WASHINGTON (Reuters) - Congress quietly tucked in a new cyber-espionage review process for U.S. government technology purchases into the funding law signed this week by President Barack Obama, reflecting growing American concerns over Chinese cyber attacks.
The law prevents NASA, and the Justice and Commerce Departments from buying information technology systems unless federal law enforcement officials give their approval.
A provision in the 240-page spending law requires the agencies to make a formal assessment of “cyber-espionage or sabotage” risk in consultation with law enforcement authorities when considering buying information technology systems.
The assessment must include “any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized” by China.
The United States imports about $129 billion worth of “advanced technology products” from China, according to a May 2012 report by the nonpartisan Congressional Research Service.
During a news conference on Thursday, Chinese foreign ministry spokesman Hong Lei urged the United States to abandon the law to help develop relations and trust on both sides.
“This bill uses Internet security as an excuse to take discriminatory steps against Chinese companies. It is not beneficial to mutual trust between China and the United States nor to the development of trade and economic relations,” Hong said.
The amendment to the so-called “continuing resolution” to fund the government through September 30 originated in the Commerce, Justice and Science subcommittee of the House of Representatives, chaired by Virginia Republican Rep. Frank Wolf.
It had gotten little attention until a blog post this week by Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP and a former assistant secretary in the U.S. Department of Homeland Security.
Writing in the “Volokh Conspiracy”, one of the country’s most prominent legal blogs, Baker wrote on Monday that the measure “could turn out to be a harsh blow” for Chinese computer-maker Lenovo and also “bring some surprises for American companies selling commercial IT gear to the government.”
Lenovo Group Ltd, which bought IBM Corp’s PC unit in 2005 and is now on track to become the world’s largest PC maker, said it was aware of the bill and reviewing the specific language.
“Depending on how the language is interpreted, it could in fact apply very broadly to many companies across the IT industry from all around the world,” Lenovo said in an emailed statement.
“We are very confident and comfortable that we will continue to be very successful in growing our business in the U.S. even as we and all of our competitors navigate new regulations.”
U.S. concern about Chinese cyber-attacks has mounted in recent months, with top officials, including President Barack Obama, vocally condemning the practice.
Obama raised the issue in a phone call with Chinese President Xi Jinping earlier this month, and told ABC News in an interview that some cyber-security threats are “absolutely” sponsored by governments.
“We’ve made it very clear to China and some other of the state actors that, you know, we expect them to follow international norms and abide by international rules,” he said.
Xi said the United States and China should avoid making “groundless accusations” against each other about cyber-security and work together on the problem.
The exchange came after U.S. computer security company Mandiant said a secret Chinese military unit based in Shanghai was the most likely driving force behind a series of hacking attacks on the United States.
Last year, the House Intelligence Committee released a report urging U.S. telecommunication companies not to do business with Huawei Technologies Co Ltd and ZTE Corp because it said potential Chinese state influence on the companies posed a threat to U.S. security.
Both companies took issue with the report, which Huawei spokesman William Plummer called “baseless.”
Plummer said in an email their reading of the bill is that it “does not apply to Huawei based on the description of covered entities.”
ZTE officials declined to comment on the latest U.S. law, while Huawei officials were not available for comment.
Baker, a technology security lawyer, said he believed the language would live on in future appropriations bills and possibly get tougher over time.
“Once a provision ends up in the appropriations bill...it tends to stay there unless there’s a good reason to take it out,” Baker said. “We could easily see (the appropriation committees) tighten up some of the language in the future.”
China could challenge the measure as a violation of World Trade Organization rules, but may have a tough time making that case because it is not a member of the WTO agreement setting international rules for government procurement.
The WTO agreement also contains a national security exemption that could be another U.S. line of defense against a possible Chinese challenge, Baker said.
It is possible other countries could raise objections because of the potential for the provision to prevent purchases of Lenovo computers manufactured in Germany or Huawei handsets designed in Britain, he said. But they may decide to tolerate it because of their own concerns about Chinese hacking, Baker said.
“The goal is not to hurt American and European companies that have operations in China,” said a congressional aide who worked on the House bill where the wording originated. “It was really targeting entities that are directed by Beijing,” said the aide, who asked not to be identified.
The federal government’s purchases, which are funded by taxpayers’ money, are often urged to give preference to vendors that offer the cheapest services.
The congressional aide said China may heavily subsidize some companies to present the U.S. market with a much lower price.
“It’s a helpful reminder to look at the supply chain” of U.S. firms, the aide said. “The cheap option may be artificially lowered because potentially there are ulterior motives.”
Additional reporting by Lee Chyen Yee in HONG KONG and Ben Blanchard in BEIJING; Editing by Fred Barbash, Bernard Orr and Matt Driskill
Our Standards: The Thomson Reuters Trust Principles.