Agency officials who handle supply-chain risk management would receive training on how to spot potential foreign threats in IT and communications technology under a bill senators proposed Friday.
The bipartisan Supply Chain Counterintelligence Training Act would emphasize identifying and mitigating aspects of technology that could allow adversaries to spy on the U.S. government. Sens. Ron Johnson, R-Wis., and Gary Peters, D-Mich. — the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee — are the lead sponsors.
“America’s adversaries use any means necessary to gain access to valuable and sensitive government information, including possibly inserting compromising code into products or enlisting untrustworthy IT support personnel to exploit government systems,” Peters said in an announcement about the bill. “Allowing an adversary to gain a foothold in America’s technological supply chain is a risk that simply cannot be tolerated.”
The bill comes as the U.S. cybersecurity community and government are paying increased attention to where federal technology originates. Most prominent is the Department of Homeland Security’s 2017 binding operational directive ordering agencies to remove Russian cybersecurity company Kaspersky Lab’s products from their systems. DHS cited Kaspersky’s close ties to Russian intelligence, as well as Russian laws that could potentially force the company to hand over information on U.S. systems. The defense authorization bill that President Trump signed into law in August 2018 also blocks government purchases from Chinese tech companies Huawei and ZTE on similar grounds.
Kaspersky and Huawei both have rejected the U.S. accusations.
The Senate bill would require the Office of Management and Budget, Office of the Director of National Intelligence, the Department of Homeland Security and General Services Administration to collaborate on creating the program.
In December, Trump signed legislation establishing the Federal Acquisition Security Council and allowing classified information to be used in supporting supply chain risk assessments.
Last month, Federal Chief Information Security Officer Grant Schneider said the new council is developing criteria for making recommendations on equipment, products and services that shouldn’t be allowed to do business with government.
A Senate bill introduced earlier this year would create a White House Office of Critical Technologies and Security to protect against the theft of U.S.-developed technologies and risks to critical supply chains. Senators also have expressed concerns about the use of foreign VPN apps.