With a recent report citing at least 1,600 state and local agencies still buying IT and communications equipment from China, one researcher advised they follow federal guidance more closely.
States should more closely link their procurement policies to federal guidelines so they do not acquire foreign-made IT and communications technology that is banned on national security grounds, a researcher said in a recent webinar.
An October 2022 report from Georgetown University’s Center for Security and Emerging Technology (CSET) found that at least 1,681 state and local agencies purchased equipment between 2015 and 2021 that is prohibited in the 2019 National Defense Authorization Act (NDAA). That number could be far higher given the inconsistencies in state-level procurement data, the report noted.
And while federal agencies are prohibited from using technology from companies deemed to pose national security risks and can prevent state and local governments from doing the same, federal authorities have not yet wielded that power effectively.
Jack Corrigan, a research analyst at CSET and a co-author of the report, said rather than wait for the federal government to issue stronger guidance or more stringent bans, state governments should align their procurement policies with those issued by federal agencies like the Department of Commerce and the Federal Communications Commission, as well as with the prohibitions outlined in the 2019 NDAA.
“If the goal is to keep this untrustworthy foreign technology from entering our critical systems and networks more broadly, we need to have a more cohesive, nationwide approach that involves the federal government, as well as other levels of government and then private industry,” Corrigan said during a GCN webinar.
The report notes that only five states—Florida, Georgia, Louisiana, Texas, and Vermont—ban the procurement of certain IT and communications technology on national security grounds. Those prohibitions come amid concerns that hostile governments could steal personal information on U.S. users by tapping into the vendors’ data, concerns that were magnified last year during a probe of whether Huawei telecom equipment installed on cellular towers near military bases could steal sensitive information.
Corrigan warned that while state-level bans are “great in spirit,” they should target the right companies and technologies. For example, Maryland bans the use of products from e-commerce company Alibaba, but it does not ban those from other firms listed by the federal government, something he said shows the “inconsistencies” in the state’s approach. And Georgia’s ban, which prohibits any company owned or operated by China from bidding on a state contract, is too broad and vague, Corrigan said.
Separate from discussions about banning purchases of foreign-made IT and communications technology, many states have outlawed the use of social media app TikTok on government devices, with Mississippi Gov. Tate Reeves (R) and Wisconsin Gov. Tony Evers (D) among the latest to institute state-level prohibitions. Similarly, Congress banned the app from federal devices, on the grounds that its parent company ByteDance could be using it to share the data it collects with the Chinese Communist Party.
While Corrigan said it is encouraging that states are thinking about the risk of certain technologies, they should note that these bans may have only a “marginal benefit” to user privacy, given that a lot of personal data is already available online and able to be accessed by China.
“When you're thinking about these types of bans, you need to be aware of the specific risks that the technology poses, how that risk is different than some of the others, and whether it's greater than some of the other risks that we might already be facing, and then act accordingly,” he said.
Meanwhile, states also must consider the financial cost of banning Chinese technology or replacing any that is already in place, as it often is less expensive than comparable products made in the U.S. or by competitors from other countries. The federal government could help ease that financial burden by subsidizing so-called “rip and replace” programs to help states replace unsafe technology, as the FCC has done with its Supply Chain Reimbursement Program that helps carriers replace insecure telecommunications equipment.
While state procurement officials are aware of the costs associated with choosing alternatives to Chinese-made technology, Corrigan said he is encouraged that they understand the potential risks associated with that technology. Federal officials can further help state leaders better understand the “tangible risks” with more transparency around what they know, Corrigan said, and so make state and local government concerns a little less “abstract.”