House Homeland Security Wants to Aid Supply Chain Threat Information Sharing
Co-chairs of the Department of Homeland Security Information and Communications Technology Supply Chain Risk Management Task Force urged House Homeland Security Committee members to consider enacting new liability protections and incentives to encourage companies and foreign governments to share information on threats to the supply chain. Committee leaders appeared interested during a Wednesday hearing in further protections. They invoked perceived supply-chain threats posed by Kaspersky Lab and Chinese telecom equipment manufacturers Huawei and ZTE.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
House Homeland Security Chairman Bennie Thompson, D-Miss., noted his ongoing concerns about President Donald Trump's commitment to protecting U.S. telecom infrastructure against Huawei and ZTE, given past efforts to loosen Commerce Department-imposed restrictions against both companies (see 1908190040). “Our national security is not a bargaining chip, and [Trump] cannot negotiate away policies that will secure our supply chain,” Thompson said. House Communications Subcommittee leaders are also weighing supply chain security legislation, including the Secure and Trusted Communications Networks Act. HR-4459 would require the FCC establish the Secure and Trusted Communications Reimbursement Program to provide funding to small carriers to remove equipment that may be a security risk (see 1909240065).
The national security threat to the U.S. supply chain “has intensified as our intelligence community has been able to link certain foreign companies with a strong presence in our commercial and government supply chain to foreign intelligence agencies,” said House Homeland Security ranking member Mike Rogers, R-Ala. “We need to do a better job of identifying and prohibiting” Huawei and other national security threats “from infiltrating our supply chain” by employing a “holistic approach.”
USTelecom Senior Vice President-Cybersecurity Robert Mayer, an ICT Supply Chain Risk Management Task Force co-chair, noted Congress “made important progress” in encouraging information sharing via 2015's Cybersecurity Information Sharing Act. He said that's partly because of liability protections embedded in the statute, and additional safeguards are needed. The law includes liability protections “for sharing indicators” of cybersecurity compromise, but those don't cover entities' reporting of information on network components that show indications of malware or a “pattern of activities that make” an organization “feel suspicious,” Mayer said: Additional protections “would be very beneficial” for entities' ability “to share with upstream or downstream providers” or other interested parties. Now, “lawyers are going to be very reluctant to have that person or company” divulge that information “without liability protections,” he said.
The task force needs to do a “significant legal analysis” of potential sharing barriers “and how they can be adequately removed,” said co-chair and Information and Technology Industry Council Vice President-Policy John Miller. “It's actually a much more complex set” of threat information “that needs to be shared or at least more diverse than” the cyber threat indicators included in CISA.
Rogers probed other incentives that would encourage other countries “to be as vigorous on” supply chain threat information sharing “as we are hoping to be.” The U.S. “can't make another country do anything.” Miller encouraged the U.S. to be actively engaged with its allies and other countries on supply chain security, as it was earlier this year during the Prague 5G Security Conference (see 1905030052).