There’s an elephant in the room – and it’s in an authentic-looking box. We need to talk about the rise of the re-boxer – unscrupulous counterfeiters who are taking used products, re-packaging them in counterfeited boxes, with counterfeited labels, and passing them off as new.
The US government, state governments and local governments have a “buy only new” policy for most of their network equipment, on the premise that a new boxed item will have a lower probability of being counterfeit.
But here’s the rub – most government systems are old – indeed, positively Jurassic in computing terms.
When you discover that the US Strategic Automated Command and Control System, or SACCS, only dumped eight-inch floppy disks, moving to a “highly secure solid state digital storage solution”, in mid-2019, you begin to realize the problems of sourcing “new” parts for these creaking systems.
Given the ancient nature of many government enterprise information systems, and their reliance on old or near-obsolete parts and products, the market response is perhaps unsurprising: repackaging old parts as new.
A tsunami on the horizon
Finding ‘new’ parts for systems half a century old is difficult, driving prices for this elusive equipment up. There’s an ever-expanding chasm between used, tested, grade A products and “New in Box” product. This obvious opportunity for counterfeiters to take the “used, grade A, product”, switch over the labels and packaging materials and place it into a new, counterfeited box is gaining traction with every passing week, a tsunami on the horizon.
And catching counterfeited goods shipped from China, for example, is tough.
The hardware, software, manuals and labels can all be shipped separately, allowing for a seemingly more legitimate ‘Assembled in the US’ label. On top of this, law enforcement agencies suspect that e-waste shipped globally to China is disassembled, picked apart for useful components, then resold as ‘new’.
Cisco, which holds 80% of the US government router market, has been battling Chinese manufacturers over counterfeit versions of its products for the last two decades.
While it advises the government’s main acquisition arm, the General Services Administration (GSA), and other government departments to deal only with its highly trained and trusted Gold and Silver partner network, even these partners are (perhaps unwittingly) buying counterfeit goods from unscrupulous suppliers.
In too many recorded cases, contractors have even installed counterfeit goods in networks operated by the likes of the US military and the FBI.
The only workaround? Sellers must open the box and check the packaging, armed with detailed knowledge regarding exactly what a genuine new part should look like.
An unstoppable force?
Cisco won a court battle late last year ordering four major Chinese manufacturers to stop selling counterfeit networking equipment.
The injunction awarded in a New York court also requires online sellers – including Amazon, Alibaba, and eBay – to remove listings of the counterfeit Cisco-branded products.
But given the billion-dollar size of the counterfeit market, Cisco’s injunction seems like something of a Pyrrhic victory; shutting down one lucrative counterfeiter will only leave room for another to start up.
The rise of the re-boxer seems almost unstoppable. Part of the problem lies in the fact that nascent government regulations require ‘new’ purchases only. If a supplier provides a seemingly new item in an authentic-looking box, and everyone is happy, what’s the problem? It seems like a victimless crime.
The US government has announced it will no longer purchase used electronic equipment via its main acquisition arm, the General Services Administration (GSA), which currently holds a 60-strong approved supplier list.
Citing a number of reasons for ending the legitimate purchase of so-called ‘grayware’ products, Lawrence Hale, director of the IT security subcategory in GSA’s Federal Acquisition Service, told FCW: “We want to be as proactive as possible about the provenance of the equipment” sold through GSA’s contracts to federal agencies “…because you can’t guarantee the provenance of refurbished products.”
While a licensed reseller may make purchases in good faith, where the market demands extremely old or near-obsolete equipment, it’s highly unlikely a brand new product could be found. And remember, chances are that the repackaged item is real. It will have been meticulously cleaned up, dusted off, possibly even painted, and will look pristine.
Onus on contractors
Certain government agencies (that have adopted the AS5553 standard and/or are subject to the Defense Federal Acquisition Regulations (DFARS)) are required to only buy new equipment through authorized channels – trusted suppliers – unless the item has been discontinued by the manufacturer and is no longer available as new.
But the onus is on contractors, when they obtain electronic parts from sources other than a trusted supplier, to inspect, test, and authenticate the product provenance in accordance with existing applicable industry standards.
While governments search for the lowest price, the reseller chain is complex, with contractors working on government contracts legally allowed to utilise two or three levels of subcontractors. Throw in the murky world of ‘blind drop’ and ‘drop shipped’ purchases, and it becomes increasingly difficult for a primary contractor to ascertain the true provenance of every item in an often vast purchase order.
A 2016 Government Accountability Office (GAO) Report, “Federal Agencies Need to Address Aging Legacy Systems”, revealed that back in 2015, more than 75% of the federal government’s budget allocated to IT was spent on operations and maintenance investments, a spending trend which was also identified as increasing year-on-year, while spending on development, modernisation and enhancement decreased by some $7.3 billion between 2010 and 2017.
US government agencies are running on equipment that is 50 or 60 years old, and while there are upgrade plans afoot in some areas, this is an environment ripe with assembly language, COBOL, IBM mainframes and soldering irons. Ergo, a clear need for a regular, reliable supply of parts, many of which no longer exist.
We are all victims
Updating these often outdated systems – many of which even seem to have outlived their effectiveness – is an obvious answer to solving the re-boxing issue.
But it’s more complicated than that. Cost looms large, with 2017’s federal government IT budget standing at more than $80 billion – just to prop up the network status quo.
It’s not that new equipment isn’t being purchased.
GSA figures reveal that purchases of new electronics amount to between $1-$2 billion a year, while refurbished items purchased through approved GSA contracts amount to around $10-$20 million a year.
Halting the GSA deal on purchasing refurbished goods – set to come fully into force by 2024 – will see the government, in effect, forcing itself to replace legacy systems more frequently, meaning higher spend on new equipment.
These big, unwieldy systems and networks will take many years and billions of dollars to replace – so it seems we are stuck with the inconvenient truth that while struggling with legacy systems, government remains reliant on refurbished products. Refurbished products that are cleaned, polished, painted and passed off as new, that is.
The legitimate market for honestly-traded refurbished products is suffering at the hands of unscrupulous re-boxers, who are charging highly inflated prices to meet demand for seemingly new products which are difficult to source.
And while counterfeiters get better and better, they will catch up with legitimate new product providers, causing a price war which will leave everyone feeling the damage.
On top of being duped, there are questions of data protection, integrity, trust and international espionage. The US government lives in fear that counterfeit products might not only be motivated by profit – but could be driven by state-sanctioned espionage.
Should Cisco and other OEMs invest even more in anti-counterfeit measures? Should the reseller network do more? An obvious way to reduce counterfeit re-boxing is to understand the nature of the OEM’s packaging. Most used product resellers do carefully study the box, looking for clues and oddities in the packaging.
It’s in everyone’s interests to do so, of course, but we perhaps don’t fully comprehend the many motivations of OEM partners for sourcing their equipment not from the OEM, but from other sources.
A really well-reboxed used item could be heavily in demand by an OEM partner, with highly competitive pricing.
Whither the Cloud?
Old legacy systems could be replaced by a move to cloud-based services, right? Again, it’s not that simple. The cloud is expensive, and throws up a whole host of new security issues.
There are many local sites in the US and UK that can offer very good reasons not to use the cloud, not least of which is the understandable risk-averse nature of government.
And as Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron, discussing the IBM mainframe-based SACCS in an interview, puts it: “I joke with people and say it’s the Air Force’s oldest IT system. But it’s the age that provides that security. You can’t hack something that doesn’t have an IP address. It’s a very unique system — it is old and it is very good.”
While there remains a very real need for refurbished parts, what we cannot allow to happen is the continuing, unchecked rise of counterfeit reboxers, which will leave the market for legitimate used products forever damaged, and cause artificial price wars to the detriment of all.