DHS rolls out supply chain task force

The Department of Homeland Security announced the formation of a new task force focused on supply chain threats to information and communications technology.

According to a release by DHS, the task force will develop recommendations for industry to identify and mitigate global supply chain risks for technology and communications products that often rely on multiple layers of contractors and subcontractors for different parts and components.

The agency is particularly worried about nation states targeting companies deep in the ICT supply chain and then "swimming upstream" to gain access to sensitive data and intellectual property.

"The nature of supply chain threats, because they can encompass a product's entire life cycle and often involve hardware, make them particularly challenging to defend against," said Christopher Krebs, undersecretary of the National Protection and Programs Directorate at DHS. "Government and industry have a shared interest and thus a shared responsibility in identifying and mitigating these threats in partnership."

The task force, made up of representatives from IT and communications companies and industry associations, is part of a larger push by DHS this past year to tackle cybersecurity vulnerabilities and foreign espionage threats to commercial hardware and software products made around the world.

Thus far, DHS has named two individuals and organizations, Robert Mayer of US Telecom and John Miller of the Information Technology Industry Council, as co-chairs for the task force. A department spokesperson declined to provide FCW with the names or organizations of the other members.

Even as the U.S. government and private industry have become increasingly concerned about the problem, it's not clear how effectively tech suppliers can be pushed to alter or move their operations, often dictated by economic factors like lower costs and favorable regulatory environments that have become fundamental staples of supply chain economics.

Following an Oct. 30 speech at a conference hosted by cybersecurity firm Symantec, Bill Evanina, director of the National Counterintelligence and Security Center, told FCW that those realities have informed the U.S. government's strategy towards pushing for wider use of contract clauses that emphasize security accountability at the top of the chain.

"You can't unwind it at a macro level, you have to start with baby steps," said Evanina.
"Start with your first tier supplier and…your second tier supplier and make them accountable for who they subcontract with."

Evanina said the decision by the Director of National Intelligence earlier this year to release an unclassified version of its annual economic espionage report to the public for the first time has opened the eyes of corporations in America to the monetary and reputational impact of supply chain compromises and are "now seeing this [threat] for what it is."

"I think we've gotten all that data into the intelligence community every year but we really haven't done a good job of exploiting it and getting it to the folks who are being penetrated," said Evanina.

Evanina also said ODNI is having "aggressive" conversations with Sens. Mark Warner (D-Va.), Richard.Burr (R-N.C.), Marco Rubio (R-Fl.) and John Cornyn (R-Texas) about potential legislative options to address supply chain threats, alluding to closer partnerships between the U.S. government plus and tech companies. Those ideas, he noted, would likely need to overcome significant roadblocks dealing with privacy and civil liberties concerns from tech companies and the public.

"There has to be an opportunity here for Congress to allow not only flexibility but modernization of how we defend our country against other nation states," said Evanina.

The task force was announced a day after the Wall Street Journal reported that the Department of Commerce barred Chinese chip maker Fujian Jinhua Integrated Circuit Corporation from doing business with U.S. technology firms, which has been accused of stealing intellectual property from an American supplier.

Evanina confirmed to FCW that ODNI played a part in that outcome through intelligence and threat data and claimed the company constituted both an intellectual property threat as well as a specific supply chain threat, though he did not provide specifics.