Back on August 2nd Rep. Slaughter (D,NY)
introduced HR 6277, the Keep America Secure Act (Note: it was just published
today by the GPO). The bill would protect national security by limiting the use
of foreign produced electronic devices in purchases made by the US Government.
One would like to assume that this is a supply chain security issue (as the
term is used by the cybersecurity community) and not a simple attempt to
protect some manufacturer in the Congresswoman’s District.
Prohibit Use of Foreign Electronic Components
The bill would require the Secretaries of Defense and
Homeland Security to ensure that their respective Departments do not “purchase
any equipment or military aircraft that contains electronic components that are
not manufactured in the United States” {§2(a)}. The term ‘electronic components’
is given a very wide definition; it would include {§2(e)(1)}:
• Any integrated chip or sensing
device;
• Communications systems and equipment;
• Search, navigation, and guidance
systems and equipment; and
• Software associated with the
items described
The only other area that would face similar restrictions
would be the civil aviation sector. The FAA would be required to issue
regulations that would require that “any passenger aircraft constructed after
such date [one year after passage of this bill] and any replacement of
electronic components on a passenger aircraft use electronic components (as
defined in section 2(e)) manufactured in the United States” {§3}.
Interestingly, DHS and DOD have been provided an escape
clause from their requirements if the Secretary determines that it would be “be
inconsistent with the public interest or would result in unreasonable costs to
the Department of Defense or the Department of Homeland Security” {§2(c)}. No
such provision is made in the requirements for FAA regulations.
The Inevitable Study
The bill would require that DOD and DHS conduct a joint
study into the “prevalence of counterfeit electronic components in the supply
chains of the Department of Defense and the Department of Homeland Security and
options for addressing the issue” {§2(d)(1)}.
Again, no such study is being required of the FAA.
The Joint report is required to be submitted to Congress
within 12 months of the adoption of the legislation. No word on whether or not the
report should be classified or not, so it almost certainly will be classified,
probably without an unclassified version for public consumption.
Sensitive Electronic Components
There is an odd provision in this bill. It requires the
establishment of a joint classification system by DOD and DHS to rank electronic
components on “how sensitive the components, and the final products containing
the components, are to national security” {§2(c)}. There is also, based upon
that classification system, a definition of ‘sensitive electronic components’
that would describe those components that are “the most sensitive to national
security” {§2(e)(2)}. This might prove interesting except that there is no
other mention of ‘sensitive electronic components’ in the legislation.
Analysis
This is one of the oddest, most incomplete pieces of
legislation that I have ever had the misfortune to read. There is no statement
of findings or sense of Congress that describes the problem that Rep. Slaughter
is trying to correct. While it is well understood in the cybersecurity
community that the manufacture of electronic devices in adversarial countries
leaves open the possibility of the insertion of back-doors, on-command defects,
or cyber-espionage controls into the practically undecipherable electronic
circuits of the devices, that potential problem goes well beyond DOD or DHS
electronics.
Even if you were to concentrate on the protection of weapons
systems, clearly a legitimate aim, why include DHS since it has no weapons
systems (the Coast Guard systems would more properly come under their DOD
mission)? And for heaven’s sakes, why burden the civil aviation system with
this impossible ban? Even if we suspect that State sponsors of terrorism would
engineer such systems to allow terrorist to gain control over an airliner (and
the FAA portion of this rule goes far beyond just airliners), there are any
number of industrial control systems that could be similarly engineered to
create a much larger catastrophe than the downing of a couple of airliners.
Furthermore, this bill would be unenforceable. The
international scope of the electronic engineering and manufacturing industry
makes it virtually impossible for even DOD and DHS to come anywhere near
implementing a realistic ban on foreign made electronic components and devices.
Besides there are any number of international agreements where various
components of weapons systems have been farmed out to companies in allied
countries; NATO, Japan, and Taiwan just to mention a few.
This is just another example of how ‘easy’ it is
for the technologically illiterate to solve problems involving electronic
devices.