The US has taken its first real swipe at China following accusations that the Beijing government is behind a widespread and systemic hacking campaign targeting US businesses.
Buried in a spending bill signed by US President Barack Obama on Tuesday is a provision that effectively bars much of the US government from buying information technology made by companies linked to the Chinese government.
It is unclear what impact the legislation will have, or whether it will turn out to be a symbolic gesture.
The provision only affects certain non-defense government agency budgets between now and Sept. 30, when the fiscal year ends.
It also allows for exceptions if an agency head determines that buying the technology is “in the national interest of the United States.”
Still, the rule could upset US allies whose businesses rely on Chinese manufacturers for parts and pave the way for broader, more permanent changes in how the US government buys technology.
“This is a change of direction,” said former US Homeland Security Department official Stewart Baker, now with the legal firm Steptoe and Johnson in Washington.
“My guess is we’re going to keep going in this direction for a while,” he said.
Earlier this month, the US computer security firm Mandiant released details on what it said was an aggressive hacking campaign on US businesses by a Chinese military unit.
Since then, US Treasury Secretary Jack Lew has used high-level meetings with Beijing officials to press the matter. Beijing has denied the allegations.
Congressional leaders have promised to push legislation that would make it easier for industry to share threat data with the government. However, those efforts have been bogged down amid concerns that too much of US citizens’ private information could end up in the hands of the federal government.
As Congress and privacy advocates debate a way ahead, lawmakers tucked “section 516” into the latest budget resolution, which enables the government to pay for day-to day operations for the rest of the fiscal year.
The provision specifically prohibits the US Commerce and Justice departments, NASA and the National Science Foundation from buying an information technology system that is “produced, manufactured or assembled” by any entity that is “owned, operated or subsidized” by the People’s Republic of China.
The agencies can only acquire the technology if, in consulting with the FBI, they determine that there is no risk of “cyberespionage or sabotage associated with the acquisition of the system,” according to the legislation.
Last year, Ruppersberger and US House Intelligence Committee Chairman Mike Rogers, a Republican, released a report urging US companies and government agencies to drop any business with Chinese telecommunications companies Huawei Technologies Ltd and ZTE Corp because of the security risks they pose.
However, a blanket prohibition on technology linked to the Chinese government may be easier said than done. Information systems are often a complicated assembly of parts manufactured by different companies around the globe. Investigating where each part came from, and if that part is made by a company that could have ties to the Chinese government could be difficult.
Huawei, the third-largest maker of smartphones, says it is owned by its employees and rejects claims that it is controlled by the Chinese government or military.