A large number of states in the U.S. have contracts with two Chinese firms — Lenovo and Lexmark — which are required to report data and information they receive to the communist government in Beijing, security analysts say.
The use of Chinese equipment makes the states and other entities which use Lenovo and Lexmark equipment vulnerable to theft of sensitive data, a Feb. 24 report by China Tech Threat said.
The report said 30 states have contracts with Lenovo and 12 with Lexmark. They include Delaware, Florida, Hawaii, Massachusetts, New York, Ohio, Oklahoma, Rhode Island, Tennessee, West Virginia, Wisconsin and Arkansas.
Lenovo was founded in China in 1984 and purchased IBM’s ThinkPad division in 2014. Its computers at one time were integrated into the defense infrastructure, including within the Air Force and Navy, security correspondent Bill Gertz noted for the Washington Times.
Current and past U.S. government clients of Lenovo include the Army and Air Force, the Agriculture Department, the Social Security Administration, the Transportation Department and the IRS.
Under a 2017 Chinese law, Lenovo and Lexmark are required to send data and information they receive from state and local government work to China. The companies a required to cooperate with Beijing’s intelligence services, including granting access to the data the companies collect overseas, the report said.
Lexmark and Lenovo are “banned by multiple military and intelligence agencies in the U.S. and around the globe,” according to the report.
“Chinese hardware and software can facilitate the transfer of data to China where it can be collected, inspected, and processed by the Chinese Communist Party or related actors,” the report said. “While this can be done illicitly, the contracts of Lenovo and Lexmark and larger Chinese information security laws stipulate as much.”