THE KEY

The United States’ top cyber diplomat just offered an unusually blunt warning to other nations: Allowing Huawei and other Chinese companies into their next-generation telecommunications networks would allow Beijing to expand its surveillance state around much of the globe.

The argument from Rob Strayer, the State Department’s top cyber official, was the most elaborate public case a U.S. official has made against Huawei’s inclusion in 5G networks. It follows a months-long pressure campaign by U.S. officials to ban the Chinese telecom giant from 5G in Canada, Britain, Europe and elsewhere.

“A country that uses data in the way China has — to surveil its citizens, to set up credit scores and to imprison more than 1 million people for their ethnic and religious background — should give us pause about the way that country might use data in the future,” Strayer said Wednesday at the Center for Strategic and International Studies think tank. “It would be naive to think that country, [given] the influence it has over its companies, would act in ways that would treat our citizens better than it treats its own citizens.”

The Trump administration is considering an executive order that would effectively allow it to ban Huawei and other Chinese companies from U.S. telecom systems, but even that wouldn't fully protect U.S. information because data moves so easily across national borders. Even sensitive U.S. government information would remain vulnerable if officials were communicating with allies who allowed Huawei on their 5G networks, Strayer said.

“There’s so much data flowing around the world, it’s impossible to just isolate one country’s networks and think: ‘That’s okay, I’m fine,’” he said.

The transition to 5G, which is in its earliest stages, will mark a massive development in mobile technology. It will offer far faster download speeds and the ability to run billions more devices on mobile networks, including smart devices such as autonomous vehicles and powerful artificial intelligence systems. While it will be five or more years before the system is fully operational, a lot of the contracts to create its basic building blocks will be negotiated this year.

That exponential increase in connectivity, however, will also “dramatically increase the networks’ threat vectors and attack surfaces,” Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, told me — especially if a U.S. adversary controls large portions of it.

China could leverage Huawei’s position in 5G networks to steal “trillions” of dollars of intellectual property, Strayer noted, or to implant malware on adversaries’ networks. It could even shut down parts of those networks amid geopolitical conflicts. Strayer’s concerns would apply to any Chinese company, he noted, though Huawei is, by far, the most prominent example.

The move against Huawei isn’t limited to 5G developments.  

Congress banned the company from U.S. government networks last year amid fears it would be used as a Chinese government spying tool, and the Federal Communications Commission has proposed a rule that would allow it to ban the company from smaller networks that accept federal grants, where the company has its strongest foothold.

The Justice Department also indicted Huawei’s chief financial officer and two affiliates in January, alleging a host of crimes, including stealing robotics technology from T-Mobile and violating sanctions against Iran.

But the United States’ international lobbying campaign against Huawei goes a step further, seeking to restrict China from playing a key role in an entire generation of digital development. Its success or failure could determine the fate of Internet security for years, Strayer said.

“We’re talking to partners around the world about this as they upgrade to 5G. We’re raising it at the highest diplomatic levels,” Strayer said. “The generational nature of 5G, the transformational nature of it means there will be a whole generation of lock-in.”

PINGED, PATCHED, PWNED

PINGED: The Department of Homeland Security warned that a hacking group linked to the Chinese government remains a threat to U.S. businesses even though it has kept mostly quiet following the indictment last year of two of its members, FCW's Derek B. Johnson reported. The APT10 group has been targeting managed service providers — businesses that handle IT management on behalf of other companies, including cloud providers, Rex Booth, chief of cyberthreat analysis at the Cybersecurity and Infrastructure Security Agency, said during a DHS webinar. Penetrating the systems of such service providers can allow hackers to move into the networks of the client companies.

“Their strategies have shifted from labor-intensive, one-off compromises of individual targets to the use of the force-multiplier effects that enable them to compromise multiple targets through a single attack,” Booth said, according to CyberScoop's Sean Lyngaas. “That shift in strategies increases the risk for all of us.” As FCW reported, the hacking campaign mainly targets businesses whose activities fall within Beijing's “Made in China 2025” policy that aims to make the country a leader in emerging technologies, according to U.S. officials.

PATCHED: Researchers from Recorded Future and Rapid7 provided an example of how APT10 operates when they released a report indicating that the hacking group penetrated the networks of Visma, a Norwegian software company. The researchers believe the hackers probably sought to compromise Visma in order to penetrate the company's clients rather than to steal Visma's own intellectual property.

Recorded Future and Rapid7 called APT10 “the most significant Chinese state-sponsored cyber threat to global corporations known to date.”

Espen Johansen, operations and security manager for Visma, told Reuters's Jack Stubbs that he thinks the hackers didn't successfully access the networks of the company's clients. “But if I put on my paranoia hat, this could have been catastrophic,” he said, according to Reuters. “If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it’s a given fact.”

PWNED: Some hackers and scammers are taking part in an “underground industry” that focuses on removing a user's iCloud account from their iPhone so the device can be resold, according to Motherboard's Joseph Cox and Jason Koebler. If an iCloud user's account remains on a stolen device, that allows the victim to remotely lock the phone and track it down by using the Find My iPhone feature — which is why resellers and thieves often seek to remove the iCloud account.

“In practice, ‘iCloud unlock’ as it’s often called, is a scheme that involves a complex supply chain of different scams and cybercriminals,” Motherboard reported. “These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores.” For instance, hackers may target the original owner of an iCloud account with a phishing scam to get ahold of their password and then enter it to remove the iCloud account. 

PUBLIC KEY

— Metro said it has updated security provisions in a request for proposals for the next generation of subway cars following concerns from several senators about the risk of Chinese spying, CyberScoop's Lyngaas reported. “We are confident that these approaches will impose appropriate controls that limit any malicious actor’s ability to embed malware and for WMATA to monitor and enforce security requirements,” Metro General Manager Paul J. Wiedefeld told Sens. Mark R. Warner (D-Va.), Tim Kaine (D-Va.), Ben Cardin (D-Md.) and Chris Van Hollen (D-Md.) in a letter, according to CyberScoop. The Washington Post's Robert McCartney reported last month that the senators had asked Metro to take steps to prevent the risk of spying by China should the state-owned China Railway Rolling Stock Corp. win a contract to build new rail cars.

— The technology company Cisco said in a blog post this morning that Congress ought to pass federal privacy legislation, in part to avoid inconsistent privacy protection requirements if states across the country move to pass their own laws. Moreover, the absence of such general legislation at the federal level hinders the competitiveness of companies that are based in the United States but also do business abroad, the company said.

“Cisco calls for comprehensive US federal privacy legislation anchored to core principles of security, transparency, fairness, and accountability because privacy is a fundamental human right,” Chuck Robbins, Cisco's chairman and chief executive, said in a statement. 

— More cybersecurity news from the public sector:

Prosecutors in Northern California have charged two men with using unauthorized SIM swaps to steal and extort money from victims.
KrebsOnSecurity.com

PRIVATE KEY

— Telecommunications companies sold sensitive customer location information known as “assisted GPS” data to third-party companies that in turn sold it to bounty hunters, Motherboard's Joseph Cox reported. Such assisted GPS or A-GPS data is meant for use by first responders to locate people who call 911 during emergencies. Motherboard also reported that about 250 bounty hunters and other third-party companies had access to the location data of AT&T, T-Mobile and Sprint customers.

“This scandal keeps getting worse. Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action,” Sen. Ron Wyden (D-Ore.) told Motherboard in an emailed statement. “That’s more than an oversight — that’s flagrant, willful disregard for the safety and security of Americans.” You can read Motherboard's full investigation here.

— Security researchers at Booz Allen Hamilton said in a report that state-sponsored hackers are improving their techniques to hide their identities, Nextgov's Jack Corrigan reported. As a result, the government could face more difficulties in identifying those who are behind cyberattacks. “Beyond improved deception tactics, researchers also expect foreign adversaries to double-down on information warfare over the next year, particularly as a means for economic gain,” Corrigan reported.

— More cybersecurity news from the private sector:

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps.
TechCrunch

It’s a lose-lose situation for Google’s Nest
The Verge

SECURITY FAILS

Youngster takes a bite out of Apple's keychain and isn't telling the Mac manufacturer how he did it.
Forbes

At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.
CyberScoop

As auto makers roll out ever more sophisticated features to make your daily commute easier, the upgrades are also making your new car more vulnerable to cyberattacks, according to a new report.
CNBC

THE NEW WILD WEST

A $2 billion effort by China’s Huawei to address security issues raised in a British government report last year will take between three and five years to produce results, according to a company letter to British lawmakers seen by Reuters.
Reuters