Lenovo caught up in US security panic

A US advisory commission has raised a red flag over a deal for 16,000 computers for the State Department manufactured by China's Lenovo Group. The hangup is security - specifically, the fear that the Chinese could equip the machines with chips that could spy on State Department dealings. It seems that the same national-security worries that fueled the hubbub surrounding the Dubai ports deal in the US - that allowing an Arab-owned firm to operate six key ports could facilitate terrorist access to them - are bubbling up again. The incident is also reminiscent of energy-security fears surrounding the attempted purchase of Unocal Oil by the China National Offshore Oil Corp (CNOOC) last year, which ultimately killed that deal. The US government is planning to spend roughly US$13 million on what the State Department says are unclassified systems, mostly ThinkCentre M51 desktops with LCD (liquid crystal display) monitors. The US-China Economic and Security Review Commission, which reports to the US Congress from a national-security perspective on China-US trade dealings, is behind the current questions. After all, reason its members, if a foreign government were so inclined, there is a real opportunity to gather intelligence in embassies worldwide by inserting extra hardware and software in the computers. But technology and PC (personal computer) industry experts generally have a quite different view. For starters, Lenovo finalized its purchase of IBM's PC business last year, thereby becoming the third-largest PC maker in the world. The systems in question are part of the Thinkpad line. "If you have a Thinkpad that you bought when it was an IBM Thinkpad, turn it upside down and you'll see that it says 'made in China'," noted Brian Gammage, a vice president and analyst at UK-based Gartner Research. The PC is truly a global device, he added, and the majority are manufactured in China no matter whose name is on the label. Many, if not most, Dell, Apple, Acer, Sharp, Toshiba and Hewlett-Packard computers also are assembled in China. Gammage also pointed to the standardized, commoditized nature of PC technology, which makes it more difficult to insert any "Trojan horse" circuits on to a motherboard for spying purposes. "IBM sold the PC business as a loss; it has such a thin margin of only 2%," he said. "The days of tinkering with the chipsets are 10-20 years gone. Today, the configuration is the same worldwide - maybe there's a different keypad or power supply, and maybe there's [a] lower- or higher-cost chipset being used, but standard components are the only way to go and still stay in business." Actually, with the hardware being standardized, the only security weaknesses could be in software, he continued, "and any organization [purchasing foreign-made PCs] would have the right security processes and tools in place for how it interacts with the outside world. It stands to reason that any government arm, especially, would be taking the necessary steps to make sure that nothing confidential and private is leaving its network." The US State Department's actual contract, in fact, is not directly with Lenovo but with a distributor, CDW Government, a subsidiary of CDW Corp, based in Vernon Hills, Illinois. According to CDW, the computers will help the department modernize its technology systems. Furthermore, the actual systems in question, surprisingly, are assembled not in China but in Raleigh, North Carolina, and Monterrey, Mexico, with chipsets produced in Taiwan. As Gartner's Gammage stated, the PC is indeed a global device. But the scrutiny of the deal may nevertheless gain momentum, encouraged by the result of the Dubai complaints: the company agreed to relinquish the port operations in question. According to an interview with the British Broadcasting Corp, Lenovo believes that "an open investigation or probe may negatively affect the way the company deals with future government contracts or bids". Lenovo isn't owned by the Chinese government, at least not fully. It's a publicly traded company derived from Legend Holdings, which was started with Chinese government backing in 1984. The government-controlled Chinese Academy of Sciences holds 65% of Legend and 27% of Lenovo. IBM has a 19% stake in Lenovo as well. While China would love to have a multinational PC maker with global brand recognition like Dell or Apple, the security flap has raised the company's profile in a way that it didn't want. Lenovo says its business in the United States completely complies with the requirements for suppliers set by the US government department responsible for government procurement. "We would rather not have to go through these issues every time we win a government contract," Jeff Carlisle, Lenovo's vice president of government relations, has said. That may be unavoidable given the current mood in the US. But trade watchers expect ultimate success. "Once everyone is assured that there's no security risk, this deal will go through," predicted Myles Matthews, president and chief executive officer of the Global Trade and Technology Center in New York. Politics were definitely behind the ports brouhaha - "It's an election year," he pointed out. Although the US has indisputably become dependent on low-cost Chinese consumer goods, and exports to China have been growing at double-digit rates in recent years, that still doesn't mean smooth sailing for Lenovo. The US advisory commission is expected to deliberate for the next few weeks and deliver its opinion to Congress, some of whose members are already grumbling. Donald Manzullo, a Republican from Illinois, sent a letter to Secretary of State Condoleezza Rice to complain about Lenovo's unfair advantage in the PC market, claiming that it's partially subsidized by the Chinese government. But Lenovo's CEO is William Amelio, an American, and most of its top managers are not Chinese. In fact, vice president of government relations Carlisle reiterated that China is a "completely passive" stakeholder in the company. How is the issue playing in cyberspace? Posts on Slashdot on the topic have run the gamut from seeing this as just the latest incident in the United States' outsourcing many crucial business and government operations to nations "that are at best neutral and more likely future enemies", to "you'll never be 100% sure the hardware isn't Trojaned", to "this is simple xenophobia, nothing more".