Lenovo Denies Its PCs Are Security Risk

Last week the State Department announced that the Lenovo computers, part of a $13 million purchase by the agency, would be relegated to "unclassified" settings. The department was responding to criticism leveled by Rep. Frank Wolf (R-Va.) that at least 900 of the computers were destined for a classified-chore network.

"This decision would have had dire consequences for our national security, potentially jeopardizing our investment in a secure IT infrastructure," Wolf wrote to the State Department in early May. "It is no secret that the United States is a principal target of Chinese intelligence services."

On May 18, the State Department said it would pull Lenovo systems already deployed in classified settings, change its procurement procedures, and brief other federal agencies on the concerns.

Thursday, Yang Yuanqing, chairman of Lenovo, told reporters in Hong Kong that there was no reason to worry about the security of computers his company makes.

"The [Chinese] government isn't involved in any daily operation of the company, including our strategic positions, appointment of our CEO, or our financing," Yang told the Associated Press at a Hong Kong news conference. "Our management team is in charge of that. I don't believe because Legend Holdings is our biggest shareholder that this means we are a government-controlled company."

Legend Holdings is controlled by the Chinese government.

A U.S. security analyst doesn't think that Lenovo's PCs are a security threat -- not that a computer maker couldn't plant impossible-to-detect spyware on a system as it's built -- but believes any purchase of machines from a Chinese-controlled company is a bad idea.

"I don't see any existing security threat from Chinese-based computers," said Richard Stiennon, formerly a research director at spyware vendor Webroot, now a security analyst at his IT-Harvest consultancy.

"But I don't believe the government should be buying PCs from China," he continued. "We're at war with China."

That war, said Stiennon, is a behind-the-scenes cyber war. "The Chinese are actively hacking a lot of government sites," said Stiennon. "And some of it, I believe, is sanctioned and even backed by the Chinese government." Last year, reports circulated in newspapers such as the Washington Post and publications such as Time of a campaign dubbed "Titan Rain" in which Chinese hackers had broken into numerous U.S. military and government servers. Sources said that the recipient of stolen data was the Chinese government.

And while Stiennon doesn't think Lenovo is adding spyware to its systems, it would be simple for a computer manufacturer to embed malicious code, including keyloggers that would record every keystroke, in the machine on the factory floor. "You could embed a keystroke logger in the BIOS, or in a programmable chip."

In-PC spyware would be even more difficult to detect than the most sophisticated rootkit-using Trojan horse software, Stiennon said.

In January, a security researcher laid out how rootkits could be planted in a PC's BIOS flash memory, and noted that such tactics would be immune not only to most detection techniques, but even to a hard disk reformat and operating system reinstall.

"We're an international company driven by the market," Yang said Thursday. "Our operation is very transparent, and trust and honesty are very important to us."

But apparently not transparent enough for the State Department.