THE KEY

Trump administration officials have warned for months that Huawei’s global expansion into next-generation 5G wireless networks would amplify the threat of Chinese digital spying.

But now they’re taking the gloves off, accusing the Chinese government of running roughshod over international norms and its own laws to steal Western innovations. The stepped up rhetoric comes as President Trump imposed high tariffs on a wide range of Chinese imports, leading to a major escalation in trade hostilities between the two countries.

The move to 5G makes concerns about spying and sabotage significantly more pressing because its super-fast speeds will allow far more systems critical to public safety to run on wireless internet connections, such as high-tech medical equipment and driverless cars. 

If Huawei gains a foothold in U.S. allies’ 5G networks, the Chinese government could force the company to send software updates to spy on Western companies or sabotage critical infrastructure, Chris Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, warned lawmakers during a Senate Judiciary Committee hearing Tuesday.

Beijing could also exploit hidden vulnerabilities that already exist in Huawei products to hack adversaries or it could plant spies inside Huawei teams that work abroad servicing the company’s technology, Krebs said.

“It’s not about overseeing Huawei. It’s about overseeing China,” Judiciary Committee Chairman Lindsey Graham (S.C.) said during the hearing.

Administration officials formerly attributed their concerns about Huawei to a 2017 cybersecurity law they said would force the company to cooperate with Chinese intelligence requests. But Krebs abandoned that nicety Tuesday.

“This is a single-party government. Everything that flows from the central party is a manifestation of their philosophy,” he said. “The [cybersecurity] law is important because it is telling you what they want to do. But they’re going to get what they want anyway, law or not.”

The U.S. and China stepped away from trade negotiations last week amid recriminations, and the heightened rhetoric on digital spying probably will make tensions worse.

The White House, which has struggled to convince allies to restrict Huawei from their 5G networks, may also impose its own ban on Huawei as soon as this week, Reuters reported Tuesday

Lawmakers are also taking a cue from the administration and moving to restrict China from access to U.S. technological innovations.

On Tuesday, Sen. Josh Hawley (R-Mo.) introduced a bill to bar exporting large categories of technologies to China including artificial intelligence, robotics, semiconductors and advanced construction equipment.

Hawley and five other Republicans also proposed another bill to bar Chinese students from science or engineering schools connected with the People’s Liberation Army from receiving U.S. visas.

“This is a strategy with multiple tentacles,” Sen. Thom Tillis (R-N.C.) said, describing Chinese digital spying efforts, “and we as members of Congress need to understand every one of those and chop them off.”

Huawei officials, meanwhile, described the company as caught in a big power dispute between the United States and China in which the risk the company poses is being mischaracterized and misunderstood.

Huawei’s argues U.S. officials’ concerns about back doors in Huawei products can be addressed with regular audits and risk assessments — and that wireless carriers can vet any software updates to ensure they're similarly free of back doors, Huawei Chief Security Officer Andy Purdy told me.

Similar assessments should be done on any 5G technology vendor because even technology that is designed to be as secure as possible probably will contain some bugs that sophisticated hackers can exploit, said Purdy, who was a top DHS cybersecurity official during the George W. Bush administration.

But those arguments have largely fallen on deaf ears, Purdy said.

“We'd welcome the opportunity to talk to these folks,” he said, “to talk about policy and to help them understand the nature of the risks.”

PINGED, PATCHED, PWNED

PINGED: Exclusive to the Cybersecurity 202: Sen. Ron Wyden (D-Ore.) plans to reintroduce today an election security bill that mandates paper ballots and post-election audits and would grant DHS broad authority to set mandatory cybersecurity requirements for voting machines, voter registration databases and election results websites.

It’s the first standalone Senate bill this Congress that would force major reforms to election security. It comes after Russian hackers probed numerous election systems in 2016 and penetrated a handful of voter registration databases.

The updated version of the Protecting American Votes and Elections Act, would authorize $500 million in grants to states to pay for new machines to count paper ballots. It would also authorize $250 million for ballot marking machines to be used by people with disabilities that can’t use paper ballots.

The bill has already been endorsed by numerous election security advocacy groups including the National Election Defense Coalition and the Brennan Center for Justice as well as by Stacey Abrams, a Democrat who narrowly lost a race to be Georgia’s governor in November. Georgia is considered a laggard on election security and was one of five states that lacked paper ballot record for all races in 2018.  

Wyden’s bill won numerous Democratic co-sponsors last Congress but didn’t get any support from Republicans who are far warier about imposing specific election security requirements on states.

This version of the bill comes with a dozen Democratic co-sponsors, including presidential candidates Elizabeth Warren (Mass.), Cory Booker (N.J.), Kirten Gillibrand (N.Y.), Bernie Sanders (I-Vt.) and Kamala Harris (Calif.).

PATCHED: Florida Gov. Ron DeSantis (R) confirmed after an FBI briefing Tuesday that Russian hackers gained access to voter registration databases in two Florida counties ahead of the 2016 election, the Associated Press’s Brendan Farrington reported.

“DeSantis said the hackers didn’t manipulate any data and the election results weren’t compromised,” Farrington reported. The governor was barred by the FBI from revealing the counties, but said officials there know about the breaches. 

The news helps explain a portion of the Mueller report, which stated that FBI officials believed Russian hackers penetrated the networks of “at least one” Florida county before the 2016 election. It doesn’t explain, however, why the FBI is only confirming the breaches now – or why they didn’t alert Florida state government officials at the time.

Sen. Rick Scott (R-Fla.), who was governor at the time and has said he was unaware of the breaches, will get an FBI briefing today, the AP reported.

Sen Bill Nelson (D), who Scott defeated for reelection, previously said Russian hackers were active inside Florida networks before the 2018 contest – a claim that has not yet been born out.

PWNED: Another bill introduced by four senators Tuesday would require that a DHS election security expert serve on an Election Assistance Commission panel that writes voluntary voting system security guidelines.

The EAC is drafting an updated version of those guidelines now in the leadup to the 2020 contest.

The Voting System Cybersecurity Act’s sponsors are Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.), co-sponsors of a broader bipartisan election security bill that they plan to reintroduce this month, and Sens. Ron Johnson (R-Wis.) and Gary Peters (D-Mich.), chair and ranking member of the Senate Homeland Security Committee.

The Senate Rules Committee has an EAC oversight hearing scheduled today.

Here's more on the bill from The Hill's Maggie Miller.

PUBLIC KEY

Cybersecurity news from the public sector:

Secretary of State says Russian meddling in 2020 "would put our relationship in an even worse place"
The Hill
Huawei is willing to sign no-spy agreements with governments, including Britain,...
Reuters
Cybersecurity experts are worried about the fallout from a Supreme Court ruling allowing customers to sue Apple over the prices in its App Store, claiming it could eventually lead to more unsecured apps being sold to consumers.
The Hill
PRIVATE KEY

Cybersecurity news from the private sector:

Intel and a group of cybersecurity researchers published details on four new potential chip attacks that exploit the same “speculative execution” process
CyberScoop
A recent vulnerability in WhatsApp shows that there’s little defenders can do to detect and analyze iPhone hacks.
Motherboard
THE NEW WILD WEST

Cybersecurity news from abroad:

Middle East
A new report from Canadian internet watchdog Citizen Lab is linking Iran with a fake Twitter account unmasked by The Associated Press
Raphael Satter | AP
With the launch of the Google Safety Engineering Center, Google will double the number of privacy engineers it has in Munich.
ZDNet
Israel's webcast of the Eurovision Song Contest semi-final was hacked with ...
Reuters
CHAT ROOM

After WhatsApp’s disclosed that a sophisticated spyware agency had found a way to hack some of its users, it would be reasonable to conclude that no security system is perfect and that highly skilled hackers can find a way to breach almost any system given enough time and resources.

According to WhatsApp, the group that exploited the hacking technology was likely a government and the victims were likely human rights groups, as Reuters reported.

An unreasonable conclusion, however, would be the one drawn by a Bloomberg Opinion writer – that consumer cybersecurity protections such as end-to-end encryption are pointless marketing gimmicks.

Information security Twitter was quick to swat back the overblown claim.

Here’s Georgetown University cryptography professor Matt Blaze:

And here’s a take from privacy lawyer and AccessNow U.S Policy Manger Amie Stepanovich:

And TechCrunch writer Zack Whittaker: