While a consensus has emerged in Washington, D.C. that securing the federal and commercial ICT supply chain is a U.S. priority, many questions remain on how to address the current patchwork of disparate and duplicative compliance regimes. On June 15, ITI brought legislative and executive branch stakeholders together with industry experts to explore these questions in an interactive conversation, “Facilitating a Secure, Competitive, and Resilient ICT Supply Chain.”
The event featured a keynote address by Brian Scott, Director for Critical Infrastructure Security at the National Security Council, followed by a conversation between Representative Yvette Clarke (D-NY) and Gordon Bitko, ITI's SVP for Public Sector Policy. Afterward, a panel featuring ITI member representatives Don Davidson, Director, Cyber-SCRM Programs at Synopsys, and Jim Richberg, VP of Information Security and Public Sector Field CISO at Fortinet, was moderated by Courtney Lang, ITI’s Senior Director of Policy for Trust, Data and Technology.
Scott’s opening remarks focused on the Biden Administration’s efforts to combat cybersecurity threats and ensure the resiliency of critical supply chains through two initiatives: the Executive Order on America’s Supply Chains, and the Executive Order on Improving the Nation’s Cybersecurity. “The [cybersecurity executive order] reflects the need to shift our thinking from response to prevention. We’ve come to accept... constant response as a mode of doing business. We need to step back and challenge that idea,” said Scott. He also noted that collaboration between government and industry was paramount: “We need the private sector. We need your expertise, and you need us. We need your input to develop the most effective best practices as we move forward.”
Rep. Clarke and Bitko had the opportunity to discuss two ITI publications from earlier in 2021: a white paper on federal ICT supply chain risk management (SCRM), and a principles document urging a strategic reset on ICT supply chain policy. From her position as Chair of the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, Rep. Clarke provided valuable insights on the need for a streamlined federal ICT supply chain framework that embraces private sector partners. “There are so many lines of effort underway, and I’m concerned that they’re not coordinated and may cause confusion among stakeholders,” she said. “That’s why we need to leverage the ICT SCRM Task Force at CISA.”
Rep. Clarke also indicated that she was looking for the U.S. Senate to introduce companion legislation for state and local cybersecurity grants that were recently authorized by the U.S. House of Representatives. “There’s no doubt that the [cybersecurity] crisis on the state and local level is an urgent call to us to action,” said Rep. Clarke. She also noted that investing in cybersecurity is crucial: “This is the time for us to make these investments, this is time for us to cross into the 21st century clear eyed and understanding that our way of life is under attack, and the only way for us to maintain and build upon the successes we’ve had as a democracy is by building out a 21st century infrastructure that is reflective of what we know are threats to our way of life.”
The discussion between industry experts centered on ways the U.S. government can incentivize strong SCRM practices from both federal contractors and companies operating commercially. “The government has carrots and sticks—start with your carrot, incentivize people before you think about liability and punishment,” Richberg suggested. The group also addressed how the government can use industry best practices to source from trusted suppliers. “It used to be that a ‘trusted supplier’ was a snapshot in time…we’re now approaching a world of zero trust, where we should be able to do a better job of collecting information,” said Davidson.