Special Report: State Contracts with Banned Chinese Tech Manufacturers

[Map of the states and DC, keyed by contract status. Legend:]

  • No contracts or payments
  • NASPO contracts w/ Lenovo and Lexmark
  • NASPO contracts w/ Lenovo, but not Lexmark
  • Direct contracts w/ Lenovo and/or Lexmark
  • Contracts w/ either company plus verified payments
  • Threats persist with the unknown. States continue to dodge FOIA requests

Cybersecurity Threats In The States: Risk Assessment Update Memo

NJ, ME, TN Continue to Dodge FOIA Requests

Read our recently released memo that provides an update on what our research has yielded to date and the process used, including the following:

  • There were 38 states with contracts with banned Chinese tech companies

  • FOIA responses from nearly 30 states revealed more than $50 million spent on risky tech contracts 

  • Even following formal legal requests, TN, ME and NJ have yet to release information which could leave residents and infrastructure vulnerable to cyber threats

Main Findings

Chinese information technology vendors that have been banned from US military and intelligence networks still contract with state governments. Once the products from these vendors are installed, they can access sensitive personal and financial information held by courts, police departments, elections departments, education departments, children and family services, and other social service providers and agencies.

A sample of publicly-available contracts negotiated between state governments and Chinese technology vendors shows that information transmitted on the vendors’ equipment is now subject to collection, transfer, processing and inspection by the vendor, and could be transferred to any country where the vendor does business and to any entity with whom it works. For example, one basic sales agreement with technology manufacturer Lenovo notes that data can be transferred across international borders. In any event, China’s 2017 National Intelligence Law compels this.

The National Association of State Procurement Officers (NASPO) frequently negotiates contracts with large corporations for the purpose of validating product/service contracts for its members. However, security is not a parameter of NASPO’s evaluations. While federal policy directs information security for federal agencies, states must determine their own information security standards. NASPO’s collective contract with Lenovo was initiated in 2015 and ends in March 2020, with Lexmark’s collective agreement with the organization ending the following year.

Recommendations

States Should Review Current Contracts For Security Vulnerabilities

States should ask two key questions:

  • Have procurement leaders unwittingly allowed China to access sensitive government and private citizen information?
  • Should state procurement officials eliminate existing contracts with Chinese-owned manufacturers for the sake of maintaining data privacy and confidentiality?

NASPO Should Consider Incorporating Cybersecurity Evaluations into its Offering or Clarify its Role

As the standard-bearer and leading state procurement conglomerate in the United States, the National Association of State Procurement Officers (NASPO) should lead the way in mitigating the threat posed to public entities procuring IT products. This begins with NASPO leaders incorporating security vulnerabilities into the contracting process. This could include partnering with federal agencies like the Department of Commerce or the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) to develop recommendations for assessing the security of products.


Teleconference Audio Recording

Stealing From States: China’s Power Play In IT Contracts

Florida Sen. Marco Rubio and China Tech Threat’s Dr. Roslyn Layton Discuss China’s Infiltration


Our Take

Despite warnings, Tennessee leaders not taking cyberthreats seriously | Opinion

Roslyn Layton, The Tennessean | November 30, 2021

The infrastructure spending bill President Joe Biden recently signed into law includes $1 billion in cyberdefense grants for state and local governments, which shows an increasing awareness of vulnerabilities at all levels of government. States, however, should also take a close look at spending practices to mitigate threats, particularly spending on contracts with Chinese tech vendors that put government offices, infrastructure and individuals at risk.

New York Spent $28 Million On Restricted Chinese Tech. It’s Time To End These Risky Contracts.

Roslyn Layton, Forbes | April 1, 2021

Stealing From States: China’s Power Play In IT Contracts

Roslyn Layton Interview with Gary Franchi, NEWSVIDEO | March 3, 2020

“What I am saying is use a trusted vendor. The problem is the Chinese ownership – the government can direct these companies to do what they want them to do…The states do not even realize the risk they have created by using technology from companies owned by the Chinese government.” – Dr. Roslyn Layton

Secure Freedom Radio Podcast With Andrew Mangione, Tom Van Grieken, and Roslyn Layton

Roslyn Layton Interview with Frank Gaffney, Secure Freedom Radio | February 28, 2020

Host: “You are saying if you have a Lenovo laptop on your system, it is a compromised system?”

Dr. Layton: “Absolutely; it could be a compromised system due to the contractual terms from Lenovo as that data can be transferred and collected by law. It doesn’t say what law, but we know that it is the Chinese Internet Surveillance Law.”

Report Warns of Tech Threats From ‘Other’ Chinese Companies

Roslyn Layton, China Tech Threat | February 27, 2020

While the federal government has cracked down on the use of Chinese-owned companies at the federal level in recent years over espionage and data safety concerns, at least 43 states hold important IT contracts with other Chinese-owned companies and could be at risk, according to a report released Monday.

Stealing From States: China’s Power Play In IT Contracts

Florida Sen. Marco Rubio and China Tech Threat’s Dr. Roslyn Layton Addressed China’s Infiltration | February 24, 2020

“The one area that China has been keen to exploit is at the state level because state governments largely are not aware of the threat it poses to them — to have within the backbone of their government system technology that has security vulnerabilities that are deliberate and can be exploited. We have never faced that sort of vulnerability before in the backbone of our country. It is something that we need to create more awareness about and that’s why reports like these are so valuable.” – Senator Marco Rubio

In the News

The inescapable problem of cyber attacks

The Editorial Board, The Financial Times | October 11, 2021

Another day, another huge cyber security breach. Last week it was Twitch, Amazon’s live streaming platform, which suffered the public revelation of its source code, the income of its big stars and other sensitive information. Cyber attacks are rapidly becoming a large-scale, and thorny, global security problem. The US alone suffered an estimated 65,000 ransomware attacks last year, and the enormous Solar Winds hack exposed big gaps in cyber security at the heart of the federal government. That helps to explain why American experts polled recently by Axa cited cyber risk as their single biggest concern this year, and global experts placed it second behind climate change.

China-Linked Hack Hits Tens of Thousands of U.S. Microsoft Customers

Robert McMillan and Dustin Volz, The Washington Post | March 6, 2021

A cyberattack on Microsoft Corp.’s Exchange email software is believed to have infected tens of thousands of businesses, government offices and schools in the U.S., according to people briefed on the matter. Many of those victims of the attack, which Microsoft has said was carried out by a network of suspected Chinese hackers, appear to be small businesses and state and local governments.

The Long Hack: How China Exploited a U.S. Tech Supplier

Jordan Robertson and Michael Riley, Bloomberg | February 21, 2021

In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China—the result of code hidden in chips that handled the machines’ startup process. In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site. 

Beware the office printer: It may be a Chinese spy device, experts say

Joel Gehrke, The Washington Examiner | February 26, 2020

“’Printers, one of the least secure Internet of Things devices, store sensitive data on internal hard drives derived from the various printing jobs executed on a day-to-day basis’ …That observation punctuates a finding that dozens of state and local governments have contracted with two companies that federal officials have flagged as security risks, specifically Lenovo, a cellphone and laptop maker, and Lexmark, a laser printer company. The report demonstrates Beijing’s reach into U.S. society, to the point of alarming federal officials.”

Chinese tech in U.S. funnels data to Beijing’s intelligence services

Bill Gertz, The Washington Times | February 24, 2020

“The security report urged state and local governments to review all contracts with Chinese-controlled companies to determine the security risks. The federal government also needs to provide more guidance and support to chief information officers of state governments so they can better assess the risks of doing business with Chinese state-run companies.”

Rubio backs report warning states about cyber threats from China

Rick Weber, Inside Cybersecurity | February 25, 2020

“I’m not necessarily interested in mandates on cities and counties per se, and I’m not sure that’s the initial approach we want to take, but I do think the creation of awareness is also important because once presented with the facts, and the reality [is] we have found that most institutions, from academia to governments, are willing to step up and take the action,” Rubio said.