Cybersecurity company Fortinet settles DOJ case over sale of Chinese network security devices to U.S. military disguised as American made

Security vendor Fortinet has agreed to pay the equivalent of $545,000 to settle allegations it illegally sold the U.S. military Chinese technology disguised as American-made equipment, the U.S. Department of Justice announced.

The Sunnyvale, California-based cybersecurity company agreed to pay the government $400,000 and provide the U.S. Marine Corps with equipment valued at $145,000 to resolve charges it violated the False Claims Act from January 2009 until the fall of 2016, according to a statement.

Fortinet acknowledged that an employee responsible for supply chain management altered labels on products to make them appear compliant with the Trade Agreements Act, a law prohibiting federal agencies from acquiring products in specific countries. The unnamed employee directed others at Fortinet to include the phrases “Designed in the United States and Canada” or “Assembled in the United States” before those products were sold to distributors and resellers who resold the technology to the government.

“Contractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” Bryan D. Denny, the Defense Criminal Investigative Service special agent in charge, said in a statement.

Fortinet, in a statement to CRN, said the settlement was the result of an isolated incident involving a rogue employee who had been terminated.

Officials from the Air Force Office of Special Investigations, the Department of the Navy, Coast Guard Investigative Service, the Department of Homeland Security, the General Services Administration, and other agencies were involved in the investigation.

The settlement resolves allegations in a 2016 lawsuit filed by Yuxin “Jay” Fang, who said he formerly worked as a logistics specialist in Fortinet’s Vancouver office. Fang alleged that Fortinet manufactured its products in Taiwan and China, while certifying that those products were built in TAA-designated countries. In one case, the security vendor sold its products to Arrow Enterprise Computing Solutions, which re-sold them to the U.S. Air Force, according to Fang’s complaint.

The lawsuit also cites the sale of 32 units of Fortinet products to Fintec Computer at a price of $390,302.40. The bottom of the sales invoice listed those products as “TAA Compliant Inventory,” when in fact the Fortinet product, a network security device, was “exclusively produced in China,” according to the suit.

Fang alleged in the suit he was told by superiors to “rework” shipments of products, instructions he understood to mean relabeling products containing “Made in China” logos.

“This was done on both individual products and on the packages they arrived in,” the suit states. “The products would then be designated as TAA compliant and shipped to vendors for sale to the U.S. Government. [Fang] complained to his supervisors about the practice but was told to do it anyways.”

The settlement coincides with ongoing U.S. government scrutiny of technology supply chains. U.S. intelligence officials have consistently warned against the use of products built by the Chinese telecommunication vendor Huawei and Russian antivirus-maker Kaspersky, arguing such procurement would make Americans vulnerable to foreign espionage or disruption.

According to the settlement agreement, Fortinet acknowledged that during the more than seven years between January of 2009 and the fall of 2016, a Fortinet employee responsible for supply chain management (the “Responsible Employee”) arranged to have labels on certain products altered to make the products appear to be compliant with the TAA. A portion of the products were resold through distributors and subsequent resellers to U.S. government end users.

“Today’s announcement illustrates the continuing commitment of the U.S. Attorney’s Office and our law enforcement partners to identify and prosecute fraudulent schemes relating to the sale of goods to the United States,” said U.S. Attorney Anderson.

“Contractors that supply the U.S. Government with Chinese-made technology will be pursued and held accountable when violating the Trade Agreement Act,” said DCIS Special Agent in Charge Denny.  “The DCIS and its law enforcement partners are committed to combatting procurement fraud and cyber risk within U.S. Department of Defense programs.”

“This settlement displays the steadfast commitment of our agents and our federal law enforcement partners,” said USACIDC Director Robey. “This settlement is a clear signal to the supply community doing business with the Department of the Army—fraud will not be tolerated in any way, shape or form.”

“Contractors who undermine American trade interest and pose a security risk by selling unauthorized foreign-made devices to the United States will be held accountable,” said DHS-OIG Special Agent in Charge Thandi.  “Contracting companies that conduct business with the federal government must uphold our trade laws; any misrepresentation during this process undercuts its integrity.”

“This settlement reflects the GSA OIG’s commitment to work with our law enforcement partners to aggressively investigate and prosecute those who seek to fraudulently sell products to the federal government that do not meet the standards set by law,” said GSA OIG Special Agent in Charge Theresa Quellhorst.

The TAA generally prohibits certain government contractors from purchasing products that are not entirely from, or “substantially transformed” in, the United States or certain designated countries.  Fortinet sells network security devices, some of which may be sold through distributors and subsequent resellers to U.S. government end users.  In this case, Fortinet acknowledged the Responsible Employee directed certain employees and contractors to change product labels so that no country of origin was listed, or to include the phrases “Designed in the United States and Canada,” or “Assembled in the United States.”  Fortinet acknowledged that the Responsible Employee’s actions involved products sold to certain distributors that subsequently sold them to resellers, which in turn sold a portion of them to U.S. government end users.  The Responsible Employee has since been terminated from employment with Fortinet.

To settle the allegations, Fortinet has agreed to pay $400,000 and to provide the United States Marine Corps with additional equipment valued at $145,000.

The lawsuit was filed by Yuxin “Jay” Fang under the qui tam provisions of the False Claims Act. Under the act, private citizens can bring suit on behalf of the government for false claims and share in any recovery. The act also permits the United States to intervene in and take over a whistleblower suit, as was done here.

This matter was investigated by the U.S. Attorney’s Office of the Northern District of California, along with the DCIS, GSA-OIG, Air Force Office of Special Investigations, USACIDC, DHS-OIG, the Department of the Navy, and the Coast Guard Investigative Service.  Fortinet cooperated in the government’s investigation, including by sharing the results of its internal investigation in this matter.  The settlement reflects Fortinet’s cooperation with the government in this and other matters.

Assistant U.S. Attorney Ellen London is handling the case with the assistance of Garland He, Jacqui Hollar, and Tina Louie.