Federal IT, communications technology supply vulnerable to Chinese sabotage, espionage

A new report examines vulnerabilities in the U.S. government information and communications technology (ICT) supply chains posed by China. The report issues a warning about the extent to which China has penetrated the technology supply chain, and calls on the U.S. government and industry to develop a comprehensive strategy for securing their technology and products from foreign sabotage and espionage.

The U.S.-China Economic and Security Review Commission released a report entitled Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, prepared for the Commission by Interos Solutions, Inc. The report examines vulnerabilities in the U.S. government information and communications technology (ICT) supply chains posed by China, and makes recommendations for supply chain risk management.

The report issues a warning about the extent to which China has penetrated the technology supply chain, and calls on the U.S. government and industry to develop a comprehensive strategy for securing their technology and products from foreign sabotage and espionage.

China did not emerge as a key node on the global ICT supply chain by chance,” the report says. “The Chinese government considers the ICT sector a ‘strategic sector’ in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises.”

Derek Johnson writes on FCW that

At the same time, Bejiing has moved to prevent other countries from using similar strategies to crack the Chinese market, accelerating indigenous production of IT and communications parts and requiring outside businesses to turn over their source code store on Chinese servers and allow the government to conduct security audits on their products before gaining access to the Chinese market.

Furthermore, the report argues that the U.S. government lacks an overall strategy to anticipate future developments in supply chain, identify potential threats and mitigate threats. The overall push for IT modernization the government will increasingly rely on a web of complex supply chain operations that eventually originate with commercial suppliers in China. Laws like the Federal IT Acquisition Management Act and the Modernizing Government Technology Act put pressure on agencies to modernize through commercial-off-the-shelf products that are more likely to originate from China.

Key findings:

Effective supply chain risk management is the ability to anticipate future developments in supply chains, identity potential threats to supply chains, develop threat profiles, and mitigate or address future threats to the supply chain. Federal government laws and policies do not currently address supply chain risk management comprehensively.

Chinese government’s policies prioritize domestic production, extract intellectual property and technology from multinational companies in exchange for market access, use Chinese companies to further state goals, and target U.S. federal networks and the networks of federal contractors. These policies have heightened risks to the U.S. ICT supply chain, and to U.S. national and economic security.

Cyberattacks on supply chains will become easier—and more prevalent—as developing technologies such as fifth generation () mobile network technology and the Internet of Things (IoT) exponentially increase avenues for attack.

ICT products have increasingly complex, globalized, and dynamic supply chains, many of which include commercial suppliers that source from China at multiple points within a single supply chain. For example, an average of 51 percent of shipments to seven leading federal ICT providers originate in China (see Exhibit 1).

It is unlikely that political or economic shifts will push global ICT manufacturers to dramatically reduce their operations in China or their partnerships with Chinese firms. A national strategy is needed for supply chain risk management of U.S. ICT, and it must include supporting policies so that U.S. security posture is forward-leaning, rather than reactive and based on incident response.

To minimize risks, the federal government should: centralize the leadership of federal ICT supply chain risk management efforts, link federal funding to supply chain risk management, promote supply chain transparency, and craft forward-looking policies.

— Read more in Tara Beeny et al., Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology (Interos Solutions, April 2018)

Leave a comment

Register for your own account so you may participate in comment discussion. Please read the Comment Guidelines before posting. By leaving a comment, you agree to abide by our Comment Guidelines, our Privacy Policy, and Terms of Use. Please stay on topic, be civil, and be brief. Names are displayed with all comments. Learn more about Joining our Web Community.



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here