The National Defense Strategy (NDS) emphasized the re-emergence of great power competition with Russia and China. Those concerns found legs in the 2019 National Defense Authorization Act (NDAA), which tasked government agencies and contractors to identify and remove hardware devices that may have been manufactured in other countries with the intent of attacking U.S. critical infrastructure. COVID-19 has ushered in its own supply chain issues, and only enhanced the realization that the U.S. faces ongoing and significant threats to its own supply chain, particularly in the area of telecommunications.
China’s Huawei is one of the most clear and successful examples, with a global footprint and a modis operandi of targeting companies and stealing their information. Section 889 of the 2019 NDAA requires government agencies and contractors to tasked to identify and remove these hardware devices manufactured by specific creators.
The federal government and private sector need to continue collaboration to prepare for the next generation of technology, AKA 5G for mobile communication networks. But the fifth generation is expected to introduce more national security risks as nefarious actors hope to exploit 5G technologies or infiltrate through hardware. In March 2020, the White House issued the National Strategy to Secure 5G of the United States of America . The strategy provides direction on how the government will secure 5G infrastructure domestically – and not through foreign enemy companies and their subsidiaries.
SEC. 889: PROHIBITION OF TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES
Section 889 prohibits the use or procurement of any equipment, system, or service that uses telecommunications equipment or services as an essential component of their critical technology from a few companies and their subsidiaries.
Among other technical details, it calls out the Secretary of Defense from procuring or obtaining or entering into contracts with these entities. The 2019 NDAA specifically calls out Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities, which is quite a long list).
In April of 2019, the Five Eyes intelligence nations agreed not to use telecommunications equipment from Huawei in the “sensitive” parts of their networks. But the British government opted to move forward with the company, allowing Huawei to have access to their 5G network.
While Huawei would be blocked from core parts of systems, the move caused a divide among the national intelligence of the US, its allies, and other nations allowing tech from the company to be used. Section 889 also doesn’t allow contractors or agencies to enter into contracts with anyone that uses this equipment or engages with these manufacturers – which is an important piece to be mindful of if you are engaging with foreign partners.
THE SECURITY RESEARCH LAB
Research labs are an important component of the DoD ecosystem. Managing Hardware Access Control (HAC) through these labs allows researchers to ‘fingerprint’ as many hardware devices from known, potentially nefarious manufacturers, including monitors, USB devices, routers, etc., to identify areas of compromise and maintain the most up-to-date knowledge base.
Yossi Appleboum mentions the SolarWinds attack and how it should be a reminder for our stance on overall cybersecurity posture: “A couple of weeks ago, everyone was stressed over the SolarWinds attack or incident around software supply chain. What we all learned is that every time we feel comfortable about our supply chain, we are actually in a greater danger than before.”