As China’s Huawei faces ongoing banishment and retrenchment in Europe, the question arises whether Huawei and its peers, including telecom gear maker ZTE, will get a reprieve under the incoming Biden administration. Huawei clearly thinks it has a shot of improving its relationship with its European customers in the post-Trump era: Huawei Vice President Victor Zhang has been lobbying UK Prime Minister Boris Johnson to revisit the ban against using his company’s technology in Britain’s 5G network build-out.
[ Keep up with 8 hot cyber security trends (and 4 going cold). Give your career a boost with top security certifications: Who they’re for, what they cost, and which you need. | Sign up for CSO newsletters. ]
Huawei landed in its current predicament due to the Trump regime’s fears that the company works with the Beijing government to implant malware in its equipment. It might not fare better under a Biden administration.
China’s likely continued exclusion from US markets even under a Biden administration was a top topic at a webinar on supply chain security hosted by US Telecom and Inside Cybersecurity. “The cybersecurity policies overall between the Obama Administration and to Trump and now to president-elect Biden should be relatively consistent,” Norma Krayem, vice president and chair of the Cybersecurity, Privacy and Digital Innovation Practice at Van Scoyoc Associates, said. “I think that’s important for the private sector to see that there is that theme.”
Taking a tough stance
Although Trump and Biden agree on few issues, they may share common ground regarding supply chain security. “Vice President Biden has seen what Russia and China and what nation-state actors can do,” Krayem said. Vice President-elect Harris will also likely continue the tough stance with China regarding supply chain threats because she “has obviously been sitting on the Judiciary and the Intel committees.”
“We have some really profound questions to address in the context of 5G, and we all know about them,” Robert Mayer, senior vice president for cybersecurity and innovation at US Telecom, said. “We have China, which by all expectations and all evidence plays to different rules and has different values.”
On top of that, the Chinese government subsidizes Huawei. Moreover, Chinese law requires companies to provide information to the country’s intelligence agencies. “All of these things make for a risky proposition for deployment on a global level,” Mayer said, suggesting that China’s role in the supply chain of all emerging technologies be closely watched. “We’re going to have to think about how serious a threat China is more broadly in technology, whether that’s AI, quantum or bio-engineering, telecom.”
Education, collaboration and coordination wanted
A key consideration in any supply chain shift under a new administration should be better communications with US industry and commercial players. “My advice to the next administration is that we are dealing with US companies and it’s so important that we have three main points in any issue that we’re dealing with: education, collaboration, and coordination,” Diane Rinaldo, senior vice president of the Open RAN Policy Coalition, said. “You need to provide US companies with as much insight as possible, whether it’s passing classified information through secure means or declassifying information to educate our private sector on what the threats are in the landscape.”
The Trump Administration has surprised the US business world a few times by springing wide-ranging supply chain executive orders on them with little consultation. “I work with global corporations, and you can’t just drop an EO, which is what happened [with Huawei bans and Department of Commerce export rules], which said effectively immediately you cannot be doing work with any of these companies,” Krayem said. “You can’t just flip a switch and away go the bad parts in your supply chain. You want to be sure you can call the CEO of that company and say ‘the Secretary of Commerce is about to come out with a determination. We highly suggest you move in another direction.’”
Supply chain security assessment needed
Mayer said the incoming administration should conduct a 360-degree assessment of all the diverse government agency actors who affect supply chain security. The White House, Congress, Department of Defense, the Department of Homeland Security, the Federal Communications Commission, National Institute of Standards and Technology, and many other government arms drive supply chain security policy.
Mayer thinks there is a need for a lead agency to hold the reins on the varied government initiatives. “We need to understand who’s doing what, where can they leverage each other’s work. I don’t think [a DHS supply chain task force which Mayer chairs] brings all that together. We are going to have challenges.”
Other changes in cybersecurity more generally could impact supply chain security activities, including those put forth by the Cyberspace Solarium Commission, an initiative composed of legislators and government officials, and outside experts to solve some of the thornier problems of cybersecurity. “We definitely need to restore the national cybersecurity director role within the White House,” Mayer said, echoing one of the Solarium Commission’s top recommendations.
In April 2018, the White House effectively eliminated the “cyber czar” role in the White House when it pushed out highly respected cybersecurity expert Tom Bossert. Bossert’s departure was quickly followed by that of cybersecurity coordinator Rob Joyce, another respected expert.
The future of FASC
One government entity that should be looked at closely under the Biden administration is the Federal Acquisition Security Council (FASC), created in 2018 after the Department of Homeland Security (DHS) concluded that Russian security company Kaspersky Lab posed security threats to government networks. The FASC is made up of representatives from seven agencies, including DHS, the Department of Defense, the Office of Management and Budget, the General Services Administration, the Office of the Director of National Intelligence (ODNI), the Department of Justice and the Department of Commerce. The federal CISO is the FASC chairperson.
Among the council’s chief functions are recommending supply-chain risk management standards and working on how to share information among agencies and other parties. Although it could become a powerful body, the FASC is new, with its interim final rule, an instantly effective final rule without a proposed rule open for comment in advance, published in early September.
“The challenge that we have right now is that the interim final rule that came out provided some structure, but for many in the private sector, there are more questions than answers,” Krayem said. She fears companies could be shut out of what might be a black box decision-making process. “If you’re told you can’t bid on a particular contract … you’re going to want to know what was said about you and what that means,” she said. “This could be almost a de facto debarment. There is a very limited appeals process. The information flow and protections are very unclear at this point.”
Copyright © 2020 IDG Communications, Inc.