GSA Sparks Security Fears After Buying Risky Chinese Cameras – Source: www.databreachtoday.com

Governance & Risk Management
,
Government
,
Industry Specific

Experts Warn Against Increasing Federal Reliance on Chinese Technology

Chris Riotta (@chrisriotta) •
January 24, 2024    

Experts are raising fresh concerns about the “significant risk” for Chinese espionage against U.S. federal networks after a government watchdog caught the government’s main acquisition arm purchasing unauthorized, Chinese-manufactured video conference cameras.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

The General Services Administration “misled a contracting officer with egregiously flawed information” in order to procure 150 Chinese-made cameras, according to an inspector general report published Tuesday. The report said the GSA had provided misleading market research to support the procurement after a contracting officer requested information to justify purchasing the cameras, some of which included unpatched security flaws. An existing statute prohibits federal agencies from buying Chinese-made products unless a narrow exemption applies.

The report comes amid growing fears that unauthorized Chinese-manufactured technologies increasingly find their way into federal systems and critical infrastructure sectors (see: Chinese Drones Pose Threat to US Infrastructure, CISA Warns). The difficulty in keeping unauthorized Chinese-manufactured products out of federal networks lies in “the complexity of supply chains and the difficulty in thoroughly vetting every component for security risks,” according to Andrew Borene, executive director for global security at Flashpoint.

Borene, who previously led counterintelligence and advanced technology initiatives at the Office of the Director of National Intelligence, told Information Security Media Group that the prevalence of unauthorized Chinese-made technologies in government agencies is in part due to “China’s dominance in manufacturing and global supply chains, making their products readily available and often more cost-effective.”

“This convenience comes with heightened risks, especially when considering critical infrastructure and national security,” he added. “The PRC’s significant role in technology production, combined with its aggressive espionage tactics, necessitates a more cautious approach.

The inspector general recommended that the GSA dispose of the noncompliant cameras and strengthen its oversight measures to prioritize the procurement of authorized technologies, including information technology equipment that is updated “in a timely manner to reduce the risk of overlooking identified vulnerabilities.” The report also urges the GSA to “take appropriate action” against the personnel responsible for providing misleading information in order to support the procurement request.

The GSA largely agreed with the recommendations in the report, but it said the agency had taken steps to ensure the secure use of the cameras, including discontinuing the use “of a subset of these cameras that do not meet our standards.” It remains unclear how many noncompliant cameras the GSA may still be using.

The GSA in an email to ISMG declined to provide any further comment, pointing to its response included in the IG report.

John Allison, director of the public sector for the security firm Checkmarx and a former threat analyst for the U.S. Air Force, said he wasn’t surprised by that GSA purchasing the unauthorized cameras.

“Incidences of either unauthorized or counterfeit items being purchased has haunted the U.S. government since it started buying commercial technology,” Allison said, adding that the federal government is the largest purchaser of IT products in the world. “The overall level of complexity and sheer volume of procurement provides multiple opportunities for someone to attempt to slip in unauthorized components into a procurement.”