In a letter sent to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly this week, House Homeland Security subcommittee leaders requested a briefing on any threats posed by the Chinese Communist Party (CCP) to the information and communications technology (ICT) supply chain.
“Given the role of the Department of Homeland Security (DHS), and specifically CISA’s role as the ISA on the FASC, we urge you to consider exploring the CCP’s use of source code, including where it is located, how it is updated, and who has access to it, to infiltrate and maintain access to federal civilian and critical infrastructure ICT supply chains,” the lawmakers wrote.
They turned to the 2023 Annual Threat Assessment of the U.S. Intelligence Community (IC), which found that certain states’ malicious use of digital information and communication technologies would become more pervasive, automated, targeted and complex sooner rather than later. Republicans applied that statement to China, emphasizing their belief that companies that wish to do business with the U.S. government and critical infrastructure must work to make certain their products are not compromised due to Chinese business dealings.
This could include the mandated sharing or review of source code by the CCP.
The letter, penned by Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) and Counterterrorism, Law Enforcement, and Intelligence Chairman August Pfluger (R-TX), called for more information regarding CISA and the Federal Acquisition Security Council’s (FASC) efforts to protect against CCP use of source code to infiltrate and access ICT supply chains.
They called out ByteDance – the parent company of TikTok America – in particular, noting that it, like all Chinese companies and companies doing business in China, is bound by Article 7 of the People’s Republic of China’s National Intelligence Law, which calls for all organizations and citizens to cooperate with national intelligence efforts and protect national intelligence work secrets.
“Under this law, Chinese companies and companies who do business in China, such as ByteDance, and therefore TikTok America, are required to hand all data in its possession to the Chinese government if asked, including source code,” the lawmakers wrote. “TikTok is just one example—the pervasiveness of this issue spreads far and wide within the ICT supply chain and has the potential to increase systemic risk across critical infrastructure sectors.”