I. Introduction
Supply chains for information and communications technology (ICT) goods and services were not a topic of concern for many consumers in the United States until 2020. Before then, businesses and consumers assumed that most goods would always be available when they wanted to purchase them, and would be safe to use, largely ignorant of how state or private malicious actors might use the information generated by their use of such products. For example, retailers relied on just-in-time supply chains believing it would consistently deliver efficiencies and products. Workers in the private and government sectors delighted in TikTok videos on the phones they brought to work, which may have also contained programs that provided access to their work enterprise email, calendar, contacts, document edits, and location, without thinking about how a foreign government or actor could aggregate and use such data for espionage or crime. However, the COVID-19 pandemic and associated shut-down of businesses, empty shelves and delays in the delivery of items due to supply chain disruptions, and the rise of international nationalism, including in China and Russia, along with a rise in very public software supply chain cyberattacks have tested those assumptions.
Consumers may not have been concerned until store shelves were bare, or reports of the espionage by Russia and China were regularly featured in news reports, leading Congress to ban ICT hardware, software, and services developed or provided by Kaspersky Lab. Their interests may have been piqued when certain Chinese-manufactured telecommunications and video surveillance services and equipment were subjected to federal bans. Despite the public’s often trusting attitude and unhesitating embrace of the latest technology, private sector companies have long been apprehensive regarding the risks associated with their supply chains and have attempted to manage that risk. The COVID-driven scarcity demonstrates that these attempts have not always been successful.
Modern commercial supply chains are complex. The Department of Homeland Security (DHS) and Department of Commerce (Commerce), in their recent Report on Recommended Best Practices, defined the “supply chain” within the context of computer software as
the entire sequence of events that impacts software from the point of origin where it is designed and developed, to the point of end-use. Each sequence and element in this chain affects the software in some manner and can contribute to its assurance level or introduce a weakness that can be exploited. The supply chain includes the software code itself as well as the systems and tools used by developers, proprietary and open-source software repositories, signing keys, compilers, and download portals. The entities that comprise the software supply chain can include multiples of developers and technology providers. In many instances, the author of a given open-source software component is unknown. It is also unusual to find a single company responsible for the entirety of a software code base.
“Supply Chain Risk Management” (SCRM) is a systematic approach to address and resolve issues surrounding supply chain risk and the results of a SCRM review are an important factor that an industry considers when determining where to manufacture or obtain goods. The Chief Executive Officer of Siemens Energy said supply chains “will be a really core competence of companies like us, making sure that you can manage these scarcities and issues.”
The federal government has also been concerned with supply chain risks, but its focus ultimately must remain on protecting U.S. national security. National security “underpins the system in which Americans live. National security is essential to an environment and geographical space in which people can reside without fear.” While private industry, including its ICT commercial products, commercial services, and commercially available off-the-shelf (COTS) items play a role in the protection of national security, not all such commercial products and services are in fact secure. Accordingly, national security considerations must take precedence over supply chain efficiencies for certain ICT hardware and software purchases. Ultimately, how to address these risks in the ICT supply chain, known as cybersecurity risk management (C-SCRM), is a vital concern for both the private and public sectors.
As the discussion below reflects, each sector has different goals in the procurement of ICT. The private sector’s focus is commercial gain. While profit might be higher if a product or service is believed to be secure, the private sector also must weigh whether security interferes with the use and utility of the product or costs more than the market will bear.
In contrast, the United States federal government is charged with the responsibility for the protection of national security. When the government purchases ICT, it must have a reliable way to assure security, even if the solution results in higher costs to the government. Finding solutions that incentivize business to close security gaps and allow the government to reliably assess security risks of technology that is changing practically at the speed of light are important as federal employees tasked with purchasing ICT products and services might not be familiar with or have the time to become familiar with the cyber risks posed to their ICT systems.
This paper will first identify various terms surrounding cybersecurity and supply chain risk. Next, it will identify specific risks associated with the procurement and use of ICT common to both the private and public sectors. Then, the paper will discuss how the U.S. private and federal public sectors view those risks. From those differences in perspectives, the paper will discuss the risks to U.S. national security and how different approaches could mitigate the risks from procurement of ICT hardware and services.
II. Background
As a starting point, numerous terms need to be defined to provide a common baseline for this discussion. These definitions will ensure uniformity in the basic terms and concepts.
A. Definitions
First, with respect to executive agencies, federal law defines Information Technology (IT) as any equipment or interconnected system for the automatic acquisition, storage, display, or transmission of data or information, which includes computers. Second, the Cybersecurity and Infrastructure Security Agency (CISA) expanded on the definition of IT to specifically address communications technologies as part of ICT—a commonly used designation worldwide. CISA defined ICT as “those hardware, software, and services critical to communicating . . . .” Additionally, the National Institute of Standards and Technology (NIST) defined ICT as “the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer, and interchange of data and information.” These definitions apply to common electronically-based functions in the private sector such as e-commerce, banking, education, medicine, and transportation.
Generally, a “supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer. Links on the chain begin with the producers of the raw materials and conclude when the van delivers the finished product to the end user.” A supply chain can also represent the steps necessary to manufacture a product, starting from its original raw state to a finished product sold to a customer. Often, firms design their supply chains to optimize lean manufacturing to require just-in-time component delivery to help reduce costs.
Fundamentally, “risk” means “the uncertainty of a result, happening, or loss.” In the context of a supply chains, risks are presented by anything that might adversely affect the movement of materials from the initial supplier to the final customer or disrupt the planned flow of materials. Risks are also increasingly present as the complexity of the supply chain increases. Complex supply chains may include having many suppliers in many different locations, differentiation among those suppliers, and challenges associated with new technological and computer systems used by those various suppliers. Furthermore, risks can be presented by the extent of product availability, industrial capacity, changes in technology and labor markets, and supplier financial instability.
The private sector generally defines SCRM as the processes and procedures implemented by a firm to reduce or eliminate operational risk (changes in customer demand, supply, or costs), disruptions (natural or man-made), and losses caused by economic crises. The use of SCRM can reduce overall firm costs by recognizing and attempting to mitigate risk, even though SCRM cannot eliminate every risk given resource constraints (money, time, and personnel).
For the federal government, NIST created a standard definition of ICT SCRM as the “process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of information and communications technology product and service supply chains.” This definition also applies to the private sector as a means of “prevent[ing] the infiltration of counterfeit and tainted ICT products into the chains.”
Finally, NIST provides a government-centric definition of C-SCRM as a “systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures.” These risks can be found at any level of the supply chain and not just at the final production location prior to sale to the ultimate customer. NIST treats C-SCRM and SCRM as the same concept in its publications, and this paper will follow NIST’s lead.
With these terms defined, this paper will address how both the private and public sector implement SCRM principles. Further, this paper will place a special focus on the national security risk aspects of ICT procurements and incorporation of C-SCRM into decision-making.
B. Potential Problems Inherent in ICT Procurements
Especially within ICT procurements, there are numerous cybersecurity challenges and issues. As one author stated, “Modern federal information systems are complex: a diverse set of suppliers provides many individual software and hardware components integrated into a single overall system.” This complexity represents a risk that increases when a firm depends on IT supply chains outside the United States.
The risks in federal ICT procurement include possible insertion of counterfeit parts, insertion of malicious software and hardware, poor product manufacturing, and poor employee security practices. In the private sector, supply chain cybersecurity addresses the “management of cybersecurity requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT).” A NIST study found that eighty percent of all information breaches occurred in the supply chain. Such a high percentage of breaches resulting from the supply chain drives concerns about access to information up and down the chain. The following examples illustrate various cyber risks.
1. Imbedded Malware
Malware is software that attempts to alter, delete, remove access to data, or take over an individual computer or a whole network. Creation and production of ICT hardware outside the United States present opportunities for both state and non-state actors to embed spyware or malware in those products. The Director of the National Counterintelligence and Security Center determined that foreign adversaries are attempting to access the United States’ key supply chains “by inserting malware into important information technology networks and communications systems.” With this access, foreign adversaries can “compromise the integrity, trustworthiness, and authenticity of products and services that underpin government and American industry.”
Threat actors have malicious intent to compromise an organization’s security and can be state-sponsored organizations or individuals, “hacktivists” seeking political or social change, or even organized cybercriminals. Malware allows the threat actor to have future access to networks containing the infected ICT so it can shut down the system, delete stored data, or steal data. Ransomware is one prevalent and specific form of malware that attempts to encrypt (or scramble) a firm’s data so it cannot be accessed without an unlock key that will be provided only after payment to the cyber thief.
A defining moment illustrating the power of ransomware attacks to impact the general public was the 2021 attack on Colonial Pipeline, a U.S. oil and gas company. The malware shut down the primary gas pipeline supplying the United States East Coast, leading to a short-term gasoline shortage and a spike in prices. Cyber actors utilized a weakness in Colonial Pipeline’s IT network to install malware that locked the network and forced the firm to pay nearly $5 million in cryptocurrency to regain access to its computer data and systems. Another example occurred in 2017 when Russian military hackers gained access to dozens of Ukrainian government organizations and companies and installed malware that created a “backdoor” for the hackers to install software named NotPetya. This malware spread far beyond the intended Ukrainian networks and affected computers worldwide, paralyzing companies for weeks. Total estimates of the damage caused by NotPetya exceeded $10 billion. These types of attacks can cripple a firm, a firm’s supply chain network, as well as an entire nation’s computer network.
2. Altered Hardware
Ensuring delivery of a genuine product that has not been altered is a key emphasis for companies and customers. Counterfeiting is defined as imitating “a well-known product in all details of construction and appearance so as to deceive customers into thinking that they are getting genuine merchandise.” Companies counterfeit products or allow counterfeits for many reasons including increased profits. Conversely, counterfeits harm legitimate companies through lost profits and reduced incentives to innovate. Counterfeit ICT parts create risk of failure, substandard manufacturing or performance, tampering, and malicious software and are a major concern for the federal government. A congressional study of Department of Defense (DoD) purchases over a two-year period uncovered approximately 1,800 suspected counterfeit electronic parts.
Use of counterfeit products create national security risk since such parts can lead to fatal equipment failures and provide an avenue for foreign espionage. Specifically, in a 2013 policy directive, the Director of National Intelligence (DNI) highlighted a need for policy within the Intelligence Community (IC) to manage national security risk from the “introduction of counterfeit or malicious items into the IC supply chain.” This risk applies equally to the entire federal government.
Hardware risks come in many forms. One example is counterfeit routers made in China and sold to the United States military allowing China to spy on those organizations using the bogus routers. Another example is counterfeit semiconductor chips containing malware or viruses allowing potential adversaries to infiltrate U.S. government systems, alter or destroy data, or make data unavailable. In addition to these national security risks, companies providing counterfeit parts face economic risk from non-payment, reputational risk, as well as criminal and civil liability.
3. Foreign Country Access to Data
With so much of the ICT supply chain overseas, the United States must consider two policy matters. First, it must protect the privacy rights of its citizens. Second, many overseas firms are controlled by foreign governments, which creates additional national security risk. For example, companies owned by Chinese nationals are “controlled” by China because Article 7 of the People’s Republic of China National Intelligence Law of 2017 requires Chinese companies to “support, assist and cooperate with the state intelligence work.” These two considerations do not necessarily apply to all nations or foreign companies. However, as noted above, some countries, specifically Russia and China, seek to use their companies as an extension of the state according to executive branch and congressional reports. These foreign firms involved in the U.S. supply chain may present risks to U.S. firms and to the federal government by implanting malware in ICT components that are hard or impossible to detect. This allows for the exfiltration of the stolen data back to the foreign country, which has already occurred with China, according to government assessments.
For example, the People’s Republic of China reportedly has co-opted its technology industry, which includes Huawei, and uses it as an extension of the state with laws requiring “every company doing business in China—Chinese or foreign—to make every bit and byte of data available to the government.” These laws also apply to all Chinese companies and their foreign subsidiaries wherever they do business around the world. Chinese government access to all the data stored on a firm’s computer network presents a tremendous risk to national security if government data is stored on a contractor’s network.
A separate, but related issue, is that some countries, including Russia and China, require data stored on networks of foreign companies doing business in that country to be mirrored and stored in that country. This mandate allows for potential exploitation of the data by the foreign government. While that might be an acceptable risk to a firm when deciding whether to do business or use a supplier in that country, the federal government should not accept that same level of national security risk.
C. Private U.S. Sector
The U.S. private sector is motivated by profit. In 1970, economist Milton Friedman argued that the “social responsibility of business . . . [is] to increase profits” and that, so long as done lawfully, other concerns are secondary. Over the ensuing decades, this corporate guiding principle has been challenged as companies determine that corporate best interests are more than mere profitability. They have determined that their companies will be socially responsible and good citizens even if profits suffer. Social responsibility means “a business’s obligation to pursue achievable and good long-term goals for its people and the world at large.”
One aspect of corporate responsibility is to properly manage its supply chains These wide-ranging supply chains serve many purposes including accessing new markets, enabling business growth, and reducing costs. In fact, “[s]ome authors have gone to the point of suggesting that [a firm’s organizational] success largely depends upon the performance of the supply chains in which the firm functions as a partner.” Supply chain success drives corporate success.
1. Price as a Consideration of Supply Chain Risk
When selecting a supplier “[p]rice is always a significant factor,” but it remains only a factor. A company can improve operational performance and reduce production costs through outsourcing, but it still may not provide stable profit. Achieving “strategic performance” in a supply chain “is about delivery of the right product, the right quantity, at the right price, to the right place, on time.” Ensuring the functionality of a supply chain is critical to overall profitability and resilience.
Another method that firms utilize to reduce the price of materials, goods, and products is to shrink the number of items that must be stored for future use in the manufacturing process. Fundamentally, just-in-time manufacturing seeks to create long-term business relationships that drive down waste of overproduction, limit wait time, decrease storage costs, and streamline production. It also allows companies to build products that customers actually purchase (versus making products the customer might not want) and to be paid for those products as they are made, thereby improving corporate cashflow.
2. Availability as a Consideration of Supply Chain Risk
A second consideration is availability of the materials, suppliers, and services. Materials and products must be available to a firm at the time that it needs the items and in sufficient quantities to fulfill requirements for sale. In years past, many companies completed most, if not all, of the required manufacturing in-house; not so today with much of the process outsourced to other companies, which often are located across the globe. A robust and diversified supply chain network can enable better risk management by finding and utilizing alternative supply sources during times of emergency or shortages.
Availability refers to many different concerns. The first availability consideration for a firm is the accessibility of the raw materials necessary to produce the end product. Raw materials that are not available at the time needed may shift the demand to a different good or to different supply chain. For example, in the late 1970s, access to cobalt, a key metal in aircraft engines, turbines, and magnets, was limited due to war in Zaire (now known as the Democratic Republic of Congo), the country primarily responsible for cobalt mining and led to price increases of over 380%. As a result, other countries such as China and the United States increased domestic mining operations to compensate for the lost access. This demonstrates how both companies alter behavior to account for the lack of a commodity’s availability at a reasonable price.
A second type of availability issue a firm must address is the vulnerability of that supply to disruption. Disruption means “interruptions in business operations that result in undesirable consequences such as delayed deliveries or lost sales.” For example, when an earthquake hit Taiwan in September 1999, where, at the time, ten percent of the world’s computer chips and eighty percent of the world’s motherboards were manufactured, plant shutdowns resulted in over $200 million in lost sales. In 2023, Taiwan produced “over 60% of the world’s semiconductors and over 90% of the most advanced ones.”
Unavailability of an item at the time of production need creates a risk to the firm’s profits. Private firms create a network of diversified suppliers to attempt to minimize that risk. Additionally, to mitigate this risk, companies proactively communicate with their suppliers to avoid “surprises that may disrupt the program and reduce customer satisfaction.”
Finally, another type of availability relates to information availability or integrity. In this instance, companies that cannot access data on product availability or trust the accuracy of that data, cannot place or fill orders. A seamless flow of information is critical to reduce total inventory, improve customer order fill rates, reduce transportation costs, and stimulate revenue growth. Data must be available and accurate for supply chains to operate efficiently as this type of quality information sharing drives down supply chain risk.
3. Quality as a Consideration of Supply Chain Risk
Another important consideration for the private sector is the quality of the materials, products, and goods purchased as “quality impacts nearly every step in the process for final product assembly or services provided.” Producing quality products builds trust with a firm’s customers, improves its reputation as a high value firm, and allows corporate growth. Conversely, poor quality control can result in the sale of damaged products that hurt a firm’s reputation and create customer dissatisfaction.
Therefore, at its core, quality drives profitability. When a firm outsources the acquisition of materials, production, and shipment, risk increases as the firm attempts to maintain quality. If a firm focuses exclusively on the prices that it pays and ignores quality, the initial low cost can become illusory as the firm must pay for the reworking of shoddy products. Therefore, a firm must consider quality along with price when selecting its supply chain partners.
4. Private Sector Response to C-SCRM Challenges
To address some of the above concerns as they relate specifically to cybersecurity in the supply chain, firms have undertaken numerous steps to reduce those risks by making C-SCRM a strategic focus. For example, companies have created formal C-SCRM programs and policies, and NIST conducted a study that determined that the use of executive-level C-SCRM programs is a common and effective commercial practice. Creation of such working groups or assignment of senior leadership for SCRM is a firm’s first step to respond to C-SCRM challenges, but more needs to be done to address and mitigate the risk. The following list is not intended to be comprehensive, but simply a sampling of some policies and procedures firms can implement to manage cyber risk.
First, firms should vet all their worldwide suppliers to ensure that each implements proper cybersecurity protections and to determine how well each secures its own computer networks. If a firm at any level of the supply chain is not employing proper cybersecurity hygiene, that failure can create unnecessary risk. In addition, firms can use detailed questionnaires to evaluate the current security controls of their third-party suppliers, noting weaknesses in those firm’s cybersecurity programs, and assisting in correcting the deficiencies. As one author wrote, “Cyber security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain.”
Second, companies need to build resilience into their supply chains by diversifying the number of suppliers utilized. This diversification reduces the firm’s risk that a failure by one supplier (either from a cybersecurity breach or lack of parts availability) will cause the firm’s effort to come to a halt. Diversifying and using multiple suppliers, however, goes against private industry’s practice of just-in-time production and manufacturing. Without redundancy in the supply chain to handle disruptions, either from cyber-attacks that shut down a firm or a natural disaster such as a hurricane or earthquake, risk increases. While implementing redundant supply chains may reduce profits, it affords greater capability to withstand supply shocks and disruptions.
The danger of a lack of redundancy came to the forefront with the COVID-19 pandemic that strained, and, in some cases, broke several industries’ supply chains. As a result of COVID and to address long-term supply chain risk, companies are electing to reduce its reliance on foreign manufacturers by utilizing domestic companies to shorten the supply chain. Others are looking to diversify their supply chains from a single country (often China) to more regional locations in Asia or closer to the United States in Canada or Mexico. Whether re-shoring of manufacturing will continue post–COVID is an open question as a partner at PwC stated that “[r]isk [of supply chain disruption] usually falls further down on decision making behind cost,” and he did not believe companies would bring back production to the United States. A partner at the consulting firm McKinsey & Company stated that industry should push for greater supply chain resiliency by abandoning lean-focused just-in-time production, but that he is skeptical it will do so. The bottom line is that just-in-time production is not ending and will remain a top priority for industry.
Finally, firms need to be able to distinguish between trustworthy products and counterfeit parts. One U.S. government organization recommends use of an existing government database where all parties are able to share data about product integrity. The website contains information on parts, to include those suspected of being counterfeit, and assemblies. It must be noted that it is unclear what protocols are used to prevent firms from using the database to disparage a rival firm’s products as counterfeit. The Federal Acquisition Regulation (FAR) Council and the DoD have established regulations requiring firms to create procedures to monitor, detect, and eliminate counterfeit parts at all levels of the supply chain for electronic parts.
5. National Security as a Consideration
Private sector companies, especially those primarily selling commercial ICT to consumers in the private sector, are concerned with innovating, reducing costs, maximizing profits, and producing high quality products. As such, while such companies generally seek to create a safe and secure environment for individual users, they may overlook how the data stored and transmitted by ICT, when aggregated, may impact national security.
Cybersecurity can affect national security and is a challenge for both the private and public sectors. The congressionally mandated Cyberspace Solarium Commission shares this view through a review of the DHS’s ICT Supply Chain Risk Management Task Force. That Task Force brought together industry and relevant federal departments to develop “a framework for information sharing, build threat-based evaluation schema for ICTs . . . and evaluation criteria for government procurement . . . .” The Commission determined that the Task Force’s plan to bring the private and public sectors together, since previously they had not, would help address national security in ICT procurements.
Ultimately, however, both sectors have different values and interests that limit the ability of the private sector to agree with and work toward the same goals as the public sector. For example, a firm that agrees to continue to work with China, notwithstanding the risks to U.S. national security, may suffer reputational loss in other markets such as the United States, while voluntarily agreeing not to work with China may cost the firm access to the world’s second largest economy. Therefore, it may become necessary for the federal government to force the private sector to take actions that a firm might not otherwise agree to undertake, such as reducing market access or sales in order to create superior cybersecurity standards for ICT procurements.
D. Federal Government
While the private sector is often concerned with price, availability, and quality of the components and goods produced, the federal government must add national security to that list. Supply chain risk for the federal procurement process arises when it purchases goods and services from the private sector. Often, the private sector has not sufficiently addressed national security in the supply chain, and the federal process must add that consideration. Prior to a discussion of how that consideration is added, a review of the methods and requirements for the government to purchase goods is necessary.
1. Federal Supply Chain and Federal Procurement
Executive branch acquisitions are governed by numerous federal statutes and regulations. In Fiscal Year (FY) 2020, the executive branch spent over $665 billion on contracts, of which the DoD accounted for $421.8 billion. As reported by the Government Accountability Office (GAO), “the federal government spends more than $90 billion annually for information technology (IT), including over $50 billion on contracts for products and services.” For FY 2021, IT hardware and services purchases were approximately 8.3% of all federal contracts. While not directly addressing issues surrounding supply chains, the government is required to obtain goods and services at a fair price that meets the needs of the customer and are available when needed. These requirements affect private supply chains as “U.S. government contractors often rely on global supply chains to support their U.S. government contracts . . . .”
The federal government is generally concerned with meeting three key objectives with its procurement system: competition, integrity, and transparency. These competing priorities can be in tension with the need to obtain the lowest price or best value and may have to give way for other considerations. The federal government has numerous other competing priorities when determining what IT to purchase and from whom. The FAR establishes:
(b) The Federal Acquisition System will-
(1) Satisfy the customer in terms of cost, quality, and timeliness of the delivered product or service by, for example-
(i) Maximizing the use of commercial products and commercial services;
(ii) Using contractors who have a track record of successful past performance or who demonstrate a current superior ability to perform; and
(iii) Promoting competition;
(2) Minimize administrative operating costs;
(3) Conduct business with integrity, fairness, and openness; and
(4) Fulfill public policy objectives.
As noted by statute, the FAR, and GAO case law, all federal contracts must consider price. Consideration of price is unsurprising when an agency has a limited budget provided by Congress and the need to preserve public funding. As demonstrated above, the private sector is also concerned about price, and often this is a preeminent concern to industry. The FAR, however, states when it relates to “satisfy[ing] the customer,” price is but one factor to consider, along with quality and timeliness.
When price will not be the only consideration to determine contract award, the federal government seeks out quality products and services though the acquisition process, but the FAR does not mandate quality be an evaluation factor in every acquisition. For example, purchases utilizing the Federal Supply Schedule do not necessarily require the award to be based on considerations other than price so long as the purchase meets the customer’s needs.
Nevertheless, when it is in the “best interest of the government to consider to award to other than the lowest price offeror,” the government may use a trade-off process. Trade-off allows the Contracting Officer (CO) to pay a higher price in exchange for higher rated non–price factors such as quality, past performance, and intellectual property than that offered by the lowest price offer. This process provides an agency with authority to evaluate the quality of a product and price to determine the awardee.
Within the framework of a negotiated procurement, an agency may award the contract to the lowest priced, technically acceptable (LPTA) offeror. This process sets the minimum technical requirements a contractor must meet, and, if met, the lowest overall priced contractor wins. Use of LPTA has not been without its critics, especially for IT services and hardware. A common complaint is that firms “design their products so cheaply that they cannot afford to design products or plan their services in a way that is outside-of-the-box and potentially more efficient than previous products or service modes.” This concern is especially relevant for higher risk IT goods and services where technical ability and capability should play a larger role in the award determination.
2. Cases of Private Sector Companies Creating a Risk to National Security
In recent years, there have been several instances where a firm, or its products and services that would otherwise meet customer needs, was determined to create an unacceptable risk to national security. As a result, both the President, through executive action and Congress, through statutory changes, determined that part of the qualitative review of IT purchases would include a review of a proposed firm’s foreign ties and the nature of their supply chains. At least two different corporate situations have occurred that raised alarms that the private sector might not be taking national security concerns into appropriate consideration: Kaspersky Labs and Huawei.
a. The Case Against Kaspersky Labs
Kaspersky Labs (Kaspersky) is an IT cybersecurity firm founded in 2004 that provides customers a host of various cybersecurity products such as anti-virus software for computers (business, personal, and government) and servers. Kaspersky North America is a U.S. corporation and is a wholly owned subsidiary of Kaspersky’s Limited. Kaspersky is a Russian company with worldwide subsidiaries and customers, all linked back to the Russian parent company. Kaspersky’s worldwide annual revenue was over $640 million in 2016.
In 2017, based on classified information, U.S. intelligence and law enforcement agencies began to raise national security concerns about the company’s ties to the Russian government and its intelligence services. While Kaspersky’s Chief Executive Officer denied any such connections, the federal government found evidence that the company worked closely with the Federal Security Service (FSB), the successor organization to the Soviet Union’s Committee for State Security (KGB). Additionally, U.S. officials believed some Kaspersky executives were former Russian intelligence officers with continuing ties to Russian government officials.
Senator Jeanne Shaheen (D-NH), in an opinion piece, expressed her concerns raised by Kaspersky’s corporate structure and ownership after a public hearing of the Senate Intelligence Committee in May 2017. She alleged that the firm’s owner graduated from a KGB school and was a software engineer for Soviet military intelligence. Furthermore, Kaspersky created a proprietary operating system designed for electrical grids, pipelines, and telecommunications that the Defense Intelligence Agency (DIA) warned could “enable Russian government hackers to shut down critical systems.”
Additionally, once installed, Kaspersky’s software allows Kaspersky complete access to a user’s computer network including all files, emails, and data within the company’s computer servers operating in Russian, including access to sensitive U.S. government data. This unfettered ability to access data by Kaspersky created a concern for U.S. officials as approximately fifteen percent of federal agencies in 2017 used Kaspersky software. Finally, Russian law required Kaspersky to assist the FSB and provide access to all company data. At that same public Senate hearing, six U.S. intelligence officials, including the heads of the Federal Bureau of Investigations (FBI), the Central Intelligence Agency (CIA), and the National Security Agency (NSA), were asked if they were “comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no.”
The question posed by Kaspersky was how industry and the United States government should respond to these alleged risks. On the one hand, the private sector, perhaps unsurprisingly, did not see the risks to its supply chain and continued to sell and utilize Kaspersky software. The federal government, on the other hand, determined the risk to national security too great to ignore and elected to act.
b. Government Response to Kaspersky
To help ensure uniformity in how the federal government addresses, mitigates, and remediates potential risk to computer networks, Congress passed the Federal Information Security Modernization Act of 2014. Congress provided DHS with the authority to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.” To carry out that mission, DHS is authorized to issue a Binding Operational Directive (BOD), a compulsory direction to any federal executive branch, department, and agency for purposes of safeguarding federal information and information systems. This authority, however, does not apply to national security systems.
In September 2017, in response to the Senate hearings and other classified information, the DHS issued BOD 17-01 addressing the procurement of Kaspersky products and services by federal agencies (but it did not apply to the DoD, the IC, or classified computer networks). The Directive required all agencies to take three actions: (1) within thirty days, DHS would receive a report from each federal agency that identified “the use or presence of Kaspersky-branded products on all Federal information system”; (2) within sixty days, DHS would receive a detailed plan from each agency to “remove and discontinue present and future use of all Kaspersky-branded products”; and (3) within ninety days, each agency would begin to implement the plan of action to remove and discontinue the use of all Kaspersky-branded products. Prior to issuing BOD 17-01, DHS provided Kaspersky an opportunity to respond to the allegations of undue Russian influence. Kaspersky provided a lengthy written rebuttal and met with DHS officials, but DHS elected to continue with BOD 17-01. In response to the Directive, at least one U.S. company removed Kaspersky products from sale to the public.
Concurrent with the actions of DHS, and to address any potential loopholes with the scope of BOD 17-01, as neither the DoD nor national security systems were covered, Congress debated a law prohibiting Kaspersky products and services from use on all federal IT systems. On December 12, 2017, Congress enacted Section 1634 of the National Defense Authorization Act (NDAA) of 2018 banning Kaspersky software, hardware, and services from purchase throughout the federal government. The law was more expansive than BOD 17-01 as it (1) applied to all Kaspersky products and services, and (2) applied the ban to all federal agencies.
As this ban was not self-executing, on June 15, 2018, the FAR Council issued an interim FAR rule imposing the NDAA’s ban on contracting for “hardware, software, and services developed or provided by Kaspersky Lab or its related entities, or using any such hardware, software, or services in the development of data or deliverables first produced in the performance of the contract.” After receiving comments on the interim FAR rule, on September 10, 2019, the FAR Council issued a final rule, without change from the interim rule, implementing the permanent ban on Kaspersky products and services.
An open question remained regarding the scope of both the BOD 17-01 and the NDAA of 2018 as it was unclear if the ban applied to a firm’s own computer systems when working on federal contracts. Kirstjen Nielsen, then DHS Secretary, stated during testimony before the Senate Appropriations Committee that she considered the ban as applying to contractor networks as well.
After unsuccessfully challenging BOD 17-01 and failing to prevent the passage of the NDAA of 2018, Kaspersky challenged both actions in federal court. It raised three issues in two different lawsuits filed against DHS: (1) BOD 17-01 violated the Administrative Procedures Act, (2) BOD 17-01 violated due process, and (3) the NDAA of 2018 was an unconstitutional Bill of Attainder. Both lawsuits were heard by the same district court. The court denied Kaspersky’s challenges, finding that the NDAA of 2018 did not amount to a Bill of Attainder as the law did not inflict punishment on Kaspersky. Additionally, the court dismissed the remaining two grounds to BOD 17-01 for lack of standing to prove an actionable harm. On appeal, the appellate court affirmed the district court’s rulings.
Soon after the Kaspersky controversy, the executive and legislative branches would be confronted with the issue of Huawei, in which a similar national security risk of ties for foreign governments, data exfiltration, and compromised hardware arose. The federal government acted in a similar manner as it did with Kaspersky.
c. The Case Against Huawei
Huawei Technologies Co. Ltd. (Huawei) is a Chinese company headquartered in Shenzhen, China. The company asserts that it is privately held and owned by its Chinese employees. Many U.S. government analysts, however, believe that Huawei has “strong links with the Chinese government, including the Chinese People’s Liberation Army (PLA), and has not published a full breakdown of its ownership structure.” Huawei is China’s largest telecommunications manufacturer, “the world’s largest provider of telecommunications equipment” and, in 2019, surpassed “Apple to become the second [largest] smartphone seller.”
The initial concerns arose in 2012 when the House of Representatives Permanent Select Committee on Intelligence held a hearing on the potential national security risks associated with Huawei. The Committee investigated the suitability of Huawei to bid on U.S. telecommunication contracts as it could not be “free of influence from Beijing and could be used to undermine US security.” The Investigative Report by the Permanent Select Committee on Intelligence stated that the United States “must pay particular attention to products produced by companies with ties to regimes that present the highest and most advanced espionage threats to the U.S., such as China.” Furthermore, the Committee found that “Chinese intelligence agencies [have] the opportunity to insert malicious hardware or software implants into critical telecommunications components and systems.” Finally, it determined that Huawei did not provide sufficient information to dispel the fact that it is involved with the Chinese government.
Huawei disagreed with the Committee and alleged that the report “failed to provide clear information or evidence to substantiate the legitimacy of the Committee’s concerns.” The Committee asserted that Huawei failed to refute these allegations to its satisfaction with the Committee concluding that “Huawei, in particular, provided evasive, nonresponsive, or incomplete answers to questions at the heart of the security issues posed. The failure of these companies [Zhongxing Telecommunications Equipment Corporation (ZTE) and Huawei] to provide responsive answers about their relationships with and support by the Chinese government provides further doubt as to their ability to abide by international rules.” Additionally, “[b]ased on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.” As a result of its investigation, the Committee recommended that the United States “view with suspicion the continued penetration of the U.S. telecommunications market by Chinese telecommunications companies,” but did not call for Huawei to be banned from federal procurements or the United States market.
In early 2019, bipartisan bills were introduced in Congress to attempt to hold China accountable for its trade policies and the alleged actions of its companies. During a February 13, 2018, hearing of the Senate Select Committee on Intelligence, Senator Tom Cotton (R-AR) asked FBI Director Christopher Wray to comment on the perceived national security risks posed by Huawei. Director Wray stated:
[W]e’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks that provides the capacity to exert pressure or control over our telecommunications infrastructure. It provides the capacity to maliciously modify or steal information, and it provides the capacity to conduct undetected espionage.
When asked by Senator Cotton, NSA Director Mike Rogers concurred with Director Wray’s assessment of the risk. Finally, Senator Cotton asked the six Directors testifying (DNI, CIA, NSA, DIA, FBI, and National Geospatial-Intelligence Agency) if they would use products or services from Huawei or ZTE; none said yes.
d. The Government Response to Huawei
After the early 2018 hearing, on August 13, 2018, Congress passed and the President signed the NDAA of 2019. Section 889(a) of the Act prohibited any executive agency from procuring or obtaining “any equipment, system, or service that uses covered telecommunication equipment or services” or entering into a contract “with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services.” The term “covered telecommunications equipment or services” was defined as any equipment or services produced by Huawei or ZTE as well as other companies and entities. Finally, the law provided an executive agency head with the authority to waive the Section 889(a) prohibitions on a one-time basis for no more than two years with DNI Director approval in order to provide private industry additional time to implement the ban. The law was not self-executing and required a change to the FAR. On August 13, 2019, the FAR Council published an interim rule implementing the Section 889(a)(1)(A) ban with an effective date of the rule’s publication.
Other than immediate implementation, another significant aspect of the rule change was to make the ban applicable to acquisitions below the simplified acquisition threshold (SAT) as well as commercial items (as of January 2022, now known as commercial products and services), including commercial off-the-shelf (COTS) products. The FAR Council determined that even for commercial products and services under FAR Part 12 and purchases below the SAT under FAR Part 13, “there is an unacceptable level of risk for the Government in buying equipment, systems, or services that use covered telecommunications equipment or services as a substantial or essential component of any system.” The final rule has yet to be published.
Just as Kaspersky did not accept the ban imposed by DHS and Congress, Huawei also fought the prohibitions. First, in a BBC interview, the founder of Huawei, Ren Zhengfei, asserted that the ban was politically motivated, an unusually blunt comment about the United States from a leader who had not spoken out previously. Second, on March 6, 2019, Huawei filed suit in the Eastern District of Texas alleging that the ban imposed by Section 889 was unconstitutional as singling out an individual (or in this case, a firm) for “punishment” and that the action “was imposed without due process and with no proof provided that Huawei poses an espionage threat to the United States.” Specifically, Huawei raised three grounds: (1) the law violated the Bill of Attainder Clause, (2) the law violated Huawei’s due process, and (3) the law violated the Vesting Clauses.
On February 18, 2020, the district court granted the Government’s Motion to Dismiss. Specifically, the court held the law did not amount to a Bill of Attainder as Section 889 is a statute that “represents no more than a customer’s decision to take its business elsewhere.” Second, Huawei’s due process was not violated as Section 889 was “rationally related to a legitimate congressional purpose.” Finally, the law did not violate the Vesting Clause as it did not prevent either of the other two branches of government (executive and judiciary) from performing their constitutional functions. Huawei did not appeal the court’s ruling.
In addition to Congress, President Trump issued an executive order prohibiting any acquisition, transfer, installation, dealing in, or use of any ICT or service with respect to any property subject to the jurisdiction of the United States when an interagency group determines that the entities involved are, among other reasons, controlled by or subject to the jurisdiction or direction of a foreign adversary or pose an unacceptable risk to United States national security. The order did not name any specific companies, organizations, or entities but left the determinations to the Secretary of Commerce. On January 19, 2021, the Department of Commerce issued a final rule implementing Executive Order 13873 that banned ICT and services from any firm controlled by a foreign adversary, defined in the rule to include the People’s Republic of China. Again, even though the regulation did not name Huawei, the executive order was a much broader restriction than Congress imposed in the NDAA of 2019.
3. Recent Developments to Protect the Supply Chain
While the above examples are important indicators of how the federal government addresses apparent national security risk from the ICT supply chain, the changes mandated by law, executive order, or regulation were undertaken only in response to concerns raised in the media, by an executive branch agency, or by Congress during committee hearings. There was no systematic federal government-wide approach to attempt to address these ever-present risks to national security from ICT supply chains.
a. Congressional Action to Protect the Supply Chain
In 2018, to address this lack of a systematic approach, Congress debated and passed the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (SECURE Technology Act). One of the main purposes of the Act was to establish “requirements for supply chain security in products purchased by the Federal Government” through the creation of an interagency council to identify items that “pose unacceptable risk to these [IT] systems.” Furthermore, the creation of the interagency council would move the government “away from an ad hoc approach to dealing with unacceptable products offered to the Federal Government.”
The SECURE Technology Act created two new laws directly relating to procurement of ICT. Section 4713 stated that “the head of an executive agency may carry out a covered procurement action.” The Act defined a “covered procurement” as, among other actions, a source selection for a “covered article” that includes either a performance specification, an evaluation factor relating to supply chain risk, or where supply chain risk considerations are included in the agency’s determination of a contractor’s responsibility. A “covered article” refers to the purchase of IT or other hardware, system, devices, or software which include embedded or incidental IT. Finally, a “covered procurement action” means a head of an agency may exclude a source (i.e., a firm) that fails to meet qualification requirements or fails to achieve an acceptable rating for supply chain risk or a determination that a source is not responsible based on consideration of supply chain risk. The head of an agency may take a “covered procurement action” only after providing the affected firm notice, the basis of the determination, and an opportunity to respond. A head of an agency who takes a “covered procurement action” has, effectively, prohibited that source from an award of a contract or subcontract. This decision applies only to the agency that made the exclusion order.
The second law created the interagency Federal Acquisition Security Council (FASC). The FASC consists of seven executive branch agencies including the Office of Management and Budget (OMB), the General Services Administration (GSA), DHS, ODNI, the Department of Justice, the DoD and Commerce. Among other responsibilities, the FASC shall identify and recommend development by NIST of SCRM standards, guidelines, and practices for executive branch agencies to use when developing mitigation strategies to address supply chain risk.
The FASC also has authority, when in the national interest, to recommend the issuance of exclusion of source orders or removal of covered articles. The approval authority for any FASC recommendation depends on the federal agency involved. For civilian agencies, the authority rests with the Secretary of DHS; for the military, with the Secretary of Defense; and, for the Intelligence Community, with the DNI, and any approved exclusion or removals orders will apply to the entire executive branch. One commentator noted that “[a] fully operational council could have a significant impact on how the executive branch addresses alleged national security threats posed by foreign-owned supply-chain products.”
To address due process issues, the law provides notice and the right to submit information and arguments by any firm subject to a potential exclusion or removal order. Finally, any orders issued under the SECURE Technology Act “shall not be subject to administrative review or judicial review, including bid protests before the Government Accountability Office or in any Federal court” other than before the United States Court of Appeals for the District of Columbia Circuit and only to the extent the firm claims the order was unlawful.
On August 26, 2021, the FASC issued its final rule implementing the SECURE Technology Act. In part, the regulation established policies and procedures for how the FASC would carry out its responsibilities. Specifically, it addressed the referral process, provided a non–exhaustive list of relevant factors the FASC should consider, the required content of a recommendation, the required content for a notice or recommendation provided to a source, the requirement of how the FASC would respond to a firm’s rebuttal, and how the approving authority processes a recommendation for final action. The regulation declined a commentor’s request to exempt COTS items from the rule’s applicability. Notably, the regulation failed to explain how executive agencies would comply with these orders.
b. Executive Branch Action to Protect the Supply Chain
Shortly after assuming office, President Biden issued an executive order supporting the need for resilient, secure supply chains to protect national security. He sought to accomplish this goal by creating a task force that would make recommendations within 100 days that would result in greater domestic production, increase the range of supplies, build in redundancies, and provide for safe and secure digital networks. The executive order addressed several key industrial sectors, including semiconductor manufacturing.
The 100-day report required by the executive order highlighted that “structural weaknesses in both domestic and international supply chains threaten America’s economic and national security.” Much of the report’s focus related to bringing production and supply chains back to the United States from overseas locations as a means of risk reduction. At the one-year review, the White House announced numerous steps taken to strengthen the supply chain.
Additionally, President Biden issued an additional executive order on “Improving the Nation’s Cybersecurity.” Among the executive order’s many requirements, it mandated sharing of cyber threat information between the private and public sectors to help deter, prevent, and respond to cyber-attacks. To accomplish this goal, the FAR Council will be required to update the FAR to add contractual requirements for information sharing between the federal government and contractors. On October 3, 2023, the FAR Council issued a draft rule implementing the executive order’s requirements to share information.
In 2020, under the prior Administration, ODNI began work on securing streamlined legal authorities in the acquisition process to exclude high-risk vendors from federal contracts; however, ODNI has not yet obtained such authorities. In addition, ODNI has announced its intent to focus on ensuring SCRM is a top priority for the federal government and is “present throughout the acquisition process.” ODNI is working with CISA to implement policies to strengthen the ICT supply chain.
These steps by both the legislative and the executive branch are important to fill the gap between the goals of private industry and the need for the federal government to protect national security. These actions, though, have been insufficient, and more must be done.