Federal bans aren't stopping US states from buying forbidden Chinese kit
Report claims thousands of orgs are still happily writing checks
Only a "handful" of US states have stopped buying Chinese technologies deemed by the government to pose security threats, according to a report from a Washington policy research group.
The Georgetown University think tank paper, published this week, says that "thousands" of public officials are still purchasing prohibited tech from "Huawei, ZTE, and other Chinese companies" and that most state and local governments simply haven't bought into existing federal actions by making any changes to their procurement policies.
The policy paper landed just hours before reports that senior Biden administration officials are weighing up whether to institute further controls on Chinese technology.
The authors say only five states — Florida, Georgia, Louisiana, Texas, and Vermont — have put in place measures to limit the procurement of foreign information and communications technology and services (ICTS) on national security grounds, stating that even these existing policies sometimes contain loopholes that would allow "untrustworthy" tech to slip into government networks.
Citing public government procurement records provided by GovSpend, the Georgetown report says "at least 1,681" state and local entities purchased equipment and services prohibited at the federal level under Section 889 (see boxout) between 2015 and 2021.
Measures regulating the purchase of foreign ICTS on national security grounds:
- Section 889 of the 2019 National Defense Authorization Act, which prohibited federal agencies from using equipment and services from five Chinese tech companies (including Huawei and ZTE) or working with contractors that use covered equipment.
- Title 2 of the SECURE Technology Act, which created a federal council to analyze supply chain security threats and recommended orders to remove or exclude certain technologies from federal networks.
- The ICTS rule, which allows the US Department of Commerce to block both public and private procurement and use of "certain foreign ICTS."
- The Secure and Trusted Communications Networks Act, which permits the FCC to restrict the purchase of certain ICTS using federal funds.
They note that while the total value of these purchases was only around $45.2 million, the purchases are "significant in terms of potential risk. Each piece of covered equipment represents a potential entry point into users' networks, regardless of its cost."
The report's authors say the threats the US is legislating against fall into three categories: baked-in backdoors (or the possibility of the later insertion of security holes), human vulnerabilities, and economic risks.
Huawei and other Chinese companies on the list have always denied the existence of "hidden bugs" that would let attackers in, and the report concedes that one wouldn't really need backdoors installed at the government's behest when run-of-the-mill software bugs are an easier – and cheaper – way for most bad actors to get into a network, whether it's in prohibited Chinese companies' software or local software made by local people. The US government has previously claimed it has evidence of such backdoors.
"State and local governments must take foreign technology threats seriously even if they do not face the same risks as federal agencies like DOD," the authors write. "Even if governments are not targeted directly, the ICTS they deploy might be used to compromise nearby critical infrastructure."
The second category the report posits is a little more interesting: it proposes that techies hauled in to do maintenance and upgrades might be "compromised by a foreign adversary", in which case "they could potentially install malware, exfiltrate data, or conduct other nefarious activities on their behalf."
The third is the obvious – as "Chinese companies gain market share, the United States and its allies may find themselves relying on their biggest geopolitical competitor for access to key technologies," and the authors note that as America began to put the federal laws into place, "some Chinese firms, like Huawei, commanded markets with no viable US competitors in the first place."
The US also curbs the export of American tech deemed a national security risk to China, but nevertheless, 2,652 export licenses for restricted tech to China were granted by the Commerce Department in 2020, 94 percent of the total requested, according to an August report in the WSJ – with America shipping a wide array of semiconductor, aerospace, and AI/ML tech to China.
In order to solve the problem of state spending on prohibited tech, the think tank recommends the Feds publish a "master list" of untrustworthy foreign ICTS covered by various federal rules and laws, as well as kick in with help for "rip and replace" programs for problematic equipment bought by state organizations, similar to the FCC's 2020 rip and replace program for private operators. Congress coughed up about $1.9 billion for that project, dubbed the Secure and Trusted Communications Networks Reimbursement Program, whose initial focus was on "ripping and replacing" equipment from Huawei and ZTE in the nation's comms network. The first wave of applicants, it adds, asked for "more than $5.6 billion in reimbursements."
The US government has also put pressure on its allies to exclude hardware from Huawei and other Chinese companies from 5G network buildouts across the world with claims that it is a security risk. Huawei has always denied these claims, and maintains a presence in both 4G core and RAN network infrastructure of many countries.
The UK, which came under enormous pressure from its ally to do so, earlier this month issued formal legal notices to operators instructing them to remove Huawei technology from the country's 5G networks by the end of 2027. However, network operators have already gained some reprieves as they say they cannot meet a January deadline to remove Huawei tech from their core networks (much of the country's 5G installation sits on top of a 4G core that is still full of Huawei kit). The nation's biggest telco, BT, says it expects the removal and replacement of Huawei equipment in its networks to cost about $658 million.
Meanwhile, China's feeling some pain too. Its semiconductor imports dropped 12.4 percent in the month of September, according to official customs data published by the country.
This could get very pricey. ®