On November 16, 2020, the Homeland Security Advisory Council (HSAC) published two reports that were submitted to the Acting Secretary of the Department of Homeland Security (DHS) on Department policy.
These reports are noteworthy for several reasons. First, they take a broad and skeptical view of information and communication technology (ICT) risk and propose mitigations that could affect private supply chains and critical infrastructure sectors. Second, they promote a more directive government approach to procurement, merger reviews, and supply chain risk assessments. Third, they embrace recommendations from the Cyberspace Solarium Commission for private sector regulation. Fourth, they call for “industrial policy” and expanded roles for DHS in everything from export controls to economic regulation.
The HSAC is an independent advisory committee that operates under authority of the Homeland Security Act (Title 6 United States Code, Section 451). The HSAC functions like other federal advisory committees and is comprised of subject matter experts from state and local government, the first responder community, the private sector and academia. In April of 2020, the HSAC established sub-committees on economic security and on information and communications technology (ICT) risk. The reports from the Economic Security Sub-Committee and the ICT Risk Reduction Sub-Committee contain recommendations that could have wide-ranging impacts on how DHS interacts with the private sector.
Economic Security Report Calls for an Expanded DHS Role in Critical Areas
The Sub-Committee on Economic Security did not mince words. “In the face of a highly coordinated and well-financed strategic competitor — namely China — we cannot resort to bureaucratically siloed efforts.” Though it also calls out Russia, the report concludes that heavy reliance on China is a key failure and that “[t]he global supply chain has made U.S. industries globally competitive, but it has also become America’s greatest vulnerability.”
As a solution, the Report identifies an expanded role for DHS, observing that the Committee on Foreign Investment in the United States (CFIUS) is limited because “foreign companies that build their businesses in the U.S. from scratch, either through investment here or through imports” are immune from scrutiny. It notes that expanding “DHS’s ability to use customs, sanctions, trade remedy, and export control enforcement authorities in a policy-sensitive fashion would be a valuable tool in economic security.” Notably, the Report also lauds the State Department’s Clean Network initiative, despite substantial uncertainties about its operation.
In its recommendations, the Sub-Committee offers several suggestions. Notably:
DHS should institutionalize and empower the Economic Security Council to identify risks, set priorities, and coordinate action on economic security.
DHS should augment procurement practices, including supply chain security and coordination between DHS and the Office of Management, the Office of Acquisition, CISA, the Chief Information Officer, and the Office of Science and Technology.
DHS should have a lead role with the intelligence community to create a supply chain intelligence center to influence intelligence collection priorities and provide feedback to improve the quality of supply chain intelligence.
The DHS economic security unit should lead in risk management analysis and scrutiny of industries identified by China as priorities, conduct supply chain assessments of companies or industries based on referrals from CFIUS, Team Telecom, and the E.O. 13873 interagency process, and conduct security reviews upon referral from the Federal Acquisition Security Council and DHS components concerned about critical components.
DHS should take a key role in Hart-Scott-Rodino reviews where a merger could reduce competition or security in sales of equipment that is vital to DHS missions, such as icebreakers and cargo and traveler scanning equipment.
DHS should engage interagency partners to oversee the UAS industry, as well as passenger and cargo screening equipment from China.
DHS should identify global standard-setting activities likely to have an impact on DHS and determine whether Chinese government efforts to influence them require monitoring or action.
The Report on ICT Risk Reduction Targets the Private Sector for Scrutiny and Regulation by DHS
While the ICT Risk-Reduction report, in certain respects, focuses on DHS’s own procurement, it says that “DHS’s analysis of ICT risk must go beyond the impact adversaries could have on DHS’s own infrastructure and comprehensively address the risk carried by the private sector entities” that are key to National Critical Functions (NCFs).
The report notes overlapping federal ICT efforts: “[t]his duplication of effort, however well intentioned, results in imperfect information sharing about known risks and adversarial intentions and a tendency to over-focus on responding to the latest intellectual property (IP) theft rather than identifying future targets. As a result, the federal government has a less-than-holistic risk picture.”
The report embraces the Cyberspace Solarium Commission agenda and says that “[t]he United States may also need to develop a national strategy or industrial policy on technology risks. While there is debate that such policy may stifle innovation, the risks of not having such a policy also poses an existential security threat; a sustainable middle ground is imperative. DHS should help lead such an effort.”
The report calls for DHS to lead information-sharing on ICT but may overlook overlapping imperatives imposed by Congress, at least with respect to the communications supply chain information sharing program that the National Telecommunications and Information Administration created.
The Sub-Committee makes recommendations for DHS to:
Develop an effective management framework to guide ICT procurement across the government, with emphasis on unclassified systems;
Standardize the sharing and reception of threat data from the IC and across agencies;
Establish a joint National Supply Chain Intelligence Center (NSCIC) Center of Excellence within DHS to operationalize and mature ICT risk reduction efforts;
Conduct a comprehensive review of the DHS procurement office authorities to ensure and maintain capabilities adequate for reducing ICT risks for the department;
Include and integrate the private sector into the effort to secure the ICT supply chain.
2020 will close with a full agenda on supply chain and economic security. It remains to be seen whether a new Administration or Congress will move on these priorities or embrace a more regulatory approach. DHS has the potential to remain a key player on cyber for the private sector, but policymakers need to embrace that role for it to be successful.