WASHINGTON, DC – The U.S. Senate unanimously approved bipartisan legislation introduced by U.S. Senators Gary Peters (D-MI) and Ron Johnson (R-WI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, to address cybersecurity in the purchase of information technology equipment for the government. U.S. Senator Maggie Hassan (D-NH) also cosponsored the legislation. The Supply Chain Counterintelligence Training Act would ensure that all executive agency officials charged with managing supply chain risks, such as procurement or contracts officials, are trained to recognize and mitigate counterintelligence threats posed by foreign nations.
“Bad actors are constantly finding new ways to obtain sensitive government information, whether it’s through hacking, ransomware, or even by compromising the technology and equipment our government buys,” said Senator Peters. “We must stop adversaries from gaining access to sensitive information and undermining our nation’s cybersecurity. I’m pleased the Senate has approved this bipartisan legislation to help address these challenges, and I look forward to its swift consideration in the House of Representatives.”
“Counterintelligence training for the federal workers buying and selling goods and services for the government is critical at a time when our adversaries are seeking every possible entry point to breach our systems and steal information,” said Senator Johnson. “This type of training will help close a potential gap in our cyber and physical security defenses.”
“The federal government must do everything possible to prevent foreign adversaries from gaining access to national security secrets and other sensitive information stored on government systems,” said Senator Hassan. “As cybersecurity threats to our federal government evolve, this bipartisan bill is an important step forward.”
Training and preparing U.S. government personnel to recognize and mitigate supply chain cybersecurity threats is an essential first step in stopping bad actors from compromising America’s national security. The United States’ supply chains are vulnerable and should be proactively protected, including by training essential personnel who are in a position to prevent these attacks. In 2017, the Department of Homeland Security issued a Binding Operational Directive ordering U.S. agencies to remove Kaspersky-branded products from U.S. systems due to the nature of the products Kaspersky manufactures, the company’s close ties to Russian intelligence, and requirements under Russian law that can mandate Kaspersky pass information from U.S. systems to the Russian government. Later that year, President Trump signed into law a government-wide ban on all Kaspersky Lab software. More recently, security experts have expressed fear that Chinese-made rail cars and 5G telecommunications products are susceptible to similar supply chain risks. In order to prevent adversaries from gaining a foothold in the nation’s technological supply chain, all specialists with supply chain risk management responsibilities must be trained to identify and combat these growing threats.
The Supply Chain Counterintelligence Training Act requires the Director of the Office of Management and Budget (OMB), in coordination with the Director of National Intelligence (DNI), the Secretary of the Department of Homeland Security (DHS), and the Administrator of the General Services Administration (GSA), to establish and implement a counterintelligence training program for officials with supply chain risk management responsibilities at executive agencies. The program would prepare designated personnel to identify and mitigate counterintelligence threats that arise during the acquisition process and throughout the lifecycle of information and communications technology, bolstering America’s national security. The legislation also directs the agencies to regularly update Congress on the program’s implementation, allowing the Senators to effectively oversee its progress.