The State of New York is home to the world’s financial markets, a leader in modern optics and electronics, a hub for biotech innovation, and, soon, potentially the next Silicon Valley of semiconductor design and manufacturing.
Those industries also make it a prime target for state-sponsored cyber-attackers.
Yet, the state’s procurement policies provide little insight into what, if any, guardrails exist to prevent government purchases from Chinese state-owned manufacturers, whose products may contain built-in vulnerabilities.
Recently, the New York Office of General Services requested bids for a significant hardware technology purchase, which will likely be decided in the weeks ahead. China Tech Threat contacted the office to understand whether it considers federal restrictions on technology makers and how it weighs the impact of products from foreign adversarial state-owned enterprises.
Our request is outstanding, but our analysis of the state’s procurement records reveals that the New York Government has spent more than $28 million on Lenovo computers, systems, and IT services, and Lexmark printers and related services.
As has been well-covered on this blog, Lenovo and Lexmark are among the Chinese state-owned tech manufacturers banned by U.S. military and intelligence agencies. While federal agencies have taken action to remove vulnerable components from their systems and to reinforce supply chains, there is no evidence New York has taken corrective measures.
While other states have contracts with Chinese-owned companies, New York is unique because of the size of its contracts and the target value to state-sponsored cyber-attackers. Especially as New York plans to allocate $23.5 billion in federal American Rescue Plan funding, much of which will be used to upgrade its IT systems, authorities should proactively audit the state’s networks, remove vulnerable components, and source new products exclusively from trusted vendors in democratic nations.