This recap of a live conference call was posted for subscribers on 11/05/2019 by Michael B. Farrell, POLITICO Pro's Cybersecurity Editor.
POLITICO’s cybersecurity reporting team hosted a conference call on Tuesday for Pro subscribers to discuss some of the most significant cyber developments on the Hill and across Washington.
Reporters Eric Geller, Tim Starks and Martin Matishak pulled from their recent stories and their notebooks to give readers insights and perspectives on developments in supply chain security, the encryption debate, election security, ransomware and more. They also briefed Pros on developments at the DHS Cybersecurity and Infrastructure Security Agency, the Cyberspace Solarium Commission and the newly launched NSA Cybersecurity Directorate.
Here are five big takeaways from the call:
1. The price of ridding the U.S. of Huawei tech will be steep
It remains to be seen what the Commerce Department’s rule stemming from President Donald Trump’s supply chain executive order will actually look like and how sweeping it may be when it comes to banning Huawei technology from U.S. networks. Eric previously reported the regulation has been delayed by politics and interagency squabbling. But that hasn’t swayed the State Department away from its campaign to convince allies to strip their networks of Huawei and other Chinese technology, he told Pros. They don’t want to see a world where the U.S. restricts access to Huawei, but the rest of the globe doesn’t, he said.
“The State Department has been trying really hard to make it clear to other countries that they shouldn’t trust equipment from companies like Huawei that are subject to essentially an autocracy with no rule of law,” he said.
But the cost of a Huawei ban is going to be steep, and many rural providers in the U.S. won’t be able to afford swapping out inexpensive Chinese technology.
2. This cyber legislation actually has a chance of passing
Eric, Tim and Martin agreed that it’ll be tough to pass any legislation related to cybersecurity in this Congress as impeachment and the 2020 presidential election have consumed lawmakers’ attention. But legislative proposals to help telecoms replace Huawei actually have a shot. The Secure and Trusted Communications Network Act of 2019 (H.R. 4459) in the House and the United States 5G Leadership Act of 2019 (S. 1625) in the Senate would offer $1 billion and $700 million, respectively. Senate Commerce has already approved the United States 5G Leadership Act, Tim pointed out, and both legislative proposals have bipartisan support.
3. DoD has gotten serious about supply chain
The number of vendors that sell technology and other services to the Pentagon is something like 300,000 to 600,000, making it one of the biggest supply chains in the federal government, Martin said. The Pentagon has been out front in terms of putting in place more stringent guidelines that include banning Chinese-made parts from companies such as Huawei and ZTE and requiring that suppliers meet rigorous cybersecurity standards. In fact, Martin said, the Pentagon’s supply chain task force, which it launched last November, should start making its recommendations public in the near future.
Additionally, Martin pointed out, the Pentagon is taking public comments on its Cybersecurity Maturity Model Certification plan, which will set cyber metrics for vendors competing for DoD contracts. The idea is to grade vendors from one to five based on their cybersecurity standards and practices, with the most secure vendors having access to the most high-value contracts.
4. There’s some progress on election security, but still a lot of work to be done
Eric pointed out that Los Angeles County is taking an interesting approach when it comes to election security by developing voting machines that rely more on commercial, off-the-shelf equipment than the most commonly purchased voting machines do. “It means that you don’t have to completely re-engineer the machine as time goes by because you’re buying equipment that is being designed and re-engineered by the source company,” he said.
One reason that LA County, the largest county in the country, is able to experiment with voting equipment is that it has the money needed to invest in innovative solutions, Eric pointed out. One trend that emerged from POLITICO’s nationwide survey of election technology at the county level is that many poorer counties simply don’t have the funding to upgrade their systems to more secure equipment.
5. Federal cyber efforts are ballooning — from CISA to the Cyberspace Solarium Commission to the NSA Cybersecurity Directorate — but DHS and industry still need to do more
Over the past year, there’s been tremendous growth in terms of developing new federal cybersecurity efforts. CISA will turn one year old on Nov. 16 and the newly launched Cyberspace Solarium Commission, a public-private initiative, is currently working on a set of cybersecurity recommendations that would apply to all federal agencies and beyond. Over at the NSA, its newly launched Cybersecurity Directorate is also working on recommendations to bolster digital security protections in Washington.
But even with all this work in Washington, many of the federal officials working on cybersecurity say they still must improve one persistent issue: information sharing with and from the private sector. As Tim pointed out, CISA officials say they still need to provide more “value-added” information to industry partners, who are more inclined to share information back if they think they’ll get something out of it. Without that kind of data and partnerships with the private sector, everyone’s more blind to many of the biggest threats facing the U.S.