U.S. Moving Closer To Banning Security Gear From China

A law signed this week prevents NASA, the Justice Department, and the Commerce Department from buying IT-related equipment from China without a “cyber-espionage” risk consultation with law enforcement. The story is worth a read.

The topic has been stewing for a while. In the past lawmakers wanted to ban it altogether.

The rationale: The U.S. is scared of buying electronics from China because its thinks it'll be buying gear with pre-loaded hardware or software that facilitates Chinese spying.

I’ve written about this topic in the past. Back then, lawmakers I talked to were toying with the idea of introducing legislation prohibiting the U.S. from buying any IT or security-related gear from Chinese companies. This included surveillance and any security-related gear, IT equipment, electronic parts for weapon systems, electronic aircraft parts and medical devices.

The new law shows the idea is gaining some traction, however, the law didn’t go as far as putting this requirement on law enforcement agencies like the FBI and DHS or venture into regulating where businesses can buy from (but it could be a precursor). It may not have much local impact immediately, but keep in mind that local politicians often mimic decisions from Washington when making their own city and state laws.

If something broader passes in the future, it could be a headache for the surveillance industry -- especially for people who do business with government agencies (federal, state and local).

Thoughts?


IT related equipment? Thats a pretty broad term. That would be a headache. Almost anything IP based comes from China.

Here's the actual text from the Consolidated and Further Continuing Appropriations Act of 2013:

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

Sec. 535. (a) None of the funds made available by this Act may be used for the National Aeronautics and Space Administration (NASA) or the Office of Science and Technology Policy (OSTP) to develop, design, plan, promulgate, implement, or execute a bilateral policy, program, order, or contract of any kind to participate, collaborate, or coordinate bilaterally in any way with China or any Chinese-owned company unless such activities are specifically authorized by a law enacted after the date of enactment of this Act.

However, the restrictions don't apply to items that the FBI checks out first:

(1) pose no risk of resulting in the transfer of technology, data, or other information with national security or economic security implications to China or a Chinese-owned company

I think this is a great move - I believe it will make many IP vendors wake up and up their game interms of product design and quality - in order to pass the FBI tests.

Rubbish IP gear is everywhere and a real nuisance.

Of course, the stupid thing about laws like this is, affected manufacturers will just move operations to "non-prohibited" countries. Or at least change their mailing addresses...

Actually, it sounds a lot like the Cuban embargoes that still exist to this day (AFAIK anyway). I believe it's still illegal to buy, import, and/or own Cuban cigars in the US? So of course, disciminating smokers pop over the line into Canada to buy their Cubans. And according to one story I read, the real irony of the whole thing is, the family that actually made the "famous" Cuban cigars moved to some other Caribbean island to escape the embargo anyway... so all those "Cubans" everyone's been so hot about for the past 50 years aren't the same "Cubans" that Cuba became famous for in the first place.

And Sean makes a great point: no matter where it's finally "built", almost anything electronic has at least SOME parts coming from China... if the Chinese wanted to get malicious code into US equipment that badly, a simple ban on direct shipments isn't going to slow them down at all.

Matt, I have a question for both you and Bohan: Why leading up to this have electronics (security, IT, etc.) manufacturers other than Huawei Technologies been so silent about the issue. I can't seem to find evidence of anyone serioulsy lobbying against it. Everyone seems to be just kind of letting it happen.

I have no problem with the US trying to protect Cisco from Huawei. China would be doing the same thing to protect Huawei from Cisco.

As for smaller manufacturers - who is going to listen to them?

There are so many crap manufactuers in China and a few very good ones - hoepfully laws like them will slow develop a culture where the manufactuers with no pride in their QA or design departments either die or wake up to the need for quality.

Carlton, it's possible that most don't really see this as a threat. Or maybe they've already figured out their "work-arounds" and are just keeping quiet to stay under the radar.