THE KEY

Huawei, which is at the center of a titanic struggle over whether Chinese companies can be trusted with U.S. data, will defend itself for the first time in a U.S. courtroom this week.

The specific legal case deals with a ban on government agencies buying Huawei products that Congress passed last year. But Huawei probably will use the public showdown as an opportunity to punch back against a slew of other U.S. restrictions, experts told me.

Those restrictions include a presidential order banning the company from the United States’ next-generation 5G wireless networks, a Commerce Department ban on U.S. companies selling parts to Huawei and a public campaign urging U.S. allies to impose similar restrictions. They're all based on U.S. government claims Huawei can’t be trusted not to help Beijing spy on U.S. targets.

The public hearing offers Huawei a plum opportunity to argue to the world — including U.S. allies who may be on the fence about working with the embattled telecom firm — that those restrictions aren’t really about protecting U.S. national security but about a fear of Chinese economic competition and the Trump administration trying to gain leverage in trade negotiations.

“The message Huawei wants to send is that it’s a victim being attacked by the U.S. government across the board…that the security risks are nonexistent or overblown and that the U.S. is a bad actor in this space,” Adam Segal, a cybersecurity and China policy expert at the Council on Foreign Relations, told me.

Huawei has gotten some help in that argument from President Trump, who has repeatedly suggested on Twitter and elsewhere that he might roll back some restrictions on the company in exchange for concessions in the U.S.-China trade dispute.

“If I was Huawei’s attorney, I’d be pushing hard on that, saying this is not a security thing, it’s a trade thing,” Eric Crusius, an attorney at the Holland & Knight law firm who focuses on government contract disputes, told me.

But that argument might not be very effective with the judge in the case, Judge Amos L. Mazzant III of the U.S. District Court for the Eastern District of Texas.

“I wouldn’t be surprised if the judge knows the president is kind of a free agent when it comes to Twitter and gives the Justice Department some slack with respect to that,” Crusius told me.

The company's legal defense is also part of a broader campaign to push back against the United States outside the courtroom, including by accusing the U.S. government of hacking its systems and threatening its employees, and with a Twitter feed named @HuaweiFacts that routinely disputes claims the company assists Beijing in spying.

“My sense is they never really thought they were going to win this case, but it’s part of a broader PR campaign, probably directed both domestically inside of China and to potential Huawei partners in Europe, Latin America and other places,” Segal told me. “They want to paint the picture that the U.S. is trying to crush Huawei and Huawei is fighting back.”

During the oral arguments scheduled for Thursday, Huawei attorneys will argue against a Justice Department request to dismiss its case challenging the government ban. Huawei’s main argument is that Congress unfairly singled it out for punishment by barring it from government systems.

The Justice Department, meanwhile, says Congress has every right to ban companies that pose national security threats. In the case of Huawei, Congress's concerns that the company could help Chinese spying date all the way back to 2012, when the House Intelligence Committee produced a report about Huawei seemingly transferring U.S. companies' data to China.

The DOJ argument prevailed in a highly similar case last year when a federal judge dismissed a challenge from the Russian anti-virus company Kaspersky Lab, which Congress also banned from U.S. government computer networks. But some think Huawei might have a better chance of beating the motion to dismiss because it will be easier to cast doubt on U.S. motives.

“There’s certainly a tug of war with policy vis a vis the Chinese now, and Huawei’s been in the middle of that. Kaspersky didn’t have the benefit of making that argument because there was no Russian economic policy we were debating at the time,” he said. 

Mazzant may rule on the case immediately after the oral arguments or defer the ruling. Huawei and the DOJ both declined to comment because their litigation is ongoing. 

PINGED, PATCHED, PWNED

PINGED: Colorado’s top election official will stop allowing voting machines that use printed bar codes to count votes in 2021, CNN's Kevin Collier reports. The concern is hackers could theoretically alter those bar codes to say something other than what the voter intended.

“A voter can verify the ovals, the candidates they chose, but how it gets tabulated is actually through an encrypted QR code,” Colorado Secretary of State Jena Griswold said to CNN. “Is it really a voter-verified paper trail if a voter cannot verify the encrypted QR code?”

Under the new system, voters will still vote electronically, but the printed receipts will show darkened ovals similar to a hand-marked ballot so the voter can verify everything is recorded accurately before the machine counts the ballot. The machine will tally votes based on those ovals rather than a bar code.

But some cybersecurity researchers say the major issue isn't machine tallies that rely on bar codes, but rather whether people are conducting audits to ensure those machine counts are accurate. “So long as the human-readable part of the paper ballot can be reviewed by each voter for mistakes and a post-election audit is conducted to verify the outcome based on the paper ballots, whether or not there's a bar code does not matter,” voting security researcher Matt Bernhard told Kevin.

PATCHED: Sen. Mark R. Warner (D-Va.) wants U.S. Customs and Border Protection to provide more information on the cybersecurity practices of its contractors following a June data breach that resulted in the theft of photos of thousands of travelers.

Warner described the breach as just the latest in a series of failures by government agencies to hold their contractors to strong cybersecurity standards. He wants to know whether CBP requires contractors to encrypt their data and monitor potential digital vulnerabilities. The CBP contractor breach also revealed gigabytes of sensitive government documents, including schematics of technology installed at various points of entry as well as at U.S. military bases, my colleague Drew Harwell reported.

“It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data,” Warner wrote to acting CBP commissioner Mark Morgan. “Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.”

PWNED: A bipartisan pair of U.S. senators is asking the Federal Communications Commission to reevaluate two Chinese state-owned telecom companies’ U.S. operations over cybersecurity concerns, David Shepardson at Reuters reports. The request comes as both lawmakers and the White House are raising red flags about how China may be using its telecommunication presence in the United States for espionage.

China Telecom and China Unicom's access to communications infrastructure including fiber-optic cables and satellites could give China a way to “target the content of communications of Americans or their businesses and the U.S. government, including through the ‘hijacking’ of telecommunications traffic by redirecting it through China,” Senate Minority Leader Charles E. Schumer (D-N.Y.) and Sen. Tom Cotton (R-Ark.) said in a letter sent yesterday to FCC Chairman Ajit Pai. The senators also sent the letter to the Defense Department, and the Department of Homeland Security, Reuters reported.

The FCC confirmed it was already reviewing the companies. In a similar case, the commission voted unanimously in May to deny Chinese telecommunications company China Mobile Ltd. the right to provide services in the United States over concerns of espionage risks.

PUBLIC KEY

A Los Angeles-based nonprofit called LA Cyber Lab is offering local businesses two new tools to help defend themselves against hacking, the organization is announcing this morning. One of the tools is a mobile app that shares information about new digital threats and another filters suspicious emails. The nonprofit is getting help from IBM Security on the project.

— More cybersecurity news from the public sector:

A widely-used political campaigning tool employed by Boris Johnson, Donald Trump, and the SNP has been buying data on British voters from a company accused by Facebook of violating its users' privacy.
The Telegraph
A Russian hacker at the center of an alleged scheme to steal financial data on more than 80 million JP Morgan Chase & Co. clients will plead guilty later this month, according to a U.S. court filing.
Bloomberg
California legislators adjourned for the year without watering down a sweeping privacy law set to take effect in January, although they passed a handful of amendments intended to clarify parts of the legislation.
Wall Street Journal
A 19-year-old man has been arrested for allegedly hacking the websites and “cloud-based accounts” of “world-famous” musicians, stealing their unreleased work, and selling the music for cryptocurrency, U.S. and British authorities announced Friday.
CyberScoop
PRIVATE KEY

— Cybersecurity news from the private sector:

Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.
ProPublica
"If the nerds don’t show up and work on the mission of national defense...then I’m not sure who will," says Chris Lynch, of Rebellion Defense.
Defense One
Google Project Zero finds and reports flaw in widely used password manager.
Ars Technica
THE NEW WILD WEST

— Cybersecurity news from abroad:

Elasticsearch server leaks personal data on Ecuador's citizens, their family trees, and children, but also some users' financial records and car registration information.
ZDNet
Protesters in Hong Kong fear they are being monitored by the local government and potentially by China, a country at the cutting edge of mass surveillance. So demonstrators have developed hacks to avoid arrest and hide their digital tracks.
Wall Street Journal
ZERO DAYBOOK

—Today:

  • PEN America, the Global Digital Policy Incubator at Stanford University’s Cyber Policy Center, and the Chair of the U.S. Federal Election Commission, Ellen L. Weintraub, will convene a half-day symposium in Washington, D.C. to examine the challenge that digital disinformation poses to the 2020 elections.

—Coming up:

  • The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency will host its second annual National Cybersecurity Summit this Wednesday through Friday in National Harbor, Maryland.
  • The International Association of Privacy Professionals hosts a conference September 24-25 in Las Vegas.