Clauses in House and Senate versions of the National Defense Authorization Act (NDAA) that would limit or outright ban Federal government agencies from purchasing products from Chinese telecommunications equipment maker ZTE could have unintended downsides, according to Sean Farrell, a Republican staffer for the House Energy and Commerce Committee.
Farrell, speaking at an Information Security and Privacy Advisory Board (ISPAB) meeting Friday, told board members that freezing out particular companies, instead of looking at broader security issues, could lead to further problems.
“I think when legislation is targeted at specific companies, that can lend to a problem,” he said. “You’re trying to zero out a particular entity, but the underlying dynamics within the country that entity is operating in aren’t changing. If you can bankrupt a particular company or run it out of business somehow, it can reconstitute, and you’ve lost the ability then to make any gains you might have had.”
Acknowledging those concerns, Farrell pointed to a consent decree with ZTE announced by Commerce Secretary Wilbur Ross on June 7–which includes a $1 billion fine to ZTE, an overhaul of the company’s entire board of directors, and appointment of compliance experts designated by the U.S. government to oversee the company’s activities–as an alternative to virtually denying ZTE access to the U.S. market.
Completely shutting out the company could also produce unforeseen ramifications on security, Farrell asserted.
“You also have interesting unintended consequences. If ZTE can’t operate in the United States effectively anymore, what do you do for the people who have already purchased ZTE phones? They’re not going to be able to update their software patches. And if the whole intent here is to increase our nation’s cybersecurity, denying the ability of consumers to update their software patches on these phones isn’t necessarily a good idea either,” he said.
The approach the Energy and Commerce committee is attempting to formulate in cooperation with other congressional committees, Farrell said, is broader and more holistic, rather than simply keying in on big Chinese firms including ZTE and Huawei.
“You have a policy that seems like it makes a lot of sense on the surface, but problems emerge from that that you may have not contemplated when you first drafted it, and we need to just be very mindful of those going forward,” he said.
On a related note, Farrell said the committee recently released a discussion draft for reauthorization of the National Telecommunications and Information Administration (NTIA), a division of the Commerce Department. “Included in that, you have a sense of Congress talking about how NTIA should be playing a larger role and have a forward-looking perspective in dealing with supply chain risks to communications here domestically,” Farrell said.
He also said the committee is interested in working in a bipartisan way to “come up with a mechanism through NTIA to have a more formal process of information sharing when it comes to supply chain risks.”
And Senate members on Tuesday introduced legislation that would create a Federal Acquisition Security Council to oversee creation of a government-wide strategy to address IT supply chain security.
ISPAB member Steven Lipner noted that the United States also could learn from its allies through information sharing that would better inform on supply chain risks. He gave the example of the United Kingdom’s compliance and oversight dealings with Huawei, another major Chinese telecommunications firm cited in the NDAA.
Farrell said the process of information sharing on vulnerabilities–between agencies, the private and public sector, and with other nations–could play a big role in shoring up security gaps. He said the House and Senate Foreign Relations committees are working on a bill “that would effectively direct the State Department to come up with a better strategy on cyber and how it engages with other countries.”