Mace: Protecting Government IT Systems is Critical to Federal Software Supply Chain
WASHINGTON—Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) today delivered opening remarks at a hearing titled “Safeguarding the Federal Software Supply Chain.” In her opening statement, Subcommittee Chairwoman Mace emphasized that the broad use of information technology (IT) systems creates efficiencies and streamlines government service delivery, but warned that reliance on digital services leaves openings for cyber-attacks by bad actors. Cyber-based attacks, many originating from hostile foreign nations, have crippled large corporations in the U.S., and the federal government must ensure the software used in federal IT systems is safe.
Below are Subcommittee Chairwoman Mace’s remarks as prepared for delivery.
Good afternoon and welcome to this hearing of the Subcommittee on Cybersecurity, Information Technology and Government Innovation.
Today more than ever, federal agencies rely on information technology to carry out core functions of Government.
Digital information systems are used to help provide health care to veterans, pay social security beneficiaries, protect the homeland, and administer our system of justice.
The broad deployment of IT systems creates efficiencies and streamlines government service delivery.
So, there’s no disputing the gains from digital government are real.
But so too are the risks.
Our increasing dependence on computer hardware and software has created an irresistible target for malicious cyber actors. These include foreign enemies who seek to do us harm and domestic activists bent on disruption – along with criminals chiefly seeking to line their own pockets.
We know these risks from hard experience. A series of hacks have exploited vulnerabilities in software used to operate major federal and nonfederal computer systems. The 2020 SolarWinds breach – among the largest ever – was perpetrated by Russia-based cybercriminals who gained access to systems and data by injecting malware into a widely used software update.
More major software hacks have followed. That includes one involving Log4j, a common software component. And this past May, the popular file transfer software MOVEit was compromised.
These intrusions disrupt operations. They are costly and time-consuming to address. And they risk the exfiltration of sensitive data, including the personally identifiable information of millions of Americans.
Ultimately, they erode trust in the ability of our government to execute its core functions reliably and securely.
So, we need to ensure the software we use is safe.
It’s a challenging task. The federal government spends $100 billion annually on IT goods and services, including software. When you acquire a product, you inherit any risks associated with its supply chain. And the software supply chain is often opaque. Its provenance is often unclear, including that of the underlying source code. And even if the origins are known, it could have been later altered or tampered with.
Congress has taken some steps to shore up the software supply chain.
Section 889 of the 2019 NDAA prohibited federal agencies from buying certain telecom and video surveillance equipment – including that made by specific companies tied to China. Congress also authorized the creation of the Federal Acquisition Supply Council – or FASC – as a centralized, interagency hub to identify and mitigate Government IT procurement risks.
One way to make the software supply chain more transparent is through SBOMs. An SBOM (“S-BOMB”) – or software bill of materials – is analogous to a food nutrition label. It reveals the origin and component elements of software – as well as modifications later made. An SBOM can help government purchasers identify software vulnerabilities – like source code originating in China or Russia.
The goal is to secure the software supply chain without unduly shrinking the pool of software providers and products available to the Government. We don’t want to give up the benefits we all gain from software-driven efficiencies – including the savings they yield to taxpayers.
That’s why we have a representative of the federal contractor community testifying today, along with experts on the methods and intentions of cyber-threat actors.
But before we hear from them, I will now yield to Ranking Member Connolly for his opening statement.
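The remarks above describe an SBOM as a nutrition label that reveals a product's components, their origin, and later modifications. The following is an added example, not part of the hearing record or the Subcommittee's materials, showing what those three properties look like in practice when a purchaser consumes a CycloneDX-format SBOM: the example parses a constructed SBOM for a hypothetical application, flags components whose supplier, package identifier or integrity hash is missing (the "opaque provenance" problem), and checks a delivered file's digest against the SBOM entry to detect alteration after the SBOM was produced. The product name, component set and hash values are all constructed for illustration.

```python
import hashlib
import json

# Constructed CycloneDX 1.5-style SBOM for a hypothetical application.
# The product, the component entries and the hash values are sample data;
# the hashes are digests of placeholder byte strings standing in for real files.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "agency-portal", "version": "4.2.0"}},
    "components": [
        {   # fully described: origin, package identifier, integrity hash
            "type": "library", "name": "log4j-core", "version": "2.17.1",
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            "supplier": {"name": "Apache Software Foundation"},
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(b"log4j-core-2.17.1.jar").hexdigest()}],
        },
        {   # supplier named, but no package identifier and no hash
            "type": "library", "name": "transfer-helper", "version": "1.0",
            "supplier": {"name": "Example Vendor LLC"},
        },
        {   # hash present, but no supplier: origin is opaque
            "type": "library", "name": "fast-json", "version": "0.9.3",
            "purl": "pkg:npm/fast-json@0.9.3",
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(b"fast-json-0.9.3.tgz").hexdigest()}],
        },
    ],
})


def audit_sbom(sbom_json, required_alg="SHA-256"):
    """Parse a CycloneDX JSON SBOM and return a list of (component, issue) pairs.

    An issue is recorded when a component has no supplier (origin unknown),
    no package URL (cannot be matched against vulnerability advisories), or
    no hash of the required algorithm (later tampering cannot be detected).
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("supplier", {}).get("name"):
            findings.append((label, "no supplier recorded; origin unknown"))
        if not comp.get("purl"):
            findings.append((label, "no package URL; cannot match against advisories"))
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if required_alg not in algs:
            findings.append((label, f"no {required_alg} hash; tampering undetectable"))
    return findings


def verify_artifact(sbom_json, name, version, artifact_bytes, alg="SHA-256"):
    """Compare the digest of a delivered file against its SBOM entry.

    Returns True when the SBOM hash matches, False when it differs (the file
    was altered after the SBOM was produced), and None when the SBOM has no
    usable hash for that component, which is itself a provenance gap.
    """
    sbom = json.loads(sbom_json)
    for comp in sbom.get("components", []):
        if comp.get("name") == name and comp.get("version") == version:
            for h in comp.get("hashes", []):
                if h.get("alg") == alg:
                    # "SHA-256" -> "sha256", the name hashlib expects
                    actual = hashlib.new(alg.replace("-", "").lower(), artifact_bytes).hexdigest()
                    return actual == h.get("content")
            return None
    return None


if __name__ == "__main__":
    for label, issue in audit_sbom(SAMPLE_SBOM):
        print(f"{label}: {issue}")
    # Intact placeholder artifact, then one altered after the SBOM was written
    print(verify_artifact(SAMPLE_SBOM, "log4j-core", "2.17.1", b"log4j-core-2.17.1.jar"))
    print(verify_artifact(SAMPLE_SBOM, "log4j-core", "2.17.1", b"log4j-core-2.17.1.jar-modified"))
```

The audit separates the three questions a purchaser actually needs answered: who made each component, can it be looked up when an advisory such as the Log4j one is published, and can the delivered bytes be tied back to what the SBOM describes. A component that fails the third check cannot be protected against the update-tampering pattern described in the remarks, no matter how well its origin is documented.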