House Appropriations to consider extending anti-Chinese supply chain measure


A temporary anti-Chinese manufacturer supply chain measure currently in force for a handful of major agencies would stay in effect through fiscal 2014 under a provision included in a subcommittee spending bill.

The fiscal 2014 Commerce, Justice, Science appropriations bill (.pdf)--set to be considered by the full House Appropriations Committee Wednesday after a July 10 subcommittee markup--would extend to Sept. 30, 2014, a law preventing the departments of Commerce and Justice, NASA and the National Science Foundation from acquiring an information technology system until the FBI assesses the cyber espionage or sabotage risk posed by that system. That assessment must include the risk associated "with such system being produced, manufactured or assembled" by entities "owned, directed, or subsidized" by the Chinese government.

The provision's author, Rep. Frank Wolf (R-Va.), has long pushed against federal acquisition of IT made by Chinese companies--for example, in 2006 preventing the State Department from using Lenovo laptops manufactured in the United States on its classified network because of Lenovo's financial ties to the Chinese government.

The House has grown increasingly hostile to Chinese-manufactured parts, with the House Armed Services Committee also inserting a provision into its version of the fiscal 2014 national defense authorization act that would require the Defense Security Service "to aid cleared contractors in identifying and reporting the presence of such technology in their classified and unclassified networks, and to reduce the likelihood of such technology being incorporated into these networks in the future," with "such technology" referring to information technology equipment manufactured by firms with links to the Chinese government.

The House Intelligence Committee issued an October 2012 report calling on federal agencies to avoid systems with parts from Chinese firms Huawei and ZTE, even at the component level.

Many cybersecurity experts say the measures won't decrease Chinese cyber espionage--which is driven by holes in network security rather than hard-coded vulnerabilities in hardware or software--and trade groups have warned that they could harm the export of American-made systems through implementation of equivalent regulations abroad targeting U.S. companies.

"Security comes from securing the production, maintenance and usage of a product, not by restricting where or who makes it," said Trey Hodgkins, a procurement expert at TechAmerica, a Washington, D.C.-based trade association.

TechAmerica sent a July 11 letter (.pdf) noting that existing law already gives the Defense Department and Intelligence Community authority to ban from procurements companies believed to have a faulty supply chain that poses a cyber risk.

For more:
- download the House Appropriations subcommittee draft of the Commerce, Justice, Science and Related Agencies fiscal 2014 spending bill (.pdf)
