State Department Telecommunications:
Information on Vendors and Cyber-Threat Nations
GAO-17-688R: Published: Jul 27, 2017. Publicly Released: Jul 27, 2017.
Federal telecommunications systems can include a variety of equipment, products, and services which may be produced by foreign manufacturers—and may potentially be vulnerable to manipulation by a cyber-threat nation like China, Iran, North Korea, or Russia.
We examined foreign manufacturers of the State Department’s critical telecommunications equipment and services to identify those that might be closely linked to these nations. We did not identify any reported close links. We did identify some manufacturers, software developers, and contractors that had suppliers that were based in one of these nations.
Some Manufacturing Locations of Common Telecommunications Equipment
World map identifying some locations where common telecommunications components are manufactured.
What GAO Found
Based on GAO's open source review of generalizable samples of (1) 52 telecommunications device manufacturers and software developers supporting the Department of State's (State) critical telecommunications capabilities and (2) 100 of State's telecommunications contractors, GAO did not identify companies in either sample reported to (a) be headquartered in, or (b) have any military ties, intelligence ties, or low-interest loans, with leading cyber-threat nations.
GAO was able to identify 16 companies--12 equipment manufacturers and software developers and 4 telecommunications contractors--with suppliers reported to be headquartered in cyber-threat nations. All of these suppliers were reported to be headquartered in China or, in one case, Russia. The data did not establish whether State's telecommunications capabilities were supported by equipment or software originating from suppliers linked to companies in GAO's samples. GAO did not identify any reported military ties, intelligence ties, or low-interest loans involving cyber-threat nations among any of the suppliers.
Why GAO Did This Study
Federal telecommunications systems can include a multitude of equipment, products, and services, each of which may rely on one or more global supply chains and may be vulnerable to manipulation or damage by foreign cyber-threat nations. Many of these products, or their subcomponents, originate in Asia, with China as the largest importer and exporter of information technology hardware globally.
The Department of State Authorities Act, Fiscal Year 2017 (State Authorities Act), includes a provision for GAO to review State's critical telecommunications equipment or services obtained from manufacturers or suppliers that are closely linked to the leading cyber-threat nations of China, Iran, North Korea, and Russia, as established by the Office of the Director of National Intelligence. The State Authorities Act defines "closely linked" as, with respect to a foreign supplier, contractor, or subcontractor and a cyber-threat nation,
- incorporated or headquartered in the territory;
- having ties to the military forces;
- having ties to the intelligence services; or
- the beneficiary of significant low-interest or no-interest loans, loan forgiveness, or other support of such nation.
To address the State Authorities Act provision, GAO examined generalizable samples of State's critical telecommunications device manufacturers and software developers, as well as State's telecommunications contractors, to identify potential links between these vendors and cyber-threat nations, as reported in open sources. To identify the manufacturers of critical telecommunications equipment acquired or used by State, GAO asked State to create a list of current device manufacturers and software developers that support the agency's telecommunications capabilities. To identify State's telecommunications contractors, GAO queried all State telecommunications-related contracts in the Federal Procurement Data System-Next Generation (FPDS-NG) awarded from January 2014 through March 2017. To determine whether the State-identified device manufacturers and software developers and State telecommunications contractors had potential close links, as defined by the State Authorities Act, to cyber-threat nations, GAO conducted an open source review of publicly available information for each of the sampled vendors.
For more information, contact Michael J. Courts at 202-512-8980 or CourtsM@gao.gov.