Caroline Brehman/CQ-Roll Call, Inc via Getty Images

GSA used ‘egregiously flawed’ data to clear purchase of Chinese-made cameras, watchdog says

The inspector general's report noted that the acquired video conferencing cameras were not compliant with the 1979 Trade Agreements Act and contained security flaws that, in some instances, had still gone unpatched.

The General Services Administration used “egregiously flawed” market research in its decision to purchase 150 Chinese-made video conferencing cameras that did not comply with U.S. trade standards, the agency’s oversight office said in a report released Tuesday.

The U.S.-based firm, which was unnamed and designated only as “Company A” in the report, provided the agency with cameras manufactured in China that did not comply with the 1979 Trade Agreements Act, and includes known security flaws that still need to be addressed, according to GSA’s Office of Inspector General.

The agency’s OIG was contacted in 2022 by an unnamed employee concerned about the purchase and use of the equipment. The procurement was greenlit by GSA CIO David Shive, and was made through GSA’s Federal Acquisition Service’s Federal Systems Integration and Management Center — or FEDSIM — in two separate orders: 70 purchased in March 2022, followed by an additional 80 in October 2022. 

But a June 2022 analysis issued by an unnamed IT security company highlighted five vulnerabilities in the equipment, and added that the equipment can be turned into “rogue wireless network gateways” that can be used to secretly access the camera owners’ networks, according to the oversight report.

Shive concurred with the camera purchases, knowing that they didn’t meet standards, according to the report. “Per the market research conducted by GSA IDT, there are no available comparable products that are compliant,” a statement from an included purchase memorandum reads.

The findings highlight yet another potential security lapse in the federal government’s cybersecurity apparatus and follows recent headline-making cyberattacks that compromised  the Securities and Exchange Commission and Department of Health and Human Services.

Officials in recent years have been making efforts to jettison Chinese-made communications equipment from government networks and telecommunications service providers, on grounds that such hardware can exfiltrate sensitive data and conduct espionage on behalf of China’s central government.

The Chinese embassy in Washington, D.C. did not reply to a request for comment.

“In response to the IT security company’s report, Company A released software updates to address the identified vulnerabilities,” the report says. “These updates are typically pushed out to the cameras if they are consistently connected to the internet,” it adds, noting that, if not online, the cameras must be manually patched.

The research provided to the GSA contracting officer responsible for the camera procurement was “inaccurate, incomplete, and misleading” and ignored alternatives that were compliant with trade standards, the analysis adds. Such inaccuracies included claims that the purchased cameras did not have data transmission and storage capabilities, which were found to be false.

At least one alternative camera device was available to purchase and met standards, the report notes. That camera product was manufactured by a firm designated as “Company B” in the report, which said that the firm was headquartered in the U.S. and manufactured TAA-compliant cameras in several nations, including Taiwan. 

The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency in June 2022 issued an alert regarding updates to TAA non-compliant camera equipment, according to the report, though it did not say which software or hardware was specifically flagged by CISA. A search of June 2022 CISA alerts connected to cameras only turned up one result, referring specifically to Owl Labs, a video equipment provider that sells tabletop conferencing devices.

Owl Labs did not return a comment by publishing time.

A CISA spokesperson referred Nextgov/FCW to GSA OIG, which declined to provide any additional information beyond what was included in the report.