Comments on behalf of Huawei Technologies Co. & Huawei Technologies USA advocating for a risk-based approach to address supply chain security challenges. Emphasizes the need for a comprehensive framework to manage cybersecurity risks effectively.
FY 19 NDAA Section 889 Public Meeting
Comments on behalf of Huawei Technologies Co. Ltd. & Huawei Technologies USA, Inc.
James E. Gauch, Jones Day, 51 Louisiana Ave., N.W., Washington, D.C. 20001, (202) 879-3939, jegauch@jonesday.com
Section 889's purposes and objectives
• According to the United States government – in the brief filed in defending against Huawei's constitutional challenge to certain aspects of Section 889 – the principal purported purpose of that provision is to further national and informational security against cyber-attacks and cyber-espionage.
• Such threats are particularly serious in the telecommunications sector, and Huawei itself is committed to working with its customers and governments, including the U.S. government, to improve cybersecurity.
• In implementing the statute, DoD, GSA, and NASA should consider what it will take to realize real gains in supply chain security, and how to do so without undue adverse effects.
Fulfilling § 889's security purposes requires a risk-based approach
• Virtually all equipment manufacturers rely on a global supply chain and face security risks from a wide range of sources.
• Excluding one or two vendors based on their national origin will not address these risks.
• Indeed, consolidating the number of equipment suppliers hinders rather than helps cybersecurity. Creating a small number of dominant suppliers, regardless of national origin, reduces the incentives of those suppliers to embrace industry-leading standards and creates greater exposure to vulnerabilities of a single supplier.
• Instead, supply chain risks should be addressed through a risk management framework that accounts for the full range of potential threats.
• The National Institute of Standards and Technology (NIST) Cybersecurity Framework exemplifies government and private sector consensus on the need for a risk-based approach to manage cybersecurity risks, including supply chain risks.
• NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, likewise sets forth a risk-based approach for promoting security of federal systems in accordance with the Federal Information Security Management Act (FISMA).
• The cybersecurity firm Domain5 issued a white paper, included in the Rural Broadband Alliance's recent comments to the FCC, which underscores the need to consider the full range of supply chain threats and vulnerabilities and to adopt a risk-based framework in order to meaningfully advance cybersecurity.
Risk-based approach to supply chain security
• With respect to supply chain security, a risk-based approach can include a number of steps:
  • Security by design
  • Product testing
  • Trusted delivery mechanisms
  • Limitations on access to the network by manufacturers
  • Operational steps by customers
Security by design
• Proactively address security issues during the design phase of equipment and systems.
• Principles include reducing the attack surface, making secure choices by users the default, and increasing resilience in case of an attack.
Product testing
• Vendors submit their products to an approved independent evaluator for testing.
• Such testing may include testing to uncover vulnerabilities, as well as the integrity and reliability of development, design, management and security processes.
• Example: the Huawei Cyber Security Evaluation Centre in the United Kingdom, which, in cooperation with the U.K. government, provides security evaluations of a range of products used in the U.K. telecommunications market.
Trusted delivery mechanisms
• Use mechanisms to ensure that customers can trust that the hardware or software they receive has not been altered during delivery.
• One approach is for software subject to independent testing to be delivered to the customer directly from the testing facility to ensure that the vendor has no opportunity to engage in alterations.
• Trusted delivery mechanisms can be extended through the full product lifecycle and apply to all subsequent software releases and patches and hardware upgrades.
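The slide describes the goal of trusted delivery but not how a customer would actually check it. The following is an added example, not code from the comments, from Huawei or from any testing facility. It assumes the independent testing facility publishes a manifest of SHA-256 digests for every evaluated file and authenticates that manifest with a key the customer can verify; a public-key signature (for example Ed25519) would be used in practice, and HMAC-SHA256 with a shared key stands in here only so the example runs on the Python standard library alone. All file contents and keys are constructed.

```python
"""Trusted-delivery check: verify that a delivered software package matches the
manifest published by the independent testing facility.

Added example, not from the comments or any vendor. HMAC with a shared key is a
stand-in for a public-key signature so the example needs only the stdlib.
"""
import hashlib
import hmac
import json

# Constructed demo key shared between the testing facility and the customer.
FACILITY_KEY = b"constructed-demo-key-not-for-real-use"


def build_manifest(files: dict, key: bytes) -> dict:
    """Testing-facility side: digest each evaluated file and authenticate the manifest."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_delivery(files: dict, manifest: dict, key: bytes) -> list:
    """Customer side: return a list of problems; an empty list means the delivery is trusted."""
    problems = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the tag through timing.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        problems.append("manifest authentication failed")
        return problems  # nothing in an unauthenticated manifest can be relied on
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"digest mismatch: {name}")
    # Files the facility never evaluated must not ride along with the release.
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected file not covered by evaluation: {name}")
    return problems


# Constructed sample release as evaluated by the facility.
EVALUATED = {
    "firmware.bin": b"\x7fELF...constructed firmware image",
    "release-notes.txt": b"v1.2.3 constructed notes",
}
MANIFEST = build_manifest(EVALUATED, FACILITY_KEY)


def demo_cases() -> dict:
    """Run the verifier over an intact delivery and three altered ones."""
    intact = dict(EVALUATED)
    altered = dict(EVALUATED)
    altered["firmware.bin"] = EVALUATED["firmware.bin"] + b"\x90"  # modified in transit
    extra = dict(EVALUATED)
    extra["helper.so"] = b"constructed unevaluated module"  # added in transit
    # A manifest edited to cover the extra file, but still carrying the original tag.
    forged_manifest = {
        "files": {**MANIFEST["files"], "helper.so": hashlib.sha256(extra["helper.so"]).hexdigest()},
        "tag": MANIFEST["tag"],
    }
    return {
        "intact": verify_delivery(intact, MANIFEST, FACILITY_KEY),
        "altered": verify_delivery(altered, MANIFEST, FACILITY_KEY),
        "extra": verify_delivery(extra, MANIFEST, FACILITY_KEY),
        "forged": verify_delivery(extra, forged_manifest, FACILITY_KEY),
    }


if __name__ == "__main__":
    for case, result in demo_cases().items():
        print(f"{case}: {result or 'OK'}")
```

The design point is that the manifest, not the package, is the trust anchor: it comes from the evaluator over a channel the vendor does not control, so a package altered after evaluation fails the digest check and a manifest edited to match fails authentication. The same check applies unchanged to every later release and patch, which is how the lifecycle extension on the slide would be realised.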
Limitations on access by equipment manufacturer
• Once equipment is installed in a network, the manufacturer should have very limited access for specific purposes such as maintenance and support.
• Any access to customer networks by a manufacturer should be verifiable and auditable.
• Huawei, for example, mandates use of Secure Network Access Solution (SNAS):
  • Access to customer networks only by approved U.S.-based personnel using secure, configured laptops and servers over a network separate from the internal Huawei corporate network.
  • Logging system that permits customers to monitor and audit network access.
Operational steps by customers
• Cybersecurity is a shared responsibility across the ecosystem.
• Customers also can take steps to manage cybersecurity risks, including supply chain risks.
• For example, network operators should monitor traffic patterns to detect anomalous behavior such as traffic being routed to unexpected destinations.
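As an added example of the monitoring step above (this is not the comments' own material nor any operator's tooling), the script below reads flow records exported by a network device and flags traffic from managed equipment to destinations outside an operator-maintained allowlist. It assumes flow records are text lines of the form `<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>` and that the allowlist maps each managed device to the destination networks it is expected to reach (internal ranges, the management system, an approved vendor support gateway). The records, device addresses and allowlist are all constructed; external hosts use RFC 5737 documentation addresses.

```python
"""Flag traffic from managed network equipment to unexpected destinations.

Added example, not from the comments or any operator. Flow format and the
allowlist are assumptions; every record below is constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist: per managed device, the destination networks it may reach.
EXPECTED_DESTINATIONS = {
    "10.0.1.5": ["10.0.0.0/16", "192.0.2.0/24"],  # core router: internal + management/NMS
    "10.0.1.6": ["10.0.0.0/16"],                  # access switch: internal only
}

# Constructed flow records: timestamp, source, destination, destination port, bytes.
FLOW_LOG = """\
2019-06-04T10:00:01Z 10.0.1.5 10.0.2.10 443 5120
2019-06-04T10:00:02Z 10.0.1.5 192.0.2.25 514 880
2019-06-04T10:00:05Z 10.0.1.6 10.0.2.11 22 2048
2019-06-04T10:00:09Z 10.0.1.6 198.51.100.77 443 734003
2019-06-04T10:00:12Z 10.0.1.5 203.0.113.9 8443 41000
2019-06-04T10:00:15Z 10.0.1.6 198.51.100.77 443 1200000
"""


def parse_flows(text):
    """Yield one dict per non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
               "port": int(port), "bytes": int(nbytes)}


def is_expected(src, dst, allowlist=EXPECTED_DESTINATIONS):
    """True if the destination falls inside one of the networks allowed for this source."""
    return any(dst in ipaddress.ip_network(net) for net in allowlist.get(src, []))


def find_unexpected_destinations(text, allowlist=EXPECTED_DESTINATIONS):
    """Return {(src, dst): {"flows", "bytes", "first_seen"}} for destinations off the allowlist.

    Devices absent from the allowlist are treated as having no expected destinations,
    so unmanaged or newly added equipment surfaces immediately.
    """
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "first_seen": None})
    for flow in parse_flows(text):
        if is_expected(flow["src"], flow["dst"], allowlist):
            continue
        entry = findings[(flow["src"], str(flow["dst"]))]
        entry["flows"] += 1
        entry["bytes"] += flow["bytes"]
        entry["first_seen"] = entry["first_seen"] or flow["ts"]
    return dict(findings)


def rank_by_volume(findings):
    """Order findings by bytes sent, largest first, for triage."""
    return sorted(findings.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for (src, dst), info in rank_by_volume(find_unexpected_destinations(FLOW_LOG)):
        print(f"{src} -> {dst}: {info['flows']} flows, {info['bytes']} bytes, first {info['first_seen']}")
```

Aggregating per source/destination pair rather than alerting on each flow keeps a sustained transfer (the switch sending nearly two megabytes to an external host here) visible as a single ranked finding, which is what an operator would investigate first; in a real deployment the allowlist would come from the network's inventory and the records from the device's own flow export.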
DoD, GSA, and NASA can further § 889's purposes without imposing undue harm on stakeholders
• Agencies routinely consider the costs imposed by their regulatory decisions, Michigan v. EPA, 135 S.Ct. 2699, 2707 (2015), and courts have cautioned against "read[ing] [a] statute to impose [harsh] consequences . . . without explicit statutory instruction." Mecaj v. Mukasey, 263 Fed. Appx. 449, 452 (6th Cir. 2008).
• The Government has already acknowledged serious concerns about the potential impact on stakeholders (OMB Letter, June 4, 2019), particularly:
  • "[A] dramatic reduction in the available industrial base"
  • "[T]he cost of the potential regulatory burdens"
  • "[D]isproportiona[te] impact[]" on "rural Federal grant recipients"
• By construing § 889's prohibitions thoughtfully and relying on a holistic, risk-based framework for supply chain security as outlined above, DoD, GSA, and NASA can achieve the statute's purposes while minimizing unnecessary costs and disruption to stakeholders.
• That approach would further the Administration's interests, as reflected in the June 4 OMB letter, in mitigating those costs and disruptions "without compromising desired security objectives."
• It is also consistent with the Administration's overall approach, reflected in the recent Executive Order on "Securing the Information and Communications Technology and Services Supply Chain" (May 15, 2019), in which the President expressly authorized the Secretary of Commerce to develop similar approaches to risk mitigation.
Huawei is committed to advancing global cybersecurity standards and practices
• Huawei has been at the forefront of ensuring the security and integrity of communications networks and the telecommunications supply chain.
• Huawei conducts research into and publishes public white papers regarding improvements to industry standards for protecting the integrity and security of networked solutions.
• Huawei is actively involved in the formulation of international standards, with membership in more than 360 standards bodies and industry organizations such as ETSI, 3GPP, and IEEE-SA.
• Huawei has a strong track record of network security. In more than 30 years there has been no serious network security issue involving Huawei, and there is no evidence that Huawei has ever engaged in or been a party to malicious activity.
• Huawei remains committed and ready to collaborate on sensible, even-handed and reliable systems to ensure a healthy and secure telecommunications ecosystem.