawei at probably 40% below a what would be a fair market price. They've taken over the standard's bodies largely through sins of omission on the part of the United States and others in ways that they've locked out American or like-minded nations have ability to play fairly and freely on that market foundation. And the security, while we've looked for smoking doors and not necessarily found them in gear like Huawei, the security is sufficiently bad that there are a number of front doors. The stuff is just not built very well. Even if it was built very well, the legal regime that China could bring to bear in terms of accessing the content of the information that's coursing through those systems, should concern in any privacy advocate within the United States.

Chris Inglis: All of that says that China is a real and material competitor. They're essentially trying to compete on a playing field that they've established according to their own interest and we need to challenge that. We need to do that using our own values. The report talks about what that approach might be. I'll leave it to a further discussion about some of the specific recommendations we've made. But it is a real and material challenge to us. It comes in the form of not simply China but Russia and North Korea, others taking unfair advantage with no consequences for their bad behavior in this space.

Martijn Rasser: Great points. Thank you. Samantha Ravich, how do you assess the China threat and what should the United States do in response?

Samantha Ravich: Well, thank you. Let me also kind of key off of some of the other comments first that that were made even back to the cloud computing that Representative Gallagher had talked about and some of the recommendations from the Commission. I think over the next hour, we're going to be drawing a lot of lessons about, we're currently in a live fire exercise, right? About what we have talked about, what we said might be coming in the cyber realm. We're seeing it now obviously play out on the coronavirus level on our economy and even when we talked about the cloud computing, the smaller cloud computing companies right now could be facing extremis, right?

Samantha Ravich: If they have one or two people in, in their organization that come down with a virus, will they be able to staff correctly? Will they be able to take care of the cybersecurity measures that they have to? The big ones, yes. The small ones, maybe not. Like other companies, they're kind of potentially moving resources away from cybersecurity just to stay alive in this very, very challenging environment. So, when we put recommendations out on a cloud security certification, that there are standards that that need to be met, if we had those in place at this time, I think we would be stronger for it, even in that particular instance on cloud computing. But we'll be able to draw that out as we continue this conversation.

Samantha Ravich: In terms of China and the threat from China, no surprise to anybody in this audience that China is using lots of different tools and methods to really fuel its economic rise to undermine our strategic capabilities. We came into this Commission thinking about the notions of cyber-enabled economic warfare where an adversary, such as China, uses cyber means to undermine key components of our economy in order to weaken us militarily and strategically as both Chris and Representative Gallagher have said. Up to this point, we really haven't been positioned well to defend against it, to understand how this is rippling across our economy, even prior obviously to coronavirus. And I want to get back to this moment in time and how it connects to all of this and what to do about it.

Samantha Ravich: [Inaudible] we see following now that certain parts of defense, industrial base, certain parts of the innovation base particularly so that China can grow stronger and we weaker because of it. I'm very concerned that again at this moment where our economy is being set back by coronavirus and the ripple effects that China will once again press its advantage. I mean there's going to be companies inside, very important strategic companies, small ones, medium size ones, probably not the largest ones, although I don't know about that, within our DIB that will be looking for lifelines, right? Whether it's bags of cash, whether it's bridge loans, whether it's just buying devalued stock.

Samantha Ravich: We could wake up from this nightmare of the virus and find that a number of our key economic assets are now in the hands of a competitor/adversary. So, on the bringing it back to the cyber side of this, this is we really did look at in the Commission through the lens of we are the number one military in the world because we are the number one economy in the world. We cannot separate these aspects protecting the strategic strength of our country on cyber without understanding the absolute critical, vital role of our economy and our economic actors in this. China understood this well before we did, and so the lens and the focus of the commission is to kind of reorient and realign that balance.

Martijn Rasser: No, great. Thank you. Representative Gallagher, Carrie Cordero, anything you'd like to add to these points?

Rep. Mike Gallagher: No, I just would say, I mean, there are so many things to unpack when it comes to the challenge posed by China and cyber. I just would say beyond the technical challenges, the sort of challenge or concern associated with a country that doesn't share our values dominating the future of 5G internet. I do believe there are more insidious ways in which China is openly and legally exploiting certain aspects of D.C. to wage information warfare and political warfare.

Rep. Mike Gallagher: Right now, obviously we've all seen in the context of coronavirus certain rhetoric coming from the Chinese Communist Party threatening to block exports and therefore plunge us into a sea of coronavirus to steal their phrase. But for a long time, they've been exploiting loopholes in FARA and LDA disclosure requirements to hire a lot of very senior former legislators and cyber aficionados and that can inject an enormous amount of influence and disinformation into our political bloodstream. And so not trying to, I'm very conscious of the fact that my district produced Joe McCarthy and I'm the second Marine intelligence officer ever elected to Congress from Wisconsin. But I just do think there's a whole, an under-explored issue of CCP influence domestically in the United States that makes these technical issues very challenging to unpack.

Carrie Cordero: I would just add also Martijn, that I think one of the challenges that has taken place, and I think the Solarium report moves us and advances us in this respect, is that so much of the malign cyber activity by foreign nations, particularly China, have been so behind the scenes that it's not a malign foreign activity that has been apparent to those sort of outside either the economic community that has been impacted by it or outside the defense community that has been victimized by it, if we want to talk about the theft of IP for example, or beyond the cyber policy community, absent some immediate news articles that focus on a particular attack or particular activity, all of the malign cyber activity that is going on, on a daily basis, it's not apparent. We don't see it in the physical world.

Carrie Cordero: And I think that that, it sounds obvious, but that challenge I think has then made it difficult from a public perspective and also from a legislative perspective to gain traction on these issues. I think one of the most valuable contributions that the Solarium Commission report makes at a high level beyond the end of all of the many valuable individual recommendations, but at the bigger picture level, the contribution that it makes is it coalesces in one place, in one unclassified report, all of these events that have taken place and that have taken place over a period of the last 10 to 15 years. Whereas normally the public is used to digesting them as, well there was this particular incident or that particular incident. So I think the fact that the report identifies all those and identifies them in an unclassified way, in a very digestible way, is an important contribution. And I hope that the transparency about the activities that are going on is something that we can do more on in the future.

Martijn Rasser: Yeah, that's very true Carrie. I mean, it's a very compelling report for exactly the reasons that you identify. I think this is probably a good time to perhaps dig into the tenants of layered deterrence, which this report lays out. Chris Inglis, would you like to tell us about what exactly that means and what it entails?

Chris Inglis: Yep. Thanks. I'm mastering a technology that I've only first used in the last two weeks, so thanks for your patience. Yeah, thanks for the question. So, as Congressman Gallagher indicated early on, while we believe that deterrence has not been working, and certainly classic deterrence has practiced in the nuclear age has not been working, we believe it can. And we recommend kind of from the top down a three-part strategy. We call it layered deterrence in the report, which essentially has three broad lines of effort.

Chris Inglis: The first would be to shape the environment, to essentially set expectations about what rational behavior is, to essentially establish roles, responsibilities such that folks, individuals, nations who engage in activities in that space have an understanding about what the U.S. and like-minded nations expectations and aspirations are in that space.

Chris Inglis: Second, broadly to practice what we used to call them in the traditional deterrence age deny benefits, to build in sufficient resilience, robustness, an ability to discern how the environments are actually being used and to counter either malicious activity and malign activities in a way that it's harder for an adversary to essentially have their way with us.

Chris Inglis: And then finally, for those adversaries that still come at you, whether they're criminals or nation states and everything in between who violate, intentionally violate those normative behaviors, to impose consequences on them, to impose costs. And in that regard as Congressman Gallagher indicated, while we have affirmed the use of military power, Cyber Command particularly, what we really did was to describe an environment where we have to use all instruments of power, some of which actually are already owned by the private sector in terms of what they can do using the various perspectives, authorities, capabilities. We don't go so far as to put the private sector in an inherently governmental role but the private sector and the governments, plural, working side by side can in fact impose consequences in a collaborative manner on adversaries in the space that make it such that if you're an adversary coming at one of us, you've got to beat all of us.

Chris Inglis: Across to all of that, we tried very hard to use market forces, regulation where necessary, but use market forces to effect defense in a collaborative integrated manner, as opposed to a division of effort where everyone defends their own patch and we can be essentially picked apart one by one, and imposing consequences to do that in the largest possible context, and international context is the one that is most strongly preferred. And so there's a very high premium given to working with international partners to ensure that when and whenever we can, we essentially approach this with the common values underpinning those alliances and use the mechanisms that broadly are available across many governments.

Martijn Rasser: Yeah. Multilateral approach will be critical to executing this well, including I think for the supply chain vulnerability issues that we're facing now. It was something I'd like to dig into some more right now. Dr. Ravich, why are our supply chains so vulnerable? How did we get here and, more importantly, what can we do about it in response? I'd love to get your thoughts on that.

Samantha Ravich: Well, we got here because the world is an interconnected place and market forces were looking for the most efficient, most cost-effective way to build their supply chains, and not a lot was thought about resiliency for this in a national security context. So over the last decade, decade and a half, we've seen these supply chains grow out for the major companies, especially the major companies in the defense industrial base, to thousands if not tens of thousands of contractors, subcontractors, and so on and so forth down the line. So much so that the Department of Defense really doesn't have any idea who is in the supply chains of the most critical parts of the defense industrial base. And when we kind of all open our eyes to the fact that all you need is a weak link to get into a supply chain, whether it is counterfeit items, which we have seen counterfeit items go into numerous, numerous quantities go into our defense industrial base, defense supply chain, or malicious code, we realize that we have a serious problem.

Samantha Ravich: So as we thought about, okay, what steps can the Cyber Solarium Commission make and recommend to kind of harden that supply chain? First of all, you need to understand it better. So we have recommendations in there on how the government needs to collect the data to better understand who is in the supply chains or in the defense industrial base, and the broader parts of, let's call it the national security industrial base, because first you have to know what's out there to be able to know what to protect. Then be able to prioritize those critical pieces that have to either be brought back onshore or for a like-minded, friendly country so that we are not put at risk from having those parts of the supply chain ended during crisis or extremis, manipulated counterfeit items put into it.

Samantha Ravich: We had talked about, again, live-fire exercise, what we're going through right now. Where are the N95 masks? Where are the respirators being made? Where are the pieces that are so important to our current medical supply chain, our pharmaceutical industry? We can talk a lot about that. Obviously important for our citizenry as well as our military capabilities that we have the ability to produce onshore or in friendly nations what we need. But again, it goes to a fundamental piece of the Solarium Commission, which is this if we want to have deterrence and, as Chris had said, resilience is a major part of deterrence, right? So that the adversary knows that if they attack us, we will be able to stand strong. We will be able to reconstitute what we need and what we must to be able to impose costs back upon the adversary.

Samantha Ravich: Hardening our supply chain is a key component of continuity of the economy so that the next day after a cyber day after we have those components ready to go. If I may, let me just talk for one second about this continuity of the economy, which Carrie had mentioned at first. It's a key component, key recommendation of the commission. We can talk about how it would actually be put into place with the planning cells. But it again fosters deterrence, it's not just what the government can do for the country. Deterrence also in resilience has to be what our economy can do, what it must do, as well as the citizenry itself. So things such as in continuity of the economy, understanding what are the key critical nodes that all else depends on in the economy so that they can be protected.

Samantha Ravich: We're seeing again in the coronavirus live-fire places like Walmart, places that know how to do distribution on a large scale. Who would have thought that they're a critical or essential infrastructure, right? I mean, all of the technology that we're doing to be able to communicate, to be able to share information, not just our electric grid, which of course is key and vital. Let me do a very clear shout out to Tom Fanning who was a commissioner on the Cyber Solarium Commission, CEO of Southern Company. They're a major grid utility operator [Inaudible] they serve. Tom Fanning was absolutely fantastic as a commissioner. He kind of brought to the Commission the understanding that in the grid and other places part of resilience might mean going back to analog, having the ability to actually pull a lever that will shut off a system if need be.

Samantha Ravich: We need to be thinking, and we are in the commission, what we've put forward as a pathway for continuity, the economy, things such as, as I said, critical nodes, going analog. How do we protect and restore C-data for key parts of the economy to be held here or potentially to be held in overseas friendly nations and the resilience of the American people themselves? In the cyber context, throughout the report, we have key recommendations that give the American people the ability to understand what is maybe more safe and less safe in terms of the technology that they are buying, that they are using. Right now, who knows as an American citizen, if you buy one device versus another, what's more secure. Pushing it down to even the citizenry level because we are all in this together and we cannot have resilience if we don't have the economy and the citizenry as key parts of it.

Martijn Rasser: Thank you for that. Carrie Cordero, as a lawyer and legal scholar, what's your perspective on how to restore credibility to supply chains?

Carrie Cordero: Well, a lot of it are some of the things that Dr. Ravich and Chris Inglis just described, which has to do with international, making choices about what we are going to bring back onshore. But then also I want to underscore something that I think they both mentioned, which is the importance of international partnerships. We have friends in the world, and we need to, as the Commission report encourages us as to do, develop those partnerships and work with those that are allied countries to counterbalance the malign influence and counterbalance the bad actors.

Carrie Cordero: Those partnerships, in this area, in the supply chain area are at the intersection of national security issues and the economic issues. So the countries that we should be looking at and the partners that we should be exploring how to do this with are those who are aligned with us both on the economic aspects and who we think that we can produce productive partnerships with and on common national security interests. The other piece that I'll mention, which hasn't been mentioned yet, but is also relevant to our current national conversation, and so I think it's worth flagging that it also was in the Commission report, is the role of the Defense Production Act. So many of us have learned more about the Defense Production Act just this week as it has been invoked in the coronavirus response as to whether or not it should be used and how it should be used to mandate industrial production of certain devices and equipment that will help first responders and help the medical community.

Carrie Cordero: The Commission report has some specific recommendations about the role of the Defense Production Act, where it can be used, and how it can be used, and proposes amendments to it in ways that can potentially help with this supply chain issue. And so I thought that that was something that hasn't really been explored before and that the Commission provides them new recommendations in that area. The other area that the Commission spends time making recommendations on to help improve the supply chain is the investment in research and development. And I think also because the Commission draws its mandate from a historical perspective of the critical role that U.S. federal government has played in funding at the nascent research and development level important and really globally changing technologies that have affected the world. On the R&D side, the Commission report recommends that more investment be placed on the research and development side to help drive the investment and the increased development and innovative thinking on the U.S. end that can help get us way out ahead on the supply chain issues.

Martijn Rasser: Congressman, I'd love to get your thoughts on this issue as well. And also, do you see any historical precedents that are applicable in this scenario?

Rep. Mike Gallagher: Well, first let me add a point to what Ms. Cordero said about the importance of allies. There was a Chinese academic, I forget who it was, who wrote an op ed, I believe in the New York times, in 2015 talking about U.S.-China competition before great power competition was the dominant phrase in our lexicon. And he ended with something that has sort of haunted me ever since, that I think is true. And he said the core of competition will come down to who has better friends. I do think while if you were to sequence the various layers of our strategy, I mean it'd be very difficult to do, we kind of place a premium on deterrence by denial while recommending more speedy deterrence by punishment and recognizing that over time it's going to be difficult but not impossible to entangle our friends and adversaries in a web of norms.

Rep. Mike Gallagher: At the end of the day, I just would like to underscore the importance of allies in this space, particularly at a time when we see the CCP trying to actively exploit this pandemic in order to expand their influence around the world. And so, I really think that the question of what does responsible decoupling from China look like? Not total decoupling. In other words, I suspect we'll always want Wisconsin farmers to sell soybeans to China, we'll always be willing to buy cheap t-shirts from China.

Rep. Mike Gallagher: Here in the United States, I do think over the next decade, almost regardless of who the president of United States is, because I think this is the new consensus position in U.S. foreign policy, we're going to have to go through this very difficult process of identifying what supply chains we are willing to pay to shore up, make more resilient, and bring certain manufacturing involved in those supply chains back to the United States. The obvious topic right now is our pharmaceutical supply chain, our medical supply chain, but the same could be said about a ton of aspects of defense industrial base as Commissioner Ravich laid out. I think there are just a few ways in which we can do that. I mean, I do think we're going to have to find a way to sort of draw a moat around foundational technologies, sustain independent supply chains, provide transparent capital markets. That's probably the lowest hanging fruit, and all of that is bound up in this broader effort to ensure our freedom from economic coercion.

Rep. Mike Gallagher: Whether there are historical precedents ... You know, it's interesting. I actually yesterday sent an email to some smart Cold War historians, and I asked them for what are the best books on the economic relationship and economic history of economic warfare of the Cold War in terms of us versus the Soviet Union. I'm starting to build that list myself, but I think what makes this competition much more difficult in some ways than our competition with the Soviets in the Cold War is precisely this point. It's that we didn't have to decouple from the Soviet Union because our economies didn't really interact that much. We are so, at least since 2001, we've become increasingly intertwined with China that we're discovering how difficult it is to decouple. But that's going to be something we have to figure out over the next decade.

Martijn Rasser: Oh, thank you for that. Mr. Inglis, do you have any thoughts on this particular topic?

Chris Inglis: So, I think that's all extremely well covered. I think we might have some questions to get onto, and so I'll leave that on the table as it has been described. Well done.

Martijn Rasser: Okay, excellent. Thank you. One final question before I turn to audience Q & A, and this is for the panel as a whole. We've talked a lot about the challenges we face with China. Where do you see room for engagement? What opportunities do we have to have a constructive dialogue with Beijing on these matters? If anyone ... Samantha Ravich, do you have any thoughts on that particular issue because there should be hopefully some areas where constructive dialogue can take place or perhaps you don't see it?

Samantha Ravich: Let me just say, I mean, there are things to explore so that where we are now doesn't get into something that resembles a hot shooting war, right? No one wants that, and but you can put your mind to it and see how it could be stumbled into. Whether it's South China Sea contingency, or it's something having to do even closer to our own hemisphere or where we're [Inaudible].

Samantha Ravich: Pharmaceuticals are something that we absolutely need for the protection of the homeland. So, making sure that the kind of where the boundaries are, and some of it will take place in establishing those boundaries through dialogue. Some of that establishing those boundaries will take place through persistent engagement on the cyberspace, and we also talk a lot about that. But, as we become more robust in our pushback, which I think every commissioner aligned with on this, it will open ... I think open the door to a better dialogue, especially for us.

Samantha Ravich: We've been in dialogues in the past with the Chinese, and we haven't been able to enter it through a position of strength. So, what the Commission really focuses and certainly in one of those parts of deterrence, will allow us to open that dialogue from a much, much better position than we have for the last two decades.

Rep. Mike Gallagher: Can I add a quick point on that? So, and I'm sure there are areas of cooperation, but let me invoke Mattis. Not Jim. Peter Mattis has a great argument on this, and he talks about and really chronicles how those advocating for engagement with the PRC, have typically pointed to four areas where it's in our interest to cooperate. WMD proliferation, economic interdependence, stability on the Korean peninsula, and environmental issues. But if you go down the list, we failed to make meaningful progress in all four areas.

Rep. Mike Gallagher: For example, Chinese promises that would build export controls to monitor dual use technologies never translated into action. We expanded economic ties, but at the cost of widespread technology transfer and course of trade practices. China has consistently helped undermine North Korean sanctions, and I would argue destabilize the Korean peninsula in the process. And obviously, perhaps most obviously, China's environmental track record has been abysmal or mixed at best.

Rep. Mike Gallagher: So, I'm sure there are ways to engage going forward and the avoidance of great power war is always a good idea, but even on those modest terms, engagement has failed to produce its desired outcomes.

Samantha Ravich: And if I can add one final piece on this, which is, I guess for those that really want to lean forward into international norms, trust but verify requires that you can verify, right? There's a lot of work that we need to do as a country and with our allies to get better on our technological capacity to verify before we commit to more quote international norms that require trust, because there is ... We are not in a position, let me say, to sign up for more international agreements where we can't verify that our interests are being secured and that the other signatories are living up to their commitments.

Download the full event transcript.

Download PDF

View All Reports View All Articles & Multimedia