Amid mounting concern about attacks by foreign adversaries on the Department of Homeland Security’s supply chain, two House subcommittees met today to discuss that threat and legislation proposed by the White House–the Federal Information Technology Supply Chain Risk Management Improvement Act–that would respond to the problem.
The legislative proposal, which President Trump submitted to Congress earlier this week, calls for a number of measures to protect the Federal supply chain.
It would establish an inter-agency Federal Information Technology Acquisition Security Council, which would be chaired by the Office of Management and Budget. And it would create another inter-agency initiative, the Critical Information Technology Supply Chain Risk Evaluation Board, that would be chaired by DHS. The legislation also calls for providing executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology.
A bill aimed at meeting the same supply chain threat–the Federal Acquisition Supply Chain Security Act of 2018–was introduced on June 19 by Sen. Claire McCaskill, D-Mo.
“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or insert potentially harmful hardware or software,” said House Counterterrorism and Intelligence and Oversight Subcommittee Chairman Peter King, R-N.Y., at today’s hearing.
“The recent cases involving Kaspersky, ZTE, and Huawei underscore the threats posed to the Federal supply chain and the urgency in developing stronger mechanisms to secure it,” he said.
Gregory C. Wilshusen, director of Information Security Issues for the Government Accountability Office, stressed that as DHS’ supply chain grows and modernizes, the risk of cyberattacks also grows.
“In several reports issued since 2012, we have pointed out that the reliance on complex, global IT supply chains introduces multiple risks to Federal information and telecommunications systems,” he said at the hearing.
“This includes the risk of these systems being manipulated or damaged by leading foreign cyber-threat nations such as Russia, China, Iran, and North Korea. Threats and vulnerabilities created by these cyber-threat nations, vendors or suppliers closely linked to cyber-threat nations, and other malicious actors can be sophisticated and difficult to detect and, thus, pose a significant risk to organizations and Federal agencies.”
Across the board, legislators in both parties agreed that DHS doesn’t have the tools that it needs to secure its supply chain.
“The Federal Government is behind the curve in establishing robust supply chain security measures,” said King. “It is clear that additional tools, policies, resources, and legal authorities are urgently needed to address this challenge.”
Counterterrorism and Intelligence and Oversight Subcommittee Ranking Member Kathleen Rice, D-N.Y., agreed that legislators need a clearer grasp on what resources DHS needs.
“But most importantly, this committee needs to know what additional resources and supports are needed by Supply Chain Risk Management (SCRM) Program to carry out its mission effectively,” Rice said. “As I understand, there are only two employees dedicated to the SCRM Program. That seems completely inadequate given the task ahead.”
Oversight and Management Efficiency Subcommittee Chairman Scott Perry, R-Pa., pointed out that DHS doesn’t have the right authorizes to manage risk effectively.
“Under the regulations governing Federal procurements, DHS maintains limited authorities to terminate procurement contracts for unforeseen circumstances and to bar irresponsible entities from doing future business with the Federal government for up to three years,” he said.
Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS’ National Protection and Programs Directorate (NPPD), was on hand to discuss President Trump’s proposed legislation. The legislation will enhance SCRM efforts across the Federal government, improve information sharing capabilities, and strengthen the procurement process governmentwide to identify and mitigate threats.
Manfra offered her support for the legislation, saying it will “strengthening our [DHS’] ability to help agencies execute departmental missions in an environment of changing vulnerabilities and threats.”
“I am pleased that the White House released a legislative proposal on Tuesday developed through the interagency process initiated in April,” said King in support of the legislation.
Beyond the new legislative proposal, Democratic legislators called for a Federal strategy to address cyber challenges posed by foreign nations.
“The President’s lack of candor and leadership on this issue, coupled with the urgent threats facing our supply chains, calls for the Federal government to develop a comprehensive strategy to protect our supply chains from foreign threats,” Rice said.
Homeland Security Committee Ranking Member Bennie Thompson echoed Rice’s call for a national strategy.
“Providing the authority won’t address the fact that the Trump Administration lacks a coherent, government-wide strategy to adequately address the challenges we continue to face from Russia and China,” he said.
Following today’s public hearing, the hearing moved to a closed-door session where Tina Gabbrielli, acting deputy under secretary for Intelligence Enterprise Operations at DHS, joined the witness panel.