The federal government can’t legislate or mandate its way out of the risk of foreign hackers compromising its networks, the top tech official in the government’s nuclear security agency said Tuesday.
Instead of banning software with a connection to China or other U.S. cyber adversaries, government tech shops should focus on installing safeguards that mitigate any risk the software poses for foreign spying or sabotage, said Wayne Jones, chief information officer at the National Nuclear Security Administration.
“You can’t think about it: ‘Well, I’m not going to use that product because it came from China.’ You have to figure out: ‘How do I use that product so it’s going to protect my information,’” Jones said during a panel discussion hosted by the Armed Forces Communications and Electronics Association, a professional association.
“How do you build an environment … that you can have these tools or products in to ensure that you’re not giving away the farm,” he said.
Jones declined to specifically discuss a governmentwide ban that Congress approved in December for anti-virus from the Moscow-based Kaspersky Lab or congressional bans that are likely to become law aimed at the Chinese companies Huawei and ZTE.
“I’m not going to say whether Congress has gone too far or not, because I do like my job,” he said.
Jones did note, though, that it would be exceedingly difficult to restrict the government to only hardware and software with no questionable foreign ties.
“We’re in a global economy whether we want to believe it or not,” Jones said.
He later added: “When we start pulling the onion back on all of the products and services that you have, you’re going to find a chip somewhere—let’s just be honest about it—from one of the nations we’re not happy about using.”
Even with the governmentwide ban in place, Jones noted, tech and cyber officials must still deal with Kaspersky’s risks.
“I know that, in my environment, I have scientists from other countries who come in to do work for us that have [Kaspersky]. So how am I protecting myself from that?” Jones asked. “Kaspersky is not one of the tools I use in my environment today, but there are people who connect to my guest networks that do have it. So how do I protect myself?”
Donald Purdy Jr., the chief security officer at Huawei’s U.S. division, made a similar argument in a Tuesday op-ed published in Fortune.
By banning particular software from specific countries, Congress fundamentally misunderstands the nature of cyber threats, Purdy, a former top government cyber official during the George W. Bush administration, argued.
“Members of Congress may sincerely believe that barring one or two Chinese companies from the U.S. market will significantly protect the country’s networks,” Purdy writes. “But today’s telecommunications industry is transnational and borderless. All of its leading players already use equipment developed or manufactured in China.”
Instead of “selectively banning one or two foreign companies from the U.S. market,” Purdy writes, the government should focus on improving cyber resilience and “implementing a comprehensive cybersecurity strategy.”
Purdy’s op-ed, while it discusses congressional efforts to ban Huawei from government networks, is focused largely on a Federal Communications Commission regulatory action that would restrict Huawei in U.S. telecommunications networks on a much broader scale.
The governmentwide Huawei and ZTE ban is included in both the House and Senate version of a must-pass annual defense policy bill. Those bills have passed both chambers and are now with a conference committee.
The Homeland Security Department, which has not yet taken any action against Huawei and ZTE, instituted a governmentwide Kaspersky ban in October, two months before the congressional ban. Kaspersky is challenging both of those bans now in the U.S. Court of Appeals for the District of Columbia.
Both Kaspersky bans cited a Russian law that officials believe could compel Kaspersky to help the Kremlin spy on U.S. government agencies.