If you haven’t followed the story that’s unfolded this week about hacking software found in personal computers made by China’s Lenovo company, you’ll appreciate this handy-dandy summary. You’ll also be astonished by how clueless the Obama administration’s cyber-security strategy remains – despite the cyber-security summit just held at the president’s instigation.
First, some background. Lenovo is not only a Chinese company. It’s a Chinese company that, like most big Chinese companies, is part-owned in a formal sense by the Chinese government. Just as important, like every commercial entity in China, it needs to serve the Chinese government’s interests whenever Beijing so desires.
Lenovo is also now the world’s largest producer of PCs and a major force in electronics generally – thanks in part to its purchase in 2005 of IBM’s personal computer arm and last year of the company’s low-end server manufacturing.
China, you may recall, is a country that for years has often acted in ways contrary or downright harmful to American national security interests, and its government has been officially accused by the Obama administration of sponsoring numerous cyber attacks on U.S. government agencies and businesses. So you may be surprised to learn that, despite these publicly stated concerns, and Lenovo’s close relationship with the Chinese government, the U.S. government has been using Lenovo PCs widely for many years.
Thankfully, Washington has been smart enough not to give Lenovo full access to the federal bureaucracy. Since the middle of the last decade, its products have been barred from secret and top secret networks at defense and intelligence agencies, and since mid-2013, other agencies like Justice, Commerce, and NASA have been required to obtain FBI or other law enforcement agency approval to buy any information technology equipment “being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.” But other official offices have been perfectly free to buy Lenovo and other goods sold by Chinese firms and, of course, sold by U.S.-owned businesses but made in factories in China, including those whose work may not be classified officially but could be awfully sensitive or otherwise important.
So it was more than a little interesting that, not even a week after the cyber-security summit, Reuters reported that software had been found in Lenovo computers that made them vulnerable to hacking. Lenovo’s initial response was to declare this past Thursday that “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” but also announced that it would no longer pre-install the program, called Superfish, which comes from a U.S. company, albeit one with a shady-sounding background. It was not until Friday that the Department of Homeland Security – which apparently never detected the threat – sent out a warning to all Lenovo customers about the software’s malicious capabilities.
Lenovo now says that it did not know about the security threat until Thursday – though a user reportedly filed a complaint on a company forum in late January (and Reuters reports the first concerns were expressed in June). But it also said that Superfish wasn’t designed to be malware, and there was no word on whether it would stop pre-loading into its products other programs by third-party producers. (Apparently the practice of selling this hard-drive space to unaffiliated software companies is common throughout the PC industry.) Lenovo also says that Superfish was installed only on devices shipped between September and December, though it hasn’t said how many computers were compromised. Nor is there any information on how many of these machines were bought by federal customers – as well as their counterparts on the state and local levels. They could still easily contain Superfish unless the owner found out about the problem and applied one of several technical fixes available. (Lenovo also says that it’s looking to work with companies like Microsoft and McAfee to deliver software to remove Superfish and related problems automatically.)
So on the surface, the Lenovo-Superfish threat now looks either contained or soon to be quashed. But the federal, state, and local agencies that bought the vulnerable computers no doubt include offices that are in constant contact, electronic and otherwise, with private businesses – including those that build, supply, and maintain all of the nation’s critical infrastructure systems. These companies themselves also buy Lenovo regularly, of course. Could Superfish have made its way into their networks? And what of other bugs that technology experts either inside or outside the government may not have detected yet?
A government truly serious about cyber-security would immediately require all government agencies at all levels and companies involved in critical infrastructure and national defense to use only computer-related products made outside China down to the component level within a specified time period. Given the massive offshoring of the electronics industry, including nearly the entire supply chain, over the last several decades, that would be a massive undertaking. But without removing equipment from China from official Washington and security-related industries, America will remain dangerously exposed to cyber aggression – no matter how many cyber-security summits presidents hold.