Executive Summary
For nearly a decade, U.S. national security leaders have warned that information and communications technology and services (ICTS) produced by Huawei, ZTE, and other Chinese companies may serve as conduits for government espionage and other nefarious activities. In response, policymakers have sought to purge this untrustworthy technology from U.S. supply chains.
Over the last five years, the federal government has enacted a series of measures regulating the purchase of foreign ICTS on the grounds of national security, including:
- Section 889 of the 2019 National Defense Authorization Act, which prohibited federal agencies from using equipment and services from five Chinese tech companies and working with contractors that use covered equipment.
- Title 2 of the SECURE Technology Act, which created a federal council to analyze supply chain security threats and recommended orders to remove or exclude certain technologies from federal networks.
- The ICTS rule, which allows the U.S. Department of Commerce to block public and private procurement and use of certain foreign ICTS.
- The Secure and Trusted Communications Networks Act, which permitted the Federal Communications Commission (FCC) to restrict the purchase of certain ICTS using federal funds.
These measures aimed to provide federal policymakers with the authorities to identify and remove untrustworthy ICTS from critical federal networks and—where possible and appropriate—from critical networks owned and operated by state, local, and private sector entities. However, these authorities are still relatively new, and it remains to be seen whether they will be effectively scoped and implemented.
Defending U.S. networks against untrustworthy foreign ICTS also requires buy-in from state and local policymakers, but to date, they have largely not revised their procurement laws to address those threats. Only five states—Florida, Georgia, Louisiana, Texas, and Vermont—have enacted measures to limit the procurement of foreign ICTS on national security grounds, and some of these existing policies contain loopholes that would allow untrustworthy technology to slip into government networks. All the while, public officials have continued integrating untrustworthy technologies into schools, hospitals, prisons, public transit systems, and government offices around the country. Our analysis of public government procurement records provided by GovSpend found that at least 1,681 state and local entities purchased equipment and services prohibited at the federal level under Section 889 between 2015 and 2021.
Keeping untrustworthy foreign technology out of government networks requires a more harmonized effort across all levels of government. Given its resources and intelligence capabilities, the federal government must spearhead this effort. Under the SECURE Technology Act, government leaders can tailor federal procurement prohibitions for different environments and applications. By providing the Commerce Department with the funds and staff to implement the ICTS rule—through a sanctions-based model—they can work to keep untrustworthy technology out of state, local, and critical private networks. Using these two authorities, policymakers can maintain effective procurement prohibitions that will remain current with the changing threat landscape. FCC regulators can further protect U.S. networks by blocking authorizations of untrustworthy technology.
Given their resource constraints and limited mandate, state and local governments should not be expected to independently grapple with the national security implications of foreign ICTS. However, by adhering to federal rules on foreign ICTS procurement, state and local governments can protect their digital infrastructure and keep procurement practices up to date without constant regulatory, administrative, or legislative interventions. This may entail following mandatory ICTS rule restrictions or, if the rule is not implemented effectively, enacting policies that prevent the use of ICTS prohibited by federal agencies. Federal policymakers can further enable state and local governments to address foreign technology threats by creating a master list of foreign ICTS covered by procurement prohibitions, strengthening existing information sharing channels, and increasing funding for rip and replace programs.