A U.S. cybersecurity task force dedicated to protecting data throughout American networks aims to have a diverse set of opinions. That doesn’t mean just anyone is invited.
Since 2018, the Department of Homeland Security’s Information and Communications Technology Supply Chain Task Force has been charged with developing strategies to ensure that government agencies and companies aren’t made vulnerable by partners, vendors, contractors, suppliers or other organizations in their business orbit.
Members include a range of government bodies, telecommunication giants like Verizon and AT&T, and global tech firms including Microsoft and Cisco. DHS officials assess potential task force members based on a risk assessment that includes whether an entity might add value to ongoing conversations, and whether possible damage from including that organization outweighs the possible benefits. It’s the kind of criteria that makes the addition of a company like Huawei, the Chinese telecom that U.S. intelligence officials say represents a threat to national security, an unlikely one.
“It’s fair to say that the risk judgment associated with Huawei makes it uncomfortable for them to be associated with conversations about our critical infrastructure,” Bob Kolasky, assistant director for the national risk management center in DHS’ Cybersecurity and Infrastructure Security Agency, said Wednesday during CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop.
U.S. officials have warned that Huawei, which is lobbying to help construct 5G cellular networks through the world, is subject to Chinese laws that require technology firms to provide information, even unwittingly, to government security services. The company also is accused of conspiring to steal American trade secrets, violating U.S. sanctions, and helping conduct espionage on international targets.
Kolasky added that Huawei likely does not own enough critical infrastructure in the U.S. to warrant inclusion on task force, though the risk assessment represents a clear example of how the federal government’s approach to cybersecurity has changed since 2017.
While Obama administration officials were primarily focused on identifying and minimizing the influence of adversarial foreign countries, more recent data protection strategies are motivated to minimize damage from possible attacks on vulnerable U.S. networks.
“We have seen adversaries behaving differently,” said Joyce Carroll, assistant director for supply chain and cyber at the National Counterintelligence and Security Center, part of the Office of the Director of National Intelligence. “With the evolving threat landscape and changes in technology, what we now see is that it’s important to focus on areas where the adversary could have the most harmful impact.”
The effort emerged out of a realization that the U.S. government would need to increase its visibility over firms based in countries where it’s more difficult to refuse intelligence agencies’ demands to collect data. In 2017, for instance, the government prohibited the use of antivirus software from Kaspersky, a Russian security vendor. (Both Kaspersky and Huawei repeatedly have denied any wrongdoing in the face of U.S. allegations.)
Since then, the task force has encouraged organizations to adopt recognized supply chain security strategies such as purchasing technology from authorized resellers or original equipment manufacturers, establishing risk management procedures and clearer contractual language.