Inside Cybersecurity


White House official: NTIA will helm executive order on Information and Communications Technology supply chain

By Mariam Baksh / May 17, 2019

The National Telecommunications and Information Administration will play the lead role in deciding which entities present “unmitigatable” risks to the supply chain for information and communications technology and should be flagged on national security grounds, in line with the new executive order authorizing bans on the import of such products and services, according to a senior White House official.

“As we move forward as a government to identify clearly what we consider to be a concern from a security perspective, that requires dialogue and discussion and requires risk management, versus what we think is unmitigatable from a national security perspective,” Joyce Corell said, referring to work underway at a newly convened Federal Acquisition Security Council. “Those conversations and the decisions we arrive at will be going forward in tandem with the executive order that NTIA is going to be leading.”

Corell is the assistant director of the supply chain directorate of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence.

She spoke Thursday at the U.S. Chamber of Commerce's annual event on global supply-chain trends alongside Bob Kolasky, director of the Cybersecurity and Infrastructure Security Agency's National Risk Management Center; Chris Boyer, assistant vice president of global public policy for AT&T; and John Godfrey, senior vice president of public policy for Samsung, one of three non-Chinese suppliers of fifth-generation network equipment.

The event took place one day after the White House issued an order – which many see as targeting Chinese telecom entities – instructing the Secretary of Commerce to establish rules for exercising new authorities, under the president's declaration of a national emergency, to ban the import of ICT products or services deemed a national security risk.

The EO did not mention the NTIA by name, but states, “The Secretary may, consistent with applicable law, redelegate any of the authorities conferred on the Secretary pursuant to this section within the Department of Commerce.”

On Thursday the Commerce Department also issued a statement noting the addition of the Chinese telecommunications firm Huawei to the Bureau of Industry and Security's “Entity List,” which bars U.S. entities from selling or transferring their technology to the company without a government license, on national security grounds.

That suggests an easy path for Huawei to end up on a list of entities banned from imports as well, under Wednesday's EO. But with the Information Technology Industry Council criticizing the president's order as “extremely broad,” and a growing recognition that third-party software components – foundational to information and communications technology – must be scrutinized for vulnerabilities, the NTIA is also a logical candidate to lead the effort.

“The Executive Order actually creates a brand new regulatory regime that the Department of Commerce will administer,” Corell said, while assuring the private-sector audience, “It's going to be a very transparent and iterative process with lots of opportunity for industry consultation.”

After the event, Kolasky, who co-chairs the Department of Homeland Security's Information and Communication Technology Supply Chain Risk Management Task Force along with leaders of ITIC and USTelecom, told reporters regarding the EO, “We're going to let the evidence and analysis of where we think the risk is drive how we think the EO [should be implemented].”

“We will be giving [Commerce] our view on vulnerabilities and risks,” he said. “We will look broadly at where there could be elements of risk, but I hope we will be able to narrow ... I don't think our risk assessment will be so broad.”

DHS, in collaboration with the Federal Communications Commission and other agencies called out in the order, has 80 days to submit a written assessment of the threats and vulnerabilities the order is meant to address.

Industry has also been weighing in through a multistakeholder effort at the NTIA to standardize and promote the adoption of a Software Bill of Materials (SBOM). The project, led by NTIA's director of cybersecurity programs Allan Friedman, looks to bring transparency to the lengthy chain of third-party components that go into software, which are often open source and can carry known vulnerabilities.

“The concern, from a supply chain risk management perspective is being able to know who your suppliers are,” Corell said. “Diversity of suppliers is a classic risk management technique, but do people really understand what their third-party risk is? How are people, whether they are in government organizations or in the private sector, really delving into who they're interested in doing business with, who their supplier is, and who their suppliers of suppliers are?”
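To make concrete what an SBOM buys a defender who wants to know “who their suppliers of suppliers are,” here is an added example; it is not code from the article, from NTIA's SBOM project or from any company mentioned. It walks a constructed CycloneDX-style SBOM (the package names, versions, supplier names and advisory identifiers are all made up for illustration and are not real components or CVEs), follows the dependency graph down through suppliers of suppliers, and reports any transitive component whose version falls below an advisory's fixed-in version, as well as any dependency the SBOM names but never describes.

```python
"""Walk a CycloneDX-style SBOM and flag vulnerable transitive components.

Added example. The SBOM and advisory feed below are constructed for this
illustration; names, versions and advisory IDs are placeholders, not real data.
"""
import json

# Constructed SBOM in the shape of a CycloneDX JSON document (subset of fields).
# Note that "logger" is listed as a dependency but never described as a component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:example/app@1.0.0",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:example/webfw@2.3.1", "name": "webfw",
         "version": "2.3.1", "supplier": {"name": "Vendor A"}},
        {"bom-ref": "pkg:example/jsonlib@1.8.0", "name": "jsonlib",
         "version": "1.8.0", "supplier": {"name": "Vendor B"}},
        {"bom-ref": "pkg:example/crypto-shim@0.9.2", "name": "crypto-shim",
         "version": "0.9.2", "supplier": {"name": "Vendor C"}},
    ],
    "dependencies": [
        {"ref": "pkg:example/app@1.0.0", "dependsOn": ["pkg:example/webfw@2.3.1"]},
        {"ref": "pkg:example/webfw@2.3.1",
         "dependsOn": ["pkg:example/jsonlib@1.8.0", "pkg:example/logger@3.1.0"]},
        {"ref": "pkg:example/jsonlib@1.8.0", "dependsOn": ["pkg:example/crypto-shim@0.9.2"]},
    ],
})

# Constructed advisory feed: any version below fixed_in is treated as affected.
# The identifiers are placeholders for this example, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "name": "crypto-shim", "fixed_in": "1.0.0"},
    {"id": "EXAMPLE-ADVISORY-2", "name": "jsonlib", "fixed_in": "1.8.0"},  # already fixed
]


def parse_version(v):
    """Turn '1.8.0' into (1, 8, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Return (root_ref, components_by_ref, dependency_graph) from SBOM JSON."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for c in doc.get("components", []):
        components[c["bom-ref"]] = c
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, graph


def dependency_paths(graph, root):
    """Map every component reachable from root (suppliers of suppliers included)
    to the path of refs used to reach it. The current path doubles as a cycle guard."""
    paths = {}
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for dep in graph.get(ref, []):
            if dep in path or dep in paths:
                continue
            paths[dep] = path + [dep]
            stack.append((dep, path + [dep]))
    return paths


def find_vulnerable(sbom_text, advisories):
    """Match every transitive component against the advisory feed.

    Returns a list of findings; a dependency that the SBOM names but never
    describes is reported too, since an opaque link in the chain is itself a
    supply-chain risk rather than a clean result."""
    root, components, graph = load_sbom(sbom_text)
    findings = []
    for ref, path in dependency_paths(graph, root).items():
        comp = components.get(ref)
        if comp is None:
            findings.append({"ref": ref, "advisory": None,
                             "reason": "undeclared component", "path": path})
            continue
        for adv in advisories:
            if adv["name"] == comp["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"ref": ref, "advisory": adv["id"],
                                 "reason": f"version {comp['version']} below fix {adv['fixed_in']}",
                                 "supplier": comp.get("supplier", {}).get("name", "unknown"),
                                 "path": path})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f["ref"], f["reason"], "via", " -> ".join(f["path"]))
```

In practice the advisory list would come from a real feed such as NVD or OSV and the version comparison would need to honour each ecosystem's versioning rules; the point the example makes is that the dependency graph, not just the flat component list, is what lets an operator see that the vulnerable piece sits three suppliers deep and which vendor relationship it arrived through.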

Moving to a greater reliance on software to increase diversity, and mitigate supply chain risk, is an important strategy for telecom companies like AT&T, according to Boyer.

“One of the positive developments that we see, which we've been talking a lot about recently, is this idea of moving toward network function virtualization, or software defined networking,” Boyer said. “What we're trying to drive toward is that we can actually go to a more modular design where you have different subcomponents provided by different vendors and the software is decoupled from the hardware and get to an environment where you could start to see the barriers to entry slightly lower and that might see more innovation in the supply chain.”

Boyer and Godfrey said they are committed to a standards-based approach for facilitating more diversity and competition in the industry.

“There are standards bodies that are looking at that, like the Open Radio Access Network Alliance,” Boyer said. “We're really trying to drive the industry toward this more open, modular, interoperable design that can allow for more competition in the supply chain, which we think is partially one of the answers to this challenge of how do we get more players in the space.”

During the panel, Kolasky said, “on the software side, we aren't doing too much right now on the task force, but getting to good software assurance is something that is of interest across what we're talking about.” He added to Inside Cybersecurity that they have been collaborating with the NTIA on the SBOM effort.

Asked what would be most important for Commerce establishing “evidence-based” rules, Kolasky said, “talking to the experts who build and utilize the supply chain.” He said it comes back to information sharing, which he has stressed should be “bi-directional.”

On that note, Corell said during the panel that it would help if the private sector could be more specific about the kind of information they want from government.

“One of the things we'd like to see from industry, and this is playing out with the ICT SCRM task force, is we get a lot of commands in our community for better information sharing,” she said, “And it tends to be a very blanket statement that the industry wants more information, 'oh just give us more' as though more would solve anything.”

“So we would like to get some better clarity from the private sector on what specific types of information really make a difference and then please tell us exactly how it made a difference so that we can have a much more iterative collaboration with the private sector and [so that] the sharing that we do makes a difference,” she said. – Mariam Baksh (mbaksh@iwpnews.com)