As the private sector grapples with security flaws in Wi-Fi devices that can be exploited by hackers to whip household gadgets into a zombie cyber army, and ponders the role of Chinese manufacturers in creating millions of vulnerable components, the Pentagon has issued a blunt warning that some Chinese-made equipment could compromise military security.
“A recent internal report produced by the J-2 intelligence directorate stated that cyber security officials are concerned that Lenovo computers and handheld devices could introduce compromised hardware into the Defense Department supply chain, posing cyber espionage risks, said officials familiar with the report,” writes Bill Gertz at the Washington Free Beacon.
The vulnerabilities described in the Pentagon report from September 28 are serious, with one official reporting that Lenovo equipment has been caught “beaconing” in the past — that is, “covertly communicating with remote users in the course of cyber intelligence-gathering.” One of the more notable beaconing scandals was the recent discovery that a Chinese-made web browser called Maxthon, which has captured about one percent of the worldwide browser market, was secretly transmitting encrypted data back to China, disguised as JPEG images.
“There is no way that that company or any Chinese company should be doing business in the United States after all the recent hacking incidents,” this official stated bluntly, and he would have said that long before the massive bot onslaught that kneecapped the Internet last Friday.
But Lenovo is not only doing business in the U.S., they are looking to expand. Gertz notes the company, which is partly owned by the government-run Chinese Academy of Science, has been “seeking to purchase American information technology companies in a bid to gain access to classified Pentagon and military information networks.”
A Lenovo spokesman contacted by Gertz said he was “unaware of the Joint Staff concerns,” while a Pentagon spokesman said there were no current plans to impose a “blanket ban” on Lenovo products or blacklist any other suppliers.
Various military branches seem aware of the problem and have taken corrective measures, such as the Navy replacing the servers on Aegis guided missile destroyers after Lenovo bought the old product line from IBM in 2014. Intelligence agencies in the U.S. and allied nations have made a point of avoiding Lenovo computers due to spyware concerns.
There’s still confusion at the highest levels, however. Back in April, the Air Force sent an email indicating Lenovo had been stricken from the Approved Products List and stating Lenovo computers were being removed from Air Force networks, but the message was essentially retracted by the Pentagon.
Rep. Robert Pittenger told the Washington Post at the time:
“My office received verifiable evidence that the Air Force intended on removing Lenovo as a supplier. However, the Defense Department is now claiming this Air Force directive was unapproved and inaccurate. Should the Air Force have legitimate concerns with Lenovo, I am troubled that the Defense Department would not take swift action in support of that evidence.”
Tensions with China inject diplomatic concerns into these security issues as there can be little doubt China would object to, and perhaps retaliate against, blanket bans on products manufactured by its state and quasi-state industries. Political correctness would also make some bureaucrats uncomfortable with broad statements that Chinese computer products are riddled with back-door security flaws and spyware.
A glimpse of how a catastrophic security crisis might unfold from flawed computer components is provided by the novel Ghost Fleet, by P.W. Singer and August Cole, which made a big splash (if you’ll pardon the pun) at the Pentagon this past summer. Footnoted as extensively as any non-fiction work, Ghost Fleet spins a plausible near-future scenario about a naval war between the United States and China, beginning with a massive cyber attack that relies on security flaws deliberately introduced into Chinese-made computer parts.
The characters of Ghost Fleet’s near future often look back to events of the past — events that, in reality, are occurring right now as documented in the book’s footnotes — and wonder why no one heeded the warning signs in matters ranging from military budgets to cyber-security.
In the rapidly evolving world of cyberwarfare, nothing should be unthinkable, or unspeakable.