WASHINGTON, DC – U.S. Senators Gary Peters (D-MI) and Ron Johnson (R-WI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to address cybersecurity vulnerabilities in the government’s information technology procurement and lifecycle process. The Supply Chain Counterintelligence Training Act creates a government-wide approach to securing information and communications technology by ensuring that all executive agency officials with supply chain risk management responsibilities are trained to identify and mitigate counterintelligence threats.
“America’s adversaries use any means necessary to gain access to valuable and sensitive government information, including possibly inserting compromising code into products or enlisting untrustworthy IT support personnel to exploit government systems,” said Senator Peters. “Allowing an adversary to gain a foothold in America’s technological supply chain is a risk that simply cannot be tolerated. This bill will help to shore up our nation’s cybersecurity defenses by investing in training to prepare our IT professionals to recognize and defend against counterintelligence threats.”
“Counterintelligence training for the federal workers buying and selling goods and services for the government is critical at a time when our adversaries are seeking every possible entry point to breach our systems and steal information,” said Senator Johnson. “This type of training will help close a potential gap in our cyber and physical security defenses.”
Training and preparing U.S. government personnel to recognize and mitigate these threats is an essential first step in preventing hostile actors from compromising America’s national security. The United States’ supply chains are vulnerable and should be proactively protected, including by training key personnel who are in a position to thwart these attacks. In 2017, the Department of Homeland Security issued a Binding Operational Directive ordering U.S. agencies to remove Kaspersky-branded products from U.S. systems due to the nature of the products Kaspersky manufactures, the company’s close ties to Russian intelligence, and requirements under Russian law that can mandate Kaspersky pass information from U.S. systems to the Russian government. Later that year, President Trump signed into law a government-wide ban on all Kaspersky Lab software. More recently, security experts have expressed fear that Chinese-made rail cars and 5G telecommunications products are susceptible to similar risks. In order to prevent adversaries from gaining a foothold in the nation’s technological supply chain, it is imperative that all specialists with supply chain risk management responsibilities are trained to identify and combat these growing threats.
The Supply Chain Counterintelligence Training Act requires the Director of the Office of Management and Budget (OMB), in coordination with the Director of National Intelligence (DNI), the Secretary of the Department of Homeland Security (DHS), and the Administrator of the General Services Administration (GSA), to establish and implement a counterintelligence training program for officials with supply chain risk management responsibilities at executive agencies. The program would prepare designated personnel to identify and mitigate counterintelligence threats that arise during the acquisition process and throughout the lifecycle of information and communications technology, bolstering America’s national security. The legislation also directs the agencies to regularly update Congress on the program’s implementation, allowing the Senators to effectively oversee its progress.