“According to the Defense Critical Infrastructure Program documents, there is `no single solution to ensure the protection of information and the associated information infrastructure,’ and to address these mission assurance needs, the Department of Defense (DOD) has developed a `defense-in-depth’ strategy which includes a variety of tools to assess the robustness and security-readiness of DOD networks”, the report notes
Contained within the pages of the Committee Report 22 of 108 – House Report 113-102 – National Defense Authorization Act for Fiscal year 2014 are references to the urgent need “to ensure the protection of information and associated information infrastructure.”
“The committee is aware that critical infrastructure is not just physical, but also encompasses information and information systems, as well as supports infrastructure. According to the Defense Critical Infrastructure Program documents, there is `no single solution to ensure the protection of information and the associated information infrastructure,’ and to address these mission assurance needs, the Department of Defense (DOD) has developed a `defense-in-depth’ strategy which includes a variety of tools to assess the robustness and security-readiness of DOD networks.
The committee is aware of the many threats facing the mission assurance of critical aspects of the Department, and in the committee report (H. Rept. 112-479) accompanying the National Defense Authorization Act for Fiscal Year 2013, the committee included a requirement for the Secretary of Energy to report on the supply chain security and integrity of the nuclear weapons complex. In responding to that reporting requirement, the Secretary of Energy found the presence of specific information technology equipment manufactured by the firm Huawei, which has known links to the Government and military of the People’s Republic of China, at the Los Alamos National Laboratory (LANL). The Secretary of Energy informed the committee that, once technology linked to Huawei was found within the LANL network, steps were promptly taken to remove it from that network. The committee commends this action, but is concerned that such technology was incorporated into the LANL networks in the first place.
The committee is also aware of the bipartisan investigative report of the House Permanent Select Committee on Intelligence, `[t]he U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE.’ The committee notes that the bipartisan recommendations of the House Permanent Select Committee on Intelligence included:
- `(1) The United States should view with suspicion the continued penetration of the U.S. telecommunications market by Chinese telecommunications companies;
- (2) Private Sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services; and,
- (3) Committees of jurisdiction in the U.S. Congress should consider potential legislation to better address the risk posed by telecommunications companies with nation-state ties or otherwise not clearly trusted to build critical infrastructure.’
In addition, the Defense Security Service reported in its 2012 report, `Targeting U.S. Technologies’ that, `[t]he stakes are high in the battle against foreign collection efforts and espionage that target U.S. technology, intellectual property, trade secrets, and proprietary information.’ The report went on to state that East Asia and the Pacific accounted for 43 percent of the reported foreign attempts to obtain illegal or unauthorized access to sensitive (including proprietary information) and or classified information and technology residing in the cleared industrial base.
These findings only heighten the committee’s concerns about the security risks associated with the presence of information technology manufactured by firms with known affiliation to the military and Government of China. Therefore, the committee directs the Secretary of Defense to conduct a review of the telecommunications and information technology supply chain of select components of the Department of Defense, including the nuclear command and control infrastructure. Such a review should include an inspection of the critical assets, infrastructure, and key resources identified by the Defense Critical Infrastructure Program for presence of Huawei and ZTE telecommunications and information technology equipment. The Secretary should submit a report on the findings of the review, along with any recommendations for improving the mission assurance of the Department’s critical information and the associated information infrastructure, to the House Committee on Armed Services by July 1, 2014, with an interim report due by February 15, 2014″ (source: Congressional Record House Report 113-102 – NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2014 http://thomas.loc.gov/).
See video: Critical information infrastructure and cyber security issues http://www.youtube.com/watch?v=wPXfNkOW4j4
See article: U.S. GAO – High Risk Protecting the Federal Government’s information systems and Nation’s Cyber Critical Infrastructure http://www.gao.gov/highrisk/protecting_the_federal_government_information_systems/why_did_study