Inside Cybersecurity

April 19, 2024

Daily News
Inside CISA: Analysis

Despite thaw, China-focused supply-chain security initiative moves ahead

By Charlie Mitchell / July 2, 2019

The restart of trade talks with China and other developments flowing from last weekend's G-20 meeting could eventually nudge DHS supply-chain and other initiatives in different directions, but it's going to take a while for President Trump's encounters in Osaka, Japan, to translate into cyber policy.

The information and communications technology supply-chain executive order signed by Trump in May – widely seen as aimed at cyber threats emanating from China – “was not part of” the president's comments at the G-20 on reviving the trade negotiations, administration officials have sought to clarify.

In a meeting with Chinese President Xi Jinping, Trump agreed to ease some restrictions on sales of U.S.-made parts to Chinese telecom Huawei, restrictions that followed Commerce's addition of Huawei to its “Entity List” in May. Commerce on May 20 delayed implementation for 90 days, and Trump’s comments likely signal further delay.

“Anything to do with national security concerns will not receive a new license from the Commerce Department,” White House economic advisor Larry Kudlow said Sunday. “Stuff that's generally available will be probably getting a temporary license from the Commerce Department. We'll see how far that goes.”

The Cybersecurity and Infrastructure Security Agency is leading on the Department of Homeland Security's piece of the executive order, which involves developing a risk assessment for the ICT supply chain.

The first draft of that assessment was due June 28, according to an internal DHS timeline. The final draft is due July 31 under that timeline, and this risk assessment could become an important data point in any number of CISA policy deliberations.

“The importance of resilient and secure infrastructure, we discussed that at great length,” Trump said at his wrap-up news conference for the G-20 summit in Osaka. But it may be some time before we see how all this actually affects national policy and specifically the work at CISA.

Meanwhile, the prospect of a regulatory role for CISA was in the air, raised in recent interviews with a member of DHS' supply-chain security task force and a former high-ranking White House cyber official.

The government-industry Information and Communications Technology Supply Chain Risk Management Task Force, being run by CISA, approved a policy recommendation in June “for a proposed federal acquisition rule aimed to prevent counterfeit [information and communications technology] from being procured by incentivizing ICT purchase from original equipment manufacturers and authorized resellers only,” according to a DHS statement at the time.

In a subsequent interview with Inside Cybersecurity, Andras Szakal, a task force member and vice president and chief technology officer of IBM, said the proposal was written as regulatory language for revising the Federal Acquisition Regulation. “It makes the policy recommendation [for] DHS to pursue a change to the FAR, or a policy change. So I guess it could manifest itself in several different ways.”

Szakal said the decision would be up to DHS and other federal agencies, but he called for a regulatory mandate.

“I think that the government just didn't have the stomach for requiring this type of policy change until recently,” Szakal said. “[S]ometimes the government moves when it becomes obvious that there is a significant risk that needs to be managed.”

In another exclusive Inside Cybersecurity interview, former National Security Council and presidential cybersecurity advisor Richard Clarke said “there should be [at CISA] a regulatory function that clears up all these regulations, makes them consistent, and applies them evenly across all agencies, and where there are stupid inconsistencies, either between agencies or with state laws, clear it up.”

He specifically cited as a problem the unwillingness of the Federal Communications Commission to set regulations for next-generation 5G network security. At individual companies, Clarke said, CISA could require those that are publicly traded to have an elevated CISO position with access to corporate boards.

In other CISA-related news in recent days, the cyber agency is urging “information security and privacy practitioners” to make use of new guidance from the National Institute of Standards and Technology on securing Internet of Things devices.

Finally, CISA Director Christopher Krebs, in Israel for “Cyber Week,” offered some practical advice on cybersecurity steps in the context of tensions with Iran.

In an interview with the Jerusalem Post, Krebs said it's important to “increase resilience among the American people, to draw attention to the techniques used by Iran.” To avoid “spear phishing,” for example, he said to “be on the lookout for anything that is a bit off -- language, spelling, like the use of British-style spelling. Scrutinize what comes in and use multifactor authentication,” according to the paper. – Charlie Mitchell (cmitchell@iwpnews.com)