While federal agencies and the US military have rightly taken action to restrict the use of technology from Chinese government entities, U.S. states haven’t addressed this vulnerability with the same vigor. In October 2021, a China Tech Threat report found that 40 states continue to use equipment from Chinese government-owned Lenovo and Lexmark, despite federal security restrictions against these companies.
The Associated Press reported that the Chinese government hacked at least six state governments last year. As cybersecurity expert Joe Steinberg rejoined, “Six states know that they were breached by Chinese spies; that means 44 states don’t yet know they’ve been breached.” While some post-purchase measures can secure systems from software hacks, hardware-based hacks are essentially impossible to thwart because backchannels and backdoors are built into hardware. As such, the US adopted rip and replace policies for Huawei base stations, Hikvision video cameras, and Inspur servers. The threat prevails for Lenovo laptops and YMTC chips, so it’s better not to acquire the equipment in the first place.
Federalism does not require US states to mirror federal practices, but states can and should learn from federal security authorities. A new memo from China Tech Threat details four ways states can mitigate Chinese tech threats.
Don’t use state money to buy Chinese government tech
Georgia Governor Brian Kemp just signed SB 562 & 346 to prohibit state contracts with companies owned by the governments of Russia, Belarus, and China. SB 346 prohibits companies owned or operated by the Chinese government from providing tech products to state governments, universities, and local school districts. The bill’s sponsor Rep. Martin Momtahan has first-hand experience repairing Georgians’ computer equipment infected with Chinese malware. As he explained in an interview, Georgia’s new law is about keeping the data of people and enterprises safe, and it is already attracting new companies which want to move to the state because of the focus on protecting intellectual property from Chinese government theft. Georgia’s tech leadership was demonstrated with its innovative response to Covid-19 challenges as led by Chief Technology Officer Steve Nichols, PhD, also recognized nationally as a top state CTO.
Restrict university partnerships with the Chinese military
American universities have the best intentions in mind when forging high-tech research partnerships with Chinese universities; however, the Chinese government uses these collaborations for military-civil fusion. Air University in Maxwell, Alabama details how the Chinese military runs at least 37 academic institutions whose express purpose is to use knowledge to strengthen and advance China’s armed forces. A new report identifies at least 3000 scientific studies published in the West with at least one co-author from a Chinese military university. An estimated $600 billion annually in IP theft is attributed to Chinese government and military actors, some of which is pilfered from American universities.
In June 2021 Florida governor Ron DeSantis signed HB 701, which prohibits specific agreements between state/public entities and China (along with six other countries of concern) and strengthens requirements for disclosing foreign support for public entities and post-secondary institutions. Senator Marco Rubio (FL) denounced the Chinese government’s military-civil fusion strategy, sending letters to 22 U.S. universities in 17 states urging them to terminate their partnerships with Chinese universities because they “support the development of Chinese military technologies.”
States should end these dubious partnerships and not make them in the future.
Invest in America’s cyber workforce
America’s cyber workforce is not large or skilled enough to address the rate and sophistication of cyber attacks. We need people to strengthen our cyber defense. Idaho leads in closing this gap with the approval of $12 million for a new Cyber Response and Defense Fund and Governor Brad Little’s Cybersecurity Task Force Report. States must also invest in cyber training for state employees. Maryland’s Secretary of Information Technology Michael G. Leahy conducts cybersecurity training to spot phishing and other malicious tactics. This investment paid off when Maryland Department of Labor employees uncovered a massive scheme to defraud the Covid-19 unemployment insurance program. Quick action saved taxpayers over half a billion dollars.
Hold the federal government accountable
States have a powerful voice in Washington, and they should use it to protect their residents and enterprises. For some years, the US Commerce Department Bureau of Industry and Security (BIS) has lagged on adding known Chinese military fabs Yangtze Memory Technologies Corporation (YMTC), Hua Hong Semiconductor and ChangXin Memory Technologies (CXMT) to the Entity List. During this period, these companies have gained US knowhow in chipmaking, produced compromised chips for the US market, and planned market manipulation to displace US firms and workers. It is the job of the federal government to ensure defense, and states must remind Congress and the Administration of their responsibilities.