The U.S. thinks Huawei is a major threat to global security, but European allies aren’t convinced. These divergent attitudes, senior military leaders and lawmakers warn, could damage their alliance -- and collective security -- over the long term.
Chairman of the Joint Chiefs of Staff Joseph F. Dunford forecast a “broad, fundamental” threat to national security if the Chinese telecom was allowed to build U.S. allies’ next-generation 5G wireless networks -- which it could use as a perch to spy for the Chinese government.
“A foundational element of an alliance is the ability to share information securely and it will be much more difficult to have those kinds of assurances…. given the trends with China’s influence,” Dunford told the House Armed Services Committee yesterday.
Yet across the Atlantic, the European Commission issued long-awaited 5G security recommendations to European Union member nations. Those recommendations included an extensive “risk assessment” -- but no language about threats from Huawei or other Chinese companies. U.S. allies, including Germany, had already resisted a months-long lobbying effort by top U.S. officials who warned that working with Huawei could imperil U.S. intelligence sharing agreements.
If allies do not take U.S. officials' warnings about Huawei as seriously, there could be consequences to U.S. military operations, Rep. Mike Gallagher (R-Wis.) and Rep. Ruben Gallego (D-Ariz.) tell me. Most of the concern in the 5G debate so far has focused on the potential damage Huawei could cause by spying on intelligence agencies or stealing U.S. companies’ trade secrets, but as Gallagher notes, "if we can’t shore up our alliance structure with the Five Eyes and then NATO, it’s going to be hard to conduct interoperable military activities going forward."
The Five Eyes refers to a close intelligence-sharing relationship between the United States, the United Kingdom, Canada, Australia and New Zealand. Only Australia among that group has banned Huawei from its 5G networks so far.
The pair penned a letter to Dunford and Acting Defense Secretary Patrick Shanahan in advance of the hearing asking how allies’ Huawei 5G investments would affect U.S. war planning and information sharing -- and what the Defense Department could do to mitigate those threats.
China already has a long track record of stealing U.S. military technology, and a firm footing in 5G could help it steal even more, Gallagher said.
Or, during a military conflict, Huawei could help China spy on U.S. troop movements or planning, Gallego said. Without the ability to plan operations in secret, Gallego warned, “our next potential war could be lost without even one shot being fired.”
Huawei has firmly denied that it spies on behalf of the Chinese government and is suing U.S. government officials over a related ban on the company's technology in government networks.
Gallagher and Gallego also sponsored the House version of a bill that would prevent U.S. companies from supplying Huawei and other Chinese telecommunications companies with critical components. A companion bill was sponsored by Sens. Tom Cotton (R-Ark.) and Chris Van Hollen (D-Md.) in the Senate.
Shanahan demurred when Gallagher asked him his opinion of the bill during Tuesday’s hearing, saying merely that U.S. companies should be beating China in the race for the best 5G technology.
“It’s not only in our security interests, it’s in our economic interest to be able to have that kind of capability,” he said.
If the U.S. military can’t trust allies’ wireless networks, it will have to stay off them and manage its sensitive communications through specialized secure networks, Shanahan told lawmakers – a very big lift for a military with bases that span much of the globe.
Gallagher worries the military will still be forced to rely on wireless networks for some tasks because the volume of information flowing between the U.S. and its allies is simply too great, he told me.
Even if the military segregates all of its sensitive communications, troops will still be doing day-to-day emailing and web surfing on public 5G networks and personal devices, Gallagher warned. And if those devices become infected with malware that’s delivered over 5G networks, one of them may accidentally be connected to a secure network and spread the infection.
“There’s no real way to mitigate the threat,” Gallagher said. "We deserve more clarity on the military and operational risks."
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Sens. Ron Wyden (R-Ore.) and Cotton plan to introduce a bill today that would authorize the Senate’s technology office to help senators and some Senate staff secure their personal accounts and devices against hacking.
That office, the Senate Sergeant at Arms, has said it's prohibited from using public funds to aid senators’ personal cybersecurity under current rules. That leaves a dangerous opening for hackers who can compromise a senator or staffer's personal device and then jump from there to office computers, Wyden and Cotton said.
The bill comes after hackers compromised computers in numerous congressional offices in the past two decades, including then-Rep. Frank Wolf (R-Va.) in 2006 and then-Sen. Bill Nelson (D-Fla.) in 2009. And that’s only the ones we know about. A cybersecurity firm also told Wyden’s office earlier this year that one of the Russian government hacking groups that breached the DNC was also targeting the personal email accounts of senators and Senate staff.
The Senate Cybersecurity Protection Act comes with pre-endorsements from numerous cybersecurity leaders, including Google Information Security Senior Director Heather Adkins and Lesley Carhart, principal threat analyst at the cybersecurity firm Dragos.
“It is ludicrous to expect individual senators and their staff to defend themselves from spies and hackers,” Harvard cybersecurity lecturer Bruce Schneier said in a statement about the bill. “Hostile foreign intelligence services do not respect the arbitrary line between work and personal technology.”
PATCHED: The Senate’s first major election security bill of this Congress will be introduced today – but the chances of it passing are basically nil.
Sens. Tom Udall (D-N.M.), Jeff Merkley (D-Ore.) and Senate Minority Leader Chuck Schumer (D-N.Y.) plan to introduce the Senate version of the For the People Act, a catch-all bill of progressive priorities that House Democrats passed out of that chamber with much fanfare earlier this month.
The Senate bill’s election security provisions are exactly the same as the House bill’s, a Udall spokesman told me – that means a requirement that states use paper ballots and conduct post-election audits to ensure those votes were counted correctly. Other provisions in the bill focus on making voting easier and making Election Day a national holiday.
The bill is unlikely to even reach the floor, though, in the Republican-controlled Senate. Majority Leader Mitch McConnell has already dubbed it the “Democrat Political Protection Act.”
Several senators have said they plan to reintroduce standalone election security bills from last Congress in the coming weeks.
PWNED: The Taiwanese computer-maker ASUS is trying to tamp down concerns a day after Motherboard revealed a major breach that resulted in the company sending malware-infected software updates, which could seize control of computers, to half a million of its customers.
“Only a very small number of specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted,” the company said in a statement and Q and A.
Information security Twitter was quick to throw shade on the company’s assurances, though – and to note it had originally tried to keep the breach quiet by asking Kaspersky, the company that discovered it, to sign a non-disclosure agreement.
They wanted Kaspersky to sign an NDA so I think it’s safe to say they would have remained silent about this if Kaspersky had not gone public with the info. — Kim Zetter (@KimZetter) March 26, 2019
Here’s a full rundown from Cyberscoop.
And here’s more from reporter Kim Zetter who broke the story for Motherboard:
.@ASUS has finally released statement. Says only small number of machines infected (researchers say 500k); also says it’s finally begun to notify customers (@kaspersky told them about prob in Jan.) They don’t bother to thank Kaspersky at all in statement. https://t.co/QUCu7vfeio https://t.co/gzHfWe2tAR — Kim Zetter (@KimZetter) March 26, 2019