Rep. Wolf's Flawed Approach to Supply Chain Security
According to this article in today's Politico, Rep. Wolf has inserted language in a budget stopgap bill that is "meant to ensure Chinese companies certify their independence from official Beijing before they can sell their goods to the Commerce Department, among others, during the life of the continuing resolution." Furthermore, it excludes "American companies who do assembling in China".
This provision is stunning in its utter uselessness as a cyber security measure. The problem that Rep. Wolf should be worried about is how easily U.S. companies with offices in China can be compromised by the Chinese government, in ways that go far beyond what is normally reported by the press.
Yet another problem is how quickly U.S. companies open R&D labs in China, which results in technology transfer and a rapid escalation of China's own technological innovation. As an example, I just tried to contact two Microsoft Asia researchers (both Chinese) whose work focused on a specific type of data analytics that my company is interested in. Both researchers had recently left Microsoft and are now continuing their research at Huawei. This revolving door happens all the time, and it represents just one small part of the vast threat landscape facing U.S. companies and, by extension, the U.S. government, a landscape that extends far beyond a spear phishing attack and the APT kill chain.
Not only is Rep. Wolf's language utterly useless from a security perspective, it is detrimental to U.S.-China relations, which, like it or not, we depend on. We have the ability to handle this problem in a much smarter, more effective way if legislators would invite a broader base of experts to testify and give guidance on this issue, rather than the same anti-China cheerleaders time and again.