Outgoing Republican Gov. Larry Hogan banned Maryland state employees from using a range of Chinese and Russian equipment and software, citing national security and the potential for such technologies for be leveraged for hacking and foreign espionage.
In an emergency cybersecurity directive issued Tuesday and signed by Maryland Chief Information Security Officer Charles “Chip” Stewart, the state flagged technologies from eight companies that present “an unacceptable level of cybersecurity risk to the State” and prohibited state government employees from using them for official business.
The companies include Huawei Technologies, ZTE Corp., Alibaba-owned AliPay, Tecent-owned Tencent QQ, WeChat and QQWallet, as well as Russian-owned cybersecurity and antivirus firm Kaspersky.
The order starts the clock on a two-week timeline for state employees to remove any known hardware or software from the companies from state networks and put in place measures that would prevent the future installation or access to such systems. The order recommends automated tools to scan for known desktop applications, the use of mobile device management software to keep track of phones issued to workers and a restriction in administrative privileges for state employees.
“There may be no greater threat to our personal safety and our national security than the cyber vulnerabilities that support our daily lives,” said Hogan in a statement. “As the cyber capital of America, Maryland has taken bold and decisive actions to prepare for and address cybersecurity threats. To further protect our systems, we are issuing this emergency directive against foreign actors and organizations that seek to weaken and divide us.”
The order comes one day after an NBC News story detailed how APT41, a hacking group linked to the Chinese government, stole $20 million in federal COVID relief funding from the Small Business Administration, in part by attacking at least a dozen of the state government IT networks responsible for distributing the money. The story was cited in Hogan’s press release announcing the order and is believed to be the first known instance of a foreign hacking group stealing COVID economic stimulus funds.
Federal government skeptical of security of foreign technology
Kaspersky, Huawei and TikTok have all come under scrutiny in recent years as Washington has become more aware of cybersecurity vulnerabilities in the technology supply chain and as the cloud computing revolution has stored increasingly amounts of American data overseas.
U.S. officials have repeatedly accused Kaspersky and Huawei of having formal or informal working relationships with the Russian and Chinese governments and claim that domestic laws in both countries legally obligate those companies to store data within their borders and assist the government in national security investigations.
All the companies in the order have been subject to previous restrictions or sanctions from the federal government and have repeatedly denied working with the Chinese or Russian governments, or intentionally facilitating hacking, espionage or surveillance.
In court documents submitted by the Department of Homeland Security in a lawsuit filed by Kaspersky, U.S. officials cited domestic laws in Russia and the exquisite access that antivirus software like Kaspersky’s give to customer systems, saying the potential risk to national security more than justified their federal contracting ban and removal order.
A judge later agreed with that argument when dismissing the case, and national security officials have made similar accusations about many of the Chinese-owned companies named in Maryland’s order.
ZTE Corp, a Chinese-owned telecommunications firm, has also been banned from federal contracting and has repeatedly run afoul of U.S. regulations. Both Huawei and ZTE were included in new regulations adopted by the Federal Communications Commission last month that banned authorizations of new equipment for the companies.
In March 2017, ZTE agreed to pay a $1.19 billion fine for violating a U.S. trade embargo against two heavily sanctioned countries: Iran and North Korea. The company was required to discipline certain employees as part of that agreement and, according to U.S. officials, ZTE failed to punish employees who destroyed and concealed evidence related to the violations, and some were even rewarded with bonuses.
In 2018, the U.S. Department of Commerce banned U.S. firms from doing business with the company.
"ZTE made false statements to the U.S. government when they were originally caught and put on the Entity List, made false statements during the reprieve it was given, and made false statements again during its probation," then-Secretary of Commerce Wilbur Ross said in a statement at the time.