SHARING AMERICA'S TECH NEWS FROM THE VALLEY TO THE ALLEY
Since at least 2006, personal computers manufactured by Lenovo have been banned from being used to access classified government networks in the United States, as well as in Australia, Britain, Canada and New Zealand.
That revelation was first reported by Australia’s Financial Review (AFR), which said the blanket ban on using Lenovo’s equipment to access “secret” or “top secret” government networks stemmed from fears that the Chinese government may have altered the equipment’s firmware or added back doors to the hardware to allow it to be monitored by its own espionage agencies.
Those fears started after Beijing-based Lenovo acquired IBM’s personal computing division for $1.25 billion in 2005.
In 2006, the U.S. State Department purchased 16,000 Lenovo PCs, at least 900 of which were to be used on classified networks. But after facing pressure from Congress, the State Department said that it would restrict the devices for use on “unclassified” networks and alter future procurement policies to reflect that change.
[ How far can the National Security Agency go in monitoring cellphone use? Read Can The NSA Really Track Turned-Off Cellphones?. ]
Today, the Lenovo ban is reportedly being practiced by multiple government agencies, including the intelligence agencies that participate in the “five eyes” electronic eavesdropping alliance, which comprises the U.S., U.K., Canada, Australia and New Zealand. According to AFR, the dominant suppliers of PCs used by the five countries’ intelligence services that participate in the eavesdropping program are Dell and Hewlett-Packard.
Those five countries’ intelligence agencies have reportedly configured their networks to handle classified data in similar ways. Notably, the agencies have connected parts of their top-secret and secret networks to allow for communication between them. Previously, access to each network was blocked, using an “air gap” model, which ensured that a single system could only access one particular confidential network. Now, however, intelligence agencies use a data diode, which allows a single system to access either network.
Despite the Lenovo ban, equipment sold by U.S. PC manufacturers is often built using chips produced in China. Accordingly, it’s not clear if the ban would fully mitigate the risk of Chinese intelligence agencies sneaking firmware alterations or back doors into hardware. Prof. Farinaz Koushanfar at Rice University’s Adaptive Computing and Embedded Systems Lab, notably, told AFR that the National Security Agency was “incredibly concerned about state-sponsored malicious circuitry and the counterfeit circuitry found on a widespread basis in U.S. defense systems.”
“I’ve personally met with people inside the NSA who have told me that they’ve been working on numerous real-world cases of malicious implants for years,” she said. “But these are all highly classified programs.”
The revelation that intelligence agencies both in the U.S. and abroad have banned the use of Lenovo systems comes just one week after Michael Hayden told AFR he believed that Chinese telecom equipment maker Huawei actively spied for the Chinese government.
Fears of the Chinese government using equipment manufactured by Huawei or ZTE to spy on Western businesses and government agencies lead to the publication of a House of Representatives Permanent Select Committee on Intelligence report in October 2012 that prohibited U.S. government agencies from purchasing or using equipment from either vendor. It also strongly recommended that U.S. businesses rethink their use of equipment from either Huawei or ZTE.
UPDATE, 7/31/2013: In response to the AFR story, Australia’s Department of Defense called the report of a ban on Lenovo “factually incorrect.” It said in a statement: “There is no Department of Defense ban on the Lenovo Company or their products; either for classified or unclassified systems.” Lenovo, meanwhile, declined to comment on the AFR report, except to reference the Australian government’s statement.
The cybersecurity challenge on college campuses lies as much with the students as with malicious outsiders. Also in the new, all-digital Hacking Higher Ed issue of InformationWeek Education: Students can use technology to undermine the integrity of education. (Free registration required.)
Thank you, TiA