This Note argues that the current contracting ban procedures aggravate already delicate foreign relations and confuse contractors and government agencies alike. Nowhere is this phenomenon clearer than in the contracting bans on Chinese telecommunications (telecommunications or telecom) giants ZTE and Huawei and Russian cybersecurity firm Kaspersky Lab. Kaspersky was formally banned from contracting with the federal government in December 2017, shortly after accusations swirled that the Russian government meddled in the 2016 presidential election. ZTE and Huawei were formally banned from contracting with the federal government in August 2018. Those bans came on the heels of a massive trade war the Trump administration began in early 2018.
With these issues in mind, this Note proposes that the United States adopt a standardized method for enacting government contracting bans of indefinite length on foreign companies that pose national security threats. Part II of this Note lays the groundwork for the federal government’s authority to enact these bans. Part III provides information on the ZTE, Huawei, and Kaspersky sagas and compares the methodology of each ban. Part IV discusses what was successful and what went wrong in each of the three case studies. Part IV then proposes a new way forward: a standardized procedure for the U.S. Government to follow in the event of a future need for a contracting ban on an international company. In brief, the proposed procedure borrows aspects from all three case studies but remains conscious of their many pitfalls. Once a federal agency or the executive branch believes that a foreign company should be precluded from contracting with the federal government, the company should be given an opportunity to be heard and to defend itself in front of the Secretary of Homeland Security. If, during this opportunity, the company does not sufficiently assuage Homeland Security’s concerns, Congress should proceed to enact a contracting ban through the upcoming fiscal year’s appropriations bill. If the national security concern is urgent and cannot wait until the passage of the next appropriations bill, the Department of Homeland Security (DHS) should immediately enact a binding operational directive. Part V concludes and looks to the future of foreign relations with Russia and China.
II. The Federal Government Posseses the Authority to Enact Permanent Federal Contracting Bans on International Companies
Discussion of ZTE, Huawei, and Kaspersky first necessitates an overview of the source of the federal government’s authority to ban an international company from contracting with the government. This Note defines a “ban” as an indefinite, complete preclusion of a company from contracting with any federal agency or department of the United States. An important source of authority is the Federal Information Security Management Act of 2002 (FISMA), which established IT security standards for the federal government. FISMA was later amended in 2014 to provide the DHS with broad authority to safeguard the federal government’s IT systems.
A. The Federal Information Security Management Act of 2002
1. The Original FISMA
Generally, the federal government finds the authority to suspend or debar contractors within the Federal Acquisition Regulation (FAR). In the cases of Kaspersky, Huawei, and ZTE, however, the government relied on its authority grounded in federal statute. FISMA is a foundational statute in terms of providing the government with the power to ensure federal cybersecurity. FISMA “mark[ed] the culmination of two decades during which Congress addressed . . . information security problems piecemeal through a scattered mosaic of legislation.” The statute combined key portions of its predecessors: “the Government Information Security Reform Act, the Computer Security Act of 1987, the Clinger-Cohen Act, and the Paperwork Reduction Act of 1980.” The statute also “established standard IT security requirements for federal systems.” In addition, it mandated the creation of the Federal Risk and Authorization Management Program, which ensured that “contractors providing cloud services to the [g]overnment were compliant with FISMA requirements.”
The early years under the FISMA regime were relatively unsuccessful: from 2002 to 2006, despite federal agencies spending around $4.2 billion on safeguards for IT systems, “none of the [twenty-four] major agencies . . . fully implemented agency wide information security programs as required by FISMA.” One of FISMA’s most glaring problems was its treatment of IT systems whose installation or maintenance was contracted out to private companies. The statutory language was unclear as to whether a federal agency bore the responsibility of safeguarding data that was stored on a private contractor’s IT system. Moreover, enforceability and oversight were weak because it was uncertain what an agency’s responsibility was in general. Lastly, FISMA allocated no new appropriations to agencies; thus, agencies were mandated to strengthen IT systems within “the constraints of their [meager] preexisting budgets.”
2. FISMA’s 2014 Amendments
In recognition of the gaps in the original statute, Congress amended FISMA in 2014. The amendments provided a much more comprehensive framework for the federal government’s cybersecurity practices. For example, in response to the lack of clear enforcement authority under the 2002 statute, the 2014 amendments delegate to the DHS the power to “administer the implementation of [agency] information security policies” for non-national security agencies. Under the updated law, the authority to “oversee the federal information security scheme” is delegated to the Director of the Office of Management and Budget (OMB), and the Director, in turn, is tasked with “work[ing] in conjunction with” the DHS Secretary. In essence, “OMB provides oversight and policy direction, while DHS has operational responsibility for civilian agency information security.” The amended FISMA also gives DHS heightened authority to implement security policies in emergency situations.
For the purposes of this Note, the most important amendment was one that conferred authority upon the Director of OMB and the DHS Secretary to issue binding operational directives (BOD). Pursuant to their BOD authority, the Director and the Secretary may give a federal agency a “compulsory direction” to take steps to safeguard their IT system “from a known or reasonably suspected” security threat. A threat or “incident” is an occurrence that “actually or imminently jeopardizes . . . the integrity, confidentiality, or availability” of an agency’s IT system. FISMA provides:
The [DHS] Secretary, in consultation with the Director [of OMB], shall administer the implementation of agency information security policies and practices for information systems . . . including . . . developing and overseeing the implementation of binding operational directives to agencies to implement the policies, principles, standards, and guidelines developed by the Director . . . including . . . requirements for reporting security incidents . . . requirements for the mitigation of exigent risks to information systems . . . monitoring agency implementation of information security policies and practices . . . convening meetings with senior agency officials to help ensure effective implementation of information security policies and practices . . . [and] other actions as the Director or the Secretary, in consultation with the Director, may determine necessary to carry out this subsection.
Thus, as the law stands now, the DHS and OMB wield fairly broad authority to issue BODs and ensure the security of federal IT systems. There are only minor limits to this discretion. First, when implementing a BOD, the DHS Secretary must consider any guidelines instituted by the National Institute of Standards and Technology (NIST) and issued by the Secretary of Commerce. Second, the DHS Secretary and the Director of OMB generally do not oversee IT safety for non-civilian national security systems — the responsibility for safeguarding those systems falls instead to the Secretary of Defense or the Director of National Intelligence.
Despite this robust statutory framework, federal government cybersecurity continues to be lacking. For example, in 2015, the U.S. Office of Personnel Management “discovered that the background investigation records of current, former, and prospective [f]ederal employees and contractors had been stolen.” The attack, reportedly carried out by Chinese hackers, exposed the social security numbers of 21.5 million federal employees. Therefore, the current cybersecurity statutory framework is far from foolproof and may fail to function in certain situations.
B. Congress’s Legislative Power and the National Defense Authorization Acts
Congress, too, has a role to play in protecting federal agencies from cybersecurity threats. Congress, of course, always retains the power to legislate and may therefore pass a law, such as a National Defense Authorization Act (NDAA), banning certain international contractors. Congress typically passes an NDAA each fiscal year, pursuant to its constitutional mandate to provide for the common defense and its constitutional power of the purse. An NDAA “is a law that authorizes appropriations and sets policies for Department of Defense programs and activities.” NDAAs not only authorize “the policies under which funding will be set by the appropriations committees,” but, in the Trump years, have also acted as “a [c]ongressional expression of concern . . . on the president’s policies toward Russia, China and the Koreas.” Together, FISMA and the Congress’s legislative power provide a foundation for a contracting ban on an international company.
III. Background: The Three Companies
This Note now turns to how the U.S. Government has exercised its authority to ban companies posing cybersecurity threats from contracting with the federal government. The Note focuses on three foreign contractors: ZTE, Huawei, and Kaspersky. Part III will provide a basic background on the series of political and economic events that led to these companies’ eventual contracting bans.
A. Zhongxing Telecommunications Equipment Corporation
Zhongxing Telecommunications Equipment Corporation (ZTE) is a telecommunications company based in Shenzhen, China. It is one of two major Chinese companies currently banned from contracting with any U.S. federal agencies. While best known for selling inexpensive smartphones in developing markets, the company has also made a name for itself in the production of cloud-computing products and 5G network technology. 5G networks are expected to be immensely important for the development of “smart devices such as self-driving cars, home appliances, . . . automated and semi-automated manufacturing, . . . and utilities, like water and sewage systems” and are already a major point of competition between U.S. and Chinese tech companies. ZTE’s smartphones are also sold by American telecom heavyweights such as AT&T, Verizon, and T-Mobile.
While ZTE has long been on the radar of U.S. companies because of patent infringement accusations, U.S. national security concerns over ZTE began when federal agents discovered that it had sold almost “$40 million worth of U.S.-origin goods” to Iran and North Korea, “in knowing violation of” U.S. sanctions laws. The Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 imposes a ban on U.S. Government procurement for any person that exports sensitive technology, such as telecommunications equipment, to Iran. The United States enforces a similar sanction regime on North Korea, which includes an import and export ban to or from North Korea on (among other items) technology, in part to hamper North Korea’s development of nuclear weapons. The danger of ZTE’s sanctions violations is that “[t]ech supply chains are so intertwined these days that just about every product that ZTE makes has some American components or software in it. . . [s]o if ZTE sells a smartphone to North Korea [or Iran], it might also be selling a [United States brand] Qualcomm chip inside that phone.” ZTE’s illegal export plot was accomplished by utilizing third-party “isolation companies” to feed the products through China before their sale to Iran and North Korea and by employing a “team of internal information technology employees who deleted references to Iran in the company’s internal database.” ZTE senior managers also misled counsel from 2014 through 2016 about the company’s involvement in the scheme, which caused “counsel to unknowingly give false information to investigators.”
In March 2016, following investigations by agents from the DHS, the Department of Justice (DoJ), the Office of Foreign Assets Control, the Treasury Department, the Federal Bureau of Investigation (FBI), and the Commerce Department, the Commerce Department placed ZTE on the Entity List. The Entity List designates companies that pose national security or foreign policy threats to the United States and imposes strict licensing requirements on those companies; placement on the Entity List essentially meant that ZTE could not buy U.S.-made technology that is critical to its business. On March 7, 2017, ZTE reached a settlement agreement with the Commerce Department in relation to its sanctions violations. It agreed to pay an $892 million fine (which had the potential to expand to $1.19 billion if ZTE violated the settlement terms). ZTE also agreed to abide by audit and compliance requirements.
In April 2018, U.S. officials took further action after discovering that ZTE had failed to comply with the terms of the original settlement agreement. Officials implemented additional penalties, which were two-fold — additional monetary fines were coupled with a ban on ZTE importing United States-origin goods for at least seven years. The import ban “threatened to cripple ZTE’s global telecommunications business” and deprived ZTE of necessary U.S.-brand components used to manufacture its mobile phones, such as a chip produced by San Diego’s QualComm. ZTE’s manufacturing plants even temporarily suspended all major operations in May of that year.
Around this time, concerns about ZTE as a serious national security threat began to gain traction. At an April 2018 hearing at which the Federal Communications Commission (FCC) voted “in favor of banning federal funds from being spent with companies determined to be a risk to U.S. national security,” FCC Chairman Ajit Pai stated:
For years, U.S. [G]overnment officials have expressed concern about the national security threats posed by certain foreign communications equipment providers in the communications supply chain . . . Hidden “backdoors” to our networks in routers, switches, and other network equipment can allow hostile foreign powers to inject viruses and other malware, steal Americans’ private data, [and] spy on U.S. businesses.
Despite the devastating nature of the second round of sanctions, the ZTE ordeal was far from over. Throughout May and June 2018, as steam picked up in Congress and among defense officials to institute a permanent ban on ZTE purchasing American products, President Trump appeared to temporarily mend his tumultuous relationship with President Xi Jinping. After a personal plea from Xi, Trump announced that he would rescind the penalties on ZTE, effectively saving the telecom giant from closing. He confirmed this change in policy via the popular platform, Twitter: “President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!” The decision induced bipartisan backlash.
The ZTE saga culminated in August 2018, when Congress passed the 2019 John S. McCain National Defense Authorization Act (2019 NDAA). Section 889 of the bill included a provision banning ZTE from contracting with the U.S. Government. However, the final bill’s language removed some of the harsher sanction language that was apparently present in earlier drafts. This was allegedly due to an aggressive lobbying campaign helmed by the law firm Hogan Lovells. Since the ban, ZTE has kept a relatively low profile in the United States; it has instead focused on its global and China-based market and remains a viable player in emerging 5G technology.
B. Huawei Technologies Co. Ltd.
Huawei Technologies Co. Ltd. (Huawei), also headquartered in Shenzhen, China, is China’s largest telecommunications manufacturer and the world’s second-largest manufacturer of smartphones, with over $90 billion in revenue in 2017 alone. It is one of two major Chinese companies currently banned from entering into contracts with any U.S. federal agency.
Suspicion surrounding the telecom giant dates back to 2012, when the House Intelligence Committee issued a report that concluded that both ZTE and Huawei were national security threats because of a sketchy record of respecting U.S. intellectual property laws and their ability to tamper with U.S. telecom through “malicious hardware or software implants.” The Committee also warned of the corporations’ loyalty to the Chinese government and pointed out that both receive subsidies from Beijing. Notably, despite its harsh criticism of the companies, the Committee did not go so far as to call for a boycott of their products.
Six years later, however, national security leaders changed their tune. During a Senate Intelligence Committee hearing in February 2018, FBI Director Christopher Wray voiced concerns that the Chinese government could easily harness Huawei to collect intelligence on the United States. When asked whether he would recommend that U.S. citizens use Huawei or ZTE products or services, Director Wray — among other heads of federal agencies present at the hearing, including Mike Pompeo, then of the Central Intelligence Agency (CIA) and Michael Rogers of the National Security Agency (NSA) — indicated he would not. Shortly thereafter, news emerged that the DoJ was investigating Huawei for allegedly selling U.S.-origin equipment to Iran and other countries, in violation of sanctions laws. In August 2018, Congress passed the 2019 NDAA. Section 889 of the 2019 NDAA codified the Huawei ban. Huawei has since filed suit against the U.S. Government, asking a Texas district court to find the 2019 NDAA unconstitutional.
The turmoil between Huawei and U.S. authorities raged on into early December 2018, when the company’s Chief Financial Officer (and daughter of the founder), Meng Wanzhou, was arrested in Canada. The arrest was carried out at the request of U.S. officials. U.S. officials also requested her extradition, though at the time, no reason for the request was provided to the public. The arrest took place on the same day that President Trump and President Xi agreed to a ninety-day cease-fire in the ongoing trade war, which had been a positive sign of ameliorating tensions between the United States and China. As of late September 2019, Meng remains on house arrest in Vancouver, pending further extradition hearings in Canadian court.
Chinese retaliation against Canada was swift and unyielding. In an arguably purely political move, a Chinese court re-tried and re-sentenced a Canadian man to death for a drug trafficking conviction — the original sentence, decided prior to Meng’s arrest, was fifteen years in prison. In a separate incident, China detained two Canadians on charges of endangering national security. In a show of how the arrest also created a strain between Canada and the United States, Canada’s ambassador to China claimed that it would be “great” if the United States rescinded Meng’s extradition request. Canadian Prime Minister Justin Trudeau promptly fired the ambassador.
On January 28, 2019, the DoJ unsealed a thirteen-count indictment against Huawei, its affiliates, and Meng. The charges “outlin[ed] a decade-long attempt by the company to steal trade secrets, obstruct a criminal investigation and evade economic sanctions on Iran” and included charges of bank fraud, wire fraud, violations of the International Emergency Economic Powers Act, conspiracy to commit money laundering, and conspiracy to obstruct justice. These criminal charges, coupled with FBI Director Wray’s statement during the unveiling of the charges — that Huawei is both an economic threat and a national security threat— certainly didn’t help mend the strain between the United States and China. Beijing’s Foreign Ministry responded by calling the charges an “unreasonable suppression of Chinese companies.” It remains to be seen whether the DoJ will actually pursue the charges: then-Acting Attorney General Matthew Whitaker declined to say “whether the White House would interfere in the criminal case against” Meng. President Trump, how- ever, said that he would consider “using her case for leverage in . . . trade negotiations, which fueled speculation that the United States may be more interested in . . . Meng’s value in winning trade concessions than in obtaining a conviction.” Secretary of State Mike Pompeo later contradicted the president by implying that Meng would not be used as a “bargaining chip” in the ongoing trade war.
Overlapping with the ongoing Meng controversy, in mid-May 2019, President Trump issued an executive order effectively banning Huawei from being involved with U.S. carrier networks — a huge blow to the Chinese telecom giant. That same month, the “Commerce Department put Huawei on a trade blacklist [called the Entity List] that [for all intents and purposes] bans [U.S.] companies from doing business with the Chinese firm,” unless the U.S company has a special license. In response, Huawei ordered employees to cancel meetings with U.S. contacts and sent away some U.S. citizens working at its Shenzhen headquarters.
These restrictions were far from absolute, however: almost immediately, the Commerce Department temporarily “scaled back its restrictions on Huawei’s access to American components and software that go into its devices.” Creating even more confusion for both American companies and Huawei itself, the Commerce Department extended its original grace period (which allowed companies with special licenses to do business with Huawei even after the announcement of the blacklist) for another ninety days, meaning the grace period now would not end until mid-November 2019. While the future of foreign relations with China remains volatile and unclear, it appears likely the fate of Huawei will play an important part in that relationship for years to come.
C. Kaspersky Lab
Kaspersky Lab (Kaspersky) is a Russian cybersecurity firm that sells antivirus and cybersecurity software. It is currently banned from contracting with all federal agencies. Before the ban, about fifteen percent of federal agencies had Kaspersky software in their computer systems. In most cases, the agencies did not directly purchase Kaspersky software; rather, the products were “obtained . . . as part of a larger package of digital protection services.”
In recent years, particularly since the 2016 election, concerns have grown that the Russian government may be using Kaspersky products to collect information from the U.S. Government. While no specific non-classified evidence of interference has been revealed to the U.S. public, the concern generally centers around founder and CEO Eugene Kaspersky’s ties to the Kremlin. Before founding Kaspersky, he was a graduate of the KGB’s cryptology institute and “a software engineer for Soviet military intelligence.” Another concern is that, under Russian law, the company is required to assist the Federal Security Service (FSB) in its operations; that is, telecommunications service providers are required to install software or hardware “needed by the FSB to engage in ‘operational/ technical measures,’” and the FSB has the power to intercept all Russian telecommunications. Kaspersky, of course, denies the accusations that it is a national security threat — and in its defense, it has, in the past, demonstrated good faith efforts to protect U.S. security: in 2016, for example, it reported to the NSA that it received messages from a former NSA contractor asking to speak to Eugene Kaspersky. That contractor was later arrested and charged with stealing fifty terabytes of data from the NSA “that included highly sensitive hacking tools.”
Despite this, U.S. officials remain skeptical of Kaspersky; in September 2017, the DHS issued BOD 17-01, which directed executive departments and agencies to identify Kaspersky products in their information systems and to develop a plan to remove and discontinue use of those products. The agencies were given ninety days to implement the plans. Kaspersky had a chance to respond to the accusations before the DHS made a final decision on whether to officially implement the BOD. On the same day that the BOD was issued, then-DHS Secretary Elaine Duke sent a letter to Eugene Kaspersky informing him of the BOD and providing him “an opportunity to provide [DHS] with any information that [he thought was] relevant to [DHS’s] ongoing deliberations concerning [Kaspersky] products and services.” The letter also informed Mr. Kaspersky that he could “initiate a review by DHS by providing the [d]epartment with a written response to the BOD and supporting evidence.” Kaspersky was given forty-five days to respond. Despite Eugene Kaspersky’s response, and his efforts to convince DHS officials that the company’s products were safe, Acting Secretary Duke issued a final decision confirming BOD 17-01. On December 12, 2017, Congress enacted the National Defense Authorization Act for Fiscal Year 2018 (2018 NDAA). Section 1634 prohibited all federal agencies, departments, and organizations from using Kaspersky products. The 2018 NDAA “effectively superseded” the BOD.
Over the course of 2018, Kaspersky Lab, Inc. (Kaspersky’s American entity) and Kaspersky Lab, Ltd. (Kaspersky’s U.K.-based holding company) filed two lawsuits against the United States, alleging, in relevant part to this discussion, (1) that the 2018 NDAA was a bill of attainder and (2) that BOD 17-01 violated the Due Process Clause of the Fifth Amendment. The District Court for the District of Columbia found that the 2018 NDAA was not a bill of attainder because while punishment was indeed inflicted specifically on Kaspersky, the company is not “a flesh and blood individual” and thus cannot be the target of such a bill. Moreover, the court held that only a fraction of Kaspersky’s U.S. sales were to the federal government, so the harm was not sufficiently severe to amount to a bill of attainder. The court also stated that Congress is well within its rights to pass a “law of general applicability” when a perceived national security risk calls for “real-time need to take action.” It further noted: “[t]hese defensive actions may very well have adverse consequences for some third-parties. But that does not make them unconstitutional.” On the due process claim, the court held that Kaspersky lacked standing because there was no redressability — because the 2018 NDAA was already in effect, there was no evidence that Kaspersky’s alleged injury would be cured if the BOD was repealed.
In implementing the 2018 NDAA, in June 2018, the Department of Defense (DoD), NASA, and the General Services Administration (GSA) issued an interim rule imposing the ban on federal contractors and agencies. The final rule (implemented without change) was published in the Federal Register in early September 2019. With the ban extending to even the minute aspects of IT systems, such as payroll systems for federal contractors, the rule was a “clear message from the U.S. [G]overnment[:] . . . just get [Kaspersky] out of your systems.”
IV. Analysis: The United States Should Implement a Standardized Method for Enacting Contracting Bans on Foreign Companies
While the Kaspersky, Huawei, and ZTE bans were all carried out in different manners, they do share some core similarities. Part IV will identify these similarities and differences and analyze which aspects of the bans were successful and which were problematic.
A. The Commonalities between the Bans: All Three Bans Were Codified in Appropriations Bills and Were Accompanied by Calls for Increased Cybersecurity
First, all three contracting bans were finalized in appropriations bills: the 2018 NDAA (Kaspersky) and the 2019 NDAA (ZTE and Huawei). The language of the 2018 NDAA stated that “[n]o department, agency, organization, or other element of the [f]ederal [g]overnment may use . . . any hardware, software, or services developed or provided, in whole or in part, by . . . Kaspersky Lab.” Likewise, the 2019 NDAA included language that singled out ZTE and Huawei, instituting a prohibition on heads of agencies from entering into contracts for the purchase of “covered telecommunications equipment or services” and a bar on entering into or extending or renewing a contract with a covered entity. Those covered entities included Huawei and ZTE, among other smaller Chinese tech companies. The prohibition applied as long as “a substantial or essential component” of the system contained a covered entity’s equipment or service.
Second, the NDAAs called for heightened cybersecurity within the federal government. The 2018 NDAA stressed the importance of cybersecurity efforts, particularly efforts related to the protection of U.S. election systems. For example, the law called for the Secretary of Defense and the DHS Secretary to carry out “[c]yber [g]uard [e]xercise[s]” relating to election cybersecurity. It also directed the DoD to set up a “[s]trategic [c]ybersecurity [p]rogram” to bolster U.S. “[o]ffensive cyber systems” and “[n]uclear deterrent systems.” Similarly, the 2019 NDAA included calls to reinforce cybersecurity and represented “a more aggressive posture on U.S. cybersecurity policy.” The statutory language also covered foreign cyber-attacks which “significantly disrupt the normal functioning of [U.S.] democratic society or government (including attacks against critical infrastructure that could damage systems used to provide key services to the public or government).” In addition, the 2019 NDAA directed the Secretary of Defense to “create a list of countries that pose a risk to the cybersecurity” of the U.S. “national security systems and infrastructure.”
B. The Differences among the Bans: Not All Companies Were Provided an Opportunity to Defend Themselves, and Differences in Enactment Created Confusion and Hardship for All Parties Involved
First — and most importantly — there is a difference in the foreign contractors’ opportunity to “plead their case” with the federal government before the contracting bans were actually put into place. After BOD 17-01 was announced, the DHS gave CEO Eugene Kaspersky an opportunity to respond to the agency’s allegation that his company’s products posed a cybersecurity threat. He, accompanied by counsel, met with DHS officials in November 2017 and discussed the ban and its potential effects on Kaspersky’s business, the company’s corporate structure, and potential mitigation proposals. It was only after Mr. Kaspersky had an opportunity to defend his products that the final BOD was officially enacted.
In contrast, Chinese officers from ZTE and Huawei were not given the same opportunity to provide evidence of their companies’ “innocence,” for lack of a better term. A tenuous argument could be made that ZTE actually did have an opportunity to rebut claims that it was a threat to national security when President Trump temporarily lifted the ban in June 2018 after a phone conversation with President Xi. Regardless, this Note argues that no truly formal opportunity to be heard by DHS officials was granted to ZTE or Huawei. This fact may have influenced China’s over-the-top reaction to the Huawei ban — China’s foreign minister Wang Yi called the United States’ punitive treatment of Huawei “not only unfair but also immoral.”
Second, one significant issue with the Kaspersky ban was that originally, it was not clear to government contractors or agencies if contractors were prohibited from using Kaspersky products and services. The 2019 NDAA is clearer in that regard because it specifically states that contractors are restricted from purchasing and using Huawei and ZTE products.
Third, the 2018 NDAA required agencies to remove any Kaspersky products or services from existing systems. The 2019 NDAA did not contain such a requirement (though reports do indicate that agencies are working to remove Chinese tech from their systems). From a cybersecurity perspective, “rooting out [these products] from federal computers and networks . . . [is] absolutely vital to national security.” Yet, despite the federal government’s best intentions, the actual Kaspersky removal was a logistical nightmare: the effort to completely remove Kaspersky from federal agency systems has been largely ineffective. Former DHS Secretary Kirstjen Nielsen admitted before the Senate Appropriations Committee’s Homeland Security panel in May 2018 that the removal process was still incomplete because many federal contractors were unaware that the company’s anti-virus software was even running on their products. This problem likely stems from the fact that Kaspersky products were often not purchased directly from the company but rather bought in IT packages containing many brands.
Lastly, while the Kaspersky ban was largely enacted by the 2018 NDAA, it was not carried out solely in that single appropriations bill. In September 2017, well before the 2018 NDAA was signed into law, DHS issued BOD 17-01, which, as previously discussed, directed agencies to develop a plan to remove Kaspersky from their IT systems. Besides the BOD, amendments to the FAR via the Federal Register were also a key component of the federal government’s effort to implement the Kaspersky ban and to extend the ban to contractors, not just agencies. In July 2018, the DoD, GSA, and NASA published an interim rule in the Federal Register requiring contracts to include FAR Clause 52.204-23 (“Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab or Other Covered Entities”). The final rule was issued just over a year later. In contrast, the Huawei and ZTE bans were conducted in one fell swoop: the 2019 NDAA.
C. A New Method for the Future: The United States Should Implement a Standardized Procedure for Banning International Contractors
Given the tumult caused by the Kaspersky, ZTE, and Huawei bans, along with the failures and uncertainties of the current cybersecurity statutory framework, a standardized method for implementing a contracting ban on foreign companies is long past due. And considering that these contracting bans often target companies that have ties to countries with which the United States has unstable foreign relations, this Note argues that a go-to standard is even more crucial. A standardized procedure would hopefully ensure that these countries do not believe there are being singled out or treated differently because of external political or economic situations.
This Note proposes that the standardized procedure draw from the successful parts of the Huawei, ZTE, and Kaspersky bans. It should also recognize the faults of those bans and seek to avoid them. The standardized banning procedure should have two key components: (1) an opportunity to be heard for the company; and (2) when, practicable, a single enactment mechanism.
The procedure should begin with a “pre-ban” process, which should follow the steps taken by the DHS prior to enactment of BOD 17-01 against Kaspersky. Once a federal agency determines that a foreign contractor is a threat to U.S. national security, the head of that agency should notify the Secretary of Homeland Security, and a DHS official (Secretary or otherwise) should be charged with moving forward with the pre-ban mechanisms. Appointing a DHS employee as the officiator of the pre-ban process mirrors the responsibilities relegated to the DHS under FISMA (i.e., to ensure cybersecurity within federal agencies). This mirroring of responsibilities would streamline and simplify the entire process because the DHS should already (theoretically, at least) be adept at understanding cybersecurity issues concerning federal agencies. The DHS should then immediately contact the foreign contractors’ officers to provide notice and explanation of the potential of a ban. Next, the DHS should offer the company’s officials an opportunity to provide evidence of “innocence” at an oral hearing. The company should be given roughly forty-five days — a reflection of the time afforded to Kaspersky to respond to the DHS BOD letter — to decide if it would like to participate in such a hearing.
At this point, this Note assumes that the DHS will have compelling evidence that the company’s products or practices are a cybersecurity risk; thus, the hearing need not be a full oral evidentiary hearing akin to a trial. Rather, the DHS could base the hearing on debarment procedures found in FAR 9.4. FAR 9.4 requires that before a contractor is debarred, the debarring agency affords the contractor “an opportunity to submit, in person, in writing, or through a representative, information and [an] argument in opposition to the proposed debarment.” Because the foreign contracting bans are quite similar to a debarment, this Note argues that drawing on existing debarment procedures is a logical maneuver.
The “opportunity to be heard” is so crucial because it will provide a semblance of “rights” to the companies, just as, under the FAR, contractors are afforded a right to oppose their debarment. Typically, a company may not be debarred from contracting with the U.S. Government unless and until the government provides it with (1) notice and (2) an opportunity to respond in some way to allegations that it is an unfit contractor or that it has committed errors in performance. While this Note does not advocate that the government follow FAR debarment procedures “to a T,” the procedures do provide a helpful guideline for the proposed pre-ban process because they emphasize fairness. Finally, the goal of the hearing should be for the DHS to ensure that it has no reason to doubt that the company in question poses a cybersecurity risk.
If, in this opportunity, the company does not sufficiently assuage the DHS’s national security concerns, the Secretary should notify Congress of its decision that the company should be indefinitely precluded from federal contracting. When coming to a final decision, the DHS should consult with the heads of agencies that would be affected by a ban. A collaborative decision would be in the spirit of FISMA’s mandate that DHS consult with OMB, NIST, and the Commerce Department. Ultimately, however, the authority to make a final call should rest with the DHS.
As for the ban itself, it should be enacted in a single law if at all possible. This Note recommends that Congress do so through the upcoming fiscal year’s appropriations bill. This is consistent with the Huawei method, where Congress included a clear contracting ban on Huawei, ZTE, and other Chinese companies in the 2019 NDAA. This Note argues that the Huawei method is preferable to the Kaspersky method because the original Kaspersky banning mechanism (BOD 17-01) contributed to the uncertainty of the scope of the ban, i.e., whether, for example, contractors were also precluded from contracting with Kaspersky. The Huawei method is also preferable to the ZTE method because, in the case of ZTE, President Trump took measures into his own hands and temporarily lifted the ZTE ban before the 2019 NDAA was actually codified. This tinged the entire ZTE saga with political favoritism, and, in this Note’s view, made the eventual 2019 NDAA ban appear like a part of a larger political game. The ban should be indefinite in length until the DHS makes a finding that it is no longer necessary.
The language of a future ban within the NDAA should largely mirror the language of the Russian and Chinese bans. It should preclude agencies and contractors from purchasing or possessing products in whole or in part manufactured by the foreign company in question, as the previously discussed bans do. The language of the ban should also direct agencies to develop an action plan within a specified amount of time to remove existing products. Admittedly, that specified amount of time may not be sufficient to entirely rid federal agencies of a specific product, but it is important to set firm deadlines nonetheless. OMB, in conjunction with the DHS, should oversee the removal process because OMB already holds similar responsibilities under FISMA.
The proposed method can be enacted under existing legislation. FISMA provides the DHS with fairly broad authority to protect federal agencies’ cybersecurity. Moreover, because the proposed method is largely a combination of the ZTE, Huawei, and Kaspersky bans, along with existing debarment procedures, it is well established that the federal government has the authority to carry out this Note’s proposal. Nevertheless, it would be beneficial for both agencies and contractors for the DHS to promulgate a press release or memorandum when it adopts this new method that details the procedural steps.
D. Benefits of the Proposed Method
A standardized banning mechanism would be beneficial for a number of reasons. First, it would provide direction for U.S. contractors that provide IT services to federal agencies. As stated earlier in the Note, when the government first banned Kaspersky products, U.S.-based government contractors experienced confusion as to whether they were required to adhere to the ban or whether they were still free to purchase Kaspersky products. The proposed method would provide essential clarity to U.S. contractors on when they can and cannot use products from banned companies in their maintenance of agencies’ IT networks.
Second, a standardized banning method would be useful to the agencies themselves. The effort to completely remove Kaspersky products from agency IT systems can be fairly characterized as a disaster, given that many contractors were not even aware that their systems contained Kasperskyand that evidence suggests Kaspersky software still lingers on both military and civilian agency systems. The proposed method would help solve this issue by providing clear directions to agencies about banned products.
Lastly, the proposed method would help to make bans appear less politically retaliatory. This Note argues that lack of standardization among the ZTE, Kaspersky, and Huawei bans means that the bans appear specially “tailored” to a specific country, like Russia or China. China in particular has interpreted the Huawei ban as a personal affront. While the proposed method wouldn’t by itself mend strains in foreign relations between the United States and China and Russia, it would not exacerbate tensions further. Foreign relations considerations are especially important when the banned company has a substantial effect on its country’s economy (e.g., Huawei is one of the largest companies in all of China) or when the company enjoys close ties to its government.
It is important to map out the current challenges of United States-China relations in order to understand what consequences another haphazard contracting ban could have. ZTE and Huawei already have a history of patent infringement litigation against U.S. technology companies. The trade war continues, despite a brief respite in late 2018. U.S. tariffs on Chinese goods reached $250 billion in 2018, and Vice President Pence has indicated that he would have no problem counseling President Trump to double that amount in the future.
United States-Russian relations are equally fraught. While President Putin and President Trump appear to be on good personal terms, ongoing accusations by U.S. officials that the Russian government meddled in the 2016 presidential elections have strained relations. In one recent incident, among many others, Russian diplomats were expelled from the United States after Russian nationals conducted a nerve agent attack in the United Kingdom.
When contracting bans are lifted by the U.S. president at the request of a foreign leader, or when contracting bans are enacted in multiple acts staggered over periods of time that may correspond with political turmoil between the United States and that company’s country (with increasingly dire results for the company), this Note believes the bans appear more like reactions to certain political or economic events. A standardized method helps control that unwanted consequence.
E. Potential Issues with the Proposed Method
Admittedly, this Note’s proposed method may not completely avoid the pitfalls of the previous Russian and Chinese bans. Given that these companies are very much tied to their respective governments, a standardized method can never completely take away the political nature of such a ban. As an example, the Chinese central government backs Chinese companies like ZTE and Huawei and has directed state-controlled banks to provide financial assistance in times of loss. Thus, any ban on a Huawei or a ZTE may necessarily be viewed by a leader like Xi Jinping as an attack on the government itself.
A second problem not initially addressed by the proposed method is what to do in the event of a national security crisis necessitating an immediate ban. Because appropriations bills are passed once each federal fiscal year, in some circumstances it could be upwards of several months before an appropriations bill could respond to an imminent national security crisis. If, for example, a foreign cybersecurity or telecommunications company was found to be interfering in an election occurring in the very near future, it would not be sensible for the DHS to wait until the passage of the upcoming NDAA to enact a ban. In an absolute emergency like this, this Note recommends that the DHS be allowed to bypass the proposed method and enact a BOD, which empowers the DHS to take “swift action . . . to address constantly evolving cyber-threats.” The temporary BOD could then be superseded by a permanent ban in the following fiscal year’s NDAA.
V. Conclusion
Political and economic conflict between the United States and Russia and China show little sign of resolution. The battle to be the leader of 5G technology is just ramping up, which likely means relations between the United States and China will actually worsen. On the Russian side of things, President Trump’s abrupt withdrawal of U.S. troops from Syria has given Russian troops an opportunity to advance, assist Bashar Al-Assad in rgaining territory, and further cement its place “as a rising power broker in the Middle East” at the expense of the United States. Because of these political realities, it is vitally important that the United States take every step possible, however small, to de-politicize bans involving international contractors with strong ties to their governments. The proposed standardized method will help to achieve de-politicization while ensuring U.S. national security interests are protected.