The Importance of Buying American IT Products
Without implying political gamesmanship, the last week brought mixed messages from the new administration on the purchase and use of American technology products. Regardless of the mixed messaging, buying American-made technology products should be a top priority for any American business.
The mixed messages stem from two conflicting executive orders issued by the new Presidential Administration:
1. On January 20, 2021, President Biden inked the “Executive Order on Protecting Public Health and the Environment and Restoring Science to Tackle the Climate Crisis,” in which he suspended former President Trump’s May 1, 2020 Executive Order 13920 (Securing the United States Bulk-Power System) for 90 days. Executive Order 13920 prohibited foreign adversaries from using manufacturing capabilities to exploit or create vulnerabilities in the bulk U.S. power system by prohibiting “any acquisition, importation, transfer, or installation of any bulk-power system electric equipment … [from adversarial national] interest… [that] poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing… of the bulk-power system in the United States,” etc.
2. On January 25, 2021, President Biden signed the “Executive Order on Ensuring the Future Is Made in All of America by All of America’s Workers,” whose title is self-explanatory and which included a reference to IT products and government contracts.
While current guidance is ambiguous, the reality is clear. Purchasing American-made technology is exceptionally important as pandemic research, vaccine production, and vaccine research dominate the healthcare market. Further, financial institutions continue to issue Small Business Association loans to distressed businesses, mortgage payments are postponed, and the eviction moratorium continues. In short, neither healthcare nor finance, the two industries most heavily targeted by cyber-criminals, is in a steady state. Therefore, purchasing foreign-made information technology equipment is an unnecessary risk.
As stated in a 2019 DoDIG report, items as seemingly innocuous as foreign-made printers can be dangerous:
According to a Congressional report on supply chain vulnerabilities from China, Lexmark is a company with connections to Chinese military, nuclear, and cyberespionage programs. The National Vulnerabilities Database lists 20 cybersecurity vulnerabilities for Lexmark [printers], including storing and transmitting sensitive network access credentials in plain text and (U) allowing the execution of malicious code on the printer. These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial-of-service attack on a DoD network.
Unfortunately, the presence of foreign-made component parts in IT equipment is also a concern. When Amazon began developing its Prime Video streaming service in 2015, it evaluated several potential partners to launch the new platform. One such partner was an Oregon-based software company with prior and existing U.S. Government contracts with the Central Intelligence Agency, the Department of Defense, and the Olympics. When Amazon inspected the software company’s servers, which were assembled in San Jose, California by a local business, Amazon uncovered a tiny microchip buried within the servers, which was not included in the original server design. The presence of the microchip was reported to the U.S. authorities and investigated by third-party professionals and authorities. The results of the investigation were stunning. The chips were inserted in the servers at the factories by Chinese operatives in San Jose, creating a supply chain attack that nearly impacted all Amazon Prime customers. Instead, this microchip only (sarcasm intended) infiltrated the Department of Defense, Apple, and 30 other private entities and public agencies.
In addition to microchip planting, the Secretary of Defense’s “2020 China Military Power Report” describes hacking groups targeting industries associated with the People’s Republic of China’s (“PRC”) economic priorities: tech groups developing machine learning, autonomous vehicles, medical imaging, semiconductors, processors, and enterprise cloud computing software. And, in 2015, the PRC announced the “Made in China 2025” plan, which is increasing China’s domestic manufacturing of robotics, power equipment, and information technology products.
Therefore, U.S. businesses, particularly those in high-target markets, are besieged by both the alluring price of foreign information technology equipment and the hidden defects (intentional and otherwise) that create information security and cybersecurity vulnerabilities. Recommendation: require third-party vendors to purchase information technology products from American-based manufacturers and further require proofs of purchase. Purchasing “Made in America” products is not just about patriotism or supporting job growth for skilled labor – it is a serious security issue.