In this episode of American Thought Leaders 🇺🇸, we sit down with Dr. Roslyn Layton, a visiting scholar at the American Enterprise Institute and the co-founder of China Tech Threat, to discuss the threat posed by Chinese-owned companies like Huawei, ZTE, Lexmark, and Lenovo, which are legally obligated to hand over information to the Chinese Communist Party, if asked. Many state and local government departments like the DMV have contracts with such companies.
Layton is also a visiting researcher at Aalborg University Center for Communication, Media, and Information Technologies and a vice president at Strand Consult, both in Denmark.
Jan Jekielek: Roslyn Layton, so great to have you on American Thought Leaders.
Roslyn Layton: Great to be back. Thank you.
Mr. Jekielek: I want to first start by highlighting your website, China Tech Threat. This is something new since we talked last. You’ve done some incredible work around this.
Ms. Layton: If you go to ChinaTechThreat.com, I have a series of reports covering threats in information technology. Most people have heard about Huawei. People think, if we ban Huawei, then everything’s fine. But there are Chinese technological threats in the computers that we use, the printers we attach to the networks, the software, and the services. There’s a lot of things, and what I’m trying to do is to pick apart those pieces one by one.
Mr. Jekielek: I read that a lot of statehouses actually have Lenovo equipment. Why would that be a threat?
Ms. Layton: This is an interesting Chinese strategy, where there are American companies, IBM and ThinkPad, for example, they’re purchased by Chinese owners or investors, which is a front for the government, the Chinese Academy of Sciences. As a result of that, all the laws of China apply to those companies. So they’re not using the transparency, the disclosures … we don’t know who their boards of directors are, and anything connected on a Lenovo computer can technically be transferred to China to be reviewed and processed by the Chinese government.
In fact, the contracts that US states are signing with Lenovo stipulate as much. They say Lenovo could take the data out to any country where they do business. Why would they need to do that? There’s no reason. If I go to the DMV, why does Lenovo need to take my data to another country or any country? There’s no reason for that, but their contract allows them to do that.
Mr. Jekielek: A Chinese company basically has to give its data carte blanche to the regime if it’s not already working with the regime on that data.
Ms. Layton: To me, it’s just an unnecessary risk. It would be one thing if it was just a one-off, but at least 43 states in the US have signed up for these kinds of agreements. We’re talking about departments of elections, DMV, Family and Children’s Services, courthouses—all of this sensitive financial information. The irony is, many of these states like California, they’re putting very draconian information privacy laws on companies. But the government doesn’t have to comply with those laws. The state government of California is basically opening the back door to China and saying “please come in and take all of our data.” It’s maddening.
Mr. Jekielek: It absolutely is. And of course, we know that the development of AI is basically contingent on large amounts of data.
Ms. Layton: That is absolutely in the future, but I think today, for example, different pharmaceutical companies or financial services are being hacked. Because they can study, by running scripts against the customer databases, what financial products they buy. They can look at what stocks different customers buy.
Mr. Jekielek: So this is a wild amount of free market research data.
Ms. Layton: Yes! They can just get it for free. It can be done by hackers. The Equifax hack was [done by] Chinese soldiers. Now the Department of Justice is going after them. But the other part is willingly giving it away. Countries try to infiltrate each other’s systems at the state level. It stands to reason whether our federal government is not protected on the state level and even on the federal level. We have major hacks. The Office of Personnel Management is one. But, this is a case where the contract allows—requires—that the data just be taken. And there’s no force…
Mr. Jekielek: Is it that they’re just not reading the fine print?
Ms. Layton: That might be one part, but they don’t realize what the Chinese intelligence law means. And they’re not connecting that Lenovo is a Chinese-owned company. Lexmark as well, they think it’s an American company, it’s based in Kentucky. Another one.
These companies are listed in the National Vulnerability Database. Of course, they would not market that, I understand. But, we have a clear and present danger today with China on so many fronts. We can barely manage the Huawei issue and there’s all these other things, how are we going to get around it? And of course, these companies could white label their technology under another name, but they’re going forth, supposedly as trusted vendors.
To me, I think the state procurement officers should do better. Their trade association is aware of this. I brought the research to their attention. I think that they’re willing to step up. Normally, NASPO (National Association of State Procurement Officials), they do a fiscal review. So of course, you can get this equipment at cheap prices because it’s artificially kept low by China, they don’t have to properly report their numbers, so they can do cut-rate pricing, and the Chinese government will subsidize them. So they’re checking the fiscal for its good use of taxpayers’ money, but they’re not doing a cybersecurity review, and they should. One of the things I call for is more support from the federal level to help the states do this. Also, the Federal Department of Commerce, which maintains this master list which is not easy to look at or easy to find.
Mr. Jekielek: Where does one find this?
Ms. Layton: You can go to the National Vulnerability Database https://nvd.nist.gov. But you have to wade through so much information. It’s written in gobbledygook that doesn’t make any sense to people. So part of what we’re trying to do with China Tech Threat is boil it down to help people understand. But at the very least, we shouldn’t be willingly buying companies that are owned by the Chinese government. We shouldn’t be buying their products at all. There’s nothing good about that.
Mr. Jekielek: For those administrators that might be watching the program, what are some of the most dangerous companies to watch out for?
Ms. Layton: Hikvision, that’s the security cameras, those are banned in the NDAA; DJI drones, the TCL smart TVs. In our China Tech Threat, we try to highlight them and we’re going off of the National Vulnerability Database where they’re listing the vulnerabilities. That’s one thing, let’s prioritize the threats. For example, the federal government or different branches of government, they will ban these particular products. There should just be an automatic memo out to all the states: do not buy. It’s not that hard to do. You could just post it on social media.
On ChinaTechThreat.com, we try to have distinct reports about the different issues. We have a report about Huawei, we have a report about Lenovo and Lexmark, we have a video on going into the Best Buy and where you can buy products with known vulnerabilities. We try to make it simple and boil it down and we do things one by one. It’s difficult to take the whole supply chain which is what we have to do at the end of the day, but at least we can start reducing the risk on known things so you don’t willingly buy those products.
Mr. Jekielek: I’m just going to reiterate this because it still blows my mind. By law, any Chinese company is required to provide any data it has within its systems to the regime.
Ms. Layton: To the Chinese government, yes. That’s the Chinese law, not an American law. And I actually think if they do that, it contravenes American law. I’m not exactly sure on that. … I think states are starting to come to grips with that, for example, the State of Georgia has a very forward-thinking procurement officer and they got rid of Kaspersky Labs. It’s a known Russian service provider that presented a lot of risks. They (Georgia) got pushback, believe it or not. So for example with Huawei, the American semiconductor industry lobbies the Department of Defense and says no, no, no, we want to do business with them. We know they endanger national security, but we still want to make money. So, we should all be on the same page about this instead of trying to protect incumbent industries, which by the way, China wants to disrupt anyway. They don’t want there to be an American semiconductor industry. When 4G is done, they’re out of there. They don’t want to buy chips anymore from Qualcomm, but they don’t have to. So it’s underscoring the complexity. And also, I think, this is really about understanding what it means to be for America. We shouldn’t willingly be engaging in commerce that’s threatening our national security, our long term viability. And again, this is a real threat. … These are real things that can undermine our economy, undermine our safety, our privacy. So those are the things we should really be working on.
Mr. Jekielek: You’re saying any Chinese company is a risk.
Ms. Layton: Absolutely. Chinese IT company, I would say.
Mr. Jekielek: Last question, is there any specific kind of procurement that is the highest risk in your mind?
Ms. Layton: Based upon the data we have, no Huawei, no ZTE, no Lenovo, no Lexmark, no DJI drones. To make it simple, that’s what we got to do. We got to start there.
Mr. Jekielek: Okay. Roslyn Layton. It’s such a pleasure to have you.
Ms. Layton: Great to be with you. Thanks again, Jan.