Responding to longstanding security concerns over Huawei and other Chinese companies, two U.S. senators have introduced legislation to boost oversight of hardware and software from China.
The Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply (MICROCHIPS) Act would direct the director of national intelligence, the Department of Defense, and other agencies to come up with a new supply chain security plan within 180 days of the bill’s passage and establish a National Supply Chain Security Center within the Office of the Director of National Intelligence. As Sen. Mike Crapo of Idaho, who sponsored the bill along with Sen. Mark Warner of Virginia, explained in a statement: “Counterfeit and compromised electronics installed in U.S. military, government and critical civilian platforms give China potential backdoors to interfere with and compromise these systems.”
The bill is squarely aimed at Chinese companies, after President Trump threatened to end an export license that allows U.S. companies to sell to Huawei. Several U.S. policymakers have raised concerns that Huawei may be building surveillance backdoors into its networking equipment.
On Aug. 19, Secretary of Commerce Wilbur Ross delayed planned penalties against Huawei for 90 days.
Crapo accused the Chinese government of giving the country’s tech vendors “an unfair and unsafe advantage” by subsidizing and investing in them.
The bill also attempts to combat intellectual property theft and counterfeit or compromised electronics from China, Warner added in a statement.
Huawei didn’t have an immediate comment on the legislation.
Some legal and security experts praised the move.
“Supply chain security has been under attack for the past decade, especially as it pertains to offshore supply of electronics and various components,” said Chris Hickman, chief security officer at Keyfactor, a vendor of digital identity management solutions. “The ability to interject software or other nefarious components into manufactured goods continues to allow the introduction of spyware into government, commercial and consumer environments.”
The legislation is a good start, added Braden Perry, a lawyer focused on cybersecurity and regulatory issues with the Kennyhertz Perry law firm near Kansas City.
“It’s Congress alerting foreign nations — specifically China — that it is taking the security threats from electronic manufacturers within the supply chain, and monitoring malicious chips or counterfeit parts that could create backdoors enabling the monitoring or stealing of sensitive data or cause broader system malfunctions,” he said.
Creating a central clearinghouse to assess equipment and prevent compromised technologies could help reduce threats to the U.S. government and military supply chains, he added.
Nationally coordinated efforts to improve supply chain security would be a positive step, added Justin Sherman, a cybersecurity policy fellow at the New America think tank.
“The bill is also right to point out China and Russia as countries with great interest in sabotaging the cybersecurity of American systems through compromises in the supply chain,” he said.
But there are other ways to attack the problem beyond the scope of the bill, he added. The U.S. government should work with allies to address the global problem, Sherman said.
Sherman also called for better messaging and handling of supply chain risks at the White House. The Trump administration has used legitimate national security risks related to Chinese equipment as bargaining chips in a trade war, and that’s “extremely problematic,” he said.
“It’s also unhelpful for the administration to conflate national security risks with public evidence that backdoors do in fact exist in certain equipment,” he added. “There is currently no public evidence that Huawei equipment has backdoors, for instance, despite evidence of pervasive security flaws.”
One cybersecurity expert questioned what the bill would accomplish. The 180-day deadline for agencies to create a supply chain plan may not be enough time, said Zohar Pinhasi, CEO of cybersecurity vendor MonsterCloud.
“Potentially, as with anything that’s government led, it depends on how much bureaucracy and red tape is going to be tolerated,” he said. “A truly comprehensive plan might take up to a year to develop, and even longer to execute. History has shown that it’s not necessarily the ability to collect information and intelligence on threats but the ability to actually do something with that information — to thwart efforts we know are in the works.”