
I made it into a list. You’re welcome.
1. Huawei Technologies Company
2. ZTE Corporation
3. Hytera Communications Corporation
4. Hangzhou Technology Company
5. Dahua Technology Company
The US Department of Defense's "do not buy" list of foreign software and equipment turns out to be about as long as the list of bug-free Windows releases or privacy-focused Facebook apps. In other words, it doesn't exist. According to news reports in July, there is such a list, and the Pentagon has been adding to it in an …
The Register asked the Department of Defense if anyone cared to elaborate on the criteria for being added to the non-existent list. We've not heard back.
It's super simple:
1. You must be a non-US competitor to one or more US companies.
2. Said US companies need to have bought appealed to a sufficient number and combination of US lobbyists, politicians, and civil servants.
Could the list be expressed as "not made in Murica"? EC procurements have a similar constraint that requires components related to security to be manufactured in the EU, which can create a few compliance problems. [Exactly how many firewalls, IPS/IDS, etc. are manufactured in EU27? Not many, that meet the other requirements]
You asked the wrong people.
Send a bunch of FOIAs to NSA/CSS, DIA, 902d MI Brigade (especially 902d, they're the Army's counterintelligence folks), ARCYBER, and the G-2s of the service branches and ask for restricted product and party lists. You probably won't get anywhere because it's undoubtedly TS//SCI and operational, but there are lists which exist. And there are plenty of companies from the US and other NATO countries as well as the Major Non-NATO allies that are on it for a variety of reasons. It's not just because the Chinese are backdooring everything they possibly can, because everyone else does the same damned thing.
However, acquisitions won't know a damn thing about it because they're not read in to the Special Access Programs which control them. They'll put in a request for funding for the purchase via DFAS and it'll get denied for security reasons and no other explanation. DFAS might also have a list that they reference but getting anything out of them is a fool's errand.
Acquisitions at the DoD level won't have anything because that part of DoD doesn't control it, it's not an acquisitions concern at the department level, it's a security concern at the Agency, Service branch and functional command (SOCOM, STRATCOM, TRANSCOM, etc) level and a financial concern for DFAS.
Ask the actual security people and not the buyers. The beancounters may also have something but good luck knowing what they call it (not my monkey, not my circus, maybe ask someone late of Finance or Supply, they might know).
They'll all turn you down for operational reasons, but you'll at least be asking the right people.
The Register asked the Department of Defense if anyone cared to elaborate on the criteria for being added to the non-existent list. We've not heard back. ®
Why would The Register expect the criteria for updating a nonexistent list to be anything other than nonexistent?
Seriously, since World War II the US government has had more procurement regulations than anyone can possibly keep track of, much less comply with. As a result, the rules are ignored or are applied more or less randomly. It seems plausible to me that there is, somewhere in the federal bureaucracy, at least one do not buy list. Could be several. All will be assiduously maintained. But since no one knows where to find them, the content will not be consistent and compliance will be spotty.
Like with other countries the government is something that we have to put up with rather than something that's useful or helpful. It's been clear for many years -- decades, even -- that they're pretty clueless about what constitutes threats but then with populist politicians driving the agenda, lots of money at stake and not very competitive local companies wanting a piece of the action you'd not expect anything other than confusion.
You can see how this goes down with the recent story about Chinese military hackers stealing billions of dollars worth of secrets from Micron Technology. Sounds real scary but you find that what happened is that the Chinese wanted to build a DRAM fab, the company running it didn't have the knowhow so it partnered with a Taiwanese company that does. There's a need to staff up with skilled staff so out come the headhunters who go recruiting in all the obvious places like existing DRAM companies like Micron. This is all normal commercial give and take, it's how business is done (and it wasn't too long ago that nobody took any notice of trade secrets and the like). However, once word gets to the Cold Warriors in DC the story starts to sound like a Le Carre novel. It's embarrassing because you know that the real reason why a company like Micron is a bit worried is the same reason we all get a bit worried when we discover that the Chinese are about to enter our line of business --- things are about to get a whole lot harder for us.
This doesn't mean that trade secrets aren't stolen and so on, but then it's a naive company that doesn't have people looking at competitors' products, analyzing them, reverse engineering them even (because sure as hell, if your stuff is any good, someone will be picking it apart....)
There is or was a federal law on the books that goes something like this: "Products purchased for government use must be bought from US companies." or something to that effect. So a list like this is probably classified, which means el Reg can FOIA it till they are blue in the face and the response will always be "We can neither confirm nor deny that any such list exists."
Frankly, I'm quite surprised they didn't outright ignore your request.
I once opened a huge box from Cisco that came with a packing note that ran to 5-6 pages with lots of legalese about WMDs and a ban on exporting to THE AXIS OF EVIL (but you could export to THE AXIS OF NOT VERY NICE just as long as it's not going to a government entity)... for a single ethernet cable! Of course I did make sure the end user was aware of all this and the potential ramifications of a failure to comply, namely the free holiday in Cuba.