A key obstacle to reducing cyber security risks in the information and communications technology (ICT) supply chain is potential legal action stemming from sharing information about suspect suppliers, industry and government officials told a House panel on Wednesday.
The legal concerns about sharing information on suspect suppliers were outlined in a recent interim report by ICT Supply Chain Risk Management Task Force, a public-private partnership co-chaired by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and information technology and communications critical infrastructure coordinating councils.
"I do want to bring to the committee's attention some insights from the information sharing group as legislative proposals are likely to emerge," Robert Mayer, senior vice president for Cybersecurity at the broadband association USTelecom and co-chair of the task force, told the House Homeland Security Committee. "This group has identified one of the most serious obstacles to effective supply chain risk management. Information about suspect suppliers cannot be freely exchanged with other parties operating in the same space. Why? Because doing so could subject enterprises to a variety of legal actions, including violations of federal or state anti-trust laws, anti-competitive behaviors or deceptive trade practices."
Rep. Bennie Thompson (D-Miss.), chairman of the House panel, said legal obstacles impeding the sharing of information about bad actors in the supply chain means the task force is providing Congress with "additional problems" to address "and not enough solutions."
Robert Kolasky, assistant director for CISA's National Risk Management Center, which also co-chairs the ICT Supply Chain Risk Management Task Force, said the task force has approved one of its working groups' recommendations to establish another working group of industry and government lawyers "to address these hurdles and make recommendations for legal and regulatory changes."
Kolasky also said in his written statement that the "Task Force is likely to identify the necessary components of an enhanced information sharing environment that can take advantage of factors that contribute to understanding as to whether vendors can be trusted."
Mayer highlighted that Congress has made important progress already enabling the sharing of information, pointing to the law that allowed DHS to create its Automated Indicator Sharing portal to share cyber threat indicators between the government and private sector. The law created liability protections for the private sector to share these threat indicators, he said.
But when it comes to sharing information about bad actors in the supply chain, "the lawyers are going to be very reluctant to allow that company to make those kinds of remarks or evidence without liability protections because there are laws in place and private causes of action that could result in litigation," Mayer replied to Thompson.
The task force is now in its second year. It approved a series of recommendations of its working groups, including one calling for a federal acquisition rule to incentivize the procurement of ICT products from original equipment manufacturers and authorized resellers to prevent the purchase of counterfeit items.