WASHINGTON (Reuters) - Congress quietly tucked in a new cyber-espionage review process for U.S. government technology purchases into the funding law signed this week by President Barack Obama, reflecting growing U.S. concern over Chinese cyber attacks.
The law prevents NASA, and the Justice and Commerce Departments from buying information technology systems unless federal law enforcement officials give their OK.
A provision in the 240-page spending law requires the agencies to make a formal assessment of “cyber-espionage or sabotage” risk in consultation with law enforcement authorities when considering buying information technology systems.
The assessment must include “any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized” by China.
The U.S. imports a total of about $129 billion worth of “advanced technology products” from China, according to a May, 2012 report by the Congressional Research Service.
The amendment to the so-called “continuing resolution” to fund the government through September 30 originated in the Commerce, Justice and Science subcommittee of the House of Representatives, chaired by Virginia Republican Representative Frank Wolf.
It had gotten little attention until a blog post this week by Stewart A. Baker, a partner in the Washington office of Steptoe & Johhson and a former Assistant Secretary in the U.S. Department of Homeland Security.
Writing in the Volokh Conspiracy, one of the country’s most prominent legal blogs, Baker wrote on Monday that the measure “could turn out to be a harsh blow” for Chinese computer-maker Lenovo and also “bring some surprises for American companies selling commercial IT gear to the government.”
U.S. concern about Chinese cyber-attacks has mounted in recent months, with top officials - including President Barack Obama - vocally condemning the practice.
Obama raised the issue in a phone call with Chinese President Xi Jinping earlier this month, and told ABC news in an interview that some cyber security threats are “absolutely” sponsored by governments.
“We’ve made it very clear to China and some other of the state actors that, you know, we expect them to follow international norms and abide by international rules,” he said.
Xi said the United States and China should avoid making “groundless accusations” against each other about cyber-security and work together on the problem.
The exchange came after U.S. computer security company Mandiant said a secret Chinese military unit based in Shanghai was the most likely driving force behind a series of hacking attacks on the United States.
Last year, the House Intelligence Committee released a report urging U.S. telecommunication companies not to do business with Huawei Technologies Co Ltd and ZTE Corp because it said potential Chinese state influence on the companies posed a threat to U.S. security.
Both companies took issue with the report, which Huawei spokesman William Plummer called “baseless.”
Plummer said in an email their reading of the bill is that it “does not apply to Huawei based on the description of covered entities.”
Baker, a technology security lawyer, said he believed the language would live on in future appropriations bills and possibly get tougher over time.
“Once a provision ends up in the appropriations bill ... it tends to stay there unless there’s a good reason to take it out,” Baker said. “We could easily see (the appropriation committees) tighten up some of the language in the future.”
China could challenge the measure as a violation of World Trade Organization rules, but may have a tough time making that case because it is not a member of the WTO agreement setting international rules for government procurement.
A Chinese government spokesman was not immediately available for comment.
The agreement also contains a national security exemption that would be another U.S. line of defense against a possible Chinese challenge, Baker said.
It is possible other countries could raise objections because of the potential for the provision to prevent purchases of Lenovo computers manufactured in Germany or Huawei handsets designed in Britain, he said.
But they may decide to tolerate it because of their own concerns about Chinese hacking, Baker said.
“The goal is not to hurt American and European companies that have operations in China,” said a congressional aide who worked on the House bill where the wording originated. “It was really targeting entities that are directed by Beijing,” said the aide, who asked not to be identified.
The federal government’s purchases, which are funded by taxpayers’ money, are often urged to give preference to vendors that offer the cheapest services.
The congressional aide said China may heavily subsidize some companies to present the U.S. market with a much lower price.
“It’s a helpful reminder to look at the supply chain” of U.S. firms, the aide said. “The cheap option may be artificially lowered because potentially there are ulterior motives.”
Reporting by Alina Selyukh; Editing by Fred Barbash, Bernard Orr