Biden signs executive order demanding supply chain security review
President Joe Biden signed an executive order on Wednesday directing federal agencies to conduct a review of supply chain security risks in industries including information technology.
While a significant goal of the order is to address shortages of a wide assortment of critical imported components such as electric batteries and pharmaceuticals, it does include a mandated review of the information and communications technology sector. A prominent justification for the review is a desire to rely less on semiconductors manufactured overseas.
Biden, at a news conference to herald his signing of the executive order, said “we need to make sure these supply chains are secure and reliable.” It’s an issue, he said, “of both concern for economic security as well as our national security.”
Espionage remains a significant concern as well, after hackers leveraged access at a federal contractor to gather sensitive information from throughout the U.S. government.
The supply chain danger that’s generated the most attention in the cybersecurity world for months is the SolarWinds hack, where suspected Russian hackers implanted malware into patches of the much-used Orion software, ultimately affecting nine U.S. federal agencies and roughly 100 companies, the White House said.
Biden’s order also comes as his administration is determining its own course on Chinese companies like Huawei. The Trump administration deemed the Shenzhen-based telecommunications firm a national security threat and largely barred Huawei from obtaining U.S.-made semiconductors.
Specifically, the order directs reports within one year from the secretaries of Agriculture, Defense, Energy, Health and Human Services and Transportation — along with a joint Commerce/Homeland Security report — that include an assessment of cyber risks within key industry sectors that could disrupt the U.S. supply chain.
Biden signed the executive order after meeting with members of Congress from both sides of the aisle. Sens. Marco Rubio, R-Fla., and Chris Coons, D-Conn., urged Biden in a letter on Wednesday to expand use of the Defense Production Act, a law that allows the president to compel private sector industries to prioritize federal government orders, to address the semiconductor shortage that the senators said resulted from a decline in U.S. manufacturing.
“This loss has placed us in a precarious position, in which U.S. companies are faced with the prospects of relying on foreign suppliers to produce critical national security assets,” they wrote.
The Information Technology and Industry Council, which represents technology companies ranging from Apple to Zoom, praised the Biden administration order, although it said it must be paired with significant funding for a Commerce Department grant program to support investment in U.S. semiconductor manufacturing and design.
“The U.S. government and industry must work together to achieve the trusted, secure, and reliable global supply chain that is necessary to encourage economic growth, protect national security, and harness U.S. innovation,” said Jason Oxman, the council’s president and CEO.
Said Senate Intelligence Chairman Mark Warner, D-Va.: “Today’s Executive Order is a good first start but much more work remains to be done — and quickly, including fully funding a number of enacted bills related to promoting supply chain security, resiliency and greater American competitiveness in key foundation technologies like semiconductors and wireless infrastructure.”
The Senate Intelligence Committee on Wednesday held a hearing on the SolarWinds hack. Warner and other senators criticized Amazon Web Services for declining an invitation to appear at the hearing, where lawmakers asked questions about the SolarWinds hackers launching attacks via U.S. servers.
AWS didn’t answer CyberScoop questions on Tuesday about why it declined the invitation, but in a statement on Wednesday it shed some light on how it was and wasn’t connected to the SolarWinds hack. The incident was the latest demonstration of how intruders can abuse access at one company to affect others.
“The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud),” an AWS spokesperson replied. “And, in fact, the actors did use several different service providers in this manner.”
“AWS is not affected by the SolarWinds issue, and we do not use their software,” the spokesperson said. “When we learned of this event, we immediately investigated, ensured we weren’t affected, and shared what we learned with law enforcement. We’ve also provided detailed briefings to government officials, including Members of Congress.”
Updated, 2/24/21: to include a link to the executive order and information on some of its specific language.