About 4,000 devices are operating on federal, state and local public sector networks, according to security firm Forescout.
Thousands of devices from Huawei, ZTE and other foreign makers that were explicitly banned in the National Defense Authorization Act for fiscal 2019 are still operating in government networks, according to new data from the security firm Forescout.
The company recently counted 2,712 Huawei and 1,374 ZTE devices currently deployed in the public sector from local, state and federal government clients who opted to share their data.
But the NDAA’s Aug. 13 deadline to have those devices removed from federal networks is approaching.
“The bottom line is that they are not allowed to have these manufacturers on their networks so they’ll have to get on track to do that by the deadline,” Katherine Gronberg, Forescout’s vice president of government affairs, told Nextgov.
She said Forescout manages millions of federal devices and the number of those prohibited but still being used by the government are only in the thousands.
“In the grand scheme of things, if you are thinking about how large the agency environments are, this is probably progress,” she said. “But I am not going to say it’s not that much, because any potentially vulnerable piece of equipment is concerning.”
Security experts warn the banned companies’ devices could have pre-existing vulnerabilities that would allow the Chinese government to access their data or use them as doors to the networks they touch.
While the NDAA does not prohibit devices being used by state and local governments, Gronberg said security and telecommunications insiders are eager to see how expansive President Trump’s new executive order will reach in further banning the risky equipment. This will be determined in the coming months by the Commerce Department and other agency leaders.
Gronberg said she knows of some agencies that are working to enforce new controlling actions and processes like segmentation to mitigate the issues, but it is no easy feat. Agencies have to detect the equipment, determine the functionality and mitigate the risks efficiently until they can actually replace the devices, which they are now required to do by the law.
“It’s not something that happens overnight that an agency can just go in and rip everything out,” she said.
NEXT STORY: Why attribution is a means to an end