Lobby calls proposed rule to fight counterfeit products onerous

A leading technology lobby in Washington argued on Tuesday that a proposed rule to root out counterfeit and faulty technology products that find their way into government systems places undue liability on federal contractors.

The Technology Association of America submitted a letter to the Federal Acquisition Regulatory Council saying a rule change to the Federal Acquisition Regulation that requires contractors to certify IT products sold to the government are authentic, or be held liable if they are not, is "practically impossible to meet.

"Contractors cannot take apart every component to determine whether it is authentic," wrote Trey Hodgkins, vice president of federal government programs at the technology association. "Many contractors are only in a position to measure the performance of components and determine whether they meet contract requirements."

The lobby group submitted the letter in response to the council's notice of rule change, which the General Services Administration, Defense Department and NASA published on Nov. 19, 2008, in the Federal Register. The notice sought comments from government and industry on the proposed rule, which also would require contractors to demonstrate to agencies that they are authorized by the original equipment manufacturers to the sell the IT products they use in government systems.

The rule was developed in reaction to reports of counterfeit IT products that have shown up in government networks, creating the possibility that the networks could fail or that compromise security. In 2004, American Data and Computer Products Inc. unknowingly sold counterfeit Cisco network switches to the Navy. Gulfcoast Workstation, a computer equipment supplier in Largo, Fla., a division of Relational Technology Solutions, sold the switches to American Data, which purchased the goods outside Cisco's authorized distribution channel. But the company had documents showing that Gulfcoast claimed the switches came directly from Cisco.

A company's supply chain typically only tests for abnormalities in products, not to determine the authenticity of the product, which has no impact on performance, Hodgkins said. He noted that only the original equipment manufacturer is in a position to state with certainty that a product originated from its production lines.

"To ask a reseller to bear the full burden is quite ridiculous in my view. Short of me witnessing the equipment rolling off the manufacturer's assembly line and watching the chain of custody all the way to final destination, there literally is no way to detect if equipment has been tampered with or replaced with something other than what was ordered," said Robert Castro, president of American Data. "Whenever possible, the manufacturers themselves need to implement robust anti-counterfeiting measures to minimize such hazards ... and be much more proactive in protecting their trademark."

ITAA also argued the notice should specify whether the intent of the proposed rule is to mitigate security risks, such as computer viruses, or avoid performance issues that can be the result of a counterfeit product.

"Flowing 'unlimited liability' to [contractors] for faulty products will cause many parties to back away from federal business," said Bob Laclede, vice president and general manager of federal business at IT distributor Ingram Micro Inc.

He said faulty laptop batteries that appeared on the market years ago spurred a number of recalls from major manufacturers. The flawed designs were nearly impossible to identify.

"That responsibility must clearly reside with the original manufacturer and their warranty provisions," Laclede said. "The solution provider can only be responsible for the design of solutions that meet the government's specifications -- items like speed, bandwidth, capacity and so on.

"However, solution providers must be responsible for providing only true OEM certified products to the government to lessen counterfeit products or security attacks, such as Trojan horses, from reaching the end users," he added. "This means that they must ascertain that their sources of supply from the original manufacturer are valid."

ITAA also said the government should follow responsible procurement practices by purchasing only through authorized channels and relying less on a "lowest cost" purchasing model.

"If you're buying online anonymously, you don't know what you're getting, but if agencies are incentivized to buy lowest cost, they'll end up on eBay," Hodgkins said. "Government needs to ask whether that acquisition premise -- lowest cost for the sake of the taxpayer -- is actually beneficial and conducive to getting assurance of authenticity."