An internal audit conducted by the Office of the Inspector General of the U.S. General Service Administration (GSA) found this month that the agency had purchased and then used Chinese-manufactured videoconference cameras. Since these cameras were manufactured in China, they were not compliant with the Trade Agreements Act of 1979 (TAA). The IG was warned in 2022 that the purchase and use had occurred, resulting in the recently completed audit.
“GSA Office of Digital Infrastructure Technologies (IDT) employees misled a contracting officer with egregiously flawed information to acquire 150 Chinese-made, TAA-noncompliant videoconference cameras. Before completing the purchase, the contracting officer requested information from GSA IDT to justify its request for the TAA-noncompliant cameras, including the existence of TAA-compliant alternatives and the reason for needing this specific brand. In response, GSA IDT provided misleading market research in support of the TAA-noncompliant cameras and failed to disclose that comparable TAA-compliant alternatives were available,” the Office of the Inspector General announced last week.
It further warned that the TAA-noncompliant cameras have known security vulnerabilities that need to be addressed with a software update. The IG has recommended that the GSA no longer purchase TAA-noncompliant cameras if there are TAA-compliant cameras that meet the Agency’s requirements, and that the already-purchased cameras be returned or otherwise disposed of. It also recommended that IT equipment be updated in a “timely manner” to reduce any overlooked identified vulnerabilities.
THE DAMAGE IS DONE
The audit by the Office of the Inspector General of the U.S. General Service Administration highlights how easily such technology can be employed.
“The GSA’s procurement of unauthorized Chinese-made cameras with known vulnerabilities is certainly a matter of concern, echoing similar apprehensions we’ve had in the past about other technology products, such as drones, from China,” warned Andrew Borene, executive director for global security at threat intelligence researcher Flashpoint.
“These cameras, like any technology that connects to IT systems, can become a potential vector for espionage, malware, or maintaining a persistent presence in federal networks,” Borene told ClearanceJobs via an email. “The PRC’s Communist government has passed a number of increasingly totalitarian laws mandating that all Chinese corporations share information with the government for national security purposes. This creates an inherent risk when using their manufactured technology in sensitive environments.”
Given the PRC’s history of espionage, and the increasingly intertwined relationship between the state and private enterprises, the use of these cameras in federal settings poses a significant risk, not just due to their known vulnerabilities, but also due to the potential for hidden backdoors or other compromised elements in their hardware or software, Borene further explained.
BETTER DUE DILIGENCE REQUIRED
The audit’s findings also come just weeks after following the International CES trade show was held in Las Vegas. The show highlights how products are produced around the world. What is less obvious is that even those devices made in countries that are compliant with the Trade Agreements Act of 1979 could include components from around the world.
“Security is on the radar of individuals, companies and governments. Almost daily, we hear about yet another cyberthreat to one’s personal data and security,” explained Susan Schreiner, technology industry analyst at C4 Trends.
“Given the sensitivities of these times, it’s actually difficult to comprehend how the GSA could have purchased Chinese video conferencing systems,” Schreiner told ClearanceJobs. “Obviously, extreme and sweeping safeguards in purchasing decision systems needs to be put in place with severe penalties and consequences, so that something like this won’t ever re-occur. We’re living in an increasingly tumultuous world with unscrupulous actors on the world stage, and they are looking for ways to gain political advantage, instill fear, and disrupt the world order through nefarious means. The security vulnerabilities in video conferencing equipment could have tremendous national security implications.”
It isn’t just videoconferencing equipment that is of concern. This is why the U.S. has banned many computer-related products of Chinese origin in the government sector. The problem is that many smaller firms may not know or understand the risk.
“The prevalence of unauthorized Chinese-made technologies in government agencies, despite known risks, is a multifaceted issue. One primary factor is China’s dominance in manufacturing and global supply chains, making their products readily available and often more cost-effective,” said Borene.
However, this convenience certainly comes with heightened risks, especially when considering critical infrastructure and national security.
“The challenge in keeping these products out of federal networks lies in the complexity of supply chains and the difficulty in thoroughly vetting every component for security risks,” Borene continued. “The PRC’s significant role in technology production, combined with its aggressive espionage tactics, necessitates a more cautious approach. The focus should not only be on direct components but also on an extensive evaluation of the entire supply chain, acknowledging the -nth party risks.”