recommended reading

Annual Defense Bill Likely To Slip in Cyber Clampdown on Contractors

Brandon Bourdages/Shutterstock.com

After the midterm elections tomorrow, Congress is expected to act on the closest thing to cybersecurity legislation it can pass without running into gridlock.

The National Defense Authorization Act, an annual must-pass package, typically includes several items intended to shore up federal computer systems. For the most part, the bill sidesteps the divisive issues, such as the regulation of private networks and domestic cyberspying.

This year, the House version of the bill would prejudice computer systems proposed for federal contracts that contain components from “a company suspected of being influenced by a foreign country, or a suspected affiliate of such a company.”

It also would disfavor contractors located near military facilities whose own private, internal networks contain such parts.

Vendors are warning lawmakers the mandate could equate to a ban on U.S. multinational companies and an invitation for the U.S. government to surveil their private communications.

“We don't know if they are after Huawei or who they are after,” Pamela Walker, senior director for homeland security with the IT Industry Council, said on Monday, referring to the Chinese telecom giant accused of cyber espionage. “What were they trying to solve with this language?”

The measure "could sweep into the bill’s scope a whole range of multinational companies -- including U.S.-based ones -- who have R&D, manufacturing and sales activities all over the world, and often related relationships with various governments," council officials stated in recommendations submitted to Congress last month. "The economic impact from the exclusion of any one reasonably sized innovative commercial IT or telecommunications company under such conditions could easily have an impact in the hundreds of millions and cost countless jobs."

House, Senate Still Haggling Over Final Version of Bill

House and Senate staff currently are reconciling differences in their two bills so that lawmakers can pass the bill by year’s end.  

The clause in question would require the Pentagon and the Director of National Intelligence to inform lawmakers each time there is a contract proposal containing a part made by a company “influenced by” a foreign nation. Think firms in Russia, or even India.  

The government would also have to flag corporate networks “in proximity to Department of Defense or intelligence community facilities” that might be influenced by another country. Perhaps a sandwich shop near a military base that uses routers made by Huawei.

All contracts for Defense and intelligence community IT would be affected. 

The council generally backs federal efforts to bake cybersecurity into the contracting process to bolster the nation's resiliency and protect corporate intellectual property. But the group opposes the foreign manufacturing clause, which it views as too broad and vague.

The provision, industry fears, could provoke foreign backlash, cutting off U.S. companies from overseas markets.

Following revelations by ex-intelligence contractor Edward Snowden about mass online spying, many countries are already concerned about the security of U.S. products.

American cloud companies face losses as high as $180 billion by 2016 as a result of the leaks, James Staten, principal analyst at Forrester, said in 2013.

"Product security is a function of how a product is made, used and maintained, not only by whom or where it is made, or by the relationship a vendor has with any particular government," council officials said.

Law Could Slow Down Procurements

Geographic restrictions might actually prevent an agency from buying the best, most-secure systems, they added.

Walker said industry is “very hopeful,” based on feedback from congressional staff, the provision will be refined, though she would like it removed altogether. “It sounds like it is going to be a compromise,” she said.

The IT community raised similar objections last year when a fiscal 2014 spending package mandated the inspection of various agency systems for, specifically, malicious Chinese parts.

The measure passed and now the departments of Commerce and Justice along with NASA and the National Science Foundation must assess “any risk of cyber-espionage or sabotage" in computer systems "produced, manufactured or assembled" by entities "that may be owned, directed, or subsidized by the People’s Republic of China."

Walker said the law has “slowed down some of the procurement" in the IT realm.

(Image via Brandon Bourdages/Shutterstock.com)

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.