When is a ban not a ban? Ask the Australian Department of Defence
Posted: August 1, 2013 | Filed under: Uncategorized | Tags: australia, australian financial review, backdoor vulnerabilities, china, cyber crime, cyber security strategy, Defence Signals Directorate, department of defence, five eyes, lenovo, the register
Well, that was a messy week, made significantly messier by a Lenovo story that broke in Australia and which I covered for The Reg. This story has taken enough twists and turns in the past few days to satisfy even the most ardent F1 fan.
The original piece in the well-respected Australian Financial Review claimed that intelligence agencies in the “Five Eyes” allied countries of US, UK, Oz, New Zealand and Canada had banned Lenovo from top secret networks since the mid-2000s (when the firm acquired IBM’s PC biz) after finding serious backdoor vulnerabilities.
Although it didn’t claim Lenovo was in cahoots with the Chinese government, or that it had used such vulnerabilities to spy on foreign powers, the article rightly stated that the PC giant’s biggest shareholder is part-owned by Beijing.
Although it used unnamed sources to corroborate the ban across intelligence agencies like GCHQ and the NSA, the story also quoted an Australian Department of Defence spokesman as saying Lenovo “never sought accreditation” for use of its kit in secret and top secret networks at the department.
Now, whether the firm didn’t seek accreditation because it knew it wouldn’t get it is conjecture at this stage, although IBM servers and mainframes are accredited for such use.
In a carefully worded statement, Lenovo said it was “not aware of any sort of a restriction of sales”, and bigged up its “strong relationship” with the Australian government. Strange then that it didn’t seek accreditation for use on the department’s most secure networks.
The story got more murky when a Lenovo spokesperson emailed me a couple of days later with a hard-to-find link to a Department of Defence statement on the story which said the following:
Reports published on 27 and 29 July 2013 in the Australian Financial Review allege a Department of Defence ban on the use of Lenovo computer equipment on the Defence Secret and Top Secret Networks.
This reporting is factually incorrect. There is no Department of Defence ban on the Lenovo Company or their computer products; either for classified or unclassified systems.
As we reported in an update at The Reg, the original AFR story didn’t claim a department-wide ban had been instituted at all, only that Lenovo hadn’t sought accreditation. The ban piece related to the Five Eyes intelligence and security agencies – a different entity altogether.
Just why the DoD decided to release a statement contradicting an assertion nobody made remains to be seen.
It's possibly just down to plain old incompetence and human error. After all, it's easy to misread a sentence which refers to "multiple intelligence and defence sources in Britain and Australia" as describing a departmental ban, even though the story then goes on to clarify that in the case of Australia's defence department only the "non-accreditation" piece was officially confirmed.
However, the conspiracy theorists will claim it did so after pressure from Beijing. After all, the DoD statement was not widely publicised (it appeared to have been filed away on a little-visited part of the site), yet Lenovo was very quick to alert journalists to it.
I also understand that Fairfax Media, which owns the AFR, has received complaints from senior Chinese officials in the past over a certain controversial story.
The AFR has quite rightly written a follow-up piece to clarify the mix-up, which includes clarification from “subject matter experts” stating that intel agency the Defence Signals Directorate doesn’t use Lenovo kit, despite having previously used IBM gear.
Aside from all of this though is another question: if intelligence officials in the UK and elsewhere knew something about serious backdoor vulnerabilities in Lenovo gear, whether deliberate or accidental, did they share such information with the private sector and if not why not?
That kind of information could seriously hurt a company’s bottom line, although Lenovo remains the world’s biggest PC vendor.
This is exactly the sort of thing the UK government’s much lauded Cyber Security Strategy launched in 2011 was meant to promote – improved information sharing between public and private sector. GCHQ should be an asset exploited for the benefit of UK PLC.
China, where the links between government and private business are more secretive and certainly more pervasive, remains streets ahead in this regard.