Securing the Network Supply Chain: Looking Abroad for Ideas to Vet Vendors' Wares
Securing the supply chain - simply, assuring that computer and communications wares organizations procure are secure - is receiving much attention by the federal government.
Supply-chain security is a component of President Obama's cybersecurity framework, being developed under the guidance of the National Institute of Standards and Technology. Now, a House subcommittee has created a working group to explore the role of the federal government in assuring the security of the supply chain.
At a hearing May 21, House Energy and Commerce Communications and Technology Subcommittee Chairman Greg Walden, R-Ore., announced the formation of the bipartisan supply chain working group that will be co-chaired by Reps. Mike Rogers, R-Mich. and Anna Eshoo, D-Calif.
"The implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market is a very serious threat, which Congress must review carefully," Eshoo said.
Eshoo's statement references an investigative report issued last fall by the House Permanent Select Committee on Intelligence, chaired by Rogers, which recommends that U.S. government systems, particularly sensitive IT systems, refrain from using equipment and component parts manufactured by two companies, Huawei and ZTE, the world's largest and fifth-largest telecom equipment makers, respectively [see House Panel: 2 Chinese Firms Pose IT Security Threat]. The two companies have denied that the Chinese government can alter their networking wares.
Worries about supply chain security increased earlier this week, when The New York Times reported that hackers from China's People's Liberation Army appear to have resumed their attacks against American government and business computers after a three-month hiatus. That hiatus began when reports from security provider Mandiant [see 6 Types of Data Chinese Hackers Pilfer] and the Defense Department documented digital assaults from China [see DoD Outlines China's Spying on U.S. IT].
Chinese Networking Muscle
China is the biggest provider of networking equipment to the United States, with a 39 percent share of the import market in 2011, the last year for which figures are available. According to the Government Accountability Office, citing a study by the International Trade Commission, imports of communications network equipment grew by $10 billion, or 76 percent, from 2007 through 2011. Some of those imports were from American manufacturers with plants overseas. China's share of those imports to the United States during that period increased by $4.9 billion, or 112 percent.
Mark Goldstein, GAO's director of physical infrastructure issues, told the House Energy and Commerce subcommittee that companies have adopted a range of voluntary risk-management practices in the absence of industry or government standards on the use of equipment from foreign manufacturers. He said the practices span the life cycle of equipment and cover areas such as selecting vendors, establishing vendor security requirements and testing and monitoring equipment. "Equipment that is considered critical to the functioning of the network is likely to be subject to more stringent security requirements, according to these companies," Goldstein testified.
Goldstein said NIST officials told GAO that the extent to which supply chain security of commercial communications networks will be incorporated into the framework is dependent in part on the input it receives from stakeholders.
NIST received more than 200 responses from stakeholders on areas the cybersecurity framework should focus on, and securing the supply chain was among the top common terms and phrases mentioned, according to NIST's Initial Analysis of Cybersecurity Framework Request for Information Responses [see NIST Analyzes Cybersecurity Framework Comments]. Among the responses published in the analysis, from an unidentified stakeholder:
"While we agree that owners and operators of critical infrastructure play a critical role in protecting their systems, processes and information, the IT and telecommunication sectors play an equally critical role to ensure that software and hardware products and telecommunication services are provided to the end user community that have the most up to date and advanced cyber security protection available. ... Therefore, the IT industry has a higher stewardship responsibility to work with all critical infrastructures to ensure their products are secure for their intended use."
How Other Nations Address the Supply-Chain Threat
Goldstein, in his testimony before the subcommittee, discussed approaches other nations take to address potential risks posed by foreign-manufactured networking equipment. He said the Australian government is considering a plan to establish a risk-based regulatory framework that requires network providers to be able to demonstrate competent supervision and effective controls over their networks. The Australian government would also have the authority to use enforcement measures to address noncompliance. The British government requires network and service providers to manage risks to network security and can impose financial penalties for serious security breaches, he said.
The House, with its Republican majority, is unlikely to enact legislation to create regulations on supply-chain security, in part because of the additional costs such rules might create for businesses.
"While these approaches are intended to improve supply chain security of communications networks, they may also create the potential for trade barriers, additional costs and constraints on competition, which the federal government would have to take into account if it chose to pursue such approaches," Goldstein said.