THE KEY

Lawmakers don’t just want to muscle Chinese telecom giants Huawei and ZTE out of doing business with the federal government. They’re also ratcheting up pressure on private organizations to sever ties with the companies, which they say help Beijing spy on Americans.

In a sharply worded letter to Google this week, lawmakers from both parties called on chief executive Sundar Pichai to rethink a long-standing partnership with Huawei in light of repeated warnings from the U.S. intelligence community that the company could use its products as a conduit for state-sponsored espionage.

A separate letter this week from an even larger group of lawmakers called on Education Secretary Betsy DeVos to press dozens of academic institutions for information about research relationships they’ve forged with Huawei. The lawmakers warned that Huawei could use its access to the U.S. education system to collect intelligence.

The missives mark an escalation in the bipartisan effort to purge the Chinese telecom companies from doing business with the United States, showing that lawmakers are willing to reach beyond legislation to make that happen. Coming amid a chaotic fight over the Trump administration's separation of immigrant families, it’s also further evidence that GOP lawmakers are willing to buck President Trump on high-stakes issues they consider worthwhile.

Sen. Tom Cotton (R-Ark.), one of the lawmakers leading the charge, wants Google to “stop doing business with Huawei entirely,” according to a spokeswoman. And it shouldn’t end there, she told me: Other companies “should follow suit and terminate any relationships they have with Huawei and ZTE.”

In their letter to Google, Cotton and several other members of the House and Senate say they're concerned about Google’s “strategic partnership” allowing Huawei, the world’s third-largest smartphone maker, to run a version of its mobile operating system on its devices. They cite recent congressional testimony from the Trump administration’s intelligence chiefs urging Americans not to buy products from Chinese telecom companies because they could be used to eavesdrop on citizens or even disrupt mobile networks.

“We want to make sure companies are aware of what Huawei, ZTE and, by extension, the Chinese government, are capable of and aim to do in regards to harming and undermining U.S. national security and U.S. businesses,” said a spokeswoman for House Intelligence Committee member K. Michael Conaway (R-Tex.), who co-wrote the letter.

Google told Reuters in a statement that it didn’t provide special access to user data as part of the partnership with Huawei and said it was looking forward to responding to the letter. 

A bipartisan group of 26 lawmakers is raising similar concerns in their letter to DeVos. They say Huawei’s Innovation Research Program, which provides funding to more than 50 universities in the United States, could undermine U.S. leadership in innovation and technology. The letter says DeVos should investigate the partnerships and order the universities to turn over details about their relationships with Huawei.

“China is using Huawei to position themselves to steal American research,” Sen. Marco Rubio (R-Fla.), who organized the letter, told my colleague Josh Rogin. “They are using so-called ‘research partnerships’ with over 50 American universities to exploit the openness of our schools.”

Social media organizations have come under congressional scrutiny, as well. Sen. Mark R. Warner (D-Va.) is examining whether Facebook allowed Huawei and ZTE to access user data, and earlier this month asked Twitter to turn over information about any data-sharing agreements it has with Chinese telecom companies. He made the same request of Google’s parent company Alphabet.

Fears that Huawei and ZTE pose national security risks are nothing new. Congressional investigators and intelligence officials have warned for years that Chinese telecom companies essentially operate as arms of the Chinese government. They claim that their access to U.S. communications infrastructure could allow Beijing to conduct espionage against Americans and American companies, steal trade secrets, hack sensitive computer networks and even help China wage cyberwar. Huawei and ZTE deny they do the Chinese government’s bidding.

But lawmakers have rallied against the companies with growing fervor in the weeks since Trump announced he would ease crippling penalties on ZTE for violating trade sanctions against Iran and North Korea. 

Bipartisan legislation sponsored by Rubio, Warner and others would reinstate the punitive actions from the Commerce Department that threatened to put ZTE out of business and prohibit the U.S. government from purchasing or leasing telecommunications equipment from ZTE and Huawei. Just this week, the Senate passed the measure as part of the massive defense policy bill.

But administration officials are fighting to keep Trump’s deal with ZTE intact. As my colleague Karoun Demirjian reported this week, Commerce Secretary Wilbur Ross has made multiple trips to the Capitol to plead the administration’s case with congressional Republicans in attempts to convince them to drop the provision before a final defense bill is approved by Congress.

PINGED, PATCHED, PWNED

PINGED: Homeland Security Secretary Kirstjen Nielsen on Thursday said the Trump administration wants perpetrators of cyberattacks to face consequences and suggested that previous administrations responded with “complacency” to hacking incidents. “For so long we've had these attacks, it's taken us over a year to attribute in some cases, then we attribute it and nothing happens,” Nielsen said at the Capitol Hill National Security Forum. “So this is one of those areas where deterrence has to be clear. We will no longer stand by while nation-states attack the government or our private sector entities.”

Nielsen also said cyberthreats are “ubiquitous,” and “hyperconnected” societies are all the more vulnerable to cyberattacks. “We’re way past the ability to prevent all attacks or to protect against them,” she said. "It’s no longer a question of if or when, but how long and how often can you withstand an attack?” This also means that everyone with Internet access can help thwart cyberattacks, according to Nielsen. “Truly it’s that hygiene, that basic patching, basic changing your passwords,” she said. “Don’t download things. Don’t open attachments from those senders that you don’t know. Those really, truly make a big difference. That’s about 80 percent of the attacks we see still come in that way.”

PATCHED: Tesla called a former employee a saboteur. The man said he is a whistleblower instead. Here is the latest on that story from The Washington Post's Drew Harwell: “Hours after Tesla sued its former employee on charges he had stolen company secrets, and days after chief Elon Musk had called him a saboteur, the Silicon Valley automaker made a startling claim. The company had received a call from a friend of the employee, Martin Tripp, saying he would be coming to Tesla's Gigafactory battery plant in Nevada to 'shoot the place up,' according to a Tesla spokesman.” Tripp told Harwell that Tesla's claim that he was threatening to open fire at the factory is “absurd! Insane is a better word.”

The former employee said he acted as a whistleblower over safety concerns about Tesla's car batteries. “Tesla's lawsuit, filed Wednesday in a Nevada federal court, accuses Tripp of hacking the company's computer systems in order to steal confidential photos and video of Tesla's manufacturing systems and other trade secrets,” Harwell writes. “The suit also accuses him of giving false information to journalists, being 'disruptive and combative' in the workplace and attempting to rope other co-workers into his scheme.”

PWNED: The biggest voting machine vendor in the country for years has cajoled state and local election officials to be part of an “advisory board” that meets twice a year at conferences across the United States, according to a McClatchy investigation by Greg Gordon, Amy Renee Leiker, Jamie Self and Stanley Dunlap. “As many as a dozen election officials attended the March 2, 2017 Las Vegas meeting, with a number of them accepting airfare, lodging, meals and, according to one participant, a ticket to a show on the Strip from their voting systems vendor, Nebraska-based Election Systems and Software (ES&S)," Gordon, Leiker, Self and Dunlap report. “Two other panel members said their state election boards paid for their trips.”

Virginia Canter, chief ethics counsel at the Citizens for Responsibility and Ethics in Washington, told McClatchy that the relationship between the vendor and the public officials raises ethical questions. “This is a massive promotional opportunity for ES&S,” Canter said. “It’s highly inappropriate for any election official to be accepting anything of value from a primary contractor. It shocks the conscience … I think it compromises their integrity.” Gordon, Leiker, Self and Dunlap report that Kathy Rogers, senior vice president for governmental affairs at ES&S, defended the advisory board as “immensely valuable in providing customer feedback.”

— More cybersecurity news from The Post and around the Web:

Morning Mix
Scraped from LinkedIn, the profiles of ICE employees include everyone from deportation officers to interns.
Meagan Flynn
Micron, an American chip maker, says its designs were swiped to help a new Chinese plant. Washington sees a larger pattern, fueling tensions with Beijing.
The New York Times
Foxconn, the world's largest electronics contract manufacturer, on Friday said the U.S. and Chinese governments are engaged in a technology war, not a trade war, describing the spat as the biggest challenge the Taiwanese company is facing.
Reuters
PUBLIC KEY

— Former National Security Agency contractor Reality Winner has reached a deal with prosecutors and plans to plead guilty, the Associated Press's Kate Brumback reports. Winner was charged with leaking classified information to a news organization and initially pleaded not guilty. A change of plea hearing has been scheduled for Tuesday, according to the AP. “Winner is a former Air Force linguist who speaks Arabic and Farsi and had a top-secret security clearance,” Brumback writes. “She worked for the national security contractor Pluribus International at Fort Gordon in Georgia when she was charged in June 2017 with copying a classified U.S. report and mailing it to an unidentified news organization.” The charges against Winner were unveiled after the investigative news site the Intercept published a report based on a top-secret NSA document.

— The Trump administration says it wants to address a shortage of cybersecurity professionals in the federal government. The White House Office of Management and Budget said in a report issued on Thursday that “the manner in which departments and agencies recruit, hire, train, retain, and compensate cybersecurity personnel varies by agency. This uneven approach has created internal competition for talent, which in turn creates disparities and discontinuities that degrade agencies’ ability to defend networks from malicious actors and respond to cyber incidents.” The report laid out the administration's plan to overhaul the federal government.

— More cybersecurity news from the public sector:

PRIVATE KEY

— A group of engineers at Google refused to work on a security feature to help the company secure military contracts, Bloomberg News's Mark Bergen reports. “The act of rebellion ricocheted around the company, fueling a growing resistance among employees with a dim view of Google’s yen for multi-million-dollar government contracts,” Bergen writes. “The engineers became known as the 'Group of Nine' and were lionized by like-minded staff.” The engineers in Google's cloud division declined to build an air gap because they thought the tech giant should not be involved in military projects, according to Bergen. It is unclear whether the company abandoned the endeavor or simply postponed it.

Additionally, Google has faced discontent from its staff recently over its involvement in a program with the Pentagon to use artificial intelligence to analyze drone video. Facing concerns from employees, the company decided to end its participation in Project Maven when its contract expires in March next year. After this episode, Pichai, Google's chief executive, said the company will not use artificial intelligence to develop weapons or for other projects that would aim “to cause or directly facilitate injury to people.” But Pichai also said Google won't stop working with the military. “We want to be clear that while we are not developing AI for use in weapons, we will continue our work with governments and the military in many other areas,” he said in a blog post this month. “These include cybersecurity, training, military recruitment, veterans’ healthcare, and search and rescue.”

— More cybersecurity news from the private sector:

The Switch
The social network will work to identify images that have been manipulated to depict something that did not occur and those taken out of context.
Hamza Shaban
The company is offering users personalized recommendations designed to help them to improve the security of their account.
The Hill
SECURITY FAILS
Turning around the fortunes of Dixons Carphone , the British electricals and mobile phone retailer, will take years, its new boss said on Thursday, with annual profit set to tumble again in 2018-19.
Reuters
Malicious Office documents are the weapon of choice among cybercriminals, who use files to access remotely hosted malicious components.
Dark Reading
THE NEW WILD WEST

— A prosecutor in Greece brought murder charges Thursday in the case of a telecom executive who died before a wiretap scandal broke out in the country in 2005, the Associated Press reports. “A software hack was used to monitor calls of then-Prime Minister Costas Karamanlis as well as dozens of senior political and military officials,” according to the AP. “No one has been named responsible for the wiretapping following subsequent investigations.” Costas Tsalikidis's death was initially considered a suicide. Greek authorities will now seek to find who was responsible for the death as the murder charges were brought against unknown perpetrators, the AP reported.

— More cybersecurity news from around the world:

BitFlyer said it is suspending account creation for new customers after regulators told it to improve its system security and management structure.
The Wall Street Journal
ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

The unanswered questions after Trump's immigration executive order:

Late-night laughs: Melania Trump's jacket has everybody talking:

Deputy shatters car window to free trapped bear: