State Governments ‘Weakest Link’ in Protecting America From ‘Enemy’ Cyberattacks

State Governments ‘Weakest Link’ in Protecting America From ‘Enemy’ Cyberattacks
A member of the hacking group Red Hacker Alliance uses a website that monitors global cyberattacks on his computer at an office in Dongguan, China's southern Guangdong province on Aug. 4, 2020. Nicolas Asfouri/AFP via Getty Images
John Haughey
Updated:
0:00

United States federal agencies and the Pentagon over the last decade have imposed a matrix of restrictions on purchasing technology from companies owned or influenced by China’s ruling Chinese Communist Party (CCP), but few of the nation’s 50 states have taken similar precautions.

In fact, many state governments apparently aren’t aware—or haven’t publicly acknowledged—how potentially vulnerable their electronic infrastructure is to CCP cyberattacks, espionage, and data theft.

According to an October 2021 China Tech Threat report, at least 40 states are now using hardware and software programs purchased from CCP-owned tech companies, such as Lenovo and Lexmark.

Georgetown University’s Center for Security & Emerging Technology (CSET) documents that between 2015-21, at least 1,681 state and local governments purchased technology from CCP-owned or controlled companies that federal agencies and the U.S. military are explicitly prohibited from doing business with.

A March 2022 analysis by Virginia-based cybersecurity firm Mandiant determined the CCP hacked at least six state government computer systems between May 2021 and February 2022 as part of “a dual espionage and cybercrime operation” that exploited “planted bugs” in Chinese-made hardware programs being used by at least 18 U.S. states.
According to Virginia-based cybersecurity company Mandiant, this building on the outskirts of Shanghai, China, is among sites where CCP hackers launch cyberattacks, including at least six successful infiltrations of state government computer systems in the U.S. between May 2021 and February 2022. (AP Photo)
According to Virginia-based cybersecurity company Mandiant, this building on the outskirts of Shanghai, China, is among sites where CCP hackers launch cyberattacks, including at least six successful infiltrations of state government computer systems in the U.S. between May 2021 and February 2022. AP Photo
Despite the clanging of alarm bells and ringing of alert whistles from technology and security experts, as noted in a July 2022 Epoch TV documentary, states have been slow to respond to a threat so insidiously ubiquitous, it is hiding in plain sight.
An October 2022 CSET analysis maintains that only five states—Florida, Louisiana, Vermont, Texas, Georgia—have adopted adequate procurement policies prohibiting their state agencies and local governments from purchasing technology and services from “scrutinized nations,” with communist China the primary focus.

With 2023’s legislative sessions kicking off in State Houses nationwide—45 will have convened by Jan. 18—proposed bills addressing the issue had only been filed by lawmakers in four states as of Jan. 11.

“State and local governments must take foreign technology threats seriously even if they do not face the same risks as federal agencies like DOD,” the CSET analysis states. “Even if governments are not targeted directly, the ICTs (information and communication technologies) they deploy might be used to compromise nearby critical infrastructure.”

“State governments really are the weakest link,” American Legislative Exchange Council’s (ALEC) Federalism and International Relations Task Force Executive Director Karla Jones told The Epoch Times. “The federal government has restrictions in place. It is up to each state to protect its own IT systems.”

Texas, Georgia Laws Provide Blueprints

ALEC and technology security advocates point to two recently adopted bills that provide paths other states can replicate in protecting their electronic systems from the CCP’s intrusions.
The Lone Star Infrastructure Protection Act (LIPA), which went into effect in June 2021, prohibits Texas businesses and governments from contracting with entities owned or controlled by individuals and companies from China, Russia, North Korea, and Iran relating to “critical infrastructure.”

The 2021 bill was sponsored by then-Rep. Tan Parker (R-Flower Mound), who was elected to the state Senate in November.

Parker filed the original legislation after Texas lawmakers became aware that Houston-based company GH America Energy—a subsidiary of China’s Xinjiang Guanghui Industry Investment Group Co. Ltd owned by billionaire and CCP member Sun Guangxin—had purchased 140,000 acres in Val Verde County and planned to build a 15,000-acre wind farm on the property.
A map of the 140,000-acres of agricultural land Chinese billionaire Sun Guangxin acquired in Val Verde County, Texas, and the locations of its three energy generation projects: Blue Hills Wind, Blue Star Solar, and Blue Valley Solar. (Courtesy of the Devils River Conservancy)
A map of the 140,000-acres of agricultural land Chinese billionaire Sun Guangxin acquired in Val Verde County, Texas, and the locations of its three energy generation projects: Blue Hills Wind, Blue Star Solar, and Blue Valley Solar. Courtesy of the Devils River Conservancy

The proposed wind farm would feature turbines up to 700 feet tall. Some feared those turbines could be used to eavesdrop on and monitor activities at Laughlin Air Base less than 70 miles away.

“This Chinese billionaire was going to purchase land to build a wind farm in one of the few locations in Texas that doesn’t have a lot of wind,” ALEC task force director Jones said. “The state legislature, when they found out it was being built, had a lot of questions” and subsequently adopted LIPA “as a way to protect Texas.”

The 2021 discussion by Texas lawmakers about how to respond “illustrates how CFIUS [Committee on Foreign Investment in the United States] is limited” in application for state and local governments, she said.

CFIUS is a congressional interagency panel that only reviews transactions involving foreign investments and real estate transactions in the United States that potentially pose a national security threat. State IT systems are not part of its purview.

Georgia Rep. Martin Momtahan (R-Dallas), an “IT guy,” sponsored a 2022 bill signed into law by Gov. Brian Kemp that technology security advocates praise as model legislation that other states should implement. (Georgia General Assembly)
Georgia Rep. Martin Momtahan (R-Dallas), an “IT guy,” sponsored a 2022 bill signed into law by Gov. Brian Kemp that technology security advocates praise as model legislation that other states should implement. Georgia General Assembly
This gap prompted Georgia Rep. Martin Momtahan (R-Dallas), a former IT contractor, to file a bill in 2022 that prohibits the state from accepting contract bids from “companies owned or operated by China.” The bill was adopted and signed into law by Gov. Brian Kemp in June 2022.

“He’s an ‘IT guy’ who recognized there were certain backdoors that allowed Chinese companies to record data” in technology they sell, Jones said. “He is the one that actually introduced the first ‘model bill’ on this particular issue.”

While communist-ruled China “has been on the radar” with state lawmakers for some time, few have really grasped how potentially exposed their state’s electronic infrastructure is to CCP intrusion, she said.

ALEC formed a task force to examine the issue and during a presentation last summer, and then-Rep. Parker explained why LIPA and Momtahan’s bill should be adopted by state lawmakers nationwide as soon as possible.

“A lot had been happening in tandem and parallel” with little coordination between states and the federal government, Jones said. “Both came up with legislation to protect states from Chinese influence more or less at the same time. Momtahan and Parker didn’t meet for the first time until this fall when I introduced them.”

Momtahan and Parker did not respond to repeated emails and phone calls from The Epoch Times as of Jan. 13, with legislative aides citing busy schedules during their first week in legislative sessions.

We Need Federal Coordination: Lawmakers

Parker’s LIPA presentation at ALEC’s July 2022 annual meeting in Atlanta prompted the legislative exchange council to develop a model policy mostly based on Rep. Momtahan’s bill that Jones said is necessary to thwart not just the CCP but all potential “strategic adversaries” from exploiting a relatively overlooked “vulnerability in our national security ecosystem.”

You are seeing these bills proliferating largely as a result of Parker’s presentation and Momtahan’s bill, Jones said. “If you are seeing” proposed bills addressing the issue, “they probably would have gotten it after 2022 legislative sessions” unless “they came up with it on their own,” which is what Florida, Louisiana, and Vermont did.

But although bills are still being filed in the early stages of 2023 legislative sessions, legislation that appear based on ALEC’s model policy have only been introduced in four states.

Those bills are Oklahoma Senate Bill 43 sponsored by Sen. Micheal Bergstrom (R-Adair); Mississippi SB 2046—‘The Mississippi National Security in Public Purchasing Act’—introduced by Sen. Angela Burks Hill (R-Picayune); New Hampshire House Bill 86 filed by Rep. Terry Roy (R-Deerfield); and South Carolina HBs 3509 and 3510 introduced by Rep. Steven Wayne Long (R-Boiling Springs) and 21 other co-sponsors.

Roy told The Epoch Times that he filed his HB 86 after receiving an email from ALEC last summer with a link to its model policy.

“I looked into it and saw that at the state level, we have to do something,” he said, noting while many states have prohibited the use of the TikTok by agencies and employees, the potential threat posed by the China-based parent company is nothing compared to the “ubiquitous software and hardware in common use” by New Hampshire state agencies.

“Based on what I have seen across the country, China has insidious and nefarious plans to infiltrate our technology,” Roy said. “This is a lot more dangerous than TikTok.”

Long told The Epoch Times that he and other South Carolina lawmakers filed 2022 bills addressing the technology infiltration threat posed by CCP-affiliated tech companies but “we weren’t able to make much progress.”

Of his 2023 bills, he said, “We’re a little bit later into the game but with better legislation.”

Long said there are two bills because the issue “is two-fold, partially an economic matter and partially a national security matter.”

Like most states competing for job-generating investment by offering “economic development incentives,” lawmakers want to ensure those inducements benefit South Carolinians, he said.

“If we’re going to be using state dollars, we want to support businesses that agree with American values or are headquartered in America or, if not, at least agreeable with U.S. interests,” Long said. “How can we make better use of state dollars so we are supporting our people? Who do we want to be investing in: Chinese-owned companies or American companies? We don’t want to be using taxpayers money to essentially subsidize Chinese companies.”

The bills also address national security. “We cannot be overly reliant on China,” he said, noting that Chinese companies operating under the thumb of the CCP produce a wide swath of products, including prescription medicines, that Americans use every day.

“We cannot allow our economy, our national security, to be overly reliant on China—they are our greatest threat,” Long said, noting that banning the use of technology produced by CCP-affiliated Chinese companies “should not be partisan” policy.

Intel Sharing Needed

Roy agreed but said that while “states are the weakest link” in protecting Americans from CCP-affiliated hackers, state lawmakers who want to shore up protections are getting little assistance from federal agencies under the Biden administration in how to do so.

“This is in the federal government’s bailiwick. I don’t get the intelligence to deal with it,” he said. “As a state legislator, I do not get intelligence updates. We’re not getting intelligence briefings” in State Houses across the country.

It doesn’t help that successive administrations have fudged in stating the obvious to the American public, although “Trump put his thumb on it”—that China under the CCP is not merely a difficult trading partner but an existential threat, Roy said.

“The problem is the federal government needs to tell the people, ‘Look, the Chinese government is an enemy—they are our enemy,’” he said. “People don’t understand that they are our enemy.”

Chinese soldiers work at computers. Cyberattacks from China have continued despite agreements from the CCP to stop. (mil.huanqiu.com)
Chinese soldiers work at computers. Cyberattacks from China have continued despite agreements from the CCP to stop. mil.huanqiu.com

Long cited similar frustrations, calling for more federal coordination and focus for states. “We are kind of in the early stages of this,” he said of increasing pressure on China. “Now that Trump is no longer in office, nobody on the national level is spearheading the effort.”

Roy was surprised his bill in New Hampshire was among only four 2023 state measures addressing the issue.

“It seems to me this should be a priority. It’s shocking that more states have not done it,” he said. “This is happening while we watch them buying up property in the United States. Nobody seems to be doing anything about it. That is on my radar, too.”

Jones said that acquisition of property, especially of agricultural land, by CCP shell companies will be a topic of an ALEC task force seminar in the coming months. Florida Gov. Ron DeSantis raised the issue during a July speech.

“DeSantis, by the way, is awesome,” she said. “Through executive orders and legislation, he is protecting the state of Florida from Chinese influence about as well as he can. In fact, ALEC has adopted some of its model policies from what Florida is already doing.”

John Haughey
John Haughey
Reporter
John Haughey is an award-winning Epoch Times reporter who covers U.S. elections, U.S. Congress, energy, defense, and infrastructure. Mr. Haughey has more than 45 years of media experience. You can reach John via email at [email protected]
twitter
Related Topics