Network security

United States: House approves supply chain and network security legislation – Part 1

On October 20, the House of Representatives passed five bills with overwhelming bipartisan support that aim to promote supply chain and network security. This article will focus on one bill addressed to the Department of Homeland Security (“DHS”) and two bills addressed to the Department of Commerce (“DOC”). While these legislative measures are directed at US government entities and therefore (at first glance) may not appear applicable to corporate supply chains, if passed, these bills could result in changes in laws, regulations, and downstream policies that will impact compliance measures for companies.

DHS Software Supply Chain Risk Management Act, 2021 (HR 4611)

The DHS Software Supply Chain Risk Management Act would direct DHS to modernize its process for acquiring information and communications technology or services by requiring the Under Secretary for Management to issue department-wide guidelines requiring DHS contractors to submit software bills of materials that identify the origin of each component of the software provided to DHS.

Background

Increasingly sophisticated cyber attacks have become a greater threat to US national security, especially when directed against government agencies. In many cases, the cyber attack is not directed against the systems of government agencies themselves, but against contractors who provide software and other information technology (IT) services to federal agencies. For example, the SolarWinds 2020 cyber-espionage campaign, which compromised many government agencies, began when hackers breached the cybersecurity of the company that provided commercial software to the agencies. By adding spyware to the software on the vendor side, the hackers were able to infiltrate agencies indirectly, and the complexity of some software supply chains allows for multiple points of infiltration. In order to identify risks in its own supply chain, DHS needs information from its IT contractors about the software used in their systems. Beyond securing its own systems, this information can help DHS become more aware of vulnerabilities across the government supply chain.

Summary

This bill requires DHS to issue guidelines for new and existing contracts for the purchase of certain IT and communications products and services for the department, to ensure they are protected against spyware or other cybersecurity vulnerabilities. Specifically, the guidelines should require the contractor to submit to the department a list of the parts and components of the final product or service, along with either a certification that the components are free of known vulnerabilities or defects, or a notice of possible vulnerabilities. For new contracts, the bill of materials and certifications should be submitted with the proposed offer, while for existing contracts the information should be updated in a timely manner. The new directive would come into effect within 180 days of enactment, and the Government Accountability Office is to report to Congress within one year on the implementation of the bill’s provisions, along with recommendations to improve the security of the supply chain for IT and communications products.

Next steps

The bill passed by the House was received in the Senate and referred to the Senate Committee on Homeland Security and Governmental Affairs. The measure is now awaiting markup by the committee before being considered by the Senate as a whole.

Information and Communications Technology Strategy Act (HR 4028)

The Information and Communications Technology Strategy Act would require the DOC to report and develop a whole-of-government strategy for the economic competitiveness of the information and communications technology supply chain.

Background

In recent years, there have been major security concerns regarding foreign companies (especially Chinese ones) offering US companies cheap communications equipment to install on their networks, which could potentially be used as a “back door” into the computer systems of businesses and the US military. Because of significant past investment in the development and manufacture of such equipment in China, US companies have largely withdrawn from the business. Few US companies currently sell telecommunications network equipment, the main exception being Cisco, which sells certain equipment that resides in the more private parts of an operator’s network. Cisco, however, does not compete in the market for cell tower equipment that allows cell sites to connect to smartphones and other mobile devices. While Sweden’s Ericsson and South Korea’s Samsung have gained market share in the United States (especially after pressure from the US government for domestic networks and foreign allies to use these companies rather than Chinese vendors), many believe it is necessary to revitalize American telecommunications equipment manufacturers to ensure the security of the nation.

Summary

This bill requires the DOC to report to Congress on the economic competitiveness of trusted suppliers to the US government and US companies in the information and communications technology supply chain, and to use that report to create a whole-of-government strategy to ensure the competitiveness of trusted suppliers in the United States. More specifically, the report, to be published within one year, should assess the competitiveness of information and communications technology providers, assess the dependence of these providers on foreign players, and identify the federal resources needed to reduce the reliance of information and communications vendors on foreign players. Within six months of the report’s presentation to Congress, the DOC is to create a whole-of-government strategy to strengthen the economic competitiveness of US information and communications providers and reduce their dependence on foreign resources.

Next steps

The bill passed by the House was received in the Senate and referred to the Senate Committee on Commerce, Science, and Transportation. The measure is now awaiting markup by the committee before being considered by the Senate as a whole.

Open RAN Outreach Act (HR 4032)

The Open RAN Outreach Act would strengthen the diversity of US wireless networks and protect the supply chain from dependence on untrustworthy technology companies.

Background

A radio access network, such as those that make up a cell phone network, is made up of cell sites and their subcomponents such as radios, hardware, and software. Many carriers today use a closed or proprietary network, which means they have to rely on a single end-to-end supplier or manufacturer, which can be more expensive. This can place a substantial financial burden on smaller operators, who may try to cut costs, potentially by using cheaper Chinese alternatives such as Huawei. Currently, there are only three large non-Chinese companies (Ericsson, Samsung, and Nokia) that produce end-to-end network equipment. An Open Radio Access Network (“Open-RAN”) is an open network infrastructure that allows different network components to be produced by different companies, which leads to a more diverse and competitive supply chain for operators.

Summary

This bill requires the National Telecommunications and Information Administration within the DOC to provide technical and outreach assistance to small communications network providers regarding the use of Open-RAN technologies. As part of this measure, outreach should include providing information on the uses, advantages, and disadvantages of open networks, and on how to participate in the federal wireless supply chain innovation grant program, which provides funds that can be used to replace equipment made in China in the wireless infrastructure of the United States.

Next steps

The bill passed by the House was received in the Senate and referred to the Senate Committee on Commerce, Science, and Transportation. The measure is now awaiting markup by the committee before being considered by the Senate as a whole.
