‘Hidden’ Law Could Hamper Gov’t Infosec

Apr 05

Agencies’ IT Security Might Suffer from Act Aimed at the Chinese

A mysterious lawmaker shielded by congressional rules covertly added language into a new law that could make the purchase of IT security wares very difficult for the departments of Commerce and Justice, NASA and the National Science Foundation.

The law – the Consolidated and Further Continuing Appropriations Act of 2013, commonly known as the continuing resolution – funds federal government operations through September and was enacted by Congress and signed by President Obama last month. The law contains a number of amendments that go beyond funding the government, including one that could complicate the process to acquire IT security wares for the four federal agencies.

Simply, the added provision requires that the agencies’ heads in consultation with the FBI or another appropriate federal entity (which weren’t identified in the legislation but presumably could include the Department of Homeland Security and National Security Agency) to conduct for the remainder of the fiscal year risk assessments on acquired technology to see if they pose a threat for cyber-espionage or sabotage.

The rider specifically mentions systems from Chinese manufacturers, which some lawmakers suspect produce computer and telecommunications equipment that can spy on IT systems at the request of the Chinese government, an allegation the manufacturers and China deny.

Grammar Matters

Though the amendment targets the Chinese, Brookings Institute Fellow Allan Friedman believes the law would cover technology manufactured anywhere, even in the United States, because of the way the legislation is worded. The reference to China in the law appears as a clause that augments the sentence establishing the assessment process. Take note of the comma appearing before the word “including” in the provision, which reads:

SEC. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

If the law’s intent is to safeguard government IT systems, it might have the opposite effect.

“If there is a security component that an agency desperately needs, this would make it harder to buy because now you have to go through an additional layer of certification by getting the cognizant attention of senior leadership inside the organization,” said Friedman, research director of the Center for Technology Innovation at Brookings, a think tank. “It’s one thing [for a cabinet secretary or agency director] to sign off on an acquisition; it’s another to sign off on the security of the acquisition.”

Slowing Down the Acquisition Process

Complicating the process – and perhaps threatening the security of critical information systems – is the review process by the FBI or other entity. “Once you cross boundaries like that, especially without further funding, you’re adding workload [and] you’re making it work much more slowly,” Friedman said.

Read Complete Article