Nervousness over the security of the technology agencies buy may finally have reached the point where it changes behavior. The U.S.-China Commission issued its final report on supply chain risks to federal IT last Thursday, and its findings show that the threat from China and other countries is not only real but that agencies are already exposed.
“China did not emerge as a key node on the global ICT [information and communications technology] supply chain by chance. The Chinese government considers the ICT sector a ‘strategic sector’ in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises,” the report states. “New policies requiring companies to surrender source code, store data on servers based in China, invest in Chinese companies, and allow the Chinese government to conduct security audits on their products open federal ICT providers — and the federal ICT networks they supply — to Chinese cyberespionage efforts and intellectual property theft. China also continues to target U.S. government contractors and other private sector entities as part of its efforts to gain economic advantage and pursue other state goals.”
The report, prepared for the commission by Interos Solutions, makes six recommendations, ranging from tying federal regulations to appropriations as an incentive for agencies to secure their supply chains, to adopting an adaptive risk management process.
“We also cannot separate the responsibility between both the federal government in how they acquire but also the shared risk responsibility with industry, as this is an industry and business problem to solve,” said Jennifer Bisceglie, CEO of Interos Solutions. “Given where manufacturing of technology equipment occurs, we will have to work with countries as suppliers, even though in other situations they are not seen as ‘our friend.’ How do we mitigate concerns in our technology in the same way we negotiate risk in other business dealings? How do we understand what we’re willing to accept and how do we negotiate from there? It’s the same in how we deal with a global supplier base. We need to understand what risks we’re willing to accept and then work through shared risk acceptance and mitigations with our suppliers.”
The report found the lack of transparency among vendors and their supply chain partners, and the links that chain back to China, particularly disconcerting.
“The Chinese government has expended significant political and economic capital in its effort to expand and indigenize its ICT production capabilities,” the report states. “If U.S. multinationals fail to adhere to Chinese government regulations, they may face restricted market access in China, which could decrease their revenues and global competitiveness. But if U.S. companies — which are the primary providers of ICT to the U.S. federal government — surrender source code, proprietary business information, and security information to the Chinese government, they open themselves and federal ICT networks to Chinese cyberespionage efforts. This threat is not theoretical. Chinese government pressure on companies to submit source code for review may occur in support of, or in tandem with, other efforts to identify vulnerabilities in U.S. ICT products. The China Information Technology Security Evaluation Center (CNITSEC), which conducts the security reviews of foreign companies, is run by China’s Ministry of State Security. But Recorded Future, a U.S.-Swedish internet technology company focusing on cyber intelligence, has linked CNITSEC to APT3, a China-based cyberespionage unit that has hacked federal agencies and companies in the United States and Hong Kong.”
Dr. Larry Wortzel, a commissioner with the U.S.-China Commission, said in an email to Federal News Radio that the report held no real surprises but did drive home some key current and future challenges.
“In my opinion, the big takeaway from the report is that ‘any information and communication technology component’s physical structure pales in importance compared with the firmware and software operating within it,’” he said. “We have known that hardware was vulnerable, but the report highlights that ‘future risks will involve software, cloud-based infrastructures, and hyper-converged products rather than hardware.’ Furthermore, ‘a vendor’s, or manufacturer’s business alliances, investment sources, and joint research and development (R&D) efforts are also sources of risk.’”
Charles Thomas, the market planning director in the Anti-Bribery and Corruption Business Services division for LexisNexis Risk Solutions, said the underlying message of the report is clear for federal agencies, or really any organization: Know who you are doing business with.
He said the nature of the threat from a supplier owned by the Chinese or any other government should not surprise agencies.
Thomas said the report could have done a better job of highlighting the need to identify suppliers that have been accused of breaking the law.
“In acquiring the goods, procurement shops and others should also look at the due diligence for entities around things like the foreign corrupt practices or human trafficking,” Thomas said. “It’s interesting there was no mention of those kinds of things. Due diligence was mentioned by supply chain, but one of the things we are seeing is molding or convergence of multiple risk and compliance regimes, and companies have to do more with fewer resources. Why not come up with a strategy that covers multiple bases?”
Thomas added that a company’s reputation should also play a role in deciding whom to do business with.
“Looking at the supply chain will give you a good idea [about the company] but you may miss something that would lead you to ask more questions,” he said. “You do not have to do a deep dive of investigative due diligence, but if you just cast a wide net to see what other outliers of risk exist beyond the traditional supply chain risks [you will get a more complete picture].”
The commission’s report adds to growing oversight by congressional committees, to new initiatives at the Homeland Security Department and to mounting pressure on contractors.
While all of these initiatives are helping to open the eyes of technology, acquisition and program leaders in agencies, as well as executives at contractors, Bisceglie said it is not enough.
“Right now, the U.S. has no clear understanding of what risks we’re willing to accept and how to articulate that with our industry partners in a way that allows industry to work normally, remembering that industry has just as much risk as the federal government does in the protection of their people, business continuity and intellectual property,” she said.
Wortzel said the commission will consider adding these recommendations to its final 2018 report to Congress, which the commission will issue in November.
“In my view, strengthening federal regulations in this area is a critical part of improving the U.S. government’s management of its supply chains. With respect to the executive branch, we continue to look at supply chain vulnerabilities within federal agencies, keeping in mind that we report to Congress,” he said.