Under the new bill, federal government agencies would need to buy electronics from original equipment manufacturers and authorized resellers.
A U.S. House lawmaker has introduced a new bill aimed at preventing adversaries like China and Russia from attacking networks within the federal government.
Rep. Pat Fallon (R-Texas), who sits on armed services and oversight committees, said his legislation (H.R.9500) would require the federal government to buy electronic devices from trusted sources only.
“The proliferation of artificial intelligence has allowed our enemies to conduct offensive cyber-operations at an enormous rate, creating the possibility of a devastating attack on this country’s most sensitive networks,” Fallon said in a statement released by his office on Sept. 13.
“Simultaneously, our adversaries have been targeting our hardware and software systems by selling the US government counterfeit products through what are known as ‘grey market’ sellers. These products, although marketed as genuine hardware, allow our adversaries to gain access to US government systems, making it far easier to conduct subsequent cyber-attacks. This is unacceptable.”
The bill, known as the Securing America’s Federal Equipment (SAFE) Supply Chains Act, would prohibit the head of an agency from procuring or using a “covered product” from an entity other than an original equipment manufacturer or an authorized reseller. A covered product is defined as “an information and communications technology end-use hardware product or component,” according to the language of the bill.
The head of an agency may file a written notice with the director of the Office of Management and Budget to waive the restrictions for a covered product, according to the bill. The written notice shall include information such as justification for the waiver, security mitigations that have been implemented, and a plan of action to avoid waivers for similar purchases in the future.
“The world is at peak instability and danger. Simply put, we are at an inflection point, which means we must do everything in our power to protect our vulnerable systems from cyber-attack and intrusion from our adversaries,” Fallon said.
The bill is a companion version of S.4651 introduced by Sens. John Cornyn (R-Texas) and Gary Peters (D-Mich.) in July.
“The federal government has a responsibility to purchase technology that will help keep Americans’ data secure and strengthen our defense against a potential cyberattack,” Peters said in a statement about the Senate bill. “This legislation takes an important step towards protecting our national security interests and securing our domestic supply chains.”
In February, the Cybersecurity and Infrastructure Security Agency (CISA) warned that China was pre-positioning malware in U.S. systems in preparation for a major conflict. The previous month, the FBI announced a multiagency operation had dismantled “Volt Typhoon,” a dangerous malware embedded in critical U.S. infrastructure by the Chinese regime that began targeting a wide range of networks in 2021.
In March, the Department of Justice charged seven Chinese nationals for their alleged involvement in a China-based hacking group that had spent about 14 years targeting U.S. and foreign critics, businesses, and political officials.
Earlier this month, the FBI, CISA, the National Security Agency, and foreign partners from nine countries issued an advisory about a clandestine Russian military unit responsible for cyber attacks against targets around the world.
In December last year, Fallon introduced the Protecting Military Servicemembers’ Data Act (H.R.6573), to prohibit data brokers from selling military personnel data to adversarial nations, including China and Russia.