Cyber Supply Chain Task Force to Meet Soon

A task force focused on reducing cybersecurity risks in the nation’s technology and communications supply chain will meet for the first time in the next few weeks, the Homeland Security Department announced Tuesday.

Homeland Security Secretary Kirstjen Nielsen announced the task force’s creation during a cyber conference in New York in July during which she also announced the creation of a new Homeland Security division, the National Cyber Risk Management Center, focused on long-range cyber issues.

The task force will be chaired by private sector leaders but will be sponsored by the risk management center, according to a Homeland Security news release.

The task force will focus on government and industry supply chains and criminal and nation-state hacker efforts to compromise contractors and subcontractors deep within those supply chains, the department said.

This is the first major deliverable from the risk management center, which is focused on several efforts, including identifying the nation’s highest value digital assets so they can be better protected from cyberattacks and improving long-term election cybersecurity.

“The nature of supply chain threats, because they can encompass a product’s entire life cycle and often involve hardware, make them particularly challenging to defend against,” Homeland Security’s top cybersecurity and infrastructure security official Chris Krebs said in a statement.

The task force will focus on “holistic solutions across a broad set of stakeholders to develop near-and long-term strategies to address supply chain risks,” Krebs added.

The task force will be co-chaired by Robert Mayer, senior vice president for cybersecurity at the industry association US Telecom, which counts AT&T and Verizon among its members, and John Miller, vice president for policy and law at ITI, a tech industry association that represents Microsoft, Oracle and Twitter among others.

Homeland Security will release a full membership list and a roster of focus areas after the task force’s initial meeting.

An earlier information sheet said the task force will include industry and government members and will “develop consensus recommendations for action to address key strategic challenges to identifying and managing risk associated with the global [information and communications technology] supply chain and related third-party risk.”

Industry members will represent the energy, financial services and defense industrial base sectors among others, the fact sheet states.

Homeland Security is also working on a shorter-range effort to improve the government’s cybersecurity supply chain by addressing cybersecurity earlier in the contracting process.

Congress is mulling proposals that would expand Homeland Security’s ability to bar suppliers from civilian government contracts if they pose cybersecurity or national security risks. Congress earlier imposed governmentwide bans on the Russian anti-virus company Kaspersky Lab and the Chinese telecoms Huawei and ZTE, arguing their products could be used as spying tools by U.S. adversaries or infected to sabotage U.S. government operations.