Summary of House Committee Meeting on ICT Supply Chain Risk
On October 16th, the House Committee on Homeland Security held a hearing with leading members of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to discuss current and future risks to the ICT supply chain. Task force witnesses alerted Congress to the need for better information sharing between industry members about potential threats and explained how this might be accomplished by extending industry liability protections. They also encouraged financial incentives and contracting reforms to improve industry investment in supply chain protections.
Opening remarks from the task force began with Bob Kolasky, the head of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center. Kolasky indicated the need for a strong public-private partnership and identified fifth-generation cellular network technology (5G) as one of the most important priorities for ICT supply chain risk management. Robert Mayer, USTelecom’s Vice President of Cybersecurity, discussed how one of the major obstacles to supply chain risk assessment is the inability of private firms to legally share information about suspected bad actors. Mayer recommended legal analysis of potential liability protections to promote information sharing. The last task force representative, John Miller, Senior Vice President for Policy at the Information Technology Industry Council, extended the argument in favor of information sharing to our international partners. He also identified the increasing interconnectivity of ICT infrastructure as a growing challenge for supply chain risk management.
The ranking members of the committee asked for clarification on the current limitations of information sharing, how adversaries could exploit 5G, and how the task force’s work aligns with that of other federal agencies dealing with risk management. Task force representatives explained that the existing protections for industry information sharing do not extend to the wide range of risks present in securing the ICT supply chain. Without legal protections, industry communication about potential bad actors risks violating antitrust laws. With regard to 5G, a task force representative noted that the new network would involve more participants, resulting in more attack vectors and more ways for adversaries to reach U.S. critical infrastructure. It was also noted that the task force was looking into the potential for supply chain risk analysis requirements in government contracts, and that task force representatives will be meeting with DoD officials to study a similar measure, the Cybersecurity Maturity Model Certification.
A recurring theme throughout the hearing was how best to increase supply chain protections at the industry level. Representative Katko (R-NY) asked what incentives could be used to inspire greater interest in ICT supply chain risk. The task force representatives indicated that large companies are naturally interested in supply chain risks in order to protect their brands, but many corporations lack the resources to address such complicated issues and would likely need financial incentives. Representative Correa (D-CA) raised similar questions related to small businesses, as their entrepreneurship is an important source of innovation for the ICT industry. Task force members stressed the importance of industry-side solutions, including trusted supplier lists and contracting rules, as a supplement to government incentives or subsidies.
In closing remarks, a task force representative stated that the task force may provide recommendations for changes to information sharing and incentives down the road. Chairman Thompson (D-MS) indicated that the committee would be willing to make changes to information sharing, and expressed a desire that the task force address the risk posed by state actors and corporations owned by foreign governments in its next report.