Last year the Department of Defense Inspector General (DODIG) released an audit warning about the purchase of IT equipment manufactured by Chinese government-owned brands known to have security vulnerabilities. Two companies – Lexmark and Lenovo – have been banned by military and intelligence agencies in the US and abroad. (Read the DODIG’s partially-redacted, previously “Secret” security clearance report here.)
The Pentagon is not the only agency that needs to be concerned about insecure hardware, servers, and networks. State governments control vast amounts of sensitive data like records on taxes, students, courts and criminals, healthcare (especially seniors), and election voting.
Despite these bans, we found that the New York State Government has spent over $28 million on the two Chinese-owned companies in recent years, including $14,882,890 on Lenovo computers, systems, and services, and $13,198,852 on Lexmark printers. (See the State’s purchasing summary for Lenovo and Lexmark and our snapshot here.)
In all likelihood, New York has spent even more during the COVID pandemic, while state employees are forced to work from home at an even greater network security risk.
Keep in mind the DODIG report referenced above notes that Lenovo computers “were manufactured with hidden hardware or software used for cyberespionage,” leading to bans and warnings by the State Department, Department of Homeland Security, and Joint Chiefs of Staff. As for Lexmark, the audit explains that the National Vulnerability Database lists 20 cybersecurity vulnerabilities related to their products. Obviously, these companies should not be trusted with New Yorkers’ sensitive information.
Who can do something about this? Empire State data security begins with Sean Carroll, Chief Procurement Officer, and Jeremy Goldberg, Chief Information Officer. Both gentlemen play a crucial role in evaluating IT security and ensuring that New Yorkers’ data remains private.
At the same time, Members of Congress can help eliminate insecure equipment. For example, Senator Schumer and Representatives Katko, Engel, and Stefanik have all taken action to keep US user data out of the hands of the Chinese government.
We hope that state and federal policymakers can collaborate to keep New York data safe.
[See a compilation of our New York findings here.]