Inside Cybersecurity

September 17, 2021

Former DNI lawyer flags growing government role in mitigating supply-chain risks

By Rick Weber / September 6, 2018

NATIONAL HARBOR, MD. -- Former general counsel for the Director of National Intelligence, Robert Litt, told defense industry officials to expect the government to become more involved in addressing security risks in the supply chain, based on recent actions by the Trump administration such as banning federal purchases of products from Russia-based Kaspersky Lab.

“The government is getting involved in moderating the supply chain,” Litt said Wednesday at the Intelligence and National Security Summit, in describing the move as “one of the most interesting developments” affecting U.S. technologies.

Litt cited the Department of Homeland Security's recent directive on cleansing federal systems of Kaspersky products, as well as defense authorization legislation banning purchases from technology companies in China and Russia, as the latest indications of a growing trend by the government to get involved in supply-chain decisions affecting technology developments in the private sector.

Litt also referenced provisions in recently enacted defense authority legislation, which he described as “less known,” that would ban the government in two years from contracting with any company that uses products from countries deemed to be a national security threat -- Russia and China.

Those provisions expand on an existing ban for the Pentagon on purchasing products from Kaspersky and from China-based tech companies ZTE and Huawei.

Litt indicated the implications of broader restrictions on secondary use of those products might not be fully understood for months or years.

He also cited recent revisions to the Foreign Investment Risk Review Modernization Act, which will require new regulations on government restrictions for foreign investments based on data and other security concerns. Litt said the next 18 months will provide clarity on how data intrusion efforts by foreign adversaries will be dealt with by regulators.

FIRRMA provides the Committee on Foreign Investment in the United States regulatory authority over “any mitigation agreement entered into, conditions imposed, or order issued pursuant” to the act, and “in any review or investigation of a covered transaction,” according to the text of the new law signed by President Trump on Aug. 13. CFIUS is an inter-agency body chaired by the Treasury Department with members coming from 16 departments, including Commerce, State, Defense and Homeland Security.

FIRRMA does not explicitly reference China, but many of the new categories of activities subject to review by CFIUS are widely seen as targeting well-known Chinese tactics, particularly in cyberspace and in infiltrating the IT supply chain.

Harvey Rishikof, who moderated the panel discussion, raised concerns about the aggregation of unclassified information by foreign adversaries to target critical operations and individuals. “When it's aggregated it becomes critical,” he said, among other issues raised during the panel discussion.

Rishikof is a visiting professor at Temple University, and was the dean of faculty at the National War College and legal counsel to the deputy director of the FBI. Other panelists were Defense Security Service deputy director James Kren, Leslie Ledda of Raytheon, and Allan Sonsteby, deputy director of applied research at Pennsylvania State University. -- Rick Weber