New Bill Aims to Prevent the Next Kaspersky, ZTE

Sen. Claire McCaskill, D-Mo. Carolyn Kaster/AP

The bill would establish an interagency commission to help vet supply chain cybersecurity risks.

Federal agencies would be required to more thoroughly vet products’ cybersecurity supply chains before buying them under bipartisan legislation introduced in the Senate Tuesday.

The bill from Sens. Claire McCaskill, D-Mo., and James Lankford, R-Okla., comes six months after Congress ordered agencies to remove Kaspersky Lab's Russian anti-virus software from their systems because of concerns that the Kremlin could use it as a spying tool.

In most cases, government agencies and offices did not contract directly with Kaspersky but received it as part of a package of services from a separate vendor. In other cases, government data and systems were exposed to Kaspersky software that was running on contractor networks.

The federal procurement system, for all its complexity, is so far ill-equipped to respond to those second- and third-order cybersecurity concerns.

The House and Senate have both passed provisions that would ban the Chinese tech companies Huawei and ZTE from government systems over similar spying concerns.

McCaskill and Lankford’s bill would establish an interagency Federal Acquisition Security Council that would develop cybersecurity supply chain criteria for government IT tools. The council would then mandate that agencies review new and existing IT tools for supply chain vulnerabilities.

The bill also mandates a governmentwide supply chain strategy.

“We can’t simply respond to supply chain threats piecemeal; we’ve got to have a system in place to assess these risks across the government,” McCaskill said in a statement.

McCaskill is the ranking Democrat on the Senate’s Homeland Security Committee. Lankford chairs the committee’s Regulatory Affairs and Federal Management panel.

The Homeland Security Department, which has authority to issue broad cybersecurity mandates to other agencies, has already launched a major review of supply chain cybersecurity. The department has not ordered any major public changes yet.

The acquisition security council envisioned in McCaskill and Lankford’s bill would include members from the White House, Homeland Security Department and intelligence community. It would also act as a pipeline for intelligence agencies to share concerns about specific vendors with civilian agencies that are not focused on national security.

The council would be required to submit an annual report about its efforts to Congress.