WASHINGTON—The Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a hearing titled, “Safeguarding the Federal Software Supply Chain.” Subcommittee members discussed ways the U.S. can better ensure federal software systems are protected from attacks by hostile foreign nations and other threat actors. Subcommittee members also explored the tools the federal government can use to prevent threat actors from infiltrating federal software systems.
The U.S. is critically dependent on software systems to carry out government processes and deliver services to U.S. taxpayers. This dependency comes with a risk that vulnerabilities in software used by the federal government can be accessed by hostile threat actors to harm America.
- Jamil Jaffer, Founder and Executive Director of the National Security Institute at the Antonin Scalia Law School at George Mason University, highlighted the threat posed to the United States by software supply chain vulnerabilities: “When it comes to the threat scenarios, it is worth noting that the exploitation or compromise of our software supply chain not only has national security implications because of its use for potential espionage or the delivery of destructive malware, but also because of its continued use to expand the massive economic impact of nation-state-enabled IP theft.”
While numerous areas of the federal supply chain are at risk, the software supply chain in particular is difficult to safeguard due to layered and interconnected systems. The U.S. must do more to hold threat actors accountable.
- Dr. James Lewis, Senior Vice President and Director of the Strategic Technologies Program at the Center for Strategic and International Studies, spoke to the specific cyber threats originating from China: “The United States faces a major challenge in securing digital technology. Over the last 35 years, it constructed a series of deeply interconnected industrial and technology supply chains with China, based on the assumption that China would become a trustworthy partner, making it safe to take advantage of the business opportunities China presented. At the time, there was some truth to this and companies in the United States and its allies made immense amounts of money, but ultimately it was a mistake. The United States and its allies have now learned that when it comes to cybersecurity and software supply chains, China is not trustworthy.”
- Roger Waldron, President of the Coalition for Government Procurement, discussed how the U.S. should prioritize buying commercial solutions where applicable as a way to better safeguard against untrustworthy foreign actors: “Buying commercial allows the federal government to leverage commercial expertise and investments in security and functionality. It also ensures that the government stays current with security solutions in a dynamic cyber-threat environment. As the federal cybersecurity framework continues to evolve and mature, maintaining long-held preferences for commercial items will mitigate risk, increase competition, and deliver functionality for the federal customer.”
Subcommittee Chairwoman Rep. Nancy Mace (R-S.C.) posed the question of whether the U.S. can and should draw redlines to deter enemy nations who conduct cyberwarfare against the U.S.
Chairwoman Mace: “My first question to you, Mr. Jaffer, this afternoon is should the U.S. draw a line in the sand to deter the cyber warfare launched from China, Russia, and other enemy nation states?”
Mr. Jaffer: “Thank you, Chairwoman, and yes, I absolutely think we need to make very clear our redlines in the cyber domain. Part of the challenge I think that we face in this domain is that we talk about our concerns, but we don’t actually effectuate them. We don’t talk about what our abilities are in the cyber domain, we don’t talk about what our redlines are, we don’t talk about what we would do if those redlines are actually crossed, and then, worst, the world is seeing that on the rare occasion that the U.S. established redlines, we don’t actually enforce them.”
Rep. Nick Langworthy (R-N.Y.) delved into the role that software bills of materials (SBOMs) could play in better procuring federal software systems.
Rep. Langworthy: “Do you believe that the federal government should be implementing SBOM requirements?”
Mr. Waldron: “Yes, it is the right direction. The question is the execution on the contracting side and looking at developing some standard formats. The issue in federal procurement is that there is the federal acquisition regulation, agencies have all kinds of supplemental regulations, when you start developing an SBOM and a format, you have got to talk to industry. Come up with a common nomenclature, understanding, what is actually going to be reported as part of those ingredients…”
Rep. Langworthy: “Could SBOMs offer a viable solution for securing the federal software supply chain, and additionally, what are some of the concerns or drawbacks associated with SBOMs as a potential solution?”
Mr. Jaffer: “Well, a couple things. SBOMs can certainly help, but only if you use them for a good purpose. Once you know what’s in the software, people have to do something about it. They have to actually design their software in a way that’s secure and resilient inherently, and holding people accountable for that, rather than what’s in your soup and what makes the soup good, is important. The second thing is that by exposing everything that is in an SBOM, it gives our adversaries information on what to go after.”