Security experts: US Lenovo ban misguided

Concerns about Lenovo's connection to China don't make sense, say some computer security experts

A U.S. Department of State decision last week to back away from its plan to use Lenovo Group Ltd. computers on a classified network shows a lack of understanding of the global nature of PC manufacturing, security experts say.

Under political pressure, the State Department aborted its plan to use about 900 Lenovo PCs on a network connecting U.S. embassies. Critics raised security concerns because Lenovo has strong connections to a Chinese government accused of being heavily involved in cyberspying.

The Chinese government's Academy of Science is Lenovo's largest single stakeholder, owning about 27 percent of the company. Its share in Lenovo raises questions about the potential for computer back doors that could transmit secret U.S. government information to China, said U.S. Representative Frank Wolf and two members of the U.S. government's U.S.-China Economic and Security Review Commission.

Complaints from the three officials prompted the State Department to dump its plan to use Lenovo computers on the classified network.

"There is no company or individual in China that is immune to the pressures of the Chinese government when it comes to facilitating the interests of the state," wrote U.S.-China Commission members Michael Wessel and Larry Wortzel in an April letter to Wolf. "The fact that these computers may be assembled outside of China or that the software is produced in the U.S. does not eliminate the opportunity for covert means to gain access to some of our nation's most important data."

The concern about Lenovo, a company with most of its operations in China, isn't an isolated case in the current U.S. political climate. In March, Dubai Ports World, a United Arab Emirates company, said it would sell off six recently acquired U.S. ports after members of Congress raised concerns about the UAE government's ownership of the company. Critics of the company's purchase of the ports objected because the UAE has been friendly in the past with anti-U.S. groups in the Middle East.

And between 2000 and 2002, Chinese leaders tried to push the Chinese government into avoiding the purchase of software from Microsoft Corp., in part because of concerns that Microsoft would build in back doors accessible to U.S. spies.

But concerns about Lenovo's connection to China don't make sense, say some computer security experts. Lenovo officials also say the Chinese government has no influence on how the company is run.

Most U.S. computer makers use overseas manufacturing plants, and it's nearly impossible to make a computer without using many foreign-made parts, said James Mulvenon. Mulvenon focuses on Chinese computer warfare at the Center for Intelligence Research and Analysis, an intelligence research organization.

"Of the top security concerns I have about China, this wouldn't be in the top 100," Mulvenon said. "It's an attitude that ... does not accept globalization as a reality."

Many U.S. officials believe that Chinese government hackers target U.S. agency networks. While Chinese penetration into U.S. government networks is "enormous," worries about the nationality of computer manufacturers are misguided, added Alan Paller, research director at the SANS Institute. Regardless of where a company is based, it would be relatively easy for spies to get jobs at computer makers in the U.S. or elsewhere, he said.

Instead of focusing on where computers are made, the U.S. government should work on better security for its systems after they are purchased, Paller added. "If you know you have a threat from a source, you can focus resources on testing," he said. "We need to do a much better job of looking for hidden back doors in systems."

But a representative of Wolf, the chairman of the House subcommittee that controls the State Department budget, said security concerns should not be quickly dismissed. "If the Chinese government owns 1 percent of the company, it should be cause for concern," said spokesman Dan Schandling. "You've got a government actively spying against the United States that is a part-owner of this company."

The State Department's plan to use the 900 Lenovo computers, part of a larger purchase of 16,000 Lenovo computers through U.S. contractor CDW Corp., raises security questions because it was a more direct purchase than buying computers from a retailer's shelf, added a spokesman for the U.S.-China Commission. Lenovo knew where these computers were going when the State Department deal was announced in March, he said.

Lenovo officials say the concerns are unfounded. The State Department's computers were manufactured in the U.S. and Mexico, at third-party plants that Lenovo kept doing business with after the company purchased IBM Corp.'s PC business last year, said Jeff Carlisle, Lenovo's vice president of government relations. Like nearly all major PC vendors, Lenovo uses parts made in many countries and uses assembly plants across the globe, he said.

"If the argument is, 'We don't trust China,' then it's not just us," he said. "It's everybody that sells computers to the U.S. government. Something doesn't ring true here."

Even though The Chinese Academy of Science gave Lenovo about US$25,000 in seed money when 11 Chinese computer scientists founded the company in 1984, the Chinese government has been a silent stakeholder, Carlisle added.

To install back doors in Lenovo computers, Chinese spies would need access to Lenovo computers, then defeat an extensive quality-testing process partly developed by IBM and conducted by U.S. computer engineers at the company's headquarters in Raleigh, North Carolina, Carlisle said. Lenovo's quality testers were recently able to detect when a Lenovo supplier replaced a $0.03 capacitor with a cheaper part, he said.

Lenovo operates a $13-billion-a-year business and has a responsibility to its investors, Carlisle added. "All of the sudden, we're going to give that all up to spy on 900 computers in the State Department?" he said. "It boggles the mind that something like that could happen. It's not going to happen."

Carlisle disputed Wolf's contention that Lenovo is "China-owned." But the company's ownership continues to be a topic of debate because the shares are held by a number of stockholders, many based in China.

In addition to the Chinese Academy of Science's stake of about 27 percent, about 34 percent of the company's stock is traded on the Hong Kong Stock Exchange, 15 percent is owned by the company's Chinese founders, and 13 percent is owned by IBM. Another 10 percent is owned by three private equity firms, two U.S. based and one Hong Kong based.

The debate over whether Lenovo is owned by the Chinese government or based in China obscures a larger issue about general computer security, said Carlisle and China expert Mulvenon. The U.S. government has significant cybersecurity problems, but those are largely caused by insecure software, Mulvenon said.

"Lenovo by itself doesn't represent a threat to U.S. national security," Mulvenon said. "However, Lenovo bundled with Windows does."

Instead, a U.S. government limit on Lenovo may cause a trade war that could hurt U.S. vendors, such as Hewlett-Packard Co. and Dell Inc., that have operations in China, he said. "This could cause no end to problems," he said. "This threatens American companies' access to the China procurement market."

Copyright © 2006 IDG Communications, Inc.

How to choose a low-code development platform