This is the web version of Data Sheet, a daily newsletter on the business of tech.
Some U.S. companies may be violating a federal law, the so-called anti-Huawei rule, that went into effect in August to protect against Chinese spying threats.
Basically, any company that wants to sell products or services to the federal government must certify that it’s not using equipment or services from five Chinese tech firms: Huawei, ZTE, Hytera, Hikvision, and Dahua. (The exact terms are contained in Section 889, Part B, of the 2019 National Defense Authorization Act and a related “interim rule” that features additional guidance.)
But the government-blacklisted tech is widely embedded across corporate America. At least 1-in-5 Fortune 500 companies have devices potentially subject to the ban on their I.T. networks, says Expanse, a cybersecurity firm that scans the public Internet for signatures of the connected devices companies are using. (Anything on a private network or behind a corporate firewall is excluded from Expanse’s view.)
The equipment found through the survey ranged from web cameras and digital video recording systems (38% of all the Chinese-made devices detected) to Wi-Fi access points (21%) to core routers (11%) to building control systems, firewalls, VPNs, and web servers (30%). Expanse did not reveal the identities of the companies, citing security reasons.
I personally viewed a half dozen login screens for such potentially risky devices originating everywhere from major U.S.-based research universities to healthcare and financial firms to airports. Here are two examples, scrubbed of identifying details, also for security reasons.
Screenshot of a login screen for a Huawei-linked device hosted by a North Carolina-based research university. Foscam cameras run on chips made by HiSilicon, a Huawei subsidiary.
Screenshot of a login screen for a Hikvision camera on the public network of a Fortune 500 healthcare company based in Pennsylvania.
The risk the U.S. is trying to ward off with its ban is Beijing forcing Chinese tech companies to abuse their access to I.T. systems to spy or steal American data and intellectual property, says Tim Junio, Expanse’s cofounder and CEO, who just agreed to sell his company to cyber-giant Palo Alto Networks for $800 million.
“The optics are not great” that so many companies are still using government-barred technology wide out in the open, says Matt Kraning, Expanse’s chief technology officer, of his team’s findings.
If companies fail to disclose their use of banned Chinese tech when applying for federal contracts, they could be breaching the law, whose penalties could include criminal and civil liabilities related to fraud or negligence. (Companies can request two-year waivers or special exemptions from the offices of the Director of National Intelligence.)
“A lot of large companies, particularly if they’re multinationals, are struggling because they will have ZTE hotspots and they do have Huawei servers in their server farms,” says Angela Styles, a partner at the Washington, D.C., law firm Akin Gump, who coauthored a blog post about the new law in August. The pain is particularly acute for overseas offices, especially in Asian countries, where Chinese tech is often deeply rooted in the telecom networks of local internet service providers, she says.
The new Section 889 rules are “indicative of a new approach the federal government is taking to protect its supply chain,” says Townsend Bourne, who leads the aerospace, defense & government services team at law firm Sheppard Mullin. “I think we’re going to see more of this” scrutiny applied to the geopolitical risk factors associated with particular companies, she says.
In other words, expect the U.S. government increasingly to force businesses to make a choice. “You can either do business with the Department of Defense, or you can do business with places like Huawei,” as Kraning puts it. “You can no longer do both.”