Reason may have begun to find its way back into America’s heated national conversation about cyber security. In late December, President Trump signed into law The Federal Acquisition Supply Chain Security Act of 2018. This bipartisan legislation marks a welcome departure from the ineffective practice of blocking specific companies on the basis of unsubstantiated assertions that they are national security threats. Instead, it adopts the far more sensible approach of creating a process for managing risks to the networks that serve federal government agencies or support critical U.S. infrastructure.
Banning individual companies has never been a good way to guard against cyber threats. It is far more effective to establish a comprehensive framework for identifying and addressing risks from all technology vendors. Malicious actors (including motivated and well-resourced nation states) can exploit vulnerabilities in global supply chains by virtual means, surreptitiously implanting malware and hidden functionality in digital networks and launching attacks, or disrupting service, however and whenever they choose.
They do not need physical access to network equipment to accomplish these goals; vulnerabilities in the global supply chain and in operational networks give them all the openings they need. Any technology vendor can be compromised, from any geographic location.
For that reason, it is necessary to implement regular, comprehensive testing for higher-risk systems such as those that perform key functions in critical parts of the finance, telecommunications or energy sectors and are therefore essential to national security or deliver essential government services. Critical components and software in these and other high-risk systems should be checked extensively before being deployed. Such an approach would greatly reduce the risk of a nationally significant cyber breach or attack.
This sort of testing is already taking place in other parts of the world. In December, Germany encouraged telecom equipment vendors to set up independent verification labs where third-party experts can test hardware and software for vulnerabilities. Last November, Huawei opened such a testing facility in Bonn. It will open another in Brussels early this year.
In the United Kingdom, where the government has overseen a Huawei testing center for the last eight years, Huawei is working to address concerns about its software development process. These concerns were outlined in a report issued last July by the U.K. government-chaired Oversight Board that monitors the center’s operations. In response, Huawei’s rotating chairman, Ken Hu, recently announced a five-year, $2 billion overhaul of Huawei’s software development processes aimed at making sure — transparently and publicly — that no software is compromised.
Even in the United States, there is a growing realization that a piecemeal, case-by-case approach to cyber security based on blocking “bad” companies must eventually be replaced by an assurance framework that manages risk from all vendors. The Federal Acquisition Supply Chain Security Act adopts this improved approach.
The act creates a Federal Acquisition Council charged with addressing security threats to America’s digital supply chain in the government IT acquisition process. Consisting of seven federal agencies, the council will use criteria created by the National Institute of Standards and Technology to decide which specific products should be excluded from procurement by U.S. government agencies because of supply chain risk.
Consistent with U.S. traditions of due process, companies whose products are targeted by a federal ban will be given reasons for the proposed action, plus a chance to show that the ban is not warranted. Government agencies will need to explain why more limited measures were not sufficient to mitigate the risk. Targeted companies will also have a limited right to judicial review in the U.S. Court of Appeals for the D.C. Circuit.
Passage of the act shows that Congress and the president recognize the importance of addressing digital supply chain risk in a transparent and comprehensive manner. One hopes that this signals a policy shift away from the ineffective “cyber security by logo” approach that labels some companies “good” and others “bad.”
If the United States is not up to the task of establishing a product assurance framework for all vendors supplying critical, high-risk systems, Huawei is open to discussing with customers and the U.S. government the possibility of setting up an evaluation center for the company’s products in the United States. This could serve as a proof of concept for governments elsewhere in the world. It would also mark an important step toward making America’s digital networks more secure.