Chinese intelligence agencies could have access to the most innocent-looking assets in state and local governments around the country: the office printer.
“Printers, one of the least secure Internet of Things devices, store sensitive data on internal hard drives derived from the various printing jobs executed on a day-to-day basis,” Roslyn Layton, an American Enterprise Institute visiting scholar and founder of the China Tech Threat, wrote in a report released this week.
That observation punctuates a finding that dozens of state and local governments have contracted with two companies that federal officials have flagged as security risks, specifically Lenovo, a cellphone and laptop maker, and Lexmark, a laser printer company. The report demonstrates Beijing’s reach into U.S. society, to the point of alarming federal officials.
“The one area that they’ve been keen to exploit is at the state level,” Sen. Marco Rubio, a Florida Republican who sits on the Senate Intelligence Committee, told reporters on Monday after reading Layton’s report. “Because they recognize that state and local governments do not have the same sort of awareness about this issue, they’re largely dealing with state and local issues.”
Secretary of State Mike Pompeo issued a similar warning in early February. “Competition with China is not just a federal issue,” he told the National Governors Association. “It’s happening in your states with consequences for our foreign policy, for the citizens that reside in your states, and indeed, for each of you. And, in fact, whether you are viewed by the CCP as friendly or hard-line, know that it’s working you, know that it’s working the team around you.”
Some of the information gathered by Chinese Communist officials could be obtained through something as mundane as the Lexmark printer, which has been purchased by governments in at least 10 states.
The suspect devices are embedded across a wide range of agencies. “Among the state agencies contracting with Chinese controlled firms are state Supreme Courts, Departments of Health, Departments of Corrections and other law enforcement agencies, Education Departments, agencies responsible for developing IT policies and distributing IT products, and others,” Layton’s report noted.
The information that passes through printers at those agencies could be added to the datasets procured from other major espionage operations, such as the background check documents for 22 million federal employees that Chinese hackers stole from the Office of Personnel Management in 2015.
“You put enough of this information together ... before you know it, you’re able to now begin to identify intelligence agents and people that are operating on behalf of our country,” Rubio said.
"It's absolutely the case that there is a cyber war going on in every state in the U.S. today,” Layton said.