Lawmaker sounds alarm on supply chain risk

Rep. Mike Gallagher (R-Wis.) wants the Defense Department to shore up cyber vulnerabilities in the defense supply chain and says the newly formed Cyberspace Solarium Commission could help.

Rep. Mike Gallagher (R-Wis.) wants the U.S. government to take its supply chain security problems more seriously.

On a conference call with reporters, Gallagher, a co-chair of the Cyberspace Solarium Commission and a member of the House Armed Services Committee, cited a recent oversight report that showed that Defense Department personnel used government purchase cards to buy off-the-shelf technology with known vulnerabilities.

The congressman's cybersecurity concerns are part of an increasingly fierce debate over defense supply chain security in the past two years, one that has everyone from regulators to contractors yearning for clearer, stricter rules and for bans on specific products and manufacturers.

Gallagher recently introduced a bill that would require congressional approval for Huawei to be removed from the tech blacklist. But for DOD to better secure its supply chain, a cultural schism between the Pentagon and the tech industry must be addressed.

"One of the most consistent things we've been discussing amongst the commissioners is finding a way to bridge the cultural divide between the private sector and the Pentagon," Gallagher said, in reference to Google pulling out of DOD's AI-powered Project Maven because of employee concerns, while continuing to do business in China.

"We need a more flexible model by which the private sector can work with the Pentagon. And if we remain culturally divided," he said, "then we're going to lose the competition with China."

The Cyberspace Solarium Commission is a bipartisan effort for a governmentwide approach to cybersecurity and the protection of technologies that are key to U.S. national security and military preeminence. It focuses on offensive strategy, defensive deterrence and regulating threats through global norms.

DOD CIO Dana Deasy has been targeting improvement of the organization's security posture. Deasy told Congress earlier this year the goal was to strengthen compliance and enforcement by shifting from a self-certification process to one where DOD's undersecretary for defense acquisition and sustainment would evaluate and validate the self-assessments, then assign confidence scores.

But the key will be closing cybersecurity gaps before DOD is seriously compromised. Roslyn Layton, co-creator of ChinaTechThreat.com and visiting scholar at the American Enterprise Institute, told reporters via teleconference the defense industrial base is the "path of least resistance" for hackers and supply chain vulnerabilities are reminiscent of the circumstances around the Office of Personnel Management hack in 2015.

"OPM ignored the recommendations that their IG had made for years, which included among other things, the need for an accurate centralized inventory of all servers, databases and network devices that reside on the network," Layton said.

This article first appeared on FCW, a partner site to Defense Systems.