Motor carriers working with the federal government had to send a request to find and purge telecommunications equipment made by five different Chinese companies involved in their operations before the deadline of August 13th.
Earlier this month, American Trucking Associations’ Government Freight Conference hosted a webinar aiming to help carriers become clear on what they needed to do in terms of this provision, which is included in the fiscal year 2019 Defense Authorization bill. This mandate was implemented in an effort to decrease any national security threats within Chinese-made technology–including everything from cell phones to GPS systems to cameras.
“There is likely going to be significant impacts that will be felt across the federal sector,” said a government official who wished to remain anonymous in order to speak candidly. “It’s very clear that the Defense Department and other agencies fully support the intent of the rule. We all know there is a lot of information about how China transmitted data and stole intellectual property, so the intent of the rule to protect our national security is good. But, there will be unintended consequences because of how the specific language was written.”
The Chinese companies believed to include hackers who broke into systems within the U.S. intelligence and defense agencies’ information systems are Dahua Technology, Hikvision, Huawei, Hytera, and ZTE Corp. All affiliates of these companies are included in the provision.
Truckers will need to search for and get rid of any prohibited products within their technology systems, although the tech targeted may be extremely difficult to find within current corporate tech. The industry is still navigating how the government will enforce this requirement and what exactly is covered by the provision.
“I think we’re all catching on to what an incredibly potent statute Sec. 889 of the 2019 National Defense Authorization Act is,” said ATA’s Government Freight Conference executive director, Bill Wanamaker. “As a carrier or broker, how do you know whether any of this covered technology is in your electronic inventory?”
The law incorporates “essential” and “substantial” parts of covered equipment, according to Harold “Buzz” Bailey of Bailey FedK Consulting, and these parts include microelectronic data-routing components. “[When] most telecommunication equipment OEMs can’t ‘fix’ their components to make them Sec. 889 compliant, you have to buy new ‘NDAA-compliant’ equipment,” he explained.
These are the key points Bailey insisted carriers understand:
-Government contractors do not need to perform an audit of a supplier, and only need “reasonable inquiry” regarding its equipment purchase documents.
-Contractors should review their equipment purchase records and determine whether or not records show that the equipment is made by an OEM, installer, or distributor. Carriers should keep in mind that essential OEM components are not the ones in question.
-A trucking company can respond “no” to Part 2 of Sec. 889 if it has not received complete supplier survey answers but has finished a reasonable inquiry of its purchase record.
-Carriers need to expand their inquiries to both distributors and installers, and should contact OEMs about essential components.
Additionally, Bailey suggested carriers request a delay to the mid-August deadline and contact their congressional delegation despite any congressional reluctance.
“If your existing equipment is not on the list, then it’s probably not compliant,” said Bailey. “This could lead to an expensive ‘rip and replace.’ The government may not mount aggressive enforcement early on, but they may look to make an example of a company blatantly misrepresenting use of covered equipment. There is a waiver process available, but that process will take time and money. It’s best to discuss waivers with government customers sooner rather than later.”
A broad waiver was indeed requested by the Office of the Director of National Intelligence due to the Defense Department’s lack of clarity. Agencies have been able to request waivers either from ODNI or through a tedious internal process.
The Department of Defense has also set up a task force that includes all Defense agencies and services with cybersecurity experts in order to bring about more efficient waiver-issuing coordination.
The task force is meant to ensure consistency so that one service isn’t issued a waiver while another is denied, according to the government official.
“The real insidious part of this is that it’s a marketing opportunity for a lot of companies,” said Bailey. “That’s what really worries me, because these companies would normally say, ‘You’re going too far, government, you shouldn’t cover this and you shouldn’t cover that.’ But the equipment providers are just as happy.”