False Lenovo Security Report Only Strengthens World's Top PC Maker
- 02 August, 2013 20:20
Earlier this week, the Australian Financial Review reported that Australia and other Western countries were blocking Lenovo hardware from secure locations because investigations have discovered some kind of malicious vulnerabilities. Only one problem: The Australian Department of Defense says the report is false. This forced those who picked up the story to publish a disclaimer.
Something should have occurred to folks writing the story. Why, in the midst of a huge NSA dust-up on spying and during a time when folks were mostly focused on mobile devices, would there be an investigation on PCs from China? You'd think every investigator would be looking at American-sourced gear and services instead.
Think about it: You suddenly hear that the U.S. is likely spying on your citizens, so the first thing you do is open and fund an investigation on Chinese hardware. It's not impossible but, given how improbable it is, you'd think someone would check the source before the story was published, not after. The other issue: Lenovo actually has a better defense for this kind of problem than anyone else.
Why Target Lenovo? Everyone Aims at No. 1
I'm fascinated by the "why" of things, and I see two reasons Lenovo may have been targeted. Neither have anything to do with Lenovo exposure. The most likely, given the timing, is that someone wants the attention on the NSA actions shifted back to China; whoever it is doesn't know how PCs really work, so it seems like a logical story.
Why doesn't this person know how PCs work? Unlike smartphones and tablets, PCs are surrounded in companies and governments (particularly security organizations) by layers of security products. These products can discover a virus and other unauthorized transmissions from the hardware. Even if a PC has a root kit, which virus-checking products can't see, its transmissions will identify that it has been compromised. In short, in the agencies that allegedly did the work, there's virtually no chance a compromised PC wouldn't be caught.
Mobile devices, though, typically don't run this software and connect to external networks. An exploit like this could work. Since the NSA-Snowden disclosure mostly surrounded mobile networks, and since any discovery there would point back to the NSA story, I suspect PCs were chosen because the related story was less likely to have an NSA element. (The originating story didn't mention the NSA problem.)
The other likely cause: Lenovo is now ranked No. 1 in the world in PC shipments. This looks bad on the reviews of executives who compete with the company. Many of these executives have press access-but giving executives access isn't the same training them on how to properly use it. Passing on, or making up, a story such as this would seem credible-particularly in a blog world where folks write first and check facts later-and you could do a ton of damage to Lenovo and maybe improve your bottom line.
Related: 7 Ways to Get Your CEO Fired
Granted, since this was a false story, there's some risk the reporter would "out" that executive, in which case he'd likely lose his job. But folks often don't think through the downside to their comments. Look at Anthony Weiner's communications director.
With Execs in China and U.S., Lenovo Would Be Folly to Mess Around
Lenovo was a bad target. The company splits its leadership, with executives in the U.S. and China. As we saw, the NSA ordered American-led companies to compromise their security and not talk about it. Yes, the same could be done to companies wholly in China. However you can't be ordered to effectively not tell yourself. With leadership in both countries, the odds that U.S. or Chinese leadership would face criminal charges should machines be compromised by an overseas government are almost certain.
Chinese executives would therefore be heavily motivated to report this action by the U.S., and U.S. executives would be equally motivated to report should China do this. Both would know that such actions would cripple the companies and land peers in jail. Even the mere attempt faces the virtual certainty of being leaked or reported, due to the risks involved.
This, mind you, is very different than a company headquartered solely headquartered or manufacturing goods in the U.S. or China. In these cases, either the firm or the manufacturing entity could be successfully compromised and ordered under National Security laws not to report, as Google, Yahoo and Microsoft were.
Lenovo also has David Roman, one of the top CMOs in the world, and he can now market this relative strength against the NSA disclosure and make his U.S. competitors appear untrustworthy in world markets.
Coming up with this "story" about Lenovo was foolish. It showcased a unique strength, rather than a weakness, suggesting that whoever fabricated this story really didn't think it through. There's an old saying about not throwing rocks if you live in a glass house. That applies here.
That Which Doesn't Kill Lenovo Will Make It Stronger
Someone gave Lenovo one heck of an early Christmas present. Given that this story was sourced in Australia, it was unlikely sourced by a high-level politician or executive in a competing firm. It's likely that the source will eventually be discovered, with serious implications for his or her career; the disclosure involves several intelligence organizations and feels like a leak. These organizations aren't particularly understanding when it comes to leaks, true or not.
In the end, it does showcase a unique strength that Lenovo has. While I think compromising a PC in the way that the false report indicated is very unlikely, particularly in secure organizations, if you are concerned, then Lenovo could be the best choice, not the one to avoid.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.
Read more about cybercrime in CIO's Cybercrime Drilldown.