The General Services Administration (GSA) has come under scrutiny for its procurement of 150 Chinese-made video conferencing cameras, which were found to be non-compliant with U.S. trade standards, according to a report from the agency's Office of Inspector General (OIG).
Flawed Market Research and Security Risks
The OIG report, released Tuesday, criticized the GSA's use of "egregiously flawed" market research in its decision to purchase the cameras. The equipment, provided by a U.S.-based firm referred to as "Company A," was manufactured in China and did not comply with the 1979 Trade Agreements Act. Additionally, the report highlighted known security flaws in the cameras, which could potentially turn them into "rogue wireless network gateways" and allow unauthorized access to the camera owners' networks.
Andrew Borene, Executive Director for Global Security at Flashpoint, commented on the issue, stating: “The GSA's procurement of unauthorized Chinese-made cameras with known vulnerabilities is a matter of concern. These cameras, like any technology that connects to IT systems, can become a potential vector for espionage, malware, or maintaining a persistent presence in federal networks."
Government's Efforts Against Chinese-Made Equipment
This incident underscores ongoing concerns in the U.S. government regarding the use of Chinese-made communications equipment. Borene further added, "Given the PRC’s history of espionage, and the increasingly intertwined relationship between the state and private enterprises, the use of these cameras in federal settings poses a significant risk, not just due to their known vulnerabilities, but also due to the potential for hidden backdoors or other compromised elements in their hardware or software."
GSA CIO's Decision and Procurement Process
The procurement, overseen by GSA CIO David Shive, was executed through the Federal Acquisition Service’s Federal Systems Integration and Management Center (FEDSIM) in two separate orders in March and October 2022. This decision was made despite a June 2022 IT security company analysis that identified five vulnerabilities in the equipment.
Complexity of Supply Chains and the Need for Diligence
Borene emphasized the complexity of supply chains and the difficulty in thoroughly vetting every component for security risks. "The challenge in keeping these products out of federal networks lies in the complexity of supply chains and the difficulty in thoroughly vetting every component for security risks," he said. This reflects the multifaceted issue of unauthorized Chinese-made technologies in government agencies, despite known risks.
The GSA's decision to purchase non-compliant video conferencing cameras has raised significant cybersecurity concerns, highlighting a potential lapse in the federal government’s cybersecurity apparatus. This incident calls for more rigorous compliance checks and balanced consideration of alternatives in government procurement processes to ensure the security and integrity of U.S. government operations.