The Trump administration’s decision to block American companies from providing software and components to Huawei will not actually make the U.S. more secure, according to a majority of experts surveyed by The Cybersecurity 202.
The Commerce Department imposed that ban last month as part of a broad government effort to punish Huawei over concerns it’s helping the Chinese government spy on U.S. companies. But cybersecurity experts worry the ban will hurt U.S. tech companies more than it hurts the Chinese telecom giant -- and will diminish U.S. influence over the security of new technologies.
“Not only does this hurt the immediate bottom line of U.S. companies, it will simply lead to Huawei turning elsewhere for its supply needs to the long-term detriment of our technology sector,” said Tor Ekeland, an attorney who specializes in defending hackers.
He was among 61 percent of respondents to The Network — an ongoing, informal survey of more than 100 cybersecurity experts from government, academia and the private sector — who said the ban was a bad idea. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Others were similarly concerned that China would simply build up its domestic technology industry so it doesn’t have to rely on U.S. suppliers. “This will only accelerate China's technological independence and end up impacting the U.S. economy longer term,” warned Mark Weatherford, a former Department of Homeland Security cybersecurity official who’s now a global information security strategist at Booking Holdings.
Alex Stamos, a former Facebook chief security officer, warned that the ban “seems much more likely to embolden the [Chinese government] than deter the misuse of its technology industry.”
If the effort “to reduce [China’s] overall dependence on the U.S. tech sector is successful,” warned Stamos, who’s now a Hoover fellow at Stanford University, China “could emerge as the indispensable nation in consumer technology."
And China might retaliate with similar bans against U.S. technology “that ultimately stagnates our tech leadership around the world," Katie Moussouris, founder of Luta Security, warned. “The balkanization of software and hardware is a game the U.S. cannot win in the long run,” she warned.
Some critics of the ban argued that it wouldn’t actually help reduce Chinese spying and theft of U.S. companies' intellectual property as the Trump administration hopes — but may even increase it.
Chris Finan, cybersecurity director on the National Security Council during the Obama administration who’s now CEO of Manifold Technology, called the ban an “act of self-immolation in the name of security” and argued it “will do nothing to change Huawei’s or Chinese government behavior over the long term.”
The ban, coupled with the Trump administration’s ongoing trade disputes with China, could prompt “a significant rise in cyberattacks on U.S. companies," said Tony Cole, chief technology officer at Attivo Networks.
Supporters of the ban, however, argued that Chinese digital spying on U.S. companies had gone on for too long with impunity — and that the Trump administration was right to take bold action against a company they believe is tightly tied to the Chinese state.
“Huawei has acted in bad faith for many years, and it's no surprise it is finally catching up to them,” said Dave Aitel, a former NSA researcher and chief security technical officer at Cyxtera Technologies.
“Huawei is a tool of the Chinese state and has close ties with the intelligence services,” said Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
Some were optimistic about the effect of U.S. economic pressure. “It is necessary to put economic pressure on China to change its practices that have been gravely damaging to our national security and economic security," said Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, Information and Services.
Even some supporters of the ban, however, worried it might have some negative outcomes for global cybersecurity. Betsy Cooper, a policy director at the Aspen Institute and a former DHS attorney, worried we might be “entering a world in which big powers build their own technology in-house, and smaller states have to choose between them.”
Some experts both for and against the ban are concerned about the effect of its implementation on American companies. Jamil Jaffer, vice president for strategy and business development at IronNet Cybersecurity, supports the Trump administration's decision but warned that the government can wield its authority to cut off Huawei’s American suppliers “as a cudgel or a scalpel” -- and urged “using the scalpel approach.”
Others less sanguine about the ban said it was an extreme outcome that could have been avoided. Suzanne Spaulding, who led DHS cybersecurity efforts during the Obama administration, faulted the Trump administration for not demonstrating “what specifically Huawei and China could do to overcome our security concerns.”
The Commerce Department ban came down the same day that President Trump signed an executive order banning Huawei from the United States’ next-generation 5G wireless networks and U.S. officials have been urging allies to impose similar bans.
Huawei has consistently denied assisting Chinese government spying and the U.S. government has never produced smoking-gun evidence to prove otherwise. U.S. officials have argued that hard evidence is unnecessary, however, because, under the Chinese communist system, Huawei would be forced to help Chinese spying efforts if the government demanded it.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
— More responses to The Network survey question on banning Huawei suppliers:
- NO: “There is good reason to ban Huawei equipment in U.S. 5G networks because of the potential risk it poses that are difficult to mitigate. Banning U.S. supplies to Huawei, on the other hand, hurts U.S. businesses and encourages Huawei to accelerate development of technology independent of a U.S. supply chain.” — Chris Painter, former State Department cybersecurity coordinator
- YES: “The best analogy is that instead of riding in a boat with 1000 holes in it, we now have 100.” — Geoff Hancock, principal at Advanced Cybersecurity Group
- NO: “Barring U.S. companies from transacting with Huawei has nothing to do with security and everything to do with flexing the U.S. technology muscle, demonstrating that there are repercussions to stealing trade secrets and IP.” — Jay Kaplan, co-founder of the cybersecurity company Synack
- YES: “The United States needs to be able to function in cyberspace on terms that conform to our strategy and interest, not those of China.” — Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center operated by MITRE
- NO: “Whatever threat Huawei poses pales in comparison to the threat vectors created by the U.S. government's security policies.” — Sascha Meinrath, a Penn State University professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy
- NO: “Going after one company without a comprehensive plan for supply chain security will accomplish very little.” — Chris Wysopal, chief technology officer at Veracode
PINGED: An independent analysis of the malicious software that has locked up Baltimore city networks for nearly a month showed no signs of EternalBlue, a hacking tool stolen and leaked from the National Security Agency in 2016, cybersecurity blogger Brian Krebs reported Monday.
That contradicts a New York Times report, which said the Baltimore hackers used the stolen NSA tool after they’d gained access to Baltimore’s systems to move more easily through the city’s networks. But it jibes with NSA’s statements to Rep. Dutch Ruppersberger (D-Md.) that EternalBlue was not included in the malware.
Some cybersecurity researchers have cited the alleged use of EternalBlue in the Baltimore attack as evidence the NSA isn’t doing enough to secure its hacking tools — and that U.S. cities are suffering for it. Others have cautioned that Baltimore had two years to install a software patch that would have protected it against EternalBlue and should bear the responsibility if it didn’t.
The analysis was conducted by Joe Stewart, “a seasoned malware analyst now consulting with security firm Armor” who “obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident,” Krebs reported.
“Stewart said while it’s still possible that the EternalBlue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely,” Krebs reported.
Ransomware is a type of hacking tool that locks up a victim organization’s computers unless the victim pays to have them unlocked. Numerous cities have been hit with ransomware in recent years, including a major attack on Atlanta in 2018.
Here’s some of Armor’s earlier research on the Baltimore ransomware attack.
PATCHED: Apple announced a bevy of new privacy protections during its Worldwide Developers Conference on Monday, including the ability for users to allow an app to track their location only once rather than anytime they use the app, my colleague Reed Albergotti reported.
“That feature was aimed at people who grant apps permission to track them and then forget about them, sending their location to the app for no reason,” Reed explained.
The tech giant also announced a new way for people to use Apple credentials to log onto third-party sites that it said was more privacy friendly than competing services from Facebook and Google.
The company is also imposing stricter standards barring app developers from allowing third parties to track children through apps, TechCrunch’s Zack Whittaker reported.
PWNED: The medical testing company Quest Diagnostics confirmed Monday that a data breach affected nearly 12 million patients, compromising financial, credit card and medical data as well as Social Security numbers, my colleague Christopher Rowland reported.
The breach did not, however, compromise laboratory test results.
“The breach was a result of malicious activity on the payment pages of the American Medical Collection Agency, a third-party collections vendor for Quest," TechCrunch’s Zack Whittacker reported.
The company does not have details about which patients were affected, it said.
“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information,” the company said in a statement.
-- The Senate unanimously passed a bill late Monday making election interference punishable by deportation -- one of the few bipartisan election security proposals in Congress. Details from National Journal's Zach Cohen:
The bill is one of the many proposals backed by Democrats (and one of the few bipartisan ones) to address election security. https://t.co/32QeJO1znC— Zach C. Cohen (@Zachary_Cohen) June 3, 2019
More cybersecurity news from the public sector:
-- “Walmart is…expanding its $1-a-day college education program to include degrees in cybersecurity, computer science and other technology fields for its 1.5 million U.S. workers,” my colleague Abha Bhattarai reports.
More cybersecurity news from the private sector:
Cybersecurity news from abroad: