Earlier this month, the White House launched its Framework for Improving Critical Infrastructure Cybersecurity, the product of a yearlong effort to help the country’s critical infrastructure operators manage cyber threats. The framework articulates security standards for companies of all sizes or, as Lisa Monaco, the White House’s counterterrorism advisor, put it, creates a “common language to discuss cybersecurity.” Implementation of the framework’s technical standards and guidelines remains voluntary, but the Department of Homeland Security (DHS) is developing an incentives program to promote broad industry adoption.
White House cybersecurity coordinator Michael Daniel believes the proposed incentives will motivate industry to adopt the framework. In addition, the National Institute of Standards and Technology (NIST) released a companion “roadmap” that “identifies key areas of development, alignment, and collaboration” and is meant to guide refinement of the framework over time.
As the framework evolves through implementation, DHS and others should ensure that sufficient attention is paid to incentivizing supply chain security: protecting network components from malicious code or parts inserted earlier in the production chain, before a product ever reaches the operator. This could be achieved through stronger procurement guidelines for companies sourcing components from foreign manufacturers, or by better enabling intelligence agencies to share threat information with vetted industry partners. The Obama administration should also pursue legislative amendments that bring existing regulations in line with the framework. This would enable the relevant agencies, among them DHS, the Department of Commerce, and the Federal Communications Commission (FCC), to respond more effectively to supply chain threats, while further incentivizing industry compliance with the framework.
For the most part, Congress has used legislation to ensure that government and military agencies take effective steps to protect the supply chains of government networks. For example, Section 852 of the 2012 Defense Authorization Act requires the Department of Defense to map critical defense systems from raw materials to final product, and authorizes the exclusion of any product believed to pose an unacceptable degree of risk. Similarly, Section 516 of the 2013 Continuing Resolution bars the Department of Justice, the Department of Commerce, NASA, and others from procuring systems “produced, manufactured or assembled by . . . entities that are owned, directed or subsidized by the People’s Republic of China” unless they have first consulted the appropriate law enforcement or intelligence agency.
A similar authority should be extended to the agencies tasked with policing commercial networks, which currently lack it, although the federal government has in the past taken considerable steps to monitor industries with a national security dimension. For instance, the Committee on Foreign Investment in the United States (CFIUS) is authorized to review transactions between foreign persons and U.S. businesses for national security implications, and to negotiate “mitigation” agreements that allow the government to inspect software or other relevant components in order to safeguard U.S. networks. However, CFIUS’s authority extends only to corporate acquisitions; the committee is not authorized to inspect specific imports, such as the equipment, components, or software used to support critical infrastructure networks. Responsibility for inspecting imports falls to the Department of Commerce: Section 232 of the 1962 Trade Expansion Act authorizes the investigation of imported products for national security implications, but these investigations are typically initiated at industry request, and blocking an offending product requires Presidential approval.
Nevertheless, the launch of the framework indicates, at minimum, an industry willingness to participate in a program of risk management. But the framework provides no legal authority for government agencies to respond to supply chain threats that arise from oversights or from unwilling participants. DHS may be able to draw on section 201 of the Homeland Security Act, although it could not identify a specific authority, having yet to face circumstances involving a commercial network’s supply chain that required legal action. Similarly, the Department of Commerce could seek additional authority under section 232 of the Trade Expansion Act to allow inspections without an industry request, but it has acknowledged that such expanded power has not yet been needed to regulate the communications sector.
Authority over the communications sector falls largely to the FCC. The agency regulates communications service providers under section 309(a) of the Communications Act, but it is unclear whether this authority extends to internet service providers. Presidential Policy Directive 21 directs the FCC to “(identify) communications sector vulnerabilities and (work) with industry and other stakeholders to address those vulnerabilities.” However, the degree to which this broad mandate could be used to regulate supply chain security remains unclear.
Currently, the framework does not require the exclusion of particular vendors or the adoption of stricter inspection regimens. It could, however, provide a degree of legal leverage that incentivizes industry action: companies that fail to follow the framework’s guidelines may find themselves defending those choices in court, where the framework could serve as a benchmark for reasonable practice. But supply chain security requires a more aggressive policy regime than a voluntary framework can realistically deliver. Targeted legislative changes, by contrast, would expressly recognize the authority of the relevant agencies to address supply chain threats, reducing the risk of legal challenge and opening the way for more effective regulation in the future. Nevertheless, the framework signifies a degree of industry commitment to improved cybersecurity, a positive step toward securing the nation’s critical infrastructure.