IBM, Lenovo Tackle Security Worries About Server Deal


By Spencer E. Ante

International Business Machines Corp. and Lenovo Group Ltd. are grappling with ways to resolve U.S. security concerns over IBM's proposed $2.3 billion sale of its computer-servers business to the Chinese company.

The deal, struck in January, remains in limbo as the U.S. government investigates security issues around IBM's x86 servers, which are used in the nation's communications networks and in data centers that support the Pentagon's computer networks, say people familiar with the matter.

U.S. security officials and members of the Committee on Foreign Investment in the U.S.--a panel that screens deals with possible national-security implications--are worried that the servers could be accessed remotely by Chinese spies or hackers or compromised through maintenance, said people familiar with the matter.

Lenovo faced similar pushback when it bought IBM's personal-computer business in 2005. The company describes itself in marketing materials as a trusted global supplier, but certain sensitive arms of the U.S. government have shied away from using its technology.

CFIUS ultimately approved Lenovo's PC deal, but the U.S. military later alerted Defense Department officials to security incidents involving the PCs, and the State Department banned their use on its classified networks in the U.S. and abroad, according to current and former officials.

Government officials also are somewhat uneasy about the potential sale of part of the x86 portfolio that ties clusters of servers together to make them act like a more powerful machine, these people said.

Lenovo and IBM say that x86 servers are a low-end technology made by other U.S. companies, and that the majority of the servers, including IBM's, are made in China and contain Chinese components. Lenovo also has said that its products are reliable and secure, and that its only objectives are commercial ones.

To buy more time, IBM and Lenovo last month refiled their application for approval of the deal. Bloomberg News reported the move earlier.

The companies are mainly trying to address CFIUS concerns about server maintenance, the people said. They have said IBM will continue to provide maintenance on Lenovo's behalf "for an extended period" after the sale.

CFIUS, however, is worried that if IBM's service contract for the servers lapses, the maintenance might fall to Lenovo, which they fear could leave the machines more vulnerable to being compromised by Chinese agents. Maintenance could range from remotely updating software to the physical upkeep of the hardware by a technician.

Lenovo is proposing that maintenance be handled like it was for the 2005 PC deal, one of the people said. IBM agreed to maintain the PCs for five years after the deal, and has had its contract renewed several times since.

A Lenovo spokesman said the deal remains on track to close by year-end. An IBM spokesman said both companies support the review process and look forward to a positive outcome.

One potential outcome is that the U.S. government could stop buying IBM x86 servers, said one of the people familiar with the matter.

Chris Padilla, IBM's vice president for governmental programs, said in January that the government accounts for a relatively small part of IBM's$4.7 billion x86 business. He didn't say which agencies use the machines.

A CFIUS spokeswoman said the Treasury Department, which oversees the panel, doesn't comment on specific CFIUS cases.

The proposed acquisition would be the largest by a Chinese company in the U.S. tech sector, according to Dealogic, and comes amid rising tensions between Beijing and Washington. In recent years, the U.S. has criticized China for its alleged involvement in computer attacks against U.S. companies and the federal government. China, meanwhile, has expressed concerns over revelations in documents leaked by former National Security Agency contractor Edward Snowden that a U.S. computer spying operation had hacked Chinese computers.

After IBM sold its PC business to Lenovo in 2005, the U.S. Air Force received a shipment of Lenovo laptops but promptly returned them, said a former senior military cyber official with direct knowledge of the incident. During a test, officials discovered that the machines were connecting to China, the official said. The purpose of the connection was unclear, but it concerned officials because it was unauthorized, the former official said.

"It was the last time I ever saw a Lenovo laptop," the official said.

Linton Wells, the Pentagon's chief information officer at the time of the PC deal, said there were concerns at the Pentagon about continuing to buy PCs from Lenovo. "The answer was we would shift to Hewlett-Packard or some other U.S. supplier," he said.

Lenovo has said the U.S. government has approved it to bid on certain government contracts, and some technology resellers have reported winning small contracts to sell Lenovo computers to the military, though it is unclear if the government used the machines.

In April 2006, more than a year after CFIUS approved the PC deal, two members of the U.S.-China Commission wrote Rep. Frank Wolf urging the Virginia Republican to look into reports that the State Department was planning to use Lenovo computers on classified computer networks. The commission was created by Congress to investigate the national-security implications of commercial relations between the two countries.

The letter said CFIUS had raised concerns about Lenovo's affiliation with a Chinese state entity. The Chinese Academy of Sciences owns 36% of Legend Holdings Corp., which owns 32% of Lenovo.

Lenovo has said a majority of its shares are held by institutional and retail investors.

A few weeks after the letter, Rep. Wolf released a statement saying the State Department wouldn't use Lenovo computers on its classified systems.

A State Department spokesman said the department couldn't comment on its classified-equipment vendors, but said it tries to minimize any security vulnerabilities.

Lenovo has since passed two other CFIUS reviews, so it and IBM expected approval for the server deal would be a relatively smooth process. "We are pretty confident for a positive outcome," IBM's Mr. Padilla said in a January interview.

But when the U.S. began an investigation of the deal, it realized the servers were used more extensively in sensitive areas than it thought, said one of the people familiar with the matter.

IBM x86 servers are widely used by the U.S. Air Force and in large data centers run by the Defense Information Systems Agency, which provides the computing and communications networks that support the military, said the former senior military cyber official.

The servers also are embedded in the communications networks of U.S. phone carriers such as AT&T Inc. and Verizon Communications Inc., said people familiar with the matter.

Spokesmen for AT&T, Verizon and the Pentagon declined to comment.

Dana Mattioli and Will Mauldin contributed to this article.

Write to Spencer E. Ante at spencer.ante@wsj.com

Subscribe to WSJ: http://online.wsj.com?mod=djnwires


  (END) Dow Jones Newswires
  06-25-141816ET
  Copyright (c) 2014 Dow Jones & Company, Inc.