Threat Intelligence, Incident Response, TDR

White House says new Chinese IT equipment rule may disrupt business without helping security

The White House and numerous tech industry groups have expressed concern over a newly signed law restricting government purchase of China-sourced IT equipment, calling the measure an ineffective response to security concerns between the countries.

The requirement is part of a larger 240-page bill, known as the 2013 Consolidated and Further Continuing Appropriations Act, which offers funds to keep the government running through the fall. A White House spokeswoman told The Hill on Friday that the portion of the legislation addressing Chinese tech equipment purchases would be “challenging” to implement.  

The provision, sponsored by Congressman Frank Wolf, R-Va., gives the FBI or heads of government agencies the power to stop the sale of imported Chinese equipment believed to pose a risk to the United States.

"The undefined terms of this provision will make implementation challenging," Hayden said via email. "It could prove highly disruptive without significantly enhancing the affected agencies' cyber security. While the administration has raised concerns about the cyber threats emanating from China, resolving this issue requires open dialogue between the U.S. and China,” she continued.

Worries over the legitimacy of Chinese equipment sold to the United States were bolstered by a detailed report released by Alexandria, Va.-based firm Mandiant, which determined that a secret Chinese military unit was behind the theft of hundreds of terabytes of data from American organizations.

The new provision states that NASA, the National Science Foundation and the Commerce and Justice departments can be barred from purchasing equipment with an “associated risk of cyber espionage or sabotage…being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China.”

In addition to the White House, technology groups have questioned the new requirement. Several of them last week sent a letter to lawmakers questioning the bill's language. Among the opposing groups was business-interest group TechAmerica, the Technology CEO Council, the U.S. Chamber of Commerce, the Software & Information Industry Association, and the Information Technology Industry Council.

According to the organizations, the law might slow the federal acquisition process, leaving federal agencies “behind the security curve” – and without access to the latest IT products that could protect government networks and equipment. 

The organizations also said that the Chinese government could retaliate by enforcing similar screening policies for IT equipment exported overseas.

“Fundamentally, product security is a function of how a product is made, used and maintained, not by whom or where it is made,” said the letter. “Geographic-based restrictions run the risk of creating a false sense of security when it comes to advancing our national cyber security interests.”

On Monday, Trey Hodgkins, the SVP of global public sector government affairs at TechAmerica, told SCMagazine.com that the law was "overly broad" by channeling its oversight into a purely geographical context.

"We are very concerned for the opportunity of retaliation this sets up," Hodgkins said. "[The law] basically says [to not] buy anything that is touched by the Chinese. You can't just look at this from what is sourced from China. You have to look at the entire global supply chain for information systems and discern what has been touched by the Chinese."

Some businesses have gone beyond the letter of the law, however, and severed business ties with Chinese-based companies providing IT equipment.

Last month, Sprint and Japanese telecommunications firm SoftBank announced their decision to no longer use Huawei equipment in Sprint's U.S. network after they merge.

Huawei, a Chinese telecom equipment provider, has been the subject of Congressional investigations, which stemmed from concerns that its equipment was being used for cyber espionage purposes against the U.S.

The allegations first surfaced in August 2010, when a group of eight Republican senators warned the Obama administration to be wary of Huawei winning a bid to sell equipment to American telecom giant Sprint Nextel. 

Last October, however, a White House-commissioned study concluded that Huawei did not pose a cyber espionage threat to the U.S., though it did highlight vulnerabilities in its products that could be exploited by attackers.

[This article was amended from a previous version to clarify the U.S. investigation into espionage concerns related to Huawei, as well as the Sprint deal.]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.