Final public meeting on combating counterfeit technology this week

Civilian and defense acquisition councils will host a sixth and final meeting between industry and government on Thursday to discuss ways to prevent the sale of counterfeit technology to federal agencies without overburdening industry with sole responsibility for securing the supply chain.

The public-private discussions were scheduled after criticism that a rule proposed in January placed undue liability on federal contractors. The collaboration is a good example of how agencies and contractors can work together to strengthen information security, according to leading technology lobby group TechAmerica.

"Concerns about liability only reinforce the argument for more engagement in the partnership" between government and industry, said Phil Bond, president of TechAmerica during a news briefing on Tuesday. "You need to engage not only companies' products and services, but also their perspective, to understand where the hurdles may be to getting them into public service."

The General Services Administration, Defense Department and NASA published a notice in the Aug. 11 Federal Register, saying the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council would host a final public meeting "to continue a dialogue with industry and government agencies about ways to develop greater assurances regarding the authenticity of IT products acquired by the government."

Reports have surfaced in recent years of counterfeit IT products that have shown up in government networks, creating the possibility that the networks could fail or compromise security. In a 2004 incident reported by Government Executive in September 2008, for example, American Data and Computer Products Inc. unknowingly sold counterfeit Cisco network switches to the Navy that were traced back to China.

In a March 2008 internal FBI briefing, the bureau placed much of the blame for fake equipment finding its way onto government computer systems on federal acquisition policies that encourage agencies to award IT contracts to companies offering the lowest possible price. Contractors seek out low-cost equipment, which can often be counterfeit.

Participants discussed the impact of counterfeit products on the performance and security of IT systems, as well as contractor liability and consequential damages. They also addressed whether agencies should buy equipment from manufacturers or authorized distributors, and how that would effect competition among companies. In addition, officials worked to find feasible ways to authenticate IT products and ensure that contractors comply with procurement requirements. Details of the meetings have not yet been released.

The meetings, which began on June 23, came seven months after the Federal Acquisition Regulatory Council sought comments from government and industry on a proposed rule requiring contractors to certify that their IT products are authentic, and be held liable if they are not. In a letter submitted to the council, TechAmerica and other industry groups argued that the requirement was "practically impossible to meet."

Trey Hodgkins, vice president of federal government programs at TechAmerica said participants are working to develop consensus among government and industry on how to reduce the risk of counterfeit IT goods infiltrating federal computer networks, without stifling contractors' ability to do business. While final rules have yet to be issued, Hodgkins expects a clause will be incorporated into federal contracts to confirm that contractors fulfilled reasonable risk assessments of their supply chain.

"It's not an easy task," Hodgkins said. "It won't happen overnight, and might not be something we will resolve at the public hearing on Thursday."

Still, such open public-private dialogue is exactly what's needed to enable necessary cooperation in all areas of information security, said Liesyl Franz, vice president for information security and global public policy at TechAmerica.

"No one element can do it all on its own," she said. "We need to look at the current environment and to make changes that can engage partnership in a way that removes obstacles. In the end, we might need to restructure or reconstitute what that partnership looks like to enable that interaction and remove the threat of liability that could have unintended consequences."