US States Reconsider $230M On Restricted Lexmark, Lenovo Products

The sight of a Chinese balloon violating American airspace three weeks ago angered and concerned many Americans, and rightfully so. But they shouldn’t be distracted by a single high-profile incident of Chinese espionage – there is a far more prevalent threat persisting right now which is completely legal under most state laws. As a new report from China Tech Threat makes clear, state government contracts with Chinese-owned and operated companies Lexmark and Lenovo are giving the Chinese government an easy access point for spying, stealing, and launching cyberattacks. Getting serious about protecting the country from Chinese espionage must entail ending those deals.

The Chinese government is capable of exploiting technology of any provenance for nefarious purposes. But Chinese-owned and operated companies are especially dangerous. As companies either domiciled in China or substantially owned by China-based entities, companies such as Lexmark and Lenovo – two of the most popular markers of printers and laptops, respectively – are obligated under the 2017 National Intelligence Law to do what the Chinese government commands, including turning over reams of data in their possession to Beijing. This fear has motivated dozens of Western countries to keep Huawei out of their 5G networks.

Unfortunately, U.S. states have created a major vulnerability for themselves by purchasing tens of millions of dollars worth of Lexmark and Lenovo products over the years. As the new China Tech Threat report says, “Our latest review of contract information and public databases from 28 states found that states have cumulatively awarded a total of $230 million worth of contracts for Lexmark or Lenovo products since 2015, with individual states spending as much as $47 million.” State entities from the Arizona Board of Fingerprinting, to the Iowa Department of Corrections, to the New Hampshire state legislature have given Beijing an open doorway to harvest their citizens’ data – or worse.

Why states haven’t been more aggressive in counteracting these threats is mostly a matter of “money, ignorance, and political will,” according to the report. It continues:

“The lack of uniform best practices across U.S. states to mitigate the danger from these companies has allowed the threat to go relatively unchecked. State technology and procurement officers may believe that products recommended by the National Association of State Procurement Officials (NASPO) have legitimacy, but NASPO does not consider security in its vendor recommendations, even in an age when states have become more vulnerable. Additionally, state governments – many of them acting under tight budget constraints – are disincentivized from choosing technologies that are typically more expensive than their Chinese counterparts. “Rip and replace” campaigns to eliminate Chinese gear from their systems are also expensive.”

Troublingly, the states’ comfort with Lexmark and Lenovo runs contrary to the Pentagon’s assessment. In 2015, the U.S. Navy replaced $378 million worth of its IBM servers after Lenovo purchased them, out of fear China could access data on U.S. ballistic missile technology. The Air Force was also forced to ask Raytheon to rip-and-replace IBM hardware after the Lenovo purchase. A 2019 Department of Defense Inspector General’s report confirmed Lenovo and Lexmark products as “known cybersecurity risks.” The report also stated that Lexmark has “connections to Chinese military, nuclear, and cyberespionage programs.”

Thankfully, some states have begun to recognize the threat and take action. Comprehensive actions in Georgia (S.B. 346) and Florida (Executive Order 22-216) last year have kickstarted momentum for states to stop Chinese companies from participating in state contracts. Today at least eleven states are currently working on bills to stop state contracts with Chinese tech companies. The American Legislative Exchange Council (ALEC) likewise adopted a model policy based on the Georgia legislation in July of 2022 to help states stop using funds to “purchase technology products, and/or services from manufacturers or other providers that are owned by, affiliated with, and/or unduly influenced by the People’s Republic of China (PRC).”

Predictably, technology suppliers with entrenched interests are fighting back. It is of the utmost importance that states remain vigilant against lobbying efforts to keep open loopholes which allow third-party vendors to continue to sell Chinese gear. It completely defeats the purpose of the new laws if a state is banned from buying laptops direct from Lenovo but a technology wholesaler is free to sell them.

China has long made U.S. states a target – and they have a long way to go to clean up the problem of untrustworthy Chinese technology in their systems. Fortunately, momentum is shifting at the state level to combat these vulnerabilities, and not a moment too soon.