Yesterday China Tech Threat sent 29 emails to the Tennessee, New Jersey and Maine congressional delegations.
In the emails, China Tech Threat explained that these states have unwittingly purchased vulnerable equipment from Lenovo and Lexmark, vendors restricted by US military and intelligence authorities because of the risk of cyber intrusion from actors in the People’s Republic of China (PRC). China Tech Threat’s 2019 Report “Stealing from the States” provides background on the risk as identified by the Department of Defense for Lenovo laptops, Lexmark printers, and other “common off the shelf” items, along with in-depth reporting about individual US states. Further, our recent October 2021 memo gives even more information on specific states.
China Tech Threat has made multiple Freedom of Information Act (FOIA) requests for information about these purchases, but the requests go unanswered. China Tech Threat hopes that Congress can intervene to protect the security of residents and enterprises in these states when the state-level leaders won’t.
While federal policy directs information security for federal agencies, states determine their own information security standards. This has unwittingly led to the purchase of items from insecure vendors on the Federal Communications Commission (FCC) Covered List like Huawei, Hikvision, Dahua, Hytera and others. As a related matter, Congress has just passed the Secure Equipment Act (which now sits on the President’s desk), which empowers the FCC to restrict communications equipment authorizations (e.g. laptops, servers, phones, etc.) from companies that pose unacceptable national security risks. This list will likely be expanded to include drones from DJI and potentially Lenovo