China unhappy with equipment risk audits

Chinese officials have hit out at a new US law restricting IT imports for government agencies.

The new restrictions came as part of a larger appropriations bill, Consolidated and Further Continuing Appropriations Act of 2013, which outlines government spending for the upcoming fiscal year.

It forces US agency heads to assess risks imposed on government users and data when assessing the purchase of Chinese IT equipment.

China's foreign ministry spokesman Hong Lei told reporters in Beijing the law “used cyber security as an excuse to take discriminatory steps against Chinese companies,” according to a China Daily report.

Spokesman for the Ministry of National Defense Yang Yujun said the origin of cyber attacks was not definitive enough to warrant legislative action, noting the attacks were a "global issue".

The 240-page bill, signed by US President Obama, means NASA, the National Science Foundation and the Commerce and Justice departments must review the “associated risk of cyber espionage or sabotage associated with the acquisition of [IT] systems, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidised by the People's Republic of China.”

The new bill came on the heels of several incidents that fueled US Government leaders' suspicions of China's role in cyber espionage attacks against private companies and the public sector.

Of particular note were assertions in February from Mandiant that a secret Chinese military unit was behind the theft of hundreds of terabytes of data from 141 organisations, mostly in the United States.

So far, Sprint and Japanese telecommunications firm SoftBank have already said they will no longer buy equipment from Chinese networking equipment provider Huawei Technologies, which has been the focus of digital spying concerns expressed by the U.S. government.

In Australia, the Federal Government has banned Chinese-based Huawei from bidding on the country's National Broadband Network following advice from intelligence agencies.

The law may have been borne from a US House Permanent Select Committee on Intelligence held last September, according to EastWest Institute vice president Dave Firestein.

“My sense is that what's happened with this law may be the natural outgrowth of the September 2012 hearing,” Firestein said. “[Government leaders] signaled or foreshadowed that they were prepared to legislate some solutions for the problem.”

Firestein added that the goal of the law is to provide oversight of potentially high-risk equipment in the China supply chain – not to ban business relationships forged between the countries.

“It's no surprise that this rule has generated a lot of attention in China, but one shouldn't overstate what the law seeks to do," he said. "It puts in a quality control premise. It doesn't seek to ban, but to [implement] a vetting mechanism.”

[An earlier version of this story incorrectly stated the government arm that led the September hearing on Chinese telecommunication companies].

This article originally appeared at scmagazineus.com