With a frequency greater than a comet’s visits to our heavens, warnings flow out of the US Department of Defense on the use of computers and other endpoint devices manufactured by China-based Lenovo. In late October 2016, Bill Gertz of the Washington Free Beacon advised that the DoD’s J-2 intelligence directorate has issued a report on how Lenovo devices could compromise hardware within the DoD supply chain and bring about cyber espionage risks.
Not the first time
Readers will recall, in February 2015, we shared actionable information concerning Lenovo Laptop Adware Issues and how the spyware embedded within the Lenovo laptops would have a deleterious effect on the operational integrity of the laptop.
Who is Lenovo?
In December 2004, IBM sold its PC division to Lenovo. A quick review of Lenovo’s history shows that its roots lie in the Legend Group, an enterprise funded by the Chinese Academy of Sciences. The Legend Group owns a 31 percent stake in the Lenovo Group per the 2015-2016 Lenovo annual report. The Chinese Academy of Sciences is a state entity.
Is Lenovo selling to the US Government?
Yes, they are, and doing it quite successfully. The Gertz piece quotes a Pentagon spokesperson as saying, “the Defense Department has not imposed a ‘blanket ban’ on all Lenovo products and does not blacklist suppliers or individual products.”
Indeed, one will find Lenovo has a robust group specifically focused on bringing innovation to the US government, with Lenovo products within “70 military and civilian federal agencies” and on the GSA schedule.
Furthermore, Lenovo devices are readily available for “discounted purchase” by defense personnel. Indeed, Lenovo has a portion of their website dedicated to these sales. Visitors may choose their branch of the service (Army, Navy, Air Force, Marines, Coast Guard) or DoD.
Is this smoke or is there a fire?
Smoke
In April 2016, the President of Lenovo North America, Emilio Ghilardi, wrote a letter to the editor of the Washington Post. He wrote, “protecting information security is a top priority. All global information technology suppliers depend on non-U.S. components and foreign manufacturing locations. So, rather than rumors and fear-mongering, policy in this area should be based on facts and common standards.”
In the same piece, Ghilardi points out that five separate investments by Lenovo in the US have been approved by the Committee on Foreign Investment in the United States (CFIUS). Lenovo argues: why would CFIUS have approved Lenovo’s ownership if Lenovo posed a security threat?
Fire
On the other hand, in July 2016, National Counterintelligence and Security Center (NCSC) director William Evanina provided sensitive and classified briefings to US telecom operators on the threat to their supply chain. The following month, the Office of the Director of National Intelligence (ODNI) publicly urged all US entities to be particularly vigilant when it comes to supply chain security. Indeed, the ODNI created a four-and-one-half-minute video, “Know the Risk – Raise Your Shield: Supply Chain Risk Management”, focused on mitigating supply chain risks.
It is in the realm of the possible that Lenovo is indeed caught in the middle of the US-China cyber security tussle. The ODNI warnings may, or perhaps may not, reference a threat posed by Lenovo. What is certain is that the supply chain of US entities, including the DoD, is at risk.