The risks of supply chain threat sharing

While many national security initiatives can lean on non-public or classified intelligence to guide their efforts, for the most part that hasn't been the case when it comes to threats to the technology supply chain. In fact, suppliers can often have difficulty mapping out their own chains once it gets down to the third or fourth tier of subcontractors.

There have been efforts to correct that problem, with Congress passing a provision in the 2020 National Defense Authorization Act to establish a supply chain and counterintelligence task force at the Office of the Director of National Intelligence to improve intelligence for U.S. government acquisition. The Department of Homeland Security has also stood up an Information and Communications Technology Supply Chain Risk Management Task Force, including a working group dedicated to bidirectional information-sharing issues.

Despite these efforts, information about specific, credible threats to the supply chain can be hard to come by.

"Having spent the last 10 years in the intelligence community, I think a critical finding for me was that, despite public musings to the contrary, there is not some giant pile of supply chain intelligence sitting behind some sort of classification wall that is available to share," said Cheri Caddy, a senior cybersecurity advisor to the Department of Energy, a former National Security Agency official and one of the chairs of the information-sharing working group speaking at an Aug. 19 event hosted by the Intelligence and National Security Alliance.

In fact, some of the most relevant information has tended to come from either open source data or through shoe-leather reporting -- reaching out to companies for interviews, going behind paywalls for contract or supplier data and getting to the "ground truth of dealing with specific vendors and understanding when things are going wrong," Caddy said.

Kathryn Condello, senior director for national security emergency preparedness at CenturyLink and co-chair of the same working group, said often the most valuable information companies are looking for is also the hardest to safely share: what she calls "the naming of names problem."

Getting a heads up that a specific supplier or individual is untrustworthy or suspicious can help vendors -- particularly those who do business with the government -- keep their secondary and tertiary supply chains clean. That kind of insight can also be legally perilous for companies to share unless they have substantial evidence to back up the claim.

"How do you share the fact that you just canceled this contract with this vendor who was wonky because it just didn't look right?" asked Condello. "Well, it turns out there's a lot of law associated with not sharing kind of information."

Liability concerns

Dismas Locaria, a lawyer at Venable with a background in supply chain and information-sharing issues, told FCW that companies often have suspicions about certain suppliers but generally lack smoking-gun evidence of intentional wrongdoing. That uncertainty can leave them in danger of being sued for defamation or interference with a contract if they pass along information that turns out to be inaccurate. They could even find that same government scrutiny turned back around onto their operations.

"There are all sorts of things where, if you're wrong, you're potentially liable," said Locaria.

When it comes to sharing information on supply chain threats, he advises clients to stick to documentation wherever possible and avoid "the slippery slope" of adding any analysis or opinion on top.

"Are we talking names, [and] is our name on the record? Are we giving names? How specific are we getting?" said Locaria, running through a list of questions a company has to consider. "If we're talking names, then my view is let's just provide documents … turn it over to the government and let them make their own inferences about it. Let the document speak for itself and let the government connect the dots."

An interim report issued by the DHS task force last year laid out a number of data points that could be useful in sniffing out supply chain threats, such as information around counterfeit parts, malicious code inserted into software and tips about insider threats or physical attacks on participants or products in the chain. It also found that intelligence around this area was "unique" and that "actionable information often requires a level of specificity which may create sensitivities about how it is shared" that lead to "a range of legal considerations that ICT stakeholders must navigate."

"Critically, [we] concluded that effective information sharing may necessitate the exchange of sensitive vendor or supplier data, including the names of specific entities," the report stated.

The working group has subsequently reached out to law firms, including Wilkinson, Barker and Knauer, to develop a cheat sheet designed to guide vendors or employees who don't have legal backgrounds around what they can relay to the government or industry without running afoul of liability laws. A spokesperson with DHS' Cybersecurity and Infrastructure Security Agency said an updated report detailing the task force's year-two findings is currently scheduled for completion this fall.

Edna Conway, vice president and general manager of global security and risk and compliance for Azure at Microsoft, sits on the executive committee of the task force and co-leads the working group addressing information sharing. She told FCW that developing good policy around legally sharing supply chain risk information "continues to be a fundamental issue."

"We've been struggling with information exchange for years. Today, we live in a platform economy; that platform economy is built on a foundation of cloud and mobility technologies that has enabled us to be more efficient than ever before but also increased our interdependence," Conway said. "As a result, we need to share information in as close to real-time as possible. To ensure that we preserve the benefits of living in a democracy, we must share information in a manner that protects the rights of enterprises and individuals, and that requires a thoughtful process."

The risks of a 'safe harbor'

Balancing those equities can be tricky. On one hand, the federal government wants to take advantage of supply chain risk management insights -- such as concerns around using software from Kaspersky Labs -- that were an open secret among some in industry well before DHS banned the Russian-based antivirus firm from government systems and began warning companies about the risks of their data passing through Russian servers.

On the other hand, carving out broad liability protections for companies to pass such suspicions on to the government could create negative incentives, opening the door for bad actors to abuse that safe harbor or cast aspersions onto a competitor in the hopes of harming their business.

Changing the current dynamic would require an act of Congress, similar to the liability protections that were carved out in the 2015 Cybersecurity Information Sharing Act. Even then, Locaria said the government would likely need to set up a third-party clearinghouse to collect tips, verify that they touch on a legitimate security issue and possibly scrub or anonymize certain identifying information before passing them along to federal agencies.

That could help to vet what kind of information ends up in government hands and lessen the harm around the most spurious of claims, but the core problem remains the same.

"If the government creates a mechanism for people to share, then is that abused? Because not everybody's interests or efforts are altruistic," said Locaria. "What kind of incentives would the government be giving, a safe harbor for what? For anything? It can't be for anything because then competitors will be pulling all the stops out. For good faith? That's not a high bar."

Will Congress step in?

Congress has taken an interest as well. During a 2019 hearing on supply chain security, Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said the working group’s insights "suggests the need for further legal analysis and foreshadows the potential need for future legislative action."

Thompson added: "I think there will be some legislative fixes on liability and some other things we'll have to look at down the road."

The contours of the current discussion resemble the debate around information sharing before the passage of the Cybersecurity Information Sharing Act. Robert Meyer, who heads cybersecurity at the USTelecom trade association made the comparison in the 2019 hearing.

Mayer noted that the 2015 legislation protects companies from sharing indicators of compromise with regard to specific cybersecurity threats, but that no such protection exists for sharing adverse information about companies that may be linked to compromised hardware or software.

"The lawyers are going to be very reluctant to allow that person, that company, to make those kinds of remarks or evidence without liability protections because there are laws in place and private causes of action that could result in litigation," Mayer told lawmakers.

A bill introduced by Rep. Peter King (R-N.Y.) last year would give the DHS secretary the authority, upon recommendation from the department's chief acquisition officer and CIO, to restrict or exclude a vendor from IT acquisitions if a risk assessment concludes it poses a threat to the DHS supply chain. The bill would also give the DHS secretary latitude to take action before notifying the affected vendor. A legislative report on the bill -- which was approved by the House Homeland Security Committee but has not received a floor vote -- specifically mentions Chinese companies Huawei and ZTE as well as Russia-based Kaspersky Labs as national security threats to the supply chain.