The first shoe to get Chinese telecommunications out of the government dropped today and the second is coming next week.
The Federal Acquisition Regulations Council issued an interim final rule telling contractors that they can’t use ZTE and Huawei products or services on their networks. The regulation, which takes effect on Aug. 13, also requires agencies to modify existing contracts to ensure future task orders include the new prohibition of these potentially risky products.
The interim final rule implements the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), otherwise known as Section 889 of the 2019 Defense Authorization bill.
“FIRRMA is aimed at ensuring that the United States is protected from certain risks regarding foreign actors. In effectuating these protections, defining terms in a consistent manner, to facilitate consistent application, is crucial,” the council states in the document. “While there are elements of this definition that may not raise concerns regarding covered telecommunications equipment or services (for example, the inclusions of select agents or toxins), the majority of identified categories in the FIRRMA definition of ‘critical technologies’ include or could potentially include covered telecommunications equipment or services. Since the prohibition does not apply if no covered telecommunications equipment or services are present, a definition that includes categories that may be unlikely to include telecommunications equipment or services is over broad in a way that incurs no additional cost, and ensures the benefits of consistency with other government efforts.”
Insight by Exterro: Capt. John Henry, operations officer of the USCG Cyber Command, discusses how the Command prepares for and responds to cyber incidents. Justin Tolman, forensic subject matter expert at Exterro, will provide an industry perspective.
Since the council issued an interim final rule, industry, agencies and other stakeholders still have an opportunity to comment. Comments are due 60 days after the council publishes the regulation, which is expected on or around Aug. 12.
“The administration has a strong commitment to defending our nation from foreign adversaries, and will fully comply with Congress on the implementation of the prohibition of Chinese telecom and video surveillance equipment companies, including Huawei,” said Jacob Wood, a spokesperson with the Office of Management and Budget, in a statement.
The council states that agency secretaries or leaders can grant a one-time waiver on a case-by-case basis for up to two years. After that, the director of national intelligence will have the sole responsibility to approve any extension of the use of these products or services.
The second shoe comes next week when agencies must meet the deadline under the 2019 NDAA to remove all ZTE and Huawei products and services from their networks.
While agencies have been working on this problem for the better part of a decade, according to some industry sources, a recent survey by Forescout found more than 2,700 Huawei and nearly 1,400 ZTE devices still connecting to public sector networks.
An email to the Department of Homeland Security requesting an update on agency progress was not immediately returned.
In interim final rule, contractors now will have to attest in their bids that they are not offering “any covered telecommunications equipment or services” to the government.
“The FAR Council has determined that it is in the best interest of the Government to apply the rule to contracts at or below the simplified acquisition threshold (SAT) and for the acquisition of commercial items,” the interim final rule states. “The administrator for Federal Procurement Policy has determined that it is in the best interest of the government to apply this rule to contracts for the acquisition of COTS items.”
During a July 18 industry day focused on the rule, James Gauch, a partner with the law firm Jones Day, represented Huawei and said banning one or two vendors will not address the full threat contained in the supply chain.
“Indeed, consolidating the number of equipment suppliers hinders rather than helps cybersecurity,” Gauch’s presentation, which the General Services Administration’s site, stated. “Creating a small number of dominant suppliers, regardless of national origin, reduces the incentives of those suppliers to embrace industry-leading standards and creates greater exposure to vulnerabilities of a single supplier. By construing Section 889’s prohibitions thoughtfully and relying on a holistic, risk-based framework for supply chain security … DoD, GSA, and NASA can achieve the statute’s purposes while minimizing unnecessary costs and disruption to stakeholders.”
Gauch said Huawei has a “strong track-record of network security. In more than 30 years there has been no serious network security issue involving Huawei, and there is no evidence that Huawei ever engaged in or been a party to malicious activity.”
The fact the government is using its procurement muscle to send a message about the real and potential dangers of these products is relatively new.
The only other time concerns rose to this level is with Kaspersky Lab, a company owned by a Russian citizen, and Congress and DHS banned it in 2018.
Bob Kolasky, the director of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center in DHS, said sharing concerns similar to ZTE, Huawei and Kaspersky is what his organization is all about.
“We hope that places where the authorities lie to reduce risk will take action through our understandings,” he said after speaking at the FCW cyber summit in Washington, D.C. on Wednesday. “The Secretary of Commerce has different authorities than DHS and we work closely with them so when they apply their authorities to reduce risk directly, it fits into the overall equation.”
The threats from ZTE and Huawei came to a head over the last year, in part, because of the implementation of 5G and the excitement of agencies to begin taking advantage of the faster network.
Kolasky said IT and communications supply chain task force also will help Commerce and other agencies become more aware of threats.
He said the four working groups are developing initial recommendations and will present them publicly in September at CISA’s cyber conference.
“We are meeting again on Aug. 20 and will release our interim report by the end of the summer. We will vote on it as a task force in the next few weeks,” he said.