DHS Official Defends Decision Excluding FCC as Principal on Supply Chain Task Force
China, the supply chain and 5G are the top policy focuses of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency, Director Christopher Krebs said Tuesday at a lunch sponsored by Samsung and the Telecommunications Industry Association. Krebs defended DHS’ decision not to include the FCC among the principal members of the Information and Communications Technology (ICT) Task Force unveiled last year. Commissioner Jessica Rosenworcel said repeatedly the FCC should have a seat.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
There are chairs and co-chairs and DHS was looking for “the smallest group organization that could lead the effort,” Krebs said in response to our question. “I can’t have 15 co-chairs.” His agency has legal authority to convene the task force “that frankly no other part of the federal government has,” he said.
“Leaving out the agency with primary oversight over communications is neither prudent nor wise,” Rosenworcel told us Tuesday. “The FCC has its own ongoing proceeding that speaks directly to these issues. We should be at the table where decisions are being made because we all have a role in developing a common approach to 5G security.”
The government members of the task force, unveiled in November, are DHS, DOD, the Treasury and Commerce departments, General Services Administration, DOJ, Office of the Director of National Intelligence and the Social Security Administration. The FCC is involved in the working groups, DHS officials said (see 1902060056).
“We have a lot of work to do” on safety and integrity of networks, Krebs said. “If we bring a 4G LTE … mentality to managing risk in 5G, then we’ve lost the game.” The agency wants to work with industry on opportunities and risks, he said.
The focus shouldn’t be just risks, Krebs said. “What are the opportunities associated with 5G?" he asked. “We have an advantage and we need to seize it. … We need to make sure that we’re putting the good options on the table, not just taking the bad options off.” Dealing with security shouldn’t mean constantly patching networks, he said. “How do we get to secure by design, secure by deployment?” Krebs said. “That goes for 5G.”
Uncertainty continues on the Trump administration's stance on a ban on using the use of equipment from Chinese suppliers Huawei and ZTE in U.S. networks (see 1902210057). The U.S. in January indicted Huawei officials and subsidiaries on charges including conspiracy to violate U.S. economic sanctions against Iran (see 1901280052).
“When we built this global supply chain, we thought we were going to be friends with China,” said Jim Lewis, Center for Strategic and International Studies senior vice president. “People went there, a great market opportunity. The Chinese may have had other intentions, but they were a little conflicted about it. They aren’t conflicted now.” Chinese suppliers are part of the supply chain, Lewis said. “It’s going to be very difficult to untangle that,” he said: “With that comes the risk of espionage and possibly disruption.”
“It would be better if we were friends -- we’re not,” Lewis said of the Chinese. But he noted China also faces big challenges. Its government allocated $120 billion to build a semiconductor industry, he said: “This is their fourth or fifth try and it hasn’t worked in the past. It might not work this time.” Lewis said he recently testified before Congress about the risks of Chinese subway cars. “It seems a little crazy, but it shows how far we have come in worrying about this,” he said. “Could a Chinese subway car be used to spy on you?”
Bob Kolasky, director of DHS’ National Risk Management Center, in charge of the ICT task force, said he's a “risk purist” and it’s becoming critical for companies to better understand their supply chain. “Part of the risk comes in not knowing the depth of your supply chain,” he said. “The better you understand the supply chain, the better you understand the risks, the better the business decisions.”
Kolasky said he has been out “telling the story of the task force.” The panel will make a series of recommendations for the government -- some may require legislation and others encourage new partnerships, he said: “The time is right to resolve some of this.” The task force is developing a strategic plan, likely by August, he said.
John Godfrey, Samsung senior vice president-public policy, said there are different ways of thinking about supply chain risks: “You expect your supply chain to deliver to you what you asked for, what you order, what you bought. If your supply chain is not in fact delivering to you what you think it is, that’s a risk.” Huawei, ZTE, Nokia and Ericsson are the biggest suppliers of network equipment, but Samsung is also growing that part of its business, Godfrey said.
“There’s a vast third-party ecosystem that we’re utilizing that is … part of what is ultimately delivered to our customers,” said Edna Conway, Cisco chief security officer-global value chain. “You should have relationships, quite frankly, with your industry peers, recognizing who’s doing what,” she said: “That will help you think in advance of what’s coming down the pike.” There's room for private-private partnerships, not just public-private partnerships, she said. “The currency of the digital economy is the same currency we’ve had since the beginning of time,” Conway said. “It’s trust. … That hasn’t changed.”