[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
ACCESS DENIED: KEEPING ADVERSARIES AWAY FROM THE HOMELAND SECURITY
SUPPLY CHAIN
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
COUNTERTERRORISM AND
INTELLIGENCE
AND THE
SUBCOMMITTEE ON
OVERSIGHT AND
MANAGEMENT EFFICIENCY
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
JULY 12, 2018
__________
Serial No. 115-71
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
34-348 PDF WASHINGTON : 2019
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
__________
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania William R. Keating, Massachusetts
John Katko, New York Donald M. Payne, Jr., New Jersey
Will Hurd, Texas Filemon Vela, Texas
Martha McSally, Arizona Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York J. Luis Correa, California
Mike Gallagher, Wisconsin Val Butler Demings, Florida
Clay Higgins, Louisiana Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Debbie Lesko, Arizona
Brendan P. Shields, Staff Director
Steven S. Giaier, Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE
Peter T. King, New York, Chairman
Lou Barletta, Pennsylvania Kathleen M. Rice, New York
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Will Hurd, Texas William R. Keating, Massachusetts
Mike Gallagher, Wisconsin Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex officio)
Mandy Bowers, Subcommittee Staff Director
Nicole Tisdale, Minority Staff Director/Counsel
------
SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY
Scott Perry, Pennsylvania, Chairman
J. Luis Correa, California
John Ratcliffe, Texas Kathleen M. Rice, New York
Clay Higgins, Louisiana Nanette Diaz Barragan, California
Thomas A. Garrett, Jr., Virginia Bennie G. Thompson, Mississippi (ex officio)
Ron Estes, Kansas
Michael T. McCaul, Texas (ex officio)
Diana Bergwin, Subcommittee Staff Director
Erica D. Woods, Interim Subcommittee Minority Staff Director
C O N T E N T S
----------
STATEMENTS
The Honorable Peter T. King, a Representative in Congress From
the State of New York, and Chairman, Subcommittee on
Counterterrorism and Intelligence:
Oral Statement
Prepared Statement
The Honorable Kathleen M. Rice, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Counterterrorism and Intelligence:
Oral Statement
Prepared Statement
The Honorable Scott Perry, a Representative in Congress From the
State of Pennsylvania, and Chairman, Subcommittee on Oversight
and Management Efficiency:
Oral Statement
Prepared Statement
The Honorable J. Luis Correa, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Oversight and Management Efficiency:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
WITNESSES
Panel I
Ms. Soraya Correa, Chief Procurement Officer, Office of the Chief
Procurement Officer, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
Mr. John Zangardi, Chief Information Officer, Office of the Chief
Information Officer, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
Ms. Jeanette Manfra, Assistant Secretary, Office of Cybersecurity
and Communications, National Protection and Programs
Directorate, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
Panel II
Mr. Gregory C. Wilshusen, Director of Information Security
Issues, Government Accountability Office:
Oral Statement
Prepared Statement
APPENDIX
Question From Chairman Scott Perry for the Department of Homeland
Security
Questions From Honorable James R. Langevin for the Department of
Homeland Security
Questions From Honorable Ron Estes for Gregory C. Wilshusen
ACCESS DENIED: KEEPING ADVERSARIES AWAY FROM THE HOMELAND SECURITY
SUPPLY CHAIN
----------
Thursday, July 12, 2018
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence,
and
Subcommittee on Oversight and
Management Efficiency,
Washington, DC.
The subcommittees met, pursuant to notice, at 10:05 a.m.,
in room HVC-210, Capitol Visitor Center, Hon. Peter King
[Chairman of the Subcommittee on Counterterrorism and
Intelligence] presiding.
Present: Representatives King, Perry, Hurd, Donovan, Rice,
Correa, Barragan, and Keating.
Mr. King. Good morning. The Committee on Homeland Security
Subcommittees on Counterterrorism and Intelligence and
Oversight and Management Efficiency will come to order.
The subcommittees are meeting today in a joint hearing to
examine threats in the Department of Homeland Security's supply
chain and assess tools and authorities for DHS to mitigate
those threats. I now recognize myself for an opening statement.
There is no question that nation-states and criminal actors
are constantly trying to exploit U.S. Government and private-
sector systems to steal information or insert potentially
harmful hardware or software. The recent cases involving
Kaspersky, ZTE, and Huawei underscore the threats posed to the
Federal supply chain and the urgency in developing stronger
mechanisms to secure it.
In March 2017, the Office of the Director of National
Intelligence, ODNI, released a background paper on the supply
chain risk management, stating: ``Even as the U.S. Government
and private sector have implemented programs to mitigate and
counter supply chain threats, the evolution of directed,
sophisticated, and multifaceted threats threatens to outpace
our countermeasures. Traditional remedies such as trade
agreements, economic sanctions, and legal actions are
reactionary in nature and cannot keep pace with the evolution
of threats.''
The Federal Government is behind the curve in establishing
robust supply chain security measures. It is clear that
additional tools, policies, resources, and legal authorities
are urgently needed to address this challenge. I am pleased
that the White House released a legislative proposal on Tuesday
developed through the interagency process that was initiated in
April.
The proposal seeks to strengthen SCRM efforts across the
Government, enhance information sharing, and harden the Federal
procurement process to identify and mitigate threats.
Additionally, I want to highlight that DHS is making great
strides to implement SCRM measures throughout the Department.
Last year, DHS issued policy directives for high-value
assets requiring that all DHS components develop and implement
SCRM strategies for sensitive payments, educate and train staff
and contractors about supply chain risks, and enforce good
supply chain hygiene by establishing contractual requirements
and audit mechanisms for suppliers.
The purpose of today's hearing is to review current
capabilities and authorities and assess whether additional
authorities are needed to better protect the Department of
Homeland Security's supply chain.
The Department of Defense and the intelligence community
have existing authorities to block certain procurement efforts
if security risks are identified. Even now, more is being done
to protect our sensitive supply chain. The recently-passed
National Defense Authorization Act enhances DOD's authorities,
and the Intelligence Authorization Act which is on the floor
today further strengthens the intelligence community's SCRM
toolkit.
As a National security agency, it is vital that DHS also
have robust supply chain risk management practices and tools to
identify, mitigate, and remove potential threats to our systems
and contracts. In addition to reviewing the OMB proposal, both
subcommittees are working on specific legislation to provide
DHS with similar SCRM authorities to DOD.
At the end of the day, the ability of any agency to address
supply chain risk survives on a robust intelligence framework.
The foundation of any SCRM program is the ability to
proactively identify entities seeking to exploit the DHS
acquisition process, become trusted vendors, and then steal
from or otherwise harm the Homeland Security enterprise.
In order to fully understand DHS intelligence SCRM
capabilities and specific threats to the supply chain, I expect
that after an initial round of questions in the open session,
we move to a closed session to better discuss those issues.
I again want to thank the witnesses for being here and
express appreciation for Chairman Perry and Ranking Member
Correa for working with us on this joint hearing.
[The statement of Chairman King follows:]
Statement of Chairman Peter T. King
July 12, 2018
There is no question that nation-states and criminal actors are
constantly trying to exploit U.S. Government and private-sector systems
to steal information or insert potentially harmful hardware or
software. The recent cases involving Kaspersky, ZTE, and Huawei
underscore the threats posed to the Federal supply chain and the
urgency in developing stronger mechanisms to secure it.
In March 2017, the Office of the Director of National Intelligence
(ODNI) released a background paper on the supply chain risk management
stating: ``Even as the U.S. Government and private sector have
implemented programs to mitigate and counter supply chain threats, the
evolution of directed, sophisticated, and multifaceted threats
threatens to outpace our countermeasures. Traditional remedies such as
trade agreements, economic sanctions, and legal actions are reactionary
in nature and cannot keep pace with the evolution of threats.''
The Federal Government is behind the curve in establishing robust
supply chain security measures. It is clear that additional tools,
policies, resources, and legal authorities are urgently needed to
address this challenge.
I am pleased that the White House released a legislative proposal
on Tuesday developed through the interagency process initiated in
April. The proposal seeks to strengthen SCRM efforts across the
Government, enhance information sharing, and harden the Federal
procurement process to identify and mitigate threats.
Additionally, I want to highlight that DHS is making great strides
to implement SCRM measures throughout the Department. Last year, DHS
issued policy directives for high-value assets requiring that all DHS
components develop and implement SCRM strategies for sensitive systems,
educate and train staff and contractors about supply chain risks, and
enforce good supply chain hygiene by establishing contractual
requirements and audit mechanisms for suppliers.
The purpose of today's hearing is to review current capabilities
and authorities and assess whether additional authorities are needed to
better protect the Department of Homeland Security's supply chain.
The Department of Defense and the intelligence community have
existing authorities to block certain procurement efforts if security
risks are identified. Even now, more is being done to protect their
sensitive supply chain. The recently-passed National Defense
Authorization Act enhances DOD's authorities and the Intelligence
Authorization Act, on the Floor today, further strengthens the
intelligence community's SCRM toolkit. As a National security agency,
it is vital that DHS also have robust supply chain risk management
practices and tools to identify, mitigate, and remove potential threats
to its systems and contracts.
In addition to reviewing the OMB proposal, both subcommittees are
working on specific legislation to provide DHS with similar SCRM
authorities to DOD. At the end of the day, the ability of any agency to
address supply chain risk survives on a robust intelligence framework.
The foundation of any SCRM program is the ability to proactively
identify entities seeking to exploit the DHS acquisition process,
become trusted vendors, and then steal from or otherwise harm the
homeland security enterprise.
In order to fully understand current DHS intelligence SCRM
capabilities and specific threats to the supply chain, I expect that
after an initial round of questions in the open session we will move
into a closed session to better discuss those issues.
I again want to thank the witnesses for being here and express
appreciation for Chairman Perry and Ranking Member Correa for working
with us on this joint hearing.
Mr. King. I am pleased to recognize the Ranking Member of
the Subcommittee on Counterterrorism and Intelligence, the
gentlelady from New York, Miss Rice, for her opening statement.
Miss Rice. Thank you, Chairman King and Chairman Perry, for
holding this important hearing, and thank you to the witnesses
for coming to testify today.
The Department of Homeland Security has the enormous
responsibility of securing the Federal Government's vast supply
chain, particularly information technology, from a wide variety
of foreign threats. Today the most pressing threats come from
Chinese and Russian IT companies that until recently were used
widely throughout the United States and by several Federal
agencies. For example, last year we learned that the Russian
cybersecurity company Kaspersky Lab was operating compromised
antivirus software on U.S. Government computers. Despite being
a long-time Government vendor, the FBI had reason to believe
the Kaspersky programs contained back doors that could be
accessed by Russian intelligence. Thankfully, DHS acted to wipe
the software from all Government systems.
Additionally, Members of Congress have long been warned
that the Chinese telecommunications companies Huawei and ZTE
also pose risks to our National security. ZTE and Huawei are
two of the world's largest telecommunication companies and were
used widely in the United States. However, the companies have
close ties to the Chinese Government and were believed to be
possible vehicles for cyber threat and espionage.
In 2016, we imposed stiff penalties on ZTE for violating
U.S. sanctions by making hundreds of shipments of
telecommunications equipment made with U.S. parts to Iran,
Sudan, North Korea, Syria, and Cuba. After yet another breach
in April, ZTE faced additional U.S. penalties, including a ban
on U.S. suppliers selling equipment to ZTE. The following
month, both ZTE and Huawei were also banned from being sold on
U.S. military bases.
These bans were not only warranted but, in my opinion, long
overdue. These companies and their government clearly pose a
threat to our National security and we had a responsibility to
act, which makes the actions of President Trump all the more
surprising. It appears President Trump has placed his own
business interests above our National security. Not long after
a soon-to-be Trump-branded resort in Indonesia received loans
from the Chinese Government, the President tweeted a promise to
save ZTE from the punishing penalties. Just yesterday, the
Trump administration and the Chinese Government signed an
agreement to end the ban on U.S. exports to ZTE.
The President's lack of candor and leadership on this
issue, coupled with the urgent threats facing our supply
chains, calls for the Federal Government to develop a
comprehensive strategy to protect our supply chains from
foreign threats. During this hearing, I hope to learn more
about what the Department of Homeland Security is doing to
advance their counterintelligence programs, specifically with
the proposed use of section 806 authority.
I think it is also important that we know whether the White
House is playing an active role in coordinating supply chain
security across the Federal Government. But most importantly,
this committee needs to know what additional resources and
support are needed by supply chain risk management programs to
carry out its mission effectively. As I understand, there are
only two employees dedicated to the SCRM program, which seems
completely inadequate, given the task ahead.
It is time that we finally listen to the intelligence
community and create a comprehensive strategy to counter the
mounting threats facing our supply chains. I look forward to
hearing from our witnesses today and I do hope this will be a
constructive conversation. Thank you, Mr. Chairman.
[The statement of Ranking Member Rice follows:]
Statement of Ranking Member Kathleen Rice
July 12, 2018
The Department of Homeland Security has the enormous
responsibility of securing the Federal Government's vast supply
chain--particularly information technology--from a wide variety
of foreign threats. Today, the most pressing threats come from
Chinese and Russian IT companies, that until recently were used
widely throughout the United States and by several Federal
agencies.
For example, last year we learned that the Russian
cybersecurity company Kaspersky Lab was operating compromised
anti-virus software in U.S. Government computers. Despite being
a long-time Government vendor, the FBI had reason to believe
the Kaspersky programs contained back doors that could be
accessed by Russian intelligence. Thankfully, DHS acted to wipe
the software from all Government systems. Additionally, Members
of Congress have long been warned that the Chinese
telecommunications companies Huawei and ZTE also posed risks to
our National security.
ZTE and Huawei are two of the world's largest
telecommunications companies and were used widely in the United
States. However, the companies have close ties to the Chinese
government and were believed to be possible vehicles for cyber
theft and espionage.
In 2016, we imposed stiff penalties on ZTE for violating
U.S. sanctions by making hundreds of shipments of
telecommunications equipment made with U.S. parts to Iran,
Sudan, North Korea, Syria, and Cuba. After yet another breach
in April, ZTE faced additional U.S. penalties, including a ban
on U.S. suppliers selling equipment to ZTE. The following month
both ZTE and Huawei were also banned from being sold on U.S.
military bases. These bans were not only warranted but, in my
opinion, long overdue. These companies and their Government
clearly pose a threat to our National security and we had a
responsibility to act.
Unsurprisingly, however, President Trump appears to have
placed his own business interests above our National security.
Not long after a soon-to-be Trump-branded resort in Indonesia
received loans from the Chinese government, the President
Tweeted a promise to save ZTE from the punishing penalties.
Just yesterday, the Trump administration and the Chinese
government signed an agreement to end the ban on U.S. exports
to ZTE.
The President's lack of candor and leadership on this
issue, coupled with the urgent threats facing our supply
chains, calls for the Federal Government to develop a
comprehensive strategy to protect our supply chains from
foreign threats.
During this hearing, I hope to learn more about what the
Department of Homeland Security is doing to advance their
counterintelligence programs specifically with the proposed use
of Section 806 authority. I also want to know whether the White
House is playing an active role in coordinating supply chain
security across the Federal Government.
But most importantly, this committee needs to know what
additional resources and supports are needed by the Supply
Chain Risk Management program to carry out its mission
effectively. As I understand, there are only two employees
dedicated to the SCRM Program. That seems completely inadequate
given the task ahead. It is time that we finally listen to the
intelligence community and create a comprehensive strategy to
counter the mounting threats facing our supply chains.
Mr. King. Thank you, Miss Rice.
I now recognize the Chairman of the Subcommittee on
Oversight and Management Efficiency, Mr. Perry, for an opening
statement.
Mr. Perry. Thank you, Mr. Chairman.
Good morning. I thank you, Chairman King, for holding this
hearing today and including the Oversight and Management
Efficiency Subcommittee in this very important, timely
discussion on the Department of Homeland Security's efforts to
secure its supply chain.
In today's interconnected world, the Federal Government is
increasingly reliant on the procurement of products and
services with supply chains that originate from outside our
borders. DHS is no exception. Global supply chains are integral
to the Department's ability to carry out the mission of
securing the homeland. However, recent incidents involving
Government contractors and foreign-based suppliers, like
Kaspersky Lab, ZTE, and Huawei, have shed light on the security
risks associated with the global nature of supply chains.
Potential threats to international supply chains, ranging from
interference by foreign adversaries to poor product
manufacturing practices, present a unique and complex challenge
for both DHS and National security.
To assess and counter supply chain threats, organizations
employ supply chain risk management strategies which leverage
risk assessments to neutralize threats associated with the
global and distributed nature of modern supply chains. Risk
assessments are made by utilizing open- and closed-source
research, to allow organizations to better understand their
supply chain and identify the threats specific to it. To assist
the Federal Government in this effort, the National Institute
for Standards and Technology has released Government-wide best
practices for agencies to use as a model for their own supply
chain risk management strategies.
Agencies like DHS rely on contracts for products and
services to carry out their daily operations. As such, in the
case of the Department, ensuring supply chain security is
intrinsic to the mission of ensuring National security.
Unfortunately, given the threat environment, I too am concerned
that the Department does not currently possess the sufficient
tools to effectively carry out supply chain risk management.
Under the regulations governing Federal procurements, DHS
maintains limited authority to terminate procurement contracts
for unforeseen circumstances and to bar irresponsible entities
from doing future business with the Federal Government for up
to 3 years.
Additionally, the Federal Information Security
Modernization Act of 2014 granted the Department the authority
to issue binding operational directives, which are compulsory
orders for Federal agencies to take action to safeguard
information in IT systems when a security vulnerability has
been identified. Unfortunately, these authorities are generally
viewed as reactive measures that open the Department up to
costly liability and litigation and are not agile enough to
address today's supply chain threats.
DHS needs the proper authorities to be able to decisively
act when a threat to its supply chain has been identified. That
is why in the near term, I will be joining with my colleague
Chairman King in introducing legislation to provide DHS with
the tools to effectively carry out supply chain risk management
in order to secure its supply chain. Modelled after statutory
authority given to the Department of Defense in 2011, this
legislation will empower the Secretary of DHS to block entities
who pose a security risk from being a DHS vendor. This
legislation will also encourage information sharing across the
Department when a supply chain risk has been identified.
Again, I thank our distinguished panel for testifying this
morning and I look forward to learning more about supply chain
risk management at the Department. It is my intention to use
today's discussion to help further shape a legislative solution
for securing DHS's supply chain.
Thank you, Mr. Chairman. I yield the balance.
[The statement of Chairman Perry follows:]
Statement of Chairman Scott Perry
July 12, 2018
Good morning. I would like to thank Chairman King for holding this
hearing today and including the Oversight and Management Efficiency
Subcommittee in this very important and timely discussion on the
Department of Homeland Security's efforts to secure its supply chain.
In today's interconnected world, the Federal Government is
increasingly reliant on the procurement of products and services with
supply chains that originate from outside our borders. DHS is no
exception. Global supply chains are integral to the Department's
ability to carry out the mission of securing the homeland.
However, recent incidents involving Government contractors and
foreign-based suppliers like Kaspersky Lab, ZTE, and Huawei have shed
light on the security risks associated with the global nature of supply
chains. Potential threats to international supply chains ranging from
interference by foreign adversaries to poor product manufacturing
practices present a unique and complex challenge for both DHS and
National security.
To assess and counter supply chain threats, organizations employ
supply chain risk management strategies, which leverage risk
assessments to neutralize threats associated with the global and
distributed nature of modern supply chains. Risk assessments are made
by utilizing open- and closed-source research to allow organizations to
better understand their supply chain and identify the threats specific
to it. To assist the Federal Government in this effort, the National
Institute for Standards and Technology has released Government-wide
best practices for agencies to use as a model for their own supply
chain risk management strategies.
Agencies like DHS rely on contracts for products and services to
carry out their daily operations. As such, in the case of the
Department, ensuring supply chain security is intrinsic to the mission
of ensuring National security.
Unfortunately, given the threat environment, I am concerned that
the Department does not currently possess the sufficient tools to
effectively carry out supply chain risk management. Under the
regulations governing Federal procurements, DHS maintains limited
authorities to terminate procurement contracts for unforeseen
circumstances and to bar irresponsible entities from doing future
business with the Federal Government for up to 3 years. Additionally,
the Federal Information Security Modernization Act of 2014 granted the
Department the authority to issue binding operational directives, which
are compulsory orders for Federal agencies to take action to safeguard
information and IT systems when a security vulnerability has been
identified. Unfortunately, these authorities are generally viewed as
reactive measures that open the Department up to costly liability and
litigation and are not agile enough to address today's supply chain
threats.
DHS needs the proper authorities to be able to decisively act when
a threat to its supply chain has been identified. That is why, in the
near term, I will be joining with my colleague Chairman King in
introducing legislation to provide DHS with the tools to effectively
carry out supply chain risk management in order to secure its supply
chain.
Modeled after statutory authority given to the Department of
Defense in 2011, this legislation will empower the Secretary of DHS to
block entities who pose a security risk from being a DHS vendor. The
legislation will also encourage information sharing across the
Department when a supply chain risk has been identified.
I want to thank our distinguished panel for testifying this morning
and I look forward to learning more about supply chain risk management
at the Department. It is my intention to use today's discussion to help
further shape a legislative solution for securing DHS's supply chain.
Thank you and I yield back the balance of my time.
Mr. King. Thank you, Mr. Perry. I am pleased that our two
subcommittees are working together to address this vital issue.
I now recognize the Ranking Member of the subcommittee, Mr.
Correa, for an opening statement.
Mr. Correa of California. Thank you, Chairman Perry,
Chairman King, and Vice Chairperson Rice, for today's hearing.
This morning the two subcommittees will hear from witnesses on
DHS's current authority on mitigating threats to our supply
chain. We urgently need a National strategy for supply chain
risk management.
Foreign nation-states like Russia and China view
information and communication technology as a strategic sector
in which they have invested significant capital and exercise
tremendous influence. IT products and services through the
global supply chain are threats that continue to evolve every
day. Bad actors continue to target U.S. Government contractors
and other private-sector entities that do business with the
Government and try to gain advantage and undermine our
security.
Over the past year, DHS has mitigated the risks and secured
the Government supply chain. DHS launched a new supply chain
risk management, or SCRM, program. While the goals of the
program are commendable, its mission far exceeds its resources.
As of this May, there are only two employees dedicated to the
program. I hope to work with the Department and my colleagues
across the aisle to provide this office with the proper
resources and manpower it deserves.
Last, I look forward to hearing from today's witnesses on
how the DHS SCRM program fits into the Federal Government's
overarching approach to supply chain security. Without a
cybersecurity coordinator within the administration, I am also
concerned about consolidation efforts underway within multiple
Federal agencies to address the National security implications
of supply chain vulnerability.
The Federal Government supply chain is a target for our
adversaries and we need to ensure that commercial off-the-shelf
goods and services are not the subject of manipulation. It is
imperative that we streamline these efforts to better protect
against supply chain threats, and I hope to work with the
administration to that end.
With that, I yield.
[The statement of Ranking Member Correa follows:]
Statement of Ranking Member J. Luis Correa
July 12, 2018
This morning the two subcommittees will hear from several
distinguished witnesses on DHS's current authority related to
mitigating threats to its supply chain. As previously mentioned by my
colleagues in their opening statements, the United States needs a
National strategy for supply chain risk management--and it needs it
now.
Foreign nation-states like Russia and China rely on information and
communication technology as a ``strategic sector,'' in which the two
countries' governments have invested significant capital and exercise
substantial influence.
In 2012, the House Permanent Select Committee on Intelligence found
that the risks posed by China's largest telecommunications
manufacturers, ZTE and Huawei, ``could undermine core U.S. National
security interests.'' In 2017, after ``concern[s] about the ties
between certain Kaspersky officials and Russian intelligence,'' DHS
directed all Federal agencies to remove the Russian-based firm's
products from their networks.
The exploitation of IT products and services through the global
supply chain is a threat that continues to evolve each day. Bad actors
continue to target U.S. Government contractors and other private-sector
entities that do business with the Government to try to gain advantage
and pursue other state goals.
Over the past year, DHS has taken several steps to mitigate the
risk and secure the Federal Government's supply chain. Just recently,
DHS launched a new Supply Chain Risk Management (SCRM), or ``SKRIM''
Program, within its National Programs and Protection Directorate. This
new office was established to examine security concerns arising from
the use of certain vendors and subcontractors.
However, while the goals of the program are laudable, its mission
far exceeds its resources. As of May, there were only 2 employees
dedicated to the program.
Considering that the risk is great, I hope to work with the
Department and my colleagues across the aisle on providing this office
with the proper resources and manpower that it deserves. Especially
when we are considering expanding DHS's authority related to denying
procurements based on National security concerns.
Last, I look forward to hearing from today's witnesses on how the
DHS SCRM Program fits into the Federal Government's overarching
approach to supply chain security.
Without a Cybersecurity Coordinator within the Trump
administration, I am concerned about the White House's ability to
consolidate the numerous efforts underway within multiple Federal
agencies to address the National security implications of supply chain
vulnerabilities.
The Federal Government's supply chain is a target for our
adversaries, and we need to ensure that commercial off-the-shelf goods
and services are not subject to manipulation. Hence why it is
imperative that we streamline these efforts to better protect against
supply chain threats, and I hope to see the administration work towards
this.
Mr. King. I thank the gentleman. I thank Mr. Correa.
Other Members of the subcommittee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
July 12, 2018
The threats to the United States from China and Russia are not new.
For years, it has been reported that Chinese companies like ZTE and
Huawei could be used to carry out cyber theft, spying, and espionage.
Last year, Kaspersky Labs demonstrated the Russian government's
capability to use anti-virus products to compromise Federal information
and information systems, directly affecting U.S. National security.
In a letter to Mississippi's Secretary of State in September, I
spoke of ``an unacceptable amount of risk'' to our National security
posed by these products, not only to the supply chain but also to the
security of our elections.
I am reiterating that concern today, especially since the threat
from Russia and China to the United States has become more complicated
and troubling in the wake of on-going actions by President Trump.
After the blatant violation of U.S. sanctions in 2016 by ZTE and
its subsequent breach this year, the Department of Defense initiated a
ban on the sale of ZTE and Huawei products on military bases due to
security concerns.
Despite these concerns, in May, the President took to Twitter to
commit to saving ZTE and Chinese jobs days after a Trump-branded resort
received a substantial loan from the Chinese government to build
property in Indonesia.
This sent a clear message: the U.S. President will do business with
you if you do business with him.
These policies continue to erode U.S. institutions and interests
abroad, downplaying the seriousness of U.S. sanctions and National
security to the global community.
The Federal Government supply chain is a target for our
adversaries.
And while the threats from our adversaries are great, so is the
opportunity to identify vulnerabilities and mitigate the risks.
Today, we are considering expanding DHS's authority to address
supply chain risk by excluding contractors based on National security
concerns.
Such authority would provide DHS with additional opportunities to
mitigate supply chain risk during the acquisition phase.
The Defense Department currently has authority, known as Section
806 authority, to exclude contractors from information technology
procurements if evidence of National security risk is identified and
mitigation measures are not available. It has only used this
authority once.
Although the legislation is a good first step, we should consider
whether refinements are necessary based on DOD's lessons learned.
Providing the authority won't address the fact that the Trump
administration lacks a coherent, Government-wide strategy to adequately
address the challenges we continue to face from Russia and China.
National Security experts, business associations and Members of
this committee have communicated their concerns to the administration,
about the need to secure Federal supply chains.
Mr. King. I now would like to ask unanimous consent that
the Chairman of the Emergency Preparedness Subcommittee, Mr.
Donovan, be able to sit on the dais and participate in today's
hearing. Without objection, so ordered.
We are grateful to have a very distinguished panel here
today to testify before us. And let me remind the witnesses
that their entire written statements will appear in the record.
Our first witness, Ms. Soraya Correa--did I get that right?
OK, good. She serves as the chief procurement officer for the
Department of Homeland Security. Ms. Correa provides
leadership, policy, oversight, support, and professional work
force development for the DHS contracting work force of
approximately 1,500 individuals. As the senior procurement
executive, she also oversees a centralized certification and
training program for the DHS acquisition work force and also
assists the chief acquisition officer in managing major
acquisition programs.
Prior to being appointed to this position in January 2015,
Ms. Correa served as the associate director of the U.S.
Citizenship and Immigration Service Enterprise Services
Directorate.
The Chair now recognizes Ms. Correa for her opening
statement. Thank you.
STATEMENT OF SORAYA CORREA, CHIEF PROCUREMENT OFFICER, OFFICE
OF THE CHIEF PROCUREMENT OFFICER, U.S. DEPARTMENT OF HOMELAND
SECURITY
Ms. Correa. Thank you.
Chairman King, Chairman Perry, Ranking Member Correa, and
Ranking Member Rice and Members of the subcommittees, thank you
for this opportunity to discuss ways the Department of Homeland
Security can enhance its ability to effectively manage supply
chain risk in the procurement process.
As the chief procurement officer and senior procurement
executive for the Department, I am responsible for the DHS
procurement line of business. My DHS colleagues will speak to
supply chain risk and the Department's response to this risk. I
am here to discuss the additional authority needed to ensure
the procurement process can effectively and efficiently address
identified threats and vulnerabilities in the supply chain
while protecting intelligence information.
The DHS National security and cybersecurity mission
warrants additional authority in order to protect its systems
and networks. From a procurement perspective, it is essential
that we promote business processes and use authorities that
enable us to be more consistent in our training,
implementation, and management of those authorities across the
Government.
If we do, we can improve understanding and ease
implementation for industry, especially for new companies and
small businesses. Today, Federal agencies are finding
increasing similarities in the products and services that we
acquire, in the ways we work with the various industries, and
in National security considerations that impact our mission.
Therefore, providing certain authorities for use across the
Federal Government to ensure a fair and effective process for
addressing supply chain risks throughout the acquisition life
cycle is essential.
I would like to briefly describe how the rules governing
the procurement process impact DHS when the Department needs to
take action on intelligence information. Currently, DHS
contracting officers, or COs, regardless of their security
clearance level, are unable to receive specific intelligence
information. Instead, COs are advised broadly that there is a
risk and provided the potential mitigation strategies to offset
that risk, or they are advised if there is a risk that cannot
be mitigated. When a risk cannot be mitigated, there are
sufficient authorities in a Classified procurement to take
immediate action. However, in an unclassified procurement,
where the vast majority of DHS procurements are actually
conducted and administered, the CO's actions are restricted,
because the process is designed to balance the equities of the
contracting parties, ensuring due process for contractors and
full disclosure of the Government's reasons for pursuing
contractual remedies in the event of a performance or integrity
failure.
The Federal acquisition regulation and underpinning
statutes were designed around the procurement of commodities
and services that were neither anticipated to be vulnerable to
nor the target of the sophisticated foreign intelligence
activities witnessed in recent years, especially those
associated with the globalized information and communications
technology supply chain.
In fact, during the preaward process or during the preaward
phase of the competitive procurement process, which includes
the evaluation of proposals submitted by competing vendors, a
CO cannot take action on intelligence information if it would
preclude the further participation of an interested vendor. The
competitive process is designed to ensure fair and equitable
treatment of participating vendors, thereby requiring
sufficient transparency in the Government's decision to exclude
a vendor.
Ideally, we need to anticipate risks in our planning phase
and find mitigation strategies before we begin the procurement
process. Unfortunately, sometimes risks are not identified
until a particular vendor or their proposed solution is
evaluated. While we will always turn to our DHS colleagues to
mitigate such risks, additional authority is needed for those
instances when the risk cannot be mitigated and the vendor or
particular product or service must be excluded.
There are existing authorities to manage risk on awarded
contracts. These include temporary stop work orders,
termination of contracts, and suspension and debarment actions,
as appropriate. However, these remedies were not designed to
address a security threat based on intelligence information.
I would like to make an important point before I close. As
the Department's chief procurement officer and senior
procurement executive, I take my obligations to maintain the
integrity of the procurement process seriously. This is why I
support strong safeguards against the abuse of any authorities
granted to enhance our ability to protect the supply chain and
protect intelligence information used in the procurement
process. Therefore, I support ensuring accountability at a high
level within the Department for use of such authority as well
as appropriate fact-finding, resulting in well-documented
determinations.
Thank you again for your interest in this very important
matter and I look forward to any questions that you may have.
[The joint prepared statement of Ms. Correa, Mr. Zangardi,
and Ms. Manfra follows:]
Joint Prepared Statement of Soraya Correa, John Zangardi, and Jeanette
Manfra
July 12, 2018
introduction
Chairman King, Chairman Perry, Ranking Member Correa, Ranking
Member Rice, and Members of the subcommittees, thank you for this
opportunity to discuss with you ways to improve the Department of
Homeland Security's (DHS) ability to effectively manage supply chain
risk. The Secretary of DHS has two primary sets of supply chain risk
management responsibilities related to information and communications
technology (ICT). In one set, the Secretary is responsible for
procurement and supply chain risk management within DHS's ICT
environment. These responsibilities are carried out by the DHS chief
procurement officer (CPO) and DHS chief information officer (CIO). In
carrying out the other set of responsibilities, the Secretary of DHS,
in consultation with the Office of Management and Budget (OMB),
administers the implementation of Government-wide information security
policies and practices. These responsibilities are carried out by the
National Protection and Programs Directorate (NPPD).
ICT is critical to an agency's ability to carry out its mission
efficiently and effectively. Supply chain risks could contribute to the
loss of confidentiality, integrity, or availability of information or
information systems and result in adverse impacts to organizational
operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, and the
Nation. Cyber Supply Chain Risk Management (C-SCRM) is the process of
identifying, assessing, and mitigating the risks associated with the
global and distributed nature of ICT product and service supply chains.
C-SCRM spans the entire life cycle of ICT, including design,
development, acquisition, distribution, deployment, maintenance, and
product retirement.
current supply chain risks
The ICT supply chain is widely viewed as a source of significant
risk to ICT products, systems, and services. Vulnerabilities in ICT can
be exploited intentionally or unintentionally through a variety of
means, including deliberate mislabeling and counterfeits, unauthorized
production, tampering, theft, and insertion of malicious software or
hardware. If these risks are not detected and mitigated, the impact to
the ICT could be a fundamental degradation of its confidentiality,
integrity, or availability and potentially adverse impacts to essential
Government or critical infrastructure systems.
Increasingly sophisticated adversaries seek to steal, compromise,
alter, or destroy sensitive information on systems and networks, and
risks associated with ICT may be used to facilitate these activities.
The Office of the Director of National Intelligence (ODNI)
acknowledges, ``The U.S. is under systemic assault by foreign
intelligence entities who target the equipment, systems, and
information used every day by government, business, and individual
citizens.''\1\ The globalization of our supply chain can result in
component parts, services, and manufacturing from sources distributed
around the world. ODNI further states, ``Our most capable adversaries
can access this supply chain at multiple points, establishing advanced,
persistent, and multifaceted subversion. Our adversaries are also able
to use this complexity to obfuscate their efforts to penetrate
sensitive research and development programs, steal intellectual
property and personally identifiable information, insert malware into
critical components, and mask foreign ownership, control, and/or
influence (FOCI) of key providers of components and services.''
---------------------------------------------------------------------------
\1\ https://www.dni.gov/files/NCSC/documents/products/20170317-
NCSC_SCRM-Background.pdf.
---------------------------------------------------------------------------
managing information as a strategic resource
Current law governing information security of Federal information
resources requires agencies to implement an agency-wide information
security program that ensures that information security is addressed
throughout the life cycle of each agency information system (44 U.S.C.
3554(b)). On July 27, 2016, OMB released an update to Circular A-130,
Managing Information as a Strategic Resource, the Federal Government's
governing document for management of Federal information resources.
Among other things, the revisions require agencies to establish a
comprehensive approach to improve the acquisition and management of
their information resources. This includes requirements for agencies to
implement and oversee the implementation of supply chain risk
management principles to protect against the insertion of counterfeits,
unauthorized production, tampering, theft, and insertion of malicious
software throughout the system development life cycle. Moreover,
appropriate supply chain risk management plans to ensure the integrity,
security, resilience, and quality of information systems are described
in the National Institute of Standards and Technology (NIST) Special
Publication 800-161, Supply Chain Risk Management Practices for Federal
Information Systems and Organizations.
the current rules for unclassified procurements
C-SCRM is no longer an emerging threat; it is pervasive. However,
the rules under which procurements are conducted have not kept pace
with the evolution of this threat. The Federal Acquisition Regulation
is designed to balance the equities of the contracting parties,
ensuring due process for contractors and full disclosure of the
Government's reasons for pursuing contractual remedies in the event of
performance or integrity failure. These rules, however, were designed
around the procurement of commodities and services that were not
anticipated to be vulnerable to, nor the target of, the sophisticated
foreign intelligence activities witnessed in recent years, especially
those associated with a globalized ICT supply chain. For instance, the
current procurement rules and their underpinning statutes did not
imagine the need to use and protect intelligence information in
unclassified procurements. While there are tools available to pursue
correction of contractor performance issues or address integrity
failures, they do not provide the flexibility to react swiftly to or
protect intelligence information when exclusion of a source is the only
way to mitigate supply chain risk. In fact, some currently available
procurement tools that address performance issues, such as Government-
wide exclusion from doing business with any agency for a period of
time, are too harsh, unless an agency investigation deems the
contractor to be at fault for the performance issue. New rules are
needed to combat the threat to our Nation's Federal information
technology networks when intelligence information identifies risks that
cannot be mitigated.
using and protecting intelligence information
Gaps exist in DHS's authority to use intelligence information
to support its procurement decisions when a significant supply chain
risk cannot be mitigated. Mitigation, which is an action initiated by
the Government to preclude a supply chain risk from causing a security
concern, is the preferred and least disruptive method of addressing
supply chain risk. However, in those exceptional cases where mitigation
is not possible, DHS does not have the capability to react swiftly
while appropriately restricting disclosure of intelligence and other
National security sensitive information.
dhs cyber supply chain risk management (c-scrm)
In order to appropriately manage supply chain risks, stakeholders
need increased visibility into, and understanding of, how the products
and services they buy are developed, integrated, and deployed, as well
as the processes, procedures, and practices used by ICT manufacturers
and purveyors to assure the integrity, security, resilience, and
quality of those products and services. The DHS Office of the Chief
Information Officer (OCIO) has initiated work focused on establishing a
C-SCRM effort executed Department-wide.
The effort will include a governance structure that will update
existing policy and procedures for C-SCRM. Documentation will be
developed that will align with current policies while providing
programmatic subject-matter expertise to DHS stakeholders and risk
owners. Integral to the success of these efforts will be the functions
and capabilities to conduct vulnerability and threat identification and
analysis. To accomplish this, a process will be established to produce
timely supply chain risk assessments of companies, products, and
services based on an analysis of publicly and commercially available
information about the company and the product or service being purchased,
and information shared through liaisons with the U.S. intelligence
community (IC) threat assessment centers and DHS Office of Intelligence
and Analysis (I&A), as appropriate.
Working closely with NPPD and the DHS CPO, the initiative will
develop education and training to ensure the effective use of the new
authority. Guidance will also be provided to assist buyers in
determining criticality, priority, and risk tolerance for the product
or service to be purchased as well as assisting buyers and sellers with
determining mitigation actions where supply chain risks have been
identified.
The DHS CIO knows first-hand that all tiers of the supply chain are
targeted by increasingly sophisticated and well-funded adversaries
seeking to steal, compromise, alter, or destroy information and is
committed to establishing a robust enterprise approach to better
managing the risk and vulnerabilities associated with ICT components.
Although DHS is investing in C-SCRM with the goal to broaden and
further strengthen our approach, additional authority is needed to
ensure that risk is assessed and mitigated in a timely manner, and that
disclosure of intelligence sources and other information is restricted.
government-wide cyber supply chain risk management (c-scrm)
The administration has been working to establish a strategic
statutory framework to protect our Federal supply chain by conducting
supply chain risk assessments, creating mechanisms for sharing supply
chain information, and establishing exclusion authorities--both within
agencies and in a centralized manner--to be utilized when justified.
Earlier this week, the administration shared its proposed legislation
with Congress, the ``Federal Information Technology Supply Chain Risk
Management Improvement Act of 2018.'' We look forward to supporting the
administration's work with Congress on the bill and strengthening our
ability to help agencies execute Departmental missions in an
environment of changing vulnerabilities and threats.
NPPD carries out the DHS Secretary's responsibilities to administer
the implementation of Government-wide information security policies and
practices (44 U.S.C. 3553(b)). These statutory responsibilities include
monitoring agency implementation; convening senior agency officials;
coordinating Government-wide efforts; providing operational and
technical assistance; providing, as appropriate, intelligence and other
information about cyber threats, vulnerabilities, and incidents to
agencies; and developing and overseeing implementation of binding
operational directives, among other actions. DHS leverages the full
range of authorities to address supply chain risks across the Federal
Government.
DHS is working with the Department of Defense (DOD), the
intelligence community, and other agencies to address key supply chain
risks. In January 2018, NPPD established a C-SCRM initiative to
centralize DHS's efforts to address risks to the ICT supply chains of
Federal agencies, critical infrastructure owners and operators, and
State, local, Tribal, and territorial governments. The mission of the
C-SCRM initiative is to identify, assess, prevent, and mitigate risks
associated with ICT product and service supply chains throughout the
life cycle. Initially this initiative will focus on identifying and
addressing supply chain risks related to the Federal Government's high-
value assets (HVAs), or those assets, Federal information systems,
information, and data for which unauthorized access, use, disclosure,
disruption, modification, or destruction could cause a significant
impact to U.S. National security interests, foreign relations, the
economy, or to the public confidence, civil liberties, or public health
and safety of the American people. Additionally, DHS, in partnership
with the General Services Administration, is working to bridge the gap
between procurement and ICT professionals by providing acquisition
professionals with awareness, training, and educational content to be
available through the Federal Acquisition Institute.
Since 2017, NPPD has required Continuous Diagnostics and Mitigation
(CDM) vendors to complete a SCRM questionnaire as part of their
application to place a product on the CDM-approved products list. The
questionnaire provides information to agencies about how the vendor
identifies, assesses, and mitigates supply chain risks in order to
facilitate better-informed decision making. The information is intended
to provide visibility into, and improve the buyer's understanding of,
how the products are developed, integrated, and deployed; as well as
the processes, procedures, and practices used to assure the integrity,
security, resilience, and quality of those products.
intelligence support and countering illicit activity
Despite the gaps in DHS's ability to use intelligence information
to support its procurement actions, DHS has a variety of efforts
currently underway within our existing authorities to help address
these risks. One such effort is the strengthening of our
counterintelligence capabilities. These capabilities include resources
within DHS I&A as well as strengthening partnerships across other key
components of the U.S. IC. Additionally, DHS components, including the
U.S. Secret Service, U.S. Customs and Border Protection, and U.S.
Immigration and Customs Enforcement, play a critical role in
identifying and disrupting illicit activity impacting supply chain
risk. In collaboration with the Federal Bureau of Investigation, and
the Departments of State, Treasury, Commerce, and Defense, we are
actively leveraging our individual and collective authorities to
counter malicious actors and mitigate supply chain risks.
conclusion
As DHS looks at the current threat landscape and the risk posed by
increasingly sophisticated adversaries, we appreciate the committee's
interest in supply chain risk management and look forward to working
with the Members and your staff on these issues. Thank you for the
opportunity to testify before the subcommittees. We are happy to answer
any questions you may have.
Mr. King. Thank you very much, Ms. Correa. I appreciate
that.
Our second witness, Dr. John Zangardi, is the chief
information officer for DHS. Previously, Dr. Zangardi served as
the DOD principal deputy chief information officer and later
the acting chief information officer. Dr. Zangardi's background
includes acquisition, policy, legislative affairs, resourcing,
and operations. He is a retired Naval flight officer and served
in a variety of command and staff assignments.
The Chair now recognizes Dr. Zangardi. Thank you for being
here today.
STATEMENT OF JOHN ZANGARDI, CHIEF INFORMATION OFFICER, OFFICE
OF THE CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. Zangardi. Chairman King, Chairman Perry, Ranking Member
Correa, Ranking Member Rice, and Members of the subcommittees,
thank you for this opportunity to discuss ways to improve the
Department of Homeland Security's ability to effectively manage
supply chain risk.
The Department's Secretary has two primary sets of supply
chain risk management responsibilities related to information
and communications technology. In one set, the Secretary is
responsible for procurement and supply chain risk management
within DHS's information and communications environment. These
responsibilities are carried out by DHS's chief procurement
officer and the chief information officer.
In carrying out the other set of responsibilities, the
Secretary of DHS, in consultation with the Office of Management
and Budget, administers the implementation of Government-wide
information security policies and practices. These
responsibilities are carried out by the National Protection and
Programs Directorate, or NPPD. My focus today will be on the
supply chain risk management activities within DHS's
information and communications technology environment.
Gaps exist in the Department's authority to use
intelligence to support its procurement decisions when a
significant supply chain risk cannot be mitigated. Mitigation
is the preferred and least disruptive method of addressing
supply chain risk. However, in those exceptional cases where
mitigation is not possible, the Department needs the capability
to react swiftly while appropriately restricting a disclosure
of other National security-sensitive information.
The administration has been working to establish a
strategic statutory framework to protect our Federal supply
chain by conducting supply chain risk assessments, creating
mechanisms for sharing supply chain information, and
establishing exclusion authorities, both within agencies and in
a centralized manner, to be utilized when justified. We look
forward to supporting the administration's work with Congress
on the bill and strengthening our ability to execute mission in
an environment of changing vulnerabilities and threats.
DHS needs flexibility while protecting the integrity of the
procurement process. DHS will ensure important safeguards, such
as requiring factual findings, written determinations, and
concurrences by specified senior DHS officials are in place
when the authority as proposed by the administration is used.
We do not see using this authority to drive sole-source
procurements. Competition, particularly in the IT space, is
critical to ensure that DHS gets the best solution at the right
cost.
DHS procedures will facilitate the timely assessment and
mitigation of risk and preclude compromising DHS systems. It is
key to ensure we have a strong process surrounding supply chain
risk management. A strong supply chain risk management process
needs to ensure that vendors are queried on supply chain risk
process, there is awareness of the systems on the network and a
rapid response to intelligence tippers, and there is a close
working relationship with the component CIOs and CISOs, the
chief procurement officer, the acquisition community,
intelligence, and NPPD.
As the IT technical authority for DHS, my chief information
security officer, or CISO, has initiated work to directly
support and execute technical assessments, providing subject-
matter expertise, and be the integration point for all
enterprise supply chain management efforts.
In addition, this team will develop program documentation
that will align with current policies and procedures while
providing programmatic subject-matter expertise to DHS
stakeholders and risk owners.
With the support of the DHS components and offices, my team
will continue to focus on governance, by enhancing policy,
procedures, and compliance monitoring capability of SCRM
activities; services, by providing supply chain risk management
services such as information and communications technology
assessments and intelligence analysis reporting; and operations,
which includes the execution and implementation of supply chain
risk management recommendations and selected IT acquisitions.
DHS recognizes the importance of establishing an enterprise
approach to managing supply chain risk associated with
information and communications technology. The supply chain for
information and communications technology is complex. We have
our work cut out for us. Working closely with our partners, we
will find the best and most realistic approach for
strengthening our supply chain.
The Department appreciates the support of this committee on
these important matters. We will continue to work with Congress
to address existing gaps in authority where resources are
required to effectively manage supply chain risk within DHS.
Thank you for the opportunity to testify today, and I look
forward to your questions.
Mr. King. Thank you very much, Dr. Zangardi.
Our third witness, Ms. Jeanette Manfra, serves as the
assistant secretary of the Office of Cybersecurity and
Communications at the National Protection and Programs
Directorate within DHS. Ms. Manfra leads the Department's
mission of strengthening the security and resilience of the
Nation's critical infrastructure. Prior to this position, she
served as the acting deputy under secretary for cybersecurity
and the director for strategy, policy, and plans for the NPPD.
Ms. Manfra served in the U.S. Army as a communications
specialist and a military intelligence officer. I now recognize
Ms. Manfra for an opening statement. Thank you.
STATEMENT OF JEANETTE MANFRA, ASSISTANT SECRETARY, OFFICE OF
CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Manfra. Chairman King, Chairman Perry, Ranking Member
Correa, Ranking Member Rice, Members of the subcommittees,
thank you for today's opportunity to discuss the Department's
on-going efforts to assess and mitigate supply chain risk.
The information and communications technology supply chain
is a source of significant risk. The globalization of our
supply chain results in component parts, services, and
manufacturing from sources distributed around the world.
Vulnerabilities in technology can be created intentionally or
unintentionally through a variety of means, including
deliberate mislabeling and counterfeits, unauthorized
production, tampering, theft and insertion of malicious
software or hardware. If these risks are not detected and
mitigated, the result is adverse impacts to essential
Government or critical infrastructure systems.
The Office of the Director of National Intelligence
acknowledges that the United States is under systemic assault
by foreign intelligence entities, who target the equipment,
systems, and information used every day by Government,
business, and individual citizens. Our adversaries are able to
use the supply chain's complexity to obfuscate their efforts to
penetrate sensitive research and development programs, steal
intellectual property and personally identifiable information,
insert malware into critical components and mask foreign
ownership, control, and/or influence of key providers of
components and services.
Cyber supply chain risk management requires addressing
product security throughout its life cycle, including design,
development, acquisition, distribution, deployment,
maintenance, and product retirement. Current law governing
information security for Federal information resources requires
agencies to implement an agency-wide information security
program that ensures that information security, including
supply chain security, is addressed throughout the life cycle
of each agency information system.
At the National Protection and Programs Directorate, or
NPPD, we carry out the Secretary's responsibilities to
administer the implementation of Government-wide information
security policies and practices and to coordinate the overall
Federal effort to enhance the security and resilience of our
Nation's critical infrastructure. These statutory
responsibilities for Federal agencies include monitoring
implementation, convening senior officials, coordinating
Government-wide efforts, providing operational and technical
assistance, providing, as appropriate, intelligence and other
information about cyber threats, vulnerabilities, and
incidents, and developing and overseeing implementation of
binding operational directives, among other actions. We
leverage the full range of these authorities to address supply
chain risks across the Federal Government.
In January 2018, we at NPPD established a cyber supply
chain risk management program to facilitate National efforts to
address risks to the information and communications technology
supply chains of Federal agencies, critical infrastructure
owners and operators, and State, local, Tribal, and territorial
governments. We are working with DOD, the intelligence
community, and other agencies in these efforts.
Initially, this program is focusing on identifying and
addressing supply chain risks related to the Federal
Government's high-value assets. Additionally, in partnership
with the General Services Administration, we are working to
bridge the gap between procurement and information technology
professionals by providing awareness, training, and educational
content through the Federal Acquisition Institute. Through the
continuous diagnostics and mitigation program, NPPD procures
cybersecurity tools to deploy inside Federal agency networks.
Since 2017, NPPD has required CDM vendors to complete a
supply chain risk management questionnaire as part of the
product approval process. The questionnaire provides
information to agencies about how the vendor identifies,
assesses, and mitigates supply chain risks in order to
facilitate better-informed decision making. The information is
intended to improve the buyer's understanding of how the
products are developed, integrated, and deployed as well as the
processes, procedures, and practices used to assure the
integrity, security, resilience, and quality of those products.
Before closing, I would note that this administration is
working to establish a strategic framework to protect our
Federal supply chain by conducting supply chain risk
assessments, creating mechanisms for sharing supply chain risk
and mitigation information, and establishing exclusion
authorities, both within agencies and in a centralized manner,
to be utilized when justified.
As the Department works to address the risk posed by
increasingly sophisticated adversaries, we appreciate the
committee's interest in this topic and the work that you have
done and look forward to working with Members and your staff on
these issues.
Thank you for the opportunity to testify, and I look
forward to your questions.
Mr. King. Thank you, Ms. Manfra. I appreciate that.
Our fourth witness is Mr. Gregory Wilshusen, the director
of information security issues at the U.S. Government
Accountability Office.
Mr. Wilshusen leads information security-related studies
and audits of the Federal Government. He has over 30 years of
auditing, financial management, and information system
experience.
The Chair now recognizes Mr. Wilshusen for his opening
statement. Thank you.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR OF INFORMATION
SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Thank you. Chairman King, Chairman Perry,
Ranking Members Rice and Correa, and Members of the
subcommittee, thank you for the opportunity to testify at
today's hearing on the Homeland Security supply chain.
Information technology systems are essential to the
operations of the Federal Government. These systems are created
and delivered through a complex global supply chain that
involves a multitude of organizations, individuals, activities,
and resources.
My testimony today provides an overview of the information
security risks associated with the supply chains used by
Federal agencies to procure IT systems. As requested, I will
also discuss our 2012 assessment of the extent to which 4
National security-related agencies, the Departments of Defense,
Justice, Energy, and Homeland Security, had addressed these
risks. Before I do, if I may, I would like to recognize two
members of my team, Jeff Knott and Rosanna Guerrero, for their
efforts in developing my statement. Thank you.
In several reports issued since 2012, we have pointed out
that the reliance on complex global IT supply chains introduces
multiple risks to Federal information and communication
systems. This includes the risk that these systems are being
manipulated or damaged by leading foreign cyber threat nations,
such as Russia, China, Iran, and North Korea. Threats and
vulnerabilities created by these cyber threat nations, vendors,
or suppliers closely linked to cyber threat nations and other
malicious actors can be sophisticated and difficult to detect
and, thus, pose a significant risk to organizations and Federal
agencies.
As we reported in March 2012, supply chain threats are
present at various phases throughout a system's development
life cycle. These threats include insertion of harmful or
malicious software and hardware, installation of counterfeit
items, disruption in the production or distribution of
essential products and services, reliance on unqualified or
malicious service providers, and installation of software and
hardware containing unintentional vulnerabilities.
These threats can be exercised by exploiting
vulnerabilities that can exist at multiple points in the supply
chain. Examples of these vulnerabilities include weaknesses in
agency acquisition practices, such as acquiring products or
parts from sources other than the original manufacturer or
authorized reseller, incomplete information on IT suppliers,
and installing hardware and software without sufficiently
inspecting or testing them.
These threats and vulnerabilities can potentially lead to a
range of harmful effects, including allowing adversaries to
take control of systems, extract or manipulate data, or
decrease the availability of resources needed to develop or
operate systems.
In March 2012, we reported that the Departments of Defense,
Justice, Energy, and Homeland Security varied in the extent to
which they had addressed IT supply chain risks. Of the 4
agencies, Defense had made the most progress and had
implemented several risk management efforts. Conversely, the
other 3 agencies had made limited progress addressing supply
chain risk for their information systems.
We made 8 recommendations to Justice, Energy, and DHS to
develop and document policies, procedures, and monitoring
capabilities that address IT supply chain risk. The agencies
subsequently implemented 7 recommendations and partially
implemented the eighth. These actions better positioned the
agencies to monitor and mitigate their supply chain risks.
In summary, the global IT supply chain introduces a myriad
of security risks to Federal information systems that, if
realized, could jeopardize the confidentiality, integrity, and
availability of the systems and the information they contain.
Thus, the potential exists for serious adverse impacts on an
agency's operations, assets, and employees. These factors
highlight the importance of Federal agencies appropriately
assessing, managing, and monitoring IT supply chain risk as
part of their agency-wide information security programs.
Chairman King, Chairman Perry, Ranking Members Rice and
Correa, and other Members of the subcommittees, this concludes
my oral statement. I will be happy to answer your questions.
[The prepared statement of Mr. Wilshusen follows:]
Statement of Gregory C. Wilshusen
July 12, 2018
Chairmen King and Perry, Ranking Members Rice and Correa, and
Members of the subcommittees: Thank you for the opportunity to testify
at today's hearing on keeping adversaries away from the homeland
security supply chain. As you know, Federal agencies and the owners and
operators of our Nation's critical infrastructure rely extensively on
information technology (IT) and IT services to carry out their
operations. Securing this technology, its supply chain, and the
information it contains is essential to protecting National and
economic security.
Since 1997, we have identified Federal information security as a
Government-wide high-risk area. In 2003, we expanded this high-risk
area to include protecting systems supporting our Nation's critical
infrastructure.\1\
---------------------------------------------------------------------------
\1\ See, most recently, GAO, High-Risk Series: Progress on Many
High-Risk Areas, While Substantial Efforts Needed on Others, GAO-17-317
(Washington, DC: Feb. 15, 2017).
---------------------------------------------------------------------------
My statement provides an overview of the information security risks
associated with the supply chains used by Federal agencies to procure
IT equipment, software, or services.\2\ The statement also discusses
our 2012 assessment of the extent to which 4 National security-related
agencies--the Departments of Defense, Justice, Energy, and Homeland
Security (DHS)--had addressed these risks.\3\
---------------------------------------------------------------------------
\2\ The National Institute of Standards and Technology (NIST) has
defined the term ``supply chain'' as a set of organizations, people,
activities, information, and resources that create and move a product
or service from suppliers to an organization's customers. NIST defines
``information technology'' as any equipment or interconnected system or
subsystem of equipment that is used in the automatic acquisition,
storage, manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of data or
information. This includes, among other things, computers, software,
firmware, and services (including support services).
\3\ GAO, IT Supply Chain: National Security-Related Agencies Need
to Better Address Risks, GAO-12-361 (Washington, DC: Mar. 23, 2012).
---------------------------------------------------------------------------
In developing this testimony, we relied on our previous reports,\4\
as well as information provided by the National security-related
agencies on their actions in response to our previous recommendations.
We also considered information contained in special publications issued
by the National Institute of Standards and Technology (NIST) and a
directive issued by DHS. A more detailed discussion of the objectives,
scope, and methodology for this work is included in each of the reports
that are cited throughout this statement.
---------------------------------------------------------------------------
\4\ See GAO-12-361; State Department Telecommunications:
Information on Vendors and Cyber-Threat Nations, GAO-17-688R
(Washington, DC: July 27, 2017); and Telecommunications Networks:
Addressing Potential Security Risks of Foreign-Manufactured Equipment,
GAO-13-625T (Washington, DC: May 21, 2013).
---------------------------------------------------------------------------
The work on which this statement is based was conducted in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform audits to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions. We believe that the evidence obtained provided a
reasonable basis for our findings and conclusions based on our audit
objectives.
BACKGROUND
The design and development of information systems can be complex
undertakings, consisting of a multitude of pieces of equipment and
software products, and service providers. Each of the components of an
information system may rely on one or more supply chains--that is, the
set of organizations, people, activities, information, and resources
that create and move a product or service from suppliers to an
organization's customers.
Obtaining a full understanding of the sources of a given
information system can also be extremely complex. According to the
Software Engineering Institute, the identity of each product or service
provider may not be visible to others in the supply chain. Typically,
an acquirer, such as a Federal agency, may only know about the
participants to which it is directly connected in the supply chain.
Further, the complexity of corporate structures, in which a parent
company (or its subsidiaries) may own or control companies that conduct
business under different names in multiple countries, presents
additional challenges to fully understanding the sources of an
information system. As a result, the acquirer may have little
visibility into the supply chains of its suppliers.
Federal procurement law and policies promote the acquisition of
commercial products when they meet the Government's needs. Commercial
providers of IT use a global supply chain to design, develop,
manufacture, and distribute hardware and software products throughout
the world. Consequently, the Federal Government relies heavily on IT
equipment manufactured in foreign nations.
Federal information and communications systems can include a
multitude of IT equipment, products, and services, each of which may
rely on one or more supply chains. These supply chains can be long,
complex, and globally distributed and can consist of multiple tiers of
outsourcing. As a result, agencies may have little visibility into,
understanding of, or control over how the technology that they acquire
is developed, integrated, and deployed, as well as the processes,
procedures, and practices used to ensure the integrity, security,
resilience, and quality of the products and services. Table 1
highlights possible manufacturing locations of typical components of a
computer or information systems network.
TABLE 1.--POSSIBLE MANUFACTURING LOCATIONS OF TYPICAL NETWORK COMPONENTS
------------------------------------------------------------------------
Component                               Possible Manufacturing Locations
------------------------------------------------------------------------
Workstations........................... United States, Israel, Spain,
China, Malaysia, Singapore,
United Kingdom.
Notebook computers..................... United States, Israel, Spain,
China, Malaysia, Singapore,
United Kingdom.
Routing and switching.................. United States, India, Belgium,
Canada, China, Germany,
Israel, Japan, Netherlands,
Poland, United Kingdom.
Fiber optic cabling.................... China, Malaysia, Vietnam,
Japan, Thailand, Indonesia.
Servers................................ Brazil, Canada, United States,
India, Japan, France, Germany,
United Kingdom, Israel,
Singapore.
Printers............................... Japan, United States, Germany,
France, Netherlands, Taiwan,
China, Malaysia, Thailand,
Vietnam, Philippines.
------------------------------------------------------------------------
Source: GAO analysis of public information/GAO-18-667T.
Moreover, many of the manufacturing inputs required for these
components--whether physical materials or knowledge--are acquired from
various sources around the globe. Figure 1 depicts the potential
countries of origin of common suppliers of various components in a
commercially available laptop computer.
Federal Laws and Guidelines Require the Establishment of Information
Security Programs and Provide for Managing Supply Chain Risk
The Federal Information Security Modernization Act (FISMA) of 2014
requires Federal agencies to develop, document, and implement an
agency-wide information security program to provide information
security for the information systems and information that support the
operations and assets of the agency.\5\ The act also requires that
agencies ensure that information security is addressed throughout the
life cycle of each agency information system. FISMA assigns NIST the
responsibility for providing standards and guidelines on information
security to agencies. In addition, the act authorizes DHS to develop
and issue binding operational directives to agencies, including
directives that specify requirements for the mitigation of exigent
risks to information systems.
---------------------------------------------------------------------------
\5\ FISMA 2014 (Pub. L. No. 113-283, Dec. 18, 2014) largely
superseded the Federal Information Security Management Act of 2002
(FISMA 2002), enacted as Title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this
statement, FISMA refers both to FISMA 2014 and to those provisions of
FISMA 2002 that were either incorporated into FISMA 2014 or were
unchanged and continue in full force and effect.
---------------------------------------------------------------------------
NIST has issued several special publications (SP) that provide
guidelines to Federal agencies on controls and activities relevant to
managing supply chain risk. For example,
NIST SP 800-39 provides an approach to organization-wide
management of information security risk, which states that
organizations should monitor risk on an on-going basis as part
of a comprehensive risk management program.\6\
---------------------------------------------------------------------------
\6\ NIST, Managing Information Security Risk: Organization,
Mission, and Information System View, SP 800-39 (Gaithersburg, MD:
March 2011).
---------------------------------------------------------------------------
NIST SP 800-53 (Revision 4) provides a catalogue of controls
from which agencies are to select controls for their
information systems. It also specifies several control
activities that organizations could use to provide additional
supply chain protections, such as conducting due diligence
reviews of suppliers and developing acquisition policy, and
implementing procedures that help protect against supply chain
threats throughout the system development life cycle.\7\
---------------------------------------------------------------------------
\7\ NIST, Security and Privacy Controls for Federal Information
Systems and Organizations, SP 800-53, Revision 4 (Gaithersburg, MD:
April 2013).
---------------------------------------------------------------------------
NIST SP 800-161 provides guidance to Federal agencies on
identifying, assessing, selecting, and implementing risk
management processes and mitigating controls throughout their
organizations to help manage information and communications
technology supply chain risks.\8\
---------------------------------------------------------------------------
\8\ NIST, Supply Chain Risk Management Practices for Federal
Information Systems and Organizations, SP 800-161 (Gaithersburg, MD:
April 2015).
---------------------------------------------------------------------------
In addition, as of June 2018, DHS has issued one binding
operational directive related to an IT supply chain-related threat.
Specifically, in September 2017, DHS issued a directive to all Federal
Executive branch departments and agencies to remove and discontinue
present and future use of Kaspersky-branded products on all Federal
information systems.\9\ In consultation with interagency partners, DHS
determined that the risks presented by these products justified their
removal.
---------------------------------------------------------------------------
\9\ DHS, Removal of Kaspersky-Branded Products, BOD-17-01
(Washington, DC: Sept. 13, 2017).
---------------------------------------------------------------------------
Beyond these guidelines and requirements, the Ike Skelton National
Defense Authorization Act for Fiscal Year 2011 also included provisions
related to supply chain security. Specifically, Section 806 authorizes
the Secretaries of Defense, the Army, the Navy, and the Air Force to
exclude a contractor from specific types of procurements on the basis
of a determination of significant supply chain risk to a covered
system.\10\ Section 806 also establishes requirements for limiting
disclosure of the basis of such procurement action.
---------------------------------------------------------------------------
\10\ The act defines ``supply chain risk'' as ``risk that an
adversary may sabotage, maliciously introduce unwanted function, or
otherwise subvert the design, integrity, manufacturing, production,
distribution, installation, operation, or maintenance of a covered
system so as to surveil, deny, disrupt, or otherwise degrade the
function, use, or operation of such system.''
---------------------------------------------------------------------------
IT SUPPLY CHAINS INTRODUCE NUMEROUS INFORMATION SECURITY RISKS TO
FEDERAL AGENCIES
In several reports issued since 2012,\11\ we have pointed out that
the reliance on complex, global IT supply chains introduces multiple
risks to Federal information and telecommunications systems. This
includes the risk of these systems being manipulated or damaged by
leading foreign cyber-threat nations such as Russia, China, Iran, and
North Korea.\12\ Threats and vulnerabilities created by these cyber-
threat nations, vendors, or suppliers closely linked to cyber-threat
nations,\13\ and other malicious actors can be sophisticated and
difficult to detect and, thus, pose a significant risk to organizations
and Federal agencies.
---------------------------------------------------------------------------
\11\ GAO-12-361, GAO-13-652T, and GAO-17-688R.
\12\ The Office of the Director of National Intelligence has
identified Russia, China, Iran, and North Korea as leading cyber-threat
nations in its Worldwide Threat Assessment of the U.S. Intelligence
Community (Washington, DC: Feb. 9, 2016 and Feb. 13, 2018).
\13\ The Department of State Authorities Act, Fiscal Year 2017,
defines ``closely linked'' as, with respect to a foreign supplier,
contractor, or subcontractor and a cyber threat nation: (1) Incorporated
or headquartered in the territory; (2) having ties to the military
forces; (3) having ties to the intelligence services; or (4) the
beneficiary of significant low-interest or no-interest loans, loan
forgiveness, or other support of a leading cyber threat nation. The Act
also included a provision for GAO to review the Department of State's
(State) critical telecommunications equipment or services obtained from
manufacturers or suppliers that are closely linked to the leading cyber
threat nations. Based on GAO's open source review of generalizable
samples of 52 telecommunications device manufacturers and software
developers supporting the State's critical telecommunications
capabilities and 100 of State's telecommunications contractors, GAO
identified 16 companies--12 equipment manufacturers and software
developers and 4 telecommunications contractors--with suppliers
reported to be headquartered in cyber threat nations. All of these
suppliers were reported to be headquartered in China or, in one case,
Russia. The data did not establish whether State's telecommunications
capabilities were supported by equipment or software originating from
suppliers linked to companies in GAO's samples. GAO did not identify
any reported military ties, intelligence ties, or low-interest loans
involving cyber threat nations among any of the suppliers. See GAO-17-
688R.
---------------------------------------------------------------------------
As we reported in March 2012,\14\ supply chain threats are present
at various phases of a system's development life cycle. Key threats
that could create an unacceptable risk to Federal agencies include the
following.
---------------------------------------------------------------------------
\14\ GAO-12-361.
---------------------------------------------------------------------------
Installation of hardware or software containing malicious
logic, which is hardware, firmware, or software that is
intentionally included or inserted in a system for a harmful
purpose. Malicious logic can cause significant damage by
allowing attackers to take control of entire systems and,
thereby, read, modify, or delete sensitive information; disrupt
operations; launch attacks against other organizations'
systems; or destroy systems.
Installation of counterfeit hardware or software, which is
hardware or software containing non-genuine component parts or
code. According to the Defense Department's Information
Assurance Technology Analysis Center, counterfeit IT threatens
the integrity, trustworthiness, and reliability of information
systems for several reasons, including the facts that: (1)
Counterfeits are usually less reliable and, therefore, may fail
more often and more quickly than genuine parts; and (2)
counterfeiting presents an opportunity for the counterfeiter to
insert malicious logic or back doors \15\ into replicas or
copies that would be far more difficult in more secure
manufacturing facilities.\16\
---------------------------------------------------------------------------
\15\ A ``back door'' is a general term for a malicious program that
can potentially give an intruder remote access to an infected computer.
\16\ Information Assurance Technology Analysis Center, Security
Risk Management for the Off-the-Shelf (OTS) Information and
Communications Technology (ICT) Supply Chain, An Information Assurance
Technology Analysis Center State of the Art Report, DO 380 (Herndon,
VA: August 2010).
---------------------------------------------------------------------------
Failure or disruption in the production or distribution of
critical products. Both man-made (e.g., disruptions caused by
labor, trade, or political disputes) and natural (e.g.,
earthquakes, fires, floods, or hurricanes) causes could
decrease the availability of material needed to develop systems
or disrupt the supply of IT products critical to the operations
of Federal agencies.
Reliance on a malicious or unqualified service provider for
the performance of technical services. By virtue of their
position, contractors and other service providers may have
access to Federal data and systems. Service providers could
attempt to use their access to obtain sensitive information,
commit fraud, disrupt operations, or launch attacks against
other computer systems and networks.
Installation of hardware or software that contains
unintentional vulnerabilities, such as defects in code that can
be exploited. Cyber attackers may focus their efforts on, among
other things, finding and exploiting existing defects in
software code. Such defects are usually the result of
unintentional coding errors or misconfigurations, and can
facilitate attempts by attackers to gain unauthorized access to
an agency's information systems and data, or disrupt service.
We noted in the March 2012 report that threat actors \17\ can
introduce these threats into Federal information systems by exploiting
vulnerabilities that could exist at multiple points in the global
supply chain. In addition, supply chain vulnerabilities can include
weaknesses in agency acquisition or security procedures, controls, or
implementation related to an information system. Examples of the types
of vulnerabilities that could be exploited include:
---------------------------------------------------------------------------
\17\ Supply chain-related threat actors include foreign
intelligence services and militaries, corporate spies, corrupt
government officials, cyber vandals, disgruntled employees, radical
activists, purveyors of counterfeit goods, or criminals.
---------------------------------------------------------------------------
acquisitions of IT products or parts from sources other than
the original manufacturer or authorized reseller, such as
independent distributors, brokers, or on the gray market;
lack of adequate testing for software updates and patches;
and
incomplete information on IT suppliers.
If a threat actor exploits an existing vulnerability, it could lead
to the loss of the confidentiality, integrity, or availability of the
system and associated information. This, in turn, can adversely affect
an agency's ability to carry out its mission.
FOUR NATIONAL SECURITY-RELATED AGENCIES HAVE ACTED TO BETTER ADDRESS IT
SUPPLY CHAIN RISKS FOR THEIR INFORMATION SYSTEMS
In March 2012, we reported that the four National security-related
agencies (i.e., Defense, Justice, Energy, and DHS) had acknowledged the
risks presented by supply chain vulnerabilities.\18\ However, the
agencies varied in the extent to which they had addressed these risks
by: (1) Defining supply chain protection measures for Department
information systems, (2) developing implementing procedures for these
measures, and (3) establishing capabilities for monitoring compliance
with, and the effectiveness of, such measures.
---------------------------------------------------------------------------
\18\ GAO-12-361.
---------------------------------------------------------------------------
Of the four agencies, the Department of Defense had made the most
progress addressing the risks. Specifically, the Department's supply
chain risk management efforts began in 2003 and included:
a policy requiring supply chain risk to be addressed early
and across a system's entire life cycle and calling for an
incremental implementation of supply chain risk management
through a series of pilot projects;
a requirement that every acquisition program submit and
update a ``program protection plan'' that was to, among other
things, help manage risks from supply chain exploits or design
vulnerabilities;
procedures for implementing supply chain protection
measures, such as an implementation guide describing 32
specific measures for enhancing supply chain protection and
procedures for program protection plans identifying ways in
which programs should manage supply chain risk; and
a monitoring mechanism to determine the status and
effectiveness of supply chain protection pilot projects, as
well as monitoring compliance with and effectiveness of program
protection policies and procedures for several acquisition
programs.
Conversely, our report noted that the other three agencies had made
limited progress in addressing supply chain risks for their information
systems. For example:
The Department of Justice had defined specific security
measures for protecting against supply chain threats through
the use of provisions in vendor contracts and agreements.
Officials identified: (1) A citizenship and residency
requirement and (2) a National security risk questionnaire as
two provisions that addressed supply chain risk. However,
Justice had not developed procedures for ensuring the effective
implementation of these protection measures or a mechanism for
verifying compliance with, and the effectiveness of these
measures. We stressed that, without such procedures, Justice
would have limited assurance that its Departmental information
systems were being adequately protected against supply chain
threats.
In May 2011, the Department of Energy revised its
information security program, which required Energy components
to implement provisions based on NIST and Committee on National
Security Systems guidance. However, the Department was unable
to provide details on implementation progress, milestones for
completion, or how supply chain protection measures would be
defined. Because it had not defined these measures or
associated implementing procedures, we reported that the
Department was not in a position to monitor compliance or
effectiveness.
Although its information security guidance mentioned the
NIST control related to supply chain protection, DHS had not
defined the supply chain protection control activities that
system owners should employ. The Department's information
security policy manager stated that DHS was in the process of
developing policy that would address supply chain protection,
but did not provide details on when it would be completed. In
the absence of such a policy, DHS was not in a position to
develop implementation procedures or to monitor compliance or
effectiveness.
To assist Justice, Energy, and DHS in better addressing IT supply
chain-related security risks for their Departmental information
systems, we made 8 recommendations to these 3 agencies in our 2012
report. Specifically, we recommended that Energy and DHS:
develop and document Departmental policy that defines which
security measures should be employed to protect against supply
chain threats.
We also recommended that Justice, Energy, and DHS:
develop, document, and disseminate procedures to implement
the supply chain protection security measures defined in
Departmental policy, and
develop and implement a monitoring capability to verify
compliance with, and assess the effectiveness of, supply chain
protection measures.
The 3 agencies generally agreed with our recommendations and,
subsequently, implemented 7 of the 8 recommendations. Specifically, we
verified that Justice and Energy had implemented each of the
recommendations we made to them by 2016. We also confirmed that DHS had
implemented 2 of the 3 recommendations we made to that agency by 2015.
However, as of fiscal year 2016,\19\ DHS had not fully implemented
our recommendation to develop and implement a monitoring capability to
verify compliance with, and assess the effectiveness of, supply chain
protections. Although the Department had developed a policy and
approach for monitoring supply chain risk management activities, it
could not provide evidence that its components had actually implemented
the policy. Thus, we were not able to close the recommendation as
implemented. Nevertheless, the implementation of the 7 recommendations
and partial implementation of the eighth recommendation better
positioned the 3 agencies to monitor and mitigate their IT supply chain
risks.
---------------------------------------------------------------------------
\19\ GAO reviews agency actions to implement its recommendations
and may decide to close a recommendation as not implemented if an
agency has not implemented the recommendation within 4 fiscal years of
GAO making the recommendation. Fiscal year 2016 was the fourth fiscal
year after GAO made the recommendations to DHS in its March 2012
report.
---------------------------------------------------------------------------
In addition, we reported in March 2012 that the 4 National
security-related agencies had participated in interagency efforts to
address supply chain security, including participation in the
Comprehensive National Cybersecurity Initiative,\20\ development of
technical and policy tools, and collaboration with the intelligence
community. In support of the cybersecurity initiative, Defense and DHS
jointly led an interagency initiative on supply chain risk management
to address issues of globalization affecting the Federal Government's
IT. Also, DHS had developed a comprehensive portfolio of technical and
policy-based product offerings for Federal civilian departments and
agencies, including technical assessment capabilities, acquisition
support, and incident response capabilities. The efforts of the 4
agencies could benefit all Federal agencies in addressing their IT
supply chain risks.
---------------------------------------------------------------------------
\20\ Begun by the Bush administration in 2008, the Comprehensive
National Cybersecurity Initiative is a series of initiatives aimed at
improving cybersecurity within the Federal Government. This initiative,
which is composed of 12 projects with the objective of safeguarding
Federal Executive branch information systems, includes a project
focused on addressing global supply chain risk management.
---------------------------------------------------------------------------
In summary, the global IT supply chain introduces a myriad of
security risks to Federal information systems that, if realized, could
jeopardize the confidentiality, integrity, and availability of Federal
information systems. Thus, the potential exists for serious adverse
impact on an agency's operations, assets, and employees. These factors
highlight the importance and urgency of Federal agencies appropriately
assessing, managing, and monitoring IT supply chain risk as part of
their agency-wide information security programs.
Chairmen King and Perry, Ranking Members Rice and Correa, and
Members of the subcommittees, this completes my prepared statement. I
would be pleased to answer your questions.
Mr. King. You still had 17 seconds to go. Good job. Thank
you very much, Mr. Wilshusen.
I appreciate all of you being here today. I now recognize
myself for 5 minutes. A number of us on the panel believe that
DHS should have powers similar to DOD, similar to section 806.
Now, I guess I would ask the three representatives from DHS
how that would strengthen you if similar legislation was
adopted for DHS? But also, looking back on it, it appears that
DOD was given this authority in 2011, did not issue regulations
until 2015, and I don't even know if they have begun to
implement them yet. So if this authority is given to you, how
quickly would you be able to implement it and how would it
improve your capabilities? Ms. Correa.
Ms. Correa. So, sir, I have looked at the authority, and I
have also looked at the proposal that has been put before--the
latest legislative proposal. We would act very quickly and
swiftly to implement.
We would look at our business process to see how we can
immediately train our staff and ensure that they have a full
understanding of what this authority grants us to do, and we
would issue immediate guidelines and instructions, including to
our employees but also to share with industry, on how we would
use that authority. But the very specifics, the time line, I
would have to go back and look at how quickly we could actually
implement.
Mr. Zangardi. Sir, thank you. I concur with Soraya. The
need for this type of capability or authority is important from
a CIO's perspective. My responsibility that I have to take
under consideration and work very hard every day is the
security of the DHS network, just not for the headquarters but
for the components.
Having the ability to react swiftly to make the right
decisions with removal of network systems or IT systems that
are threatening is very important for us in carrying out our
mission. We will work very closely with the intelligence
community and NPPD on tippers, so we know what is going on. My
team will do the technical assessment and talk very closely
with the chief procurement officer, to make sure the lines of
communication and what we are doing is very clear and
understandable.
Mr. King. Ms. Manfra.
Ms. Manfra. The only thing I would add is to just note that
the administration proposal would be for this authority to be
granted Government-wide. So in addition to DHS having this
ability, we want all of the Executive branch to be able to have
this authority and this capability.
Mr. King. This is I guess the open question to you. Do you
have sufficient personnel on board now to carry out your
mission?
Ms. Correa. I am sorry. The question was? I want to make
sure I understood the question.
Mr. King. Do you have sufficient personnel on board now to
carry out this mission?
Ms. Correa. To carry out this mission? From a procurement
perspective, the answer is yes, because we would be relying on
our contracting officers, our policy and legislative team, who
actually implement any accompanying guidelines. We put out
guides. We do this on a very regular basis. So the answer is
yes, we have the staff that can do this right now.
Mr. King. Doctor.
Mr. Zangardi. Sir, from a CIO perspective and with regards
to my mission for protecting the DHS network, I feel that I
have sufficient folks on board in my shop. I also feel that the
communication between the technical folks and my CISO shop and
the component chief information security officers and CIOs is
more than adequate to carry this out.
Mr. King. Ms. Manfra.
Ms. Manfra. Our role would be different in that we wouldn't
necessarily be in charge of implementing this authority for the
Department. We are looking across the Federal Government and
building an initiative to ensure that supply chain risk
assessments are being done, that we are following up and
potentially providing continuous monitoring.
We have just started building that program, as noted. We
currently do only have 2 people solely identified for that, but
we are building that program and were recently appropriated
some additional program dollars. So that program will be built
over the next 2 years to get to full capacity.
Mr. King. I am down to 40 seconds. Mr. Wilshusen, based on
your studies of the departments, including DHS, over the years,
if we did give 806 authority to DHS, how long do you think it
would take them to implement it?
Mr. Wilshusen. That I wouldn't know exactly, but I would
say that one of the key things with the 806 authority given to
DHS is making sure that this committee and GAO and/or the
inspectors general have an opportunity to review the process
and the procedures that the Department implements in order to
effect that particular capability and authority that it has. It
is just making sure that one is able to review what DHS does in
implementing it and making sure it is done in accordance with
the law.
Mr. King. Thank you. Miss Rice.
Miss Rice. Thank you, Mr. Chairman.
Ms. Correa, I would like to start with you. This hearing is
about some of the threats we face from adversarial foreign
governments. I think in order to counter these threats, we must
first fully acknowledge them and their intentions. So, with
that in mind, do you agree with the intelligence community's
January 2017 assessment and the Senate Intelligence Committee's
findings that Russia interfered in the 2016 election to benefit
the Trump campaign?
Ms. Correa. So, ma'am, I am not intimately familiar with
that information. What I can tell you is that I agree that we
have to have the authorities in place----
Miss Rice. OK, I have to stop you there.
Ms. Correa. OK.
Miss Rice. In your position, you are saying you can't
answer this question?
Ms. Correa. Not directly, no, ma'am.
Miss Rice. How about indirectly?
Ms. Correa. That is what I was trying to do. That I believe
we have to have the mechanisms in place to address these
vulnerabilities and ensure that the threat assessments, the
risks, the vulnerabilities are properly addressed through the
procurement process.
Miss Rice. You are the chief procurement officer for the
Department of Homeland Security, and you do not have an opinion
about whether the Senate Intelligence Committee's findings and
the entire intelligence community's findings that Russia
interfered with the 2016 election to support President Trump,
you have no opinion about that?
Ms. Correa. Ma'am, unfortunately, no, not with respect to
this.
Miss Rice. That is frightening, frightening to me.
How about you, Doctor?
Mr. Zangardi. Yes, ma'am. Thank you for the opportunity to
respond.
Miss Rice. Yes or no, do you agree with the findings?
Mr. Zangardi. Ma'am, I am here to testify on this
authority.
Miss Rice. No, you are here to answer questions. You are
talking about actions that all of you are taking on behalf of
the Department of Homeland Security regarding interference,
whether it is procurement process or whatever it is. If we
can't get people here, all four of you, to acknowledge that
there was interference in the 2016 election, none of you should
be in the positions that you are in to protect us in 2018 or
2020.
So yes or no, do you have an opinion about whether Russia
interfered in the 2016 election, yes or no?
Mr. Zangardi. Ma'am, my responsibility is to protect the
DHS network----
Miss Rice. Your responsibility is to answer the question.
Yes or no? Say no.
Mr. Zangardi. Ma'am, I do not have an opinion.
Miss Rice. You have no opinion. Again, frightening.
OK, let's move on to Ms. Manfra. Yes or no, do you agree
with the opinion of the entire intelligence----
Ms. Manfra. I agree with the intelligence community
assessment, ma'am, and I have said so publicly previously.
Miss Rice. Thank you.
Mr. Wilshusen. I would also have to agree with the
Intelligence Committee, but, again, I haven't examined it.
Miss Rice. I appreciate your willingness to answer a
question that everyone on the panel should be able to answer.
Despite warnings from the Federal Communications
Commission, the Department of Commerce, the Department of
Defense, and other intelligence agencies, President Trump
publicly expressed support for the Chinese telecommunications
company ZTE.
Ms. Correa, I will start with you. Have you discussed your
concerns with the Chinese telecommunications companies with
President Trump?
Ms. Correa. No, ma'am, I have not had any discussions with
the President.
Miss Rice. Have you discussed it with the Secretary of the
Department of Homeland Security?
Ms. Correa. No, ma'am. No, I have not.
Miss Rice. You are the chief procurement, head of
procurement?
Ms. Correa. That is correct.
Miss Rice. Again, a frightening, frightening answer. Do you
think you should speak to her about that?
Ms. Correa. Ma'am, I work in conjunction with my colleagues
and look at what the risks are----
Miss Rice. OK. So again, you are not going to answer the
question.
Doctor, how about you, have you had any discussions about----
Mr. Zangardi. No.
Miss Rice. Do you have any concerns about the President's
approach to ZTE, whatever his motivations are? We don't even
have to go into them. Do you, in your position, have concerns
about the President's stated position about ZTE, yes or no?
Mr. Zangardi. Ma'am, I have made sure that the network has
no ZTE equipment on it.
Miss Rice. OK. So I am going to answer for you. That would
be yes, you do have concerns?
Mr. Zangardi. Ma'am, my responsibility is for the network
for DHS. I have ensured that the appropriate steps have been
taken to preclude the use of equipment----
Miss Rice. So is there a reason why you can't say, answer a
question in a way that might come across as being critical of
the President? Is there a reason? Because I have never heard an
inability from Ms. Correa and you to answer a simple yes-or-no
question. So I am just wondering why you can't or won't.
Mr. Zangardi. Ma'am, my position is to work and ensure that
the network is safe every day, and that is what I do.
Miss Rice. OK. What is frightening to me is that people
like you are in the positions that you are in, who will not
make statements of fact that everyone in the intel community
has made.
Mr. Chairman, I thank you for your indulgence. I want to
thank at least the 2 of you for being willing to answer what I
think is a pretty simple question.
Thank you, Mr. Chairman.
Mr. King. Thank you, Miss Rice.
Without getting into a debate--we can have it--first of
all, it was not only composed of the intelligence community. It
was the FBI and the CIA and DNI agreed in part. The other 14
did not take a position. There are legitimate questions about
the extent of the involvement. I have no doubt there was
meddling. We can debate it in another forum.
But having been through 65, 70 witnesses on the
Intelligence Committee on this, it is not as clear as you may
think as far as who they were favoring. There is no doubt there
was meddling. But, again, it was only Brennan and Comey who
agreed in full with that recommendation.
Mr. Perry.
Mr. Perry. Thanks, Mr. Chairman.
I thank the witnesses for their testimony in answering some
questions for us here. We are trying to get to the process, I
think, and understand the process that you all go through and
then find out how we, from a legislative and policy standpoint,
can support your efforts. I think all of us, regardless of our
political affiliation, don't want us to be on defense, don't
want us to be reactive, want us to be proactive. I think that
is what we are trying to get to. So I am trying to understand,
and so my questions will be in that vein.
I am wondering what the DHS does to recognize and address
that might already exist from products that are currently
implemented or being used by the Department. How does that
process work? Is there a continual reevaluation? I am thinking
in the context of, you know, I have got two of these things and
I have got a couple iPads and then desktop computers. I don't
know what the schedule is, but on a pretty regular basis, you
know, you have got to put in your code and update the software
and all that stuff.
I will be honest with you, I have no idea what is happening
in there. Something's happening, right? But I am hoping that
you folks do and deal with that, and I am trying to understand
how that works. If any one of you can answer that question, you
know.
Mr. Zangardi. So, sir, you know, the current IT
environment, as mentioned by another witness, is global. It is
complicated. It is characterized by mergers and acquisitions in
an ever-changing territory. So we have to work very hard to
deal with that. So intelligence tippers is really a key way in
which we start the process. But more importantly, backing up
within the whole acquisition process, we have to be involved at
the very beginning as the program is being looked at to
determine what systems, hardware components, software are going
in there. Then we have developed a set of questions that have
to be answered by every program.
We have also in our 4300A handbook developed a requirement
for the components and the programs to develop policies related
to supply chain management. So we have put those in place. My
chief technical officer also vets all software against the
State Department Committee on Foreign Investment in the United
States. So these are embedded in the process as we are going
toward to build something out.
So when we are notified about a risk, we look at it very
closely from a technical point of view and determine if it is
something that we should mitigate or remove. Removal takes
time. It isn't an overnight process. So mitigation might
involve something simple, like setting configurations or
settings on a firewall.
My ESOC, or my Enterprise Security Operation Center,
monitors this on a daily basis, looking for proxy signals. They
monitor it daily and they will tip off if they find anything.
We also do scans of our network and review the logs to ensure
that nothing is, you know, askew. We work very closely with the
CISOs and the component CIOs to ensure that the communication
and standards are set.
I think part of your question deals with making sure that
patches and other things are done to make sure the network is
modern and upgraded to the current standards.
I view cyber hygiene as part and parcel of what I do. What
I mean by cyber hygiene is ensuring that we are moving to
modern operating systems, that our patching is done up to date
and as soon as possible, and we are doing things like two-
factor authentication and PKI.
Mr. Perry. A lot of this is pretty technical for all of us,
and we just--I hate to say it, but we are counting on you folks
to have the technical expertise that is necessary.
Just out of curiosity, is DHS using software products with
Russian-based security codes, such as Kaspersky, NGINX, Nordic
ANT, Oxygen? I know I see a U.S. Secret Service request for
DHS, 20 licenses from Oxygen, which is a Russian-based company.
I am wondering, as a matter of protocol, does DHS look into--I
imagine but I just want to be sure--relationships with the
Russian government and--well, I will just leave it at that. If
you can answer those questions.
Mr. Zangardi. So, sir, we do, and we take that into account
as part of our technical assessment.
Mr. Perry. Wait. You use those?
Mr. Zangardi. No, sir. You asked if I take that into
account.
Mr. Perry. OK. Yes, I just want to be clear. Right.
Mr. Zangardi. Yes, sir. So we take it into account. To make
sure that it is part of our technical assessment, we consider
the leadership of companies, where the company is based, those
sort of qualitative factors, if you will.
Mr. Perry. Do you know if you use any of the companies that
I listed?
Mr. Zangardi. So, sir, I would have to take some of that as
a QFR. For companies like Huawei----
Mr. Perry. If you could, please, I would like to----
Mr. Zangardi. We do not have any Huawei or ZTE.
Mr. Perry. I am happy to know that. Let me ask you this: Do
you have a--does DHS have a requirement for the companies that
you procure from that determines what security standard they
have? Somebody is writing the code. Somebody is building the
piece of equipment.
Does DHS have a requirement? Is there a minimum standard, a
minimum security standard, background checks, et cetera, for
the vendors or the producers? Is that something that is a part
of what you do, Ms. Correa?
Ms. Correa. Yes. Yes, sir. We actually vet the vendors, and
we do have security standards that are specified in the actual
solicitation as well as we include cyber hygiene clauses that
are in the contracts and solicitations, as determined by the
program offices and the CIO for inclusion that identify the
different documentation and the standards that they have to
meet, the training that they have to take, and the documents
that they have to submit for us to validate that they are
meeting the security standards.
Mr. Perry. So one final question, with the Chair's
indulgence. I wonder why it took so long to identify Kaspersky
as a risk. It seemed to me--look, I come from Pennsylvania
State government. We used Kaspersky throughout the State
government as our security vendor, and through the complaints
we kept using it until finally the Federal Government said,
hey, there is a problem here. What took so long?
Ms. Manfra. I can take that one, sir. I can't comment in
detail about maybe why it took so long. I can tell you for when
I was in my position, we looked in--and working with our
intelligence analysis, looked into all the available
information, both Classified and unclassified. It just came to
a point that this was not a risk that we were willing to accept
on our networks, and that is when we began the process of
identifying tools available to remove them from our networks,
and that led to the binding operational directive.
Mr. Perry. So from a layman's standpoint, and I will close
with this, it seems to me that people like me would think as
soon as you see anything questionable, as soon as you see
anything questionable from a country like Russia, China, Iran,
or whatever that we are buying things like this from, that is a
problem and we should terminate it. But I will close with that.
Thank you, Mr. Chair, and I yield.
Mr. King. I would just join the gentleman in saying I know
for a number of years we were hearing about Kaspersky, and I
could never understand why we retained them, but in any event.
Mr. Correa, you are recognized.
Mr. Correa of California. Thank you very much. I only have
5 minutes here, so let me try to be succinct and I would
appreciate succinctness of your answers to my questions.
But, you know, recently the administration seems to have
changed its position on Huawei and ZTE. Does that change your
perspective, your view on the security threat that these
products pose on the supply chain? Meaning are we OK to buy
them now? Are you going to buy them, or does this not change
your perspective on the threat of ZTE and Huawei to our
National security?
Ms. Manfra. Sir, I am not exactly sure what you mean by
changing positions. If you are referring to the Commerce act on
ZTE----
Mr. Correa of California. Yes.
Ms. Manfra. So that is specific to ZTE, not Huawei. I would
say, similar to what we discussed with Kaspersky, what we are
looking at is less about the company and more about the laws
that that company is compelled to follow. Both Chinese and
Russian laws compel access that we are concerned about. So what
we are doing is a risk assessment on companies that are subject
to those laws and looking at the tools that we have available
to us to address that risk.
Mr. Correa of California. So when you say we are looking at
the risk assessment, what would change of that risk assessment?
It is my understanding that certain countries, Russia and China
being two, are generally their style of economy, so to speak.
Those companies are essentially controlled or are accountable
to their central government. So that model of operating would
never change, at least not in the short term.
So, I am trying to figure out, is I guess our
classification of ZTE would change, what would change in your
assessment of that company in how we would do business with
them in the United States?
Ms. Manfra. I want to separate the Commerce action on ZTE,
which was a specific action for something that they violated,
from our work in assessing risk. We can walk through some more
details in the closed session. But just at a high level, we are
looking at risk both now and in the future.
Mr. Correa of California. Let me pull back, given we will
go through that in closed session. But a bigger general
question is, mitigation versus removal. Chain of command. You
all operate under a chain of command, I presume. There are
certain issues you need to bring forth to the committee,
individuals that can respond to give you authority and so on
and so forth, respond to your concerns.
Do you have the ability to jump above the chain of command
should you feel that your issues are not being addressed to
bring your concerns forth?
Ms. Manfra. I haven't experienced that. I have the full
support of the Secretary.
Mr. Correa of California. The same question to all of you,
yes/no also?
Mr. Zangardi. Yes, sir, I feel that I have the full support
of the Secretary, and if there is an issue I can go up the
chain of command. In fact, I have a dual reporting chain to the
Secretary and to the under secretary for management.
Mr. Correa of California. Ms. Correa.
Ms. Correa. Similar to Dr. Zangardi. We are in the same
reporting chain. So I report to the under secretary for
management, who reports to the Secretary, and we do have the
ability to raise concerns on any procurement-related matters.
Mr. Correa of California. Would you say that your concerns
are responded to affirmatively, meaning they are addressed?
Ms. Correa. Yes. I can say yes, that my concerns are
addressed.
Mr. Zangardi. Yes, sir.
Ms. Manfra. Yes, sir.
Mr. Wilshusen. I am with GAO, and I certainly have the--can
go up to the Comptroller General if I have a concern about any
issue, but I haven't had that yet.
Mr. Correa of California. I only have less than a minute
and I wish I could delve into this a little bit more. But I
guess my concern in the back of my head here I am thinking
mitigation versus removing. You know what countries pose a
threat. You know geopolitically the challenges out there. They
are not new. They continue to be what they are.
So, to me, if you have a bad actor that has acted poorly or
badly in the past, mitigation versus removing, I am not sure
what the difference would be or why we would go back to dealing
with certain firms, knowing the threats that they present to
our country.
I have only 15 seconds. Let me make a closing statement and
then you can answer, which is, you know, a lot of the stuff
that has been going on, my thought in the back of my mind, at
what point do these intrusions by these foreign governments
represent a declaration of war on our country or not? Because a
lot of the stuff they are doing is, you know, essentially
posing a threat to us either today or in the future.
If you have any comments, Mr. Chair, I am going to stop my
comments, but I would like to see if anybody can address my
comments.
Mr. Zangardi. Sir, I would like to address the mitigation
versus removal. So I am going to specifically talk to
mitigation. That is preferred. Now, when we say mitigation, we
are not talking about continued procurement of the particular
hardware or software. What we are talking about is looking at
it and going, oh, is the threat major or minor? Are there
simple changes that I can make to some protocols or firewall
settings that preclude it from doing whatever it was going to
do? Then eventually remove it. Remember, everything has to be
balanced in a cost-benefit sort-of equation. So if you could
preclude it from being a threat with a simple mitigation, that
is the preferred course of action.
Mr. King. The gentleman's time has expired. Anybody else
have anything on this? No, OK.
Mr. Donovan.
Mr. Donovan. Thank you, Mr. Chairman.
I am a little bit older than Chairman Perry, so I really
don't understand this. I am not as old as Chairman King, but I
am older than Chairman Perry. I am sure every one of these
incredibly intelligent young folks behind you know a whole lot
more about this than all of us combined. I was told once that
there is more capability in this little machine than we had
when we put a man on the moon in 1969. It is just amazing to
me.
So, knowing that these items, whether it be a phone,
whether it be a 9-1-1 system, the component parts are made
elsewhere, sometimes they are even put together elsewhere, do
we have in place something that will secure our security before
we find a vulnerability, or do we wait for something to happen
before we realize there is a problem with the 9-1-1 system in
New York City or an iPhone that is being used by a Member of
Congress?
Mr. Zangardi. So, sir, it is impossible to build a perfect
defense. So we take prudent precautions to develop a security
infrastructure that protects us against known and anticipated
threats. We put that in place by looking at intelligence. We
put that in place by understanding the technology.
I will take it a step further. Every time we sit down with
a company--and we do meet with a lot of companies--we ask them
about their supply chain management process, because what you
are talking about is it is a global marketplace and for that
phone you have there, the parts come from many different
countries. So we have to understand how those suppliers of the
hardware and software we need are building out their product.
So that is an area we focus on.
As I mentioned earlier, we have procedures in our 4300
instruction that the components have to put this in place. We
address this during the acquisition process by putting in place
questions that the program office has to answer. My chief
technical officer and my chief information security officer are
very involved in the vetting of hardware and software
components that we procure.
Ms. Manfra. Sir, if I could just add, we model what we do
in cybersecurity similar to what is practiced in physical
security. So you don't just think about defense on your
perimeter. You think about putting a lot of different alerts
and warning capability. You think about what happens if an
individual gets past one perimeter, how do we deal with them
elsewhere? How do we secure very high-valuable assets in a
highly secure way, put resources toward that, extra protections
around that? That is similar to what happens in cybersecurity;
it just becomes very technical.
So there are a lot of different ways that as we learn about
what an adversary might be doing that is not necessarily
related to patching a specific vulnerability where we can put
what we call compensating controls in place.
So if we know that an adversary leverages legitimate
credentials, so they steal somebody's password and username,
for example, say through spear phishing or something like
that--we know that is a very common way--that they will then
masquerade as a legitimate user on a network. So what we do is
then we design our network so they can't just move laterally
across the entire system and have access to everything.
We also put in place identity monitoring as part of the CDM
program, so that we can see if there is a user behaving in a way
that is not usual for that user to behave. That would alert a
SOC, for example.
So there are a lot of different practices and technologies
that are in place that can monitor for this sort of behavior
that we can take action on. But, again, like Dr. Zangardi said,
it is not perfect. You can never have that 100 percent
security. We just want to have a lot of layers, and we want to
raise the cost for the adversary to get to those highest-value
targets that we are working to protect.
Mr. Donovan. I remember speaking with Jamie Dimon at
JPMorgan, saying they are always concerned about the attack
that is already there laying dormant, not the ones that are
trying now, and thinking about if when this phone was made if a
component part was compromised and it is laying dormant in all
of our phones right now and is that able to be detected. But I
guess maybe we can talk about that in a closed setting as well.
Let me just ask, the Chairman was asking about 806
authority. Are there any other authorities? I mean, we are
lawmakers. We are supposed to listen to you, you are supposed
to tell us what you need, and then we are supposed to help you
get there.
Are there any other authorities that would help you to
secure, whether it be our equipment, our systems, that you
would like to see Congress pass?
Ms. Manfra. Congressman, I can start with--no, I do not have
a laundry list. Of course, the committee has worked very hard
on the authorization for our Cybersecurity and Infrastructure
Security Agency, which is a name change for our organization.
We are hoping that we can get that passed into law.
We have the administration's legislation proposal, which
would have the 806-like authority in addition to codifying
sort-of the process by which the Department and other agencies
would be able to continuously share this information and act on
it. So that full legislative proposal is really what we are
looking for.
Ms. Correa. I would like to add that I am encouraged by
that kind of legislation, because what I think is extremely
important is that we have consistency across the Government in
how we apply our rules and how we are going to look at this
process.
I did want to touch on one other thing when Dr. Zangardi
was speaking answering your previous question. We also include
the assessment of what the technologies are that they are
using, what the composition of the products are, and even the
backgrounds of the companies as part of the proposal evaluation
process. So there is a process there where we do look at
companies.
Mr. Donovan. Mr. Chairman, my time has expired, so I yield
back the time that I don't have anymore.
Mr. King. Very generous of you.
I recognize the gentleman from Massachusetts, Mr. Keating.
Mr. Keating. Thank you, Mr. Chairman.
Yesterday, we had a hearing in full Committee on Homeland
Security about what the Department is doing to try and help our
local and State election apparatus to protect itself from a
cyber attack. The attack was obviously the attack that our
intelligence community has told us that President Putin, the
Russian government, aspired to do and did, indeed, do against
our country.
So I am sitting here and I am saying, we are trying to
reach out to our local and State election commissioners or
secretaries of state, saying, we are here to help you prevent
against this attack. We are the Department of Homeland Security
and we have grants to do this.
So how could you possibly expect them to take it seriously,
Ms. Correa, if the chief procurement officer for the U.S.
Department of Homeland Security, and Mr. Zangardi, as the chief
information officer, sit here in a public committee the very
next day, the very next day, and are saying, well, we can't
tell you this happened. How can that be taken seriously? What
do you say? Would you have that same comment to all our
election commissioners and secretaries of state and say, you
know, we can't tell you that that is happening? We are not
going to publicly admit that. Ms. Correa? No, Ms. Correa.
Ms. Correa. OK. Sir, what I am here to do is try to
identify how we can safeguard the procurement process to ensure
that there are no bad actors out there and that we address any
risks of vulnerability.
Mr. Keating. You are not prepared to say who did it?
Mr. Zangardi. No, sir, I am not.
Mr. Keating. You know, I sat here through the last Congress
with many of my colleagues saying, boy, we can't go get these
radical extremists unless we call them by name. But you are not
calling them by name, the people that gave a hostile attack on
our country's democracy. It is the same thing I heard all
through the last Congress.
It is just beyond me how we are being expected to be taken
seriously, the Department is expected to be taken seriously
when you won't even admit it publicly when we are trying to
prevent, less than 4 months away, another attack.
I just have a question on ZTE now. Mr. Zangardi said, well,
we are not going to consider any ZTE products or apparatus. But
I was listening to Ms. Manfra, who said, well, we really look
at the technical side and we evaluate it from that, regardless
of what the product would be, to see if it is safe.
Don't you think that it should be automatically excluded
from any procurement, not because of the technical ability of
the product, but because they twice broke the law on sanctions
against our country, again, with hostile countries like Iran,
North Korea? Isn't that enough by itself to say, no matter how
much it is technically reviewed, how much we feel comfortable
with it, can you sit here and say, we are not going to under
any circumstances use any ZTE products for Homeland Security
procurement? Can you say that, Mr. Zangardi, without
qualification?
Mr. Zangardi. So my intent is to keep ZTE hardware off our
network.
Mr. Keating. No, not your personal intent, but yes or no,
you are not going to do it. You are not going to use their
products. They have twice broken the law.
Mr. Zangardi. We do not use their product and it is based
upon a technical assessment.
Mr. Keating. Well, obviously, you are not using it now. But
now that things have changed, can you say you will exclude it,
period, going forward?
Mr. Zangardi. So our decisions need to be based on risk and
based on a technical----
Mr. Keating. So it is not based on their actions. OK. I
think we need to separate the question.
Quickly, Mr. Wilshusen. The conclusion in your report dealt
with the serious adverse impacts in risks here. Can you give us
like what you think are among the most serious quickly? This is
pretty serious stuff.
Mr. Wilshusen. Sure. If an adversary is able to install
malicious software or hardware into an information system, they
may be able to extract or change, modify, even delete very
sensitive information that may be residing on that system.
That, of course, depends upon the system and what type of
information it contains on that system. That could be
personally identifiable information, proprietary information,
or National security, public health----
Mr. Keating. National security and public health.
Mr. Wilshusen [continuing]. Related information.
Mr. Keating. Thank you. Thank you. That is something for us
all to think very carefully about in relation to my prior
questions.
I yield back.
Mr. King. The gentleman yields back.
Unless there are further questions, that concludes the
public portion of the hearing. I ask unanimous consent that the
subcommittees now recess for a brief period and reconvene the
hearing in a closed session, pursuant to House rule
XI(2)(g)(2), and we plan to reconvene in HVC-302 in 10 minutes.
Without objection, the subcommittees will recess.
[Whereupon, at 11:17 a.m., the subcommittees proceeded in
closed session and subsequently adjourned at 12:28 p.m.]
A P P E N D I X
----------
Question From Chairman Scott Perry for the Department of Homeland
Security
Question. Is the Department of Homeland Security currently using or
in the process of procuring any software products with Russian-based
source code (i.e. Kaspersky, NGINX, Nordacind, Oxygen)? If so, which
ones and for what purposes?
Answer. Response was not received at the time of publication.
Questions From Honorable James R. Langevin for the Department of
Homeland Security
Question 1a. On April 24, Assistant Secretary Jeanette Manfra
testified before the Senate Homeland Security and Government Affairs
Committee that the surge in risk and vulnerability assessments for
elections infrastructure created "a significant backlog in other
critical infrastructure sectors and Federal agencies" waiting for
similar assessments. The President's 2019 budget did not request an
increase in resources sufficient to overcome this backlog.
Are more resources necessary to support the increased requests from
State and local governments without delaying other assessments?
Answer. Response was not received at the time of publication.
Question 1b. What is the current RVA backlog? What is the prognosis
for that backlog over the next calendar year?
Answer. Response was not received at the time of publication.
Question 2a. Based on the RVAs that DHS has carried out for State
and local election officials, do most States and localities have the
resources required to sufficiently mitigate their cybersecurity
vulnerabilities (including equipment, staffing, training, and other
components that factor into security)?
Answer. Response was not received at the time of publication.
Question 2b. If not, how big is the shortfall?
Answer. Response was not received at the time of publication.
Question 3. In the guidance NPPD issued to election officials on
how to spend security funding, NPPD emphasizes the importance of
deploying auditable voting systems.
How important is it that States have auditable paper trails and
conduct post-election audits to verify the digital tallies of election
results?
Answer. Response was not received at the time of publication.
Question 4. Much of DHS's mission requires close coordination with
other agencies, especially with respect to cybersecurity.
How has the Department's ability to synchronize its cyber mission
with other agencies been affected by the elimination of the
Cybersecurity Coordinator position and the recent high rate of turnover
at the National Security Council?
Answer. Response was not received at the time of publication.