THE KEY

Security experts are sounding alarm bells over President Trump’s statement Monday that he might reconsider harsh penalties the U.S. government imposed against Huawei as part of a trade deal with Beijing.  

Government officials said the danger of Huawei sabotaging or spying on U.S. networks posed a major national security threat when they imposed those penalties — which include barring the Chinese telecom giant from building the United States’ next-generation 5G wireless networks and restricting American companies from supplying Huawei with software and components. And U.S. diplomats have been crisscrossing the globe urging allies to impose similar restrictions. 

It would be a major blow to the government’s credibility if it bargained away those penalties to grease the wheels of a trade deal, experts told me.

“It’s either a security risk or it’s not. That doesn’t get ameliorated as part of a trade deal,” Chris Painter, the top State Department cybersecurity official during the Obama administration, told me.

If the Trump administration uses Huawei’s penalties as a bargaining chip now, it will raise questions among allies about whether U.S. national security assessments are objective, said Robert Spalding, a retired Air Force brigadier general and former National Security Council director for strategic planning. 

“That’s the first thing our allies and partners will say: Is this national security or is it trade related?” said Spalding, who worked on 5G policy for the White House before leaving last year.

During a wide-ranging interview with CNBC on Monday, Trump raised the specter of a reversal of policy. "It could be very well that we do something with respect to Huawei as part of our trade negotiation with China," he said, while acknowledging he does see the company "as a threat." Treasury Secretary Steven Mnuchin made a similar claim during a Sunday interview.

“I think what the president is saying is, if we move forward on trade, perhaps he’ll be willing to do certain things on Huawei if he gets comfort from China on that and certain guarantees,” Mnuchin said. “But these are national security issues that we will want to make sure are resolved one way or another.”

A White House representative declined to comment on the statements.

But an official Huawei Twitter account quickly seized on the Mnuchin comments, prodding U.S. officials by asking: “Is it considered fair these days to use a single company as a pawn in political negotiations?”

Trump’s comments also sparked some deja vu. The president suggested during an earlier phase of trade negotiations with China in February that Huawei might be a bargaining chip. At that point, the United States had not imposed the 5G ban but was openly considering it.

It's not actually an outlandish idea that Trump administration officials could negotiate national security concerns with China at the same time they negotiate on trade, experts told me.

But, given the stark terms with which administration officials have described the Huawei threat — officials have repeatedly said the firm's links to the Chinese government pose an unacceptable security risk for Americans in any circumstance — it’s tough to see a way forward. It's unclear how China and the company, which have already insisted they have no intention of spying on the U.S., could remedy those concerns during trade negotiations. 

“The president sees himself as chief dealmaker and this is an opportunity to negotiate, but I think he should be doing it with intelligence agencies and national security in mind,” Betsy Cooper, a policy director at the Aspen Institute and a former Department of Homeland Security attorney, told me.

The issue is particularly concerning because U.S. officials have accused European allies that allowed Huawei to build portions of their 5G network of prioritizing an economic advantage over security, said Suzanne Spaulding, a top DHS cybersecurity official during the Obama administration. Because of Chinese state subsidies, Huawei vastly undersells its 5G competitors.

“If you're using your leverage to make [Huawei and China] make security changes, that's one thing,” Spaulding told me. “But, if what you're really saying is, 'We will give up our security concerns in exchange for an economic concession in the trade deal,' then that's really not much different from what we claim our allies are doing.”

The situation is also especially frustrating, because it’s not clear from the comments so far which Huawei punishment Trump is willing to negotiate — the 5G ban or the Commerce Department action, Painter told me. Painter and many other experts generally agree that the 5G ban is far more important for U.S. security than the Commerce action. 

That ambiguity will be extremely difficult for diplomats and other officials who have been arguing for both bans and are trying to stay in step with the administration, he told me.

“Strategic ambiguity can be helpful when you’re dealing with the other side,” Painter said. “But it’s not helpful when your own policymakers and your own team don’t know what you’re talking about. That’s destructive.”

PINGED, PATCHED, PWNED

PINGED: Hackers compromised a database of photos collected by U.S. Customs and Border Protection, including visa and passport photos and license plate photos, my colleagues Drew Harwell and Geoffrey A. Fowler reported.

The images were collected as part of the CBP's biometric entry-exit system, which is slated to use facial recognition technology on all domestic and international passengers traveling through the top 20 U.S. airports by 2021. "Fewer than 100,000 people were impacted," Drew and Geoffrey reported, and "the photographs were taken of people in vehicles entering and exiting the U.S. over a month and a half through a single land border entry port, which CBP did not name."

Perceptics, the contractor that allegedly managed the breached database, “was attempting to use the data to refine its algorithms to match license plates with the faces of a car’s occupants,” one U.S. official told Drew. That was “outside of CBP’s sanctioned use,” the official said.

CBP could not confirm whether Perceptics was the contractor involved in the breach, but a statement sent to The Post from CBP included Perceptics in the document title. And “reporters at The Register, a British technology news site, reported late last month that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web,” Drew and Geoffrey reported. All the equipment related to the breach, which was discovered May 31, has been unplugged and the agency is “closely monitoring” the work by the subcontractor, according to CBP.

Lawmakers are demanding a moratorium on the use of the technology in light of the breach. Sen. Edward J. Markey (Mass.), top Democrat on the security subcommittee of the Commerce, Science and Transportation Committee, said the breach “underscores the urgent need for the Department of Homeland Security to pause its deployment of facial recognition technology until it has instituted enforceable rules prioritizing cybersecurity and protecting travelers’ privacy.”

Rep. Bennie G. Thompson (D-Miss.), chairman of the Homeland Security Committee, said he intends to hold hearings next month on DHS's use of biometric information. “Government use of biometric and personal identifiable information can be valuable tools only if utilized properly,” Thompson said.

PATCHED: The White House still isn’t adequately protecting against its emails being spoofed by hackers more than eight months after a government deadline, according to data shared with me by the email security firm ValiMail.

The Department of Homeland Security ordered government agencies to set up the tool, called DMARC, in 2017 — and to set it up so that phony emails that appear to come from the government would be blocked from recipients’ inboxes.

But phony emails that appear to come from the White House’s main email domain, eop.gov, are being diverted to users’ spam folders now. And emails with whitehouse.gov addresses aren’t being diverted at all. The White House doesn’t actually use whitehouse.gov email addresses, but people don't know that — which leaves them vulnerable to opening an official-looking email loaded with malicious code that infects their computer.

The rest of the government continues to show improvements in enforcing DMARC, ValiMail found. And it's doing far better than other industry sectors, such as technology, financial services and health care, the company found. Check out the full report here.

PWNED: The Justice Department has delivered a formal extradition request to the United Kingdom for Julian Assange, my colleagues Rachel Weiner and Devlin Barrett reported.

The move suggests prosecutors won’t pile on any more charges against the WikiLeaks founder, whom they’ve controversially accused of violating the Espionage Act and of computer hacking crimes.

That means Assange won’t face charges for publishing a dump of leaked CIA hacking tools known as Vault 7 in 2017. Prosecutors worried that trying Assange for those crimes could further damage national security, officials told Rachel and Devlin.

“A U.S. official who spoke on the condition of anonymity to discuss a sensitive matter said the request was sent Thursday. The United States’ treaty with Britain required that the request be sent within 60 days of Assange’s April 11 arrest at the Ecuadoran Embassy in London,” Rachel and Devlin reported.

“The same treaty bars the United States from prosecuting Assange for any alleged crimes beyond those outlined in the extradition request, unless those acts occur after his extradition,” they reported.

PUBLIC KEY

-- Proposals from a growing number of states to require credit card readers at electric vehicle charging stations could put drivers at a greater risk for cybercrime, according to a new study from the nonprofit Digital Citizens Alliance. Fraud using small, hard-to-detect magnetic strip readers and chip readers has skyrocketed at gas stations and other point-of-sale terminals in recent years, the report states. The authors warn that electric vehicle charging stations could be the next target for scammers. You can check out the full report here.

More cybersecurity news from the public sector:

Facing criticism from the City Council, the head of the Baltimore IT office apologized for doing a poor job of sharing information after the ransomware attack.
Baltimore Sun
The House passed legislation by voice vote on Monday that would create “cyber incident response teams” at the Department of Homeland Security (DHS), which can be used to assist both government and private sector organizations after a data breach o
The Hill
The Joint Regional Security Stack (JRSS) program, a key part of the Department of Defense’s network consolidation and cybersecurity changes, is not being fully implemented properly, a Pentagon inspector general’s report found.
FedScoop
The House defense committee chair wants DOD to develop a process and criteria for suspending and debarring foreign tech companies that pose supply chain risks.
FCW
PRIVATE KEY

Cybersecurity news from the private sector:

Some of the world's biggest tech companies have told their employees to sto...
Reuters
Maybe we should have seen this one coming. Scammers are trying to dupe smartphone owners into turning over their personal information by clicking on push notifications that look like legitimate messages from well-known companies.
CyberScoop
THE NEW WILD WEST

Cybersecurity news from abroad:

British lawmakers questioned a Huawei executive on Monday about American allegations that the company poses a risk to national security.
The New York Times
ZERO DAYBOOK

Today:

  • The House Committee on Appropriations will mark up the FY2020 Homeland Security Appropriations Bill and the FY2020 Financial Services and General Government Appropriations Bill.

Coming Soon:

  • Tomorrow the House Armed Services Committee will host a full committee markup of the National Defense Authorization Act for Fiscal Year 2020.
  • The House Intelligence Committee on Thursday hosts a hearing on the “National Security Challenges of Artificial Intelligence, Manipulated Media, and Deepfakes.”