VA purchased technology from blacklisted, banned foreign companies, officials say

Abbie Bennett
February 13, 2020 - 1:36 pm

Photo courtesy of House Republicans

The Department of Veterans Affairs purchased equipment from federally blacklisted foreign companies, VA officials told Congress this week. 

But it’s unclear exactly what the department bought. 

Last fall, Rep. Jim Banks, R-Ind., asked VA’s Chief Information Security Officer Paul Cunningham where VA purchased an IT or telecommunications equipment from federally blacklisted companies.

Rep. Susie Lee, D-Nev., asked VA whether the department bans or has restrictions on purchases from certain manufacturers, including blacklisted companies, or on equipment, including video surveillance, telecommunications, GPS, printers and scanners, phones and tablets, drones, software and other tech.

The department took until this month to provide Congress any answers.

Yes, VA had made purchases from companies on a federal blacklist, officials said in their report to Congress.

Last year, the Department of Commerce added dozens of companies and organizations to a running blacklist of foreign firms, including Chinese companies, prohibiting or limiting their business dealings with the United States. The ban focused mainly on companies specializing in digital surveillance, artificial intelligence and other technology. Some of those companies were accused of installing equipment in sensitive United States locations, including military bases or government facilities.

The Commerce Department said many of the companies on the list had been implicated in human rights violations and the Chinese government’s efforts to repress and surveil. 

Lenovo -- which operates primarily in China -- is among other companies whose products have been banned by the federal government after reports that computers and other technology equipment were allegedly manufactured with hidden spyware and backdoors. 

The companies VA purchased equipment from were Huawei, Hytera and Lenovo, according to the database and VA’s report. VA did not immediately respond to requests for comment.

Last fall, Cunningham told Congress that it "is not exactly in the VA's mission to determine whether a company is allowed to do work with the federal government or not -- we will leave that to general counsel and certainly to (the Department of Homeland Security) and the intelligence community to tell us where we should not go or where we should not operate." 

This week, Cunningham said VA relied on the Federal Procurement Data System, a public online database, to track its purchases. While FPDS lists information on companies that federal agencies have purchased from, it contains limited, if any, information on the actual goods or services purchased. FPDS also does not note whether a company is blacklisted. 

Banks criticized VA’s report for lacking specifics of what was purchased. 

“We stand beside that as the best way for us to provide the definitive answer to you,” Cunningham said during a Congressional hearing on VA data security this week. “We were answering the question that you asked: Was the purchase (from) blacklisted companies inside VA? We used the source that was most relevant to us, and we feel we answered that question completely.” 

According to VA’s report of the purchases from blacklisted companies obtained by Connecting Vets, and the FPDS database: 

  • There is one record of a VA contract connected to Huawei, and that contract is still active;
  • There are three records of VA contracts connected to Hytera and all three have expired;
  • There are nearly 100 records of VA “contract actions” directly with Lenovo and none of those contracts are still active. 

The FPDS database contains only contracted purchases and does not include any purchases made by other means such as credit cards. 

The database only shows the name of the vendor or main contractor and a brief description of the contract, often with little-to-no detail. 

"VA's answer gives me no confidence," Banks said. "I don't believe anyone in the department actually knows what's going on." 

“I share Rep. Banks’ alarm about the safeguards VA has in place to prevent purchasing equipment from blacklisted Chinese companies,” said House Veterans Affairs ranking member Rep. Phil Roe, R-Tenn. “While our awareness, as a country, of the cybersecurity risks we face has come a long way, we clearly have a lot more work to do to understand the extent of state-sponsored cybercriminals’ infiltration of our government agencies, like VA.”

In December, Congress held a hearing specifically about foreign influences targeting veterans, including their private data. 

Reach Abbie Bennett: abbie@connectingvets.com or @AbbieRBennett.

Want to get more connected to the stories and resources Connecting Vets has to offer? Click here to sign up for our weekly newsletter.