Associations press House to change cyber supply chain law

Tuesday - 12/10/2013, 2:22pm EST

About a dozen industry associations are asking Congress to change the law prohibiting agencies under the Commerce, Justice, Science appropriations bill from buying technology or services from a company that is owned, directed or subsidized by China.

In a letter to House Appropriations Committee leaders, the technology associations are asking lawmakers to adopt the language in the Senate's version of the fiscal 2014 Commerce, Justice, Science spending bill that would let agencies make risk-based decisions about from whom they purchase technology.

Under the Senate's language, the agencies under Commerce, Justice, Science along with NASA and the National Science Foundation must first review "the supply chain risk for the information systems against criteria developed by the National Institute of Standards and Technology to inform acquisition decisions for high- impact information systems within the federal government and against international standards and guidelines, including those developed by NIST; reviewed the supply chain risk from the presumptive awardee against available and relevant threat information provided by the FBI and other appropriate agencies; and developed, in consultation with NIST and supply chain risk management experts, a mitigation strategy for any identified risks."

The associations called the Senate's approach a collaboration among lawmakers, industry experts, security professionals and others that supports "a common-sense alternative approach that would focus on real risks-an approach that can improve security of government information systems without putting unnecessary regulatory and economic burdens on industry."

House Appropriations Subcommittee on CJS initially put the provision in the 2013 consolidated appropriations bill after Rep. Frank Wolf (R-Va.), the chairman of the subcommittee, after a series of cyber incidents linked back to computers hosted in China.

In 2007, Wolf said hackers based in China broke into his offices' computers and stole information.

In March, Wolf announced the FBI was investigating whistleblower reports that the agency allowed a Chinese national inside access to sensitive information, and that the data may have made its way back to the Chinese mainland.

In October, Wolf called for stiffer penalties against countries or organizations that threaten the national security of the country.

"China's cyber espionage and theft of industrial trade secrets puts all of America's other adversaries to shame," Wolf said at a cybersecurity summit in Vienna, Va. "The Russians and Iranians and the North Koreans don't even come close. The PLA has put the KGB's Cold War espionage campaigns against the U.S. to shame. And yet, despite all of the recent public attention, the public response is surprisingly muted. In certain quarters of the media, government and even business community, there's even an air of acceptance — as if this is just a fact of life in the 21st Century."

An email to Wolf asking for comment on the associations' letter was not immediately returned.

The technology and business associations say the amendment from 2013 has some unintended consequences.

The groups wrote, "Agencies cannot prioritize security resources on riskier IT systems, which spreads these resources thinly at the expense of important mission- critical systems. Instead, the law focuses limited federal cybersecurity resources on a country-of-origin determination, rather than actionable cyber risks and threats, and the actual security profile of the IT product. Identifying a particular country-of origin does not determine the security of IT products; rather, security is truly a function of how a product is made, rather than where it is produced. Further, the law has unnecessarily slowed federal purchases of needed security technologies, putting key federal agencies behind the technology cycle and leaving them vulnerable. Some U.S. companies have had to cease, or interrupt, work at agencies with which they partner on projects significant to national security."

RELATED STORIES:

New policies on the way to better secure House lawmakers' computers

FBI investigating NASA whistleblower reports of Chinese data breach

Government needs more risk management across cyber supply chain, report says