When is a ban not a ban? Ask the Australian Department of DefencePosted: August 1, 2013 Filed under: Uncategorized | Tags: australia, australian financial review, backdoor vulnerabilities, china, cyber crime, cyber security strategy, Defence Signals Directorate, department of defence, five eyes, lenovo, the register Leave a comment
Well that was a messy week, made significantly messier by news that broke in Australia that I covered for The Reg on Lenovo. This story has taken enough twists and turns in the past few days to satisfy even the most ardent F1 fan.
The original piece in the well-respected Australian Financial Review claimed that intelligence agencies in the “Five Eyes” allied countries of US, UK, Oz, New Zealand and Canada had banned Lenovo from top secret networks since the mid-2000s (when the firm acquired IBM’s PC biz) after finding serious backdoor vulnerabilities.
Although it didn’t claim Lenovo was in cahoots with the Chinese government, or that it had used such vulnerabilities to spy on foreign powers, the article rightly stated that the PC giant’s biggest shareholder is part-owned by Beijing.
Although it used unnamed sources to corroborate the ban across intelligence agencies like GCHQ and the NSA, the story also quoted an Australian Department of Defence spokesman as saying Lenovo “never sought accreditation” for use of its kit in secret and top secret networks at the department.
Now, whether the firm didn’t seek accreditation because it knew it wouldn’t get it is conjecture at this stage, although IBM servers and mainframes are accredited for such use.
In a carefully worded statement, Lenovo said it was “not aware of any sort of a restriction of sales”, and bigged up its “strong relationship” with the Australian government. Strange then that it didn’t seek accreditation for use on the department’s most secure networks.
The story got more murky when a Lenovo spokesperson emailed me a couple of days later with a hard-to-find link to a Department of Defence statement on the story which said the following:
Reports published on 27 and 29 July 2013 in the Australian Financial Review allege a Department of Defence ban on the use of Lenovo computer equipment on the Defence Secret and Top Secret Networks.
This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.
As we reported in an update at The Reg, the original AFR story didn’t claim a department-wide ban had been instituted at all, only that Lenovo hadn’t sought accreditation. The ban piece related to the Five Eyes intelligence and security agencies – a different entity altogether.
Just why the DoD decided to release a statement contradicting an assertion no-body made remains to be seen.
It’s possibly just down to plain old incompetence and human error – after all it’s easy to misread a sentence which refers to “multiple intelligence and defence sources in Britain and Australia” as instituting a ban, but then goes on to clarify that in the case of Australia’s defence department it is just the “non-accreditation” piece that was officially confirmed.
However, the conspiracy theorists will claim it did so after pressure from Beijing, after all the DoD statement was not widely publicised – it appeared to have been filed away on a little visited part of the site – but Lenovo was very quick to alert journalists to it.
I also understand that Fairfax Media, which owns the AFR, has received complaints from senior Chinese officials in the past over a certain controversial story.
The AFR has quite rightly written a follow-up piece to clarify the mix-up, which includes clarification from “subject matter experts” stating that intel agency the Defence Signals Directorate doesn’t use Lenovo kit, despite having previously used IBM gear.
Aside from all of this though is another question: if intelligence officials in the UK and elsewhere knew something about serious backdoor vulnerabilities in Lenovo gear, whether deliberate or accidental, did they share such information with the private sector and if not why not?
That kind of information could seriously hurt a company’s bottom line, although Lenovo remains the world’s biggest PC vendor.
This is exactly the sort of thing the UK government’s much lauded Cyber Security Strategy launched in 2011 was meant to promote – improved information sharing between public and private sector. GCHQ should be an asset exploited for the benefit of UK PLC.
China, where the links between government and private business are more secretive and certainly more pervasive, remains streets ahead in this regard.
Not all bad: Huawei outlines corporate social responsibility pushPosted: March 21, 2013 Filed under: Uncategorized | Tags: australia, china, CSR, environment, green IT, huawei, ICT education, mobile, smartphones, telecoms equipment 1 Comment
Not content with breathing down Ericsson’s neck in the telecoms equipment space and making huge gains in the global smartphone market, Chinese giant Huawei now has its sights set on becoming a leader in corporate social responsibility, but maintains it’s definitely not part of a soft power push.
Speaking at a media event in Hong Kong on Wednesday, the firm’s head of CSR, Holy Ranaivozanany, revealed that it would be extending its Telecoms Seeds for the Future project to Australia this year.
“We thought that we needed to use the expertise in the company to bring something to the community. After stakeholder dialogue we saw there was a high expectation on us to help local schools and universities improve ICT education,” she said of the genesis of the project.
“There’s a gap between what is learned at school and what is learned in the industry, so we looked at how to bridge that gap. That’s why we launched this program in 2008.”
The project could involve scholarships and internships at local Huawei offices where students get mentored by a Huawei engineers, lectures by Huawei staff at local universities and even the creation of training centres. In Malaysia the firm is spending $30m over several years to build out such a centre, she said.
However, head of international media affairs, Scott Sykes, refuted any suggestions that this global CSR strategy might be part of an effort to soften the image of the company abroad, especially in countries like Oz which have been rather hostile to it in the recent past.
“Our top objective is not soft diplomacy but us realising our responsibility as a leading ICT company. We’re not just selling kit, we’re benefitting the communities we operate in,” he argued.
“In one sense our technology is enriching lives, making affordable high quality broadband services. Beyond that we bring jobs. 150,000 work at Huawei including 50,000 non-Chinese outside China – and that number is growing each day. In addition there’s the ecosystem. Last year we spent $6bn in the US, $3bn in Europe, $3bn in Taiwan and $1bn in Japan, so when we win this ecosystem around our business wins.”
Still, it can’t hurt the firm to show it has the interests of local communities at heart, after all the negative stories of it as a national security risk and shadowy agent of the Chinese government that usually follow it and Shenzhen rival ZTE around, especially in Australia and the US.
Ranaivozanany was even magnanimous enough to say that the firm wasn’t necessarily hoping to train up future Huawei engineers with its Telecom Seeds program, but simply “nurture a pool of talent to … keep the industry going”.
In many ways, Huawei is still learning the ropes when it comes to CSR – something that doesn’t come naturally to Chinese companies.
Ranaivozanany admitted there was “no specific measure of RoI” on Huawei’s CSR efforts, but that it was now “integral to what we do”, while Sykes emphasised that the firm was simply coming good at last on expectations of what a large multi-national industry-leading vendor should be doing in this area.
“We’re still a young company. We were only founded about 25 years ago while some of our competitors were founded 100 years back. Our focus on our core business has probably been to the detriment of other things, like communicating properly,” he admitted.
“We’re not saying we have the best ideas regarding CSR. We acknowledge we’re a newcomer in this area, but we’re building our muscle.”
For the record, Ranaivozanany outlined the “four pillars” by which Huawei defines its CSR activities as follows .
Creating and maintaining reliable networks, especially in the event of natural disasters; helping close the digital divide by connecting those in rural areas; building greener products; and the rather wooly “realising common development with stakeholders”, which basically means improving the livelihoods of employees and citizens in the countries it operates.