Nov. 2—I cannot attest to a broader “China problem” of the kind so many media and political commentators describe. Sometimes, it seems as though the People’s Republic of China and President Xi Jinping’s government bear the greatest responsibility for our cybersecurity woes. At other times, China’s contributions to our technological landscape are invaluable, particularly when it comes to the manufacturing of technology solutions. To compound the complexity of the situation, when this yin and yang meet—e.g., China’s manufacturers build IT hardware with offensive capabilities baked in at the chip level (see a previous column under this banner)—any positive that comes from the China factor goes by the wayside because of the cyber risks.
Then, you have the relationships between China and Russia and other U.S. adversaries. We will continue to have our own relationship with the Chinese government and its commercial outputs, though it must always be weighed against that nation’s other partnerships before we evaluate the benefits we glean from our own connection to the socialist republic. When that calculus includes, as it does, both risks and rewards, it is the risk column that deserves our greatest caution. Otherwise, all we see is the goodness, and that blind eye toward the vulnerabilities gives license for those exposures and losses to ensue.
The cybersecurity risks of Chinese technologies are known to even casual observers. Throughout the past years we’ve seen some of the country’s most expansive firms, such as ZTE and Huawei, come under the U.S. government’s scrutinizing security eye. Bans against importing technology from just those two firms have gone up and down the chain, particularly from the FCC’s offices, and another such ban was recently approved by vote. Given how widely these cases are known, alongside the even more common knowledge of China’s oftentimes dastardly deeds, done quite brazenly, it should follow that the thousands of lower-level governmental agencies—those at state and local levels—would also exercise caution, and carefully assess whether the positive column tallied when eyeing a contract with Chinese tech is truly worth the risks.
In a report compiled and published last week by the Center for Security and Emerging Technology (CSET), based out of Georgetown University’s School of Foreign Service, the findings were quite the contrary. The study looked at “information and communications technology and services” (ICTS), a distinct term in the supply chain marketplace that covers computer hardware, software, and cloud services that facilitate data processing and storage. Whenever ICTS purchasing involves Chinese firms and their exported tech, special rules apply at the federal level. Numerous laws and regulations have been enacted to mitigate the risks that accompany the benefits of doing business in Chinese tech. But what about the local and state governmental customers?
The CSET study of state and local governmental spending on ICTS showed that nearly 1,700 distinct agencies made purchases that would be illegal in the federal domain. Think about that. Across the 50 states and the District of Columbia, it’s not that 1,700 federally banned devices, or contracts altogether, ran afoul of the standards. It’s that 1,700 individual agencies made these risky purchases of computing technologies to run transportation systems, hospitals, the offices of the agencies making the risky purchases … What else? You should be alarmed by these risks not only because the rationale behind banning them at the federal level is clear and known, especially to lower governmental procurement offices. It’s also because, despite their knowing about the risks, the transactions occurred nonetheless. That count, by the way, amassed over just the six years of data analyzed, from 2015 to 2021. How much else is out there, riding along the same network as you and me, and as the federal government agencies that transact with those now-compromised state and local government entities?
The study was even more limited than you may think. It analyzed purchases from just the five Chinese firms that the federal laws name: Huawei, ZTE, Hikvision, Dahua, and Hytera. There were around $45 million in deals between states and these five suspect tech firms. While that amount, to me at least, seems trivial compared to overall U.S. spending on foreign tech, the more meaningful data point is the sheer number and spread of the risky state buyers. You cannot escape this risk if you are an American who interacts with a state government, no matter the arena of services you are transacting within. The lion’s share of transactions related to education systems. Next in line, volume-wise, were the governmental offices themselves; again, a sort of pivot point working with countless other factions and constituents. Transportation, healthcare, the judicial systems, and utilities represented other categories of business dealings with China.
Few states have enacted laws or signed executive orders that fall in line with the federal laws prohibiting these trade deals, and the only two jurisdictions that have averted the risks altogether during these past six years have been D.C. and Vermont. Other states’ laws are so new that the poison has already reached their wells.
Our government leaders, at the federal level and closer to home, need to coordinate their security efforts when it comes to protecting us from China’s insidious cyber threats. Sure, the federal lever-pullers in the District have the most resources: money, time, authority, talent. They should lead the charge because of those truisms. State and local governments should heed that good work and follow those leads. They may contend that the benefits—read, “cost savings”—of doing business with China guide their procurement decisions. That, too, is a truism. When budding entrepreneurs pitch their Shark Tank products, Mr. Wonderful almost religiously steers their production to China for this sole reason.
The governmental version, though, needs more precaution. States and localities need to find the balance and consider the risks, risks we’re each bound to bear in turn, eventually.
Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.