If governments ban China-based Lenovo, should companies?

If U.S. intelligence agencies ban the computers of a Chinese company from classified networks should companies also avoid the same products? What if the vendor is one of the world's largest PC makers?

Those questions are not academic. Intelligence and defense agencies in the U.S. and several other Western countries have banned computers from China-based Lenovo from networks deemed "secret" or "top secret," says a recent report by The Australian Financial Review.

The ban has existed since the mid-2000s, when extensive testing found backdoor hardware and firmware in Lenovo chips that could be exploited by hackers and cyberspies, the report said. Countries banning the company's products include the U.S., Britain, Canada, New Zealand and Australia.

Lenovo did not respond to a request for comment. However, the company told The Australian Financial Review that it was unaware of the ban and that its enterprise and government customers have found its products to be "reliable and secure."

The report is a reminder of the threats that exist within an organization's supply chain, which can span many countries, experts said Friday.

"The real issue is about the trustworthiness and integrity of hardware and software around the globe," said Jacob Olcott, a principal consultant on cybersecurity at Good Harbor Consulting.

Indeed, the China-based networking company Huawei, which has also had to defend the security of its gear, has pointed out that any IT vendor's hardware could contain hidden backdoors. That's because vendors buy chips and integrated circuits from manufacturers around the world.

"Huawei's right," said Murray Jennex, an assistant professor of information security at San Diego State University. "Many other [IT] companies are just as susceptible and other countries are probably doing the same thing -- inserting backdoors."

Chinese manufacturers in general are often cited as a security risk because U.S. government officials have identified their homeland as a major source of cyberespionage. Nevertheless, organizations need to take a broader view of the problem.


Peter Ludlow, a professor at Northwestern University and an expert in cybersurveillance, said China is but one concern. "Focusing [only] on China is shortsighted and xenophobic," he said.

Unfortunately, companies cannot guarantee their hardware is secure simply by running it through a battery of tests. Kevin Coleman, a senior fellow at the Technolytics Institute, recalls when a company asked him how they could be sure that each of the 812 computers they just bought was free of threats.

"I said you'd have to check every single computer down to the chip level and the BIOS level," Coleman said. "It would be a horrendous task and then you're not going to guarantee [security] 100%."
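Chip-level inspection of every machine is impractical, but a fleet-wide consistency check on firmware measurements is not, and it catches the case where one machine's BIOS image differs from the rest or from what the vendor published. The following is an added example, not code from the article or from any vendor; the hostnames, model names, hashes and the vendor allowlist are constructed placeholders, and it assumes you can already read each machine's firmware image (or a hash of it) back into an inventory.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample inventory: (hostname, model, sha256 of the firmware
# image read back from the machine). Digests are placeholders, not real.
FLEET = [
    ("pc-001", "T480", "h1"),
    ("pc-002", "T480", "h1"),
    ("pc-003", "T480", "h1"),
    ("pc-004", "T480", "h2"),   # deviates from its siblings
    ("pc-005", "X1", "h3"),
    ("pc-006", "X1", "h3"),
]

# Assumed vendor-published digests per model (hypothetical values).
VENDOR_ALLOWLIST = {"T480": {"h1"}, "X1": {"h3", "h4"}}


def digest_of(image_bytes: bytes) -> str:
    """SHA-256 of a firmware image; this is what the inventory would store."""
    return hashlib.sha256(image_bytes).hexdigest()


def baseline_by_model(fleet):
    """Per model, the most common firmware digest is the fleet baseline."""
    by_model = defaultdict(Counter)
    for _host, model, digest in fleet:
        by_model[model][digest] += 1
    return {model: c.most_common(1)[0][0] for model, c in by_model.items()}


def audit(fleet, allowlist):
    """Flag machines whose digest is unknown to the vendor list or
    differs from the majority of the same model. Returns (host, reasons)."""
    base = baseline_by_model(fleet)
    findings = []
    for host, model, digest in fleet:
        reasons = []
        if digest not in allowlist.get(model, set()):
            reasons.append("not in vendor allowlist")
        if digest != base[model]:
            reasons.append("differs from fleet majority")
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in audit(FLEET, VENDOR_ALLOWLIST):
        print(host, "->", "; ".join(reasons))
```

Note the limit, which is Coleman's point: a fleet whose machines all carry the same vendor-listed image has shown consistency with the vendor, not the absence of a backdoor in that image.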

Instead, companies should reduce the risk by measuring the cost of security against the data being protected. For storing and processing non-sensitive data, a company has more flexibility to shop for computers on price and features. For business-critical information, companies should favor U.S.-based vendors, experts say.

In all cases, vendors should vouch for the security of their products in writing, he said.

Businesses also need to practice what experts call "security in depth." Besides following best practices in purchasing hardware, companies should have technology in place to monitor networks for traffic that would indicate sensitive data is leaving an organization without authorization.
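One concrete form of that monitoring is a per-host outbound-volume check against a baseline, which flags a workstation that suddenly pushes far more data to external, non-approved destinations than it normally does. The block below is an added example, not from the article or any product; the flow records, the internal address range, the approved destination and the baselines are constructed, and the thresholds (a 5x multiple of baseline with a 20 MB floor) are assumptions to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: source, destination, bytes sent by the source.
FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.5", "bytes": 30_000_000},   # workstation to unknown host
    {"src": "10.1.2.3", "dst": "10.1.2.50", "bytes": 500_000_000},    # internal, ignored
    {"src": "10.1.9.9", "dst": "203.0.113.7", "bytes": 120_000_000},  # backup server, normal for it
    {"src": "10.1.4.4", "dst": "198.51.100.10", "bytes": 80_000_000}, # approved SaaS, ignored
    {"src": "10.1.4.4", "dst": "203.0.113.9", "bytes": 5_000_000},
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_DSTS = {ipaddress.ip_address("198.51.100.10")}  # assumed corporate services

# Assumed per-host daily outbound baseline in bytes (learned over prior days).
BASELINE = {"10.1.2.3": 1_000_000, "10.1.9.9": 100_000_000}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows, approved=APPROVED_DSTS):
    """Total bytes each internal host sent to external, non-approved destinations."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if is_internal(src) and not is_internal(dst) and dst not in approved:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_exfil(flows, baseline=BASELINE, factor=5, floor=20_000_000):
    """Hosts whose external outbound exceeds both the floor and factor x baseline.
    A host with no baseline is judged against the floor alone."""
    totals = outbound_by_host(flows)
    return sorted(
        host for host, sent in totals.items()
        if sent > max(floor, factor * baseline.get(host, 0))
    )


if __name__ == "__main__":
    print(flag_exfil(FLOWS))
```

The baseline is what keeps the backup server from paging someone every night; the floor is what stops a host with no history from slipping under a 5x-of-zero threshold.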

"No single point of security; no single point of failure," Coleman said.

However, no matter how many layers of security a company has, a breach is always possible. "Never say never," said Danial Faizullabhoy, vice president of business development for Norwich University Applied Research Institutes.

Therefore, a company should always have policies and procedures that spell out how it should react when a breach occurs, Faizullabhoy said.

Stories by Antone Gonsalves