Safeguarding the digital frontier

Please tell us more about your ThinkShield platform. Do you leverage AI and ML in this?

ThnkShield is our solution stack around cybersecurity, and we break it down into three layers. First, we have the supply chain layer, where our main focus is enhancing supply chain security capabilities. We do this by leveraging our trusted supplier program, which involves rigorous validation of all our suppliers. We’ve also developed a unique capability within our supply chain layer. This allows us and end users to validate critical components within a device. Instead of simply stating that a device is trusted based on its origin, we empower our customers to independently confirm the authenticity of components, such as Intel chips or AMD chips, as well as memory and other vital parts. This adds an extra layer of confidence and security.

Moving up the ladder, we have what we call “Below OS Security,” which encompasses everything beneath the operating system layer. This includes binaries, firmware, and drivers, ensuring the platform’s security. Importantly, this security is readily available out of the box when customers purchase a Lenovo ThinkPad product. It’s seamlessly integrated into the product, making it a hassle-free experience.

On top of this, we layer in our “Above OS Portfolio,” which addresses whether we incorporate generative AI or machine learning in our security measures. The answer is yes; we’ve been doing this for approximately three years. Our portfolio utilizes generative AI to detect and counteract attacks and malicious activities, even zero-day attacks. This showcases Lenovo’s extensive experience leveraging AI technology, particularly within the ThinkShield ecosystem.

To make these capabilities accessible to our customers, we offer two approaches. First, through a consultative engagement with our teams, we work closely with organizations to understand their specific risks, risk frameworks, and mitigation strategies. This allows us to provide tailored solutions that align with their needs. Second, we’ve designed solution bundles tailored to small and medium-sized enterprises (SMEs). We understand that SMEs may have limited human and financial resources for technical deployments, so we’ve made it as straightforward as possible for them to purchase and deploy comprehensive security bundles without requiring extensive day-to-day oversight.

Do you observe hackers using AI as well?

From an attacker’s perspective, AI offers several critical advantages. Firstly, it allows attackers to gain a deep understanding of their target environment after conducting reconnaissance. They can familiarize themselves with the network’s topology and layout, enabling them to simulate potential attack vectors. For instance, attackers can use AI to ask questions like, “How could I infiltrate this environment?” Interestingly, there have been instances where even relatively basic malware packages have been developed using programming languages like Python, all driven by GAI. While these AI-generated malware packages may not currently trigger high-level security alerts, it’s important to recognize that the rapid pace of technological advancement could soon lead them to a point where they pose a significant threat.

On the flip side, there is the application of generative AI in the security domain, which aims to counter such attacks. Essentially, generative AI is reducing the technical requirements and time needed to address these threats, at least for the time being.

Could you explain the concept of “Privacy by Design”?

The concept of “Privacy by Design” aligns with our approach to “Security by Design.” As I mentioned earlier, in the “Below OS” security realm, we actively incorporate security measures into our products. For instance, my team closely collaborates with our platform product managers in the development and innovation of our products, such as the X1 Carbon. We follow the same methodology when it comes to privacy.

Both privacy and security serve as the foundational principles of our operations. They are not just added features to our devices but integral to our business practices. This commitment is evident in various aspects, including data segregation to ensure that the right individuals can access the appropriate data. From my perspective, as well as our portfolios, we focus on building capabilities that safeguard our models, for example, AI PCs, and obfuscate datasets, thereby flagging personally identifiable information.

The “by design” aspect underscores our belief that security and privacy should not be considered as an afterthought or added later in the development phase. Instead, they should be seamlessly integrated from the very beginning, during the ideation stage of a new product or platform, and carried through the entire R&D process.