Ongoing tech tensions between the US and China appeared to deepen this week after it was reported that the US Navy has “security concerns” with servers now owned by Lenovo which will likely lead to it choosing an alternative supplier. It’s not the first time the superpowers have clashed over this kind of thing and it certainly won’t be the last. But is there a chance it could also filter down into enterprise IT procurement?
The problem exists with the Navy’s Aegis Combat System – a Lockheed Martin-built guided ballistic missile naval weapons system fitted onto destroyer and cruiser fleets. IBM x86 BladeCenter HT servers were included in the Aegis Technical Insertion (TI) 12 hardware upgrade, which formed part of the Aegis Baseline 9 combat system upgrade, according to USNI News.
However, as of last autumn, IBM’s x86 server division has been owned by Lenovo, after a $2.1bn purchase by the Chinese PC giant.
“The Department of Homeland Defense identified security concerns with the IBM Blade Center sale and placed restrictions on federal government procurement of Lenovo Blade Center server products,” Navy spokesman Dale Eng told the site. The department – of Defense presumably, rather than the non-existent “Homeland Defense” – has concerns that the servers could either be compromised through routine maintenance or remotely, by Chinese spies, the report continues.
This is not the first time this kind of thing has happened to Lenovo. It was alleged by the Australian Financial Review in a 2013 article that the ‘Five Eyes’ intelligence agencies had stopped using Lenovo PCs in the mid-2000s after IBM sold that division to the Chinese firm. The reason? Serious backdoor vulnerabilities were allegedly discovered which could have allowed hackers to remotely access machines covertly. An Australian Department of Defence statement later denied it had instituted a ban, although the AFR countered that it was talking specifically about the Five Eyes-led Defence Signals Directorate, which may have its own unique rules, and that anyway Lenovo had never sought accreditation with the department, despite claiming an “excellent relationship.”
This isn’t just a Lenovo issue, however. The Navy’s stance brings to mind the decision of a US congressional committee in 2012 which effectively banned Huawei and ZTE from competing in the nation’s telecoms infrastructure market. On the Chinese side too, especially since revelations of NSA spying and tampering with US-made goods prior to export, Beijing has instituted much stricter vetting of American tech goods bound for the government market. This has already led to a de facto ban on certain products including Windows 8, although the full impact of the new policy has yet to be seen.
Guy Bunker, SVP of products at UK-based security firm Clearswift and a former chief architect at Symantec, argued that the US Navy’s decision was understandable given Lenovo’s recent security challenges – especially the Superfish adware fiasco. However, he told me it shouldn’t just be a case of “China bad, US good.”
“Security when lives are at risk is absolutely paramount, and all steps must be taken to ensure the lives of the service men and women, especially from data loss or system hacking. However, it does need to include all suppliers, not just the Chinese,” he said.
A new tech cold war?
Some commentators have argued that cyber security is only being used as an excuse to effect protectionism by the backdoor. And it’s not hard to see why, given the billions of dollars up for grabs, especially in China’s rapidly growing markets. But should enterprise buyers be worried? Well, it is true that a growing number of organisations previously under the radar are now at risk from state-sponsored snooping. But with Snowden’s revelations of NSA and GCHQ mass surveillance at home, how can IT buyers be sure if Western-built kit doesn’t contain backdoors?
In truth, you can’t. The best CISOs can do is minimise risk, and that requires following industry best practices. Roughly speaking, this means doing extensive due diligence on your prospective vendors; testing kit thoroughly and then maintaining good security housekeeping. That is, keeping up to date with patches and installing advanced anti-malware, firewalls, IPS/IDS and other tools.
To this, Piers Wilson, head of product management at Huntsman Security, adds monitoring system and user behaviour closely “so that any potential problem can be identified and stopped before it has chance to get off the ground”.
“While not every discrepancy will be an actual threat, organisations need to be able to identify every one and then determine which pose a genuine risk,” he told me.
Lenovo hadn’t responded to a request for comment at the time of writing.
PREVIOUS ARTICLE«IT Perspective: 50 years of Dune
Jon Collins’ in-depth look at tech and society
Phil Muncaster reports on China and beyond