While members of Congress and commentators over the past year increased scrutiny of the federal government’s purchase and use of Chinese-made information technology equipment, state procurement of such equipment has flown under the radar. On February 24th, China Tech Threat will release “State Governments’ Failure to Scrutinize the Purchase of Lenovo and Lexmark Equipment Jeopardizes Data Security,” a white paper that outlines the flawed contracting process, highlights the footprint and reach of flagged Chinese firms in dozens of states and suggests remedies for mitigating the threats posed to public agencies procuring information technology products.
Specifically, the paper builds on a July 2019 Department of Defense Inspector General report that highlighted military services’ vulnerabilities from using Lexmark and Lenovo products. This paper expands on these concerns by exploring the threats present within state governments that use these two vendors, both of which are highlighted in the National Vulnerability Database.
A sample of publicly available contracts negotiated between state governments and Chinese technology vendors shows that information transmitted on the vendors’ equipment is now subject to collection, transfer, processing and inspection by the vendor, and could be transferred to any country where the vendor does business and to any entity with which it works. For example, one basic sales agreement with technology manufacturer Lenovo notes that data can be transferred across international borders. In fact, China’s 2017 National Intelligence Law compels this.
The paper also highlights how the National Association of State Procurement Officers (NASPO) frequently negotiates contracts with large corporations for the purpose of validating product/service contracts for its members. However, security is not a parameter of NASPO’s evaluations. While federal policy directs information security for federal agencies, states must determine their own information security standards. NASPO’s collective contract with Lenovo was initiated in 2015 and ends in March 2020; its collective agreement with Lexmark ends the following year.
A state-by-state breakdown shows how tens of millions of dollars in contracts and vendor payments have been made with and to Lexmark and Lenovo by departments of education, state school systems, corrections departments, agencies developing IT policies, offices providing financial services and handling sensitive financial information, offices overseeing elections, agencies administering health care services and law enforcement agencies, among numerous others.
The paper concludes with two suggested remedies. The first underscores how state procurement officials are gatekeepers to the data and privacy of the citizens and public entities under their purview and must understand and address the risks associated with the purchase and use of Chinese equipment from Lenovo and Lexmark. While devices like laptops and printers seem innocuous to the average user, these network components can serve as springboards for foreign governments to spy on American citizens, collect sensitive information, and influence democratic elections. The first step in mitigating the risk associated with Chinese equipment is to take the equipment out of American networks, replacing it with trusted products that do not send data back to servers and storage centers under the jurisdiction of the Chinese Communist Party.
Alternatively, NASPO should lead the way in mitigating the threat posed to public entities procuring IT products. This begins with NASPO leaders incorporating security vulnerability evaluation into the contracting process. This could include partnering with federal agencies like the Department of Commerce or the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) to develop recommendations for assessing the security of products. This is especially important as NASPO renegotiates national purchasing contracts in the coming months.
Without the leadership of NASPO, state procurement officials lack the expertise and price negotiation power to deliver IT solutions to public entities without substantial cost increases – a daunting outcome for state leaders focused on curtailing costs in the face of growing budget deficits. It may be a good idea for NASPO to remind its members that security evaluation is a separate function not included in the NASPO review. On the other hand, given NASPO’s experience and credibility with its membership, it could likely create value for its members by developing competence in the information security assessment domain.