Due to a recently passed appropriations bill, which delineates government spending, federal agencies must now review Chinese IT equipment before purchasing to curb cyber espionage threats.
On Tuesday, President Obama signed the Consolidated and Further Continuing Appropriations Act of 2013, which outlined authorized federal spending for the fiscal year.
Buried in the 240-page bill was a section that said the Federal Bureau of Investigation, or another “appropriate federal entity,” must assess the risks that IT products sourced from China impose on organizations' security.
According to the new legislation, the National Aeronautics and Space Administration (NASA), the National Science Foundation and the Commerce and Justice Departments must review the “associated risk of cyber espionage or sabotage associated with the acquisition of [IT] systems, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China.”
Growing tensions about Chinese-led cyber espionage attacks on the U.S. motivated the legislation.
Last month, Mandiant, an Alexandria, Va.-based incident response and forensic firm, released a 60-page report revealing details of secret Chinese military unit 61398, believed to be behind a massively scaled data theft operation that is alleged to have stolen hundreds of terabytes of information from 141 organizations, primarily based in the United States. China denied the allegations about the group, dubbed “APT1” by Mandiant.
In October, a White House-commissioned probe of Chinese networking equipment provider Huawei Technologies temporarily squashed suspicions that the company was spying on behalf of the Chinese government.
The study found that Huawei did not pose a cyber espionage threat to the U.S., though a U.S. House Intelligence Committee report judged otherwise.
Sprint and Japanese telecommunications firm SoftBank have already announced their decision to no longer use Huawei equipment since the new legislation was passed, according to an article in Thursday's New York Times.
Stewart Baker, an attorney at Washington D.C.-based firm Steptoe & Johnson LLP, and former assistant secretary for policy at the U.S. Department of Homeland Security, said in a personal blog post that while China won't react well to the move, the legislation may not “directly” impact the country – at least as much as perceived.
“The provision doesn't hit China directly,” Baker wrote. “Instead, it restricts purchases from Chinese-government-influenced entities, no matter where those entities manufacture their products. This means that the provision could prevent purchases of Lenovo computers manufactured in Germany, or Huawei handsets designed in Britain.”
Baker believes that lawmakers may look for a “way out” of the legislation, which could be difficult to follow through on given the ties between the U.S. and China.
“The administration may look for another way out, perhaps by narrowing the definition of an ‘information technology system,'” Baker suggested.