Recognizing Vendor Risks to National Security in the CFIUS Process

The Committee on Foreign Investment in the United States (CFIUS) protects U.S. national security by regulating against attempts by foreign commercial efforts to obtain control in a U.S. trade or business. Passed last year, the Foreign Investment Risk Review Modernization Act (FIRRMA) expanded CFIUS’s scope and jurisdiction in ways that reflect the evolution of commercial threat vectors, such as covering investments in critical technologies even if those investments do not result in control of the U.S. company. However, gaps in protecting U.S. national security remain, particularly for cybersecurity services and more broadly for vendor and other business-to-business relationships. As we discuss here, this may result in security risks like those CFIUS and FIRRMA are designed to prevent.

CFIUS and U.S. Critical Infrastructure Risk Management

CFIUS provides strong regulatory protection against foreign takeover and control of critical infrastructure companies, however, vendor-based risks are less vigorously policed across all critical sectors. CFIUS has traditionally evaluated and addressed national security concerns from any proposed or pending “merger, acquisition or takeover” of U.S. companies by foreign entities that could result in “control” of the company. Earlier this year, Congress passed the FIRRMA, which expanded the scope of CFIUS’s jurisdiction to include transactions for the purchase or lease of property near “sensitive” government property, such as U.S. ports and military facilities; non-passive investments in “critical technology,” “critical infrastructure” and “sensitive personal data of United States citizens” that can impact national security; changes in existing ownership rights that could result in foreign ownership or control; and any other transaction structured to evade CFIUS review.

FIRRMA identifies a number of factors that CFIUS should consider when evaluating national security risks, including: (1) whether the transaction involves a country of special concern with a strategic goal to affect U.S. technological leadership in a specific area; (2) national security effects of cumulative market share by the foreign entity; (3) whether the foreign entity has a history of compliance with U.S. law; (4) how the transaction may affect the U.S.’s capability and capacity to meet its national security requirements, including any reduction in U.S. person-employment with critical skills and the continued U.S. production of goods necessary for national security; (5) the extent to which the transaction may expose sensitive U.S. citizen data to exploitation by foreign entities and governments; and (6) whether the transaction exacerbates cybersecurity vulnerabilities or allows a foreign government to gain new capabilities to engage in malicious cyber activities against the U.S.

CFIUS’s scope does not include review of vendor relationships. Yet the potential national security risks from non-investment business-to-business relationships are also important to address, especially risks from foreign cybersecurity vendors. These vendor relationships can have significant impacts on U.S. national security interests in critical infrastructure companies.

Vendor and Cybersecurity Risks

Foreign vendors pose particular concerns for hardware, software and services due to cybersecurity risks. In the current age of global connectivity, foreign vendors can leverage capabilities to act remotely against U.S. infrastructure—such as installing backdoors or “phoning home.” For example, technical advancements in artificial intelligence and machine learning are poised to significantly affect both the tactics of malicious actors and the types of cybersecurity products and services available. Bad actors are able to use these technologies to better target spear-phishing attacks and identify weaknesses in security products and processes. Similarly, as security vendors begin to use these technologies to better identify and respond to malicious attacks, there may be an arms race in which bad actors are continuing to determine how best to mask their activities from detection.

These trends create two distinct problems for chief information security officers (CISOs) and chief technology officers (CTOs). First, the incentives for cybersecurity continue to be largely risk- and penalty-based, as money invested in cybersecurity spending does not generate returns in the same way that investment in other business areas does. Second, companies seeking to tailor their cybersecurity solutions to the perceived risks of U.S. regulator enforcement actions are also incentivized to stick to “tried-and-true” services, rather than being the first to try newer solutions that leverage state-of-the-art advances. These factors mean that CISOs and CTOs have strong incentives to look at lower-cost cybersecurity solutions that are defensibly adequate for their company’s risk profile. These incentives can lead to advantages for foreign-based cybersecurity vendors that can underbid competing U.S.-based companies.

The U.S. cannot assume that American companies are unique global leaders in cybersecurity. Cybersecurity skill levels in many foreign countries are competitive with the U.S., with Israel serving as one prime example. Cybersecurity vendors can also be bolstered by their respective governments, which have invested heavily in research and development areas such as artificial intelligence and machine learning. Russia and especially China, for example, have the ability to subsidize local companies, allowing them to offer lower bids to potential customers. These attractive offers allow them to outbid U.S. companies, including those in critical infrastructure sectors.

For U.S.-based critical infrastructure entities, the price point of these bids alone warrants consideration while the attendant risks can be less clear. For example, contracting with a cybersecurity service provider who is headquartered outside the U.S. can expose a company’s data to foreign powers. The company can face risks from the foreign country’s surveillance of incoming data, use of legal process to demand access to data under the service provider’s control or pressuring of the service provider to grant the government access to its data or systems.

National Security Risks from Business-to-Business Relationships with Foreign Companies

Three examples illustrate national security risks from vendor relationships in ways that are not addressed by the current CFIUS system.

1. CRRC and the Transportation Systems Sector

U.S. rail and metro systems are, of course, U.S. “owned” and “controlled,” and thus outside of CFIUS. However, the state-owned and -subsidized Chinese company CRRC Corporation Ltd. (CRRC) has made significant inroads in the United States, winning contracts to supply rail transit equipment and passenger rail cars in major American cities including Boston, Chicago, Los Angeles and Philadelphia. China has been assertively implementing its Made in China 2025 initiative, and rail development for Chinese companies is a direct target of the program’s goals.

Railways and metro systems are also increasingly connected, in terms of both railway assets (that is, signaling, communications and passenger cars) and services offered to riders (e.g., WiFi Internet connectivity). This connectivity also introduces new risks for railways and metros, including possibilities for surveilling and tracking passengers via WiFi connections, disrupting vehicle operations and even exercising command and control of assets. Recent attacks on connected railways have struck South Korea, the U.K. rail system, Deutsche Bahn and the Canadian Pacific Railway. As these systems become increasingly connected to open networks, the risk of these types of cyber attacks will also increase.

As a state-owned and -supported entity, CRRC has been winning U.S. procurements by bidding anywhere from 20 to 50 percent below bids from its non-subsidized, private sector competitors. In response in part to CRRC’s increased market manipulation and jump in market share, Congress is now considering legislation that would impose a one-year ban on any new procurements of mass transit rail cars or buses from companies based in non-market countries as defined in Section 771(18) of the Tariff Act of 1930, countries listed on the U.S. Trade Representative’s priority watch list report and countries subject to U.S. Trade Representative monitoring (including CRRC). The threat continues to expand as new contract opportunities in the passenger rail equipment sector arise. For example, Washington D.C.’s Washington Metropolitan Area Transit Authority (WMATA) has already begun the process of procuring next-generation rail cars, and New York City, Atlanta, and Toronto are also receiving similar bids.

WMATA trains are a high-value target for foreign intelligence gathering, as many government employees regularly commute by train, and the proximity of rail lines to the Pentagon, Capitol buildings, and other government offices. The proposed legislative ban demonstrates a real concern for securing this critical infrastructure sector from a viable risk. But there has been no systematic process to date to include these concerns in the CFIUS process. Because the bids being solicited are to provide products for purchase by WMATA, and would not result in any “merger, acquisition, or takeover” of WMATA by the bidding company, this transaction would fall outside the scope of CFIUS review, even as expanded by FIRRMA.

2. ZTE, Huawei and the Communications Sector

In the communications sector, Chinese companies ZTE and Huawei garnered headlines earlier this year when they placed a surprisingly low bid to construct cell towers in rural areas of the U.S. In rural parts of Michigan, ZTE and Huawei submitted bids that were priced lower than the cost of the raw materials needed to build the towers. In response to national security concerns from experts—including FBI Director Christopher Wray—about ZTE and Huawei’s activity, the House Committee on Small Business held a hearing of national security experts and cybersecurity firms on national security risks posed by ZTE, both to the telecom sector and to the small businesses that could not compete against the below-market bidding strategy of ZTE and Huawei.

Contracts to build telecommunications infrastructure create risks for sabotage and takeover of U.S. communications infrastructure. First, control of the towers, particularly for under-covered rural areas, means that a foreign government may be able to subvert the ability of the towers to serve the covered areas. In his testimony before the House Committee on Small Business, Prof. Andy Keiser explained that control of these cell towers could be used to sabotage the electrical grid as well. Finally, while control of the tower may not introduce an ability to access the content of encrypted voice calls, SMS or data, that traffic could still be intercepted and potentially redirected or otherwise disrupted.

These risks are not entirely hypothetical. A recent Australian report alleges that Huawei has hacked a foreign network to share information with the Chinese government and that Huawei officials have been pressured to provide access to foreign networks over the past two years. While the underlying intelligence reports for this activity are secret, there is no reason to believe the same pressure could not be exerted on Huawei to target U.S. networks in similar fashion.

3. Netcracker and the Telecommunications Sector

On December 6, 2017, the U.S. Department of Justice published a Deferred Prosecution Agreement with the cybersecurity and global software company Netcracker Technology Corp in response to Netcracker’s unauthorized use of foreign subcontractors, including Russian subcontractors, on two federal government contracts with the Department of Defense’s Defense Information Systems Agency. In its Statement of Facts, the Justice Department noted the specific risk of sending sensitive data to Russia where it can be intercepted by the Russian SORM (System for Operative Investigative Activities) surveillance system. Netcracker allowed itself to become a potential attack vector for the Defense Industrial Base Sector, which includes Department of Defense components and related private-sector industrial partners, by virtue of hiring contractors located in a jurisdiction with heightened risk. Likewise, sending sensitive data to contractors located in Russia puts the data within reach of criminal actors who may seek to compromise relevant systems or even the contractors themselves.

While Netcracker denied any wrongdoing, the company agreed to an Enhanced Security Plan to implement additional security protections to avoid similar national security risks in the future.

To safeguard against future potential cybersecurity risks to sensitive data that Netcracker handles, the Enhanced Security Plan requires that Netcracker: (1) not route or transfer sensitive data outside the U.S. except in limited circumstances; (2) not route or transfer data outside the U.S. without both anonymizing the data and receiving express written consent from its relevant U.S.-based customer; (3) record all access to sensitive data and activity on systems capable of accessing sensitive data and (4) ensure its U.S.-based customer can monitor and inspect the content of Netcracker data transfers, without assistance or notification from Netcracker, including having access to any relevant encryption keys.

The restrictions required in the Enhanced Security Plan highlight the potential risks of granting foreign countries access to sensitive networks and data, including the possibility for surveillance or interception of data and the ability to sabotage or even take command and control of critical systems. For example, if the contractor were to access confidential Department of Defense data as part of their work on the Netcracker contract, the Russian government could capture that data in the SORM system. Similarly, malicious actors could pressure the contractor to use valid credentials to obtain further information about the Department of Defense systems or provide intelligence to aid in other spear-phishing and account takeover attempts against the Department of Defense.

Recommendations for Bolstering National Security Protections

In summary, we document the growing importance of vendor risks for the national security concerns addressed by the CFIUS process. Those risks arise from our increasing reliance on hardware, software and online services to run our critical infrastructures, as illustrated by the Netcracker incident. They also arise specifically in critical sectors, including transportation and telecommunications. To address these risks, we propose three measures going forward, while keeping in mind risks of over-regulating:

(1) Examine existing models to help secure these gaps. There may be lessons learned from the export control system that regulates what types of data can be accessed by entities from specified foreign countries. In addition, consider how to better adopt the supply chain mapping best practices set forth in NIST’s Best Practices in Cyber Supply Chain Risk Management [REF: https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-SCRM-Vendor-Selection-and-Management.pdf]. Both public and private sector entities in critical infrastructure sectors can use these existing frameworks as a basis for more carefully analyzing their business-to-business contracts to better identify risk and intangible “hidden costs” from subsidized undercutting bids.

(2) Study the financial sector requirements for vendor cybersecurity risk management as led by the Federal Reserve and Office of the Comptroller of the Currency. The financial sector has been a primary target for malicious actors for many years and has invested significant resources in designing and developing its own security systems and processes. Other public and private entities should consider adopting these more-developed financial sector best practices. Doing so would likely improve the due diligence practices of other critical infrastructure sectors concerning risk management, particularly for sectors where cybersecurity has received less focused attention and resources until recently.

(3) Conduct more research, including pilot programs, for risk review procedures for vendor relationships, incorporating lessons learned from Netcracker, the financial sector and others. Additional research will help map these risks as they evolve and inform how best to mitigate those risks through improved best practices, enhanced security systems and processes, regulatory oversight or other means.

Congress helpfully expanded the CFIUS process last year with FIRRMA. There is more to do, however. Next, we should study and respond to national security risks from foreign vendors.

Funding for this research was provided by APCO Worldwide.