RSA CONFERENCE 2020 - San Francisco - A tense discussion over supply chain risk management at this year's RSA Conference highlighted ongoing questions, but offered few conclusions, around how the nation can ensure the safety of foreign-made tech products used by the US government in critical infrastructure.
The Wednesday session, titled "How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei," saw panelists spar at times over the realities of preventing security flaws from making their way into technology during the manufacturing process. The concern is primarily around the ability of other nations that produce technology to insert back doors that can later be used to launch an attack or collect intelligence.
At the center of it was the question about whether China-based Huawei is being unfairly singled out after the Trump administration in August banned US government agencies from doing business with the telecommunications equipment manufacturer. The rule now prohibits federal purchases of telecom and video surveillance equipment and services from five Chinese companies, including Huawei. The legality of that ban was upheld by a federal district court judge earlier this month.
Katie Arrington, cyber information security officer of acquisitions at the Department of Defense, who oversees supply chain risk management for the agency, noted the move was made for good reason.
"The recommendation was made to take Huawei out for a very specific reason. The law is the law," she said. "Our job in the DoD is to make you safe. We are doing our best to buy down the risk. I don't want to be in a world where I wake up one morning and the banks don't work, and traffic lights don't work and break down. I want to make sure that control remains here, where I can touch you."
But Andy Purdy, CSO for Huawei Technologies USA, argued the ban was unfair given that many other companies based in other countries pose similar risks.
"Is it true or not true that at least five nations in the world have power to implant hidden functionality in hardware and software and launch an attack?" he said.
"That's ridiculous," Arrington retorted. "The bottom line is we are a democracy. We're different. When you have a product from a country that can take over, run, manipulate the most critical things in our country, why would you not want to be sure that country has all the right philosophical endeavors, which they don't."
Kathryn Waldron, a fellow with R Street Institute, argued that supply chain risk is context-specific and questioned whether kicking Huawei out was a good model for both national security and supply chain security going forward.
"I think we need to have a much more holistic structure approach that looks at risk of moment, but [also] looks at what sort of policies we put in place that will have positive market growth and will provide market competitors," she said.
The panel also included Bruce Schneier, security technologist, researcher, and lecturer at Harvard Kennedy School. Schneier challenged Arrington on several points around the discussion of how the supply chain is tied to national security, arguing that conflating the two creates confusion.
"Tying national security to trade policy makes for impossible security trade-offs. Either this is a national security issue, in which case there are things we do and don't do, or this is a trade issue, in which case we negotiate on a variety of things," Schneier said. "It cannot be both. It just doesn't work."
Schneier also noted changing attitudes among government officials regarding device security: At one time, US spy agencies were using vulnerabilities to their advantage to collect intelligence. But as other nations have caught up in their own spying capabilities, the US is now more concerned about how they might exploit those same vulnerabilities. Ultimately, he said, supply chain security will continue to be what he called an "insurmountably hard problem."
"Can we build a trustworthy network out of untrustworthy parts?" Schneier said. "I don't know if the answer is 'yes' yet. We are going to be living in a world of untrustworthy parts."
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.