By Price Sukhia
A Department of Defense security audit found that Lexmark International, a prominent printing company directed by Senator Dianne Feinstein’s late husband Richard Blum, is a Chinese “State-Influenced” company with connections to China’s military, nuclear and cyberespionage programs.
The 2019 audit found that the U.S. Army and Air Force had spent more than $30 million on thousands of Lexmark printers for use on Army and Air Force networks despite these devices having known cybersecurity risks.
It also referenced twenty cybersecurity vulnerabilities within Lexmark devices listed by the National Vulnerability Database from 2001 to 2017, including using plain text to store and transmit sensitive network passwords and a weakness that allowed for the enactment of malicious code on Lexmark printers. As stated in the report, “These vulnerabilities could allow remote attackers to use a connected Lexmark printer to conduct cyberespionage or launch a denial of service attack on a DoD network.”
Additionally, the audit cited a 2018 congressional report listing Lexmark alongside a number of other Chinese companies of concern, including Huawei, ZTE and Lenovo. That congressional report describes Lexmark as a Chinese “state-influenced” company, meaning it holds ties to the Chinese government through “strategic partnerships or leadership connections,” despite its public identity as an American firm.
The company raised eyebrows when it was acquired by Chinese investors several years ago after the Committee on Foreign Investment in the United States (CFIUS) approved the deal under intriguing circumstances.
How Blum, the husband of a sitting U.S. senator, came to be a board member and representative for Lexmark may be understood by examining the details of that acquisition.
In 2016, Lexmark, the printing company that was spun off by IBM in the early 90’s, was on track to be acquired by a consortium of three Chinese investors: Pacific Alliance Group (PAG), Apex Technology, and Legend Capital.
PAG, which was gunning for a 43 percent stake in Lexmark, is one of the largest private investment firms in Asia. According to its website, the company is led by three businessmen, one of whom was an associate of Mr. Blum named Weijian Shan. Shan previously served as a partner and co-managing director of Blum’s Newbridge Capital, which was later acquired by TPG Capital and renamed TPG Newbridge.
Prior to its sale in 2016, Lexmark’s board was composed of former executives from IBM and other prominent tech companies. Richard Blum was not among them. However, according to Lexmark’s website, Blum was listed as a member of the company’s board of directors until his passing last month. That position is also confirmed in a recent bio of Mr. Blum on the web page of a non-profit called the Milken Institute with which Blum was affiliated.
Interestingly enough, Blum’s Milken bio also lists him as a current director of PAG. While PAG’s website only discloses Weijian Shan (founder and chairman of the firm) and two others as board members, Blum’s name is listed in financial documents as a Non-Executive Director for PAG Holdings Limited. While it is unclear exactly when Blum was appointed to serve in this capacity, one of the documents is dated December of 2010. That means he would’ve been serving as a PAG director at the time of the Lexmark acquisition, which as it turns out, was not going as smoothly as both parties had likely hoped.
In May of 2016, a group of some 13,000 Lexmark employees embarked on a campaign to block the acquisition, claiming serious national security and hacking concerns would result from the deal. In a letter sent to U.S. President Barack Obama, the consortium wrote that “the overall risk to (U.S.) national security is real, immeasurable and unpreventable unless the sale of Lexmark to a Chinese firm is disallowed.”
The letter stated that Lexmark devices were particularly vulnerable to hacking, noting that Lexmark printers and copiers use “smart” technology to create a digital copy of all scanned documents before printing. It also highlighted the fact that these devices were widely used by the U.S. Department of Defense (DOD), the Pentagon, NSA, CIA, FBI, Homeland Security, TSA and Special Operations Command as well as U.S. state and local governments.
According to the letter, “Allowing a communist country access to Lexmark hardware and firmware allows them direct access ‘behind the firewall’ to any of these offices,” Additionally, the authors stressed that “Should any company (or government) have access to our hardware PCBA designs or firmware source code, they could easily install malicious code, viruses, or malware into these MFPs” and that “there would be no way to detect this malicious code or prevent wide-scale digital virus infections.”
This prophetic warning could not have come at a worse time for the Lexmark board and the Chinese consortium, who were preparing to submit a joint voluntary notice for regulatory approval to the Committee on Foreign Investment in the United States (CFIUS).
CFIUS is a government oversight committee that analyzes the national security implications of foreign investments in the U.S. and determines whether or not any given investment may occur. It is headed by all of the directors of the President’s cabinet, including the heads of Treasury, State, Defense, and Commerce, among others.
In the summer of 2016, CFIUS had the Lexmark deal in its crosshairs at a time when the company’s own employees had just sounded the alarm on national security concerns. If there was ever a chance of killing the deal, this was it.
But that never happened. In spite of the Lexmark employees’ alert of imminent dangers to national security posed by the acquisition, CFIUS granted its approval in the following months.
So, what was the rationale of the Administration? Was CIFIUS convinced that the Lexmark employee’s objections were unfounded or was there some other factor at play?
The answers to these kinds of questions are not always clear, especially when it comes to CFIUS, whose process has long been described as opaque and shrouded in secrecy. However, there are some clues that can help reveal how and why Obama’s cabinet approved the deal, one of which points towards Richard Blum’s nomination to Lexmark’s Board as a potential influence.
According to a Lexmark financial disclosure from September 2016, CFIUS conducted a thirty-day review followed by a forty-five-day investigation. This is significant because a forty-five-day investigation is only undertaken if there is evidence that a hazard to national security exists or if CFIUS members fail to reach an agreement on proof of a threat. Evidently, at least one CFIUS member agency had deemed that there was in fact a real danger to national security posed by Lexmark’s covenant with PAG and the others. But that wasn’t all.
The disclosure also stated that, as a precondition of approval, CFIUS would require both Lexmark and the Chinese buyers to enter into a National Security Agreement (NSA) with the Department of Defense and Homeland Security. That kind of agreement is arranged as a way to alleviate national security risks posed in a given partnership by laying out certain provisions and mitigation measures to which both parties must adhere.
The details of the Lexmark NSA with CFIUS were not disclosed to the public but one common mitigation measure involves appointing a United States Government-approved security officer to the board of the company in question. According to an annual CFIUS report to Congress, this specific measure was taken for at least one of the CFIUS transactions in 2016.
With this in mind, it is possible that Blum was appointed to the Lexmark board of directors as a way to overcome the regulatory approval of CFIUS. An annual report from Lexmark lists Blum as a member of the board for the financial year of 2017. The previous report from 2016 does not list Blum but was made prior to the Chinese acquisition.
If CFIUS did want an insider on Lexmark’s board, Blum would have been the ideal candidate. Not only was he well positioned as a PAG director to have unique insight and familiarity with the operational end of the acquisition, his relationship with Dianne Feinstein had already granted him access to close connections with U.S. government officials, including Barack Obama, who had appointed Blum to the President’s Global Development Council.
Some of Blum’s associates even ended up joining Lexmark’s board alongside him after the sale was completed. They include Mickey Kantor, a former U.S. Trade Representative and Secretary of Commerce under Bill Clinton, and Steven Chu, the former Secretary of Energy under President Obama who was at the heart of the Solyndra solar fiasco. Chu is also a board member of the Blum Center at UC Berkeley, an educational institution founded by Blum in 2006 that has collaborated with the U.S. Agency for International Development (USAID) and the Clinton Global Initiative. Other Lexmark members affiliated with the Blum Center include Shankar Sastry and Laura D’Andrea Tyson.
With Richard Blum and his associates at the helm of Lexmark, it’s likely that CFIUS would have been content to grant the deal so long as Blum and the others kept an eye on the operations at Lexmark and reported back to the Treasury department for any additional inquiries.
Blum already had experience participating in the CFIUS process, as is detailed in Peter Schweizer’s bestselling book “Red Handed.” In 2005, while CFIUS was reviewing the sale of IBM’s Personal Computer division to Lenovo Group, Blum was asked by IBM to participate as an investor in Lenovo so that an American would be part of the ownership group. As it happens, Lenovo is a subsidiary of Legend Holdings, the third member of the Chinese consortium that purchased Lexmark.
While it is unclear whether or not Blum’s wife, Dianne Feinstein, had any influence on the CFIUS approval for the Lenovo or Lexmark investigations, Feinstein did have a seat on the Senate Intelligence Committee while both deals were under review.
Incidentally, the Lenovo Group was also listed in the U.S. DOD’s 2019 audit as a Chinese company of concern alongside Blum’s Lexmark International. It appears, in both the Lexmark and IBM acquisitions, CFIUS underestimated the severity of the risks posed to national security while overestimating the effectiveness of their mitigation efforts. In any case, Richard Blum and Dianne Feinstein once again managed to find themselves in the right place at the right time in order to benefit from yet another deal involving a former IBM business and a Chinese buyer.
