To Promote US Cybersecurity, Don’t Erect Borders in IT Procurement

Wrapped up in last year’s Federal funding bill is a creeping policy seeking to improve cybersecurity in federal procurements of information technology (IT). Since becoming law, however, this policy has done the opposite: it has threatened the health of the U.S. economy, particularly the job-creating tech sector, and negatively impacted the ability of federal agencies to focus resources on significant cyber threats and procure much-needed IT products, effectively lowering, not raising, their security.

Specifically, Section 516 of Public Law 113-6 effectively prohibits the U.S. Departments of Commerce and Justice, the National Aeronautics and Space Administration (NASA), the National Science Foundation (NSF) and other key agencies from buying IT equipment, software, or services from any entity “owned, directed, or subsidized by the People’s Republic of China.” The terminology in the law is so broad that nearly every global IT company has been swept up in this cumbersome requirement, which has effectively halted IT sales that support mission-critical projects at NASA, NSF, NOAA, and other federal agencies.

Every stakeholder in the technology community believes the federal government should be secure from cyber threats. As providers of essential IT products and services to many vital sectors of the U.S. economy, ITI’s member companies understand that threats to our research, development and production supply chains are all too real. However, there are effective ways to improve security in our government’s IT procurements without harming our businesses and eroding our economic recovery.

Instead, companies grappling with this new law have been faced with contradictory and confusing paperwork, or have been asked by agencies to attest that no widget or screw among the thousands of components that go into a device, and no single line of code in a massive and complex software program, has touched or been somehow subsidized by China, or its citizens, in any way. This is no small task, given the complexity of global supply chains. Further, any such attestation opens companies to liability in other areas of federal law, such as the False Claims Act.

Nearly a year after the law was enacted, the bigger question for Congress is: Has it been worth it? This week, thirteen industry associations have come together to tell Congress that the unfortunate answer is no:

“Under Section 516 as written, agencies cannot prioritize security resources on riskier IT systems, which spreads these resources thinly at the expense of important mission-critical systems. Instead, the law focuses limited federal cybersecurity resources on an arbitrary country-of-origin determination, rather than actionable cyber risks and threats, and the actual security profile of the IT product… Further, the law has unnecessarily slowed federal purchases of needed security technologies, putting key federal agencies behind the technology cycle and leaving them vulnerable. Some U.S. companies have had to cease, or interrupt, work at agencies with which they partner on projects significant to national security.”

“Finally, the provision is putting U.S. companies at risk of losing sales internationally, compromising U.S. economic security and U.S. job stability in our sector. Some foreign governments have used Section 516’s country-of-origin discrimination to justify their own actions to keep U.S.-based companies out of their markets.”

Fortunately, members of Congress, industry experts, government security professionals, and others have come together to support a common-sense alternative approach that would focus resources on real risks, an approach that can improve the security of government information systems without putting unnecessary regulatory and economic burdens on industry. This solution, Section 515 of S. 1329, was considered through the normal legislative process, including both a Subcommittee and a full Senate Appropriations Committee markup, with S. 1329 passing out of Committee by a vote of 21 to 9:

“Opting for Section 515 of S. 1329 ensures the law will not undermine the long-term competitiveness of U.S. companies, and safeguards continued investment in U.S.-based research and development, including in leading-edge security products our government needs, while achieving the goal of a more assured government supply chain. Specifically, Section 515, indeed, would enable US agencies to prioritize security resources on IT systems. Moreover, by focusing on broad categories of cyber threats emanating internationally and domestically, rather than using a country-of-origin determination, Section 515 would avoid the unintended, but highly negative, effects we have seen in just a few months.”

It is time for an alternative that more effectively raises the level of security of the federal government without harming U.S. industry.

Section 515 of S. 1329 is a robust, focused, and risk-based way to improve the security of government networks in response to cyber threats, and it has the support of a broad cross-section of the innovation economy. The U.S. government has the ability, the knowledge, and most certainly the impetus from congressional oversight to protect itself. Let’s not trip it up, and harm U.S. industry, for rhetoric’s sake.

Maryam Cope is the Director of Government Relations for the Information Technology Industry Council. ITI’s Director for Global Cybersecurity Policy, Danielle Kriz, also contributed to this blog. The version that appears here has been edited by Jason Healey, director of the Cyber Statecraft Initiative.