Congress v. China on Cybersecurity

Stewart Baker points to a provision in Congress’s continuing resolution that is the first serious attempt I have seen to punish (as opposed to rail against) China for its cybersecurity practices.    Section 516 of what Stewart describes as “the continuing resolution that funds the federal government and is now awaiting the President’s signature” provides:

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China. (b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

This broad provision is directed at the supply chain end of the cyber-snooping problem.  Stewart comments:

This could turn out to be a harsh blow for companies like Lenovo that have so far escaped the spotlight trained on Huawei and ZTE. But it may also bring some surprises for American companies selling commercial IT gear to the government.  It’s not clear that they even know which of their suppliers and assemblers are directed or subsidized by the Chinese government. Where the IT system is manufactured doesn’t answer the question; sanctions will depend not on where the system is made but on whether the company that supplies it is tainted by close ties to China’s government. It will make life equally awkward for the Obama Administration, which has been slowly and hesitantly toughening its stance on Chinese cyberespionage.  The CR language will force the pace of retaliation, probably faster than the administration would like.  But the statutory alternative to implementing the ban is for the administration to certify purchases as in the national interest — possibly over the objections of FBI analysts who mistrust the gear. The continuing resolution passed both houses with this provision in it; the President could in theory refuse to sign it.  But this is a much-anticipated funding bill that heads off a government shutdown.  With Congress having for once avoided a Perils-of-Pauline crisis, it’s politically impossible for the President to put Pauline back on the railroad tracks — especially so the government can buy suspect equipment from China.  A veto is even less palatable than living with the provision.