IN THE SENATE OF THE UNITED STATES
July 30, 2019
Mr. Crapo (for himself and Mr. Warner) introduced the following bill; which was read twice and referred to the Select Committee on Intelligence
To require a plan for strengthening the supply chain intelligence function, to establish a National Supply Chain Intelligence Center, and for other purposes.
This Act may be cited as the
Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply Act of 2019 or the
MICROCHIPS Act of 2019.
Findings and sense of Congress
Congress makes the following findings:
Fifth generation telecommunications technology (commonly referred to as
5G), as well as other emerging technologies, will revolutionize the technology industry, becoming a vital part of day-to-day business and life, and requires secure supply chains for the national security of the United States.
An insecure supply chain for products supplied to the United States Government can lead to a degradation of critical infrastructure and technology items that are essential to the defense of the United States.
The United States Government confronts adversaries who seek to offset the military strength of the United States through asymmetric, nonkinetic actions that compromise and neutralize the decision-making systems, processes, and warfighting capabilities of the United States.
These adversaries take advantage of the open and democratic system of the United States that prioritizes governmental transparency to connect citizens with the actions of the Government.
The National Defense Strategy identified Russia and China as primary strategic competitors of the United States.
Russia and China seek to steal sensitive defense information from the United States through the use of blended espionage operations in the supply chain, supply chain activities, and cyberspace, and through insider threat human actors.
The actions of Russia and China go well beyond theft of critical military technology, threatening the integrity and readiness of information and weapons systems and potentially enabling key elements of the strategies of an adversary to defeat the Armed Forces of the United States across the spectrum of conflict.
According to some estimates, cybersecurity spending in the United States from 2017 to 2021 will exceed $1,000,000,000,000 among the public and private sectors.
Even with these large investments in cybersecurity, the United States remains vulnerable to advanced cyber actors like Russia and China.
Since 2013, more than 6,000,000 individual data records have been compromised every day through data breaches, with nearly half of these losses occurring in the Government sector.
Large expenditures of resources and a protective strategy that relies on firewalls and boundaries that can be breached by a persistent actor are clearly insufficient and completely ignore the supply chain vector.
Military weapons systems are not immune to cyber vulnerabilities.
An October 2018 Government Accountability Office report found that nearly all weapons systems of the United States have cyber vulnerabilities the scale of which the Department of Defense is
just beginning to grapple with.
Furthermore, the report stated that despite multiple warnings since the early 1990s,
cybersecurity has not been a focus of weapon systems acquisitions.
There have been numerous press stories about data breaches and theft of United States sensitive technology that prove that cyber vulnerabilities are real and not theoretical.
The Department of Defense will spend more than $1,600,000,000,000 to develop and field its current portfolio of weapons systems.
Conducting acquisitions without making security resiliency a key discriminator in capability development and contract award decisions could potentially lead to additional losses of technological advantages of the Armed Forces and negate efforts to improve the capabilities of the Armed Forces to meet the National Defense Strategy.
Software, hardware, and services supply chains have proven to be major means through which adversaries seek to gain access to weapons systems and information and communications technology platforms and systems of the United States.
Vulnerabilities in these critical areas introduce unacceptable risks to human life and the ability of the Armed Forces to execute the missions the public of the United States expects of them.
The establishment of the Protecting Critical Technology Task Force of the Department of Defense and the Information and Communication Technology Supply Chain Risk Management Task Force of the Department of Homeland Security is a welcome first step, but the United States Government requires a fundamental security culture change.
The innovative technologies that will help the Armed Forces, economy, and industry of the United States maintain competitive advantages over the competitors of the United States are developed in private industry and in academia.
Engagement to find solutions with industry stakeholders and allied countries to mitigate the clear, present, and rapidly evolving threats to the national security of the United States is necessary.
A national center to unify efforts across the whole of government to strategically warn of and support the mitigation of threats to supply chains and supply chain activities is vital to the cybersecurity, critical infrastructure, and national security of the United States.
Sense of Congress
It is the sense of Congress that—
the United States Government should endeavor to deliver warfighting capabilities to operational forces without having critical information or technology wittingly or unwittingly lost, stolen, or modified;
the Department of Defense and the whole of the United States Government should adapt to the challenges presented by adversaries while maintaining as much transparency with the people of the United States as possible;
stronger effort should be placed on securing the vast supply chains of the contractors responsible for developing and producing the defense related capabilities of the United States;
the efforts of the Department of Defense, the Department of Homeland Security, and the Federal Acquisition Security Council to protect critical technologies should be action oriented with clear outcome expectations and chains of accountability;
technology protection should begin long before a contract is signed between a contractor and the United States Government;
the United States Government should improve its ability to collaborate to protect both the open research environment and emerging military technologies; and
the United States Government should focus on supply chain security to ensure that military systems and systems required for sensitive activities are not acquired or operated in a compromised state.
Plan for strengthening the supply chain intelligence function
Not later than 180 days after the date of the enactment of this Act, the Director of the National Counterintelligence and Security Center, in coordination with the Director of the Defense Counterintelligence and Security Agency and other interagency partners, shall submit to Congress a plan for strengthening the supply chain intelligence function.
The plan submitted under subsection (a) shall address the following:
Such recommendations as the Director of the National Counterintelligence and Security Center may have with respect to—
the appropriate workforce model, including size, mix, and seniority, from the elements of the intelligence community and other interagency partners; and
the appropriate governance structure within the intelligence community and with interagency partners.
The budgetary resources necessary to implement the plan.
The authorities necessary to implement the plan.
Definition of intelligence community
In this section, the term intelligence community has the meaning given such term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
Establishment of National Supply Chain Intelligence Center
Establishment of Center
Title IX of the Intelligence Authorization Act for Fiscal Year 2003 (50 U.S.C. 3382 et seq.) is amended by adding at the end the following:
National Supply Chain Intelligence Center
Establishment of Center
There is within the National Counterintelligence and Security Center in the Office of the Director of National Intelligence a National Supply Chain Intelligence Center.
Director of National Supply Chain Intelligence Center
There is a Director of the National Supply Chain Intelligence Center, who shall be appointed by the President, in consultation with the Director of National Intelligence and other interagency partners as the President considers appropriate.
The Director of the National Supply Chain Intelligence Center shall ensure that the senior management of the Center includes one or more detailees from each of the following:
The Department of Defense.
The Department of Justice.
The Department of Homeland Security.
The Department of Commerce.
Detail or assignment of personnel
With the approval of the Director of the Office of Management and Budget, and in consultation with the congressional committees of jurisdiction, the Director of the National Supply Chain Intelligence Center may request of the head of any department, agency, or element of the Federal Government the detail or assignment of personnel from such department, agency, or element to the National Supply Chain Intelligence Center.
Personnel detailed or assigned under subparagraph (A) shall assist the National Supply Chain Intelligence Center in carrying out the primary missions of the Center.
Personnel detailed or assigned under subparagraph (A) shall be assigned or detailed to the National Supply Chain Intelligence Center for a period of not more than 2 years.
Any Federal Government employee detailed or assigned under subparagraph (A) shall retain the rights, status, and privileges of his or her regular employment without interruption.
The primary missions of the National Supply Chain Intelligence Center shall be as follows:
To aggregate all-source intelligence relating to supply chains, including—
classified and unclassified information;
threat information; and
proprietary and sensitive information, including risk and vulnerability information, voluntarily provided by private entities.
To share strategic warnings relating to supply chains or supply chain activities, as the Director of the National Supply Chain Intelligence Center considers appropriate and consistent with security standards for classified information and sensitive proprietary information, among—
the elements of the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)), components of the Department of Justice and the Department of Defense, the Federal Acquisition Security Council, and other Federal agencies;
at-risk industry partners; and
governments of countries that are allies of the United States.
To serve as the central and shared knowledge resource for—
known and suspected threats to supply chain activities or supply chain integrity from international groups, companies, countries, or other entities; and
the goals, strategies, capabilities, and networks of contacts and support of such groups, companies, countries, and other entities.
To perform tasks assigned to the National Supply Chain Intelligence Center by relevant Government supply chain task forces, councils, including the Federal Acquisition Security Council, and other entities.
Annual reports required
The Director of the National Supply Chain Intelligence Center shall annually submit to Congress a report, with classified annexes as appropriate, on the state of threats to the security of supply chains and supply chain activities for United States Government acquisitions and replenishment as of the date of the submittal of the report.
Amounts used to carry out this section shall be derived from amounts appropriated or otherwise made available for the National Intelligence Program (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)).
The table of contents in section 1(b) of such Act is amended by inserting after the item relating to section 904 the following new item:
Sec. 905. National Supply Chain Intelligence Center.
Sense of Congress
It is the sense of Congress that the Director of the National Supply Chain Intelligence Center should implement the recommendations submitted under section 3(b)(1).
Investment in supply chain security under Defense Production Act of 1950
Section 303 of the Defense Production Act of 1950 (50 U.S.C. 4533) is amended by adding at the end the following:
Investment in supply chain security
The President may make available to an eligible entity described in paragraph (2) payments to increase the security of supply chains and supply chain activities, if the President certifies to Congress not less than 30 days before making such a payment that the payment is in the national security interests of the United States.
An eligible entity described in this paragraph is an entity that—
is organized under the laws of the United States or any jurisdiction within the United States; and
one or more critical components;
critical technology; or
one or more products for the increased security of supply chains or supply chain activities.
Not later than 90 days after the date of the enactment of the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply Act of 2019, the President shall prescribe regulations setting forth definitions for the terms supply chain and supply chain activities for the purposes of this subsection.
Scope of definitions
The definitions required by subparagraph (A)—
the organization, people, activities, information, and resources involved in the delivery and operation of a product or service used by the Government; or
critical infrastructure as defined in Presidential Policy Directive 21 (February 12, 2013; relating to critical infrastructure security and resilience); and
may include variations for specific sectors or Government functions.