New York Spent $28 Million On Restricted Chinese Tech. It’s Time To End These Risky Contracts.

The State of New York is a leader in many industries. The third largest economy in the country and the eleventh largest globally, New York is home to the world’s financial markets, a hub of biotech innovation, a leader in modern optics and electronics, and, potentially, the next Silicon Valley of semiconductor design and manufacturing. New York’s diverse base of cutting-edge industries makes it a lucrative target for state-sponsored cyber-criminals—namely Chinese military hackers—who are actively working to pilfer U.S.-made technology, government secrets and consumer data. Yet New York’s Office of General Services (OGS) provides little insight into what, if any, guardrails exist to prevent government purchases from Chinese state-owned manufacturers, whose products may contain built-in backdoors and other vulnerabilities.

I contacted New York’s Office of General Services to determine whether the state’s procurement policy considers federal restrictions on technology makers; whether it weighs the impact of foreign adversarial state-owned enterprises; and how the office evaluates data security. While that request remains outstanding, data collected by China Tech Threat finds that New York has invested significantly in products made by Chinese state-owned companies, including vendors blacklisted by federal agencies, which may contain vulnerabilities hackers can use to access sensitive information.

According to China Tech Threat’s analysis, the New York State Government spent nearly $15 million on Lenovo computers, systems and IT services, and over $13 million on Lexmark printers and services. These manufacturers are among the Chinese government-owned companies that have been restricted by U.S. military and intelligence agencies over evidence that their products could enable espionage, surveillance or sabotage.

Public records show New York’s purchases include $6.3 million on Lenovo microcomputers; $5 million on Lenovo microcomputer systems and services; $2.9 million on Lenovo umbrella services; $7 million on Lexmark printers; $1.3 million on Lexmark printing and imaging; $1 million on Lexmark print management services; and $3.8 million on indeterminate services from Lexmark.

A 2019 audit by the U.S. Department of Defense (DoD) Inspector General named Lenovo and Lexmark among the Chinese state-owned entities that pose a threat to supply chain security and national security interests. The report notes that Lenovo, which is nearly 30% owned by state-controlled Legend Holdings Corp., presents a “cyberespionage risk” and Lexmark, which is “state-influenced,” has a “history of security vulnerabilities.” The DoD’s auditor found that in 2018 DoD employees purchased $32.8 million of products known to include security vulnerabilities. The report highlights that Lexmark printers had been exploited more than 20 times, “including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer.”

In 2006, the U.S. State Department banned Lenovo computers on its classified networks after reports surfaced that the computers were built with hidden hardware or software used for cyberespionage. In 2010, testimony in federal court from a U.S. Marine in Iraq revealed, “A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China. That was a huge security breach. We don’t have any idea how much data they got, but we had to take all those systems off the network.” In 2015, the Department of Homeland Security issued a warning about Lenovo computers containing pre-installed spyware. In 2016, the Joint Chiefs of Staff Intelligence Directorate released an alert that Lenovo handheld devices could introduce compromised hardware into the DoD supply chain, creating a cyber-security risk on classified and unclassified networks.

While federal agencies have taken action to remove potentially compromised components from their systems and reinforce supply chains, there is no public evidence New York has taken corrective measures.

New York is not alone. Many states have significant contracts with Chinese government-owned manufacturers. The National Association of State Procurement Officers (NASPO) negotiates contracts with corporations to validate product and service contracts for members. Security is not a parameter of NASPO’s evaluations.

However, New York is unique in the size of its contracts and its target value to state-sponsored cyber-attackers. The state plans to allocate $23.5 billion in federal American Rescue Plan funding, much of which will be used to upgrade its IT systems. There are little to no controls to keep these precious federal funds from being used for malign Chinese government-owned equipment. The situation could be a repeat of the rip-and-replace effort that left U.S. taxpayers footing the bill to rid networks of Huawei equipment.

The good news is that this adverse outcome is entirely avoidable by not buying the malign equipment in the first place. An ounce of prevention is worth a pound of cure, and there are many trusted vendors from allied countries.

Originally published in Forbes.