New Cyber Brief: Improving Supply-Chain Policy for U.S. Government Procurement of Technology

The Digital and Cyberspace Policy Program has launched its fourth Cyber Brief. This one is authored by Danielle Kriz, cybersecurity fellow at New America and formerly the director for global cybersecurity policy at the Information Technology Industry Council.

Policymakers around the world are increasingly concerned about the security of information and communications technology (ICT) supply chains. As governments rely more on ICT to conduct services, they worry about the proliferation of counterfeit products and malicious code, as well as the growing number of cyberattacks on these ICT systems. Within this context, governments are demanding that vendors improve the security of ICT products sold to the government, with a particular focus on vendors’ supply chains.

Danielle argues that recent policy proposals threaten to do more harm than good. She proposes a number of recommendations to develop effective supply-chain risk management policies. Namely policymakers should ensure the policies address clearly identified gaps, build on existing best practices, promote solid risk management practices, work globally, improve the government’s own ICT procurement practices, and facilitate more actionable cyber-threat information sharing with affected vendors. In addition, she argues that U.S. trade negotiators should discourage discriminatory, country-of-origin-focused prohibitions emerging from China and India.

You can find the full brief here.