Stop risky government purchase of software from bad actors

The bipartisan $54 billion CHIPS Act was enacted to minimize risk to the USA, with an eye towards making us less reliant on foreign manufacturing. It was passed with enthusiasm, patriotism, and a healthy dose of paranoia. Over the past decades, a significant portion of semiconductor manufacturing has moved out of the USA to reduce costs. Over time, this expertise moved offshore along with associated infrastructure and supply chains, making it difficult to build here in the USA.

However, the goal of self-reliance is not only about semiconductors. The Chinese government has poured billions into technology initiatives that are structured in a way that Chinese companies may act as an agent for the state. The Department of Treasury’s Office of Foreign Assets Control keeps track of the bad actors, and the federal government went so far as to say organizations should exercise caution when interacting with firms based in China. Chinese government investments include artificial intelligence (AI), telecommunications, and software. Weaponized AI and software are used in sophisticated cybersecurity threats.

Cybersecurity attacks, often originating from nation states, have shut down government software systems and in turn halted government services for constituents, often until ransom is paid. Despite such risk, government entities continue to utilize Chinese technology within their firewall. Why would government entities willingly put our government systems and their respective constituent services at risk by not buying American? Secondarily, why would we allow our tax dollars to indirectly support human rights violations such as the suppression of Hong Kong and the mass incarceration of the Uyghurs? Why support a country indirectly that lacks basic freedoms such as a free press?

Well, it is the same reason manufacturing left the USA: in order to save a buck. Simply put, this can be government procurement personnel wanting to save money, so they purchase software from nation states with governments we do not necessarily trust. Left unchecked, this is a risk to our government institutions and the constituents they represent. The cost and long-term ramifications of a cyber-attack exceed any one-time savings. This is penny wise and pound foolish.

Fortunately, we have elections, and we can elect candidates who prioritize security, risk mitigation, and buying American. Elected officials can dictate procurement policies, such as requiring environmentally sustainable products, which means government purchases the pricier electric vehicle. Less expensive options exist; however, policymakers have placed a higher priority on the environment. So why not do the same for domestic technology?

Such practices influence the marketplace and show leadership locally. I remember when former City of San Jose Councilmember Jim Beall was upset during a city meeting when he realized thousands of City-issued garbage bins were not made in the USA. I agreed with him. And it was his comments that made sure city staff responsibly sourced these bins from US companies from then on. If we can do it for garbage bins, we can do it for technology.

To be clear, government does not need to pass a law for every common-sense measure. However, it should certainly be the policy of every government entity when purchasing technology that the company and source code originates in the USA. An imported garbage bin cannot launch a cybersecurity breach, but Chinese software can.

American companies invest in our communities by employing tax-paying citizens who buy local goods, make philanthropic donations, and in many cases provide the investment returns for government pension funds. The foreign alternative does not provide the same value and opens our government and respective constituents to vulnerabilities that are avoidable. Let’s be strategic and patriotic with taxpayer revenue so government can remain self-reliant.

Voters should elect candidates who prioritize security, risk mitigation and buying American.

Published: September 15, 2022 Mercury News

Pierluigi Oliverio

Enable entities to constantly adapt, transform and reinvent their processes with actionable insights to model complex scenarios, forecast continuously with added intelligence, and make agile decisions with confidence.

2 years ago

Konnech was required to keep the data in the United States but instead stored it on servers in the People’s Republic of China, the DA’s office said. https://www.mercurynews.com/2022/10/05/ceo-of-election-software-firm-held-on-la-county-data-theft-charges/
