The U.S. government should brief companies about supply chain security threats, like the ones allegedly posed by Russian cybersecurity firm Kaspersky, yet the government shouldn’t be in the business of blacklisting, officials and executives said Thursday.
Companies have to manage the risks suppliers might present, be it from an inadequate security posture, or — as is alleged against Kaspersky — links to Russian intelligence agencies, panelists told a session at the Intelligence and National Security Summit.
“We’re in a position to help you make those [risk management] decisions [about suppliers], we’re not in a position to make them for you,” said John Felker, director of the National Cybersecurity and Communications Integration Center at the Department of Homeland Security.
“The government has always been reluctant to create blacklists,” observed former DHS Undersecretary Suzanne Spaulding.
Representatives of vital industries agreed with Felker and Spaulding during a discussion on critical infrastructure cybersecurity.
The companies that provide the so-called tier one telecommunications backbone, like AT&T, have quarterly meetings with national security officials where “we talk about suppliers, about the security threats that are there,” said AT&T’s Vice President for Global Public Policy Chris Boyer.
He said there had been briefings on particular suppliers, including some requested by the companies. However, Boyer said government officials he has dealt with have stopped short of asking for a ban on Kaspersky products.
“My experience of it hasn’t been anything like a blacklist per se,” Boyer said. Conversations about suppliers concern “risk factors and we then take that into account in the business decisions we make. It’s more collaborative than ‘You shalt not.’”
There has been a tremendous amount of heat placed on Kaspersky in the past few months, from various government agencies moving to ban use of the company’s products to the FBI advising private companies to stay away from using the products on their own systems.
“The focus has all been on [Kaspersky’s alleged] links to Russian intelligence,” Spaulding said. “The focus should be on Russian law, and the requirements that places on companies that are based there. Kaspersky’s servers are there, the data [they collect from customers] is there … Russian law requires that the government can get access to it,” Spaulding told CyberScoop after the session.
She said if U.S. companies stopped buying Kaspersky’s products because of concern about the legal regime in Russia that would send a powerful message.
“Governments need to start to think about their laws, their legal frameworks and the impact that has on the competitiveness of their companies,” she said.
Letting the market secure its supply chain was an approach other panelists mentioned, and not just in the context of Kaspersky.
The private sector needs to look at supply chain security as an opportunity as well as a threat, said Fred Hintermister, who runs the Electricity Information Sharing and Analysis Center.
Supply chain security is a risk, but it’s also “a strategic competitive advantage,” he said. “The marketplace can be very, very powerful in taking care of a lot of these issues.”