Inside Cybersecurity

Telecom, IT industry officials stress broad scope, uncertainty of Trump supply-chain security order

By Rick Weber / June 7, 2019

Industry leaders from the telecommunications and IT sectors are urging caution for company managers in their purchasing decisions, as the Trump administration works out its process for implementing a recent executive order on supply-chain security that seeks to ban purchases from foreign adversaries.

The breadth of scope and uncertainty surrounding implementation of the Trump order issued in May – which requires regulations in October – was the focus of remarks by the industry co-chairs of a DHS information and communications technology task force on supply-chain security during a webinar co-hosted by USTelecom and Inside Cybersecurity on Thursday.

“We still don't know what's going to be called out,” USTelecom's Robert Mayer said during the webinar, describing the EO's requirements as “sweeping.” Those requirements include the Commerce Department developing regulations by October for identifying foreign adversaries and banning the purchase of products and services from companies located in or connected with those countries.

Mayer said federal agencies are still “coordinating on how to implement” the requirements of the order, which is widely seen as targeting China, and that hopefully “industry will be invited to participate” in development of the new regulations.

The Information Technology Industry Council's John Miller called for a process for identifying and banning foreign influence in the nation's supply chain relied upon by critical infrastructure that would be “future proof,” in terms of anticipating future threats and technologies, “rather than singling out” a specific country or company such as China or tech giant Huawei.

“That can't happen in law every time there's a new threat,” Miller said, in making the case for a process that is agnostic toward companies or countries.

Both Miller and Mayer raised concerns that the issue of China is conflating national security and cybersecurity concerns with trade and geopolitical considerations.

Amid the uncertainty of implementing the Trump order, Miller singled out DHS as being “charged with trying to conduct” a “fact-based” and “objective process” for identifying supply-chain risks.

DHS is tasked with developing a supply-chain risk assessment within 80 days under the Trump order signed on May 15.

Yet Miller noted this is “going to be a conversation that's going to be going on for a while,” referring to the annual assessments required by the order.

DHS' Bob Kolasky, who leads the National Risk Management Center, said the rulemaking process will be a “transparent process,” unlike those of the countries targeted by the EO. Earlier during the webinar, Kolasky cited China, Russia, North Korea and Iran as threats to the nation’s supply chain. The webinar panel discussion was moderated by Inside Cybersecurity Chief Editor Charlie Mitchell.

Under the order, DHS is charged with developing a written risk assessment to guide the Commerce Department in developing regulations within 150 days that will identify foreign adversaries and lay out a process for banning purchases from those countries.

Kolasky said the DHS risk review will not be made public, and that the White House National Security Council will be tracking an interagency process for coordinating implementation of the EO.

DHS Cybersecurity and Infrastructure Security Agency Director Christopher Krebs recently said the ongoing work of the NRMC in assessing supply-chain risks, with input from the ICT task force, would be the basis for the new review required by the Trump order.

Krebs said NRMC will “scope it down to 5G” next-generation networks to address the concerns raised by the Trump order. He said NRMC is the “front door” for industry input at CISA, in remarks last month at Georgetown University Law Center.

During the webinar, Mayer said he hoped the ICT task force would remain “intact” in the wake of the Trump order, noting the group is expected to bring “closure to its first work streams” by the end of summer, in time to provide advice to a new Federal Acquisition Security Council established by the SECURE Technology Act approved late last year.

“What will we be doing next” is something the task force needs to consider, said Mayer, who expects the group's work to “move beyond ICT” to include “participants from other sectors.”

Under the Trump order, DHS is required “in coordination with sector-specific agencies and coordinating councils as appropriate, [to] produce a written assessment within 80 days of the date of this order, and annually thereafter,” according to section 5(b) of the Executive Order for Securing the Information and Communications Technology Services Supply Chain.

The assessment must “include an evaluation of hardware, software, or services that are relied upon by multiple information and communications technology or service providers, including the communication services relied upon by critical infrastructure entities identified pursuant to section 9” of an Obama cybersecurity order issued in 2013. -- Rick Weber (rweber@iwpnews.com)

Editor's Note: This story was modified to clarify a quote by USTelecom's Robert Mayer.