When States Buy Chinese, America Is Put at Risk | Opinion
As a former Army Intelligence general, I shared Americans' contempt at the sight of a Chinese spy balloon floating above the United States earlier this month. It was a brazen symbol of disrespect for American sovereignty and our world-class detection capabilities. More troublingly, it was just the tip of a Chinese espionage iceberg inside the U.S.
China is everywhere—operations targeting American politicians and theft of commercial information from American companies are just two deeply established (and frankly, successful) lines of effort. While American leaders are thankfully working to close these security gaps, they are still paying inadequate attention to a major vulnerability at the state level: U.S. state governments have purchased millions of dollars' worth of technology manufactured by companies beholden to Beijing.
That the Chinese Communist Party (CCP) is actively penetrating state government systems isn't new information. Last year, cybersecurity firm Mandiant reported that Chinese hacking groups working at the CCP's direction had hacked six state government computer networks. Mandiant noted that the intruders were able to conduct this cyber breach by exploiting, in the words of the Associated Press, "a previously unknown vulnerability in an off-the-shelf commercial web application used by 18 states for animal health management." Cybersecurity expert Joseph Steinberg commented on the incident: "If we know that six states were breached by Chinese spies, it means we know 44 states probably have Chinese spies operating on their network that we don't know about."
As this incident shows, the CCP can exploit almost any technology to spy, steal, and harvest data, and is positioned organizationally, financially, and politically to make that happen. But the fact that Chinese-owned and operated companies such as Lexmark, Lenovo, Hikvision, and DJI have millions of dollars' worth of state government contracts makes the situation even more dangerous. China's 2017 National Intelligence Law obligates all Chinese companies to cooperate with any Chinese government directive to hand over information in their possession. That means any U.S. user data and sensitive knowledge—including health and financial data—can be in Beijing's possession. This concern is the main reason so many nations have banned the Chinese telecom giant Huawei from their 5G networks.
Federal national security agencies understand the risks of companies such Lexmark, Lenovo, Hikvision, and DJI. The Marine Corps discovered in 2008 that Lenovo laptops were sending data back to China. A Marine network operations officer testifying in court about the matter stated, "A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China....That was a huge security breach." In 2019 the Department of Defense Inspector General labeled Lenovo and Lexmark products "known cybersecurity risks." The entire federal government was banned from purchasing Hikvision products – primarily surveillance cameras—that same year. In 2018 the Pentagon banned purchases from drone maker DJI, and the Department of Homeland Security warned that DJI was "providing U.S. critical infrastructure and law enforcement data to the Chinese government."
But state governments haven't kept pace with the federal government. The organization of which I am a principal, China Tech Threat (CTT), recently updated research initially published in 2020 on how U.S. states have entered into contracts to purchase IT equipment made by Chinese-owned and operated companies. The sum total spent is staggering: CTT's latest review of contract information and public databases from 28 states found that states have cumulatively bought a total of at least $230 million worth of Lexmark or Lenovo equipment since 2015, with individual states spending up to $47 million.
The Delaware Department of Elections, the Hawaii Department of Taxation, and the South Dakota Department of Emergency Management are just a few state government entities to have unwittingly abetted CCP access to Americans' data by buying either Lexmark or Lenovo products. The financial disincentives to ending these relationships can be strong: Just this past weekend, I observed a Lenovo sponsorship prominently displayed at North Carolina State University's basketball arena.
The good news is that momentum to confront these threats is building at the state level. By CTT's count, in 2020, only a single state (Vermont) had pursued legislation to restrict U.S. states from buying technology manufactured by a Chinese owned or operated company. In 2022, that number had risen to five, and today it is at least 11.
New policies launched in Georgia and Florida in 2022 have fueled the flurry of states working on legislation prohibiting Chinese owned or operated companies from participating in state contracts. Georgia S.B. 346 has even served as model legislation which the American Legislative Exchange Council (ALEC)—the nation's largest network of state legislators—has promulgated to its members. But both the Georgia law and the ALEC legislation retain a loophole that allows third-party vendors to continue selling Chinese gear to the states. That flaw must be remedied, and legislators in other states must be careful not to repeat that mistake as they draft their own new bills. When it comes to defending America from the Chinese Communist Party, Sacramento and Bismarck are no less a locus of competition than Shanghai and Beijing.
Retired U.S. Army Major General James "Spider" Marks is a principal at China Tech Threat. His final posting in uniform was as the Commanding General of the U.S. Army Intelligence School in Fort Huachuca, Arizona.
The views expressed in this article are the writer's own.
