“Up until now … the federal agencies have been prohibited from buying this kind of technology, but it's still been widely available to state and local governments, to private companies, individuals,” Jack Corrigan, research analyst at Georgetown’s Center for Security and Emerging Technology (CSET), told Government Technology.
Between 2015 and 2021, at least 1,681 state and local entities purchased tools and services from the five Chinese tech companies named in the FCC order, according to a recent CSET report on which Corrigan was the lead author. Many purchases came from public education entities, which accounted for three-quarters of the transactions.
In contrast, federal agencies have been banned from using such tools and services since August 2018, under Section 889 of the 2019 National Defense Authorization Act (NDAA).
State and local governments may not always be aware they’re using the technologies, because the tools may reach them as white-label products via third-party providers.
The new ban takes aim at that issue by targeting the technologies themselves, regardless of what name they’re sold under and who’s selling them.
The rule would not require state and local governments to give up the tools they’re already using or stop them from buying tech from the banned companies that’s already in the country. But it would gradually dwindle the available supply, by blocking new sales and imports of these companies’ offerings.
THE BAN
The ban prohibits marketing and importing telecom and video surveillance equipment from Huawei and ZTE. It also puts the same restriction on such tools from Hikvision, Hytera and Dahua that are used “for the purpose of public safety, security of government facilities, physical surveillance of critical infrastructure and other national security purposes.”
The latter three’s tools are being put under a “freeze” until the companies show FCC how they’ll prevent the tools being sold or marketed for those uses, FCC Chairwoman Jessica Rosenworcel said in a statement. Some suggest this may allow for continued sales and imports targeted for individual consumers and small businesses.
Companies based in China have sparked security concerns because the Chinese government is often able to compel companies to cooperate with it, and might push them to design insecure products that the government could exploit.
The CSET report notes that, “most proponents of foreign ICTS [information and communications technology and services] procurement bans have justified their position on the grounds that covered technologies could contain secret backdoors, or vulnerabilities that are deliberately baked into the technologies,” that could be used for cyber espionage or disruption.
“The cooperation between nominally once-private companies in China and the Communist Party is becoming systemic,” Matt Pottinger, chair of the China Program with the Foundation for Defense of Democracies, said during a September 2022 Senate hearing.
STATE AND LOCAL USE
Only five states — Florida, Georgia, Louisiana, Texas and Vermont — have policies limiting use of foreign tools and services on national security threats, per the CSET report, and approaches vary in scope. Texas, for example, prevents state agencies from giving critical infrastructure contracts to companies linked to China, Russia, Iran or North Korea, while Vermont forbids state agencies from buying tools and services from certain Chinese and Russian companies and requires them to phase out the products.
Several factors may drive the milder state and local reaction, report authors suggested.
In some cases, these jurisdictions may believe they are less desirable targets for China, and thus face fewer risks.
They have not been immune, however, and cybersecurity firm Mandiant said in March that Chinese government-sponsored hackers appeared to deliberately target six states. CSET’s report also argues that state and local agencies’ technology choices can impact federal security, noting that the FBI found that Huawei equipment used in the vicinity of military bases could put military communications at risk of interception or disruption. South Dakota turned focus on risks from China as well last week, when Gov. Kristi Noem signed an executive order banning use of TikTok on government devices.
There are practical and logistical reasons at play, too. For one, these Chinese technologies are often cheaper than alternative options, which can be compelling to organizations operating on tight budgets.
Additionally, procurement officers may struggle to discern technologies’ original manufacturers when buying through third parties — which is how most of these tools reach state and local governments, Corrigan said.
WHAT’S NEW FOR STATES?
The FCC rule “takes a lot of the burden off of state and local governments and private companies and individuals from having to kind of track developments in this space and make these security decisions for themselves,” Corrigan said. “It really just sets a baseline standard of security for everybody.”
The new ban blocks the sale of specific technologies, rather than banning sales from the Chinese companies. That distinction ensures that a Huawei device, for example, cannot just enter the market via a distributor or other third party. It also means that state or local agencies trying to avoid these tools wouldn’t have to do the legwork of tracing back supply chains to determine products’ origins.
However, the rule only goes so far.
The ban also solely prevents the products from continuing to enter the U.S. market. Products already available on the market can continue to be sold and purchased.
“It only applies to future equipment that comes out from these companies. So, like, all of the equipment that is already available on the marketplace is still legal to buy and sell,” Corrigan said.
Agencies also may continue using any of these tools that they’ve already adopted, meaning the problematic technologies could linger on government systems for years to come.
The sheer number of these tools already in use across the nation makes it untenably difficult and costly to fully remove and replace them, and efforts should focus on getting them out of the highest-risk areas, Corrigan said. Of course, that takes money and additional federal funding would be helpful.
The FCC provides some funding for small “advanced communications” providers to remove and replace Huawei and ZTE equipment and services. But several senators said in a September letter that demand has outstripped the provided funding.
PROCUREMENT OPTIONS?
It remains to be seen how deeply the ban will impact state and local procurements, but Corrigan said the new move raises financial questions.
Technologies from these Chinese companies are often compelling for their affordability, and agencies may struggle to find safer alternatives at the same price point.
Similarly low-cost products may be available from other Chinese companies not covered by the ban, but this does not remove the risk that the Chinese government might exert pressures on the companies to compromise their security, Corrigan said. He advocated for federal policymakers to provide funding support to ease shifts to more expensive but less risky offerings.
“The thing that I've just been trying to really hammer home with people is that … in terms of the additional costs of shifting from these kinds of untrustworthy-but-inexpensive technologies to more-trustworthy-but-more-expensive technologies that is there are financially constrained actors — whether they be private companies or state and local governments, what have you — that are going to face cost constraints when they make this switch,” Corrigan said. “Policymakers need to be considering that … that’s a really important piece of the puzzle.”
