This afternoon the Senate officially began consideration of
S 2943, the FY 2017 National Defense Authorization Act, with a cloture vote of
98 – 0. The amendment offering process began on Monday with 13
amendments offered. Yesterday there were an additional 59
amendments offered. To date only one of those amendments is likely to be of
specific interest to readers of this blog: one relating to the supply chain
security of critical telecommunications equipment, technologies, or services.
Supply Chain Security
Sen. Gardner (R,CO) proposed SA
4130 (pg S3118). It would add a new §1641,
“Comptroller General of the United States report on department of defense
critical telecommunications equipment or services obtained from suppliers
closely linked to a leading cyber-threat actor.”
The amendment would require a report to Congress on any
critical telecommunications equipment, technologies, or services obtained or
used by the Department of Defense or its contractors or subcontractors that is
{§1641(a)(1)}:
• Manufactured by a foreign
supplier, or a contractor or subcontractor of such supplier, that is closely
linked to a leading cyber-threat actor; or
• From an entity that incorporates or utilizes
information technology manufactured by a foreign supplier, or a contractor or
subcontractor of such supplier, that is closely linked to a leading
cyber-threat actor.
Two key terms are defined in the amendment: ‘leading cyber-threat
actor’ and ‘closely linked’. A ‘leading cyber-threat actor’ is one identified
as a ‘leading threat actor in cyberspace’ in the “Worldwide
Threat Assessment of the US Intelligence Community”, dated February 9, 2016.
The term ‘closely linked’ describes the relationship between one of the
identified cyber-threat actors and a foreign supplier, contractor or
subcontractor; that relationship exists when the supplier, contractor or
subcontractor {§1641(c)(2)}:
• Has ties to the military forces
of such actor;
• Has ties to the intelligence
services of such actor;
• Is the beneficiary of significant
low interest or no-interest loans, loan forgiveness, or other support of such
actor; or
• Is incorporated or headquartered in the territory
of such actor.
Moving Forward
Tomorrow we will start to get some idea of which amendments
will be taken up during the consideration of S 2943. Amendments will continue
to be offered tomorrow and (probably) a week from Monday, when the Senate
comes back from its very extended Memorial Day weekend.
The cloture vote today was a good sign that there is nothing
fatal in the current language of S 2943. Whether or not that will remain the
case as the amendment process moves forward remains to be seen.
Commentary
While the report requirement in Gardner’s amendment is
technically targeted at all four countries (Russia, China, Iran and North
Korea) listed in the Worldwide Threat Assessment (pg 3), it would seem to me that
Gardner is really expecting the report to focus on China and its
telecommunications industry. I think that anyone would have concerns about the
potential problems of having communications equipment provided by companies
with close ties to the Chinese government or (in particular) the Chinese Army.
This amendment may be exhibiting a tad bit more than a
normal amount of paranoia when it includes any company that is incorporated or
headquartered in the territory of one of the big four countries of cyber concern
(again China is the obvious main target). While it may be hard to identify all
of the companies that fall under the first three standards for ‘closely-linked’,
the sweeping inclusion of all Chinese chip and equipment makers in the
reporting requirements would seem to ensure that it would be extremely
difficult to separate the wheat from the chaff in the resulting report.
And it may be my paranoia seeping through, but I am more
than a little concerned that the report required by the amendment is
limited to just telecommunications equipment. The universe of electronic and
cyber equipment that includes Chinese-made chips and components is far larger
than just telecommunications equipment. Since this is an amendment to the
Defense authorization bill, the report should be expanded to include all
critical electronic or computer control systems used by DOD and its
contractors.
The other thing that is missing from this amendment is any
definition of the type of information to be included in the report. The
proposed language specifies what types of equipment from what sources should be
addressed in the report, but nothing more about the content of the report. For
example, Gardner might have required the report to identify:
• What military end equipment or
systems contain parts manufactured by a company that is closely linked with a
leading cyber-threat actor;
• Whether there are other
sources of supply for those parts;
• What methods are available to
verify that parts from ‘closely linked’ suppliers meet all of the safety,
security and quality requirements of the military; and
• What techniques are available to
adequately isolate components manufactured by ‘closely linked’ suppliers from
post-installation communications with the military or intelligence agencies of
the ‘leading cyber-threat actors’.
This amendment is unlikely to be modified by the current
process for consideration of S 2943. Addressing the concerns described above
would take a completely new amendment; I’m not holding my breath.
BTW: A really odd amendment was offered yesterday. SA 4141
would add a new division to S 2943 that adds the FY 2017 spending for the
State Department to the spending approved in the bill. The State Department and
DOD have always had a more than a little strained relationship because of their
nearly opposite ways of dealing with foreign adversaries. Pairing these two
departments would be just a tiny bit ironic.