Showing posts with label Supply Chain. Show all posts
Monday, October 15, 2018
Peter Navarro Interviewed About Defense Industrial Base
YouTube: Fox Business: "Peter Navarro: We look at China as a strategic competitor"
Published on Oct 5, 2018
"Assistant to President Trump for Trade and Manufacturing Policy Peter Navarro on efforts to improve the U.S. defense-industrial base."
New York Times article by Peter Navarro: "America’s Military-Industrial Base Is at Risk. And here’s what the White House is going to do about it."
More about Peter Navarro the Director of the Office of Trade and Manufacturing Policy.
Saturday, October 13, 2018
DoD-Led Interagency Report on the Industrial Base and Supply Chain Resiliency
From the September 2018 report "Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States":
VII. A Blueprint for Action
President Trump’s historic EO 13806 provided DoD and its interagency partners a unique opportunity to assess the manufacturing and defense industrial base – one of the most critical assets to our national security. The work conducted by the over 300 members of the DoD-led Interagency Task Force lays the groundwork for important actions, mitigations, and ongoing monitoring that will result in America’s ability to continue supporting a secure, robust, resilient, and ready industrial base.
Current Efforts
The DoD-led Interagency Task Force recognizes and supports ongoing efforts to address the challenges identified in the EO 13806 assessment, including:
- Increased near-term DoD budget stability with the passage of the Bipartisan Budget Act of 2018, providing stable funding through FY2019
- Modernization of the Committee on Foreign Investment in the U.S. and investigations under Section 301 of the Trade Act of 1974 into Chinese intellectual property theft, to better combat Chinese industrial policies targeting American intellectual property
- Updates to the Conventional Arms Transfer policy and unmanned aerial systems export policy to increase U.S. industrial base competitiveness and strengthen international alliances
More Current Efforts continue in the report and are followed by Future Efforts and Recommendations.
Here is a statement from the White House on the report.
Interagency Task Force in Fulfillment of Executive Order 13806 = "Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States" https://t.co/NJTU8uQuL7 pic.twitter.com/9sLyfVsGJN
— AmericanMadeHeroes (@AmeriMadeHeroes) October 8, 2018
Labels: DOD, Executive Orders, Manufacturing, Report, Supply Chain, Vulnerabilities
Friday, October 12, 2018
The China Challenge: Economic Sticks and What To Do About Them
The Senate Foreign Relations Committee is holding a three-part hearing series under the 'Subcommittee on East Asia, The Pacific, and International Cybersecurity Policy' on a topic it calls "The China Challenge." The first hearing "The China Challenge, Part 1: Economic Coercion as Statecraft," was held on July 24, 2018, the second "The China Challenge, Part 2: Security and Military Developments" was held on September 5, 2018 and the third is pending.
The first hearing was attended by two witnesses, Dan Blumenthal of the American Enterprise Institute (AEI) and Ely Ratner of the Center for a New American Security (CNAS). During his testimony, Mr. Ratner presented a report prepared by CNAS titled "China's Use of Coercive Economic Measures." For a better understanding of what is meant by coercive economic measures, here is part of the introduction from Chapter 1 of the report:
China has long used economic statecraft as a pillar of its foreign policy. Historically, Chinese leaders used economic inducements ranging from gifts to the promise of loans and investments to solidify relationships with foreign governments and advance Chinese influence. [...]
In 2013, China launched the Belt and Road Initiative (BRI), a potentially $1 trillion, almost 70-country global infrastructure development initiative that is likely to significantly expand Chinese influence from Asia to Europe. [...]
Over the past decade, however, China has also used the “sharp end” of its economic statecraft, turning to coercive economic measures as a tool. The authors define coercive economic measures as China’s restrictions on trade or investment intended to impose financial or economic costs on a target in pursuit of a foreign policy objective or to influence a foreign government to offer policy concessions to China. As used here, coercion indicates the use, or threatened use, of economic “sticks,” but not the use of positive inducements or other tools, as commonly included in academic definitions.
Labels: China, Finance, Policy, Report, Supply Chain, US Congressional Hearings
Saturday, October 6, 2018
Supply Chain Vulnerabilities from China in U.S. Federal ICT - Report & Recommendations
The U.S.-China Economic and Security Review Commission published a research report on supply chain vulnerabilities:
Summary: The U.S.-China Economic and Security Review Commission released a report entitled Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, prepared for the Commission by Interos Solutions, Inc. The report examines vulnerabilities in the U.S. government information and communications technology (ICT) supply chains posed by China, and makes recommendations for supply chain risk management.
Here are the recommendations from the report:
• Embrace an Adaptive Supply Chain Risk Management (SCRM) Process
• Centralized Federal ICT SCRM Efforts
• Link Federal Regulations to Appropriations
• Promote Supply Chain Transparency and Partnership with Industry
• Craft Forward-Looking Policy
• Embrace an Adaptive Supply Chain Risk Management (SCRM) Process
Federal ICT modernization efforts have increased reliance on the private sector and commercial off-the-shelf (COTS) products. These new products have increasingly complex, globalized, and dynamic supply chains, many of which include commercial suppliers that source from China at multiple points within a single supply chain. These supply chains change over time as companies develop new technologies and partner with new suppliers, and effective SCRM policies must be able to adapt as well.
Nefarious actors linked to China have targeted the networks of private sector entities and private sector government contractors in order to obtain sensitive government information and to exploit vulnerabilities within federal information systems. Thus, weaknesses in the networks of industry partners pose a threat to the U.S. government and U.S. national security.
Defending against supply chain attacks by nefarious actors linked to China requires communication and collaboration with private sector actors. The National Institute of Standards and Technology (NIST) has been effective in partnering with the private sector to produce high-quality, implementable standards to improve supply chain security and cybersecurity of ICT systems, including the widely adopted NIST Cybersecurity Framework.
Although NIST has been effective in these efforts, supply chain controls developed by NIST apply only to “high-impact” federal information systems. Future work by NIST could include expanding supply chain standards to a broader range of federal information systems, including systems operated by private sector contractors.
Partnering with industry also means learning from experience with efforts such as the Bush-era Comprehensive National Cybersecurity Initiative (CNCI). The CNCI’s effectiveness was limited by the classified nature of its deliberations and decisions, which prevented the U.S. Department of State and the National Cyber Security Center from engaging with outside organizations, including the private sector.
Policymakers must empower rather than hinder the efforts of successful collaborative entities such as NIST and keep as much discussion of the supply chain threat as possible in the unclassified public sphere. These steps will ensure that new SCRM policies can be adaptive, be collaborative, and achieve buy-in from all relevant parties.
• Centralized Federal ICT SCRM Efforts
The U.S. government lacks a consistent, holistic SCRM approach. Additionally, most federal SCRM-related intelligence gathering activities are people based rather than technology based. This makes it difficult for federal SCRM programs to address the global threat comprehensively, or to scale as demand increases. The conflicting and confusing laws and regulations result in loopholes, duplication of effort, and inconsistently applied policies.
Congress and the Executive Branch should encourage information sharing and the consolidation of federal SCRM leadership to optimize collection and dissemination efforts. Centralized leadership for SCRM would need to be resourced and staffed appropriately and tasked with vetting to a prescribed level the suppliers and value-added resellers of products entering the federal IT network.
The Office of Management and Budget (OMB) could, through modifications to Circular A-130, assign centralized SCRM authority to the General Services Administration (GSA), the U.S. Department of Homeland Security (DHS), or another federal agency. This SCRM center would provide comprehensive and authoritative data and continuous monitoring, which would reduce the need for agency-specific SCRM and allow agencies to focus their efforts on particular configurations and implementation situations; how agencies use technology directly relates to how they apply risk mitigations.
Last, such an office would need to function in the unclassified world, while at the same time having direct connections and reach-back authority into the classified environment to ensure it remains in alignment with known threats. As illustrated by the experience of the CNCI, the relationship should not be reversed and come entirely under classified control.
• Link Federal Regulations to Appropriations
Along with modifications to policy—such as Circular A-130—Congress should tie policy revisions to a funding strategy that ensures federal agencies take action in ways that are auditable. One recommendation is to expand the Wolf Provision, or Section 515 of the Consolidated and Further Continuing Appropriations Act, to apply to all federal agencies and entities. A near-term opportunity is to tie the SCRM requirements of this regulation to agency funding for the Modernizing Government Technology Act of 2017 in ways that require a SCRM program review for new ICT investments and modernization efforts.
One improvement to the provision would be to require agencies to annually present (1) information about their established SCRM program, (2) the activities that have taken place within that program, and (3) the mitigations used. These annual reports will help build a best practices library for all federal government entities, increasing information sharing and awareness of evolving risks. The current reporting is compliance oriented and does nothing to share information or increase the security posture of federal ICT networks.
• Promote Supply Chain Transparency and Partnership with Industry
Supply chain transparency increases the security of the federal ICT supply chain by enabling the federal government to source responsibly and securely, and by improving the government’s ability to respond to, and reduce the impact of, cybersecurity incidents in an environment where supply chain attacks are ongoing.
Directly in relation to the impact on national security, the federal government should promote the public listing—or at least the disclosure to the government customer—of federal ICT providers and primary or tier-one suppliers in line with actions already taken by companies such as Dell, Hewlett-Packard (HP), and Microsoft as part of their corporate responsibility efforts.
The government should also push for transparency on the part of all suppliers within its own supply chain according to the level of risk management rigor required (not all programs and suppliers present the same level of risk and therefore this level of transparency may not be needed). This information does not always need to be publicly released, though audit measures should be in place to ensure the transparency exists.
In taking these measures, policymakers should learn from previous supply chain transparency efforts, such as Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which required some companies to document their suppliers of “conflict minerals” in order to decrease violence in the Democratic Republic of the Congo (DRC) by limiting U.S. procurement from actors fueling conflict in the DRC.
By partnering with industry and sharing information, the government customers and industry will have increased awareness of risks present in multi-tiered supplier relationships, as well as potentially effective mitigations that are already in place.
• Craft Forward-Looking Policy
Increasingly, any ICT component’s physical structure pales in importance compared with the firmware and software operating within it. Future risks will involve software, cloud-based infrastructures, and hyper-converged products rather than hardware. A vendor’s, supplier’s, or manufacturer’s business alliances, investment sources, and joint research and development (R&D) efforts are also sources of risk that are not always covered in traditional SCRM. Identifying these risks and addressing them creatively as part of the adaptive approach to supply chain risk management will be important to the success of federal policy efforts.
New report just released, entitled "Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology." Read it here: https://t.co/bpIiGQE2c0 #supplychain #china
— US-China Commission (@USCC_GOV) April 19, 2018
Labels: China, ICT, Risk Management, Supply Chain, Vulnerabilities
Friday, October 5, 2018
New ICT Supply Chain Task Force
The Department of Homeland Security (DHS) held its first National Cybersecurity Summit on July 31, 2018. During the summit, DHS's Christopher Krebs announced the creation of the Information Communications Technology Supply Chain Task Force and spoke with a panel of experts on what the task force should focus on for its first 90 days. The panelists included NSA's Rob Joyce, AT&T's John Donovan, and Palo Alto Networks' Mark McLaughlin. The task force will be a part of the newly created DHS National Risk Management Center, which launched together with the task force in August. In addition, Congress is currently considering several pieces of legislation to protect the supply chain. One bill, the "Securing the Homeland Security Supply Chain Act of 2018" (HR 6430), was passed in the House on September 4, 2018 and has been sent to the Senate for debate.
Video: "Department of Homeland Security National Cybersecurity Summit" (Panel starts at 2:04) Source: YouTube
Thursday, October 4, 2018
Supply Chain Risk Management and Testimony from Jennifer Bisceglie
Image: Jennifer Bisceglie testifies for a Homeland Security hearing. Source: www.hsgac.senate.gov
Jennifer Bisceglie testified for the Senate Homeland Security Committee hearing "Evolving Threats to the Homeland" on September 13, 2018. She specifically reviews supply chain risk management (SCRM) as it relates to information and communications technology (ICT), a security domain covered by her company Interos.
Her company recently supported the U.S.-China Economic and Security Review Commission on its report on supply chain vulnerabilities from China, "which outlines several recommendations, the most important being that the U.S. establish a “National Strategy for Supply Chain Risk Management (SCRM) in U.S. ICT” with supporting policies, so that the Nation’s security posture is forward-leaning vs reactive and based on incident response."
She organizes her written testimony to address six key areas related to the report and to the topic of the hearing. Here are a few of the topics she addresses:
1. A brief assessment of the emerging economic and national security risks from next generation connectivity and devices (particularly the IoT and 5G networks) for the U.S. with specific reference to the risks posed by other economies such as China, Russia and other sensitive countries. What additional risks, if any, does use of IT, standards, and/or equipment developed in sensitive countries pose to U.S. security? Are existing authorities and regulations adequate to address these challenges?
Software supply chain attacks will become easier, and more prevalent, as developing technologies such as fifth generation (5G) mobile network technology and the IoT exponentially increase the avenues for attack. [...] Relevant to the Report, increasing IoT installations will expand the attack surface of federal ICT networks while decreasing the time required to breach them, yet to date, the time required to detect breaches is not decreasing. The responsibility of both the public and private sector in improving their approach to risk awareness and management in the commercial technology supply chain cannot be overstated.