Senators debate how to minimize the security risks of federal contractors working with China

Amid the ongoing global competition between U.S. and China, a Senate panel debated placing new restrictions and safeguards on companies that perform work for both governments in a hearing on Tuesday, while also criticizing agencies that have not yet implemented policies that Congress has already passed to address the issue. 

“It goes without saying that major U.S.-based technology service providers working for foreign adversaries while performing multibillion-dollar contracts for the U.S. government risks exposing vulnerabilities that can be exploited by our adversaries,” said Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich. “We can and must stop this.”

Peters pointed to 2023 cyber espionage campaigns by China that breached several government email accounts partly through a flaw in Microsoft’s cloud-computing environment. 

“This attack has raised serious concerns that China-backed hackers were able to steal this information because of [Microsoft’s] partnership with a Chinese entity, while they were providing services to the U.S. government at exactly the same time,” Peters said. 

He also brought up reports that consulting firm McKinsey & Co. advised Chinese state-run enterprises while also contracting with the Defense Department. 

That incident is one reason why Sen. Josh Hawley, R-Mo., introduced legislation to prohibit federal consulting contracts from going to an organization that provides consulting services to the governments of China, Russia or any country that the Secretary of State determines has repeatedly provided support for acts of international terrorism. 

The Senate Homeland Security and Governmental Affairs panel advanced Hawley’s measure back in May in a 10-1 vote. The lone “no” vote came from ranking member Rand Paul, R-Ky., who criticized the purpose of Tuesday’s hearing. 

“People worry that contractors who work for the Chinese government will be influenced by Chinese communism. It's also that the reverse may be true — that American contractors contracting for the Chinese government may be bringing in influence from America and from American capitalism, as well,” he said. 

Bryan Riley of the National Taxpayers Union testified that Hawley’s bill represents a “slippery slope.” 

“This legislation, in particular, does not appear to require a demonstration of a specific national security threat resulting from covered transactions,” he said. “It is simply — you provide a service to the Chinese government, you get banned here.” 

Unimplemented laws 

The Government Accountability Office last week reported that the federal government has missed deadlines to put into effect three out of five laws or provisions regarding conflicts of interest in contracting: 

• The Defense Department has not followed a provision in the fiscal 2020 National Defense Authorization Act directing it to improve its procedures for assessing the risk of foreign ownership, control or influence for defense contracts and subcontracts that are more than $5 million. DOD officials told GAO that they are still in the earliest stages of the rulemaking. 
• DOD has not revised the Defense Federal Acquisition Regulation Supplement, in accordance with the fiscal 2024 NDAA, to prohibit the department from entering consulting contracts with vendors that provide such services to China and other certain foreign entities, unless the company maintains a conflict of interest mitigation plan that can be audited or a waiver is issued. The Defense Acquisition Regulations Council is currently working on an interim rule to promulgate the requirement. 
• The Federal Acquisition Regulatory Council has not implemented requirements in a 2022 law to update the Federal Acquisition Regulation with definitions, guidance and examples for contractor relationships with foreign entities that could cause conflicts of interest involving undue influence. Officials from the Office of Federal Procurement Policy, the administrator of which chairs FARC, said to investigators that the update is “complex and has required more time than normal to address.” 

Regarding the 2022 law, Peters, who sponsored the legislation, during Tuesday’s hearing criticized FARC for delaying implementation of the measure’s requirements. Jessica Tillipman, the associate dean for Government Procurement Law Studies at George Washington University, testified that, until the law is implemented, agencies will continue to use “uneven” practices for gauging contractor conflicts of interest. 

“[E]ach agency is basically left on their own to come up with their own approach to organizational conflicts of interest, which has led to severe inconsistencies among agency approaches,” she said. “Moreover, given the failure of [FARC] to update the FAR in several decades, we have outdated definitions and guidance that have not appropriately captured the many risks that continue to grow and create more conflicts of interest ranging from the security concerns we're talking about here to commercial conflicts of interest to even the risks associated with emerging technology.”

DOD and OMB agreed with GAO recommendations to set milestones in order to carry out the unimplemented laws in as timely a manner as possible, with the watchdog stressing the need for expediency in their action. 

“Without DOD and the Office of Management and Budget’s [OFPP] establishing milestones for completing the necessary and legally required steps to ensure these laws are implemented as expeditiously as possible, acquisition officials will continue to lack the knowledge that could help protect U.S. national security when awarding contracts to consultants,” the authors of the GAO report wrote. 

With respect to the two contracting conflict of interest laws that have been implemented, government officials told GAO that they are not aware of any foreign influence risks that have been identified as a result of their applications.  

DOD enacted a provision in the fiscal 2022 NDAA requiring contractors to disclose whether they have employees who will work in China on contracts worth more than $5 million, and agencies like DOD and the Homeland Security Department have implemented a 2022 law mandating a risk-based approach when assessing small businesses seeking certain research and technology awards. 

Federal agencies between fiscal years 2019 and 2023 spent more than $500 billion on contracts for consulting services. DOD and the Homeland Security Department accounted for more than half of that amount.