Members of New York’s Congressional Delegation today issued a letter to New York Governor Kathy Hochul requesting details about the state’s “lax practices relating to IT cybersecurity and espionage protections” and purchases of restricted information technology equipment. It is being sent as the state looks to allocate new federal funding for IT systems after already spending tens of millions of dollars on technology products from Chinese state-owned and directed companies Lenovo and Lexmark, which have been restricted by federal agencies.
China Tech Threat was provided an exclusive preview of the letter signed by Representatives Chris Jacobs, Nicole Malliotakis, Elise Stefanik, Claudia Tenney and Lee Zeldin, which states:
“Recently, it has come to light that New York State has spent tens of millions of dollars on technology products from Chinese state-owned and directed companies. Several of these companies are prohibited from use and procurement by federal agencies due to the security risks they pose. In addition, State and local government agencies are reported to have purchased and currently use surveillance equipment from sanctioned Chinese technology firms. Failing to comply with, or even consider, restrictions set by the federal government.
“As New York State looks to allocate federal funding, including from recent COVID-19 legislation, for IT systems uses, we write to request further information about your plans to protect the security of our constituents and ensure that New York is not putting itself and the nation at risk.”
As part of China Tech Threat’s previously released analysis of state procurement records, we found that the New York Government has spent more than $28 million on Lenovo computers, systems, and IT services, and Lexmark printers and related services. Both of these tech manufacturing companies have ownership ties to the Chinese government and Chinese Communist Party. While federal agencies have taken action to remove vulnerable components from their systems and to reinforce supply chains, there is no evidence those same safeguards have been adopted in New York, and our repeated attempts to contact the New York Office of General Services to determine how security is factored into technology vendor evaluations have gone unanswered.
The letter also highlights that dozens of state and local government entities have received state funding to procure Chinese surveillance equipment from Hikvision and Dahua, firms sanctioned by the federal government for their national security risks and participation in human rights abuses against Muslims and other ethnic minorities in Western China. The Federal Communications Commission’s Covered List includes Hikvision and Dahua, and the FCC, empowered by the new Secure Equipment Act, has begun to restrict equipment from these vendors, as vulnerable to PRC intrusion. The FCC should add Lenovo among others to the Covered List.
As home to the world’s financial markets; headquarters of many global companies and organizations; home to high net worth individuals and world leaders; a diverse base of cutting-edge universities and industries, including semiconductor design and manufacturing, New York is a prime target for cyber attack. Recent attacks highlight the state’s IT vulnerability. The New York Times described the ransom attack on the New York City Law Office as the work of state-supported hackers. The Albany Times-Union reported on an April 2021 cyber attack at Rensselaer Polytechnic Institute, which has contracts with research offices of the U.S. Army, Navy, Air Force and Defense Advanced Research Projects Agency, the Defense Department’s research arm.
The leadership demonstrated by these New York members is a significant step in mitigating risks to state and national security and should be replicated by all states, especially the 38 states already found to have state contracts with risky manufacturers. With a surge in new federal spending in recent COVID-19 legislation and more potential funding in the Build Back Better plan, the time to clarify state IT safeguards and policies is now.