Results

U.S. Senate Committee on Commerce, Science, and Transportation

12/11/2024 | Press release | Distributed by Public on 12/11/2024 15:25

Sen. Cruz: Cyberattacks from State-Sponsored Hackers Must Be Fought with Deterrence, Not Ineffective Regulation

Sen. Cruz: Cyberattacks from State-Sponsored Hackers Must Be Fought with Deterrence, Not Ineffective Regulation

December 11, 2024

WASHINGTON, D.C. - In his opening statement at today's Senate Commerce Subcommittee on Communications, Media, and Broadband hearing titled "Communications Networks Safety & Security," Ranking Member Ted Cruz (R-Texas) stressed the need for decisive and strategic action in the face of cyber threats from malicious overseas actors. This requires hard work and decision making rather than knee-jerk, ineffective regulation. The Biden administration's record of tolerating state-sponsored attacks and reacting through regulatory mission creep has harmed the U.S.'s economic interests, international reputation, and national security. It is time for policymakers to reevaluate this approach and develop an informed and coordinated strategy focused on robust incentives and deterrence.

Here are Sen. Cruz's remarks as prepared for delivery:

Thank you, Chairman Luján, and to our witnesses today.

Cyberattacks from state-sponsored hackers represent a grave threat. These attacks strike at the health of our economy, undermine the functioning of our government and security, and cost our country billions of dollars. State-backed hackers-especially those from the People's Republic of China, Russia, and Iran-are well-funded, highly sophisticated, and relentless in their exploits. No company could hold such a state aggressor at bay indefinitely once it is determined to attack.

These attacks have become all too frequent. The latest one, the so-called Salt Typhoon, was a group of hackers reportedly linked to China's Ministry of State Security who embedded in our telecommunications infrastructure and remained undetected, monitoring America's communications networks.

Based on public information, these Chinese hackers reportedly used backdoor channels to access sensitive government information about the integrity of their Chinese spy network operating in the United States.

These hackers also accessed American citizens' unencrypted texts, audio calls, and potentially emails from around the country and specifically targeted our nation's leaders, including President-elect Trump and Vice President-elect Vance.

There is still much unknown about the Salt Typhoon attack, and details continue to emerge. What is clear is that it was a significant cybersecurity breach with far-reaching implications for both the U.S. government and the public. This incident underscores the persistent and malicious interference by the Chinese Communist Party, a belligerent state actor with a long history of exploiting cyber and telecom avenues to harm U.S. interests.

This attack from a state-actor against our nation's infrastructure will not be the last. We must plug any vulnerabilities in communications networks. We already have in place a regime of cybersecurity authorities across multiple government agencies. Now is the time to review and align these so they work robustly and efficiently to ensure our nation's cybersecurity is as strong as it can be. This, however, is only a start.

For too long, the Biden-Harris administration has tolerated cyberattacks from the PRC and others while using these as a pretext to expand inefficient and redundant government regulations of, at best, dubious efficacy.

In the wake of this attack, we may hear more Pavlovian advocacy in this vein today. In fact, last week the Biden-FCC announced a declaratory ruling and proposed rulemaking to impose "a modern framework to help companies." The press release is short on details, but this seems to be a band-aid at best and a concealment of a serious blind spot at worst.

I have my doubts over whether an annual certification is the right solution, as well as questions about the FCC's technical expertise and legal authority on this matter. The FCC should not be using the waning days of this administration to rush into regulatory expansion.

Rather, the agency should be assisting cyber and national security experts in the Executive Branch to gather and disseminate the information the public and policy makers need to fully address this issue in the next administration.

As I have noted before, the federal government has a poor track record of protecting against cyberattacks, and we should be cautious about placing too much faith in more regulation and reporting requirements to protect us. Redundant regulations and reporting requirements stifle investment and can weaken incentives to promote secure communications networks and cooperate with federal authorities. In addition to plugging any holes, we should look at coordinating the cybersecurity tools we have already in place at DHS, the Department of Justice, and elsewhere. Where these conflict or overlap, I call for streamlining and removing any armor chinks.

And rather than finger pointing and punishment, we should be working constructively and asking what incentive structures could be implemented to make our cybersecurity defenses as strong as possible.

Finally, the Biden-Harris administration's lack of an effective response to the PRC's brazenness only emboldens our adversaries to push the boundaries further. One of my Senate colleagues called this the "worst telecom hack in our nation's history." If we continue the current administration's approach of weakness and dubious, knee-jerk, self-regulation, I may reply to my colleague, "yes, until the next one."

###