By Spencer E. Ante
International Business Machines Corp. and Lenovo Group Ltd. are
grappling with ways to resolve U.S. security concerns over IBM's
proposed $2.3 billion sale of its computer-servers business to the
Chinese company.
The deal, struck in January, remains in limbo as the U.S.
government investigates security issues around IBM's x86 servers,
which are used in the nation's communications networks and in data
centers that support the Pentagon's computer networks, say people
familiar with the matter.
U.S. security officials and members of the Committee on Foreign
Investment in the U.S.--a panel that screens deals with possible
national-security implications--are worried that the servers could
be accessed remotely by Chinese spies or hackers or compromised
through maintenance, said people familiar with the matter.
Lenovo faced similar pushback when it bought IBM's
personal-computer business in 2005. The company describes itself in
marketing materials as a trusted global supplier, but certain
sensitive arms of the U.S. government have shied away from using
its technology.
CFIUS ultimately approved Lenovo's PC deal, but the U.S.
military later alerted Defense Department officials to security
incidents involving the PCs, and the State Department banned their
use on its classified networks in the U.S. and abroad, according to
current and former officials.
Government officials also are somewhat uneasy about the
potential sale of part of the x86 portfolio that ties clusters of
servers together to make them act like a more powerful machine,
these people said.
Lenovo and IBM say that x86 servers are a low-end technology
made by other U.S. companies, and that the majority of the servers,
including IBM's, are made in China and contain Chinese components.
Lenovo also has said that its products are reliable and secure, and
that its only objectives are commercial ones.
To buy more time, IBM and Lenovo last month refiled their
application for approval of the deal. Bloomberg News reported the
move earlier.
The companies are mainly trying to address CFIUS concerns about
server maintenance, the people said. They have said IBM will
continue to provide maintenance on Lenovo's behalf "for an extended
period" after the sale.
CFIUS, however, is worried that if IBM's service contract for
the servers lapses, the maintenance might fall to Lenovo, which
the panel fears could leave the machines more vulnerable to being
compromised by Chinese agents. Maintenance could range from
remotely updating software to the physical upkeep of the hardware
by a technician.
Lenovo is proposing that maintenance be handled like it was for
the 2005 PC deal, one of the people said. IBM agreed to maintain
the PCs for five years after the deal, and has had its contract
renewed several times since.
A Lenovo spokesman said the deal remains on track to close by
year-end. An IBM spokesman said both companies support the review
process and look forward to a positive outcome.
One potential outcome is that the U.S. government could stop
buying IBM x86 servers, said one of the people familiar with the
matter.
Chris Padilla, IBM's vice president for governmental programs,
said in January that the government accounts for a relatively small
part of IBM's $4.7 billion x86 business. He didn't say which
agencies use the machines.
A CFIUS spokeswoman said the Treasury Department, which oversees
the panel, doesn't comment on specific CFIUS cases.
The proposed acquisition would be the largest by a Chinese
company in the U.S. tech sector, according to Dealogic, and comes
amid rising tensions between Beijing and Washington. In recent
years, the U.S. has criticized China for its alleged involvement in
computer attacks against U.S. companies and the federal government.
China, meanwhile, has expressed concerns over revelations in
documents leaked by former National Security Agency contractor
Edward Snowden that a U.S. computer spying operation had hacked
Chinese computers.
After IBM sold its PC business to Lenovo in 2005, the U.S. Air
Force received a shipment of Lenovo laptops but promptly returned
them, said a former senior military cyber official with direct
knowledge of the incident. During a test, officials discovered that
the machines were connecting to China, the official said. The
purpose of the connection was unclear, but it concerned officials
because it was unauthorized, the former official said.
"It was the last time I ever saw a Lenovo laptop," the official
said.
Linton Wells, the Pentagon's chief information officer at the
time of the PC deal, said there were concerns at the Pentagon about
continuing to buy PCs from Lenovo. "The answer was we would shift
to Hewlett-Packard or some other U.S. supplier," he said.
Lenovo has said the U.S. government has approved it to bid on
certain government contracts, and some technology resellers have
reported winning small contracts to sell Lenovo computers to the
military, though it is unclear if the government used the
machines.
In April 2006, more than a year after CFIUS approved the PC
deal, two members of the U.S.-China Commission wrote Rep. Frank
Wolf urging the Virginia Republican to look into reports that the
State Department was planning to use Lenovo computers on classified
computer networks. The commission was created by Congress to
investigate the national-security implications of commercial
relations between the two countries.
The letter said CFIUS had raised concerns about Lenovo's
affiliation with a Chinese state entity. The Chinese Academy of
Sciences owns 36% of Legend Holdings Corp., which owns 32% of
Lenovo.
Lenovo has said a majority of its shares are held by
institutional and retail investors.
A few weeks after the letter, Rep. Wolf released a statement
saying the State Department wouldn't use Lenovo computers on its
classified systems.
A State Department spokesman said the department couldn't
comment on its classified-equipment vendors, but said it tries to
minimize any security vulnerabilities.
Lenovo has since passed two other CFIUS reviews, so it and IBM
expected approval for the server deal would be a relatively smooth
process. "We are pretty confident for a positive outcome," IBM's
Mr. Padilla said in a January interview.
But when the U.S. began an investigation of the deal, it
realized the servers were used more extensively in sensitive areas
than it thought, said one of the people familiar with the
matter.
IBM x86 servers are widely used by the U.S. Air Force and in
large data centers run by the Defense Information Systems Agency,
which provides the computing and communications networks that
support the military, said the former senior military cyber
official.
The servers also are embedded in the communications networks of
U.S. phone carriers such as AT&T Inc. and Verizon
Communications Inc., said people familiar with the matter.
Spokesmen for AT&T, Verizon and the Pentagon declined to
comment.
Dana Mattioli and Will Mauldin contributed to this article.
Write to Spencer E. Ante at spencer.ante@wsj.com