Trump administration officials have warned for months that Huawei’s global expansion into next-generation 5G wireless networks would amplify the threat of Chinese digital spying.
But now they’re taking the gloves off, accusing the Chinese government of running roughshod over international norms and its own laws to steal Western innovations. The stepped-up rhetoric comes as President Trump imposed high tariffs on a wide range of Chinese imports, leading to a major escalation in trade hostilities between the two countries.
The move to 5G makes concerns about spying and sabotage significantly more pressing because its super-fast speeds will allow far more systems critical to public safety to run on wireless internet connections, such as high-tech medical equipment and driverless cars.
If Huawei gains a foothold in U.S. allies’ 5G networks, the Chinese government could force the company to send software updates to spy on Western companies or sabotage critical infrastructure, Chris Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, warned lawmakers during a Senate Judiciary Committee hearing Tuesday.
Beijing could also exploit hidden vulnerabilities that already exist in Huawei products to hack adversaries or it could plant spies inside Huawei teams that work abroad servicing the company’s technology, Krebs said.
“It’s not about overseeing Huawei. It’s about overseeing China,” Judiciary Committee Chairman Lindsey Graham (S.C.) said during the hearing.
Administration officials formerly attributed their concerns about Huawei to a 2017 cybersecurity law they said would force the company to cooperate with Chinese intelligence requests. But Krebs abandoned that nicety Tuesday.
“This is a single-party government. Everything that flows from the central party is a manifestation of their philosophy,” he said. “The [cybersecurity] law is important because it is telling you what they want to do. But they’re going to get what they want anyway, law or not.”
The U.S. and China stepped away from trade negotiations last week amid recriminations, and the heightened rhetoric on digital spying probably will make tensions worse.
Lawmakers are also taking a cue from the administration and moving to restrict China from access to U.S. technological innovations.
On Tuesday, Sen. Josh Hawley (R-Mo.) introduced a bill to bar exporting large categories of technologies to China including artificial intelligence, robotics, semiconductors and advanced construction equipment.
Hawley and five other Republicans also proposed another bill to bar Chinese students from science or engineering schools connected with the People’s Liberation Army from receiving U.S. visas.
“This is a strategy with multiple tentacles,” Sen. Thom Tillis (R-N.C.) said, describing Chinese digital spying efforts, “and we as members of Congress need to understand every one of those and chop them off.”
Huawei officials, meanwhile, described the company as caught in a big power dispute between the United States and China in which the risk the company poses is being mischaracterized and misunderstood.
Huawei argues that U.S. officials’ concerns about back doors in Huawei products can be addressed with regular audits and risk assessments — and that wireless carriers can vet any software updates to ensure they're similarly free of back doors, Huawei Chief Security Officer Andy Purdy told me.
Similar assessments should be done on any 5G technology vendor because even technology that is designed to be as secure as possible probably will contain some bugs that sophisticated hackers can exploit, said Purdy, who was a top DHS cybersecurity official during the George W. Bush administration.
But those arguments have largely fallen on deaf ears, Purdy said.
“We'd welcome the opportunity to talk to these folks,” he said, “to talk about policy and to help them understand the nature of the risks.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Exclusive to the Cybersecurity 202: Sen. Ron Wyden (D-Ore.) plans to reintroduce today an election security bill that mandates paper ballots and post-election audits and would grant DHS broad authority to set mandatory cybersecurity requirements for voting machines, voter registration databases and election results websites.
It’s the first standalone Senate bill this Congress that would force major reforms to election security. It comes after Russian hackers probed numerous election systems in 2016 and penetrated a handful of voter registration databases.
The updated version of the Protecting American Votes and Elections Act would authorize $500 million in grants to states to pay for new machines to count paper ballots. It would also authorize $250 million for ballot marking machines to be used by people with disabilities who can’t use paper ballots.
The bill has already been endorsed by numerous election security advocacy groups including the National Election Defense Coalition and the Brennan Center for Justice as well as by Stacey Abrams, a Democrat who narrowly lost a race to be Georgia’s governor in November. Georgia is considered a laggard on election security and was one of five states that lacked a paper ballot record for all races in 2018.
Wyden’s bill won numerous Democratic co-sponsors last Congress but didn’t get any support from Republicans, who are far warier about imposing specific election security requirements on states.
This version of the bill comes with a dozen Democratic co-sponsors, including presidential candidates Elizabeth Warren (Mass.), Cory Booker (N.J.), Kirsten Gillibrand (N.Y.), Bernie Sanders (I-Vt.) and Kamala Harris (Calif.).
PATCHED: Florida Gov. Ron DeSantis (R) confirmed after an FBI briefing Tuesday that Russian hackers gained access to voter registration databases in two Florida counties ahead of the 2016 election, the Associated Press’s Brendan Farrington reported.
“DeSantis said the hackers didn’t manipulate any data and the election results weren’t compromised,” Farrington reported. The governor was barred by the FBI from revealing the counties, but said officials there know about the breaches.
The news helps explain a portion of the Mueller report, which stated that FBI officials believed Russian hackers penetrated the networks of “at least one” Florida county before the 2016 election. It doesn’t explain, however, why the FBI is only confirming the breaches now – or why they didn’t alert Florida state government officials at the time.
Sen. Rick Scott (R-Fla.), who was governor at the time and has said he was unaware of the breaches, will get an FBI briefing today, the AP reported.
Sen. Bill Nelson (D), whom Scott defeated for reelection, previously said Russian hackers were active inside Florida networks before the 2018 contest – a claim that has not yet been borne out.
PWNED: Another bill introduced by four senators Tuesday would require that a DHS election security expert serve on an Election Assistance Commission panel that writes voluntary voting system security guidelines.
The EAC is drafting an updated version of those guidelines now in the lead-up to the 2020 contest.
The Voting System Cybersecurity Act’s sponsors are Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.), co-sponsors of a broader bipartisan election security bill that they plan to reintroduce this month, and Sens. Ron Johnson (R-Wis.) and Gary Peters (D-Mich.), chair and ranking member of the Senate Homeland Security Committee.
The Senate Rules Committee has an EAC oversight hearing scheduled today.
After WhatsApp disclosed that a sophisticated spyware agency had found a way to hack some of its users, it would be reasonable to conclude that no security system is perfect and that highly skilled hackers can find a way to breach almost any system given enough time and resources.
According to WhatsApp, the group that exploited the hacking technology was likely a government and the victims were likely human rights groups, as Reuters reported.
An unreasonable conclusion, however, would be the one drawn by a Bloomberg Opinion writer – that consumer cybersecurity protections such as end-to-end encryption are pointless marketing gimmicks.
📱 Sorry, WhatsApp users: “End-to-end encryption” is a marketing device used to lull consumers into a false sense of security.
📝 If you want truly secure communication, you'll have to resort to the old-fashioned analog world https://t.co/Uc62ZP7Euh
— Bloomberg Opinion (@bopinion) May 14, 2019
Information security Twitter was quick to swat back the overblown claim.
Here’s Georgetown University cryptography professor Matt Blaze:
End to end encryption does nothing to protect against attacks on your endpoint, true. And seatbelts and airbags do nothing to prevent your car from being hit by a meteorite.
— matt blaze (@mattblaze) May 14, 2019
And here’s a take from privacy lawyer and Access Now U.S. Policy Manager Amie Stepanovich:
The difference between “probably won’t protect you if you’re individually targeted by a sophisticated actor” and “pointless” or “a marketing device” is basically gigantic. https://t.co/hwmfSxfrEO
— Amie Stepanovich (@astepanovich) May 14, 2019
And TechCrunch writer Zack Whittaker:
This is downright irresponsible and dangerous to claim. End-to-end encryption isn't broken. If the device is pwned, the data is pwned. Saying end-to-end encryption is broken will deter people from using it — when it's perfectly fine to use. https://t.co/5hx6lLtpg6
— Zack Whittaker (@zackwhittaker) May 14, 2019