If U.S. intelligence agencies ban the computers of a Chinese company from classified networks should companies also avoid the same products? What if the vendor is one of the world's largest PC makers?
Those questions are not academic. Intelligence and defense agencies in the U.S. and several other Western countries have banned computers from China-based Lenovo from networks deemed "secret" or "top secret," says a recent report by The Australian Financial Review.
The ban has existed since the mid-2000s, when extensive testing found backdoor hardware and firmware in Lenovo chips that could be exploited by hackers and cyberspies, the report said. Countries banning the company's products include the U.S., Britain, Canada, New Zealand and Australia.
Lenovo did not respond to a request for comment. However, the company told The AustralianÃ'Â Financial Review that it was unaware of the ban and that its enterprise and government customers have found its products to be "reliable and secure."
The report is a reminder of the threats that exist within an organization's supply chain, which can span many countries, experts said Friday.
"The real issue is about the trustworthiness and integrity of hardware and software around the globe," said Jacob Olcott, a principal consultant on cybersecurity at Good Harbor Consulting.
Indeed, the China-based networking company Huawei, which has also had to defend the security of its gear, has pointed out that any IT vendor's hardware could contain hidden backdoors. That's because vendors buy chips and integrated circuits from manufacturers around the world.
"Huawei's right," said Murray Jennex, an assistant professor of information security at San Diego State University. "Many other [IT] companies are just as susceptible and other countries are probably doing the same thing -- inserting backdoors."
Chinese manufacturers in general are often cited as a security risk because U.S. government officials have identified their homeland as a major source of cyberespionage. Nevertheless, organizations need to take a broader view of the problem.
Peter Ludlow, a professor at Northwestern University and an expert in cybersurveillance, said China is but one concern. "Focusing [only] on China is shortsighted and xenophobic," he said.
Unfortunately, companies cannot guarantee their hardware is secure simply by running it through a battery of tests. Kevin Coleman, a senior fellow at the Technolytics Institute, recalls when a company asked him how they could be sure that each of the 812 computers they just bought was free of threats.
"I said you'd have to check every single computer down to the chip level and the BIOS level," Coleman said. "It would be a horrendous task and then you're not going to guarantee [security] 100%."
Instead, companies should reduce the risk by measuring the cost of security against the data being protected. For storing and processing non-sensitive data, a company has more flexibility to shop for computers on price and features. For business-critical information, companies should favor U.S.-based vendors, experts say.
In all cases, vendors should vouch for the security of their products in writing, he said.
Businesses also need to practice what experts call "security in depth." Besides following best practices in purchasing hardware, companies should have technology in place to monitor networks for traffic that would indicate sensitive data is leaving an organization without authorization.
"No single point of security; no single point of failure," Coleman said.
However, no matter how many layers of security a company has a breach is always possible. "Never say never," said Danial Faizullabhoy, vice president of business development for Norwich University Applied Research Institutes.
Therefore, a company should always have policies and procedures that spell out how it should react when a breach occurs, Faizullabhoy said.
Read more about data privacy in CSOonline's Data Privacy section.