nito - Fotolia
The Trump administration's crackdown on supply chain security, followed by the U.S. Department of Commerce's announcement effectively banning sales to Chinese telecom giant Huawei Technologies Co., will have implications for a broad swath of U.S. businesses, according to tech sector experts.
"The goal of this action is clearly to target Huawei," said Laura Sallstrom, global head of data and trust at Access Partnership, a global public policy consultancy for the tech sector. "But its broad reference and vague writing open the door to broader inspection of the U.S. technology supply chain. Any executive whose company sources any part of his or her supply chain in China should be concerned about this."
The Trump administration, declaring a national emergency, issued an executive order (EO) on securing the information and communications technology critical infrastructure supply chain. The EO gives the government power to ban technology and services from "foreign adversaries" that pose "unacceptable risk" to national security, including economic and industrial espionage. The Commerce Department has 150 days to hash out regulations. In a separate action, the Commerce Department said it was adding Huawei to the Bureau of Industry and Security's Entity List, making it illegal for the company and its affiliates to buy American technology without U.S. government approval.
While the details and scope of the EO and follow-on announcement to ban Huawei sales are not known, the policy move -- coming amid a protracted trade war between China and the U.S. -- could affect U.S. businesses in a variety of ways, including new and stringent compliance regulations, tech experts and executives said.
At the outset, the administration's actions will set limits on U.S. companies selling chips and technology to Huawei. But regulations down the line could also restrict companies that might use Chinese products, from providers of critical infrastructure, such as water and electricity, to healthcare companies and telcos. The wording also suggests the EO could have ramifications for companies that have installed Huawei routers to replace more expensive Cisco equipment, Sallstrom said.
She said she is troubled by wording in the EO which references "services designed [and] developed" and which cites any foreign person "controlled by, or subject to the jurisdiction or direction of a foreign adversary." This could mean that the "great Russian engineer you just hired" could put your business in the line of fire, she said.
Charlie Dai, principal analyst at Forrester Research, underscored that the immediate impact of this week's actions will be on enterprises doing business with Huawei and ZTE, but down the line, U.S. consumers could find themselves paying more for a variety of goods.
"Chinese companies like Huawei and ZTE have very limited business presence in the U.S.; however, the hardware chipsets, devices and equipment from U.S. companies are very important for their business operations," Dai said. Last November, Huawei reported that 33 of its 92 core suppliers were from the U.S.
The EO could also impact other 5G equipment suppliers as well, Dai said. Huawei has extensive patent cross-licensing agreements across the 5G ecosystem. If these agreements are impacted by the EO, the performance and cost of equipment from providers that lose access to Huawei patents could be affected.
Huawei ban, EO a wake-up call
"Lack of supply chain security carries significant risks, and it's important for companies to take appropriate action to understand and mitigate such risks. For companies that have ignored supply chain security, the issuance of the executive order will likely serve as an uh-oh moment," he said.
Newfield noted that the U.S. government already has undertaken similar efforts to secure contractors' supply chain, and a key element of those efforts put the onus on contractors to understand and mitigate their supply chain risks. For IT executives to develop meaningful supply chain strategies, open communication between government and industry will be critical, Newfield said.
The regulations that will be hashed out in the coming months will need to be clearer about what types of equipment manufactured in China will be permitted. The U.S. government will also need to be more exact in communicating to industry what equipment or services are prohibited. The regulations will also need to be reconciled with ongoing regulatory efforts, and the final regulations will need to be crafted in a manner that results in understandable and implementable best practices.
"Ultimately, it's important for contractors to understand the risks that supply chain vulnerabilities pose to government missions," Newfield said. "Contractors exist to help support those missions in a secure fashion. So, we must view our role as a partner to government in achieving those goals, which includes contractor input on existing best practices that should be adopted."
New business opportunities: Supply chain audits
Mike O'Malley, vice president of strategy at Radware, a cybersecurity services provider, said the EO might ultimately end up affecting other Chinese vendors besides just Huawei. He said IT execs doing business with the federal government will likely need to verify that no equipment is coming from countries where the foreign government may force the supplier to spy on clients. They may also be required to verify through testing that there are no backdoors enabling a foreign entity to secretly tape voice and data payloads.
The new requirements could create business opportunities for IT services providers to both audit networks to verify compliance and upgrade services to replace potentially vulnerable equipment.
For example, Unisys is working on technology that will enable supply chain tracking down to the designer of a chip in a given device. This involves a certificate and ledger system in which each step -- chip design, chip fab, device assembly, purchase, use -- would be signed and included in a digital bill of materials with every device. Should regulators adopt such a system for critical infrastructure sectors, the vendor supply chain could easily adjust to comply, said Chris Blask, global director of industrial and IoT security at Unisys.
Katherine Gronberg, vice president of government affairs at Forescout Technologies, a security solutions provider, also pointed to the need for compliance technology to enforce policy. Creating prohibitions on specific products is one thing, but ensuring they are adhered to is another.
"We have observed federal and commercial customers that put in place specific, well-meaning policies that are routinely violated -- sometimes knowingly and sometimes unknowingly," Gronberg said.
Many businesses, for example, have rules against specific products, like Xbox or Windows 95, which are routinely found by Forescout's customers, she said. "The fact that we routinely find these devices on networks when we first deploy our product is evidence that policies are not perfect, and neither are the humans that implement them."
To mitigate the risk posed by the untrusted products that will inevitably make it onto their networks, Gronberg recommended enterprises supplement automated policy controls with well-known and NIST-recommended controls, such as network segmentation and cybersecurity tool integration/orchestration. This can ensure threat information can be shared and acted upon across all parts of the network, she said.
IT executives can be lured into a false sense of security because they think they are no longer procuring certain types of equipment, Gronberg said. A better strategy is to ensure systems remain secure and operational in spite of any vulnerable IT that makes it onto their networks. "This, more than bans of specific products, will enable true security and resiliency for our critical systems," she said.
A networking headache for Huawei customers
The EO could be particularly troublesome for IT execs that decided to replace Cisco networking equipment with cheaper Huawei gear, said Joel Vincent, CMO at Zededa, an edge computing provider.
"Part of the reason the government took this action is [because] Huawei's route to market for many years has been a direct assault on Cisco accounts," Vincent said. This has included making Huawei equipment intuitive for Cisco-trained engineers to use by basically copying the UI. This strategy has obviously worked extremely well, he noted, but it has also contributed to the allegations of intellectual property violations.
With an outright ban on Huawei products, the most obvious alternative for IT execs is to go with Cisco. "But a Cisco without an alternate supplier in Huawei will give pricing power to Cisco sales executives and reduce the negotiating ability of your average IT purchasing department and CIO," Vincent said.
Larger companies will be most affected by any pricing pressure resulting from any move to ban Huawei products. Purchasers of lower-end devices and networking equipment still have plenty of options, he said.
Selecting alternate equipment to Cisco to replace Huawei networking gear could also require training network engineering and support staff on different workflows, which could be a massive long-term effort.
"Should IT execs decide to integrate equipment other than Cisco, then there will be massive system integration opportunity, as well as certification required on new equipment," Vincent said.
But, if companies decide to buy new Cisco gear, the support and integration workflows are almost identical.
While the EO ultimately may not directly affect enterprises that don't do business with the federal government, it could still have a spillover effect, similar to the fallout from the government ban on Kaspersky, the Russian security provider, said John Vecchi, CMO of ColorTokens, a security tools provider. In late 2017, the Department of Homeland Security issued a ban on Kaspersky software products throughout U.S. federal agencies, citing risks to federal information systems. Soon, the use of Kaspersky antivirus, even in nongovernmental organizations, plummeted, with the EU labeling Kaspersky software as malicious.
"I suspect this move relative to Chinese and other nation-state-sponsored 5G vendors will take a similar path, albeit far greater in scope," Vecchi said.
The rollout of IoT edge technology enabled by 5G equipment is an important objective in industries ranging from electricity distribution and driverless cars/transportation to emergency healthcare and rapid response teams. A ban on Huawei and other "foreign adversaries" deemed a risk to security could open up tremendous opportunities for U.S. vendors, Vecchi said, as customers of any 5G vendor classified as a threat to national security will quickly try to replace that equipment with U.S.-sanctioned products.