The Public Eye with Eric Chabrow

'Hidden' Law Could Hamper Gov't Infosec

Agencies' IT Security Might Suffer from Act Aimed at the Chinese
A mysterious lawmaker shielded by congressional rules covertly added language into a new law that could make the purchase of IT security wares very difficult for the departments of Commerce and Justice, NASA and the National Science Foundation.

The law - the Consolidated and Further Continuing Appropriations Act of 2013, commonly known as the continuing resolution - funds federal government operations through September and was enacted by Congress and signed by President Obama last month. The law contains a number of amendments that go beyond funding the government, including one that could complicate the process to acquire IT security wares for the four federal agencies.

Simply put, the added provision requires the agencies' heads, in consultation with the FBI or another appropriate federal entity (not identified in the legislation, but presumably including the Department of Homeland Security and the National Security Agency), to conduct, for the remainder of the fiscal year, risk assessments of acquired technology to determine whether it poses a threat of cyber-espionage or sabotage.

The rider specifically mentions systems from Chinese manufacturers, which some lawmakers suspect produce computer and telecommunications equipment that can spy on IT systems at the request of the Chinese government, an allegation the manufacturers and China deny.

Grammar Matters

Though the amendment targets the Chinese, Brookings Institution Fellow Allan Friedman believes the law would cover technology manufactured anywhere, even in the United States, because of the way the legislation is worded. The reference to China in the law appears as a clause that augments the sentence establishing the assessment process: the assessment must cover "any associated risk" of cyber-espionage or sabotage, with Chinese-sourced systems named only as one example. Take note of the comma appearing before the word "including" in the provision, which reads:

SEC. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People's Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

If the law's intent is to safeguard government IT systems, it might have the opposite effect.

"If there is a security component that an agency desperately needs, this would make it harder to buy because now you have to go through an additional layer of certification by getting the cognizant attention of senior leadership inside the organization," said Friedman, research director of the Center for Technology Innovation at Brookings, a think tank. "It's one thing [for a cabinet secretary or agency director] to sign off on an acquisition; it's another to sign off on the security of the acquisition."

Slowing Down the Acquisition Process

Complicating the process - and perhaps threatening the security of critical information systems - is the review process by the FBI or other entity. "Once you cross boundaries like that, especially without further funding, you're adding workload [and] you're making it work much more slowly," Friedman said.

Despite the broad language, the amendment obviously takes aim at the Chinese government and at Chinese IT and communications equipment makers. Last fall, after a congressional report and hearings, Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, said he worries that the Chinese government could be using communications products manufactured in China and installed in U.S. government and American corporate IT systems to pilfer classified information and trade secrets [see House Panel: 2 Chinese Firms Pose IT Security Risks].

"Any bug, beacon or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks," the Michigan Republican said at the time when his committee issued an investigative report that recommends the U.S. government and American businesses stop conducting business with two Chinese telecommunications companies, Huawei and ZTE, because of long-term IT security risks.

Concerns over Chinese digital spying intensified in February when security provider Mandiant issued a report showing how a Chinese military unit stole secrets from the computers of governments and businesses, especially those in the United States [see 6 Types of Data Chinese Hackers Pilfer]. President Obama raised concerns about Chinese electronic spying with China's new president, Xi Jinping, on March 14 [see Obama Raises IP Theft with New China Leader].

Stewart Baker, Homeland Security's assistant secretary for policy during the second term of George W. Bush and a onetime general counsel at the National Security Agency, said the impact could reach beyond the Chinese manufacturers. "It may also bring some surprises for American companies selling commercial IT gear to the government," Baker wrote in his blog. "It's not clear that they even know which of their suppliers and assemblers are directed or subsidized by the Chinese government. Where the IT system is manufactured doesn't answer the question; sanctions will depend not on where the system is made but on whether the company that supplies it is tainted by close ties to China's government."

Boomerang Effect

Friedman said designating one country for special vetting, in this case China, sets a bad precedent that could come back to bite the United States by having other nations require American-made tech products to go through an extensive evaluation process before being purchased. That could lead to trade wars.

Questions about how the four agencies would comply with the new law were sent to their media contacts late afternoon April 4. A spokesman for the space agency said he was unaware of the new law and would look into it. An NSF spokeswoman said the foundation is reviewing the language so any discussions regarding implementation or impacts would be premature at this time. Commerce and Justice had not replied as of mid-morning April 5. The FBI acknowledged receipt of a request to explain whether the bureau has established processes to vet the technology to be purchased by the four agencies, but didn't provide an answer. A White House spokeswoman promised to respond to a request to comment on the new law. Those responses will be posted in this blog if and when they're received.

Congress should be concerned about the potential risks Chinese equipment could pose on the security of government IT systems and data. But Congress - with its rules that allow lawmakers to introduce amendments or block presidential nominees surreptitiously - should do so openly, with public hearings, to avoid legislation that could produce more problems for agencies already burdened with the job of protecting the nation's key digital assets.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.