[Map legend: NASPO contracts with Lenovo and Lexmark; NASPO contracts with Lenovo, but not Lexmark; direct contracts with Lenovo and/or Lexmark; contracts with either company plus verified payments]
Chinese information technology vendors that have been banned from US military and intelligence networks still contract with state governments. Once the products from these vendors are installed, they can access sensitive personal and financial information held by courts, police departments, elections departments, education departments, children and family services, and other social service providers and agencies.
A sample of publicly available contracts negotiated between state governments and Chinese technology vendors shows that information transmitted on the vendors’ equipment is now subject to collection, transfer, processing and inspection by the vendor, and could be transferred to any country where the vendor does business and to any entity with whom it works. For example, one basic sales agreement with technology manufacturer Lenovo notes that data can be transferred across international borders. In any event, China’s 2017 National Intelligence Law compels this.
The National Association of State Procurement Officers (NASPO) frequently negotiates contracts with large corporations for the purpose of validating product/service contracts for their members. However, security is not a parameter of NASPO’s evaluations. While federal policy directs information security for federal agencies, states must determine their information security standards. NASPO’s collective contract with Lenovo was initiated in 2015 and ends in March 2020, with Lexmark’s collective agreement with the organization ending the following year.
States Should Review Current Contracts For Security Vulnerabilities
States should ask two key questions:
- Have procurement leaders unwittingly allowed China to access sensitive government and private citizen information?
- Should state procurement officials eliminate existing contracts with Chinese-owned manufacturers for the sake of maintaining data privacy and confidentiality?
NASPO Should Consider Incorporating Cybersecurity Evaluations into its Offering or Clarify its Role
As the standard-bearer and leading state procurement conglomerate in the United States, the National Association of State Procurement Officers (NASPO) should lead the way in mitigating the threat posed to public entities procuring IT products. This begins with NASPO leaders incorporating security vulnerabilities into the contracting process. This could include partnering with federal agencies like the Department of Commerce or Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) to develop recommendations for assessing the security of products.
Teleconference Audio Recording
Stealing From States: China’s Power Play In IT Contracts
Florida Sen. Marco Rubio and ChinaTechThreat.com’s Dr. Roslyn Layton Discuss China’s Infiltration
In the NEWS
Joel Gehrke, The Washington Examiner | February 26, 2020
“’Printers, one of the least secure Internet of Things devices, store sensitive data on internal hard drives derived from the various printing jobs executed on a day-to-day basis’ …That observation punctuates a finding that dozens of state and local governments have contracted with two companies that federal officials have flagged as security risks, specifically Lenovo, a cellphone and laptop maker, and Lexmark, a laser printer company. The report demonstrates Beijing’s reach into U.S. society, to the point of alarming federal officials.”
Bill Gertz, The Washington Times | February 24, 2020
“The security report urged state and local governments to review all contracts with Chinese-controlled companies to determine the security risks. The federal government also needs to provide more guidance and support to chief information officers of state governments so they can better assess the risks of doing business with Chinese state-run companies.”
The CyberWire | February 25, 2020
“A report from China Tech Threat warns that many US state procurement officials are buying risky technology from Chinese vendors. The group’s report mentions Lexmark and Lenovo in particular, and urges the National Association of State Procurement Officers to help its members introduce greater security into their acquisition processes.”
Frank Konkel, Executive Editor, Nextgov | February 24, 2020
“The report, published by ChinaTechThreat.com, focuses predominantly on more than three dozen large tech contracts and purchase agreements with states held by Chinese-owned companies Lexmark and Lenovo, whose products are listed in the National Vulnerability Database. While products from those companies aren’t used by U.S. military, intelligence or federal agencies, the report suggests they’re being used by states, which could open their IT systems to attacks, data theft and other vulnerabilities.”
Rick Weber, Inside Cybersecurity | February 25, 2020
“I’m not necessarily interested in mandates on cities and counties per se, and I’m not sure that’s the initial approach we want to take, but I do think the creation of awareness is also important because once presented with the facts, and the reality [is] we have found that most institutions, from academia to governments, are willing to step up and take the action,” Rubio said.
Florida Sen. Marco Rubio and ChinaTechThreat.com’s Dr. Roslyn Layton Addressed China’s Infiltration
“The one area that China has been keen to exploit is at the state level because state governments largely are not aware of the threat it poses to them — to have within the backbone of their government system technology that has security vulnerabilities that are deliberate and can be exploited. We have never faced that sort of vulnerability before in the backbone of our country. It is something that we need to create more awareness about and that’s why reports like these are so valuable.” – Senator Marco Rubio
Roslyn Layton Interview with Jan Jekielek, Epoch Times | March 2, 2020
Host: “Why isn’t it so obvious that we shouldn’t be taking Chinese technology and using it in our networks?”
Dr. Layton: “When you consider that the intelligence agencies from 5 Eyes have known this for years that there are these backdoors in Chinese technology where they can siphon this data, it is concerning that this technology is still being purchased and used…and the issue ranges from Huawei, to ZTE, to Lenovo computers and Lexmark printers.”
Roslyn Layton Interview with Gary Franchi, NEWSVIDEO | March 3, 2020
“What I am saying is use a trusted vendor. The problem is the Chinese ownership – the government can direct these companies to do what they want them to do…The states do not even realize the risk they have created by using technology from companies owned by the Chinese government.” – Dr. Roslyn Layton
Roslyn Layton Interview with Tudor Dixon, America’s Voice News | February 28, 2020
“You can go into Best Buy and purchase a device that is banned on the federal level, and that is the example of the disconnect between federal regulation and consumer and state level purchasing…. Don’t buy it, don’t put it in your network – no Lenovo laptops, no Lexmark printers, no Huawei equipment – security is worth paying for, and these devices should not be allowed in your networks.” – Dr. Roslyn Layton
Roslyn Layton Interview with Frank Gaffney, Secure Freedom Radio | February 28, 2020
Host: “You are saying if you have a Lenovo laptop on your system, it is a compromised system?”
Dr. Layton: “Absolutely; it could be a compromised system due to the contractual terms from Lenovo as that data can be transferred and collected by law. It doesn’t say what law, but we know that it is the Chinese Internet Surveillance Law.”
Roslyn Layton Interview with Ali-Jae Nicolai, Breitbart News | March 9, 2020