DHS official: 'We're not Consumer Reports'

The Department of Homeland Security sees its role in supply chain security as providing risk management advice, not a buying guide.

Although it is responsible for protecting the IT operations of the private electrical, financial and other critical infrastructure providers, "we can't tell them what to buy," said Matthew Travis, deputy under secretary at the Department of Homeland Security's National Protection and Programs Directorate. "We're not Consumer Reports."

What DHS can do, Travis said during an Oct. 19 AFCEA DC lunch panel on supply chain cybersecurity, is share threat information with those providers and explain the threat it sees.

The agency is in midst of a back-and-forth with industry on IT risk management, with an eye to possibly acquiring private-sector tools that can produce supply chain maps, identify counterfeit or altered hardware and software and mitigate risks posed by such threats. The Department of Defense and the Intelligence Community have such tools, but they operate in the classified space; DHS is looking to field an unclassified capability for agencies, contractors and other IT acquisition stakeholders, according to a question and answer document posted on FedBizOpps. Responses from industry are due Oct. 19.

The DHS directive to get rid of Kaspersky software across the government, citing possible foreign influence, launched the latest round of supply chain security activity.

While DOD wasn't bound by the DHS directive, it opted to follow suit. Donald Davidson, deputy director, cybersecurity risk management in the DOD's CIO office, said that going after Kaspersky was harder than it seemed because those products had been installed in many different ways that weren't immediately visible as direct purchases were.

Even though DOD and DHS acted quickly on Kaspersky, the government hasn't created a single playbook to address the growing threat.

"We don't have a comprehensive way to see threats or an interagency standard" for how to share threat information, said Maj. Johanna Wynne of the Army Futures Command.

DHS stood up a National Risk Management Center and supply chain task force over the summer to help immediately identify cross-cutting threats among critical infrastructure providers and bring agency and industry officials together to collaborate on problems down the road.

In its response to questions on its supply chain risk solicitation, DHS also noted that while classified information could help identify companies that present high risk levels when it comes to supply chain security, there's a lot out there that is not classified.

"There is a high degree of correlation between what you can find in open sources in terms of derogatory information and what we find in classified sources," the agency said.