Friday, May 19, 2006

Complete Bloody Absurdity

From Slashdot:

"The BBC is reporting that the Chinese-made Lenovo PCs are not allowed inside secure US networks." From the article: "Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed. His comments came after Rep Frank Wolf expressed national security concerns. The company Lenovo insisted such concerns were unwarranted and said the computers posed no security risk."

So since 2004 all think pads have been manufactured by Lenovo. The Chinese company secured the marketing trights to keep using the thinkpad name etc... and for the most part very little has changed, except driver downloads are easier now. Lenovo is about 80% privately owned, and 20% owned byu the government of China.

Honestly I think this is ridiculous; also probably not true. Lenovo is the single largest supplier of laptops to the FedGov (or was as of last year). Before the transfer IBM spent years, and billions of dollars developing special hardware features just for information security; which are now specified in policy for critical infosec uses, and which no-one else has.

Supposedly this is for security reasons, in fear that the chinese will insert chips which report back to them sensitive info etc... Of course the fact that the majority of our computers are currently at least partially made in china seems to have escaped the good congressperson. Or the fact that equipment in secured installations is audtied all to hell (I've been one of the auditors on netowrkign and security gear. It's no joke).

I can't think of any laptop makers in northern virginia so it can't be bribes from the district, but he is on appropriations, so he could be getting bribes from anywhere by now...

Ive seen this as a rumor around on the net, but none of the FedGov contracting mags, nor websites, nor major reputable security websites are reporting this has been substantiated. I call bullshit.

I have no problem with the idea that U.S. Government cintract money should go to U.S. companies. I can also get behind the fact that China is the main state enemy and we should avoid supporting them whenever possible. This seems to be enither of those cases, and this whole concept of the computer being a security risk because the company is chinese owned shows ana amazing ignorance of the computing and security world.

Update:

It is PARTIALLY bullshit, and partially not. The story itself isnt very accurate, and the details are off, but the concept isn't.

Here's the press release from Frank Wolfs office



Statement of Rep. Frank Wolf (R-VA) on State Department’s Decision
to not to use Computers Produced by Chinese-owned Company
to Transmit Classified Material

“Good afternoon. Thank you for coming.

&As chairman of the appropriations subcommittee that funds the operations of the State Department, I have worked to ensure that the department has received the necessary resources to operate in the post-9/11 world, particularly when it comes to information technology systems.

“Since 2001, my subcommittee has appropriated $1.4 billion for IT upgrades and infrastructure enhancements.

“This amount does not reflect the tremendous increase in personnel and consular technology enhancements.

“On April 25, I received a letter from the U.S.-China Commission raising concerns about the purchase of 16,000 personal computers by the State Department as part of its effort to modernize its IT systems.

“I was deeply troubled to learn that the new computers were purchased from a China-based company and that at least 900 of these computers were planned to be used as part of the classified network deployed in the United States and around the world in embassies and consulates.

“This decision would have had dire consequences for our national security, potentially jeopardizing our investment in a secure IT infrastructure.

“It is no secret that the United States is a principal target of Chinese intelligence services.

“We all remember the security situation with the construction of the U.S. Embassy in Moscow in the late 1980s.

“On May 4, I wrote a letter to the Secretary of State expressing my concerns regarding the purchase of these new computers from Lenovo, the same company about which CFIUS (the Committee on Foreign Investment in the United States) had significant security concerns last year.

“I wrote similar letters to the director of the Federal Bureau of Investigation, the director of National Intelligence, and the chief of staff of the White House urging them to look into this matter.

of these letters, and the April 25 letter to me from the US-China Commission are attached to my statement.

“Yesterday, I received word from the State Department that it has now taken the appropriate steps to ensure that classified information is not compromised by the purchase of these new computers.

“. . . that it is making changes to ensure that its procurement process keeps up with the changes of ownership of IT companies.

“. . . that it has identified the machines that have already been installed and will remove them.

“. . . and that it is briefing other government agencies on what it is doing to ensure that they don't find themselves in the same situation.

“This is all welcome news.

A letter from Richard Griffin, the Assistant Secretary of State for Diplomatic Security, is also attached to my statement outlining the department's changes.

“I appreciate the U.S. China Commission's effort to bring this very important issue to my attention and to the attention of the State Department and other government agencies. I also appreciate the State Department's quick attention to this issue.

“I will now turn the program over to the Larry Wortzel, chairman of the U.S.-China Commission, and Commissioner Mike Wessel to share specifics on the recent purchase of the personal computers.”"



Oh and if anyone is thinking about the Iraq Printer Virus, Snopes i your friend. Yes we palyed some interesting and fun dirty tricks over the years, but that wasn't one of them.