Lenovo seeking access to classified Pentagon networks, J-2 report says
The Pentagon’s Joint Staff recently warned against using equipment made by China’s Lenovo computer manufacturer amid concerns about cyber spying against Pentagon networks, according to defense officials.
A recent internal report produced by the J-2 intelligence directorate stated that cyber security officials are concerned that Lenovo computers and handheld devices could introduce compromised hardware into the Defense Department supply chain, posing cyber espionage risks, said officials familiar with the report. The “supply chain” is how the Pentagon refers to its global network of suppliers that provide key components for weapons and other military systems.
The J-2 report was sent Sept. 28, and also contained a warning that Lenovo was seeking to purchase American information technology companies in a bid to gain access to classified Pentagon and military information networks.
The report warned that use of Lenovo products could facilitate cyber intelligence-gathering against both classified and unclassified—but still sensitive—U.S. military networks.
One official said Lenovo equipment in the past was detected “beaconing”—covertly communicating with remote users in the course of cyber intelligence-gathering.
“There is no way that that company or any Chinese company should be doing business in the United States after all the recent hacking incidents,” the official said.
About 27 percent of Lenovo Group Ltd. is owned by the Chinese Academy of Science, a government research institute. In April, a Chinese Academy of Sciences space imagery expert, Zhou Zhixin, wasnamed to a senior post in the Chinese military’s new Strategic Support Force, a unit in charge of space, cyber, and electronic warfare.
China has been linked by the National Security Agency to large-scale cyber spying against both the Pentagon and American and foreign defense contractors.
Joint Staff spokesman Capt. Greg Hicks declined to comment on the J-2 report but said the military is wary of foreign nations’ cyber spying.
“Although we are concerned any time another nation or individual attempts to initiate intelligence collection against the Department of Defense, we do not discuss internal assessments,” Hicks said.
Lenovo spokesman Ray Gorman said he was unaware of the Joint Staff concerns.
On company efforts to acquire American information technology firms, Gorman said “we have stated many times that we continue to look worldwide for opportunities that make sense for our customers and shareholders, add value to our product portfolio, and help keep us on track for continued profitable growth.” He declined to comment on specific acquisition talks.
A Pentagon spokesman said the Defense Department has not imposed a “blanket ban” on all Lenovo products and does not blacklist suppliers or individual products.
Pentagon policy for protecting mission critical functions in securing computer systems and networks “requires the department to perform supply chain risk management functions when acquiring products for use in its national security systems,” the spokesman said, adding that the analysis is done on a case-by-case basis.
Rep. Robert Pittenger who has investigated Chinese cyber risks in the past, said he is concerned by the Joint Staff report.
“Chinese cyber security and supply chain concerns remain a significant problem for both the Defense Department and the remainder of the federal government,” Pittenger (R., N.C.) told the Washington Free Beacon.
Pittenger said it is important for Congress to press Pentagon acquisition officials “to act swiftly on perceived cyber-threats and remove IT vendors from our supply chain if evidence exists suggesting a security vulnerability.”
“I would be very disappointed to learn, however, if the Defense Department or the Air Force sought to obfuscate the facts regarding contracts with Lenovo when this issue was brought to my attention back in April,” he added.
On Friday the chairman of the House Judiciary Committee wrote to the FBI warning that secrets stored on former secretary of state Hillary Clinton’s private email server may have been compromised by a Clinton aide’s use of a Lenovo computer.
Rep. Bob Goodlatte (R., Va.) stated in a letter to FBI Director James Comey that Heather Samuelson, former White House liaison to the State Department, used two Lenovo laptops to sort some of the thousands of classified emails from Clinton’s server.
“Lenovo computers, and specifically the models used by Heather Samuelson for reviewing classified emails, have been shown by the Department of Homeland Security (DHS) to contain software, dating back to 2010, that permits remote hacking attacks,” Goodlatte stated.
Disclosure of the Joint Staff warning comes after a similar warning from the Air Force Cyber Command in April.
An email notice stated that “per AF Cyber Command direction, Lenovo products are being removed from the Approved Products List and should not be purchased for DoD use.”
“Lenovo products currently in use will be removed from the network,” the email stated.
The Air Force later sought to play down the warning in the email and a spokesman told reporters the email was “coordinated” and should not have been sent.
Lenovo equipment has been a major cyber espionage worry since the company first purchased IBM’s laptop computer business in 2005.
A congressional China commission report produced several years ago revealed that the Army Cyber Directorate in 2007 investigated a Lenovo-brand desktop computer that was engaged in “beaconing activity.” The report said the beacon was a “self-initiating attempt to establish a connection to a suspicious foreign entity.”
Rep. Mike Pompeo, a member of the House Permanent Select Committee on Intelligence, said the risks posed by Lenovo technology are serious.
“It is critical that the U.S. government, particularly the Pentagon, use the most secure technology available,” Pompeo (R., Kan.) said.
“The threat from cyber-attacks is real and demonstrated, as seen by China’s hack of the Office of Personnel Management, which impacted millions of Americans,” he added. “The U.S. must take all reasonable steps to ensure we are not an easy target for our enemies, competitors, or even partners.”
Larry Wortzel, a former military intelligence official and member of the congressional U.S.-China Economic and Security Review Commission, said he helped alert security officials to a plan by the State Department to purchase 900 Lenovo computers in 2006. The computers would have been used to handle classified information and the State Department canceled the sale over cyber spying concerns.
“The Chinese government has a major stake in Lenovo,” Wortzel said in an email.
“China remains one of the main threats to U.S. government and corporate information systems,” Wortzel added. “One way to keep those systems safe is to ensure you are not getting system updates that may have a back door that can be opened by a Chinese intelligence service.”
A National Security Agency document made public by renegade contractor Edward Snowden revealed that China has stolen sensitive military technology through cyber-attacks, including radar designs, engine schematics, and other data through a program code-named Byzantine Hades. The program caused “serious damage to DoD interests,” according to a briefing slide.
NSA detected more than 30,000 cyber-attacks, including more than 500 significant intrusions into Pentagon systems. The attacks broke into at least 1,600 network computers and caused more than $100 million in damage.
Data stolen included Pacific Command aerial tanker refueling schedules, Transportation Command logistics information, and Navy nuclear submarine and anti-aircraft missile designs.
In 2014, Lenovo purchased IBM’s BladeCenter line of computer servers for $2.1 billion. The sale prompted the Navy to replace the upgraded IBM servers within Aegis battle management systems deployed on guided missile destroyers and cruisers over concerns China could hack the Navy’s most advanced warships through the server.
Specifically, the equipment being replaced is IBM’s x86 BladeCenter HT server, a part of the Aegis Technical Insertion, or “TI,” 12.
The upgrades, first reported last year by USNI News, involve TI-12 hardware upgrades, and the Advanced Capability Build, or “ACB,” 12 software upgrades. The components make up the Aegis Baseline 9 combat system upgrade, which combines ballistic missile defense and anti-air warfare upgrades for the warships.
According to the Department of Homeland Security, Lenovo computers since September 2014 were loaded with adware called Superfish that could allow hackers to spoof encrypted security controls in what are called “man-in-the-middle” cyber-attacks. The attacks allow hackers to take over secure web browsers.
Lenovo purchased Motorola Mobility, the company’s cell phone division in 2014, and has sought to buy the Canadian cell phone maker BlackBerry in the past.
Lenovo in the past has denied its products are engaged in cyber espionage. “Lenovo has been a trusted supplier of information technology in the U.S. since 2005 when it bought the IBM ThinkPad PC business,” the company said in a statement. “Every single company selling technology to the U.S. government—including HP, Dell, Cisco, Apple, and Lenovo—use foreign components in their products. So it’s critical that the U.S. continue to follow a standards-based process that allows for procurement of technology that is both cutting edge and totally secure.”
U.S. intelligence agencies in August 2015 warned that Lenovo, along with another Chinese-government-linked firm, Huawei Technologies, had shipped some 80,000 computers to several nations in the Caribbean. The computers were found to contain spyware that can permit remote intrusions.
The cyber spying concerns are not limited to the Pentagon.
The Australian Financial Review newspaper reported in 2013 that all of the “Five Eyes” intelligence services—those in the United States, Britain, Australia, Canadian, and New Zealand—strictly prohibit the use of Lenovo computers over concerns about the potential for cyber espionage.