WASHINGTON — Amid intensifying warnings about foreign spies and criminals infiltrating new 5G networks and the military supply chain, the Pentagon has been considering publicly releasing a “blacklist” of companies it believes could pose risks to its weapons based on using risky suppliers.
The Defense Department is considering a long-debated proposal for publicly blackballing companies with risky supply chains, multiple sources in government and the private sector told Yahoo News. However, the sources cautioned that the blacklist, at least as discussed, isn’t likely to be implemented anytime soon, given the difficulties of enforcing it with an interconnected global military supply chain estimated at some $100 billion.
"The Department of Defense continually reviews and assesses various supply chain risk factors when deciding what courses of action to take in defense of our national security,” wrote Lt Col Mike Andrews, a department spokesman, in an email to Yahoo News.
“The Department of Defense continues to work through the interagency process to communicate on such matters with other Federal agencies, Congress, and industry for improved protection across the National Security Innovation Base."
The proposed blacklist comes as the U.S. government has doubled down in recent months on what it regards as a growing threat of foreign adversaries spying on private sector companies important to infrastructure and defense. One of the main concerns of the Trump administration has been about China’s growing dominance in 5G, the next generation of mobile communications, which will allow for lightning-fast downloads and futuristic “smart” cities.
China, officials say, is the primary threat and they point to a growing list of indictments for industrial espionage and theft of trade secrets from the Department of Justice that illustrates that reality.
“Supply chain cannot be that fuzzy word we’re uncomfortable with,” said Bill Evanina, acting director of the National Counterintelligence and Security Center, speaking in Washington at an event earlier this month. “The mistakes we’ve made for decades have to be fixed.”
Trying to guard the supply chain is no easy task. At Lockheed Martin, one of the Pentagon’s largest contractors, there are over 20,000 different companies in the supply chain, according to James Connelly, the company’s vice president and chief information security officer, speaking at the same event.
The threats appear to be growing as defense companies increasingly rely on a complex network of suppliers for both hardware and software. Last week, for example, Vice’s Motherboard reported that sophisticated hackers used Taiwanese technology company ASUS’s software to push malicious security updates to “thousands of its customers’ computers last year.”
In January, the Justice Department indicted Huawei for stealing data from T-Mobile, and in 2018, the FBI and the Department of Homeland Security warned that Russian hackers were targeting suppliers for energy utility companies to access and surveil the industrial control systems.
The administration appears to be making a concerted effort to focus on supply-chain issues. The Office of the Director of National Intelligence has designated April “National Supply Chain Integrity Month,” and the Department of Homeland Security in November formed a Supply Chain Risk Management Task Force. Also, a new Federal Acquisition Supply Chain Security Council will meet for the first time this month.
But blacklisting a company because of its supply-chain risks may prove to be difficult to implement. Although such a blacklist might be helpful for counterintelligence, naming and shaming U.S. companies will open up the government to lawsuits. An alleged offender determined to make a sale could disappear and reappear under a slightly different name months later, said one senior national security official.
But for companies operating in a global marketplace, the process for engaging with the Pentagon on mitigating supply-chain risks can be opaque. Since 2015, the Pentagon has reserved the power to block companies from getting military contracts based on what it deems a “supply chain risk” without providing transparency on how companies can allay those concerns.
For the government, whose national security officials see security threats around every corner, the “black box” strategy makes sense as a way to avoid tipping off the adversary on how to evade scrutiny. However, it has made life difficult for the many companies hoping to do legitimate business around the world.
In some ways, the desire to come up with a blacklist of companies with supply risks mirrors the White House’s approach to 5G. Although the issue of commercial 5G is distinct from that of the supply chain blacklist, which would be limited to Pentagon contractors, securing future networks and ensuring the supply chain for U.S. weapons are linked.
Both efforts have required a broad — but still undefined — strategy beyond bans and blacklists, say officials, who acknowledge there are few easy solutions.
The Trump White House has reportedly planned to place a ban on Chinese telecommunications companies Huawei and ZTE for their 5G development, but no executive order has been issued. More recently, senior U.S. national security officials have insisted that the Trump White House strategy on defending future 5G networks is “country and company agnostic.”
Meanwhile, rolling back China’s 5G dominance may prove difficult. Huawei and ZTE have already made deals with countries around the world to implement 5G technology for cheaper costs and with better technology — and key allies like the United Kingdom and Germany don’t appear to be onboard with the White House’s approach.
Although the U.K’s National Cyber Security Centre declared Huawei products insecure and open to possible vulnerabilities, the U.K. government has not come down hard against working with Huawei on 5G. German officials have also expressed public hesitation about banning Huawei from German networks.
Upal Basu, of NGP Capital, the investing arm backed by Nokia that has invested in companies in the United States and China, says the focus should be on the United States working to maintain its own advantage in 5G “instead of focusing on Huawei.”
Huawei, he argues, has become a “scapegoat” due to its murky connections to the Chinese government. “Our desire is that this network rolls out quickly and the policy does not slow this down,” he told Yahoo News.
The United States can try to “impose requirements on allies that ‘thou shalt not use Huawei,’” he said, but it’s hard to convince other countries of that position amid the ongoing trade war with China and the competitive package Huawei is offering. Instead, he argues, the United States should invest in its own 5G networks.
The resistance to an outright ban on Chinese companies and 5G may be making an impact on U.S. strategy. “It seems they are getting cold feet,” said retired Brig. Gen. Robert Spalding, a former National Security Council official focused on 5G and emerging threats.
“There is no agreement” within the White House on how to deal with the 5G issue, said James Lewis, the director of the technology policy program at the Center for Strategic and International Studies. “Just that Huawei is a risk that we need to do something about.”
The barriers to coming up with a solution to supply-chain security could prove similar to what happened with 5G: Bans and blacklists sound like easy fixes, but they end up being complex to implement and politically sensitive. Instead, top intelligence officials have been forced to turn to the private sector, where the vulnerable underbelly of government security is located.
“I hear CEOs say, ‘Hey, we have the best cyber program,’” said Evanina, the FBI official. “What about [human resources], your procurement and acquisition folks?”
“That’s your weakest link ... how much [counterintelligence] training do they get?”
Read more from Yahoo News: