Inside Cybersecurity

December 7, 2019

Daily News

Adm. Simpson: ‘Heavy-handed’ ICT supply-chain plan could undermine innovation

November 27, 2019

Retired Rear Adm. David Simpson, the former security chief at the Federal Communications Commission, offered a scathing review of the new Commerce Department proposal to secure information and communications technology supply chains from foreign cyber threats, saying the “heavy-handed” rule could destroy U.S. competitiveness in ICT markets.

“Kudos to the Department of Commerce for working to address risk elements in the supply chain for ICT,” Simpson said in a response to Inside Cybersecurity. “I am concerned however that in their attempt to establish effective mechanisms to address cyber risk in the supply chain, they have not fully appreciated risk factors to our vibrant innovation economy.”

The Commerce Department this week released for comment a notice of proposed rulemaking for establishing a case-by-case process for evaluating and prohibiting transactions that pose a cybersecurity risk to the U.S. ICT supply chain.

Industry groups weighed in with measured support, especially for Commerce’s openness to further industry input on the substance of the rule.

But Simpson argued that the administration is missing a chance to promote a risk-management approach across the ICT ecosystem while leaning on a clunky regulatory framework.

“The NPRM strikes me as an approach that will be constrained by the Heisenberg Principle; in measuring sub-atomic characteristics, the only means at our disposal, changes sub-atomic relationships,” Simpson observed.

“The mechanisms to address ICT supply chain risk suggested by the Department of Commerce are so intrusive, I fear that they will fundamentally alter the market they’re trying to protect,” Simpson said. “By adding heavy-handed federal assessment, inspection, decision and enforcement layers, we run the risk of destroying our competitiveness in global ICT markets. We need to affirmatively address supply chain cyber risk, but there are better ways to do it.”

Simpson said the proposed “approval process shifts the burden of supply chain risk from companies to the federal government. It is the opposite of a light touch approach and puts the executive branch in the position of selecting winners and losers in the information economy.”

Further, he observed, the sheer number of entities that could be affected by the review requirements would overwhelm Commerce resources.

“There are over 30,000 domestic service providers with ever increasing internet protocol interdependencies,” he said. “There are many more vendors and customer companies with potential critical infrastructure impact that fall into the ecosystem around the service providers. This is a huge number of companies impacted by the rule, each with numerous transactions that fit the NPRM’s definition for review.”

With that in mind, he said, “The Department of Commerce agencies that the NPRM suggests would make supply chain risk assessments and decisions are not scaled to conduct relevant reviews within the 30-day decision window the NPRM outlines.”

But Simpson suggested the fundamental problem is that “Nothing in the order addresses the root causes of poor supply chain risk decisions being made in the ICT sector.”

“Rather than focus on the federal government making risk decisions for such an important part of our economy,” Simpson said, “I think a stronger approach would be one in which we seek to improve our expectation for companies in the ICT ecosystem market and have them develop supply chain risk programs and work within industry verticals to develop supply chain risk clearing house arrangements, which in turn become third party accreditation organizations with standing relationships to the interagency supply chain risk centers of excellence.”

He said, “Enforcement would then focus on companies that fail to affirmatively address supply chain within their corporate decision calculus …. a duty-of-care responsibility. Rather than focus on each transaction, a more effective rule could outline the characteristics of a safe harbor for companies that attain and sustain best practice supply chain risk management programs. The NPRM currently appears to add harmful bureaucratic layers to what has been and should continue to be an innovation focused ICT market where the U.S. retains its ‘first to market’ ICT innovation posture.” -- Charlie Mitchell (cmitchell@iwpnews.com)