Fireside Chat featuring

Rep. Michael McCaul, with Andrew Howell

Internet LIVESTREAM BY Eine FEBRUARY 28 2022 Internet Society

Fireside Chat featuring Rep. Michael McCaul, with Andrew Howell

State of the Net, Washington DC - February 28 2022

Andrew Howell

Good morning, everyone. Thank you all very much for being here today. It's great to see so many people live in person. | think this is the first time I've seen this large of a group. in about two anda half years, you see this large of group more regularly. But, welcome everybody who's here in person, and welcome to everybody who's watching online. Great to have you all with us here today, and thanks to the State of the Net team for giving me this opportunity to be here this morning with all of you, and for this Fireside Chat with Representative Michael McCaul.

Congressman McCaul, who's the Chair of the Congressional Internet Caucus is very familiar to all of you in tech policy circles. Since he came to Congress, he's been working on these issues very, very actively from Internet policy to cybersecurity policy. He is a force to be reckoned with ona regular basis, representing the 10th Congressional District, which stretches from Austin to the Houston suburbs. At the start of the 116th Congress, Congressman McCaul became the Republican Leader of the House Foreign Affairs Committee, after leading the House Homeland Security Committee. That's where we got to know each other. We do a lot of homeland security

work at my firm and, and him being such a leading voice on cyber is kind of a natural affinity for us.

In his capacity as the committee's Republican leader, Representative McCaul demonstrates an unwavering commitment to international engagement with our allies, countering the aggressive policies of our adversaries, and advancing stability and democracy around the world.

Michael McCaul I'm doing a great job...

Andrew Howell Doing a great job of it today.


It's a super exciting time. So very timely to have him here with us today on all those issues. Additionally, all of us in the tech community know him for his leadership as co-founder and co- chair of the Congressional High Tech Caucus, and the Cybersecurity Caucus, both of which provide him the ability to enhance Texas's role as a global leader on technology. So, let's get right into it. | have questions for you, we'll go from there.

So Congressman McCaul, you've been around technology issues, particularly cybersecurity, throughout your tenure in Congress, and you're clearly a thought leader in this space. One of the issues you've consistently talked about is the need to adopt international cybersecurity norms that would govern behavior by nations around the world. Can you talk a little bit about why you think this is such an important issue, and how you're working with your colleagues in Congress and folks in the Biden administration to advance global cyber norms?

Michael McCaul Yeah, thanks, Andrew, and thanks, everybody, for having me. It's great to be here.

If | could just maybe step back in why | think this is the last piece of the puzzle. About 15 or so years ago, we looked at the federal government, we thought, okay, who's gonna have what role? Who's going to defend the nation? Who's going to be offensive? Who's going to share information with the private sector? And there were debates. You had the DIB, you know the industrial base pilot program at NSA. And there were some thinking that maybe NSA was the perfect place to warehouse the intersection with the private sector to share threat information, and to the civilian

side, and the private sector. And then a guy named Snowden came around, kind of messed that idea a little bit. We really thought the Department of Homeland Security seemed to be the best place, because it was a civilian agency, to interface with the private sector, share threat information, and protect the systems. The problem wasn't at that time, it was not -- the capability was the issue. And, | Know we'll get into CISA later, but to stand up CISA authorized into law, and see where it's come since back in the day when it wasn't as capable, | think you would agree, but | think now it's at a much better place. So offensive, obviously, Department of Defense, NSA, stands up domestically in a time of war, have great offensive capability, defense has always been the challenge, the struggle, but the missing piece that we have yet to really tackle.

And | have my Cyber Diplomacy Act within the State Department, and State is actually standing this up as my bill languishes in the Senate, which, unfortunately that happens a lot in Congress, everything languishes in the Senate, and they don't really do a whole lot. So, it's sitting over there. But, this is where we really have, and | think what's happening right now demonstrates a need for this, international norms and standards.

| co-chaired the CSIS report back in the day, and it was, at that time, the most downloaded report, but there's our definition of cyber warfare, norms, standards, we could be working with our allies on this piece, and | just throw out as a question to the audience, as we look at the current conflict, and we know Russia has great cyber capabilities offensively, and they've been attacking, particularly the Baltics. Estonia gets, you know, and I've been there many times. As we look at what's happening right now with NATO and Article 5, if tanks rolled into Poland, or into Lithuania, Latvia, Estonia, we would certainly throw the red flag down and say that's a violation of Article 5, and therefore triggers a NATO full retaliation, attack against one, attack against all. And then we would be in a world war three, which we're trying to avoid.

He talks about his nuclear weapons, right? Clearly. But if you get into the cyber element, what if today he had a very destructive attack, not just in Ukraine, but in a NATO country? What is the proportionate response? Does that trigger Article 5? It raises all sorts of issues that we, to this day, are still ill prepared for. And so | guess, to your - - this long winded answer -- but that's why this last piece, which we still haven't finished yet -- it's kind of exciting, we did the other stuff -- but this is really the last piece of the puzzle that we're trying to put together as it impacts international norms and standards. Private sector cannot hack back, that's illegal, although | talked to a lot of companies that would love to do that. That is a role -- we don't want to Wild West, everybody's shooting their guns off, so we need rules of the road, but we need to know what is a proportionate response back. Once you do the attribution, and you know where it's coming from, then | would say we've crossed -- had too many red lines, the ransomware attack on colonial, you

know, and then we put some red lines up, and they get crossed again. It's just like the father of five, if you don't have consequences of bad behavior, guess what? Bad behavior continues, it's a very simple concept. We don't have that. And they hit with impunity. Russia, China, Iran, North Korea, and | would argue that our response to this day has not been adequate, and the consequences have not had certainty to stop the bad behavior. So, therefore, the bad behavior continues, and that's precisely, Andrew, where we find ourselves today.

Andrew Howell

As you look across your time here in Congress, and the time where you came here and the time we are now, your tenure here coincides with tremendous advancements in technology. A lot of that is kind of what you're reflecting on now. It's like we've had new and different things, kinetic versus cyber, or combinations of kinetic and cyber. And we also have kind of evolutions in technology. When you first came here, we lived largely in an on premises software world, now we live in a cloud first world, and companies are transitioning to cloud applications. How do you see that policy evolving as well to one where our cybersecurity policy is keeping up with the transition to the cloud? Are our cybersecurity policies still based more on a kind of on premise software world? How do you think about this, and look across your time here in Congress?

Michael McCaul

It's just like when the Internet came out, really a lot of people didn't understand it. Technology's neutral, but it can be used by good, or for good or bad purposes. And the cloud has a very good security feature to it. We are worried, the EU has a law, it's very parochial, that would stop our -- basically it's punitive to our companies, while at the same time very friendly to China and Russia. So, we sent a letter to the President, bipartisan, that we need to address this legislation that the EU is looking at. | think, given the current events, they are going to walk back that legislation. Least | would hope so.

But that's -- yeah, the cloud is -- it's here, it's now. Just like crypto currency. | know we were going to talk a little bit about that. | was on a panel with the Treasury Secretary Mnuchin at the Milken Institute, | know just about enough to be dangerous on cryptocurrency. Milk is like the wizard expert. One thing is clear, and it's the same thing, like crypto can be used for good or bad purposes. Blockchain is really the stability. But imagine right now, if Russia had its own digital currency, would these sanctions have any impact? No. China, in the future, China is working on its own digital yuan. Iran, another good example. But | think the Russian example is the most pertinent, if they had their own digital currency, talking about SWIFT -- it really makes SWIFT outdated. But yeah, it's gonna happen just like the Internet happened. And we got to be prepared

for this, and what are the ramifications of digital currency, and what would be the ramifications of countries having their own digital currency, because | think that is going to be the wave of the future. | argue, and Mnuchin, as well, that the United States has to lead. We need to set the rules of the road on this, and we need to start working on our own digital currency.

Everyone's saying how much the pandemic sped along the transition to cloud technologies, and the new technologies so that people could work remotely. As you look at what's happening right now, in terms of Russia and Ukraine, and European reaction and the United States reaction, you could see a world in which countries who see themselves as adversaries to Western countries, look at things like SWIFT and cutting off other financial tools, and say, Okay, what do we need to start doing now to modernize our systems, our technologies, in order to take that off the table for Western countries? That is a significant challenge, because it does take a long held traditional tool for the United States and western governments off the table, and it's going to require, we're going to have to think more interestingly, what are the next set of tools that you use if bad actors do things, but they've moved to...

What sanctions would be effective with digital currency, because it's basically a movement away from central banks and financial institutions to more digital? Of course all the sanctions right now are on the banks, oligarchs, Putin himself, and we have some export controls, which | think we're going to talk about in a minute.

Andrew Howell

Yeah. Let's talk a little bit about this move to the cloud. As more and more companies and countries have moved to the cloud, you've seen lots of countries, China, Russia, the European Union, push data localization, keep data here, requirements that data be housed locally, but companies that provide cloud services rely on the free movement of data around the world, which is obviously very contrary to that. How do you think about kind of what we should do, from a policy perspective, to fight back against this move to data localization? And how does this impact cybersecurity, knowing that obviously the free flow of information in a cybersecurity world requires data to move too, and that's the only way you know what's happening from a signals perspective, and you can detect things? How do you see the data localization impacting cybersecurity?

Michael McCaul

Well, | think the cloud can provide actually more security, if it's done right. It was designed to share the free flow of information, as you said, but yet we're seeing countries, like | mentioned this bill in the EU, that we sent this letter to the president urging him to take action, that would localize the

cloud to only the EU, and you couldn't have this free flow of information, which really kind of defeats the purpose in large part for why the cloud was invented in the first place. That's the danger, right? We don't want countries starting having their own cloud that has no interconnectivity to the international world.

Andrew Howell

I'm going to shift gears a little bit to an issue that has been top of mind for a lot of folks until, | guess, the last few days, semiconductors. You've been an outspoken voice on the need to do more from a US government perspective to enhance our ability to manufacture, design, and produce semiconductor chips here. Obviously your congressional district is one that houses lots of technology companies. As you look at the semiconductor environment, and what's happening congressionally, how do you see this issue resolving itself? How do you how do you see the House and the Senate coming together to resolve differences in their bills around funding for semiconductors? And how are how are constituents of yours, companies in your district, talking to you about the need for the United States to lead in the semiconductor space?

Michael McCaul

Before COVID, if you said supply chain, nobody would know what you're talking about, nor would they care, until they held up their medical. They corner 85% of rare earth minerals that they get through Belt and Road, and when | say they, I'm talking about China, out of Africa, Latin America. But then the semiconductor piece, to me, is the most critical right now. 90% of the advanced semiconductor chips are manufactured in Taiwan. | talked to the then Secretary Pompeo, and Wilbur Ross, and then the National Security Adviser O'Brien, about how can we protect -- how can we manufacture more of this here, or with our allied countries? We have to get it away from communist China where it's vulnerable, because we know that the Chinese are trying to infiltrate in Taiwan, and infiltrate TSMC. That is what led to the expansion, if you will -- TSMC in Arizona, was based on that premise, but we had to provide incentives for them to do this.

So, we took that idea, and | introduced the Chips for America Act. Senator Cornyn introduced the companion Doris Matsui, my Democrat colleague. | found after nine terms, if you're not willing to work across the aisle, you're not going to get anything done, because legislation, that's just the way it works. And then, we've garnered a lot of bipartisan support, everybody from Schumer to McCarthy and Pelosi. Everyone likes the idea of, Well, hey, if we incentivize manufacturers to relocate into the United States, that not only creates jobs and opportunities and investment in the United States, but it's also a national security piece. Chips are in everything, as you all know, from your phone to our most advanced weapon systems, and if they're compromised, and we know there are foreign adversaries who would like to, or stolen, then we have a real problem. Since that,

we got this bill authorized on the National Defense Authorization bill, and since that time, you've seen enormous investment in the United States.

Now, we're not finished yet, but Samsung in my district expanded $17 billion, Intel $20 billion, Micron's looking at $100-$250 billion investment here in the United States. There aren't very many of these companies, but where they are they're looking at -- but they're CEOs, they have shareholders, they need certainty that this idea is gonna actually work. | could maybe talk too long on this, but | got a call from the Secretary of Commerce saying, Hey, | really like your chips bill, can we just pass that thing on its own, a clean bill? | said, that would be great. It'd be great for the country in America, not just Republicans, great for the administration to get a victory. Then, like Congress does best, we screwed it up. They put all this other poison pill stuff in, like 8 billion to UN Climate Fund, that could go to China where they manufacture batteries and solar panels in the Xinjiang province, where they commit genocide. So, didn't seem like that was very good policy to me to muck up the chips bill with all this other stuff.

So, here's where we are now. We're doing what's called a Conference Committee. We haven't done one of these in a while.

Andrew Howell (Laughs)

Michael McCaul You must have worked on the hill.

Andrew Howell (Laughs more)

Michael McCaul

The Senate actually -- | don't normally applaud the Senate -- they did a pretty good job. They passed my chips bill, and then what's called the Endless Frontiers, which is a heavy investment in research and development, and everything from National Science Foundation, to DARPA. If we're gonna compete with China, that's putting a trillion dollars in its digital economy, it's everything from Al to 5G to quantum, you name it, they just shut a hypersonic off that we didn't think they had, but they do, circled the world and landed with precision with a nuclear payload. We don't have that, and we can't stop it because it maneuvers.

So, we're behind. We have to compete is the point, and that's the point of this bill. My bill on the semiconductor manufacturing side, and then a heavy investment in research and development to catch up -- not catch up, but just compete primarily, globally, with the great competition of our generation, that is against Communist China. Long term they are the greatest national security threat to the United States. So, that's why this bill is so important. I'll be on a conference committee, and we're going to try to strip all this stuff, poison pills, out from the House side, merge it with the Senate, and then it goes House, Senate, to the President. The White House likes it -- | mean, | was in the Oval Office with President Biden, and there were eight of us, half of us tech, half auto manufacturer members, and he said, This is great. | wish every meeting | have is like this, because everyone supports it. That's why I'm optimistic it will get over the finish line, because there is so much support for it, from Schumer to the President, from Pelosi to McCarthy. When we do, you're already seeing the investment, but you're gonna see an explosion of investment. We also have a multinational piece to it for our allies, as well. | don't care, as long as we're manufacturing this in places where it's not vulnerable to the IP theft being stolen, which they know how to do very well.

Andrew Howell

| think the multinational piece of that has garnered great attention, particularly in Europe. It's something that something that the United States wants to do in collaboration with allied countries, and makes good sense and is something that we should push forward.

Michael McCaul Since the introduction of our bill, we're seeing European countries introducing the same thing. So,

in a way, it's a global competition all way around, but if it's with our allies, that's where it needs to be.

Andrew Howell

Let's stay on this China theme for a minute, because you've been spending a lot of time for the last year, year and a half, as part of the China task force, that you've got with a bunch of your colleagues in the House, looking at these issues of US technological superiority, US technological challenges, vis-a-vis China, US industrial policy vis-a-vis China. How do you see this kind of great power competition shaping up with the US and China? What should Congress's role be in order to advance policies that help the United States stay on, or maintain, or get a better footing, when it comes to competing with China and other countries like that?

Michael McCaul

Yeah, great question. | chaired this China task force, we came out with, over 400 recommendations, mostly bipartisan, many of which have passed, but the chips for America was the number one recommendation. There's a panoply of issues, but the overarching goal is to be more competitive, because we're not. We're not in Africa, we're losing in South America, Indo- Pacific, we need economic alliances, with trade.

When it comes to competing with China, they invest huge amounts of capital in research and development. This is why, | think, this bill that | was talking about, it's imperative that we pass it to be more competitive, or they're going to start going ahead, just like with the hypersonic weapon, that now we're trying to catch up to them. Huawei, they're installing that all over. The Belt and Road initiative is brilliant. They are very clever. Under the UN, they're a developing nation, so what does that mean? They qualify for almost interest free loans from the World Bank, that they can then turn around and loan to truly developing nations, at a usurious interest rate, get them into a debt trap, take the rare earth minerals, put their own workers and, and then, Hey, we want that port, or that military base. This is happening throughout the Indo-Pacific, Africa, Latin America. We're finally waking up, and | think COVID, we woke up to some extent.

Not to digress, I'll make this really fast. In 1997, | was federal prosecutor here, and | prosecuted this guy, Johnny Chang. He led us to the director of Chinese intelligence, China aerospace, putting money in his Hong Kong bank account to put in the Presidential election, and why? Two things, they wanted the dual use technology, and the satellites, and they wanted to get in the WTO. They got both of those. Since that time, they have progressed tremendously in that space. They're in space, by the way, that's why we created the Space Force.

Their technology capabilities, and this will get to the heart of your question, we gave them a lot back in the day, and we tried to bring them in the family of nations. | talked to Secretary Baker, he goes: We tried, we wanted them to be more of a democracy, and capitalism, and bring them in the family of nations, and, you know, he said, it just didn't work. We gave them a lot -- what we didn't give them, they stole. There's a reason why the Houston consulate was shut down, because they were stealing all this IP from our universities, our Texas Medical Center, NASA.

And then, | would say, what they haven't stolen, we sell to them. If you look at the hypersonic, a lot of that's built on the backbone of American technology. This gets me into what we call the Export Control Act, which is under foreign affairs jurisdiction. In fact, we're doing some of these sanctions against Russia, right now, on semiconductors. There are these entities, Department of Commerce

has one, Department of Defense has one, but they're not the same. DoD is is more security, Commerce is more industry. So you look at this Bureau of Industry and Security within Commerce, we got this information, and | was able to make it public, that just in the last year alone, only 1% of the export licenses were denied, and that $60 billion was going into China from the United States to invest in Huawei, $40 billion into China to invest in SMIC, which is their semiconductor company.

Why are we doing this? We want to marry the list. These are entities that would go straight to the PLA, straight into their military apparatus. Not sort of civil military fusion, but these are companies that if you invest in there, and you're investing in China's military program, that's going to turn right back at us. We have to, in my judgment, and this is not gonna be an easy thing to do, navigating through all this, but we have to stop exporting this technology to our adversary that uses it to build its war machine that they're turning against us. You don't think President Xi is looking at Taiwan right now, with Putin, and what he's doing in Ukraine. I'm worried that the next year is going to be Xi, because he's always wanted Taiwan, he sees weakness. If he goes into Taiwan, and the South China Sea, it's very strategic, but what else, as | mentioned before, 90% of our advanced semiconductor chip manufacturing. So, this is going tol be really interesting.

The next Congress, stay tuned, because we're going to get -- hopefully do some big things that are going to, at the end of day, protect American companies, and our technology and our national security.

Andrew Howell

Alright, so I'd like to end this session on a little bit of a different note, by having you talk about one of your colleagues, a member that you worked a lot with over the years, Jim Langevin, who's announced he won't be seeking reelection this fall. You and he have worked together on countless cybersecurity issues over the years, you and he had formed a great bipartisan duo on a lot of these matters as it relates to DHS, and security issues and technology issues. Talk a little bit about kind of your work with him over the years, and what you think his departure is going to mean for congressional cybersecurity policy leadership, and who maybe you see, as the next generation on the Democratic side where you can team up with some folks?

Michael McCaul Well, first, you're making me feel kind of old.

Andrew Howell (laughs)


Michael McCaul

| wake up and |'m like, Mike, this is my ninth term and | never thought -- but it kind of symbolizes the passing of an era. We wrote that CSIS report 15 years ago, before it was cool to be in cyber -- now everybody talks about cyber -- with some really talented people. There's something missing today, that is wrong, that | think, hopefully, we'll be able to fix it through the American people. It's this intense political division that goes beyond a debate on policy, but rather, you're an enemy and you're an evil bad person, if you're on the other side of the aisle. It's on both sides, you have extremities on both my side of the aisle, and from the left and the right. It hurts the body politic. The way the Founding Fathers set this up was, compromise was necessary to get anything done. Today, it's a dirty word. If | went back home to my district and said, You know what I'm most proud of was | got ranked by the Lugar Institute in Georgetown, as most effective Republican. You know why? Because I'm bipartisan. But, you Know what? If | went home to my base and told them that, they'd probably throw me on Office. We didn't elect you to get along with the Democrats, you need to fight. Okay, we have plenty of fights, but we also have to get things done, and the only way to get things done is, Hey, I've got a great idea on breach notification, who am | going to go to? | can go to one of my side of the aisle but, if | really want it to pass, it's got to be bipartisan, and so | go to Jim. He's a fantastic guy, he's not an ideologue, he's very policy driven. He loves cybersecurity, the issue. I'm gonna miss him a lot, because | think he's irreplaceable.

Michael McCaul

To answer your question, | think there are a lot of younger members now. They understand this stuff a lot better than when | first got elected. But, beyond the issue of cyber, | think it's just a damage to the institution. | hope now we can repair some of that damage in the years to come and get back to some decency. Chairman Meeks and | don't agree on everything, but we're pragmatic. We basically have an understanding, like, Look, you're not going to agree with everything | want to do, and vice versa. But it's like where | just came out of, Israel. They put 10 parties together in the Knesset, can you imagine that? | said, How did you do that? They said, Well, we realize that we agree, actually, on 70% of the issues, it's the 30% that we fight over, and so they have this bond between all these different parties. We'll see how that goes. But that's probably reflective. The Congress would probably agree on cyber, that's almost a 100% issue. We probably agree on 70%, it's that 30% that you probably see on television or being debated in public. But anyway, the Chairman and |, we can agree to disagree, but we can do so with civility. We don't have to be disrespectful of each other. | disagree with their views, but | respect that. | think they're misguided, but | respect that.

Andrew Howell (Laughs)


Michael McCaul

I'm not gonna throw a temper tantrum and start yelling, screaming, which | think is very amateurish. You see a lot of members do that now. or they go on TV to get attention. Social media has changed politics forever. They'll go on YouTube and rant and rave, and, you know what, they get a lot of clicks, and they raise a lot of money off it, but they don't give a darn about getting anything done in the Congress. | don't care. | didn't get a like to go on social media, or YouTube, and rant and rave, | like to get things done, and | hope we start to get some of that back.

Andrew Howell

Well, that's a great way to great way to end this session. Thank you very much for doing it. I've asked everyone to please join me in thanking the congressman for being here today. Thank you, sir for doing it, appreciate it.