Regulators grapple with supply chain security

As the U.S. government continues to identify potential threats in the technology supply chain in the public or private sector, officials must thread the needle between promoting good security practices while not running afoul of the free market, low-cost principles that have become a hallmark of the globalized economy.

Joyce Corell, assistant director for supply chain at the Office of the Director of National Intelligence, told FCW on the sidelines of a recent government meeting that while briefing members of the private sector on risks, they try to get companies to consider not just the immediate upfront costs that come with a particular contract or transaction, but the "total cost of ownership," which takes into account the potential for breaches, hacks and other forms of compromise that come with it.

A company's country of origin is "probably not the sole factor" in determining risk but "in certain cases it may be a very relevant factor."

"So, if you do business with a third party and risk arises from that third party, you're going to suffer the consequences of that," said Corell following a briefing of the Information Security and Privacy Advisory Board of the National Institute of Standards and Technology last week. "Your total cost of ownership includes their decision-making."

A NIST official told the board that research on the issue conducted across different industrial sectors in 2014-2015 found that many of the private sector companies most at-risk may already be on top of the problem.

"In general, what we found are the most sophisticated organizations in…cyber supply chain risk management are those organizations that are dependent on technology," said Jon Boyens, a NIST IT security specialist who focuses on supply chain issues. "So, they either buy technology products and services, or technology is foundational to the kind of services they provide."

Still, the economics of cheap commodity IT are hard to ignore. In April Bill Evanina, director of the U.S. National Counterterrorism and Security Center, said the federal government's efforts to convince the private sector not to do business with companies that are thought to pose a supply chain risk often run headlong into the economic realities that drive their decision-making.

"When you go to a board of directors of a CEO and say 'Hey, I know you have two bids, you have Cisco or Oracle, and then you have the Chinese company which is forty percent cheaper,' it's hard to explain to them and hard for them to explain to their constituents that they're going to pay 40 percent more for a U.S.-based company because it doesn't threaten national security," said Evanina.

This dynamic is coming into focus in an ongoing effort to introduce supply chain requirements into the to the Universal Service Fund -- a Federal Communications Commission program that subsidizes telephone service to low-income and rural users.

The effort was spurred by congressional concern that the funds could be used to purchase cell phones and other equipment from Huawei and ZTE, two Chinese telecommunications providers who have long been the subject of numerous national security concerns among intelligence and defense agencies. The U.S. arms of targeted Chinese firms as well as overall sector trade associations have objected to the FCC push to regulate USF on security grounds. 

At the ISPAB meeting June 22, a Republican staffer on the House Energy and Commerce Commission explained that program's focus on low-cost equipment prevented participating telecom firms from considering broader national security matters.

"If you're a rural telecom provider you're going to offer a cheaper option," said Sean Farrell, who works on the House Energy and Commerce telecommunications subcommittee. "And you kind of have to in a way, because the way USF works, they're being told constantly by the federal government that they have to use their dollars more efficiently."

USF funds got the attention of congressional defense committees because of the high proportion of military personnel who tend to live in or around rural areas, and they and their families might be using network gear and devices via USF-funded carriers.

Additionally, the Senate version of the National Defense Authorization Act passed this week tightens up procurement prohibitions on both Huawei and ZTE, while the Department of Defense briefed lawmakers and congressional staffers this week about threats to its technology industrial base from Chinese-based companies.

The problem has increasingly weighed on the minds of lawmakers. A bipartisan bill released this week seeks to create a more holistic approach to building supply chain security principles into government purchasing decisions while other members of Congress have been writing to major tech companies questioning their ties to Huawei, ZTE and other Chinese tech firms.

However, cutting off Chinese telecoms from the U.S. market could be easier said than done. While the collapse of distribution deals with AT&T and Verizon earlier this year has drastically curtailed the domestic reach of Huawei, ZTE accounts for 11 percent of the U.S. market share for cell phones, according to Counterpoint research. That has people like Farrell worried about unintended consequences from hard policy bans.

"If ZTE cannot operate effectively anymore, what do you do with the people who have already purchased ZTE phones?" asked Farrell. "They're not going to be able to update their software patches, and the whole intent here is to increase our nation's cybersecurity. Denying the ability of consumers to update their software patches on these phones isn't necessarily a good idea either, right?"