The U.S. federal government has enacted bans on equipment it deems a national security risk. The move should make CISOs wary of what products they bring into their organizations.
A recently passed federal law targeting hardware from Huawei and other manufacturers could have security implications for leaders in industries beyond the telecommunication companies that are the most common buyers of such products.
The new law, known as the Secure and Trusted Communications Networks Act, specifically targets equipment made by companies that federal officials consider "entities posing unacceptable national security risk."
On its surface, the new law may seem outside the realm of enterprise security leaders, but experts said CISOs -- particularly those who work with the federal government or may seek government contracts in the future -- need to pay attention.
"All CISOs and IT leaders, both inside and outside of the federal government, should take heed of the list to be published by commission because it will identify what equipment cannot be used when working with federal organizations," said Frank Downs, senior director of cybersecurity advisory and assessment solutions at ISACA, an international professional association focused on IT governance.
US ban Huawei, others from federal funds
The law essentially prohibits federal funds being used in any way to buy or maintain telecommunications equipment or services from untrusted suppliers and specifically names Chinese suppliers, including Huawei. It also provides federal funds to help small -- fewer than 2 million customers -- communications providers replace equipment from such suppliers. The measure also requires the government to compile and share a list of suppliers it considers security risks.
President Donald Trump signed the law on March 12, 2020. The House approved the measure in December, and the Senate unanimously voted to pass it in February 2020.
I believe that most cybersecurity professionals, myself included, would strongly recommend that a company adhere to the list [of prohibited vendors].
Frank DownsISACA
"The act prohibits the use of federal subsidies made available through programs administered by the FCC [Federal Communications Commission] from being used to do business with any entity on the list of suspected communications equipment providers," said Terry Dunlap, CSO and co-founder of ReFirm Labs, a security tech and services firm, and a former global network vulnerability analyst at the National Security Agency. Dunlop and other experts said the new federal law mostly impacts telecommunications companies. Small, rural carriers that look to buy equipment from Huawei because they can't afford other brand-name gear are likely to be the most significantly impacted, they added.
"Huawei has found a fertile market in rural America," Dunlop said.
Dunlop said he doesn't think this most recent federal action will directly impact many CISOs, "unless you're the CISO of one those companies who are buying, or have bought, the banned gear."
Still, CISOs should see the measure as reinforcing the need to thoroughly vet vendors and know which manufacturers are supplying the equipment coming into their organizations. "If a business can say, with a high degree of confidence, that they will never work with the U.S. federal government, then they could consider ignoring the list [of prohibited vendors]," Downs said. "However, I believe that most cybersecurity professionals, myself included, would strongly recommend that a company adhere to the list."
Politics, security drive US ban
The Secure and Trusted Communications Networks Act comes about 18 months after the 2019 National Defense Authorization Act, which prohibits federal agencies and contractors from buying equipment from Huawei, as well as several other Chinese firms.
The main elements of the bipartisan measure address U.S. concerns about the 5G supply chain and the potential that networking equipment made by foreign companies could include security vulnerabilities that hostile nations might use against the United States.
For instance, other countries have not shared the same level of concern, and despite the U.S. ban, Huawei and other Chinese manufacturers are still being used in these nations.
Additionally, Huawei challenged the National Defense Authorization Act; a U.S. judge rejected Huawei's lawsuit in February 2020. The company called the U.S. actions to ban it "political persecution" and charged that federal bans on its equipment will put the United States at a disadvantage.
There are also questions about whether it is a threat or what kind of threat Huawei and other foreign equipment makers pose.
"This is a geopolitical decision that does not necessarily have technical arguments backing it," said Dimitris Mavrakis, research director with ABI Research and manager of the firm's telco network coverage.
Mavrakis noted that it has not been proven that Huawei has been eavesdropping via its technologies or doing any intentional malicious activity, and operators all over the world are acting in good faith that Huawei is providing equipment and services to its clients without hidden backdoors.
"The U.S. government seems to think they are acting maliciously," Mavrakis said. "On the other hand, the U.S. government may have data and analysis that we cannot be aware of."
CISOs need to vet suppliers
Mavrakis said the laws have pushed Chinese equipment manufacturers out of the U.S. market. That means CISOs aren't easily able to buy from vendors like Huawei, even though it is the world's largest maker of telecommunications equipment and a leading smartphone brand. Huawei and ZTE manufacture and supply routers and switches, in addition to networking gear and smartphones. However, others said, CISOs should see federal concerns about vendor-related security risks as a reminder to include an expansive security review process as part of procurement practices.
"They should pay attention to their supply chain risks regardless," Dunlop said.
Similarly, Downs said, leadership should have a security vetting process in place that includes a thorough understanding of what they're buying, down to the components.
"Although each organization's requirements are different, they should have in-depth concerns about hardware or applications that may leverage multiple components," Downs said. "They should ask the vendors for a component list for the products that the implementing organization plans to use."
