After the midterm elections tomorrow, Congress is expected to act on the closest thing to cybersecurity legislation it can pass without running into gridlock.
The National Defense Authorization Act, an annual must-pass package, typically includes several items intended to shore up federal computer systems. For the most part, the bill sidesteps the divisive issues, such as the regulation of private networks and domestic cyberspying.
This year, the House version of the bill would prejudice computer systems proposed for federal contracts that contain components from “a company suspected of being influenced by a foreign country, or a suspected affiliate of such a company.”
It also would disfavor contractors located near military facilities whose own private, internal networks contain such parts.
Vendors are warning lawmakers the mandate could equate to a ban on U.S. multinational companies and an invitation for the U.S. government to surveil their private communications.
“We don't know if they are after Huawei or who they are after,” Pamela Walker, senior director for homeland security with the IT Industry Council, said on Monday, referring to the Chinese telecom giant accused of cyber espionage. “What were they trying to solve with this language?”
The measure "could sweep into the bill’s scope a whole range of multinational companies -- including U.S.-based ones -- who have R&D, manufacturing and sales activities all over the world, and often related relationships with various governments," council officials stated in recommendations submitted to Congress last month. "The economic impact from the exclusion of any one reasonably sized innovative commercial IT or telecommunications company under such conditions could easily have an impact in the hundreds of millions and cost countless jobs."
House, Senate Still Haggling Over Final Version of Bill
House and Senate staff currently are reconciling differences in their two bills so that lawmakers can pass the bill by year’s end.
The clause in question would require the Pentagon and the Director of National Intelligence to inform lawmakers each time there is a contract proposal containing a part made by a company “influenced by” a foreign nation. Think firms in Russia, or even India.
The government would also have to flag corporate networks “in proximity to Department of Defense or intelligence community facilities” that might be influenced by another country. Perhaps a sandwich shop near a military base that uses routers made by Huawei.
All contracts for Defense and intelligence community IT would be affected.
The council generally backs federal efforts to bake cybersecurity into the contracting process to bolster the nation's resiliency and protect corporate intellectual property. But the group opposes the foreign manufacturing clause, which it views as too broad and vague.
The provision, industry fears, could provoke foreign backlash, cutting off U.S. companies from overseas markets.
Following revelations by ex-intelligence contractor Edward Snowden about mass online spying, many countries are already concerned about the security of U.S. products.
American cloud companies face losses as high as $180 billion by 2016 as a result of the leaks, James Staten, principal analyst at Forrester, said in 2013.
"Product security is a function of how a product is made, used and maintained, not only by whom or where it is made, or by the relationship a vendor has with any particular government," council officials said.
Law Could Slow Down Procurements
Geographic restrictions might actually prevent an agency from buying the best, most-secure systems, they added.
Walker said industry is “very hopeful,” based on feedback from congressional staff, the provision will be refined, though she would like it removed altogether. “It sounds like it is going to be a compromise,” she said.
The IT community raised similar objections last year when a fiscal 2014 spending package mandated the inspection of various agency systems for, specifically, malicious Chinese parts.
The measure passed and now the departments of Commerce and Justice along with NASA and the National Science Foundation must assess “any risk of cyber-espionage or sabotage" in computer systems "produced, manufactured or assembled" by entities "that may be owned, directed, or subsidized by the People’s Republic of China."
Walker said the law has “slowed down some of the procurement" in the IT realm.