THE KEY

The Trump administration delayed for the second time yesterday a ban aimed at severing Huawei from U.S. markets, prolonging uncertainty for companies that rely on the Chinese telecom that U.S. officials say can’t be trusted not to spy for Beijing.

The Commerce Department order from May, which would restrict U.S. companies from selling software and other components to Huawei, now won’t take effect until November at the earliest. Alongside the delay, the department added 46 new Huawei subsidiaries to its list of companies subject to the ban — a move Commerce Secretary Wilbur Ross said was aimed at ensuring “there are no loopholes.”

The delay highlights the supreme difficulty of fully disentangling Huawei from its vast network of U.S. suppliers. It also extends the clock if the Trump administration opts to pare back the ban as part of a broader trade deal, which Trump has repeatedly suggested he might do.

The Commerce Department ban was the harshest of numerous actions the Trump administration took against Huawei this year — and the most controversial. Experts said the ban would unnecessarily harm companies that weren’t actually making it easier for Huawei to spy on U.S. targets and that it wouldn’t make the United States safer. They also objected that Trump openly pondered reversing the ban, which was ostensibly about national security, as a bargaining chip in trade negotiations -- which they said would undermine U.S. credibility anytime it cited national security concerns in the future. 

The experts generally favored a separate Trump administration action that banned Huawei from building the U.S. next-generation 5G wireless networks, which will carry hundreds of times more data than existing wireless networks and run a new generation of Internet-connected devices such as driverless cars. In the case of the 5G ban, the Huawei restriction was more clearly aimed at safeguarding Americans' cybersecurity, they said, and there was far less collateral damage to U.S. businesses.

Trump suggested he was open to limiting the Commerce ban after meeting with Chinese President Xi Jinping in late June, but backed off when there was no progress on a broader trade deal. He struck a harsher chord this weekend but also left open some wiggle room.

“Huawei is a company we may not do business with at all,” Trump said. “At this moment it’s looking much more like we’re not going to do business. I don’t want to do business at all because it is a national security threat.”

Some analysts, however, said it looked like Trump was wary of following through with the ban once U.S. companies were actually in danger of suffering.

“US government blinks again in its trade-deal bluff-fest with … Huawei,” cybersecurity consultant Eric Vanderburg tweeted.  

Huawei, which has consistently denied spying for Beijing, lashed out at the addition of 46 subsidiaries to the ban — saying it had more to do with hurting Chinese companies than protecting U.S. cybersecurity.

“It's clear that this decision, made at this particular time, is politically motivated and has nothing to do with national security,” the company said in an email to reporters. “These actions violate the basic principles of free market competition. They are in no one's interests, including U.S. companies.”

The administration opted to grant the extension because of rural telecoms that rely heavily on Huawei and need more time to transition away, Ross said in a Fox Business interview. Those telecoms are trying to comply with a separate Federal Communications Commission action that restricts carriers that receive certain federal grants from using Huawei equipment, but their services could be affected if Huawei loses U.S. suppliers.

“Some of the rural [telecom] companies are dependent on Huawei, so we’re giving them a little more time to wean themselves off,” Ross said.

Ross also repeated administration talking points, warning that Huawei would be powerless to refuse an order from Beijing’s intelligence services to seed its U.S.-based telecom equipment with spying tools and warning that those tools are so sophisticated that there’s no guarantee U.S. investigators could find them.

“The only way you know when a side door has been put in [U.S. telecom equipment] is when they decide to open it,” he said. “And then it’s too late.”

Those rural carriers, meanwhile, are preparing to transition away from Huawei, but won’t be able to bear the cost – which could be as high as $1 billion, according to an FCC commissioner’s estimate – without some federal help, my colleagues Jeanne Whalen and Felicia Sonmez report.

“My members say, ‘We’re patriots, if you tell us it’s a national security issue, we’ll do it, but please provide us with the funding,’” Carri Bennet, general counsel to the Rural Wireless Association, which represents companies in rural parts of Montana, Wyoming, Alabama and other states, told my colleagues.

To readers: The Cybersecurity 202 will publish on Tuesday, Wednesday and Thursday this week and will take a break the week of Aug. 26 before returning full time in September.

PINGED, PATCHED, PWNED

PINGED: Twitter has removed nearly a thousand Beijing-backed accounts that were using the platform to spread propaganda undermining protesters in Hong Kong, where hundreds of thousands of people are calling for government and military reform, the company announced yesterday. An additional 200,000 accounts in the network "were proactively suspended before they were substantially active on the service," according to the same announcement.

After being tipped off by Twitter, Facebook also identified a much smaller influence network of five accounts, three groups and seven pages run by Chinese state operatives who were pushing disinformation about protesters. The takedown is the first by Facebook against a coordinated influence campaign tied to China, signaling that Beijing may be picking up on the kinds of influence tactics more often associated with Russia.

Examples of the kinds of posts provided by Facebook included memes comparing the protesters to members of the Islamic State and cockroaches.

Some of the phony accounts tried to masquerade as American users by tweeting about U.S. television shows, as spotted by NBC's Ben Collins:

“Covert, manipulative behaviors have no place on our service,” Twitter said in a statement. 

PATCHED: Federal agencies were hit with 31,000 cybersecurity incidents in 2018, but no "major" ones, according to a new White House report. White House officials define "major" incidents as those that affect more than 100,000 individuals or cause demonstrable harm.

By contrast, "the government fell victim to five major incidents in 2017 and 16 in 2016," as Nextgov's Jack Corrigan reported.

Overall, cyber incidents decreased 17 percent from fiscal 2017 to 2018, the report found. But there's still progress to be made, especially when it comes to email and phishing scams, which accounted for nearly 7,000 incidents, and improper usage of government systems, which increased between 2017 and 2018, the report states.

PWNED: Facebook is extending a special bug bounty program designed to sniff out the next Cambridge Analytica to Instagram, the company announced yesterday.

The program will operate similarly to a bug bounty program Facebook launched last April offering hackers up to $40,000 to identify the potential misuse of user data by third-party apps. Instagram did not disclose how much it would offer hackers. "Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action," Dan Gurfinkel, security engineering manager at Instagram, wrote.

Even post-Cambridge Analytica, both Facebook and Instagram have struggled with protecting user privacy. Last month Business Insider revealed that a marketing firm, HYP3R, had exploited a technical glitch on Instagram to collect user data prohibited from marketers, including real-time location data. In May, a database of the contact information of millions of Instagram users was found unprotected online.

PUBLIC KEY

— Cybersecurity news from the public sector:

The attacks come after state and local ransomware strikes in New York, Louisiana, Maryland and Florida resulted in the loss of significant sums. (CNBC)

The company outlined its findings in a letter to Sen. Ron Wyden (D-Ore.), who had sought more detail on how a reported misconfiguration in Capital One’s AWS server would have made it possible for a single individual to steal information about more than 100 million people. (CyberScoop)

President Trump alleged Monday that Google manipulated millions of voters into supporting Hillary Clinton in the 2016 election, saying in his latest attack that the company “should be sued.” (The Hill)

A computer system outage that led to long passenger lines at international airports across the country on Aug. 19 was caused by a software bug, according to Customs and Border Protection. (Federal Computer Week)

PRIVATE KEY

— Cybersecurity news from the private sector:

Apple accidentally unpatched a vulnerability it had already fixed, making current versions of iOS vulnerable to hackers. (Vice)

Company doesn't know which locations were affected, but it's warning customers early so they can keep an eye out for suspicious transactions. (ZDNet)

Users of 85 apps were spammed with relentless fullscreen advertising. (ZDNet)

A popular hentai porn site that promises anonymity to its 1.1 million users left a user database exposed without a password, allowing anyone to identify users by their email addresses. (TechCrunch)

THE NEW WILD WEST

— Cybersecurity news from abroad:

Despite some countries' reservations about Huawei, Greece is busy running 5G projects with the Chinese giant. (ZDNet)

The European Central Bank (ECB) shut down one of its websites. (Reuters)