Security vendor Fortinet has agreed to pay the equivalent of $545,000 to settle allegations it illegally sold the U.S. military Chinese technology disguised as American-made equipment, the U.S. Department of Justice announced.
The Sunnyvale, California-based cybersecurity company agreed to pay the government $400,000and provide the U.S. Marine Corps with equipment valued at $145,000Ā to resolve charges it violated the False Claims Act from January 2009 until the fall of 2016,Ā according to a statement.
Fortinet acknowledged that an employee responsible for supply chain management altered labels on products to make them appear compliant with the Trade Agreements Act, a law prohibiting federal agencies from acquiring products in specific countries. The unnamed employee directed others at Fortinet to include the phrases āDesigned in the United States and Canadaā or āAssembled in the United Statesā before those products were sold to distributors and resellers who resold the technology to the government.
āContractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,ā Bryan D. Denny, the defense criminal investigative service special agent in charge, said in a statement.
Fortinet, in aĀ statement to CRN, said the settlement was the result of an isolated incident involving a rogue employee who had been terminated.
Officials from the Air Force Office of Special Investigations, the Department of the Navy, Coast Guard Investigative Service, the Department of Homeland Security, the General Services Administration, and other agencies were involved in the investigation.
The settlement resolves allegations in aĀ 2016 lawsuitfiled by Yuxin āJayā Fang, who said he formerly worked as a logistics specialist in Fortinetās Vancouver office. Fang alleged that Fortinet manufactured its products in Taiwan and China, while certifying that those products were built in TAA-designated countries. In one case, the security vendor sold its products to Arrow Enterprise Computing Solutions, which re-sold them to the U.S. Air Force, according to Fangās complaint.
The lawsuit also cites the sale of 32 units of Fortinet products to Fintec Computer at a price of $390,302.40. The bottom of the sales invoice listed those products as āTAA Compliant Inventory,ā when in fact the Fortinet product, a network security device, was āexclusively produced in China,ā according to the suit.
Fang alleged in the suit he was told by superiors to āreworkā shipments of products, instructions he understood to mean relabeling products containing āMade in Chinaā logos.
āThis was done on both individual products and on the packages they arrived in,ā the suit states. āThe products would then be designated as TAA compliant and shipped to vendors for sale to the U.S. Government. [Fang] complained to his supervisors about the practice but was told to do it anyways.ā
The settlement coincides with ongoing U.S. government scrutiny of technology supply chains. U.S. intelligence officials have consistently warned against the use of products built by theĀ Chinese telecommunication vendor HuaweiĀ andĀ Russian antivirus-maker Kaspersky, arguing such procurement would make Americans vulnerable to foreign espionage or disruption.
According to the settlement agreement , Fortinet acknowledged that during the more than seven years between January of 2009 and the fall of 2016, a Fortinet employee responsible for supply chain management (the āResponsible Employeeā) arranged to have labels on certain products altered to make the products appear to be compliant with the TAA. Ā A portion of the products were resold through distributors and subsequent resellers to U.S. government end users.
āTodayās announcement illustrates the continuing commitment of the U.S. Attorneyās Office and our law enforcement partners to identify and prosecute fraudulent schemes relating to the sale of goods to the United States,ā said U.S. Attorney Anderson.
āContractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,ā said DCIS Special Agent in Charge Denny. Ā āThe DCIS and its law enforcement partners are committed to combatting procurement fraud and cyber risk within U.S. Department of Defense programs.ā
āThis settlement displays the steadfast commitment of our agents and our federal law enforcement partners,ā said USACIDC Director Robey. āThis settlement is a clear signal to the supply community doing business with the Department of the Armyāfraud will not be tolerated in any way, shape or form.ā
āContractors who undermine American trade interest and pose a security risk by selling unauthorized foreign-made devices to the United States will be held accountable,ā said DHS-OIG Special Agent in Charge Thandi. Ā āContracting companies that conduct business with the federal government must uphold our trade laws; any misrepresentation during this process undercuts its integrity.ā
āThis settlement reflects the GSA OIGās commitment to work with our law enforcement partners to aggressively investigate and prosecute those who seek to fraudulently sell products to the federal government that do not meet the standards set by law,ā said GSA OIG Special Agent in Charge Theresa Quellhorst.
The TAA generally prohibits certain government contractors from purchasing products that are not entirely from, or āsubstantially transformedā in, the United States or certain designated countries. Ā Fortinet sells network security devices, some of which may be sold through distributors and subsequent resellers to U.S. government end users. Ā In this case, Fortinet acknowledged the Responsible Employee directed certain employees and contractors to change product labels so that no country of origin was listed, or to include the phrases āDesigned in the United States and Canada,ā or āAssembled in the United States.ā Ā Fortinet acknowledged that the Responsible Employeeās actions involved products sold to certain distributors that subsequently sold them to resellers, which in turn sold a portion of them to U.S. government end users. Ā The Responsible Employee has since been terminated from employment with Fortinet.
To settle the allegations, Fortinet has agreed to pay $400,000 and to provide the United States Marine Corps with additional equipment valued at $145,000.
The lawsuit was filed by Yuxin āJayā Fang under theĀ qui tamĀ provisions of the False Claims Act. Ā Under the act, private citizens can bring suit on or behalf of the government for false claims and share in any recovery. Ā The act also permits the United States to intervene in and take over a whistleblower suit, as was done here.
This matter was investigated by the U.S. Attorneyās Office of the Northern District of California, along with the DCIS, GSA-OIG, Air Force Office of Special Investigations, USACIDC, DHS-OIG, the Department of the Navy, and the Coast Guard Investigative Service. Ā Fortinet cooperated in the governmentās investigation, including by sharing the results of its internal investigation in this matter. Ā The settlement reflects Fortinetās cooperation with the government in this and other matters.
Assistant U.S. Attorney Ellen London is handling the case with the assistance of Garland He, Jacqui Hollar, and Tina Louie.
