Some of the sequestration uncertainty was removed at the end of March when Congress finally passed, and the President signed, a continuing resolution to fund federal agencies through the rest of FY 2013.1 However, the bill contains a surprise for U.S. federal contractors and even commercial companies that provide IT systems to the U.S. government. Reflecting Congress’s increased scrutiny of technology from the People’s Republic of China,2 the continuing resolution contains language that prohibits certain IT purchases using the funds appropriated under the resolution.3
The Departments of Commerce and Justice, NASA, and the National Science Foundation are prohibited from purchasing IT systems “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People's Republic of China” unless the head of the purchasing agency consults with the FBI and a determination is made that the purchase is “in the national interest of the United States.”4 These agencies must now make a formal assessment of “cyber-espionage or sabotage” risk for every IT system purchase.5
Supply chain verification challenges
The vague language of the provision is potentially problematic because it does not distinguish between supplier or subcontractor tiers and could apply to any part of a company’s supply chain. The language is not limited to entities that operate within China; it could also reach an entity that produces, manufactures, or assembles IT systems outside China, so long as that entity is “subsidized” by China. Companies that have diversified their sources of supply across the globe could find their sales to the U.S. government delayed or cancelled depending on the formal agency “assessment” of risk for each and every IT system purchase.
There is no further direction from Congress on how the “assessment” process will work or how the FBI will evaluate and rate the “associated risk of cyber-espionage or sabotage.” Section 818 of the National Defense Authorization Act for FY 2012 required the Department of Defense (DoD) to develop programs for the detection and avoidance of counterfeit electronic parts, including the risk of cyber-sabotage. The development of DoD policies and procurement rule-making is still ongoing, and the plodding pace of that earlier rulemaking effort does not bode well for an expeditious implementation of this new pre-screening requirement for purchasing IT systems for these four federal agencies.
Furthermore, it is unclear what role (if any) federal contractors and commercial IT suppliers will play in developing the risk assessment framework here. There is no statutory requirement in the resolution to develop this process in consultation with industry, although it presumably will be subject to notice and comment rulemaking.6 It is also unclear whether the FBI will communicate with a company about its findings and provide it with an opportunity to rebut the assessed risk. DoD’s counterfeit parts program is establishing trusted sources of supply and working with other agencies, including Customs and Border Patrol, to identify suspected counterfeiters and keep their products out of the supply chain. Without similar information sharing among federal agencies and companies undergoing a risk assessment, companies likely will carry on “business as usual” with entities “owned, directed, or subsidized” by China without having the benefit of the FBI’s assessment of the associated risks.
International trade issues
The new provisions raise potentially significant international trade issues. These include whether geographic trade restrictions have a constructive role in global cybersecurity best practices, the possibility of retaliation by China against U.S.-based companies active in the Chinese market, and the consistency of the new measures with various international obligations.
China has already reacted strongly to the new provisions, stating that they would “interfere with bilateral economic and trade relations” and constitute “unfair treatment of Chinese enterprises.”7 Several U.S. companies in the technology sector are concerned that China (or others) may seek to retaliate or emulate the approach of the new provisions with respect to purchases of U.S.-sourced goods. Lastly, while the new provisions may be subject to challenge in the World Trade Organization (WTO), China is not a signatory to the WTO’s Government Procurement Agreement (GPA) and the WTO has been hesitant to make determinations based on the contours of a Member’s invocation of national security.
Several outstanding issues will require clarification, including:
- What will the IT system “assessment” by the FBI involve? Will industry be able to play a role in developing the framework, as it has for DoD counterfeit parts and “trusted suppliers”?
- Since the resolution is limited to funds appropriated for the rest of FY 2013, the administration will need to act quickly to determine next steps for implementation.
- Although the restrictive language applies to only four federal agencies, it is possible that this requirement could be expanded to other agencies in the future. Were that to happen, this would significantly affect government purchases of IT systems. Concerned IT industry groups, including the Emergency Committee for American Trade, the Information Technology Industry Council, TechAmerica, the U.S. Chamber of Commerce, and the U.S. Council on International Business, have jointly submitted a letter to Congress.8
Michael Scheimer and Paul Otto