Chinese Tech: Banned in DC, but not in the States
There’s a massive loophole in the federal ban on Chinese technology from sus firms such as Huawei and ZTE: It doesn’t stop states from buying it.
For example, the National Defense Authorization Act only stops federal agencies from buying proscribed kit. Same story with the SECURE Technology Act and the Secure and Trusted Communications Networks Act. Scary.
It’s almost as if states had some sort of constitutional independence—who’d a thunk it? In today’s SB Blogwatch, we go hunting for heffalump.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stayin’ Alive.
‘Oh, Bother,’ Said Pooh
What’s the craic? A few days ago, Ana Swanson reported—“Administration is weighing further controls on Chinese technology”:
“National security threat posed by China”
The Biden administration is mulling further export controls that would clamp down on China’s ability to gain access to cutting-edge technologies … to protect U.S. national security. … Alan F. Estevez, the under secretary of Commerce for Industry and Security who oversees U.S. export controls … said that his department would enforce the restrictions to their fullest extent, including applying civil and criminal penalties.
…
Mr. Estevez, who described himself as the chief technology protection officer of the United States, also said that the administration was working to convince allies that play an important role in the semiconductor supply chain, like the Netherlands and Japan, to issue their own restrictions on Chinese technology. [He] said that U.S. allies understood the national security threat posed by China … adding, “We expect to have a deal done in the near term.”
That’s all very well, but state governments aren’t exactly toeing the line when it comes to importing Chinese tech. So it’s not a good look. Here’s Jude Karabus—“Bans aren’t stopping US states from buying forbidden Chinese kit”:
“Problematic equipment bought by state organizations”
Only a “handful” of US states have stopped buying Chinese technologies deemed by the government to pose security threats. [A] Georgetown University think tank paper … says that “thousands” of public officials are still purchasing prohibited tech from “Huawei, ZTE, and other Chinese companies” and that most state and local governments simply haven’t [made] any changes to their procurement policies.
…
The authors say only five states — Florida, Georgia, Louisiana, Texas, and Vermont — have put in place measures to limit the procurement of foreign [tech] on national security grounds [and that] the purchases are “significant in terms of potential risk. Each piece of covered equipment represents a potential entry point into users’ networks.”
…
In order to solve the problem of state spending on prohibited tech, the think tank recommends the Feds publish a “master list” of untrustworthy foreign [tech], as well as kick in with help for “rip and replace” programs for problematic equipment bought by state organizations, similar to the FCC’s 2020 rip and replace program for … equipment from Huawei and ZTE in the nation’s comms network.
Problematic how exactly? Jack Corrigan, Sergio Fontanez and Michael Kratsios suggest three ways—“Banned in D.C.”:
“Compromised by a foreign adversary”
Keeping untrustworthy foreign technology out of government networks requires a more harmonized effort across all levels of government. … Most proponents of … procurement bans have justified their position on the grounds that covered technologies could contain secret backdoors, or vulnerabilities that are deliberately baked into the technologies.
…
Foreign technologies can pose other hazards, such as human vulnerabilities: Most hardware and software must be serviced over the course of its life cycle, and the technicians who perform replacements, upgrades, and other maintenance may find themselves … compromised by a foreign adversary [and] potentially install malware, exfiltrate data, or conduct other nefarious activities on their behalf.
…
Foreign technologies can also pose economic risks: … As Chinese companies gain market share, the United States and its allies may find themselves relying on their biggest geopolitical competitor for access to key technologies.
Are we buying that? martinusher ain’t:
The “threat to national security” notion has been wearing a bit thin lately: … Members of the Administration now openly state that the purpose of their restrictive measures is to kneecap Chinese competition.
So what’s a procurement person to do? Go without or pay extra for kit of dubious provenance (which may well be rebadged and significantly marked up Chinese kit anyway) or just carry on with what they were doing anyway?
It’s either funny or worrying. u/Independent_Pear_429 breaks out the popcorn:
It’s hilarious just how weak the US federal government is sometimes.
It must be someone’s fault—right? u/Aviator-Moe1967 lets you fill in the blanks:
When are government employees going to be held accountable? Lose their jobs? If there are no consequences for their inaction …
Risk or no risk, this Anonymous Coward takes a long-term moral stand:
A bigger and more likely risk is, in the looming conflicts, that the supply and support of gear for either could be cut off with little or no notice. As a company I don’t want to be saddled with gear that may never receive another essential update, has no support or warranty, and may be at higher risk of … attack.
…
Even if these things aren’t compromised today, are you equipped to audit the updates that come out in the future? I appreciate that risk management is part of my job, and that has a part to play in the bottom line, especially for essential services. So there are vendors I am avoiding solely because the money saved … isn’t as important as something I can set up and park in the corner without losing sleep over.
…
There is a bigger picture to this conflict, including ethnic cleansing, genocide, and forced sterilizations. … I am not putting that low a price on my conscience either.
Are we worrying about nothing? u/Explorer335 thinks not:
Huawei, Hikvision, and Dahua [IP CCTV] gear are really prevalent in my field. The prices are so low on some of the stuff that I swear they must be subsidizing it somewhere.
I know those cameras check in with a server in China periodically, and some of them have facial recognition. I’m curious about what all they can do.
As does Binraider:
Our recently installed network control centres have video conferencing hardware within scope. And within about 30 mins of the office going live, they detected traffic attempting to go back to China.
The supply chain is screwed; if you want zero espionage then don’t use the internet. Accepting the NSA and MI6 use the same tactics—at least they are on the right side (mostly).
Meanwhile, u/LoserAntics alleges an allegation:
The NSA is just concerned that it will ask for a TikTok login instead of Facebook on the next update.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: EH Shepard (public domain)