Private Sector Urges Government to Do Better on Supply Chain Information Sharing with Tech and Telecom
The National Telecommunications and Information Administration (NTIA) in the Department of Commerce recently took comment on a security information-sharing mandate in Section 8 of the Secure and Trusted Communications Act of 2019. NTIA had asked numerous questions about how to get better information about supply chain and cyber risk to more participants in the information and communications technology (ICT) sector. These comments were submitted after NTIA announced the establishment of the Communications Supply Chain Risk Information Partnership (C-SCRIP), but hopefully can be incorporated into the program as it progresses. The tech and ICT sectors should watch these information sharing efforts, given the U.S. government’s increasing focus on supply chain and cybersecurity, which require effective public private partnerships.
NTIA’s C-SCRIP and other work could help address gaps in private sector understanding about companies and countries of concern to the U.S. Government, which has been identifying its concerns in disparate efforts across government, such as:
Section 889 of FY2019 National Defense Authorization Act’s restrictions on procurements that include Huawei, ZTE, and other companies’ equipment and services, as well as contracting with any entity that uses such services or equipment.
The evolving treatment of Huawei and ZTE under export controls imposed by the Bureau of Industry and Security in its Entity List.
Federal Communications Commission (FCC) action on supply chain, limiting use of federal subsidy funding to obtain or maintain equipment from identified companies, and its related efforts to collect information about the presence of equipment in U.S. networks.
Department of Homeland Security’s ICT Supply Chain Task Force
Federal Acquisition Supply Council’s consideration of trustworthy sources for federal procurement.
Identification by the Department of Defense of companies that work with the Chinese military
Increased scrutiny by “Team Telecom” of certain companies, and possible revocation of authorizations by the FCC.
Several commenters noted the multiplicity of efforts. T-Mobile, for example, urged NTIA to work to “maintain consistency across Federal activities.” It has been a challenge for companies to stay on top of the U.S. government’s many efforts, and to incorporate these risks into decision making.
Actionable information is critical. Several leading associations, along with the Communications Sector Coordinating Council (CSCC) shared recommendations and observations with NTIA. A common theme emerged: the government needs to do better, and faster, to get actionable information to the private sector. The Information Technology Industry Council noted that “what is most important is that any threats identified by NTIA be based on factual evidence of concrete risk.” CTIA emphasized the importance of “actionable, verified, and timely information” and like many commenters, encouraged NTIA to “lead efforts to push long-overdue changes to the way the government extends security clearances and declassifies information.”
The private sector is clamoring for access to clearances and information. Many commentators and government leaders have recognized the need to expand clearance access and declassification of information. CTIA said “[p]ublic-private forums have concluded for years that the Federal government must increase the amount of timely, verified, and actionable information shared with the private sector in order to stave off threats from foreign actors.” CompTIA says that “it may be possible for NTIA to facilitate limited-purpose clearances for sharing that type of information with certain individuals based on their positions, especially for small and rural businesses and suppliers that are often thinly-staffed.”
Congress in Section 8(a)(2)(C) of the Secure and Trusted Communications Act of 2019 directed the submission to Congress of a plan to increase declassification of information about supply chain security risks and expedite and expand security clearances. This will be an important effort and promises to benefit the private sector, as the current process for obtaining and maintaining clearances is arduous.
Government can lean on existing venues. Commenters noted that numerous venues already exist for such information sharing, including information sharing analysis centers (ISACs) and information sharing analysis organizations (ISAOs), as well as the CSCC, which several commenters noted is free to join. CTIA urged NTIA, among other priorities, to “look for ways to broaden participation in existing information sharing efforts rather than create a siloed approach that could fragment information sharing” and “help the Executive Branch harmonize overlapping supply chain efforts.”
Government needs to address risks in sharing efforts. Another notable theme touched on risks related to sharing information about suppliers. As the CSCC said “The government can encourage this important information sharing by decreasing the risk of litigation” in four ways: “(1) educating communications providers and suppliers about existing security threats; (2) coordinating two-way information sharing between the federal government and the CSCC for the dissemination of supply chain security risk information; (3) establishing a new organization within the Department of Homeland Security or Department of Commerce that would act as a clearinghouse for supply chain risk and threat information; and (4) working with Congress to enact a new law that would protect providers from legal action when sharing supply chain risk and threat information.” Because these moves would require legislation, NTIA’s efforts may not be able to cure the challenges that stymie information sharing.
Congress and the Executive Branch are right to look at information sharing, which has been a centerpiece and goal of longstanding federal cyber and national security policy. Federal policy has long emphasized public-private partnerships, which I have argued need to be preserved, protected, and expanded. In a paper published by the National Security Institute at George Mason’s Antonin Scalia Law School, Cyber Imperative: Preserve And Strengthen Public-Private Partnerships, “a cornerstone of the nation’s efforts to combat cyber threats have been public private partnerships designed to facilitate engagement and collaboration between the government and private sector.” That paper noted challenges to cooperation, which were consistent with comments recently filed with NTIA. It recommended that policymakers consider creating safer ways for companies to manage and discuss vulnerabilities and look at safe harbors and immunities for beneficial sharing activities. These recommendations are salient to address supply chain issues as well, given the limitations in current law and the overlap in government cyber activities.
Commenters urged NTIA to take a broad approach to participation. Supply chain security information may need to be broadly available across the ICT and technology sectors. As the U.S. government grapples with security concerns about emerging technology and Chinese economic and security competition, a broad array of private companies may want to obtain information from the U.S. government. For example, CompTIA urges NTIA to be sure to include suppliers and not just focus on providers, arguing that “trusted vendors of all sizes that supply ICT equipment and services to small and rural providers must also be able to access information shared through the program in order to effectively manage risk to those networks.”
What comes next?
NTIA has already announced phase one of its new information sharing program, though commenters urged it to slow down and consider the comments filed to ensure the work is productive and meets the needs of the private sector. NTIA will have to iterate the program and will have to report to Congress in September on its work to address clearances and declassification. In the meantime, companies should look for ways to address supply chain and security risks in their internal programs and procurement, while considering the array of other ongoing government activities. Stay tuned for more out of NTIA and other agencies on these issues, which may also appear in the FY2021 NDAA currently working its way through Congress.