The Federal Communications Commission is taking further steps to prohibit blacklisted Chinese IT vendors from doing business with U.S. telecommunications providers.
Federal cybersecurity agencies, meanwhile, are working with industry partners to mitigate the risk of supply chain threats.
The Cybersecurity and Infrastructure Security Agency released a new tool Monday meant to help vendors identify and mitigate risks associated with software supply chains by applying risk management and software development frameworks.
Acting CISA Director Brandon Wales said the aftermath of the SolarWinds breach should serve as a “wake-up call” to the threat of supply chain vulnerabilities. In the months since the SolarWinds breach was discovered, Wales said Russian-based hackers are scanning and exploiting vulnerabilities to compromise networks tied to national security and government IT systems.
In response to these threats, Wales said the federal government needs modern cyber tools that “provide us a better chance of detecting the most sophisticated attacks.”
“It’s essential that we don’t look at these as isolated incidents, and we work together to take a whole-of-nation approach to securing our supply chains. We must raise our game,” Wales said during a virtual supply chain integrity workshop hosted by the FCC and the Office of the Director of National Intelligence’s National Counterintelligence and Security Center.
Darrin Jones, the FBI’s executive assistant director for science and technology, said the rise of 5G connectivity presents new opportunities with internet-connected devices, but also increases the scope of supply-chain cyber threats. The FBI stood up a 5G working group in 2019 specifically to mitigate these threats within government and industry.
“Whether it’s combating cybercrime from nation-state actors or detecting 5G-related threats, we need to be sure we understand what new vulnerabilities are being presented as we shift to software-defined networks and anticipate the continued explosion of the Internet of Things,” Jones said.
FCC considers steps to bar IT vendors deemed an ‘unacceptable risk’
The FCC is also looking to take proactive steps to secure the supply chain of U.S. networks by applying more scrutiny to a list of IT vendors that are linked to the Chinese government and pose a national security risk.
The FCC officially declared Huawei and ZTE as threats to national security last June, and prohibited U.S. telecommunications companies from using federal subsidies made available in the $8.3 billion Universal Service Fund to purchase equipment or services from these blacklisted vendors.
FCC Commissioner Brendan Carr said those actions didn’t go far enough to prevent telecom providers from using these prohibited products. The agency’s action last year, he said, only prevented these providers from spending federal dollars to put that network gear into their communications networks.
“You can have the exact same unsecured gear that can continue to go into our networks today, as long as a provider is using private funds for that initiative. That makes no sense to me. The national security threat comes from the gear itself, not the source of funding that’s used to put that gear into the network,” Carr said.
Carr said he supports revoking FCC approval for these prohibited IT products. Nearly every electronic device sold in the U.S. goes through this vetting process.
Acting FCC Commissioner Jessica Rosenworcel said she is considering moves in that direction. She said the FCC is “putting the finishing touches” on a program to replace this equipment in U.S. networks.
The FCC last month published a first-of-its-kind list of communications equipment and services that pose an “unacceptable risk” to national security. Rosenworcel said the FCC is also exploring “additional consequences” for companies on this list.
“Going forward, we are working with other federal agencies to maintain this list and ensure it is providing the private sector with the most up-to-date information they need to make the right decisions about security,” Rosenworcel said.
Under the 2021 spending bill, Congress approved $1.9 billion to reimburse telecom providers to replace, remove and dispose of equipment on their networks from the five Chinese government-linked IT companies identified in Section 889 of the 2019 NDAA.
Rosenworcel said the FCC has reestablished its Communications Security, Reliability and Interoperability Council and updated how the agency reviews matters related to national security.
She said the FCC has also stood up a National Security Policy Council that works closely with CISA, the National Telecommunications and Information Administration and Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology.
“There can be no question when it comes to network security. The threats are real, the stakes are high and our defenses need to constantly evolve and improve. This is especially vital as we transition to next-generation 5G networks that will connect so much more in the world around us,” Rosenworcel said.