Are there Cybersecurity Risks in Your Supply Chain?
October 10, 2018
By: Lindsay Simmons
By now we all know that the Federal Government has dramatically increased its efforts to reduce threats to cybersecurity: witness a case in the Court of Federal Claims (COFC) where the Social Security Administration (SSA), in acquiring new printers, was determined to avoid supply chain risks it suspected were present in a bidder’s offer. The bidder protested, but the COFC agreed with the agency. Iron Bow Technologies, LLC v. United States, et al., No. 17-1250C, Mar. 27, 2018.
In Iron Bow, the SSA’s evaluation methodology, set forth in its solicitation, described how the agency would investigate potential supply chain risks by examining foreign ownership or control over the prime contractor, the subcontractor, and the location of the manufacturing facilities. In this regard, all offerors, including Iron Bow, were required to submit detailed information about their proposed printers.
Iron Bow proposed to supply printers by Lexmark, a well-recognized printer manufacturer. Indeed, the SSA currently uses Lexmark printers. However, upon review of Iron Bow’s proposal, the SSA refused to award to Iron Bow, the apparent awardee. Why? Because, according to the SSA, Iron Bow’s offer presented an unacceptable supply chain risk – Lexmark is now wholly owned by several Chinese entities, some having close ties to the Chinese Government.
As our readers know, there have been numerous reports addressing Chinese Government cyber-espionage efforts, including the laws which enable the Chinese Government to obtain sensitive information (like source code). The SSA’s reasoning was that, because its printers would connect to the SSA’s Virtual Private Networks (VPNs), they could pose a security risk if compromised. Apparently printers can be hacked as easily as any other part. In addition, certain printers contain hard drives that hold extensive data even after the user is done printing.
In its protest, Iron Bow argued that (i) Lexmark printers are already in use within the Federal Government; (ii) Lexmark’s acquisition by the Chinese was reviewed and approved by the Federal Government under the Committee on Foreign Investment in the United States (CFIUS), albeit with a requirement to put a national security agreement in place; and (iii) Lexmark’s “Chinese” owners with ties to the Chinese Government were minority owners.
The COFC was not persuaded. It found that (i) Lexmark’s CFIUS agreement does not address the SSA’s supply chain risk and (ii) Lexmark’s 49% “minority” ownership was large enough to pose a potential security risk. Accordingly, the Court denied the protest.
Why is this case important? It emphasizes the supply chain hurdles faced by the Federal Government and contractors alike where commercial items are acquired from certain foreign-owned entities, where manufacturing takes place in certain foreign countries, and even where certain products have been sold to certain foreign governments.
In Iron Bow, the Court sustained the agency’s decision based upon the potential – not actual – risk in using Lexmark printers. The takeaway: Iron Bow may signal trouble – even de facto debarment – for companies with “relationships” with China, such as Lexmark.
Lindsay Simmons is responsible for the contents of this article.
© 2018 Jackson Kelly PLLC