THE KEY

The preliminary deal in President Trump’s trade war with China didn’t loosen any of the tough restrictions on Huawei. And the delay is likely to make the battle over the telecom firm's future far more blistering.

A decision on whether to lift the ban on American companies supplying Huawei -- designed to help curtail Chinese spying -- is still up in the air. It wasn’t part of the first-round trade deal, Trump trade adviser Robert Lighthizer said Friday.

But the stakes will be much higher when the ban is taking a serious toll on Huawei’s bottom line and China is fighting for the survival of one of its flagship companies. Kicking the can down the road on Huawei could make it far tougher for the United States and China to reach consensus on tariffs, ways to protect the intellectual property of American businesses, and all the other major issues left unaddressed in the mini-deal Trump brokered with Chinese Vice Premier Liu He.

Huawei is facing two deadlines next month that could prompt a make-or-break moment for the telecom giant that wants to dominate building the world’s next-generation 5G wireless networks. 

First, the clock will run out Nov. 19 on the second of two 90-day reprieves that allow it to keep buying a limited number of U.S. products, forcing the company to shift to Chinese versions that analysts say aren’t as good for running super-fast 5G equipment.

The Commerce Department has carved out some exceptions to that ban but hasn’t announced them and could still reverse course, the New York Times’s Ana Swanson reported.

Second, also in mid-November, Huawei probably will run out of other U.S. components that are vital for its 5G operations and that the company stockpiled before the ban hit, as my colleague Jeanne Whalen reported.

One big concern for Huawei is running out of technology from the San Jose company Xilinx, without which it will be a lot tougher for its customers to update their 5G software remotely, Jeanne reported.

Huawei has consistently denied that it aids Chinese spying and said it would refuse any spying request.

Meanwhile, pressure will also ratchet up on the Trump administration to refuse any concessions to Huawei.

Lawmakers from both sides of the aisle have savaged Trump’s hints that he might roll back restrictions as part of a trade deal, arguing that he is gambling with national security, and lawmakers in the House and Senate have even introduced legislation that would block such a move.

Senate Minority Leader Chuck Schumer (D-N.Y.) described the absence of Huawei concessions as the only good part of the preliminary trade agreement, which basically swapped a U.S. pledge not to raise tariffs on $250 billion of Chinese goods for China buying $50 billion in U.S. agricultural products.

“The good in President Trump’s ‘deal’ with China is not what’s in it — there isn’t much — but what isn’t in it: any loosening of restrictions on Huawei,” he said in a statement.

In a tweet before details of the deal were public, Schumer said any Huawei concessions would show “tremendous weakness.”

Rep. Jim Banks (R-Ind.) also railed against the idea of including Huawei in the deal, tweeting that “Our national security shouldn’t be up for negotiation with China.”

Meanwhile, there could be some good news for Huawei hawks. A new nonpublic European Union analysis warns of serious security risks the company poses to 5G networks, which could steer some EU members away from the company, Anna Isaac and Parmy Olson of the Wall Street Journal report.

“These vulnerabilities are not ones which can be remedied by making small technical changes, but are strategic and lasting in nature,” a person familiar with the report told the Journal.

U.S. officials have crisscrossed the globe urging allies to ban Huawei from their networks, but with limited success. Only Japan, Australia and New Zealand have enacted full bans, and even close allies such as England have previously suggested they’ll allow Huawei to build some parts of their 5G networks.

An earlier EU report warned against relying too heavily on a single 5G supplier but stopped far short of calling out Huawei.

PINGED, PATCHED, PWNED

PINGED: The resignation of acting Department of Homeland Security secretary Kevin McAleenan over reported conflicts with the White House will prolong a leadership crisis at the government's lead civilian cybersecurity agency.

McAleenan, who did not have a significant cybersecurity background, had been leading the agency since former DHS secretary Kirstjen Nielsen resigned in April. He spent the greatest share of his time focused on immigration and border security, but spoke at a number of cybersecurity events recently and told reporters during a recent tour of DHS’s cybersecurity innovation lab that cybersecurity was one of his top priorities. 

House Homeland Security Committee Chairman Bennie G. Thompson (D-Miss.) slammed Trump for creating “chaos” at the department and urged the president to find a permanent secretary who will focus on top threats including “securing our elections.”

Amit Yoran, who used to run DHS's cybersecurity division, however, was skeptical that McAleenan’s departure would harm the department’s digital security mission.

“I think the department has a number of cyber leaders in [the Cybersecurity and Infrastructure Security Agency] and elsewhere,” he told me by email. “I don’t think that recent leadership changes will significantly distract or divert the cyber team from their cyber mission.”

Ken Cuccinelli, acting director of U.S. Citizenship and Immigration Services, is viewed as a potential replacement for McAleenan, my colleagues Josh Dawsey and Nick Miroff report.

PATCHED: U.S. Customs and Border Protection will allow a contractor whose breach this summer exposed hundreds of gigabytes of classified documents to resume working with the agency after just three months of suspension, my colleague Drew Harwell reports.

Perceptics must appoint an officer to oversee a number of security changes being mandated by CBP as part of the agreement, and pay for an independent monitor to evaluate its compliance with the changes. The company must also launch a tip line for employees to report potential violations.

CBP called the breach, which included photos of travelers and license plates, “completely unacceptable” but not unethical or illegal, Drew reports.

The weak punishment highlights the problem of lax cybersecurity standards for government contractors that are collecting more and more highly sensitive information about U.S. citizens, Dave Maass, a researcher studying government surveillance for the Electronic Frontier Foundation, told Drew.

“I’d like to see agencies — when they find the technology they’re dealing with is vulnerable, and that the contractors have acted irresponsibly — revisit not just who they’re contracting with but how they use the technology in general. … Bigger and bigger breaches are going to happen,” he said. 

PWNED: An Alabama hospital chain has resumed normal operations after paying the ransom demand of hackers who were holding its systems hostage, the Associated Press reports. The hospital revealed its decision in a news conference, a rare public admission that a company paid hackers' ransom demand. 

“We had to gain access to our system quickly and gain the information it was blocking,” DCH Health System Chief Operating Officer Paul Betz told reporters. Betz did not disclose the sum the hospital paid, but said it was covered by insurance.

The FBI and other law enforcement agencies warn ransomware victims not to pay, saying it encourages further attacks. But refusing to pay can lead to more costly recovery efforts. The city of Baltimore, for example, paid more than $18 million in recovery costs after refusing to pay a $76,000 ransom.

PUBLIC KEY

— Cybersecurity news from the public sector:

  • The House will vote on legislation later this month aimed at limiting foreign interference in U.S. elections after a bipartisan report from the Senate Intelligence Committee this week called on Congress to take action on the issue. (The Hill)
  • The NSA's new Cybersecurity Directorate is now at initial operating capability, furthering the reorganization of the agency's defensive efforts. (CyberScoop)
  • Civil liberties and technology groups have been sharply critical of a draft bill from House Homeland Security Committee Democrats on dealing with online extremism, saying it would violate First Amendment rights and could result in the surveillance of vulnerable communities. (The Hill)
  • As technology advances, so do the complexities of the cyber threats targeting the nation. (Nextgov)

PRIVATE KEY

— Cybersecurity news from the private sector:

  • Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password. (TechCrunch)
  • Researchers warn about the risks of computer-generated articles—and release tools that ferret out fakes. (Wall Street Journal)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • “Companies like these like to pretend that they do not have a responsibility for what dictators do with their spyware.” (Bloomberg)
  • Beijing is putting in place new tools that make it ‘much more difficult for companies to keep their information private’, cybersecurity expert says. (South China Morning News Post)

ZERO DAYBOOK

— Coming soon:

  • The House Committee on Homeland Security will host a hearing on “Public-Private Initiatives to Secure the Supply Chain” on Wednesday at 10 a.m.