China is penetrating US state technology ecosystems. The case of Lenovo, Lexmark, Hikvision and DIJ

Chinese companies banned or restricted by the US military and national security networks continue to enter into contracts with state governments and various government agencies such as offices, schools and law enforcement agencies. This was revealed by the China Tech Threat report. Here are the highlights

Focus on National Security (paper)

G e N Iuvinale

“The Chinese government is penetrating US state technology ecosystems.” A recent report (1) published by China Tech Threat, an American research center specializing in the analysis of "threats to national security deriving from the partnerships of Beijing's technology companies with the Chinese army", begins with this warning, entitled: "States of denial vs. States of momentum: dangerous Chinese technology in US State Government systems and rising efforts to prohibit contracts supplying it”.

That document, which updates a previous work from March 2020 (2), managed to shed light on how Chinese companies "banned or restricted by US military and national security networks" continue to enter into contracts with state governments (3).

“Lexmark and Lenovo may access sensitive personal and financial information held by courts, police departments, election departments, education departments, children and family services, and other social service providers and agencies. In the case of Hikvision and DJI, they can also collect facial recognition and critical infrastructure data,” says China Tech Threat (5).

In addition, according to this research center, despite growing threats from China and increased awareness of national security vulnerabilities, state government purchases from Lexmark and Lenovo have continued and in some cases even increased significantly since 2020, the year publication of the previous report. For example, “The Delaware Department of Elections, the Hawaii Department of Taxation, and the South Dakota Department of Emergency Management have all used Lexmark or Lenovo products” (6).

However, there is also evidence of a shift at the federal level to take these threats more seriously, the think tank says. While in 2020 only one federal state limited contracts with Chinese-owned or operated technology manufacturers, today at least five of them have adopted restrictions and about 11 others are considering adopting ad hoc rules.

Actions such as Georgia Senate Bill 346 (7) and Florida Executive Order 22-216 (8) ushered in a new wave of state government action aimed at banning Chinese information and communications technology systems (ICTS) from state government contracts.

Understanding Chinese state cyber-espionage

Over the past decade, China has embarked on a massive buildup of its cyber capabilities, and today Beijing poses a formidable threat in cyberspace. The country has accomplished this transformation by achieving three objectives:

• Beijing has reorganized its cyber policy-making institutions;

• the PRC has developed sophisticated cyber offensive capabilities;

• Beijing implements cyber espionage to steal foreign intellectual property on an industrial scale.

Such cyber operations pose a serious threat to the governments of many countries, to businesses and to critical infrastructure networks.

Chinese cyber-espionage activities are increasingly sophisticated as they use advanced tactics, techniques and procedures (TTP) such as vulnerability exploitation and third-party compromise to infiltrate victims' networks. China's top spy agency, the Ministry of State Security (MSS), conducts the majority of global cyber espionage operations to acquire political, economic intelligence (such as the illicit acquisition of technology discussed later), and personal identification (10).

State computer espionage, therefore, is part of the genus of the various tools - Xi Jinping calls them Magic Weapons - implemented by the CCP to pursue a predatory economic strategy (11). Cybersecurity legislation, for example, is a weapon for China's cybersecurity research and industry by requiring companies and researchers to report all discovered software and hardware vulnerabilities to the government before reporting them to vendors. This policy, combined with internal hacking competitions and cooperation agreements with Chinese universities, provides Beijing's security services with a constant stream of vulnerabilities to exploit for state-sponsored operations (12).

According to intelligence experts, cyber espionage is "the activity of surreptitiously surveiling an organization's networks and exfiltrating data for economic gain, competitive advantage, for political or military reasons, or for academic purposes that can be accomplished even by independent contractors (or “paid hackers”) mandated by the state” (13). Furthermore, cyberespionage has advantages because it eliminates some of the risks associated with traditional espionage techniques and allows for an increase in the amount of information that can be collected at any given moment (14).

The cyber-expropriation of technology and big data is an example of how the CCP leverages its capabilities to achieve strategic goals (15). Beijing is generally considered the perpetrator of the most serious damage globally. In addition to clandestine espionage - carried out by government agencies, organizations, commercial entities, individual entrepreneurs, Chinese expatriates, Chinese and foreign researchers - the theft of technology and data takes place through IT raids.

Even the former director of the National Security Agency (NSA) - the body of the US Department of Defense which deals, together with the CIA and the FBI, with national security - US General Keith Alexander, defined this predatory activity as the "largest wealth transfer in history". Currently, all 56 FBI offices conduct China-related economic espionage investigations (17).

In 2017, the Commission on the Theft of American Intellectual Property estimated that intellectual property theft costs the US economy up to $600 billion a year, with a significant impact on jobs and innovation (18). This figure approaches the Pentagon's annual national defense budget and exceeds the total profits of the top 50 Fortune 500 companies (19).

A report from the CNBC Global CFO Council found that in 2019, one in five American companies had their IP stolen in China (20). Anything of commercial value can be illegally acquired by Beijing.

As for the dynamics, the non-traditional collection and theft of IP is not carried out randomly by individuals acting on their own behalf. Beijing has enacted at least two dozen laws that have created a state apparatus for the transfer of foreign technology to laboratories in China that operate on information provided by compatriots working abroad. The apparatus also maintains databases of foreign cooperatives and distributes salaries, treatments and money to foreign donors of high-tech innovations. In addition, the facility is responsible for looking after agents willing to serve China from outside the country. Beijing targets all foreign sources of innovation, including universities, companies and government laboratories, exploiting both their openness and ingenuity.

As we will see below, a potential threat to national security arises precisely from the purchases (and use) of "commercial off-the-shelf" (COTS) hardware and software from Chinese-owned or controlled companies. On this aspect, the United States already sounded the alarm in 2019 when a report by the Inspector General of the DOD identified the purchases of Chinese computers, printers and video cameras as a potential risk (21).

According to advisers to the US government, illegal collection activities cover four main areas (22):

• computer espionage, perpetrated on a global scale through an ad hoc program (23);

• large-scale technological espionage (24);

• non-traditional collection (25);

• new types of hybrid espionage between cyber and human technology.

The 2016 US China Economic and Security Review Commission report states: “China appears to be conducting a commercial espionage campaign against US companies that involves a combination of cyber espionage and human infiltration to systematically penetrate the information systems of US companies to steal their intellectual property, devalue it and acquire it at drastically reduced prices” (26).

The most damaging channel for intellectual property theft remains Chinese cyber espionage. In fact, cyberespionage is both a means of stealing science and technology from foreign states, and a method of gathering information for potential attacks against the military, governmental and commercial technical systems of target countries. These cyber intrusions, therefore, pose a fundamental threat to the economic competitiveness and national security of the affected states.

The FBI has consistently warned that China poses the greatest espionage threat to the United States (27). Its director, Christopher Wray, reiterated in June 2022 that the Chinese government is methodical and "hackers in support of long-term economic goals" (28).

“China operates on a scale that Russia does not come close to. They have a hacking program bigger than all other major nations combined. They have stolen more American personal and corporate data than all nations combined. And they show no sign of tempering their ambition and aggressiveness” (29). Currently, the FBI opens a new counterintelligence investigation into Chinese actions every 12 hours.

In March 2023, cybersecurity firm Mandiant reported that “Chinese cybercriminals have hacked US government departments and telecommunications companies” (30). Google's Mandiant cybersecurity division has released a report (31) on hacker techniques and practices, which reveals the use of a vulnerability in Fortinet software as part of this malicious campaign. The band is highly sophisticated and can reportedly remain within a system undetected for years. The criminal group, dubbed UNC3886 by Mandiant, has struck twice in the past six months, having previously used a VMware vulnerability to target the same victims in September 2022 (32).

There is no possibility to challenge the CCP's decisions in the Chinese Courts. And there is no mandate for data or due process if a plaintiff wants to challenge an illegal intrusion. Users who access China's technology providers such as TikTok, WeChat or AliPay expose themselves to Beijing's social credit system and other data processing. China also maintains a foreign nationals database for a variety of purposes. The risks, therefore, are incalculable.

Governments, therefore, should be aware that Chinese malicious actors are gaining access to their systems through loopholes in ordinary commercially available technologies, whether or not they are owned and operated in China. And Chinese companies are particularly dangerous, because the establishment of China's National Intelligence Law in 2017 increases the risk of them transmitting sensitive third-party data to Beijing (33).

We must prevent the CCP from infiltrating

“Procurement of critical components from China presents the risk of deliberately compromised or sabotaged products” reports the US-China Economic and Security Review Commission in its latest report sent to Congress (34). Chinese military writers, such as theorist Ye Zheng, consider sabotage and exploitation of an adversary's supply chains to be an effective military and espionage tactic (35). In 2020, a report by SOSI International found that the People's Liberation Army's strategic documents prioritize the “exploitation of enemy supply chains and other vulnerabilities,” including “covert hardware attacks with mines, interfaces or backdoors included in transport, information and communication infrastructures” (36). While not all hardware manufactured in China poses a threat to national security infrastructure, the People's Liberation Army (PLA) views sabotaging an adversary's supply chains as a tactic of warfare. Expert Jan-Peter Kleinhans has warned the US that “semiconductors are particularly vulnerable to sabotage and other exploits during back-end APT manufacturing stages where China claims substantial market share” (37). The fact that 90% of the world's telephones and almost 80% of computers are made in China makes the exploitation of technological products a serious threat (38). A 2019 US Department of Defense (DOD) Inspector General report found that the US had not developed controls to prevent the purchase of commercial off-the-shelf (COTS) information technology (IT) products with known cybersecurity risks (39). For example, the report stated that the US Army and Air Force had purchased more than $32 million of COTS IT items, including Chinese-owned Lenovo computers, with known cybersecurity vulnerabilities (40). In its assessment of threats from the use of Lenovo computers, the DOD lists cyber espionage, network access, and Chinese government ownership, control, and influence (41). Persistent procurement from Chinese suppliers such as Lenovo therefore poses serious risks to the defense supply chains of the United States and its allies (42).

The entry of any Chinese technology supplier (for example of 5G) into the internal market of a State is therefore equivalent to authorizing an infiltration of Beijing (43). In 2017, in fact, the law on national intelligence was adopted in China which establishes the obligation, for all Chinese organizations and citizens, to collaborate with the government for security matters (44). In the face of this "pervasive" regulation, the United States has reacted by adopting measures to limit the role of numerous Chinese companies, including Huawei (45).

A cursory reading of China's National Intelligence Law (NIL), adopted on June 27, 2017 at the 28th Standing Committee meeting of the 20th National People's Congress46, reinforces the argument that no country should allow Chinese companies to enter the national critical infrastructure.

• “Article 7: All organizations and citizens shall support, assist and cooperate with national intelligence efforts in accordance with the Law and protect the secrets of national intelligence work of which they are aware” (47);

• “Article 9: The State gives commendations and awards to individuals and organizations that 137 make important contributions to national intelligence efforts” (48);

• “Article 12: “In accordance with relevant state provisions, national intelligence work institutions may establish cooperative relations with relevant individuals and organizations and retain them to carry out related work (49).” Chinese companies and individuals can therefore receive assignments from national intelligence agencies (50); “Article 14: “National intelligence working institutions that lawfully carry out intelligence activities may request that relevant bodies, organizations and citizens provide the necessary support, assistance and cooperation.” These "requests" are real legal obligations as is evident from a combined reading of articles 14 and 7.

A report by the Swedish law firm Mannheimer Swartling further clarifies the breadth of the scope of application of this law (51):

• “The NIL applies globally to Chinese groups, so all subsidiaries, even those outside of China, may be subject to the NIL. Since the Chinese parent company is subject to the NIL, the NIL could, from the point of view of public international law, also have jurisdiction over the foreign subsidiaries of the group. Additionally, the Chinese parent company has governance powers over overseas subsidiaries, which could enforce their compliance with the NIL. […] The NIL applies to all organizations in China, a term which appears to include all types of companies established in China, regardless of ownership, i.e. private and public Chinese shareholders as well as foreign shareholders. […] The NIL applies to all Chinese citizens, and since it does not appear to have an explicit geographical limitation, it could be construed to apply to all Chinese citizens even when they reside outside of China.”

In such a context, all Chinese commercial actors become a potential extension of the CCP abroad (52).

The following are excerpts from remarks by a senior US government official, Christopher Ashley Ford, assistant secretary of state for international security and non-proliferation (53):

• “Huawei (54) is also a major player in Beijing's ongoing military-civilian merger effort to make available to the Chinese military as many technologies as it wants, among those to which the country's civilian sector could have access.

• […] products and technologies from Huawei, Tencent, Alibaba, Xiaomi, Lenovo and other companies have already been used in research, production and repair of weapons and equipment for the PLA. These companies have also provided support services for China's military industry in areas related to electronics, aerospace, shipbuilding, and weapons – all of which, incidentally, are all key areas of the military-civilian fusion goal when it is the acquisition of foreign technology - to enhance the core competitiveness of China's national defense science and technology fields.

• China's military-civilian merger highlights the worrying lack of a clear separation between government, national strategies for military modernization, and the companies that are implementing and enabling those strategies to succeed.

• […] by design, it is increasingly difficult to separate where commerce ends and government begins.”

For this reason, dozens of countries around the world have blocked Chinese telecommunications company Huawei from their 5G networks. In recent years, the US government has taken a series of measures and sanctions against Chinese technology companies. According to a study by the China Development Institute, from January 2017, that is, from when the Trump Administration took office, until Biden passed the United States Innovation and Competition Act (USICA) in June 2021, Congress, the government and the Major think tanks have published 209 bills and reports on China's science and technology policies (56). As one of China's top communications equipment manufacturers, Huawei bears the brunt of this. The United States has been cracking down on Huawei for more than a decade, ever since the proposed acquisition of 3Com Corporation was rejected in 2008 by the United States Committee on Foreign Investments (CFIUS). Since then, Huawei's equipment sales contracts or R&D partnerships with several US companies, including AT&T and Google, have been terminated. Starting in 2018, the crackdown on Huawei sharply increased.

In May 2019, the US Department of Commerce decided to add Huawei to the Entity List for export controls and started to sanction it globally. In May 2020, the Commerce Department expanded the scope of export restrictions, requiring foreign chip makers that use US equipment and software to get approval before they can give chips to Huawei. Three months later, the Commerce Department further restricted Huawei products made with US technology and software, adding 38 Huawei subsidiaries to the Entity List. In practice, the ban had already been intensified on September 15, with a new regulation that prohibited any entity from supplying Huawei with chips with US technology components. The Biden administration has remained consistent with the punitive measures taken against China under the Trump administration. The United States Innovation and Competition Act (USICA) of 2021 includes a provision that prohibits the Department of Commerce from removing Huawei from the Entity List without first demonstrating that it no longer poses a national threat (56). After the US, many countries have banned Huawei from 5G networks, especially Australia, Vietnam, New Zealand, North Macedonia, Bulgaria, Japan, Taiwan, the Republic of Nauru, the United Kingdom, India (de facto) and Canada, where also stipulated that local companies will have until June 28, 2024 to remove 5G equipment and until December 31, 2027 for 4G (57).

The US restrictions for Chinese products

The Lenovo case

The US State Department banned Lenovo systems from its classified network in 2006 (58). The DOD has also taken additional steps to keep such products away from its systems (59). In 2008, the US Marine Corps in Iraq discovered that Lenovo products, altered through the inclusion of covertly planted chips, were transmitting data to China, forcing the Corps to abandon the company's products (60).

Out of fear that China might access data on US ballistic missile technology, the US Navy replaced $378 million worth of its IBM servers in 2015 after Lenovo bought them. The Air Force was also forced to ask Raytheon to rip and replace IBM hardware after the Lenovo acquisition (61) and in 2016 decided to abandon Lenovo (62) routers.

In 2019, as mentioned, the Office of the Inspector General of the Department of Defense released an audit (63) regarding the purchase of commercial items off-the-shelf (COTS) by employees and the related consequences on national security. The report explicitly referred to the purchase of Lenovo laptops. The report, which called these products “known cybersecurity risks,” referred to persistent vulnerabilities in Chinese technology, including popular Superfish software that came pre-installed on Lenovo laptops sold in the United States in 2014 (64). This software billed itself as a means for advertising targeting, but actually acted as an information aggregator to identify user trends, track user credentials, and funnel related data to storage centers in mainland China (65).

“Lenovo is the world's largest personal computer maker with headquarters in China and a US headquarters in Morrisville, North Carolina. What is now Lenovo was founded in China in 1984 by Chinese computer scientist Liu Chuanzi and ten of his colleagues from the Chinese Academy of Sciences (CAS). According to its financial filings, a company called Legend Holdings owns a 32.5% stake in Lenovo. Legend Holdings boasts of being 'ranked in the top 10 of the '500 Best Private Enterprises in China by All-China Federation of Industry and Commerce'.

But Legend Holdings, like all companies in China, is only nominally private. Legend Holdings lists the Chinese Academy of Science Holdings as 'a substantial shareholder', and in fact CAS owns 63% of Legend's domestic shares and 29% of total issued shares.

As a result, the Chinese government is Lenovo's largest shareholder. Legend Holdings' venture capital arm, Legend Capital, has been an investor in the Chinese company iFlytek, which has supplied voice print recognition technologies to the Xinjiang Bureau of Prisons is [..] According to the Economic and Security Audit Commission US-China security Congressman, CAS has 'links to Chinese military, nuclear and cyber espionage programs'. Consistent with its strategy of acquiring PC, server and mobile communications businesses from major US companies, Lenovo solidified its position as the international leader in computer hardware in 2005 with the company's purchase of IBM's ThinkPad business.

At the end of 2022, Lenovo controlled about 16% of the PC market in the United States and at the end of 2019 it boasted of supplying more than 900 state and local governments. Relatively unknown in the global market prior to the purchase, Lenovo found itself among the major technology players, relying on the brand and name recognition of its newly acquired ThinkPad product line to compete for government contracts. Shortly after the acquisition, the US State Department moved to purchase Lenovo laptops for employees” (66).

The Lexmark case

As with Lenovo, various U.S. federal government agencies have restricted the use of Lexmark products. “The Social Security Administration, determined to mitigate supply chain risks in procurement practices, won its argument in Federal Court in 2018 that printers manufactured by Lexmark presented 'an unacceptable supply chain risk to the government' due to Chinese ownership of the company and ties to the Chinese government” (67).

In the aforementioned 2019 DOD Inspector General report, Lexmark products were labeled “known cybersecurity risks,” noting that the U.S. Army and Air Force had purchased 8,000 Lexmark printers. In the document, the inspector had also declared that Lexmark has "connections with Chinese military, nuclear and cyber-espionage programs" (69).

According to China Tech Threat, “Although nominally an American company headquartered in Lexington, Kentucky, Lexmark is 49% owned by a consortium of China-based companies, including Legend Holdings, the same state-funded Chinese company with a large stake in Lenovo. Lexmark has long been the subject of various reports regarding cyber threats and espionage risk, with the printer company facing allegations from various technology experts and conglomerates that the company's printers could be used as a means of computer intrusion. Printers, one of the least secure Internet of Things devices, store sensitive data on internal hard drives derived from the various print jobs performed every day. This sensitive data can be accessed through various software vulnerabilities in the printer, making sensitive documentation visible to adversaries and foreign actors” (70).

The Dij case

Regarding Da Jiang Innovations (DJI), in 2021 the Department of Homeland Security - which deals with internal security - warned that the Chinese company represents "a threat to national security" and "was providing critical US infrastructure and data on the forces of the order to the Chinese government” (71). In 2017, the U.S. Immigration and Customs Enforcement also issued a notice stating that “critical infrastructure and law enforcement agencies using DJI systems are collecting sensitive information that the Chinese government may use to conduct physical or cyber attacks against the United States and the its population". In 2018, the Department of Defense banned the purchase of all standard drone technology and in 2021 declared that “systems manufactured by Da Jiang Innovations (DJI) pose potential threats to national security” (73).

“Founded in 2006, Chinese drone maker Da Jiang Innovations, or DJI for short, has quickly grown into a behemoth, controlling an estimated 54% of the global drone market as of 2021 and 77% of the hobby drone market as of 2021. as of 2020. It has raised investment funds from China Chengtong Holdings Group, which is directly administered by the Beijing State Assets Supervision and Administration Commission (SASAC). In 2020, The Wire China reported that more than 900 US state and local governments and emergency services used DJI products.

DJI also helped carry out the acts of genocide that the Communist Party of China is perpetrating in Xinjiang by supplying equipment to the Xinjiang Public Security Bureau, thus resulting in the company being blacklisted by the Commerce Department in 2021” (74).

The Hikvision case

In November 2021, President Joe Biden passed a Secure Equipment Act that prohibits the Federal Communications Commission (FCC) from licensing network equipment to companies that pose a danger to national security. Huawei and ZTE immediately paid the price. In addition, section 889 of the John S. McCain National Defense Authorization Act prohibits government contractors from supplying the federal government with telecommunications or video surveillance equipment, systems, or services (or an essential component thereof), or other products supplied by five Chinese companies and their subsidiaries and affiliates. Separately, section 889 also prohibits government contractors from using these items or specific services, whether or not they are used in performing work under a federal contract. The five banned Chinese companies are: Huawei Technology Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company and Dahua (75) Technology Company. The Pentagon has also banned Hikvision from its systems (76).

“The United States could also place Hikvision on the list of Specially Designated Nationals (SDN), the most punitive “black list” ever. If this happens, it would represent a historic development in US-China relations, with the potential to negatively impact access to financial services or trade relationships globally. In fact, according to the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury, the assets of individuals who form part of the corporate structure and of companies classified therein would be immediately "frozen" and in the United States it would be absolutely forbidden to deal with them, for reasons of national security” (77).

The latest international investigations show that Hikvision also supplies surveillance equipment to Chinese structures for the repression of Uyghurs in Xinjiang (78). In fact, a recent report found, based on documents from Xinjiang police archives, that the cameras made by the Chinese surveillance company Hikvision are deeply integrated into an intelligence program, aimed at tracking down and detaining Uyghurs and people of other ethnic groups in Xinjiang. The report examines Hikvision's role in human rights violations, including surveillance of mosques and concentration camps, Xinjiang's massive mass surveillance networks, and AI detection of ethnic Uighurs (79).

Police in the Uyghur region check all 23 million residents for the generic hypothesis of "terrorism", with facial recognition and license plate cameras, flagging those with foreign ties, for "immediate arrest". The report shows that Hikvision technology, in some cases identified down to the serial numbers of some cameras, has captured footage that has led to the detention of specific Uyghur individuals. In one exemplary case, the police traced the car of a Uyghur man after a Hikvision camera filmed his license plate (80).

“China's mass surveillance program is one of the largest on Earth and is expanding rapidly. In 2017, China had 176 million surveillance cameras, and by July 2018, their number had risen to 200 million. Chinese policy makers believe that building smart cities is a vital component of the Belt and Road Initiative. The pairing of smart cities with BRI comes from the highest level of Chinese government: In a May 2017 speech, Xi Jinping said that BRI must 'promote big data, cloud computing and smart city construction'” (81).

“Hikvision, a manufacturer of surveillance equipment, is a subsidiary of the Chinese state-owned China Electronics Technology Group Corporation. The Commerce Department wisely added Hikvision to the Entity List in 2019 for complicity in the genocide (the legal term applied by the US government) that the Chinese Communist Party perpetrated against Uyghur Muslims in Xinjiang, China. The FCC has also added Hikvision to its covered list, which means that Hikvision products are prohibited from accessing the American radio frequency spectrum” (82).

Why don't states implement restrictions?

According to China Tech Threat (83), companies controlled by China-based entities such as Lenovo, Lexmark, Hikvision, and DJI have spread their products throughout US state government technology systems; this begs the question: why did states allow this?

While the US federal government has taken laudable steps in recent years to address Chinese technology threats, individual states have not kept pace. As a result, the misalignment of federal and state policies regarding Chinese technologies continues to grow. For example, the think tank adds (84), Section 889 of the National Defense Authorization Act prohibits the federal government from purchasing or using information and communications technology and services (ICTS) products and services from Chinese companies Huawei, ZTE, Hikvision, Dahua, and Hytera (85). Yet a study by Georgetown University's Center for Security and Emerging Technology (CSET) found that “in recent years, nearly 1,700 government agencies have purchased Section 889-covered ICTS, introducing potential vulnerabilities into networks of public schools, universities, hospitals, prisons, public transit systems and government offices nationwide” (86).

The reason why states have lagged behind the federal government is "mainly a matter of money, ignorance and political will," argues the American research center (87). In particular, the reasons for this delay can be found:

• in the lack of uniform national best practices important for mitigating the danger from these companies; which has allowed the related threat to national security to go relatively unchecked;

• in the fact that few state legislators have fully understood the national security implications of Beijing's malign activity within states;

• cost-effectiveness because state governments, many of which operate under tight budgetary constraints, are disincentivized from choosing technologies that are generally more expensive than their Chinese counterparts.

Some if some states have taken action – this is the case for example of Georgia (SB 346) and Florida (executive order 22-216) – in February 2023 China Tech Threat was able to discover that since 2015, out of a total of beyond $230 million in purchases, states had spent approximately $47 million on Lexmark or Lenovo product (88). Previous research from 2020 had already found that around 40 states had contracted and made payments with Chinese government-owned technology makers such as Lenovo and Lexmark (89).

The introduction of Lexmark and Lenovo equipment into state technology ecosystems therefore means that the intelligence-gathering operation of the Communist Party of China is better able to access some pools of more sensitive citizen information. Agencies that have purchased technology from Lexmark and/or Lenovo include the Arizona Board of Fingerprinting, Kentucky State Police, Delaware Department of Elections, Wisconsin Supreme Court, Ohio Department of Public Safety, Idaho Military Division, South Dakota National Guard Armory, and legislatures in Alaska, Colorado, Kansas and New Hampshire (90).

Furthermore, last January, Mississippi auditor Shad White warned in the Sun Herald that government offices in his state "could buy dangerous Chinese technology". Mississippi, China Tech Threat points out, between 2018 and 2022 spent more than $400,000 on Lexmark and Lenovo technology (91). “This dangerous technology,” the researchers add, “restricted by the federal government is used in state agencies including the Division of Medicaid, the Department of Rehabilitation Services and the Administrative Office of the Supreme Court. Health and personal data, as well as highly sensitive judicial and financial information, are made vulnerable to Chinese espionage by the use of this unreliable technology by manufacturers already restricted by US military and intelligence agencies due to their connection to the government and with the Chinese army” (92).

In response, Mississippi lawmakers have introduced bills to help safeguard state infrastructure and information from threats to national security from Chinese technology deemed unsafe. Specifically, Senator Angela Burks-Hill sponsored Senate Bill 2046, an act to ban technological equipment produced within the borders of foreign nations deemed hostile, including the People's Republic of China.

With this bill, Mississippi is currently one of about twelve US states that, to prevent the exposure of sensitive information to the Chinese government, is taking steps to prohibit its agencies from purchasing and distributing technology from Beijing (93).

However, warns China Tech Threat - which has been studying threats and risks from information technology (IT) produced by entities owned and/or affiliated to the Government of the People's Republic of China since 2019 - in the United States there is still a long way to go so that all States take note of the seriousness of the problem and adopt adequate solutions.

This paper published in the scientific journal: Agenda Digitale

Notes and bibliography

1. China Tech Threat, “States of denial vs. States of momentum: dangerous Chinese technology in US State Government systems and rising efforts to prohibit contracts supplying it” 2020, February 23, 2023

2. Dr. Roslyn Layton, “Stealing From the States: China’s Power Play in IT Contracts US State Governments’ Failure to Scrutinize the Purchase of Lenovo and Lexmark Equipment Jeopardizes Data Security”, China Tech Threat, March 2020

3. China Tech Threat, “States of denial vs. States of momentum: dangerous Chinese technology in US State Government systems and rising efforts to prohibit contracts supplying it”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit. Lenovo computers were banned by the State Department in 2006 following reports of covert hardware or software being used for cyber-espionage. The 2019 DOD Inspector General Report (https://www.oversight.gov/sites/default/files/oig-reports/DODIG-2019-106.pdf), for example, listed Lenovo computers, Lexmark printers and GoPro cameras as examples of unsecured equipment listed in the National Vulnerabilities Database. Lexmark printers and Lenovo computers are made in China and have links to state intelligence agencies, according to the report. With growing fears of Chinese counterintelligence and massive power competition, links to China are adding to the threats posed by vulnerabilities. See also: Jackson Barnett, DOD continues to buy products it knows have cybersecurity vulnerabilities, FEDSOOP, July 31, 2019.

4. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM:, cit.

5. Ibidem.

6. Ibidem.

7. Georgia Senate Bill 346, Department of Administrative Services; companies owned or operated by China to bid on or submit a proposal for a state contract; prohibit, Effective Date 2022-07-01.

8. State of Florida, Office of Governor, Executive Order number 22-216.

9. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”, Antonio Stango Editore, 2023.

10. MSS official site

11. Ibidem

12. Ibidem

13. National Counterintelligence and Security Center, “Foreign Economic Espionage in Cyberspace”, 2018, https://www.dni.gov/files/NCSC/documents/news/20180724-economic-espionage-pub.pdf; Recorded Future, “The Unfortunate Many: How Nation-States Select Targets”, 2017, https://www.recordedfuture.com/nation-state-cyber-threats; BAE Systems, “The Nation State Actor: Cyber Threats, Methods and Motivations”, https://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor.

14. Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron (eds), “China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain” New York, 2015; online edn, Oxford Academic, April 23, 2015 https://doi.org/.

15. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”, pagg. 95, cit.

16. Office of Policy Planning, U.S Department of State, The Elements of the China Challenge, November 2020 (revised December 2020): https://www.state.gov/wp-content/uploads/2020/11/20 -02832- Elements-of-China-Challenge-508.pdf

17. Ibidem

18. The Commission on the Theft of American Intellectual Property, Update to the IP Commission Report: The Theft of American Intellectual Property: Reassessments of the Challenge and United States Policy, “The National Bureau of Asian Research”, 2017: https://www.nbr.org/wp-content/uploads/pdfs/publications/IP_Commission_Report_Update.pdf

19. Office of Policy Planning U.S Department of State, The Elements of the China Challenge, cit.

20. Eric Rosenbaum, “1 in 5 corporations say China has stolen their IP within the last year: CNBC CFO Survey”, CNBC, March 1, 2019: https://www.cnbc.com/2019/02/28/1-in-5-companiessay-china-stole-their-ip-within-the-last-year-cnbc.h

21. Nicola Iuvinale, “Tutti i Paesi assistono con superficialità al dilagare dello spyware del Partito Comunista Cinese”, “Extrema Ratio”, January 18, 2022

22. William Hannas, James Mulvenon e Anna Puglisi, Chinese Industrial Espionage: Technology Acquisition and Military Modernization, “Routledge”, May 15, 2013

23. See: U.S. Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, https://www.dni.gov/files/documents/ Newsroom/ Reports%20and%20Pubs/20111103_report_fecie.pdf; Threat Connect, Project Camera Shy Closing The Aperture On China's Unit 78020, 31.1.2019: https://threatconnect. com/resource/project-camerashy-closing-the-aperture-on-chinas-unit-78020/; Dan McWhorter, “APT1: Exposing One of China's Cyber ​​Espionage Units”, “Mandiant”, https://www. mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units; Dmitri Alperovitch, Revealed: Operation Shady RAT, “McAfee”, Aug 2011: https://icscsi.org/library/Documents/ Cyber_Events/McAfee%20-%20Operation%20Shady%20RAT.pdf; McAfee Foundstone Professional Services and McAfee Labs, Global Energy Cyberattacks: ‘Night Dragon’, 2.10.2011: https://www.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon _wp_draft_to_customersv1-1.pdf; Bryan Krekel, Patton Adams, and George Bakos, Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber ​​Espionage, U.S.-China Economic and Security Review Commission, July 3, 2012: https://www.uscc.gov/sites /default/files/Research/USCC_Report_Chinese_Capabilities_for_ Computer_Network_Operations_and_Cyber_%20Espionage.pdf.

24. Peter Mattis, Chinese Human Intelligence Operations against the United States, U.S.- China Economic and Security Review Commission, June 9, 2016: https://www.uscc.gov/ sites/default/files/Peter%20Mattis_Written%20Testimony060916.pdf

25. William Hannas, James Mulvenon e Anna Puglisi, Chinese Industrial Espionage: Technology Acquisition and Military Modernization, cit;

26. U.S.-China Economic and Security Review Commission, 2016 Annual Report to Congress, novembre 2016: https://www.uscc.gov/sites/default/files/annual_reports/2016 %20Annual%20Report%20to%20Congress.pdf

27. Statement by FBI Director Christopher Wray, https://www.cbsnews.com/video/wray-china-is-biggest-counterintelligence-threat-facing-the-u-s/

28. Christopher Wray, “Director’s Remarks to the Boston Conference on Cyber Security 2022”, FBI Boston Conference on Cyber Security, 2022: https://www.fbi.gov/news/ speeches/directors-remarks-to-boston-conference-on-cyber-security-2022.

29. Ibidem

30. ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR and TINA JOHNSON, Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation, Mandiant, March 16, 2023, https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem.

31. Ibidem

32. Ibidem

33. National Intelligence Law of the People's Republic of China Adopted at the 28th Meeting of the Standing Committee of the 12th National People's Congress on June 27, 2017, https://www.12339.gov.cn/article/law_con.

34. U.S.-China Economic and Security Review Commission, “2022 REPORT TO CONGRESSof the U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION”, 2022

35. Ibidem

36. Ibidem; Pointe Bello, “Beijing’s Backdoors into Infrastructure Technology Have a Name …and a Far-Reaching Purpose,” February 2020.

37. Jan-Peter Kleinhans, testimony before the U.S.-China Economic and Security Review Commission, Hearing on U.S.-China Competition in Global Supply Chains, 2022

38. U.S. Department of Defense, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, September 2018, 36

39. U.S. Department of Defense, Inspector General, (U) Auditof the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items July 26, 2019; See also sub note 3.

40. Ibidem

41. Ibidem

42. Ibidem

43. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”,137, cit.

44. Resolution of the European Parliament of 12 March 2019 on "Security threats related to the increase of Chinese technological presence in the Union and possible action at Union level to reduce these threats" (2019/2575(RSP): https://www europarl.europa.eu/doceo/document/TA-8-2019-0156_EN.pdf; Art. 14 National Intelligence Law of the People's Republic of China of 27.6.2017, revised on 27.4.2018: http://www. lawinfochina.com/display.aspx?id=23733&lib=law; Kadri Kaska, Henrik Beckvard and Tomas Minarik, Huawei, 5G and China as a Security Threat, NATO Cooperative Cyber ​​Defense Center of Excellence (CCDCOE), 2019: https:// ccdcoe.org/uploads/2019/03/ CCDCOE-Huawei-2019-03-28-FINAL.pdf.

45. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”,140, cit:“In May 2019, the US Department of Commerce decided to add Huawei to the Entity List for Export Controls and began to sanction it globally. In May 2020, the Commerce Department expanded the scope of export restrictions, requiring foreign chip makers that use US equipment and software to get approval before they can give chips to Huawei. Three months later, the Commerce Department further restricted Huawei products made with US technology and software, adding 38 Huawei subsidiaries to the Entity List. In practice, the ban had already been intensified on September 15, with a new regulation that prohibited any entity from supplying chips with US technological components to Huawei. The Biden administration has remained consistent with the punitive measures taken against China under the Trump administration. The United States Innovation and Competition Act (USICA) of 2021 includes a provision that prohibits the Department of Commerce from removing Huawei from the Entity List without first demonstrating that it no longer poses a national threat”; see also U.S. Department of Defence, DOD Releases List of People's Republic of China (PRC) Military Companies in Accordance With Section 1260H of the National Defense Authorization Act for Fiscal Year 2021, October 5, 2022, https://media.defense.gov/2022/Oct/05/2003091659/-1/-1/0/1260H%20COMPANIES.PDF

46. National Intelligence Law of the People’s Republic of China CLI.1.297110(EN)

47. Ibidem

48. Ibidem

49. Ibidem

50. Ibidem

51. Carolina Dacko and Lucas Jonsson, Applicability of Chinese National Intelligence Law to Chinese and non Chinese Entities, “Mannheimer Swartling”, January 2019: https://www.mannheimerswartling.se/app/uploads/2021/04/msa_nyhetsbrev_national-intelligencelaw_jan-19 .pdf

52. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”,138, cit.

53. Christopher Ashley Ford, "Huawei and its Siblings, the Chinese Tech Giants: National Security and Foreign Policy Implications," US Department of State, Sept. 11, 2019: https://2017-2021.state.gov/huawei-and- its-siblings-the-chinese-tech-giantsnational-security-and-foreign-policy-implications/index

54. Huawei has consistently denied allegations that it has ties to the CCP, claiming that the world is misinterpreting the NIL. According to Huawei's official statement, the company has no connection with the Chinese state, as evidenced by the FAQ (Frequently Asked Questions) posted on the company's official website: 8. “Q&A”, Huawei Facts, Huawei's corporate website Huawei: https://www.huawei.com/en/facts. However, US intelligence claims that the Chinese government helped fund Huawei (“U.S. intelligence says Huawei funded by Chinese state security: report”, Reuters, 4.20.2019), as well as allowing the theft of intellectual property (Dan Strumpf and Patricia Kowsmann, “US Prosecutors Probe Huawei on New Allegations of Technology Theft”, “The Wall Street Journal”, 8.29.2019: https://www.wsj.com/articles/us-prosecutors-probe-huawei-on- new-allegations-of-technology-theft-11567102622).

55. Dingding Chen and Wang Lei, “Where Is China-US Technology Competition Going?”, “The Diplomat”,May 2, 2002: https://thediplomat.com/2022/05/where-is-china-us-technologycompetition-going /.

56. Ibidem

57. For a complete discussion, see Gabriele and Nicola Iuvinale, “Xi Jinping's China – Towards a New Sinocentric World Order?”,140, cit.

58. Steve Lohr, State Department Yields on PC’s From China, 23.6.2006; China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

59. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit;.

60. Jordan Robertson e Michael Riley, The Long Hack: How China Exploited a U.S. Tech Supplier, Bloomberg, 2021

61. Sandra Erwin, U.S. military doubles down on GPS despite vulnerabilities, SpaceNews, 2021

62. Hayley Tsukayama e Dan Lamothe, Come un’e-mail ha scatenato un battibecco sul ruolo di Lenovo di proprietà cinese al Pentagono, The Washington Post, April 22, 2016

63. 2019 DOD Inspector General Report

64. Ibidem

65. Roslyn Layton, New Pentagon Report Shows How Restricted Chinese IT Products Routinely Enter US Military Networks, AEI, 2019, https://www.aei.org/technology-and-innovation/new-pentagon-reports-shows-how-restricted-chinese-it-products-routinely-make-their-way-into-us-military-networks/

66. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

67. Ibidem; Jason Miller, SSA bid protest win demonstrates power of acquisition to protect the supply chains, Federal News Network, https://federalnewsnetwork.com/reporters-notebook-jason-miller/2018/05/ssa-bid-protest-win-demonstrates-power-of-acquisition-to-protect-the-supply-chains/

68. 2019 DOD Inspector General Report

69. Ibidem

70. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

71. Ibidem

72. U.S. Immigration and Customs Enforcement, “U) Da Jiang Innovations (DJI) Likely Providing U.S. Critical Infrastructure and Law Enforcement Data to Chinese Government”, UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE, 2017, https://info.publicintelligence.net/ICE-DJI-China.pdf

73. DOD, Department Statement on DJI Systems, July 23, 2021

74. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit; RICHARD LAWLER, US Treasury Says DJI Assists Chinese Surveillance of Uyghurs, Blocks Investment, The Verge, 12/16/2021

75. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”, cit.

76. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

77. Ibidem

78. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”, cit.

79. Conor Healy, “Hikvision,Xinjiang, Uyghurs & Human Rights Abuses – White Paper”, IPVM, May 17, 2022

80. Gabriele e Nicola Iuvinale, “La Cina di Xi Jinping – Verso un nuovo ordine mondiale sinocentrico?”, cit.

81. Ibidem

82. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

83. Ibidem

84. Ibidem

85. NDAA Section 889

86. Jack Corrigan, Sergio Fontanez and Michael Kratsios, “Banned in D.C. Examining Government Approaches to Foreign Technology Threats”, CSET, October 2022, https://cset.georgetown.edu/wp-content/uploads/CSET-Banned-in-D.C.-1.pdf.

87. China Tech Threat, “STATES OF DENIAL VS. STATES OF MOMENTUM: DANGEROUS CHINESE TECHNOLOGY IN U.S. STATE GOVERNMENT SYSTEMS AND RISING EFFORTS TO PROHIBIT CONTRACTS SUPPLYING IT”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit.

88. Ibidem

89. Dr. Roslyn Layton, “Stealing From the States: China’s Power Play in IT Contracts US State Governments’ Failure to Scrutinize the Purchase of Lenovo and Lexmark Equipment Jeopardizes Data Security”, cit.

90. China Tech Threat, “ States of denial vs. States of momentum: dangerous Chinese technology in US State Government systems and rising efforts to prohibit contracts supplying it”, REFRESH OF RESEARCH ORIGINALLY PUBLISHED IN MARCH 2020, cit

91. Ibidem

92. China Tech Threat, Mississippi State Auditor Issues China Tech Spending Warning, Legislators Respond, 2023, https://chinatechthreat.com/mississippi-state-auditor-issues-china-tech-spending-warning-legislators-respond/.

93. China Tech Threat, 2023 State Momentum, https://chinatechthreat.com/states-stop-china-tech/2023-state-momentum-map/.