Think Tank Study Recommends “Broadening the Lens” on Cybersecurity with China and Russia

Last week the R Street Institute, a Washington DC-based, pro-free markets think tank released a study which said “Huawei and ZTE are not the only foreign companies that pose a risk to American national security. Other companies from China and Russia, such as Lenovo or Kaspersky, may also pose threats to American national security, given their countries’ problematic legal structures and history of cyber espionage.”

The authors, Paul Rosenzweig and Kathryn Waldron, examine the role of the Committee on Foreign Investment in the United State before reviewing several case studies including Huawei, ZTE, and Lenovo in China, plus Kaspersky and Speech Technology Center in Russia. (Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the U.S. Department of Homeland Security.)
For example, Rosenzweig and Waldron cite a long list of national security alarms with regard to Chinese government-owned Lenovo:

  • 2006: the State Department repurposed 900 Lenovo/IBM computers to protect them from classified networks
  • 2014: the U.S. Navy replaced Lenovo/IBM servers for the Aegis Combat System
  • 2015: the U.S. Department of Homeland Security issued a warning to Lenovo PC users to remove Lenovo’s Superfish tracking software
  • 2016: a leaked U.S. Air Force memo reflected security concerns about Lenovo
  • 2016: a classified internal report by the J-2 intelligence directorate (under the Chairman of the Joint Chiefs of Staff) “warned that Lenovo computers had been caught ‘beaconing’ or secretly communicating with remote devices.”

As an antidote, Rosenweig and Waldron list several proposed legislative responses such as (1) S. 29 / H.R. 618 to create an Office of Critical Technologies and Security, (2) S. 2391/ H.R. 4747 to prohibit federal agencies from procuring technology equipment owned by China, and (3) the Intelligence Authorization Act to establish a “Supply Chain and Counterintelligence Risk Management Task Force.” Finally, the authors suggest a series of steps to be taken by the Federal Acquisition Security Council, created by the SECURE Technology Act.
Read the full study here.