Former Intelligence Director McConnell Urges Against SoftBank Sprint Purchase
Japanese-owned SoftBank should not be permitted to buy Sprint due to national security concerns, said former Director of National Intelligence Mike McConnell during the first of two House cybersecurity hearings Tuesday. SoftBank’s $20.1 billion bid to buy 70 percent of Sprint Nextel has recently been criticized because of allegations that SoftBank uses equipment from Chinese telecom manufacturers Huawei and ZTE (CD May 21 p12). “If you are in the intelligence business ... the one thing you would love to do is run the telecommunications infrastructure in another country ... so having a foreign country own and control a communications company inside the United States ... I would not be in favor of,” said McConnell, who was in George W. Bush’s administration and is now the vice chairman at Booz Allen Hamilton.
Lawmakers on both sides of the aisle agreed Tuesday that more work needs to be done to secure the supply chain for communications network equipment. The House Communications Subcommittee said it launched a supply chain security working group this week, co-chaired by Communications Subcommittee Ranking Member Anna Eshoo, D-Calif., and House Intelligence Committee Chairman Mike Rogers, R-Mich. Last year Rogers urged the U.S. government and American companies to avoid doing business with Huawei and ZTE because of what he said are long-term security risks associated with the companies (CD Oct 10 p4). Also participating in the working group are: Reps. Bob Latta, R-Ohio; Mike Doyle, D-Pa.; Lee Terry, R-Neb.; Ben Lujan, D-N.M.; Adam Kinzinger, R-Ill.; and Jim Matheson, D-Utah.
Communications Subcommittee Chairman Greg Walden, R-Ore., said in his opening remarks, “Supply chain risk management is essential if we are to guard against those that would compromise network equipment or exploit the software that runs over and through it.”
Eshoo said supply chain security should be a “key component” of the cybersecurity framework being developed by the National Institute of Science and Technology (NIST). “The implications of foreign-controlled telecommunications infrastructure companies providing equipment to the U.S. market, I think, really presents a very serious threat,” she said. Rep. Doris Matsui, D-Calif., said it’s “critical for industry to continue to be vigilant in ensuring their manufacturing and distribution processes are not compromised.” She said lawmakers should also seek to address the security of mobile applications, which she said are being used by hackers to infect consumers’ cellphones with malware.
America’s reliance on a global supply chain for communications equipment “introduces some degree of risk,” GAO said in a report on supply chain security (http://1.usa.gov/11WcKw4). “Risks include threats posed by actors such as foreign intelligence services or counterfeiters that may exploit vulnerabilities in the supply chain.” Several network providers and equipment manufacturers interviewed by GAO said supply chain security is a high priority because any breaches of security could affect their brand image and profitability, according to the report released Tuesday.
Several Republicans on the panel expressed concern that NIST’s forthcoming voluntary cybersecurity framework may be used later by the government to impose regulations upon the private sector. Rep. Marsha Blackburn, R-Tenn., said lawmakers must ensure the cybersecurity executive order “stays true to a voluntary, cooperative standard. Likewise, Congress and the executive branch should refrain from further exploring legislative regulatory proposals giving DHS [the Department of Homeland Security] authority to impose critical infrastructure requirements,” she said. “Our focus should be on developing consensus public policy that puts American businesses in the driver’s seat and allows cooperation and collaboration, not top-down and one-size-fits-all mandates.”
NIST Director Patrick Gallagher said cybersecurity standards are not the same thing as regulations: performance-based cybersecurity standards are voluntary “agreed upon best practices, behaviors and norms,” he said. Such standards “are not static, they can be changed” and their development by the private sector can help promote cybersecurity innovation. Gallagher said some people “are equating the term voluntary with weak. That is not the case ... Industry is quite capable in putting forth performance assessment tools.” Gallagher said the successful development of a cybersecurity framework depends on an effective partnership across the federal government, and that the framework must be developed by industry and public stakeholders. The goal is for “industry to take and update the cybersecurity framework themselves,” he said.
Gallagher said he’s been “very satisfied” with the amount of private sector participation in NIST’s development of a cybersecurity framework. “My biggest concern when the executive order was announced was -- would the concerns of potential regulation later deter private sector from participating?” he said. “A boycott would have been devastating” but “the opposite has happened,” he said. “We have so many leading companies participating in this effort ... it will make all the difference.”
Witnesses representing critical infrastructure industries praised the House-passed Cyber Intelligence Sharing and Protection Act (CISPA) (HR-624) and urged the Senate to pass similar information-sharing legislation. Robert Mayer, USTelecom vice president-industry and state affairs, commended CISPA’s passage in the lower chamber. “The single most important step that can be taken to combat this worldwide scourge is giving our companies’ security personnel access to real-time, actionable cyberthreat information.”
Mayer said he felt confident that the forthcoming cybersecurity framework will remain voluntary, but he said telecom groups have concerns about two specific sections of the President’s cybersecurity executive order. “Ultimately the interpretation and implementation of sections 9 and 10 of the order ... may spell the difference between the success and failure of this effort,” he said. Section 9, which he said seeks to determine which critical infrastructure sectors are at the biggest risk, could “undermine many of the elements of a successful framework.” Section 10 of the executive order, which he said requires federal agencies to determine if their cybersecurity regulatory requirements are sufficient, “arguably ... serves as a hunting license to regulate.”
Cybersecurity “legislation is required” to permit cyberthreat information sharing, said McConnell. “The question is whether you incentivize the private sector or whether you compel it.” The U.S. must develop cybersecurity standards that can evolve and be dynamic, he said. And Congress should put into law privacy and civil liberty protections that permit intelligence experts to complete their mission, he said: “Put it in law what you don’t want to happen.”
Phyllis Schneck, vice president and chief technology officer-global public sector at McAfee, also urged lawmakers to enact legislation that offers liability protections to companies who share cyberthreat information with the government. “We should never have to worry about protecting our country versus liability protections,” she said. Information sharing is “an enormous piece of this picture,” she said.