Red scare or red herring?

Federal computer purchase from Chinese company raises security questions

The State Department has altered its information technology procurement policies after a lawmaker publicly questioned whether the department’s purchase of computers from a Chinese company with ties to the Chinese government poses a security risk.

Computer security experts, however, said they doubt the department’s procurement was ever a serious cause for concern.

The computer maker in question is Lenovo. State bought 15,000 Lenovo computers with nonremovable hard drives in September 2005 for use on its unclassified networks, said Justin Higgins, a spokesman for the department.

State also bought 937 computers with removable hard drives for use on its classified network, which carries restricted information up to the secret level. The purchases were part of a modernization program that upgrades 25 percent of State’s desktop computers every four years, Higgins said.

In multiple letters this month to top Bush administration officials, Rep. Frank Wolf (R-Va.) expressed alarm that using the computers would put State’s and other departments’ classified networks at risk of Chinese espionage.

Wolf echoed the concerns of the U.S.-China Commission (USCC), a congressionally mandated group that evaluates the effects of the United States’ trade relationship with China. In an April 25 letter, USCC officials told Wolf about their fears.

Lenovo purchased IBM’s computer division in 2005. Jeffrey Carlisle, vice president of government relations at Lenovo, rebuffed the suggestion that the company’s computers are not trustworthy. “The [IBM] ThinkPad brand was founded on integrity, security and reliability,” he said. “Lenovo spent money to buy this personal computer division. It is not going to give away that brand for any reason whatsoever, so there’s no reason to think that these computers have any security issues in them.”

Wolf’s alarm about Chinese intrusions into classified networks is backed by recent history. Retired Army officers and industry officials say Chinese hackers, possibly with government connections, have successfully probed and penetrated Defense Department networks thousands of times in the past five years. DOD tallied almost 75,000 incidents on department networks in 2004.

The Chinese have also already obtained the technology to challenge the U.S. military and its evolving network-centric warfare strategy, DOD officials say. The People’s Liberation Army is developing modern, integrated command, control, communications, computers, intelligence, surveillance and reconnaissance systems, according to “Annual Report to Congress: The Military Power of the People’s Republic of China 2005.” The Chinese military is bolstering its ability for computer network attacks, defense and exploitation, the report states.

The Committee on Foreign Investment in the United States criticized the 2005 Lenovo deal because of the Chinese government’s large investments and influence in the company.

Lenovo got 67 percent of its start-up capital from Legend Holdings, a Chinese company, said USCC Chairman Larry Wortzel. The Chinese Academy of Sciences, an arm of the Chinese government, has 65 percent ownership of Legend.

“This transaction will potentially give the Chinese access to Department of Defense intelligence information as well as the inner workings of the Department of State on issues ranging from human rights to Taiwan to arms control negotiations to countless other areas,” the USCC letter states.

“The fact that these computers may be assembled outside of China or that the software is produced in the U.S. does not eliminate the opportunity for covert means to gain access to some of our nation’s most important data,” the letter continues.

Counterintelligence and IT security experts and experts from State, the FBI, the National Security Agency and the CIA all have concerns about the purchase, Wortzel said. At least one security expert warned that a security breach could go completely unnoticed, he said.

State recognizes concerns

Richard Griffin, assistant secretary of State for diplomatic security, wrote in a May 18 letter to Wolf that State is changing its procurement process in light of the changing ownership of IT equipment providers. The changes, made in concert with the General Services Administration, will guarantee information security and compliance with federal procurement law, he said.

“We’re taking steps to meet his concerns,” Higgins said. “We will make sure that [the computers] pose no security risk, whether used for classified or unclassified use.” He declined to say how State would accomplish that.

State had installed about one-third of the 937 computers with removable drives at facilities in the Washington, D.C., area by the time Wolf expressed his concerns, Higgins said. State yanked those computers by May 18, he said. He did not know the status of the other 15,000 computers.

State followed GSA’s standard procurement procedures in buying the computers, Higgins said. “We now look to GSA to ensure that a situation like this doesn’t arise again,” he said.

Experts doubt serious threat

The fears Wolf and the USCC expressed about the Chinese penetrating classified U.S. systems are appropriate, computer security experts say. But they say the belief that buying Chinese-manufactured computers increases that risk may be a bit far-fetched.

“Unless the U.S. government wants to start paying $10,000 each for a substandard, custom-built laptop that nobody likes, they will have to use machines with components built in other countries,” said Paul Proctor, research vice president of the security and risk group at Gartner.

The attacks that worried Wolf are technically feasible and potentially devastating if performed on classified networks, but the business risks of carrying them out make them highly unlikely, Proctor said. Industry and security experts could find the secret additions, and publicly revealing them could sink Lenovo’s $9 billion computer business, he said. “Who would ever purchase from them again?” he asked.

However, Proctor said, if some subtle technology were in use on a small number of laptops, it would be much less likely to be detected.

“It makes sense for State to be sensitive to the subject, especially where classified laptops are concerned,” he said.

Ray Bjorklund, senior vice president and chief knowledge officer at Federal Sources, agrees that the chances are slim that the Lenovo computers could be covert Chinese operatives. “I don’t want to belittle any potential threat, but I think this is a bit of a red herring,” he said.

Can unclassified information pose a risk?

To remove any chance that the Chinese government could somehow manipulate Lenovo computers to tap into U.S. classified networks, Rep. Frank Wolf (R-Va.) and the State Department’s Bureau of Diplomatic Security have recommended that the 937 Lenovo computers that State bought for use on classified networks instead be used for unclassified purposes only.

Wolf suggested that State give the machines to another agency that doesn’t use classified information, his spokesman Dan Scandling said.

But using compromised computers on unclassified systems still poses security risks, especially because gaining access to unclassified information, such as travel schedules and personal communications, can cause damage, said Paul Proctor, research vice president of the security and risk group at Gartner.

Unclassified systems usually connect to the Internet, making them more prone to malware infections and other attacks, Proctor said. The straight line to the Internet makes it easier to communicate sensitive information to a foreign agent, he added.

Wolf spies reform opportunity

Rep. Frank Wolf’s (R-Va.) inquiry into whether using Chinese computers on U.S. classified networks poses a national security risk has produced many suggestions on how to protect the networks from spying.

Wolf thinks Congress needs to rethink controls on all information technology purchases that will handle classified information, his spokesman Dan Scandling said.

The federal government should only buy from top-tier U.S. companies and providers, said Larry Wortzel, chairman of the U.S.-China Commission. The purchases should be blind, in that no provider or supplier would know who would use the computers, he said. In addition, only federal employees should load software, he said.

Justin Higgins, a State Department spokesman, said State will further inspect and verify the safety of the Lenovo systems but declined to say how. Paul Proctor, research vice president of the security and risk group at Gartner, said State is probably looking for new hardware and monitoring it for unauthorized communications and content.

The U.S. government appears to be spending its money wisely on inspection and verification to build trust in commercial equipment, Proctor said. The standard for that trust should be higher for classified systems, he added.
