According to a report by a Washington-based political research group, only a “handful” of US states have stopped buying Chinese technology the government sees as a security threat.
The Georgetown University think-tank paper released this week says “thousands” of officials are still buying banned technology from “Huawei, ZTE and other Chinese companies” and that most state and local governments simply haven’t taken action by making changes to their procurement policies.
The strategy paper landed just hours before reports that senior Biden administration officials were weighing whether to introduce further controls on Chinese technology.
The authors say that only five states — Florida, Georgia, Louisiana, Texas, and Vermont — have taken action to limit the procurement of foreign information and communications technology and services (ICTS) for national security reasons, and explain that sometimes even these existing policies are considered to contain loopholes that would allow “unreliable” technology to penetrate government networks.
Citing government procurement records provided by GovSpend, the Georgetown report says that “at least 1,681” state and local entities purchased equipment and services prohibited at the federal level under Section 889 (see box) between 2015 and 2021.
Measures to regulate the purchase of foreign ICTS for reasons of national security:
- Section 889 of the National Defense Authorization Act of 2019, which prohibited federal agencies from using devices and services from five Chinese technology companies (including Huawei and ZTE) or from working with contractors using covered devices.
- Title 2 of the SECURE Technology Act, which established a federal council to analyze supply chain security threats and recommended orders to remove or ban certain technologies from federal networks.
- The ICTS regulation, which allows the US Department of Commerce to block both public and private procurement and use of “certain foreign ICTS.”
- The Secure and Trusted Communications Networks Act, which allows the FCC to restrict the purchase of certain ICTS with federal funds.
They note that while the total value of these purchases was only around $45.2 million, the purchases are “significant in terms of potential risk. Each covered device represents a potential entry point into users’ networks, regardless of its cost.”
The report’s authors say the threats that the US legislates against fall into three categories: baked-in backdoors (or the possibility of later injecting security holes), human vulnerabilities, and economic risks.
Huawei and other Chinese companies on the list have always denied the existence of “hidden bugs” that would give attackers access, and the report acknowledges that the government doesn’t need to install backdoors when run-of-the-mill software bugs are an easier – and cheaper – way for most attackers to break into a network, whether it’s illicit software from Chinese companies or local software made by local people. The US government has previously claimed it has evidence of such backdoors.
“State and local governments must take foreign technology threats seriously, even if they don’t face the same risks as federal agencies like the Department of Defense,” the authors write. “Even if governments are not directly targeted, the ICTS they deploy could be used to compromise nearby critical infrastructure.”
The second category posited by the report is a little more interesting: it suggests that technicians brought in for maintenance and upgrades “could be compromised by a foreign adversary,” and that “they could potentially install malware, exfiltrate data, or engage in other nefarious activities on their behalf.”
The third is the obvious one: as “Chinese companies gain market share, the United States and its allies could rely on its largest geopolitical competitor for access to key technologies,” and the authors note that when America began introducing federal laws, “some Chinese firms, like Huawei, dominated markets with no viable US competitors at all”.
The U.S. is also curbing exports to China of American technology considered a national security risk. Nonetheless, the Commerce Department granted 2,652 restricted technology export licenses to China in 2020, 94 percent of the total requested, according to an August report in the WSJ, with America shipping a wide range of semiconductor, aerospace and AI/ML technology to China.
To solve the problem of government spending on banned technology, the think tank recommends the Feds publish a “master list” of untrustworthy foreign ICTS covered by various federal rules and laws, as well as step in with help for “rip and replace” programs for problem devices purchased by government organizations, similar to the FCC’s 2020 rip-and-replace program for private operators. Congress has spent about $1.9 billion on this project, dubbed the Secure and Trusted Communications Networks Reimbursement Program, whose initial focus was to “rip and replace” Huawei and ZTE devices on the country’s communications network. The first wave of claimants, she adds, asked for “more than $5.6 billion in reimbursements.”
The US government has also pressured its allies to ban hardware from Huawei and other Chinese companies from 5G network rollouts around the world, claiming it poses a security risk. Huawei has always denied these claims and has a presence in many countries in both 4G core and RAN network infrastructure.
The UK, which has come under intense pressure from its ally, earlier this month issued formal legal notices to operators directing them to remove Huawei technology from the country’s 5G networks by the end of 2027. However, carriers have already been given some grace periods after saying they will miss a January deadline to remove Huawei technology from their core networks (much of the country’s 5G deployment is on top of a 4G core, which is still filled with Huawei kit). The country’s largest telecom company, BT, expects it to cost about $658 million to remove and replace Huawei equipment on its networks.
Meanwhile, China is also in pain. Semiconductor imports fell 12.4 percent in September, according to the country’s official customs data.
That could get very expensive. ®
https://www.theregister.com/2022/10/28/federal_bans_china_law/ Federal bans won’t stop US states from buying Chinese kits • The Register