The U.S.-China Economic and Security Review Commission
Lenovo has been linked to Chinese state-led cyberespionage efforts.
Interos Solutions, April 1, 2018
The U.S. government needs a national strategy for supply chain risk management (SCRM) of commercial supply
chain vulnerabilities in U.S. federal information and communications technology (ICT), including procurement
linked to the People’s Republic of China (China or PRC). This strategy must include supporting policies so that U.S.
security posture is forward-leaning, rather than reactive and based on responding to vulnerabilities, breaches, and
other incidents after they have already damaged U.S. national security, economic competitiveness, or the privacy of
This study uses a comprehensive definition of “U.S. government ICT supply chains” that includes (1) primary
suppliers, (2) tiers of suppliers that support prime suppliers by providing products and services, and (3) any
entities linked to those tiered suppliers through commercial, financial, or other relevant relationships. U.S. federal
government ICT supply chains are multi-tiered, webbed relationships rather than singular or linear ones. The supply
chain threat to U.S. national security stems from products produced, manufactured, or assembled by entities that
are owned, directed, or subsidized by national governments or entities known to pose a potential supply chain or
intelligence threat to the United States, including China. These products could be modified to (1) perform below
expectations or fail, (2) facilitate state or corporate espionage, or (3) otherwise compromise the confidentiality,
integrity, or availability of a federal information technology system.