As China Tech Crackdown Continues, Don’t Overlook The Danger Of Lenovo
The Chinese government got a lump of coal for Christmas, as the U.S. Department of Commerce placed twenty-five Chinese companies and other organizations on the Entity List – essentially prohibiting them from using strategic American technologies. 2022 marked important developments toward the goal of protecting Americans from Chinese tech threats. In addition to the takedown of Chinese chipmaker YMTC in the latest export controls, TikTok is under greater scrutiny as a Trojan Horse. But there is one Chinese entity which has largely escaped policymakers’ notice, despite its presence in many American IT systems and its connection to one of the Chinese organizations which just landed on the Entity List. That company is Lenovo.
Many are familiar with the name Lenovo from the ubiquity of the company’s laptops – especially popular with many American businesses. Lenovo is the brainchild of the Chinese Academy of Sciences (CAS) – the Chinese-government’s crown jewel institution of scientific research. Since its founding at CAS in 1984, Lenovo has grown to be the world’s market leader in personal computer sales, and today controls roughly 15{38557cf0372cd7f85c91e7e33cff125558f1277b36a8edbab0100de866181896} of the PC market in the United States. The company’s purchase of IBM’s laptop business in 2005 gave it brand recognition and global revenue. Its purchase of Google and Motorola assets in 2015 further accelerated its rise. These acquisitions are unthinkable today as the reformed Committee on Foreign Investment in the US (CFIUS) now screens such deals for personal data risk.
Indeed some 900 US municipalities and states use Lenovo products today, potentially endangering the sensitive personal and enterprise data of millions of Americans and enterprises. While some US states have enacted rules on such equipment, Lenovo slips through the porous loopholes of federal security regulation. Lenovo’s popularity belies its danger as a data mining dream machine for the Chinese government. General James “Spider” Marks (Ret.) writes,
“Lenovo has unmitigated access to millions of Americans’ personal information. This should raise red flags, given the company’s history of security and privacy abuses. Lenovo’s Watch X sent user locations to a server in China without their knowledge; its Superfish adware installed in hundreds of thousands of computers allowed third-parties to spy on browser traffic, resulting in a settlement with the Federal Trade Commission; security researchers found that its Adups mobile data mining software o could collect personal data without consent. There are other examples that should give potential buyers pause, not just for the chance that sensitive information falls into the hands of third parties, but that the Chinese government obtains and exploits it.”
The U.S. military has long known Lenovo’s danger. In 2008, the U.S. Marine Corps in Iraq got rid of these machine after they were discovered transmitting data to China. In 2015, the U.S. Air Force, fearing China could access data on U.S. ballistic missile technology, immediately replaced $378 million worth of IBM servers purchased by Lenovo. And a 2019 DOD IG report found that Lenovo products – characterized as “known security risks” – were all over the Pentagon. Sadly, as of 2020 the U.S. government, including DOD, continued to purchase mass quantities of Lenovo laptops.
The Entity List update highlights the dangerous connection – Lenovo is an outgrowth of a Chinese organization now on the Entity List – the Chinese Academy of Sciences’ Institute of Computing Technology which seeded Lenovo. CAS is not a normal research institute producing knowledge for civilian application. According to the congressional U.S.-China Economic and Security Review Commission, CAS has “connections to Chinese military, nuclear, and cyberespionage programs.” It owns whole companies building technology for the Chinese military, as if the Pentagon and MIT teamed up.
The Commerce Department included CAS’ computing division on the Entity List for “a variety of activities related to acquiring and attempting to acquire U.S.- origin items in support of the PRC’s military modernization.” It raises the question: Why should a known security threat like Lenovo, in which CAS has a significant ownership stake via a subsidiary company, be allowed to operate freely inside the U.S.?
With bipartisan Congressional momentum to confront Chinese tech threats, the Commerce Department should close the loop on CAS and its military-aligned daughter companies. US policy which restricts some Chinese government-owned IT firms but not others is needlessly complex, invites exploitation, and endangers Americans. Lenovo is a textbook example of China’s techno-nationalist strategy to leverage its global companies for military gain. This is what YMTC had hoped to do, and what chipmaker CXMT still aspires to. Lenovo is deeply entrenched in American systems, but doesn’t mean it should get a pass. Adding CAS to the Entity List is long overdue, and Lenovo should be next in line.