False Lenovo Security Report Only Strengthens World's Top PC Maker

Earlier this week, the Australian Financial Review reported that Australia and other Western countries were blocking Lenovo hardware from secure locations because investigations have discovered some kind of malicious vulnerabilities. Only one problem: The Australian Department of Defense says the report is false. This forced those who picked up the story to publish a disclaimer.

Something should have occurred to folks writing the story. Why, in the midst of a huge NSA dust-up on spying and during a time when folks were mostly focused on mobile devices, would there be an investigation on PCs from China? You'd think every investigator would be looking at American-sourced gear and services instead.

Think about it: You suddenly hear that the U.S. is likely spying on your citizens, so the first thing you do is open and fund an investigation on Chinese hardware. It's not impossible but, given how improbable it is, you'd think someone would check the source before the story was published, not after. The other issue: Lenovo actually has a better defense for this kind of problem than anyone else.

Why Target Lenovo? Everyone Aims at No. 1

I'm fascinated by the "why" of things, and I see two reasons Lenovo may have been targeted. Neither has anything to do with Lenovo exposure. The most likely, given the timing, is that someone wants the attention on the NSA actions shifted back to China; whoever it is doesn't know how PCs really work, so it seems like a logical story.

Why doesn't this person know how PCs work? Unlike smartphones and tablets, PCs in companies and governments (particularly security organizations) are surrounded by layers of security products. These products can discover a virus and other unauthorized transmissions from the hardware. Even if a PC has a rootkit, which virus-checking products can't see, its transmissions will identify that it has been compromised. In short, in the agencies that allegedly did the work, there's virtually no chance a compromised PC wouldn't be caught.

Mobile devices, though, typically don't run this software and connect to external networks. An exploit like this could work. Since the NSA-Snowden disclosure mostly surrounded mobile networks, and since any discovery there would point back to the NSA story, I suspect PCs were chosen because the related story was less likely to have an NSA element. (The originating story didn't mention the NSA problem.)

The other likely cause: Lenovo is now ranked No. 1 in the world in PC shipments. This looks bad on the reviews of executives who compete with the company. Many of these executives have press access, but giving executives access isn't the same as training them on how to properly use it. Passing on, or making up, a story such as this would seem credible (particularly in a blog world where folks write first and check facts later), and you could do a ton of damage to Lenovo and maybe improve your bottom line.

Granted, since this was a false story, there's some risk the reporter would "out" that executive, in which case he'd likely lose his job. But folks often don't think through the downside to their comments. Look at Anthony Weiner's communications director.

With Execs in China and U.S., Lenovo Would Be Folly to Mess Around

Lenovo was a bad target. The company splits its leadership, with executives in the U.S. and China. As we saw, the NSA ordered American-led companies to compromise their security and not talk about it. Yes, the same could be done to companies wholly in China. However, you can't be ordered to effectively not tell yourself. With leadership in both countries, it is almost certain that U.S. or Chinese leadership would face criminal charges should machines be compromised by an overseas government.

Chinese executives would therefore be heavily motivated to report this action by the U.S., and U.S. executives would be equally motivated to report should China do this. Both would know that such actions would cripple the companies and land peers in jail. Even the mere attempt faces the virtual certainty of being leaked or reported, due to the risks involved.

This, mind you, is very different from a company solely headquartered or manufacturing goods in the U.S. or China. In these cases, either the firm or the manufacturing entity could be successfully compromised and ordered under National Security laws not to report, as Google, Yahoo and Microsoft were.

Lenovo also has David Roman, one of the top CMOs in the world, and he can now market this relative strength against the NSA disclosure and make his U.S. competitors appear untrustworthy in world markets.

Coming up with this "story" about Lenovo was foolish. It showcased a unique strength, rather than a weakness, suggesting that whoever fabricated this story really didn't think it through. There's an old saying about not throwing rocks if you live in a glass house. That applies here.

That Which Doesn't Kill Lenovo Will Make It Stronger

Someone gave Lenovo one heck of an early Christmas present. Given that this story was sourced in Australia, it is unlikely to have been sourced by a high-level politician or executive in a competing firm. It's likely that the source will eventually be discovered, with serious implications for his or her career; the disclosure involves several intelligence organizations and feels like a leak. These organizations aren't particularly understanding when it comes to leaks, true or not.

In the end, it does showcase a unique strength that Lenovo has. While I think compromising a PC in the way that the false report indicated is very unlikely, particularly in secure organizations, if you are concerned, then Lenovo could be the best choice, not the one to avoid.

Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.
