What GAO Recommends
GAO recommends that CBP take steps to develop a streamlined enforcement approach against counterfeit goods in small packages. CBP concurred with the recommendation.

This report to President Donald J. Trump has identified a set of strong government actions that DHS and other federal agencies can begin executing immediately to address a crisis that is undermining America’s trust in e-commerce even as it is exposing the American public to undue and unacceptable risks.

Additionally, this report has proposed a set of best practices for private sector stakeholders that DHS believes should be adopted swiftly. As the longstanding experiences of brick-and-mortar stores demonstrate, the private sector is capable of operating businesses that sell legitimate, not illicit, goods to American consumers. We should expect the same level of care from online third-party marketplaces that we expect from the stores physically located in our communities.

The List includes several previously identified markets because owners, operators, and governments failed to address previously stated concerns. Other previously identified markets may not appear in the present List for a variety of reasons, including that: the market has closed or its popularity or significance has diminished; enforcement or voluntary action has reduced or eliminated the prevalence of IP-infringing goods or services; market owners or operators are cooperating with right holders or government authorities to address infringement; or the market is no longer a noteworthy example of its kind. In some cases, online markets in the 2017 List are not highlighted this year but improvements are still needed, and the United States may continue to raise concerns related to these markets on a bilateral basis with the countries concerned.

DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do. GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems’ cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems. To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a nongeneralizable sample of nine major defense acquisition program offices.

Infringement of IPR through the illegal importation and distribution of counterfeit goods harms the U.S. economy and can threaten the health and safety of U.S. consumers. CBP leads IPR enforcement at U.S. ports of entry by detecting and seizing counterfeit goods that enter the United States. CBP works with ICE, which investigates IPR violations and builds cases for prosecution. GAO was asked to review CBP’s and ICE’s IPR enforcement at U.S. borders. In this report, GAO examines (1) what is known about counterfeit goods entering the United States and the challenges they present, (2) efforts CBP and ICE have undertaken to enhance IPR enforcement and the extent to which they have assessed the results, and (3) the extent of CBP’s and ICE’s collaboration on IPR enforcement and ways they coordinate with the private sector. GAO reviewed agency data and documents, interviewed agency officials, and conducted field work at port locations selected on the basis of factors such as the volume of IPR seizures and variety of modes of transportation at each location. GAO also conducted undercover purchases of commonly counterfeited consumer goods on popular consumer websites, using investigative tools and techniques.

DOD has an extensive network of suppliers that provide millions of parts needed to sustain its weapon systems. Some parts are provided by a single source of supply (e.g., one manufacturing facility), and if that single source were no longer able to provide the part, DOD could face challenges in maintaining systems. Senate Report 114-49 directed DOD to report on risks associated with single sources of supply. DOD completed its report in October 2016. House Report 114-102, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2016, included a provision that GAO review single sources of supply for major defense acquisition programs. This report evaluates the extent to which (1) DOD's 2016 report addressed the direction in the Senate report and (2) DOD’s weapon systems program offices have information for identifying and managing single source of supply risks. GAO reviewed DOD policy and procedures, analyzed DOD’s report, and interviewed officials from a non-generalizable selection sample of nine program offices.

The "Counterfeit Materiel Process Guidebook" is a follow-on effort to underscore the critical importance of counterfeit materiel prevention. The purpose of the guidebook is to equip DON activities with a practical tool for implementing a risk-based counterfeit materiel prevention program and provide implementing guidance to address the requirements delineated in the DON policy. Through a risk-based approach, DON activities will be able to apply engineering and sustainment principles for selection, assessment, and procurement of materiel; and mitigate the risk of counterfeit materiel plaguing our supply chain. The continual practical application of these principles minimize risks while ensure that additional resources are not expended for items or applications that are of lower risk. The guidebook demonstrates our continuous focus on counterfeit materiel prevention and serves as a practical hands-on tool for all functional communities to combat the risks and impacts of counterfeit materiel on our weapon systems.

The DOD supply chain is vulnerable to the risk of counterfeit parts, which have the potential to delay missions and ultimately endanger service members. To effectively identify and mitigate this risk, DOD began requiring its agencies in 2013 and its contractors in 2014, to report data on suspect counterfeit parts. A Senate report included a provision for GAO to review DOD’s efforts to secure its supply chain from counterfeit parts. This report examines, among other things, (1) the use of GIDEP to report counterfeits, (2) GIDEP’s effectiveness as an early warning system, and (3)DOD’s assessment of defense contractors’ systems for detecting and avoiding counterfeits. GAO analyzed data from GIDEP for fiscal years 2011 through 2015; reviewed DOD policies, procedures, and documents; and met with agency officials and seven selected contractors based on dollar value from contracts that included a new counterfeit clause.

On September 18, 2015, US Customs and Border Protection published a final rule regarding the disclosure of information about goods suspected to bear counterfeit trademarks or trade names. This rule finalizes an interim rule issued April 24, 2012 and is an amendment to the Code of Federal Regulations(19 CFR parts 133 and 151). In order to provide businesses the opportunity to make adjustments to their practices, the CBP has set the effective date for the final rule at 30 days from the date of publication in the Federal Register.

In July 2011 the UK Ministry of Defence formed a Counterfeit Awareness Working Group (CAWG) to assess whether or not counterfeit components had been incorporated in aircraft or military equipment manufactured in the United Kingdom.

In July 2014 the UK MOD released Defence Standard 05-135 – Avoidance of Counterfeit Materiel Issue 1. This Defence Standard defines the arrangements that a supplier is required to establish to demonstrate that they are actively planning and managing the risk of counterfeit materiel in their supply chain to prevent delivery of such materiel to the MOD.

In July 2015 the Working Group produced the Counterfeit Avoidance Maturity Model. This support document is intended for auditors assessing compliance with the requirements of DEF-STAN-05-135.

On July 13, 2015 (80 FR 40087) the U.S. Nuclear Regulatory Commission (NRC) released Regulatory Issue Summary (RIS) 2015-08, “Oversight of Counterfeit, Fraudulent, and Suspect Items in the Nuclear Industry.” This RIS is intended to heighten awareness of existing NRC regulations and how they apply to the nuclear industry stakeholders’ oversight of counterfeit, fraudulent, and suspect items (CFSI). This RIS is addressed to all NRC’s licensees and certificate holders, Agreement State radiation control program directors, and state liaison officers, as well as addressees’ contractors and vendors.

On July 6, 2015, DCMA issued Instruction 1205 that provides the framework the government will use to assess compliance with DFARS 252.246-7007 (May 2014), which requires certain contractors to design and deploy systems to avoid and detect counterfeit electronic parts. The instruction assigns roles and responsibilities for DCMA functions, establishes a risk-based approach that will drive the types of oversight and surveillance contractors can generally expect, and details the reporting that may occur if counterfeit materials or suspected counterfeit materials are identified.

Continuity of operations at DOD installations is vital to supporting the department's missions, and the disruption of utility services—such as electricity and potable water, among others—can threaten this support. House Report 113-446 included a provision that GAO review DOD's and the military services' actions to ensure mission capability in the event of disruptions to utility services. This report addresses (1) whether threats and hazards have caused utility disruptions on DOD installations and, if so, what impacts they have had; (2) the extent to which DOD's collection and reporting on utility disruptions is comprehensive and accurate; and (3) the extent to which DOD has taken actions and developed and implemented guidance to mitigate risks to operations at its installations in the event of utility disruption. For this review, GAO evaluated DOD guidance and policies, interviewed appropriate officials, and visited or contacted 20 installations within and outside the continental United States, selected based on criteria to include those experiencing multiple disruptions, disruptions of more than one type of utility, and each military service.

The Secretary of the Navy issues SECNAV Instruction 4855.20 to establish Department of the Navy (DON) policy to prevent the introduction of counterfeit materiel into DON systems. It applies to all phases of life cycle management, from identifying an operational requirement, introducing an item into the supply chain, system operations and maintenance, through phase out and retirement. This instruction applies to all DON organizations. It applies to all phases of life cycle management, from identifying an operational requirement, introducing an item into the supply chain, system operations and maintenance, through phase out and retirement.

The 2015 Situation Report on Counterfeiting in the European Union is a joint project between Europol and the Office for Harmonization in the Internal Market.

The aim of this report is to inform the public, industry and other stakeholders, as well as policy makers and practitioners at EU and national level, about the current situation of criminal networks that are active in the production and distribution of counterfeited goods in the territory of the EU. This document will provide information on routes, entry points, criminal modus operandi and current activities of law enforcement and the private sector. The report will also show links between counterfeiting and other crime areas, using various case studies provided by EU Member States and private stakeholders.

Why GAO Did This Study

Federal facilities contain building and access control systems—computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning—that are increasingly being connected to other information systems and the Internet. The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants.

GAO’s objective was to examine the extent to which DHS and other stakeholders are prepared to address cyber risk to building and access control systems in federal facilities. GAO reviewed DHS’s and other stakeholders’ authorities to protect federal facilities from cyber attacks; visited selected FPS-protected facilities to determine what stakeholders were doing to address cyber risks to these systems; and interviewed experts about the cyber vulnerability of building and access control systems and related issues. GAO also reviewed GSA’s security assessment process and a sample of reports.

What GAO Found

The Department of Homeland Security (DHS) has taken preliminary steps to begin to understand the cyber risk to building and access controls systems in federal facilities. For example, in 2013, components of DHS’s National Protection and Programs Directorate (NPPD) conducted a joint assessment of the physical security and cybersecurity of a federal facility. However, significant work remains.

• Lack of a strategy: DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014. According to an NPPD official, DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue. By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, NPPD have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.
  
  
• Cyber threat not identified in report for federal agencies: The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events. An ISC official said that recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first. Incorporating the cyber threat to building and access control systems in the Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk. This action also could prevent federal agencies from expending limited resources on methodologies that may result in duplication.
  
  GSA has not fully assessed the risk of building control systems to a cyber attack in a manner that is consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. Although GSA has assessed the security controls of these systems, the assessments do not fully assess the elements of risk (e.g., threat, vulnerability, and consequence). GSA also has not yet conducted security control assessments for many of its building control systems. GSA information technology officials said that GSA has conducted security assessments of the building control systems that are in about 500 of its 1,500 FPS-protected facilities and plans to complete the remainder in fiscal year 2015 or when systems are connected to the network or the Internet. Further, our review of 20 of 110 of the security assessment reports that GSA prepared during 2010 to 2014 showed that they were not comprehensive or fully consistent with FISMA implementation guidelines. For example, 5 of the 20 reports we reviewed showed that GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the system to determine if password complexity rules were enforced. This could potentially
  
  What GAO Recommends
  
  GAO recommends that DHS (1) develop and implement a strategy to address cyber risk to building and access control systems and (2) direct ISC to revise its Design-Basis Threat report to include cyber threats to building and access control systems. GAO also recommends that GSA assess cyber risk of its building control systems fully reflecting FISMA and its guidelines. DHS and GSA agreed with the recommendations.

The Special 301 Report is the result of an annual review of the state of intellectual property rights (IPR) protection and enforcement in U.S. trading partners around world, which the Office of the United States Trade Representative (USTR) conducts pursuant to Section 182 of the Trade Act of 1974, as amended by the Omnibus Trade and Competitiveness Act of 1988 and the Uruguay Round Agreements Act (19 U.S.C. § 2242).

This Report reflects the Administration’s continued resolve to encourage and maintain adequate and effective IPR protection and enforcement worldwide. It identifies a wide range of concerns, including: (a) the deterioration in IPR protection, enforcement, and market access for persons relying on IPR in a number of trading partners; (b) reported inadequacies in trade secret protection in China, India, and elsewhere, as well as an increasing incidence of trade secret misappropriation; (c) troubling “indigenous innovation” policies that may unfairly disadvantage U.S. rights holders in China; (d) the continuing challenges of copyright piracy over the Internet in countries such as Brazil, China, India, and Russia; (e) market access barriers, including nontransparent, discriminatory or otherwise trade-restrictive measures, that appear to impede access to healthcare; and (f) other ongoing, systemic IPR enforcement issues in many trading partners around the world.

Trademark counterfeiting and copyright piracy on a commercial scale cause significant financial losses for rights holders and legitimate businesses, undermine critical U.S. comparative advantages in innovation and creativity to the detriment of American workers, and can pose significant risks to consumer health and safety. The Notorious Markets List ("List") identifies select online and physical marketplaces that reportedly engage in and facilitate substantial piracy and counterfeiting.

The Office of the United States Trade Representative ("USTR") has developed this List under the auspices of the annual Special 301 process, taking into account public comments solicited by USTR through the Federal Register and the input of other Federal agencies. The List identifies marketplaces that have been the subject of enforcement actions or that may merit further investigation for possible intellectual property rights ("IPR") infringements. These markets have been selected for inclusion both because they exemplify concerns about trademark counterfeiting and copyright piracy on a global basis and because the scale and popularity of these marketplaces can cause economic harm to U.S. and other IPR holders. They may also pose health and safety risks to consumers as well as provide inadequate safeguards for consumer privacy and security.

This document constitutes the final report of the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience through Acquisition. The report is one component of the government-wide implementation of Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21. It was developed in collaboration with stakeholders from Federal agencies and industry and with the assistance of the Department of Homeland Security's Integrated Task Force.1 The Working Group also coordinated development of the recommendations closely with the Department of Commerce, National Institute of Standards and Technology's (NIST) development of a framework to reduce cyber risks to critical infrastructure2 (Cybersecurity Framework), and in parallel to the Departments of Commerce, Treasury, and Homeland Security reports on incentives to promote voluntary adoption of the Cybersecurity Framework. This jointly issued report is the culmination of a four-month process by an interagency working group comprised of topic-knowledgeable individuals selected from the Federal government.

One of the major impediments to changing how cybersecurity is addressed in Federal acquisitions is the differing priorities of cyber risk management and the Federal Acquisition Systems The Acquisition Workforce is required to fulfill numerous, sometimes conflicting, policy goals through their work, and cybersecurity is but one of several competing priorities in any given acquisition. The importance of cybersecurity to national and economic security dictates the need for a clear prioritization of cyber risk management as both an element of enterprise risk management and as a technical requirement in acquisitions that present cyber risks. The importance of cybersecurity relative to the other priorities in Federal acquisition should be made explicit.

The purpose of this report is to recommend how cyber risk management and acquisition processes in the Federal government can be better aligned. The report does not provide explicit implementation guidance, but provides strategic guidelines for addressing relevant issues, suggesting how challenges might be resolved and identifying important considerations for the implementation of the recommendations.

Air Force Pamphlet 63-113 provides Program Managers (PM) with recommended protection planning activities for the integrated management of systems security risks. Risks to Air Force systems’ advanced technology and mission-critical functionality can come from foreign intelligence services, design vulnerability, supply chain compromise, cyber or advanced persistent threats, or battlefield loss at any point in the system’s life cycle. This pamphlet provides the procedures for the identification and protection of Critical Program Information (CPI) and critical components.

DOD Instruction 4140.67 establishes integrated DoD policy and develops implementing guidance in appropriate issuances; maintains DoD enterprise focus on counterfeit materiel risk reduction as the designated office of primary responsibility for coordinating the development and implementation of an integrated DoD enterprise anti-counterfeit strategy; develops acquisition and procurement policies, procedures, regulations, and guidance to prevent, detect, remediate, and seek restitution for the procurement and delivery of counterfeit materiel; develops and implements workforce education and training programs to deter, detect, analyze, report, and manage the disposition of counterfeit materiel; ensures collaboration and consultation with other federal agencies and international coalition partners on anti-counterfeit measures; coordinates with DoD Components to establish a risk-based approach to identify materiel susceptible to counterfeiting and to procure authentic materiel; avoids establishing DoD-unique anti-counterfeiting procedures; and identifies and establishes standardized guidelines for contractors to employ in their processes for the detection and avoidance of counterfeit materiel into the DoD supply chain.

During the Senate’s consideration of the National Defense Authorization Act for Fiscal Year 2012, Chairman Carl Levin and Ranking Member John McCain offered an amendment to stop the importation of counterfeit electronic parts into the United States, address weaknesses in the defense supply chain, and to promote the adoption of aggressive counterfeit avoidance practices by DOD and the defense industry. The amendment was adopted in the Senate and a revised version was included in the final bill signed by President Barack Obama on December 31, 2011. The Committee’s findings, described in this report, are stark evidence of the importance of the reforms contained in that law.

Specifically, all 12 of the parts received after GAO requested rare part numbers or postproduction date codes were suspect counterfeit, according to the testing lab. Multiple authentication tests, ranging from inspection with electron microscopes to X-ray analysis, revealed that the parts had been re-marked to display the part numbers and manufacturer logos of authentic parts. Other features were found to be deficient from military standards, such as the metallic composition of certain pieces. For the parts requested using postproduction date codes, the vendors also altered date markings to represent the parts as newer than when they were last manufactured, as verified by the parts’ makers. Finally, after submitting requests for bogus parts using invalid part numbers, GAO purchased four parts from four vendors, which shows their willingness to supply parts that do not technically exist.

Why GAO Did This Study

Counterfeit parts—generally the misrepresentation of parts’ identity or pedigree—can seriously disrupt the Department of Defense (DOD) supply chain, harm weapon systems integrity, and endanger troops’ lives. In a November testimony (GAO-12-213T), GAO summarized preliminary observations from its investigation into the purchase and authenticity testing of selected, military-grade electronic parts that may enter the DOD supply chain. As requested, this report presents GAO’s final findings on this issue. The results are based on a nongeneralizable sample and cannot be used to make inferences about the extent to which parts are being counterfeited. GAO created a fictitious company and gained membership to two Internet platforms providing access to vendors selling military-grade electronic parts. GAO requested quotes from numerous vendors to purchase a total of 16 parts from three categories: (1) authentic part numbers for obsolete and rare parts; (2) authentic part numbers with postproduction date codes (date code after the last date the part was manufactured); and (3) bogus, or fictitious, part numbers that are not associated with any authentic parts. To determine whether the parts received were counterfeit, GAO contracted with a qualified, independent testing lab for full component authentication analysis of the first two categories of parts, but not the third (bogus) category. Part numbers have been altered for reporting purposes. GAO is not making recommendations in this report.

For more information, contact Richard J. Hillman at (202) 512-6722 or hillmanr@gao.gov or Timothy Persons at (202) 512-6522 or personst@gao.gov.

According to experts and literature GAO reviewed, counterfeiting and piracy have produced a wide range of effects on consumers, industry, government, and the economy as a whole, depending on the type of infringements involved and other factors. Consumers are particularly likely to experience negative effects when they purchase counterfeit products they believe are genuine, such as pharmaceuticals. Negative effects on U.S. industry may include lost sales, lost brand value, and reduced incentives to innovate; however, industry effects vary widely among sectors and companies. The U.S. government may lose tax revenue, incur IP enforcement expenses, and face risks of counterfeits entering supply chains with national security or civilian safety implications. The U.S. economy as a whole may grow more slowly because of reduced innovation and loss of trade revenue. Some experts and literature also identified some potential positive effects of counterfeiting and piracy. Some consumers may knowingly purchase counterfeits that are less expensive than the genuine goods and experience positive effects (consumer surplus), although the longer-term impact is unclear due to reduced incentives for research and development, among other factors. Three widely cited U.S. government estimates of economic losses resulting from counterfeiting cannot be substantiated due to the absence of underlying studies. Generally, the illicit nature of counterfeiting and piracy makes estimating the economic impact of IP infringements extremely difficult, so assumptions must be used to offset the lack of data. Efforts to estimate losses involve assumptions such as the rate at which consumers would substitute counterfeit for legitimate products, which can have enormous impacts on the resulting estimates. Because of the significant differences in types of counterfeited and pirated goods and industries involved, no single method can be used to develop estimates. Each method has limitations, and most experts observed that it is difficult, if not impossible, to quantify the economy-wide impacts. Nonetheless, research in specific industries suggest that the problem is sizeable, which is of particular concern as many U.S. industries are leaders in the creation of intellectual property.

DOD is limited in its ability to determine the extent to which counterfeit parts exist in its supply chain because it does not have a department wide definition of the term "counterfeit" and a consistent means to identify instances of suspected counterfeit parts. While some DOD entities have developed their own definitions, these can vary in scope. Further, two DOD databases that track deficient parts--those that do not conform to standards--are not designed to track counterfeit parts. A third government wide database can track suspected counterfeit parts, but according to officials, reporting is low due to the perceived legal implications of reporting prior to a full investigation. Nonetheless, officials we met with across DOD cited instances of counterfeit parts, as shown in the table below. A recent Department of Commerce study also identified the existence of counterfeit electronic parts within DOD and industry supply chains. DOD is in the early stages of developing a program to help mitigate the risks of counterfeit parts. DOD does not currently have a policy or specific processes for detecting and preventing counterfeit parts. Existing procurement and quality-control practices used to identify deficient parts are limited in their ability to prevent and detect counterfeit parts in DOD's supply chain. For example, several DOD weapon system program and logistics officials told us that staff responsible for assembling and repairing equipment are not trained to identify counterfeit parts. Some DOD components and prime defense contractors have taken initial steps to mitigate the risk of counterfeit parts, such as creating risk-assessment tools and implementing a new electronic parts standard. Also facing risks from counterfeit parts, individual commercial sector companies have developed a number of anti counterfeiting measures, including increased supplier visibility, detection, reporting, and disposal. Recent collaborative industry initiatives have focused on identifying and sharing methods to reduce the likelihood of counterfeit parts entering the supply chain. Because many of the commercial sector companies produce items similar to those used by DOD, agency officials have an opportunity to leverage knowledge and ongoing and planned initiatives to help mitigate the risk of counterfeit parts as DOD develops its anti counterfeiting strategy.

Purpose: The purpose of this study is to provide statistics on the extent of the infiltration of counterfeits into U.S. defense and industrial supply chains, to provide an understanding of industry and government practices that contribute to the problem, and to identify best practices and recommendations for handling and preventing counterfeit electronics.