Record ZTE fine spotlights weak links in supply chain

A case that saw a Chinese telecommunications firm plead guilty and agree to pay a record billion-dollar fine for violating U.S. sanctions on selling network gear to Iran is a landmark for supply chain security, said William Evanina, national counterintelligence executive in the Office of the Director of National Intelligence.

In March ZTE (the combined name for two large Chinese state-owned enterprises), agreed to a record-high combined civil and criminal penalty of $1.19 billion for shipping telecommunications equipment to Iran and North Korea.

Between 2010 and 2016, ZTE sold U.S.-made equipment and software to Iran for telecommunications infrastructure, according to the Commerce Department, which set the record settlement along with the Justice and Treasury Departments.

In addition, according to the Commerce Department statement, the company logged 283 shipments of controlled routers, microprocessors, and servers to North Korea despite knowing the sales and shipments violated U.S. sanctions.

In remarks at the April 10 Intelligence and National Security Alliance conference, Evanina said the case hasn't received the attention it deserves as a cautionary tale for supply chain vulnerability and economic espionage.

"Adversaries are more brazen than ever and less afraid" to probe the United States' critical infrastructure and the technology supply chain, he said.

More high-profile headlines on leaks of intelligence data or insider threat stories tends to cloud some of the more significant news, according to Evanina.

Secretary of Commerce Wilbur L. Ross Jr. said in a statement at the time of the settlement that the new administration "will be aggressively enforcing strong trade policies with the dual purpose of protecting American national security and protecting American workers. "

The technology involved in the case, particularly the equipment sold to North Korea, is "bound to be used against us," Evanina said in his remarks. The case points to the increasing importance of the acquisition community's awareness of cybersecurity.

The Commerce Department said that investigations showed ZTE planned to export controlled items to Iran through a series of shell companies to get around U.S. sanctions. The agency also said the company formed a 13-member team in early 2016 to wipe its records clean of the transactions' traces.

The case, said Evanina, shows how insidious economic espionage and insider threats can work their way into acquisition, leveraging contractors and subcontractors.

The solution to countering the threat, he said, is a "true public/private partnership" between the federal government and companies developing and selling advanced technology.