Is Lenovo a blind spot in US anti-China security measures?

Questions raised as one of the world's largest PC makers joins America's critical defense team

Opinion Lenovo's participation in a cybersecurity initiative has reopened old questions over the company's China origins, especially in light of the growing mistrust between Washington and Beijing over technology.

Last week, Lenovo announced to the world that it is now involved in the Joint Cyber Defense Collaborative (JCDC) initiative, which was established by the US Cybersecurity and Infrastructure Security Agency (CISA) to enlist private sector help in addressing threats to US critical infrastructure.

On the face of it, there is nothing unusual in that. Lenovo is the biggest PC supplier in the world, with figures from market researchers putting its market share at almost a quarter of global sales.

Yet Lenovo is also a company of Chinese origin, founded 40 years ago as Legend, and is now dual-headquartered in Beijing and Raleigh, North Carolina. It is publicly-listed on the Hong Kong Stock Exchange. It gained greater market access partly thanks to its acquisition of IBM's PC division with its iconic Thinkpad laptops in 2005, then picked up Big Blue's x86 server business nearly a decade later in 2014.

The US government has taken an increasingly hostile stand towards Chinese companies for several years now, with Huawei perhaps the most visible example, although TikTok's owner ByteDance is being forced to sell its US operation to a government-approved buyer or face a ban, and various other Chinese companies have been sanctioned.

And the reasons behind all this are security fears, and no doubt more than a pinch of protectionism. An article published by the Heritage Foundation claimed that nation-state hackers present the biggest threat to the US, and that "Russia presents the most sophisticated cyber threat, with China as a close second."

As The Register has pointed out before, Article 7 of China's National Intelligence Law requires its citizens and organizations to function as covert operatives of the state if ordered to do so. So why is Lenovo not seen as a threat, and even invited to help defend US infrastructure?

We asked CISA itself, but the agency declined to answer other than by referring us to the FAQ on its website regarding the JCDC initiative.

Some commentators have previously made the point that Lenovo has a different management style and structure to many other Chinese companies. It went public on the Hong Kong Stock Exchange in 1994, for example, which it is claimed opened up Lenovo to global investors and scrutiny and nurtured "a transparent and accountable corporate culture."

A spokesperson for the company told The Register: "Lenovo is a publicly listed company governed and managed like other global corporations."

However, in October last year, the then Chairman of the House Select Committee on the Chinese Communist Party, Republican Mike Gallagher, wrote to the CEO of the US Navy Exchange (a retail store operated by the Navy) requesting the removal of Lenovo products from its discounted marketplace for service members.

Gallagher claimed that "Lenovo is a Chinese technology company with extensive ties to the People's Liberation Army and the CCP's state-directed espionage campaigns," further claiming that Lenovo's largest shareholder is the Chinese government.

The politician's letter and research were seemingly based on a report by China Tech Threat (CTT)

In January, Lenovo issued a statement in response to a Bloomberg article which found CTT to be an advocacy group funded by Dell Technologies and Micron. At the time, Lenovo said: "any suggestion that Lenovo is controlled by the Chinese government, or that our ties to China compromise our cybersecurity, is false."

Huawei has likewise denied being controlled by the Beijing government, yet that has cut no ice with the Washington security hawks.

Steve Brazier, Co-founder of Canapii and an Informa Fellow, bemoaned that geopolitical concerns are increasingly exerting a detrimental influence on the global economy.

"The truth around the nationality of a company is a complex one.  Lenovo, for example, is headquartered in Hong Kong, not China.  It probably has the most diverse (in terms of nationalities) leadership teams of any tech company, with executives from US,  Hong Kong, China, Italy and Taiwan to name a few," he told us.

Perhaps that partly explains it. Lenovo kept on much of the US staff when it acquired IBM's operations, and that might be where the trust comes into it based on existing long-standing relationships.

Brazier said Lenovo is publicly quoted in both Hong Kong and the US, where the public can buy a stake and have access to its financial performance.

"It has manufacturing plants across the world, including in Mexico and Eastern Europe, and makes a lower proportion of its products in China than Dell, HP or Apple, all of whom are now trying to increase the national diversity of their supply chains too," he said.

Brazier indicated he does not know the selection criteria used by CISA to vet JCDC participants, but said it is likely they looked at a range of the aformentioned factors, as well as the track record of the applicants in terms of compliance.

For its part, Lenovo sidestepped our question and instead pointed to itself being one of the first companies to sign up to the voluntary "Secure by Design" pledge announced by CISA in May. The pledge asks leading technology companies such as Lenovo to make "demonstratable and measurable progress" to make their products more secure.

(At that launch, CISA director Jen Easterly noted the threats to US critical infrastructure from Chinese government-backed cyber gangs.)

So there you have it. Lenovo is apparently trusted, while other Chinese companies are not, but nobody in a position to know why seems to want to talk about it. ®

More about

More about

More about

TIP US OFF

Send us news


Other stories you might like