Tuesday, August 14, 2012

HR 6277 Introduced – Cyber Supply Chain Security


Back on August 2nd Rep. Slaughter (D,NY) introduced HR 6277, the Keep America Secure Act (Note: it was just published today by the GPO). The bill would protect national security by limiting the use of foreign-produced electronic devices in purchases made by the US Government. One would like to assume that this is a supply chain security issue (as the term is used by the cybersecurity community) and not a simple attempt to protect some manufacturer in the Congresswoman’s District.

Prohibit Use of Foreign Electronic Components


The bill would require the Secretaries of Defense and Homeland Security to ensure that their respective Departments do not “purchase any equipment or military aircraft that contains electronic components that are not manufactured in the United States” {§2(a)}. The term ‘electronic components’ is given a very wide definition; it would include {§2(e)(1)}:

• Any integrated chip or sensing device;

• Communications systems and equipment;

• Search, navigation, and guidance systems and equipment; and

• Software associated with the items described

The only other area that would face similar restrictions would be the civil aviation sector. The FAA would be required to issue regulations that would require that “any passenger aircraft constructed after such date [one year after passage of this bill] and any replacement of electronic components on a passenger aircraft use electronic components (as defined in section 2(e)) manufactured in the United States” {§3}.

Interestingly, DHS and DOD have been provided an escape clause from their requirements if the Secretary determines that it would “be inconsistent with the public interest or would result in unreasonable costs to the Department of Defense or the Department of Homeland Security” {§2(c)}. No such provision is made in the requirements for FAA regulations.

The Inevitable Study


The bill would require that DOD and DHS conduct a joint study into the “prevalence of counterfeit electronic components in the supply chains of the Department of Defense and the Department of Homeland Security and options for addressing the issue” {§2(d)(1)}. Again, no such study is being required of the FAA.

The joint report is required to be submitted to Congress within 12 months of the adoption of the legislation. No word on whether or not the report should be classified, so it almost certainly will be classified, probably without an unclassified version for public consumption.

Sensitive Electronic Components


There is an odd provision in this bill. It requires the establishment of a joint classification system by DOD and DHS to rank electronic components on “how sensitive the components, and the final products containing the components, are to national security” {§2(c)}. There is also, based upon that classification system, a definition of ‘sensitive electronic components’ that would describe those components that are “the most sensitive to national security” {§2(e)(2)}. This might prove interesting except that there is no other mention of ‘sensitive electronic components’ in the legislation.

Analysis


This is one of the oddest, most incomplete pieces of legislation that I have ever had the misfortune to read. There is no statement of findings or sense of Congress that describes the problem that Rep. Slaughter is trying to correct. While it is well understood in the cybersecurity community that the manufacture of electronic devices in adversarial countries leaves open the possibility of the insertion of back-doors, on-command defects, or cyber-espionage controls into the practically undecipherable electronic circuits of the devices, that potential problem goes well beyond DOD or DHS electronics.

Even if you were to concentrate on the protection of weapons systems, clearly a legitimate aim, why include DHS since it has no weapons systems (the Coast Guard systems would more properly come under their DOD mission)? And for heaven’s sakes, why burden the civil aviation system with this impossible ban? Even if we suspect that State sponsors of terrorism would engineer such systems to allow terrorists to gain control over an airliner (and the FAA portion of this rule goes far beyond just airliners), there are any number of industrial control systems that could be similarly engineered to create a much larger catastrophe than the downing of a couple of airliners.

Furthermore, this bill would be unenforceable. The international scope of the electronic engineering and manufacturing industry makes it virtually impossible for even DOD and DHS to come anywhere near implementing a realistic ban on foreign-made electronic components and devices. Besides, there are any number of international agreements where various components of weapons systems have been farmed out to companies in allied countries; NATO, Japan, and Taiwan just to mention a few.

This is just another example of how ‘easy’ it is for the technologically illiterate to solve problems involving electronic devices.
