Should U.S. limit China-government influenced IT systems?

New federal restrictions now preclude four U.S. agencies from buying information-technology (IT) systems from manufacturers "owned, directed or subsidized by the People's Republic of China" due to national-security concerns. But is this a smart tactic?

Stuck into the massive spending bill passed by Congress and signed by the President are two short paragraphs about these new IT-purchasing restrictions that have been placed on the Department of Commerce, Department of Justice, the National Aeronautics and Space Administration (NASA) and the National Science Foundation (NSF). These restrictions represent a U.S. backlash against what many believe to be evidence over the last decade of massive cyber-espionage and theft of intellectual property by China. It comes amid rising fears that IT equipment produced, assembled or manufactured by a company "owned, directed or subsidized by the People's Republic of China" could be used to somehow sabotage the U.S. But it remains to be seen if this will be a short-lived backlash brought by Congress or it becomes the foundation for U.S. policy moving forward.

[RELATED: China slams U.S. for discriminating against nation's tech vendors

RELATED: Is EVERYTHING made in China?]

It's clear that some in the U.S. government, including the House Intelligence Committee -- which issued a scathing report last fall that called Huawei and ZTE a threat to national security -- and the Treasury Department's Committee on Foreign Investment in the U.S. are also working in other ways behind the scenes to keep technology made by China-based manufacturers out of U.S. commercial networks as well.

Sprint Nextel is being pressured by federal regulators to not integrate equipment from Chinese suppliers, such as Huawei and ZTE, into its network as a condition for approving Japan-based Softbank Corp's $20 billion acquisition of it. And since as part of the deal, Sprint Nextel wants to acquire wireless carrier Clearwire, which uses Huawei equipment to some extent, that's become an issue. Rep. Mike Rogers, chairman of the House Intelligence Committee, said Sprint and Softbank are giving the government assurances they will phase out Chinese-supplied equipment, including Huawei's, in Clearwire's network. Sprint declines to discuss the details.

Huawei's Vice President of External Affairs William Plummer commenting on the new federal provision related to procurements, simply stated, "The provision does not apply to Huawei or Huawei products" and that Huawei does "not fit the criteria outlined in the section of the bill." He added Huawei doesn't sell to the federal government.

The Chinese government -- which has long had its own bias toward supporting and acquiring home-grown information technologies in China -- has shot back against the new U.S. procurement rule for the four federal agencies that appears to make China-related purchases suspect in terms of national security.

"The contents of the U.S. Congressional act sends a very wrong signal, and could directly affect normal trade between Chinese enterprises and U.S. business partners," the country's Ministry of Commerce said in a statement earlier this week. "This abuse of 'national security' measures unfairly treats Chinese enterprises." The Chinese Ministry said the U.S. stance presumes all Chinese companies are guilty of security risks, and thus in China's view, violates fair-trade principles.

According to these new anti-China IT equipment restrictions, none of these four agencies may use funds available under the spending bill that just passed to purchase IT equipment "produced, manufactured or assembled" by entities "owned, directed, or subsidized by the People's Republic of China" unless the agency consults with the Federal Bureau of Investigation (FBI) or "other appropriate Federal entity" to assess whether there's "any associated risk of cyber-espionage or sabotage associated with the acquisition of such system." There would need to be a determination made that the desired Chinese-related purchase is "in the national interest of the U.S." and a report back to the House and Senate on it.

But is this ban on China-connected IT systems purchases by the four agencies a viable move to confront a U.S.-China relationship severely strained over cyber-espionage? A relationship that is nonetheless held together through billions of dollars in electronic parts A sent back and forth by the two countries that both make them. And what of all those Chinese parts in U.S.-based manufacturers' gear why are they not a security threat, too?

Even some who've worked diligently over the long term to raise awareness about the national-security issues related to Chinese hacking have questions about the impact of the new procurement rules.

"The new restrictions do not represent a viable long term policy, but they are an important part of the new effort to make cyber-security issues a matter for practical, bilateral discussions," says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, a research institute that examines the nature of cyberattacks and supply-chain issues.

"Over the long term, it is very important to have China as a collaborative partner in research and manufacturing," says Borg. "In addition to the huge size of its economy, China has a great cultural tradition that will one day make important new contributions to technology and science, just as it did in earlier times."

But he emphasized that "the Chinese thefts of technology and competitively important business information have become arrogantly and outrageously blatant. The Chinese counterfeiting of electronics products, sometimes with added circuitry, constitutes a direct security risk."

Saying "China's current behavior should not be tolerated," Borg said the damage to the economy and security of the U.S. will be great of China is allowed to keep expanding these activities, but he acknowledged, "Getting China to give up these harmful activities in the near future is probably not realistic," though it should be possible to get China to scale them back.

The step by Congress, signed into law by the President, as pertains to the four agencies and China-related acquisitions is "an important first step," Borg concluded. "It's a first step that's long overdue."

However, it could also be a step fraught with more legal difficulty ahead, warns one attorney with long experience in national-security issues.

Stewart Baker, attorney at Washington-based law firm Steptoe & Johnson, said in his own comments on the topic that while the U.S. government's new rule "doesn't prohibit purchases of Chinese-government-influenced systems, it makes such purchases politically difficult."

He noted "China has spent years trying to curtail its own purchases of IT from outside its borders, but that won't stop it from calling the bill protectionist and claiming a violation of US WTO [World Trade Organization] obligations," though China itself has not officially signed onto WTO government procurement rules.

The Geneva-based WTO is a forum where countries, as members, establish foundational trade agreements or try to settle disputes.

Baker says since the new U.S. procurement rule concerns "Chinese-government-influenced entities, no matter where they manufacture their products," the provision "could prevent purchases of Lenovo computers manufactured in Germany, or Huawei handsets designed in Britain." These countries have joined the WTO government-procurement code, he noted. The irony is that "this means the U.S. could see WTO challenges to the provision from its own allies (unless they're so sick of Chinese hacking that they decide to emulate the new provision rather than attack it)," Baker points out.

Baker went on to say that if the U.S. government is drawn into this kind of WTO dispute, it could be a hard fight to defend its new procurement rules. The U.S. could "make a good case that attacks on the Commerce Department or the Justice Department information systems threaten national security, but it's hard to argue that the IT systems those departments buy are themselves indispensable for national security."

At any rate, Baker predicts the likelihood is there will be more to come, perhaps with the U.S. Trade Representative's (USTR) office weighing in. But any decision by the U.S. government to have waivers for IT systems falling under the new China-related procurement rules would put the President in an awkward position, he pointed out.

There could be a path taken in which a narrower definition of "Information technology system" is put forward that would spare American contractors supplying Chinese-sourced routers, for example, Baker suggested. But he added that would so clearly flout the intention of the provision, that it would raise serious political problems all around for both sides of the aisle in Congress and the Obama Administration, "which could find itself painted as an apologist for Chinese cyberespionage something it has worked hard to avoid in the past."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)