Analysis
Attacks and Vulnerabilities
Critical infrastructure
Malware, Phishing & Ransomware
News
Regulation, Standards and Compliance
Reports
Risk & Compliance
Supply Chain Security
Technology & Solutions
Threat Landscape

GAO asked to audit national security risks posed by contractors used concurrently by US, Chinese governments

January 26, 2023
GAO asked to audit national security risks posed by contractors used concurrently by US, Chinese governments

The U.S. Senate Homeland Security and Governmental Affairs Committee have called on the Government Accountability Office (GAO) to examine the national security risks posed by private consulting companies that concurrently contract with the U.S. government, as well as the Chinese government or Chinese state-run enterprises. The bipartisan move also raised concerns that these contractors’ outside work with adversaries like the Chinese government could create conflicts of interest that undermine national security.

“Companies that carry out taxpayer-funded projects for the U.S. government should be working in the best interests of the American people, and we are concerned that companies that also contract with adversaries like the Chinese government could be creating unacceptable conflicts of interest,” U.S. Senators Gary Peters, a Democrat from Michigan and chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley, a Republican from Missouri, wrote in a letter this week to Gene Dodaro, GAO’s Comptroller General.

The senators pointed out that for instance the Department of Defense and other federal agencies have awarded contracts to consulting firms that have simultaneously provided services to the Chinese government and associated entities. 

“In some instances, consulting firms have supported entities directly tied to the Chinese government, including by building artificial islands to position missiles, fighters and bombers in the South China Sea, and participating in exercises for an amphibious assault on Taiwan,” according to the senators. “We are concerned that the provision of such services simultaneously could create conflicts of interest that threaten American national security and undermine U.S. foreign policy,” they added. 

The move by the senators builds upon bipartisan law authored by Peters last Congress that will help identify and mitigate potential conflicts of interest in federal contracting. 

The senators also highlighted that apart from these potential conflicts of interest, such contract types could present other security risks that are not well understood. “Although firms doing business for the Chinese government or its associates may argue that structural divisions between corporate entities servicing the Chinese and American governments, respectively, are sufficient to eliminate security risks or conflicts of interest posed by their work – we remain concerned that information sharing within these companies may result in Chinese entities accessing or taking advantage of firms’ access to U.S. government data, classified or otherwise,” they added. 

The senators have requested the GAO to assess the extent to which federal agencies collect information on contracts performed on behalf of the Chinese government or its proxies or affiliates by consulting firms that hold or have held contracts with the U.S. Government, and whether this information includes specific projects and deliverables of such contracts.

They also called upon the watchdog to estimate the extent to which selected federal agencies, including at a minimum the Department of Defense and elements of the Intelligence Community, have assessed the risks posed by American consulting firms’ work for the Chinese government and its proxies or affiliates, including an assessment of the risk of deliberate or inadvertent sharing of U.S. government information that may be used for Chinese economic or military advantage.

The bipartisan move also sought to identify relevant contract clauses, procedures, and information used by federal agencies to identify, evaluate and resolve organizational conflicts of interest when awarding consulting contracts. 

The senators also seek an assessment of the extent to which agencies experience challenges when identifying, evaluating and resolving organizational conflicts of interest. Including determining whether the offeror/potential contractor also performs work for China. They also asked the GAO to identify steps that federal agencies take to monitor contractor compliance with any contract clauses, terms or conditions intended to resolve identified conflicts of interest.

There have been recent reports have shed light on potential conflicts of interest that were created by private consulting companies working with the U.S. and Chinese governments. “For example, for more than a decade, McKinsey & Company has received hundreds of millions of American taxpayer dollars to support sensitive national security projects,” the senators said. 

At the same time, McKinsey did not disclose to DOD that they were simultaneously contracting with Chinese state-owned companies, they added. “This has raised serious concerns about the reliability of advice provided by McKinsey consultants, and whether its work could give a foreign adversary insight into our national security strategies or other sensitive matters. In their letter, the senators also asked GAO to examine how federal agencies are working to address this issue and to identify steps the federal government can take to ensure that contractors are working in the best interest of the American people – not foreign adversaries.”

Data released by SentinelOne in December said that while attacks on businesses, healthcare providers, and educational and financial institutions make news headlines regularly, governments and their agencies have risen to the top as one of the most targeted sectors. 

“Research in Q3 said that the government was the second most attacked industry with an attack average sitting at 1564 cases each week. This marks a 20% increase compared to the same period last year,” SentinelOne wrote in a blog post. “This year, it was reported that only 32% of state and local governments paid out cybercriminals to restore their encrypted data; a marked decrease from 42% in 2020. Compared across all other sectors which averaged at 46% in 2022, this was the lowest reported rate.” 

The report added that though fewer government bodies are paying ransoms, the number of threat campaigns is still rising, indicating that threat actors have their eyes on goals other than monetary gain.

Last February, U.S. security agencies disclosed in a cybersecurity advisory that Russian state-sponsored cyber hackers have targeted over the last two years, compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs. These intrusions have led to adversaries obtaining access to sensitive American defense information and technology, potentially exposing program developments and internal company communications, according to a joint cybersecurity advisory issued on Wednesday.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation