A think tank is recommending state and local governments align their rules on buying technology from companies with federal guidelines that prevent agencies from purchasing certain prohibited foreign technology, such as ones from Chinese companies.
The Center for Security and Emerging Technology at Georgetown University notified the Federal Communications Commission late last month of a report released that month regarding what it said was a concerning trend of state and local governments having outdated procurement policies that are seeing them purchase equipment banned for federal purchase.
“State and local policymakers should not be expected to independently analyze and address the threats posed by foreign technology, but it would behoove them to align their own procurement practices with the rules set by the federal government,” the report recommends.
The FCC has a list of companies, as required by the Secure and Trusted Communications Networks Act of 2019, that it updates on a rolling basis through commission votes that it says pose a national security threat to the country’s networks. It last updated the list in September, when it added Pacific Network Corp. and China Unicom Operations Ltd. to the growing list that already includes Huawei and ZTE.
Chinese companies and following Communist Party directions
U.S. officials and experts have warned that Chinese companies operating anywhere in the world must follow directions of the Chinese Communist Party, which they say could mean anything from surveillance to American data falling into the hands of that government.
The report notes at least six state governments had their networks breached by a state-sponsored Chinese hacking group between May 2021 and February 2022.
The only states that have enacted local regulations aligned with federal provisions are Florida, Georgia, Louisiana, Texas, and Vermont, the report said. Provisions in Georgia and Texas prohibit private companies from entering into agreements with the covered companies. Vermont, Texas and Florida provisions block state entities from purchasing equipment from countries like China, Russia, Iran, North Korea, Cuba, Venezuela and Syria. Louisiana and Georgia provisions ban public-funded schools from buying prohibited technology.
The remaining 45 states do not explicitly target the equipment and services they produce, nor are they directly responsible for following federal provisions, the report said, leaving state entities vulnerable in obtaining equipment from third party contractors that could pose a security risk.
“Many government entities also lack the in-house technical expertise and procedures to understand and address such threats in the first place, and those that do may prioritize addressing immediate threats like ransomware over the more abstract risks posed by foreign ICTS,” the report said.
Section 889 of the 2019 National Defense Authorization Act is one out of four federal provisions addressing the issue, prohibiting federal agencies from using equipment and services from Huawei, ZTE, Hikvision, Dahua and Hytera as well as working with contractors that use the equipment.
Prohibited products finding their way in
In some cases, the report said, the listed companies will sell their products to third party contractors that are not listed on Section 889 to bypass regulations, according to the report. Due to the low cost of Chinese equipment, public schools and local governments will purchase from the third-party entities that are unknowingly selling prohibited equipment, it added.
“These ‘middle-man’ vendors can mask the origin of their products, which creates major challenges for organizations aiming to keep certain equipment and services off their networks”, the report reads.
“Currently, contractors are responsible for self-certifying that their products and internal networks do not contain covered [products]” and “… inspecting the IT infrastructure—equipment, services, and components – of every contractor that does business with the federal government would require a staggering level of resources, making it difficult for agencies to conduct effective oversight.”