Federal officials are putting sensitive materials in foreign-owned buildings, making them vulnerable to cyberattack and espionage, senators warned Friday.
Their alarm bells were set off by a report that said the General Services Administration has been placing FBI agents and other “high-security” government officials in buildings owned by foreign entities in China and other countries. The GSA didn’t tell the tenants, according to the government report, so the officials aren’t taking addition security precautions.
“Yet, in some cases the space is used for classified operations and to store sensitive data,” Sen. Steve Daines, R-Mont., and Sen. Tammy Duckworth, D-Ill., wrote in a Thursday letter to acting GSA Administrator Timothy Horne. “Given the highly sensitive information that is often stored at high-security leased sites, we are concerned with the lack of policies and procedures concerning the ownership of these sites.”
The foreign-owned buildings have national security and privacy implications, as they house agencies ranging from FBI and Drug Enforcement Agency field offices to a Social Security Administration office in Seattle, Wash. Even the U.S. Secret Service rents space from companies based in Germany and China, according to the Government Accountability Office, which is the research arm of Congress.
The GAO warned that “foreign ownership of government-leased space can pose security risks particularly regarding cybersecurity,” with particular reference to China. The report noted that “companies in China are likely to have ties to the Chinese government,” as well as federal government warnings about Chinese government hackers targeting private and federal U.S. entities. “China is the leading suspect in the cyber intrusion into the Office of Personnel Management’s (OPM) systems affecting background investigation files for 21.5 million individuals which OPM reported in July 2015,” the GAO added.
Although the buildings are leased formally from companies based in foreign countries, GSA can’t be sure that those private companies are the true owners of the buildings. “GSA lacks complete information regarding foreign-owned leased space including beneficial owner information (which GAO defined as the person who ultimately owns and controls a company),” the senators noted.
Federal agencies took extra precautions after realizing they were in a foreign-owned building, but nine of the 14 agencies contacted by the GAO didn’t have any of that information. “Federal agencies are among the top targets for cyber criminals, with many agencies experiencing thousands of attempted attacks daily,” Duckworth and Daines wrote. “Agencies must have the information necessary to assess and address the risks to their high-security facilities, including cybersecurity vulnerabilities that exist in foreign-owned buildings.”
The lawmakers want an update on how GSA will change its leasing procedures and “notify tenants that their leased space is foreign owned.” But they also need to learn more about which buildings are foreign-owned, according to the GAO. “The real property database did not include information on all of the buildings in which GSA leases high-security space,” the GAO report says. “Therefore, the results of our analysis are likely understated and GSA may be leasing more high-security space than what we identified in the 25 leases.”