The ongoing novel coronavirus pandemic is showing that global supply chains don’t always work in a country’s favor during a crisis, and the Department of Homeland Security has a role here including in helping to understand the origin of critical supplies, a former government official that is part of a task force advising DHS, said this month.

A lesson from the COVID-19 crisis is “a global supply chain is great for efficiency but when something unexpected and very bad happens, you can’t always count on a global supply chain to work in your national interests,” Stewart Baker, a lawyer with Steptoe and Johnson and former DHS policy chief general counsel with the White House National Security Agency, said last Thursday. “So, you have to ask the question that, ‘Where am I getting the things that I will depend on in an emergency?’”

Baker was speaking during a teleconference of the Homeland Security Advisory Council (HSAC) to update the group on the progress of the Economics Security Subcommittee, which was created in February by Acting Homeland Security Secretary Chad Wolf. The subcommittee, which is chaired by Frank Cilluffo, a homeland security expert and director of the McCrary Institute at Auburn Univ., is tasked with reviewing the department’s authorities related to economic security and making recommendations to ensure it is appropriately organized and resourced for this aspect of its responsibilities.

Cilluffo said his subcommittee plans to provide a report this fall that will provide a roadmap for the new economic security portfolio that is now part of the DHS Office of Strategy, Policy and Plans. The task force has received seven briefings so far, including from the DHS Cybersecurity and Infrastructure Security Agency, and from outside intelligence on various threat actors including China and Russia.

The supply chain is one of the areas the subcommittee is addressing, including regulatory authorities, DHS “equities,” particularly with the Committee on Foreign Investment in the United States and Team Telecom, which was formally established in April by the Trump administration to assess foreign participation in the U.S. telecommunications sector.

Baker, one of the subcommittee’s vice-chairs, highlighted that “DHS clearly is a central player in asking the question “’What do we need from our supply chain in an emergency and how do we make sure that we truly have economic security even in a crisis?’”

The COVID-19 crisis has highlighted supply chain challenges and the lack of adequate domestic production for some healthcare equipment when its urgently needed.

Baker said the DHS policy office can provide “perspective” and “strategic guidance” for all of government on the nation’s long-term supply chain needs.

Robert Rose, the other vice-chair on the panel, and who is also chairing a separate subcommittee on Information and Communications (ICT) Technology Risk Reduction, said during the HSAC meeting that his panel is looking closely hat how to mitigate ICT supply chain risk and said the work is “very complementary” to Cilluffo’s subcommittee.

Rose, who runs his own consulting firm, said the ICT subcommittee is “looking at how to increase security of ICT products and better using the full suite of cyber security and law enforcement trade and customs authorities to identify supply, and reduce, ICT risks.”

Cilluffo said the Economic Security Subcommittee isn’t “trying to boil the ocean here” but to come up with recommendations that in the short-term are achievable and “set us up for success in the long-term.”

ICT Review

Rose’s panel is taking on four questions posed by Acting Security Wolf. One is the current authorities that DHS has in the cyber space and in customs on reducing ICT risk. The second is what additional steps should the department take to identify and mitigate its ICT supply chain risks. Third is a focus on DHS procurement and fourth concerned the collaboration and better utilization of the private sector.

Steve Adegbite, the vice chair of the ICT Risk Reduction Subcommittee, is leading effort around current DHS authorities, for which he said a large and comprehensive set already exists. The group examining this question is looking for areas of misalignment, provide “minor additions,” and some guidance so that the existing authorities can be used more effectively, he said.

Jeff Moss, the founder of the Black Hat and DEF CON cyber security conferences, said his group within the ICT subcommittee is reviewing additional steps DHS should take to identify and mitigate ICT supply chain risks. Based on briefings the group has received so far, Moss said there are several strategies that DHS can implement to lower its risks.

One likely recommendation will be to take existing lessons learned in classified environments for acquiring products and services from trustworthy vendors and apply these lessons to the unclassified space so that procurement officers can make better informed purchasing decisions, Moss said.

Another recommendation will be around improvements to the ICT procurement process to “identify and simplify risks and to make sure that the products and services that the department is currently purchasing reflect best practices,” Moss said. Products purchased today will be in use for years so even “incremental improvements” instituted now will benefit DHS for years to come, he said.

Paul Stockton, managing director of Sonecon, LLC, said that for the procurement question, his group is looking at authorities elsewhere in the federal government that can be used by DHS. He said the “biggest areas for progress lies in establishing a risk management framework that’s better suited to deal with the incredible challenge of making sure that modernized ICT tools and technologies get to your workforce as fast as possible yet still provide for the adequate levels of security that are going to be needed.”

The group examining how to better work with the private sector is being led by retired Army Gen. Keith Alexander, who led the National Security Agency and U.S. Cyber Command and is the founder of IronNet Cybersecurity. Alexander wasn’t present to discuss his group’s progress.

Biometrics Subcommittee

The HSAC this year also established a Biometrics Subcommittee led by Robert Bonner, a commissioner of Customs and Border Protection during the administration of President George W. Bush. So far, the subcommittee has had two meeting and has received briefings from CBP’s Office of Field Operations and the Border Patrol, Immigration and Customs Enforcement’s Homeland Security Investigations and Enforcement and Removal Operations divisions, and U.S. Citizenship and Immigration Services on their uses and sharing of biometric data, he said.

The subcommittee is looking at the use and collection of biometrics, what modalities are being used and for what purposes, how data is stored and protected and shared within DHS and outside of DHS, Bonner said.

Later in May, the subcommittee will receive briefings from the Coast Guard, Transportation Security Administration and the Secret Service, and eventually presentations will be made by DHS Science and Technology, the Office of Biometric Identity Management, the policy and planning office, and possibly others, he said.

The panel doesn’t have any recommendations yet and a final report to the HSAC is planned for late September or early October. The subcommittee is looking for ways and recommendations for how DHS “can better coordinate the use of biometrics and also how they’re protected and how they’re shared both externally and internally,” Bonner said. “We hope to have recommendations that clarify roles and responsibilities where that is needed within the department and also recommendations to improve the department’s overall oversight and governance structure with respect to the uses and storage and purposes for which biometrics are used within DHS and components.”