Robert Metzger, a leading lawyer on federal and defense acquisition rules, says President Trump's recent order on securing the communications and information technology supply chain will do more harm than good because of “unintended” consequences in addressing a “conjectural” threat.
“The breadth of the EO could mean indiscriminate application with unintended, even unexpected results,” according to Metzger, who provided a detailed written review of the Trump order to Inside Cybersecurity.
“It is possible that when the EO is used, the benefits of prohibiting a transaction are less than the adverse consequences to the U.S. and allies,” according to Metzger, who adds: “The risk to be avoided could be no more than conjectural -- even if realistic -- while the harm to industry and commerce could be real, widespread and lasting.”
The executive order signed May 15 calls on the Commerce Department to develop regulations to identify foreign adversaries with the intention of banning purchases of “technology services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” according to the order. The order is widely viewed as targeting China and Hauwei, a sentiment underscored by Commerce's decision to put Hauwei on an “entity list” that forbids U.S. companies from selling to the China-based tech giant.
The threat from China and concerns about supply-chain security long predate the signing of the Trump order, an issue addressed by Metzger as the co-author of a report sponsored by MITRE Corp. on reforming the Pentagon's acquisitions process.
“The MITRE Deliver Uncompromised Report stressed that adversaries seek to challenge U.S. interests by attacks directed against the supply chains upon which our government and industry depend,” according to Metzger. “The May 15 Executive Order should be understood in the context of such threats, of 'asymmetric warfare' and 'blended operations', as were addressed in the MITRE Deliver Uncompromised Report.”
Robert Metzger, attorney at Rogers Joseph O’Donnell
Metzger acknowledges the Trump order seeks to address a legitimate concern, and yet he raises concerns about the process and its wide-ranging impact.
“The Executive Order has a realistic appreciation of how foreign adversaries -- not limited to China -- can exploit vulnerabilities to conduct industrial espionage and otherwise injure communications networks and critical infrastructure,” Metzger wrote. “The intent of the EO is consistent with the observations and recommendations of Deliver Uncompromised. And the EO deserves credit for using a risk-informed approach and by recognizing that some threats can be suitably mitigated. Also aligned with Deliver Uncompromised is the EO’s 'whole-of-Government' approach.”
But Metzger warns: “Yet there are causes for concerns."
Those concerns include an “indiscriminate application with unintended, even unexpected results, [and that] the benefits of prohibiting a transaction are less than the adverse consequences to the U.S. and allies. The risk to be avoided could be no more than conjectural -- even if realistic -- while the harm to industry and commerce could be real, widespread and lasting,” according to Metzger.
Metzger also questions the rulemaking process laid out in the order.
“The EO calls for 'rules and regulations.' It will be formidably difficult to get this job done well, considering the multiplicity of critical terms in the EO which require definition and detail,” according to Metzger. “There will be much contention and very hard decisions just to get to sound definitions that will be workable for all federal components, on the one hand, and acceptable to the whole of affected industry and interests, on the other.”
The order comes amid a number of other federal initiatives for clearing government systems of Huawei products, including provisions in the National Defense Authorization Act for fiscal 2019 and the recently enacted SECURE Technology Act, which set up a federal acquisitions security council -- a situation addressed by Metzger who says the Trump EO may further complicate, rather than clarify, matters.
“These issues of 'administration' and 'implementation' are made harder still because the EO overlaps, in important respects, with other efforts already underway. An interagency group presently is working to implement Section 889 of NDAA FY 2019, which specifically bars the federal government from buying telecommunications equipment from Huawei and ZTE and is first to take effect soon, in August 2019,” according to Metzger.
“The SECURE Technology Act, also enacted late last year, created a new Acquisition Security Council (ASC) that is now working to develop government-wide methods to exclude high-risk sources. Reconciling these parallel efforts will be daunting -- even though all pursue the objective of stronger supply chain security,” Metzger notes while citing leadership concerns.
“And there will be questions of leadership,” he writes. “The ASC is chaired by the federal CIO and DHS has a key role. For the new EO, in contrast, the Secretary of Commerce has the lead role.”
He also argues implementation of the Trump order may take longer than expected in addressing an issue described as a national emergency.
“Implementation of the EO could take longer than planned,” he wrote. “This is because of the complexity of issues to be resolved for the EO, the presence of overlapping initiatives, the many agencies and departments involved, and the necessity of public stakeholder participation.”
Metzger is a “shareholder” in the law firm Rogers Joseph O'Donnell, and is a member of the firm's Government Contracts and Complex Commercial Litigation Practice Groups. He heads the firm's Washington, DC office.
Initial industry reaction to the Trump order was generally positive if guarded.
Robert Mayer, senior vice president for cybersecurity at USTelecom issued a statement saying: “Action is required against any country, organization or individual that exploits the technology supply chain to compromise our global internet and communications infrastructure. This is a national security issue of the highest order. Now that the Executive Order has been issued, it is critical there continues to be effective coordination across all agencies of government and close partnerships with the private sector to combat this growing threat to consumers and communities."
The information technology sector was among those raising concerns shortly after the release. -- Rick Weber (rweber@iwpnews.com)