Trump officials look to neutralize cyber threats in supply chain
Federal officials are ramping up efforts to crack down on threats to the U.S. supply chain amid growing fears about the risks from foreign-made technology.
The worry is that hackers can sabotage technology or software used in American products or computer systems for future cyberattacks or espionage.
The moves come amid increased tensions over trade and security with China, whose telecom companies are seen as a particular threat.
{mosads}
The issue has the attention of the White House, which is said to be preparing two executive orders that could be unveiled in days to address that threat.
One of President Trump’s expected directives will reportedly authorize the Commerce Department to block business transactions between U.S. and foreign telecom companies over national security concerns.
U.S. computer networks are “attractive targets for espionage, sabotage and foreign interference activity,” the order says, according to a draft reviewed by The Washington Post.
The second order, according to a Republican source familiar with the deliberations, will reform the Federal Communications Commission’s (FCC) “Team Telecom” review process.
Team Telecom, run by the FCC, brings officials from a number of agencies, including the Justice Department, Pentagon and Homeland Security (DHS), to review foreign investments in the telecom industry for national security concerns.
But national security and telecom lawyers have long criticized the review process for delays and lax oversight.
Supply chain security is an issue that has also been on the FCC’s radar. In April, Republican FCC Commissioner Michael O’Rielly issued a notice of proposed rulemaking to crack down on security risks.
His proposal would prohibit the use of Universal Service Fund money to purchase telecom equipment or services “identified as posing a national security risk to communications networks or the communications supply chain.”
“[A]s the supply chain for our nation’s communications networks increasingly reaches far beyond U.S. borders, the need to address these threats has become more pressing,” his proposal warned.
The potential threat posed by foreign technology is also in the spotlight thanks to the controversy over ZTE and Huawei, two Chinese telecom firms that U.S. intelligence has flagged as security risks.
The 2019 National Defense Authorization Act, which lawmakers sent to Trump’s desk this week, includes language that would ban the federal government from using those companies’ products.
Trump’s upcoming executive orders are expected to further “squeeze” such Chinese companies, according to the Republican source.
The source said the White House is expected to rely on the International Emergency Economic Powers Act (IEEPA), which gives the president authority to “deal with an unusual and extraordinary threat” in several ways, including by restricting economic transactions with a foreign nation.
The White House did not respond to a request for comment on the matter.
The National Telecommunications and Information Administration said they did not have any information to share regarding the executive orders.
The executive orders are just one prong of a multifaceted effort to protect the U.S. supply chain.
DHS on Tuesday unveiled a new supply chain task force at a cybersecurity summit in New York. It will include federal officials and representatives from the public sector, who will recommend actions for “identifying and managing risk associated with the global [information and communications technology] supply chain and related third-party risk.”
Cyber threats to the supply chain are not a new challenge for the federal government.
Top intelligence officials and experts have long warned that the threat is both real and active.
“It’s not just what is in the hardware itself, it is the way the hardware is maintained and controlled,” Rob Joyce, a top cybersecurity official at the National Security Agency, said at the cyber summit Tuesday.
Joyce’s warning came one week after a report from U.S. intelligence agencies warned that cyber criminals are actively carrying out supply chain attacks.
“Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact,” said the report from the National Counterintelligence and Security Center, part of the Office of the Director of National Intelligence.
Meanwhile, lawmakers are also eyeing legislation to address the issue.
Last month, Sens. James Lankford (R-Okla.) and Claire McCaskill (D-Mo.) introduced a bill that would trigger a governmentwide process for agencies to use when purchasing information technology systems so they can avoid compromised software.
The bill is intended to prevent the sort of threat posed by Russian-origin firm Kaspersky Lab.
The Pentagon first flagged software that had been produced by the multinational cyber firm in 2004, citing its ties to the Kremlin. But last September, DHS ordered agencies to remove Kaspersky software and banned its use by the federal government. At the time, DHS argued Russia could use Kaspersky Labs to “intercept communications transiting Russian networks.”
The company has fiercely pushed back on the claim that they are tied to the Russian government.
Despite those denials, concern that Kaspersky could pose a risk to the U.S. captured the attention of Capitol Hill lawmakers last year after top intelligence officials told the Senate Intelligence Committee they would not be comfortable using its software on their computer systems.
Congress soon moved on legislation in an annual defense policy bill mandating that the software be removed.
Some experts, however, say the fight is not so easy.
Jim Lewis, senior vice president of the Center for Strategic and International Studies, said companies like Huawei are producing quality products at an affordable price — a deal that’s hard for other countries to pass up, despite fears about Chinese espionage.
“Many countries, including a few European countries, have decided ‘we will go with the money.’ And that is where the Chinese have an advantage,” Lewis told The Hill.
“For us, the problem is that whereas an African country may not have a security problem with China, we have a security problem with China. So if we find ourselves dependent on their stuff, we are at a disadvantage.”
Experts say that creates a problem that goes beyond the U.S. if allies are using compromised technology.
“Even if the United States isn’t relying directly on some of these companies, certainly our allies are,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation, adding that this will potentially compromise both sides.
Castro also noted that the risks won’t go away, forcing the U.S. to constantly work to ensure devices are secure.
“I don’t think we can eliminate threats, we can only mitigate them,” Castro added.
Asked if the executive order would help mitigate the risk, Lewis said it wouldn’t make a difference — as long as the U.S. relies on Chinese technology.
“The one thing that always hampers the U.S. is that we are cheapskates,” Lewis said.
“It is not as though people are not going to buy this stuff. The Chinese stuff is cheaper and it is not bad — Huawei makes good stuff. So we are going to have to think not only how do we block Huawei, but how do we build a Western industrial base that can support our telecom needs in a more secure way.”
Castro argued that a greater threat than espionage was a foreign nation exploiting vulnerabilities in a device to carry out an attack.
One such case involves the NotPetya virus, which crippled Ukraine last year, wiping data from computers used by banks, government officials, airports and energy companies. But the attack also spread to hit U.S. companies, including FedEx, causing hundreds of millions of dollars in damages. The CIA attributed the attack to Russia.
NotPetya was particularly destructive, but overall the number of supply chain attacks is increasing. CrowdStrike, a cybersecurity firm, surveyed information technology professionals across a handful of countries last month and found 66 percent had experienced an attack through the supply chain.
Experts warn the issue is not going away.
“We all know China does a lot of domestic surveillance. What they do in China is what they would like to do in the rest of the world. And selling people your phone systems gives you a way to do that,” Lewis said.
Morgan Chalfant contributed.