If US intelligence agencies ban the computers of a Chinese company from classified networks, should companies also avoid the same products? What if the vendor is one of the world’s largest PC makers?
Those questions are not academic. Intelligence and defence agencies in the US and several other Western countries have banned computers from China-based Lenovo from networks deemed “secret” or “top secret,” says a recent report by The Australian Financial Review.
The ban has existed since the mid-2000s, when extensive testing found backdoor hardware and firmware in Lenovo chips that could be exploited by hackers and cyber-spies, the report said. Countries banning the company’s products include the US, Britain, Canada, New Zealand and Australia.
Lenovo did not respond to a request for comment. However, the company told The Australian Financial Review that it was unaware of the ban and that its enterprise and government customers have found its products to be “reliable and secure.”
The report is a reminder of the threats that exist within an organisation’s supply chain, which can span many countries, experts said Friday.
“The real issue is about the trustworthiness and integrity of hardware and software around the globe,” said Jacob Olcott, a principal consultant on cyber-security at Good Harbor Consulting.
Indeed, the China-based networking company Huawei, which has also had to defend the security of its gear, has pointed out that any IT vendor’s hardware could contain hidden backdoors. That’s because vendors buy chips and integrated circuits from manufacturers around the world.
“Huawei’s right,” said Murray Jennex, an assistant professor of information security at San Diego State University. “Many other [IT] companies are just as susceptible and other countries are probably doing the same thing – inserting backdoors.”
Chinese manufacturers in general are often cited as a security risk because US government officials have identified their homeland as a major source of cyber-espionage. Nevertheless, organisations need to take a broader view of the problem.
Peter Ludlow, a professor at Northwestern University and an expert in cyber-surveillance, said China is but one concern. “Focusing [only] on China is shortsighted and xenophobic,” he said.
Unfortunately, companies cannot guarantee their hardware is secure simply by running it through a battery of tests. Kevin Coleman, a senior fellow at the Technolytics Institute, recalls when a company asked him how they could be sure that each of the 812 computers they just bought was free of threats.
“I said you’d have to check every single computer down to the chip level and the BIOS level,” Coleman said. “It would be a horrendous task and then you’re not going to guarantee [security] 100 percent.”
Instead, companies should reduce the risk by measuring the cost of security against the data being protected. For storing and processing non-sensitive data, a company has more flexibility to shop for computers on price and features. For business-critical information, companies should favour US-based vendors, experts say.
In all cases, vendors should vouch for the security of their products in writing, he said.
Businesses also need to practise what experts call “security in depth.” Besides following best practices in purchasing hardware, companies should have technology in place to monitor networks for traffic that would indicate sensitive data is leaving the organisation without authorisation.
“No single point of security; no single point of failure,” Coleman said.
However, no matter how many layers of security a company has, a breach is always possible. “Never say never,” said Danial Faizullabhoy, vice president of business development for Norwich University Applied Research Institutes.
Therefore, a company should always have policies and procedures that spell out how it should react when a breach occurs, Faizullabhoy said.