Despite increasing international disapproenation of Chinese IT products, Defence continues to use about 2,500 computers supplied by Lenovo that are partly owned by the Chinese state.
Western states should balk at buying equipment from Chinese manufacturers if they want to protect their data security. That’s the message from several prominent Nato partner countries, led by Britain and the US, whose intelligence and defence forces are increasingly actively opting out of Chinese suppliers such as Huawei, DJI and Lenovo.
You don’t get the same care at home. Products from both DJI and Lenovo are thus still used by the Danish armed forces, and the latter in particular takes up a great deal of space in the inventory lists in the Danish Defence and Defence. In fact, at the time of writing there are approximately 2,500 Lenovo PCs in the group’s area, says Press Manager Svend Olaf Vestergaard from the Ministry of Defence’s Material and Procurement Agency in an email to OLFI. The agency is not terribly concerned that our partner countries have serious concerns about the Chinese IT manufacturer.
‘Due to the network design and the specific use of the machines, there is no immediate risk associated with the use. We are aware of the debate on, among other things, the issue of the european union. Lenovo products and, of course, follow developments closely. There are ongoing assessments of the ability of products, services and suppliers to support the specific needs and conditions of the Danish Armed Forces,” writes Svend Olaf Vestergaard, explaining that the agency has no current plans for new acquisitions from Lenovo.
Increases the risk of espionage and cyber attacks
Abroad, however, the low level of confidence in state-owned Chinese companies has been reflected in a somewhat more consistent procurement policy. Lenovo is currently placed in the same category as a number of other Chinese suppliers that have long been blacklisted for fear of so-called back doors – a term for electronic cat-to-dog litters that enable espionage and hacker attacks. That is why it also caused political furore in the United States when it emerged last year that the US defence had nevertheless made dubious purchases from Lenovo and a number of other suppliers who have in common that they are considered to pose a potential threat to US interests.
The defence of Denmark has also not been completely spared from controversy. Camera manufacturer Hikvision was recently the subject of debate when it emerged recently that surveillance equipment was being purchased that is demonstrably used to monitor the Chinese population and the persecuted Uighursethnic minority. In this context, Defence Minister Trine Bramsen (Social Democrat) was clear:
“Of course, The Danish Armed Forces should not trade with suppliers who violate human rights,” she wrote in an email to Jyllands-Posten, which was the first with the story.
However, while the Danish Defence Minister emphasizes the moral imperative of doing business with Chinese companies, it is still particularly important that data security and the risk of state espionage have spurred British and US intelligence agencies to ban acquisitions from Chinese manufacturers.
This is especially true of DJI, which the US military already placed on its “blacklist” in 2017. Again, Denmark turned out to be less concerned than our alliance partner, and in 2019 it emerged in Berlingske that the Danish defense bought in from the Chinese drone manufacturer. Military analyst Hans Peter Michaelsen told Berlingske:
‘If you buy this technology for national security purposes, you’re taking a big risk. Because unlike military-developed drones, the data with these drones isn’t the same.’
Even then, the Defense Department’s own explanation was that the drones were used solely for operational purposes. It was therefore considered that there was no safety risk associated with the purchases and use of the Chinese drones.
Foreign intelligence services ban Lenovo
As for Lenovo, the explanation is about the same. However, if you believe our partners abroad, Lenovo is not much better than the aforementioned camera and drone manufacturers. Therefore, despite the assurances given by the Materiel Service about network constructions and low risk, it should be reconsidered whether Lenovo should continue to have a place in the offices of the Ministry of Defence and the offices.
That’s according to telecommunications analyst John Strand, who runs the consulting firm Strand Consult and including the site ChinaTechThreat. For many years he has followed developments in the telecommunications and IT markets and the apparently somewhat carefree Danish approach to the purchase of IT and equipment. Like the AMERICAN and British intelligence agencies, John Strand believes that Lenovo belongs in the same dubious category as the other state-owned Chinese companies.
‘There’s been a whole host of cases around the world involving Lenovo. There are a large number of authorities that have been warning against the use of Lenovo for many years, and there are many authorities that prohibit their employees from using Lenovo PCs and servers. These include parts of the Defence Department and the Department of State in the US (Us State Department, ed.), but so is the intelligence service MI6 in the UK and many other authorities around the world.’
John Strand draws parallels to the long-running societal debate over whether telecom giant Huawei should be allowed to deliver 5G technology.
‘Over the last few years, there has been a lot of focus in the media on the use of Chinese equipment in telecommunications networks, considering that telecommunications networks are part of the vital infrastructure of our society. Therefore, of course, we should not allow our own infrastructure to be built on the basis of Chinese infrastructure, in the same way that we do not use Chinese fighter jets in the Air Force or Russian submarines in the Navy,” Mr Strand said.
Not related to Trump’s trade war
The Lenovo issue is in many ways analogous to the wide-ranging Huawei debate, according to John Strand, who points out that it is the same Chinese state interests that are at stake in both cases. Therefore, Defence should also exercise greater vigilance towards Lenovo.
“From the start, Lenovo was owned 55 per cent by the Chinese government – now it’s only 29 per cent – and is essentially part of the Chinese system,” he said.
John Strand goes on to explain that us opposition to Lenovo has nothing to do with Trump’s trade war with China. The opt-out against Lenovo goes back more than a decade, far ahead of Trump’s economic sabre-rattling. It is only security concerns, not big politics and economic protectionism, that have led the United States to become tethered. Denmark should take note of this, he argues.
‘When I see the extensive material that exists from authorities around the world and has been made in the last 10 years, I have to say that it doesn’t look very good. So these are serious statements,” said John Strand, who notes, however, that the Department of Defense’s Equipment and Procurement Agency is following the ongoing debate about Lenovo.
‘It’s very reassuring that the Defense Department is aware of these things and that there’s a problem with Lenovo. Based on the answers you have received, we have to note that the Defense Recognizes that there is a challenge. It is a little strange that you then use them, but it may be that you have not had the knowledge you have today, and it does not appear that the Armed Forces intend to buy this equipment in the future,” notes John Strand, who nevertheless stresses that in his optics one should start a replacement process and buy equipment without threads for the Chinese dictatorship.
The authorities carry out their own risk assessment
Recently, the Danish Defence Intelligence Service’s annual assessment of the cyber threat to Denmark read that the threat to Denmark is considered to be very high and that the risk of cyber-attacks from, among others, China is an essential part of this threat. That’s why OLFI contacted the Defense Intelligence Agency’s Cybersecurity Center Cybersikkerhed (CFCS) to find out how the many Lenovo PCs match a recognized threat from their country of origin. In the written reply to OLFI, the CFCS does not specifically relate to Lenovo, but states:
‘The CFCS does not approve the purchase of general IT equipment in the Armed Forces. Såfremt However, in the case of classified IT systems, the IT system shall be security approved by the CFCS, which shall carry out a concrete assessment of the IT system to ensure that the IT system meets applicable security requirements before putting into service. In this context, an IT manufacturer may have to meet a number of requirements in order to be approved as a supplier, and there may be a number of security requirements that IT products must comply with.’
However, it is the Ministry of Defence’s Equipment and Procurement Agency itself that ultimately decides from where to buy IT equipment:
‘On the basis of, inter alia, the following: The CFCS threat assessment will have to carry out its own risk assessment by each authority as part of its workon cybersecurity , including in relation to supplier selection and the procurement ofIT products. The CFCS may not prohibit, on the basis of current legislation, a public authority from purchasing or using equipment from a specific supplier.’