House Passes Bills on Both Supply Chain, Telecom SecurityLegislation Targets DHS SBOM, Further Chinese Telecom Restrictions
In a busy congressional day for cybersecurity legislation, the U.S. House of Representatives passed several bills Wednesday, targeting both software supply chain and telecommunication system security.
The Department of Homeland Security Software Supply Chain Risk Management Act of 2021, sponsored by Rep. Ritchie Torres, D-N.Y., the vice chairman of the House Homeland Security Committee, would require DHS' undersecretary for management to issue departmental guidance requiring DHS contractors to submit software bills of materials, or SBOMs, that identify the origins of each component of the software furnished to DHS.
It passed the lower house on Wednesday almost unanimously - by a vote of 412-2.
'DHS Must Set an Example'
The bill, Torres said, would help avoid incidents such as the SolarWinds attack, which is suspected to have been carried out by the Russia-backed group Nobelium. In it, threat actors mounted a supply chain attack by exploiting SolarWinds' Orion software, breaching some 100 organizations globally, plus nine federal agencies, including DHS. The threat actor behind the monthslong espionage campaign is believed to have specifically targeted government agencies involved in foreign policy, according to Microsoft.
In a statement, Torres said, "It is crucial that DHS has the capacity to protect its own networks and enhance its visibility into information and communications tech or services that it buys. As a federal leader in the cybersecurity space, DHS must set an example by modernizing how it protects its networks."
The legislation builds upon President Joe Biden's May 2021 executive order aimed at holistically enhancing the security of the federal government's supply chain to gain visibility and effectively manage potential threats (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
'Prevent, Detect and Respond'
"The security and integrity of software bought by DHS is integral to homeland security. My bill will ensure that the department has access to prevent, detect, and respond to future cyberattacks. … I urge my colleagues in the Senate to bring up and pass this important piece of legislation," Torres said.
Jake Williams, a former member of the National Security Agency's elite hacking team, tells ISMG, "This bill sets the stage for software bill of materials implementation across not only the federal government, but the entire IT industry."
Citing a 180-day deadline to comply with the requirements, and challenges with third-party components, Williams, the co-founder and CTO of the security firm BreachQuest, adds, "While this is definitely a step in the right direction for cybersecurity, initial compliance will both be difficult and costly. I expect we'll be horrified to learn some of the insecure components unknowingly baked into widely used enterprise software."
Neil Jones, a cybersecurity evangelist for the firm Egnyte, says: "Rep. Torres' bill will better position [DHS] to detect potential vulnerabilities and become more empowered to ask questions before a breach occurs."
In the SolarWinds campaign, threat actors reportedly accessed the email accounts of top DHS leaders, including former acting DHS Secretary Chad Wolf, according to The Associated Press.
In April, the Biden administration formally sanctioned Russia over the espionage operation. The administration also sanctioned more than 30 Russian companies and individuals accused of supplying tools, infrastructure and technologies for various cyber operations connected to federal elections, and it expelled 10 Russian diplomats from the U.S. (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
The House also passed a bipartisan bill sponsored by House Minority Whip Steve Scalise, R-La., and Rep. Anna Eshoo, D-Calif., on Wednesday. The bill would prohibit the Federal Communications Commission from reviewing or issuing new equipment licenses to companies on the FCC's "Covered Equipment or Services List" - that allegedly pose a national security threat. The measure passed by a vote of 420-4.
The Secure Equipment Act would prevent equipment manufactured by Chinese firms such as Huawei, ZTE, Hytera, Hikvision and Dahua from being further utilized and marketed in the U.S.
Huawei has previously refuted claims that it poses a national security threat to the U.S.
Both Congress and the Trump administration previously took steps to block entities it deemed dangerous from further accessing the U.S. market.
"The [bill] will prevent China from infiltrating America's telecommunications networks and threatening the safety and national security of the American people when sending data across the internet," Scalise said in a statement.
"[The bill] sends a strong signal to the Chinese Communist Party that America is committed to securing our networks and protecting the privacy and safety of our citizens," he added.
Sens. Marco Rubio, R-Fla., and Ed Markey, D-Mass., introduced similar legislation in the Senate in May, which remains pending.
"By restricting the use of network technology that's produced by Chinese state-backed firms, Rep. Scalise's bill will help to protect sensitive U.S. government data," Egnyte's Jones says.
Other Bills Passed
The House also passed a bill that would direct the FCC to create an advisory council for telecommunication network security. Another bill - the Information and Communication Technology Strategy Act - would require Department of Commerce officials to evaluate the competitiveness of companies within the technology supply chain, according to the House Energy and Commerce Committee, where the bills originated.
In a joint statement on Wednesday, House Energy and Commerce Committee Chairman Frank Pallone, D-N.J., and Mike Doyle, D-Pa., noted: "Together, these bills will boost network reliability, protect against suspect equipment that poses a risk to our national security, support small communications network providers, and bolster the economic competiveness of our technology supply chain."
If both the supply chain and telecommunication bills are ultimately passed, Egnyte's Jones adds, the government will need to ensure that new software requirements don't present "lengthy bureaucratic bottlenecks." But he says the bills "are a win-win for the government and U.S. citizens."