Connecting state and local government leaders
COMMENTARY | Finding and replacing Chinese-made equipment in state and local government networks will be challenging and expensive. But the threat is genuine and must not be ignored.
TikTok, the popular video app that is used by more than 135 million Americans, is facing an increasingly loud chorus of opposition from U.S. officials concerned about the company’s relationship with the Chinese government.
As of April, at least 34 states have issued some sort of prohibition on the app’s use on government-owned and -issued devices by agencies, employees and contractors. Montana, has gone so far as to pass legislation restricting the app on personal devices, though the measure is being challenged in court.
Driving all this action is concern that TikTok’s parent company ByteDance could be forced to share data on U.S. users, such as their profiles, contacts, messages and location information, with the Chinese government under the country’s 2017 National Intelligence Law. That law states that “any organization or citizen shall support, assist, and cooperate with state intelligence work,” and experts say that Chinese companies would have no choice but to hand over data if authorities in Beijing requested it.
TikTok isn’t the only Chinese-produced technology stirring concern. The Biden administration last November essentially barred the sale or import of new telecommunications and computer network equipment from China's Huawei Technologies and ZTE because of "an unacceptable risk" to U.S. national security. As with TikTok, government officials warn that China could leverage the gear as vectors for cyberattacks and espionage.
At the state and local level, however, low-priced IT equipment from Chinese companies remains widely used. According to an analysis of public procurement records by Foreign Policy magazine, nearly 1,700 state and local agencies bought products and services from Huawei, ZTE and three other Chinese companies on a federal blacklist between 2015 and 2021. The magazine said every state except Vermont appeared on the list and that the true number of buyers may be higher.
And yet ripping out and replacing the Chinese equipment installed in the U.S. is much easier said than done.
First, one of the biggest challenges in operating a network is knowing exactly what’s in that network. States and even many local computing enterprises are vast, complex and evolving, making it difficult to obtain a firm understanding of all the hardware and software in the environment.
Full network visibility into all the assets across their networks would require enterprises to maintain an accurate inventory. They also need a deep level of situational awareness about those assets: Where are they? What are they doing? Are they running critical applications or services? What other global networks are these connected assets potentially communicating with?
Acquiring this insight is very challenging. It’s nearly impossible to gain the right amount of contextual intelligence to fully assess potential risks and vulnerabilities—the understanding required to monitor for unusual activity and to plan for any necessary remediation.
The second reason these Chinese technologies remain installed across networks is money. Huawei and ZTE devices are often less expensive than American-made products. Plus, cash-strapped state and local agencies may view abstract risk posed by foreign technology as a threat not worth prioritizing.
So, what should state and local government leaders do?
The first and most important move must be cracking the situational awareness problem. If an agency can’t determine, say, whether it has Huawei chipsets in its routers or security cameras, it can’t possibly evaluate what vulnerabilities they pose and then plan accordingly.
This is especially true as computing infrastructures become even more complex with the infusion of internet-of-things, or IoT, devices to monitor roads, help manage traffic, save energy and improve law enforcement, to name a few examples.
Even a government that has a strong grasp on its core IT environment may have blind spots in understanding its growing, converging landscape of IoT and operational technology, the systems that run building management systems, fire control systems, physical access control equipment and industrial control systems found in water treatment and power plants. There’s a very good chance that equipment from Huawei, ZTE and other blacklisted Chinese manufacturers is part of that mix, but state and local tech leaders probably don’t know exactly what, where or how.
Closing the visibility gap isn’t easy if agencies approach this challenge manually, but with the right technology that can inventory assets and evaluate cyber risks with real-time and contextual insights, it can be done.
The second thing that state and local governments must do is put their money where their mouths are and pay to start replacing the foreign equipment, regardless of how seemingly challenging and costly this may be.
Despite extreme budget pressure, policy makers and budget appropriators must back up their rhetoric around securing IT environments with real action. Ultimately, increased cybersecurity and stronger peace of mind resulting from more trusted equipment are worth the investment—especially considering the cost of doing nothing. The City of Atlanta, for example, ended up having to spend at least $2.7 million to restore municipal computer systems after a cyberattack in 2018.
A hopeful sign emerged in early August from New York when Gov. Kathy Hochul announced the Empire State’s first cybersecurity strategy, including plans to modernize government networks, bolster cyber defenses at the county level and regulate critical infrastructure.
The devil will be in the details, but this initiative seems to address cybersecurity, including any threat from China, proactively rather than after an attack. Florida and Las Vegas are also taking an especially aggressive stance on cybersecurity, and I hope we will see many more governments step up.
State and local governments can’t afford to put off dealing with cybersecurity risks from TikTok, Huawei and others. The threat is genuine, which is why the federal government and several states have enacted restrictions. It’s time for substantive action beyond those rulings to make sure fears of Chinese malfeasance don’t become reality.
Tom Guarente is vice president, external and government Affairs, with Armis.