Inside Cybersecurity


CISA chief Krebs says supply-chain security will come to dominate cyber agency's agenda

By Rick Weber / May 24, 2019

CISA Director Christopher Krebs says supply-chain security will come to dominate his agency's agenda within the next few years, describing the shift as almost a reversal of priorities between supply chain and cybersecurity.

Currently, the focus is on cybersecurity with a portion of that addressing supply-chain risks, but within the next five years it will be “supply chain all the time, and cybersecurity is a piece of it,” Krebs said at the Georgetown University Law Center's Cybersecurity Law Institute annual summit on Wednesday.

Krebs described supply chain -- and the threat from China and next-generation 5G networks -- as a “pathfinder” initiative, along with securing industrial control systems, which he called the “real frontier in cyberspace.”

Krebs laid out the Cybersecurity and Infrastructure Security Agency's agenda in a keynote address to the several hundred lawyers at the Georgetown Cybersecurity Law Institute event. He said the agency's priorities took shape in the wake of the partial government shutdown in January, as employees returned to work and the agency had to decide what was most important to begin doing.

He said election security remains a top priority among the agency's “operational” functions, pledging that 2020 will be “even better” than the 2018 midterms in terms of working with states and local jurisdictions to protect election infrastructure.

But a main focus of his presentation was supply chain and the threat to 5G development from China. “It's the most fascinating part of my agency,” Krebs said in describing how the agency is addressing those risks.

Krebs laid out a three-pronged approach, which he described as a “test,” for determining the threat from a supplier. He said the process, which involves assessing the “what, who and where” of a product or service, is modeled on a 2017 “binding operational directive” (BOD 17-01) issued by DHS that required federal agencies to remove all Kaspersky Lab products from their systems, citing national security concerns over the company's links to the Russian government.

The BOD was upheld in court and eventually codified in law as part of the National Defense Authorization Act, Krebs noted, citing the broad political support for the process that is now at the center of the agency's supply-chain push.

For instance, the court's ruling in support of the BOD found that “federal networks are strategic national assets,” Krebs told the lawyers, adding “this concept” is something the agency is “operationalizing ... on a daily basis.”

Krebs said the first component of the agency's supply-chain test, or “doctrine,” is to review the “what” of a product, which involves technical questions such as whether it can be updated, whether those updates can be validated, and how the product connects to other systems.

The second component, according to Krebs, involves the “where” -- the legal issues and “system of laws” of the country in which a product is developed and manufactured. And the third component is the “who” in terms of the relationship of a company's leadership to the military or intelligence operations of a foreign adversary.

Krebs said the agency's supply-chain risk review “comes into play” with President Trump's recent executive order (EO 13873) on securing the U.S. telecommunications supply chain, an order aimed at China and Huawei Technologies.

He said an ongoing review by CISA's National Risk Management Center will be adjusted to meet a new 80-day deadline for an “assessment” of supply-chain risks under Trump's order signed on May 15.

NRMC will “scope it down to 5G” next-generation networks to address the issues raised by the order, said Krebs, adding that it is difficult to get anything done in government in that timeframe, so the agency will leverage ongoing work to comply with the requirements of the presidential directive.

On election security, Krebs testified on Capitol Hill later in the day, where he told lawmakers that CISA was developing an election security plan based on the lessons learned from the 2018 midterms.

“That planning process, again that sector specific plan that nests underneath the national infrastructure protection plan that you referenced, that is under development right now. It is built on lessons learned from the '18 process,” Krebs told members of the House Oversight national security subcommittee.

His comments were in response to a somewhat heated exchange about a DHS inspector general report criticizing CISA for not “establishing metrics to measure progress in securing the election infrastructure.”

In response, Krebs defended his agency by saying the “inspector general report, if you look at the end of it in the recommendations they make, they actually agree that we had made the progress and we're just awaiting documentation.”

He said the upcoming election security plan is “a consensus-based collaborative document,” adding: “I look forward to getting that wrapped up and we'll certainly push it up to the national security council” and to the president's National Security Adviser John Bolton. -- Rick Weber (rweber@iwpnews.com)