
Illustration by iStock; Security Management

Audit Finds that GSA Purchased Noncompliant Cameras Made in China, Exposing Agency to Security Risks

The U.S. General Services Administration (GSA) purchased 150 videoconference cameras manufactured in China that were not compliant with a 1970s trade law and justified the purchase using “misleading market research,” according to a GSA inspector general (IG) report published this week.

The report did not name the specific manufacturer of the cameras but did disclose that the cameras are not compliant with the Trade Agreements Act of 1979 (TAA) and that they have known security vulnerabilities that must be addressed with a software update.

“However, GSA records indicate that some of these TAA-noncompliant cameras have not been updated and remain susceptible to these security vulnerabilities,” the inspector general report explained.

In an interview with Security Management, the inspector general auditors declined to name the manufacturer of the cameras. Michelle Westrup, GSA regional inspector general for auditing, Heartland Region, said the IG’s office does not usually divulge the name of contractors in its reports. If names are disclosed, auditors are required to provide the opportunity for the contractor to comment on the report.

“We wanted to keep the name to ourselves,” Westrup says.

Daniel Riggs, audit manager, GSA IG’s Office for the Heartland Region, did clarify that the manufacturer in question is headquartered in the United States but the devices were assembled in China, making them not compliant with TAA.

“It doesn’t matter where they’re headquartered, it’s about the individual product,” Riggs says.

The auditors initiated their review of the GSA purchase after a GSA employee contacted the inspector general’s office in 2022. The office has a variety of means to report concerns, including a hotline, that are available to GSA employees and outsiders.

“An employee did come to us and was concerned that they started seeing these cameras within GSA’s buildings,” Westrup says. “They were concerned because they were manufactured in China and were wondering if they were TAA compliant.”

The IG’s office then began a review, which led to the discovery that GSA Office of Digital Infrastructure Technologies (IDT) employees “misled a contracting officer with egregiously flawed information to acquire 150 Chinese-made, TAA-noncompliant videoconference cameras,” according to the IG report.

“Before completing the purchase, the contracting officer requested information from GSA IDT to justify its request for the TAA-noncompliant cameras, including the existence of TAA-compliant alternatives and the reason for needing this specific brand. In response, GSA IDT provided misleading market research in support of the TAA-noncompliant cameras and failed to disclose that comparable TAA-compliant alternatives were available,” the report continued.

The cameras were purchased in two installments: 70 in March 2022 and 80 in October 2022. They were used for a pilot program managed by the GSA Federal Acquisition Service’s Federal Systems Integration and Management Center (FEDSIM), which provides acquisition services for U.S. federal agencies. The cameras were then used in GSA conference rooms across the country.

The GSA did not return a request for comment on this story.

Security Issues

Mid-way through GSA’s purchase of the cameras—June 2022—an IT security company, which Riggs and Westrup declined to name, issued a public report that identified five security vulnerabilities with those cameras, including that they could be used to create a backdoor into users’ networks.

The camera manufacturer issued a software update in response to the company’s findings, which would be pushed to affected devices if they were connected to the Internet. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a public alert about the vulnerabilities, encouraging users to update their cameras to avoid them being exploited to gain access to sensitive information.

The IG auditors found, however, that many of the cameras that GSA purchased were registered to GSA employees and had not been updated regularly.

“GSA IT was not adequately monitoring software updates for the TAA-noncompliant cameras; in fact, GSA IT informed us that it placed restrictions on the use of GSA’s network with these cameras, making it more difficult to keep the cameras adequately updated,” according to the report.

Riggs says that these restrictions are common practice for GSA, which often restricts network access for devices at their locations or places them on a guest network.

A subsequent review by the auditors found that there were 210 active TAA-noncompliant cameras registered to GSA email addresses on 18 September 2023.

“Of the 210 cameras, 37 (18 percent) had not been updated with the most recent September 2022 security-related software version—released nearly 1 year prior,” the report explained. “Additionally, 29 of the 210 cameras (14 percent) had not been updated to the June and July 2022 software versions that addressed the prior security vulnerabilities.”

How the Purchases Were Made

The TAA requires the U.S. federal government to purchase goods that are manufactured either in the United States or in a TAA-designated country. China, India, Iran, Iraq, and Russia are some of the countries that are not considered TAA compliant.

There are exceptions, however, which allow contracting officers to determine that purchases can be made from non-U.S. companies if there are no products that meet their needs or if the products are considered insufficient to fulfill their requirements.

In the case of the GSA camera purchase, the FEDSIM contracting officer requested information from the GSA IDT team to support buying them. The inspector general auditors found that GSA IDT responded to the officer’s request by providing “inaccurate, incomplete, and misleading market research that favored the TAA-noncompliant camera over similar TAA-compliant alternatives,” according to the report. “Despite GSA IDT’s knowledge and evaluation of this TAA-compliant product, the market research provided to the contracting officer did not include information on this alternative.”

This misleading—or inaccurate—information also included that the cameras did not transmit data or have storage capacity, even though the cameras had Bluetooth and Wi-Fi capability and storage. When asked about the source of the inaccurate information that GSA IDT provided, Westrup says that GSA itself would need to provide those details.

“We have to defer to GSA on that,” Westrup adds. “The information they provided to us was used in our report.”

Additionally, GSA IDT inaccurately stated that no TAA-compliant cameras existed that met the technical specifications of the procurement requirement. The auditors, however, found that at least one such camera existed in March 2022 and at least two in October 2022.

“When we interviewed GSA IDT officials about the flawed market research for both purchases, they told us that even though the TAA-compliant and TAA-noncompliant cameras are similar, the users preferred the noncompliant camera because of where it was able to sit on the table during a meeting,” according to the inspector general report. “The placement of the camera was not documented as a procurement requirement, nor was it made clear to us why that feature would justify purchasing TAA-noncompliant cameras.”

The GSA chief information officer (CIO), David A. Shive, then agreed with the decision to purchase the initial set of the noncompliant cameras (the March 2022 order), even though the contracting officer highlighted that the purchase conflicted with an executive order encouraging agencies to buy American-made products.

In interviews between the auditors and the FEDSIM contracting officer, who was not named, she acknowledged that it appeared she’d relied on “egregiously flawed information” from GSA IDT to make her determination to support the purchase of the cameras, the report said. She added that the intent to purchase the cameras to support a pilot program also influenced her decision to support the purchase. But, if she had been provided with accurate information, the contracting officer told auditors she would only have considered TAA-compliant cameras for purchase.

Shive was also questioned about his decision to sign off on the purchase of the cameras. He acknowledged to auditors that “he had signed the memorandum because he trusted that his team had done its research,” the report explained. “When we asked about his knowledge of the market research, the GSA CIO said that he did not review it, but he believed his team when they said there were no TAA-compliant cameras that met the agency’s requirements.”

Recommendations for the Future

The inspector general report made several recommendations for GSA to act upon that the administration agreed to, including that it no longer purchase TAA-noncompliant cameras if there are compliant cameras that meet its needs and take appropriate action against GSA IT and GSA IDT personnel to address the misleading information provided as part of the purchasing process.

The auditors suggested that GSA strengthen controls to ensure that TAA contracting officer determinations are adequately reviewed before approval, IT equipment is updated in a timely manner to reduce risk, and TAA-compliant products are prioritized in future procurement decisions.

“If you prioritize TAA compliance at the beginning of this, it takes away the need to worry about that trust element,” explains Riggs, referring to the approval process used for these cameras. “If you start there and end there, you don’t have to worry about getting a signature to end all of that.”

The auditors also recommended that GSA return or dispose of the TAA-noncompliant cameras. The GSA administrator, however, only partially agreed to this recommendation.

“GSA is confident that the use of detailed video conference cameras are secure under our current security protocols,” GSA said in its response. “Part of this protocol includes having already discontinued use of a subset of these cameras that do not meet our standards. GSA is committed to ensuring the security of our technology environment, as well as prudently utilizing taxpayer money.”

In a statement shared with Security Management, Andrew Borene, executive director for global security at Flashpoint, said that using these cameras in a federal setting “poses a significant risk, not just due to their known vulnerabilities, but also due to the potential for hidden backdoors or other compromised elements in their hardware or software.”

GSA’s decision to purchase the cameras from a Chinese manufacturer is a matter of concern, Borene added, because of their potential to be used as a vector for espionage or maintaining a persistent presence in federal networks.

“The [People’s Republic of China’s] Communist government has passed a number of increasingly totalitarian laws mandating that all Chinese corporations share information with the government for national security purposes,” Borene said. “This creates an inherent risk when using their manufactured technology in sensitive environments.”

The GSA centralizes procurement and shared services for the U.S. federal government, overseeing more than $100 billion in products and services via federal contracts and delivering technology services to federal agencies.

“Today our mission has evolved to provide stewardship of the way government uses and provides real estate, acquisition services, and technology,” according to GSA’s mission and background statement. “Through our Public Buildings Service, Federal Acquisition Service, and various staff offices, we provide workspace to more than 1 million federal civilian workers, oversee the preservation of more than 480 historic buildings, and facilitate the federal government's purchase of high-quality, low-cost goods and services from reliable commercial vendors.”

 
