Industry Wants More Legal Cover for Sharing Supply Chain Threats

Companies can’t protect their IT supply chain unless they know which vendors to avoid, but current laws discourage firms from sharing information about potential bad actors, according to industry cybersecurity experts.

On Wednesday, representatives from the tech and telecom industry told Congress that companies could face significant legal penalties if they voice concerns about vendors or products that they believe present cybersecurity risks. Sharing that sort of information is critical to locking down the IT supply chain, panelists said, but companies won’t do so unless the government gives them more legal cover.

Companies already have some leeway to flag digital threats posed by other firms under the Cybersecurity Information Sharing Act, passed in 2015. The law created a system for sharing information about specific “cyber threat indicators,” like suspicious emails or network activity, though it largely doesn’t cover supply chain threats, like vulnerabilities intentionally built into a specific product, panelists said.

“What we don’t have is a situation where an organization has a piece of equipment where they discover some software or malware or pattern of activity that makes them feel very suspicious,” and they can share their concerns with other companies, Robert Mayer, senior vice president for cybersecurity at USTelecom, told the House Homeland Security Committee.

Enabling that sort of information sharing with providers further up or down the supply chain “would be very beneficial,” he said.

Mayer’s sentiment was backed by the other two witnesses—John Miller, senior counsel and vice president of policy at the Information and Technology Industry Council, and Bob Kolasky, director of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency. Mayer and Miller currently serve as co-chairs of CISA’s supply chain risk management task force.

“We want something in place to encourage private sector firms to share information they may not have trust in based on due diligence work they do,” Kolasky said. Similarly, he added, the intelligence community also needs a more efficient channel to share information they acquire on potentially compromised vendors with federal acquisition officials.

During the hearing, lawmakers also questioned panelists on how they could push companies to adopt more comprehensive supply chain security practices. While financial incentives and other rewards could work, witnesses noted such policies must be applied carefully so as not to skew the market in favor of bigger, better-resourced firms.

Beyond direct incentives, the government could also use is significant purchasing power to drive companies toward more secure supply chain practices, Kolasky said. In its widely circulated “Deliver Uncompromised” report released last year, MITRE recommended the Defense Department make cybersecurity a major factor of its acquisition process. If the Pentagon and other federal agencies adopted such a standard, which includes supply chain security requirements, a large chunk of the tech industry would get on board, Kolasky said.

“You see that contract incentives can drive a lot of change in performance,” Kolasky said. “I think that’s going to be a real driver ... of behavior down supply chains.”