There are times when I wonder if U.S. government officials are living in the same decade I'm living in. Case in point: A recent New York Times story reports that government officials are "freaking out" that Lenovo might consider buying Seagate.
The concern is that Seagate has begun selling drives with hardware encryption capability, and that an acquisition by Lenovo would make this U.S.-developed technology available to Lenovo, which is based in China. But the encryption technology is part of the work that came out of the Trusted Computing Group, where Lenovo is not only a member, but also on the board. Does the U.S. government really believe Lenovo doesn't have access to it already?
Let's take a moment and chat about how the world has changed over the last 30 years, if only to prove that closing this particular barn door is a few years too late.
The Cold War Is Over
As a species, the threats we face are coming less from legitimate governments and more from criminals, including terrorists and organized crime. These are the folks that steal our identities, release viruses, and threaten citizens. Right now, China appears to be a better buddy to the U.S. than some western countries, and every U.S.-based multinational company I know is busting its hump to get into China and take advantage of the fastest growing market on the planet.
This is not consistent with the "China is a threat" scenario. The western world is clearly a greater threat to China's way of life than China is to the west. Anyone that has been to China over the last decade has seen massive changes that are effectively turning the country into a centerpiece of capitalism. But China doesn't seem to be changing the west at all.
You would think, given our growing business relationships, that we would be more interested in getting China to help us catch criminals and less interested in driving a nationalistic trend (given our trade deficit) that would further hurt our own economic strengths.
The Open Source Train Has Left the Station
We now largely operate in an open source world, something the U.S. government has actually been advocating. This concept of widespread sharing of information now permeates the software market. If the government believes there is some kind of magic cone of silence that keeps people from talking about encryption, I'd love to see the evidence to support it.
Much of the advanced hardware and software manufacturing and design work is already being done in Asia, and China's manufacturing capability is being used by virtually all of the major vendors. Is it likely that China hasn't already seen and studied the Seagate drives? There probably already are people in China who know as much or more about this technology as those of us in the west.
The Trusted Computing Group (TCG) was established as a geography- and vendor-independent group focused on the broad security problems related to protecting data. This is the organization that helped drive the encryption effort, and Lenovo is actually ranked higher in the group than Seagate is today.
There's nothing I know of that would prevent the two companies from working together under the TCG, and Lenovo would likely be one of the biggest potential customers for the resulting drives, which would go into systems sold worldwide.
The underlying point is that good encryption benefits are involved, and there are vastly easier and safer ways to get access to encrypted data than somehow compromising the encryption.
The Irony of Lenovo
The irony of all of this keep-security-technology-away-from-China discussion is that Lenovo has always been a leader in PC security. As an early backer of TPM and with a unique security stack built into its ThinkVantage Technologies platform, Lenovo is already more aggressive with encryption than virtually any other PC vendor. In terms of actual implementation of encryption technology, Lenovo is likely ahead of most other vendors, except maybe the makers of fully-hardened PCs.
This makes the entire Seagate-Lenovo flap (and it's really only a rumor at this point) seem a pointless political exercise that only distracts us from making progress in catching the real criminals currently attacking our citizens.
Easy Access to Encrypted Data
There was a time you needed to gain physical access to hardware to get access to the data. In today's networked world, it is vastly easier to remotely take control of the hardware through a platform defect, by phishing a password or ID, or by tricking the user into installing a piece of software.
Think about it. Breaching the encryption of a repository, even if you have the keys, still requires you to go through system passwords or gain physical access to the hardware. Why take that risk if you can profit much more easily through phishing or malware?
If China was caught compromising a system during manufacturing, it would likely bleed a massive amount of manufacturing business. Look how serious it was in addressing the toothpaste contamination and the lead paint in toys problems. It's unlikely that China would compromise its economic growth just to gain access to a few unique hard drives.
Getting Back to Reality
Even if Lenovo does buy Seagate (and it seems far from a done deal), I think we need to refocus on the real threats, which are far more likely to come from small groups than from legitimate governments. Security should not entail picking fights with existing partners like Lenovo, which is actually busting its hump to make us more secure.
In the end, folks in government are trying to create a problem where there is none, and this takes the focus away from problems that actually exist. That's crap, and I'd personally like it to stop, so we can get some real work done.