Federal cyber chief: Supply chain security against foreign influence needs work

Although the U.S. government is working to prevent foreign telecommunications firms like Huawei from building 5G networks in the U.S. and abroad, there are still few answers on how to secure the government’s technology supply chain, according to federal Chief Information Security Officer Grant Schneider.

“Could [a company] come under the influence of a foreign adversary in any way shape or form? Is there quality where we need it to be? … How do we ensure their supply chain and the parts that they’re taking in and putting inside their box are actually the parts they’re expecting?” Schneider said at the Fortinet Security Summit, produced by FedScoop and StateScoop. “I don’t think we have an answer on what are the solutions to all those [questions.]”

The administration also isn’t clear yet on whether the government itself should be assessing which contractors are meeting requirements, or whether that assessment should be completed elsewhere, according to Schneider.

“As we look at our supply chain and we look at what our supply chain programs need to have, there’s going to be a variety of due diligence,” Schneider said. “And I think one of the things we’re looking at in the government is how much of that do we put on our providers.”

As for whether the pendulum is swinging toward government involvement or toward contractor control over supply chain decisions, Schneider does not think the government is in a position to presume upfront that suppliers and subcontractors are meeting supply chain requirements.

“I’m probably not going to directly trust you’ve done them all,” Schneider told CyberScoop on the sidelines of the event.

A broader issue is vendors that knowingly sell the U.S. government technology that could pose a cybersecurity risk, under false pretenses about its origin or security. Earlier this year, Fortinet settled allegations under the False Claims Act that it sold the U.S. military technology it falsely labeled as American-made. Additionally, tech titan Cisco agreed to pay $8.6 million to settle claims that it knowingly sold the government surveillance equipment with cybersecurity vulnerabilities. Another company, Aventura, was charged weeks ago with selling vulnerable Chinese-made technology to the U.S. military.

It’s not just the technology that the government needs to worry about. When it comes to the recent case of two former Twitter employees who were charged with spying on Saudi dissidents on behalf of the Saudi Kingdom, Schneider indicated that the private sector has a large role to play. When asked what the Trump administration should be doing to stop tech companies from allegedly being used for foreign espionage, Schneider pointed to Twitter.

“I think everyone has … a responsibility for their workforce and to know the actions that their workforce is taking and need[s] to have ways to be sure that they … have the proper controls in place,” Schneider said.