Consumer Electronics Daily was a Warren News publication.

House Homeland Security Wants to Aid Supply Chain Threat Information Sharing

Co-chairs of the Department of Homeland Security Information and Communications Technology Supply Chain Risk Management Task Force urged House Homeland Security Committee members to consider enacting new liability protections and incentives to encourage companies and foreign governments to share information on threats to the supply chain. During an Oct. 16 hearing, committee leaders appeared interested in further protections. They invoked perceived supply-chain threats posed by Kaspersky Lab and Chinese telecom equipment manufacturers Huawei and ZTE.

House Homeland Security Chairman Bennie Thompson, D-Miss., noted his ongoing concerns about President Donald Trump's commitment to protecting U.S. telecom infrastructure against Huawei and ZTE, given past efforts to loosen Commerce Department-imposed restrictions against both companies. “Our national security is not a bargaining chip, and [Trump] cannot negotiate away policies that will secure our supply chain,” Thompson said. House Communications Subcommittee leaders are also weighing supply chain security legislation, including the Secure and Trusted Communications Networks Act. H.R. 4459 would require the Federal Communications Commission to establish the Secure and Trusted Communications Reimbursement Program to provide funding to small carriers to remove equipment that may be a security risk.

The national security threat to the U.S. supply chain “has intensified as our intelligence community has been able to link certain foreign companies with a strong presence in our commercial and government supply chain to foreign intelligence agencies,” said House Homeland Security ranking member Mike Rogers, R-Ala. “We need to do a better job of identifying and prohibiting” Huawei and other national security threats “from infiltrating our supply chain” by employing a “holistic approach.”

USTelecom Senior Vice President-Cybersecurity Robert Mayer, an Information and Communications Technology Supply Chain Risk Management Task Force co-chair, noted Congress “made important progress” in encouraging information sharing via 2015's Cybersecurity Information Sharing Act (CISA). He said that's partly because of liability protections embedded in the statute, and additional safeguards are needed. The law includes liability protections “for sharing indicators” of cybersecurity compromise, but those don't cover entities' reporting of information on network components that show indications of malware or a “pattern of activities that make” an organization “feel suspicious,” Mayer said: Additional protections “would be very beneficial” for entities' ability “to share with upstream or downstream providers” or other interested parties. Now, “lawyers are going to be very reluctant to have that person or company” divulge that information “without liability protections,” he said.

The task force needs to do a “significant legal analysis” of potential sharing barriers “and how they can be adequately removed,” said co-chair and Information Technology Industry Council Vice President-Policy John Miller. “It's actually a much more complex set” of threat information “that needs to be shared or at least more diverse than” the cyber threat indicators included in CISA.

Rogers probed other incentives that would encourage other countries “to be as vigorous on” supply chain threat information sharing “as we are hoping to be.” The U.S. “can't make another country do anything.” Miller encouraged the U.S. to be actively engaged with its allies and other countries on supply chain security.