The Looming Threat of Chinese Spyware

One of the great lessons of the past two years has been that the events poised to change our lives often percolate far from public consciousness.

Gain-of-function research on coronaviruses interested almost no part of the general public until it was far too late.

Critical race theory took over our classrooms long before parents began to notice, complain, and find themselves playing a late defense.

Street riots had been part of the American terrain since 2014, but most people other than those directly involved more or less shrugged them off until a massive wave engulfed urban America.

Few other than activists or election scholars thought much about the role of propaganda, or about balancing ballot access and election integrity, until the credibility of America’s elections came under attack.

Which is why it might be worthwhile to set these now-front-burner issues aside for a moment and consider another critical threat arising in a place that few Americans care to look: the Chinese Communist Party (CCP) spyware worming its way into our defenses, infrastructure, communities, schools, and homes courtesy of procurement policy and purchasing decisions.

Like the issues that dominate today’s front pages, this one is already visible—at least at the federal level—to those who are willing to look:

The National Institute of Standards and Technology (NIST) maintains a National Vulnerability Database (NVD). Relying in part on the NVD, a 2019 Inspector General report (pdf) singled out the Department of Defense’s procurement of Lenovo computers, Lexmark printers, and GoPro cameras as potential threats to national security—a threat that we have yet to address.

Sen. Tom Cotton (R-Ark.), in a February 2021 report (pdf) raising awareness about China’s economic long war against the United States, argued that “Chinese firms’ presence in Silicon Valley should not be treated as aboveboard commercial ventures but as spying outposts for the CCP.”

And just last week, a letter from Representatives John Katko (R-N.Y.) and Andrew Garbarino (R-N.Y.) (ranking members of the House Committee on Homeland Security and Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, respectively) to Secretaries Alejandro Mayorkas (Homeland Security) and Gina Raimondo (Commerce) called for an inquiry into whether “civilian agency procurement of commercial off-the-shelf information technology items may pose cybersecurity risks for telecommunications infrastructure,” comparable to the national security vulnerabilities discussed in the IG report.

In a sign of the glacial pace that the federal government has set in addressing these critical issues, last week’s letter was essentially a follow-up to their inquiry dated last April 13 (pdf).

Still, the federal government deserves at least some credit for basic awareness of the issue. That’s more than can be said for the states. Lenovo, Lexmark, and other brands with CCP ties are used widely in state government offices around the country. Robert Chernin, my colleague at the American Center for Education and Knowledge (ACEK), recently called out the National Association of State Procurement Officials (NASPO) for its master contracts with Lenovo.

That contract is hardly the only problem at the state level. The procurement contracts that landed these Chinese products in government offices position the CCP to track critical information on American infrastructure, energy, security, emergency awareness, and personnel. Perhaps hitting a bit closer to home, they also give the Chinese regime a far better window into America’s classrooms than most American parents can claim.

It seems likely that most of these potential incursions are happening not because of corruption or maliciousness, but rather because of laziness, inattention, and the insularity of procurement decisions. If Lenovo or Lexmark makes your school district a compelling offer, why not take it?

We’ve all been there. Though we all know today that our devices and software spy on us, most of us can remember when we first learned that “if you’re not the customer, you’re the product.” Millions of us have simply accommodated ourselves to a world in which a few tech titans—and the various companies to whom they’ve sold their collected data—know the most intimate details of our lives.

Perhaps it’s time to consider that these giant and intrusive American corporations may be the least of our problems. According to a recent report in the Washington Post, China has been so pleased with its domestic surveillance network and social credit scores that it’s now expanding its reach across the globe. America’s wide-open procurement policies and love of low prices are welcoming that expansion with open arms.

Taken together, the dissemination of Chinese technology products at all levels threatens the privacy and security of every American. It’s long past time to think about the implications of our purchasing and procurement decisions. As we learned the hard way with the issues that have dominated the past two years, the time to act is before things hit the front page.

See the article at Real Clear Policy

Bruce Abramson

Bruce Abramson has over thirty years of experience working as a technologist, economist, attorney, and policy analyst. Dr. Abramson holds a Ph.D. in Computer Science from Columbia and a J.D. from Georgetown. He has contributed to the scholarly literature on computing, business, economics, law, and foreign policy, and written extensively about American politics and policy.