THE KEY

Huawei is increasingly looking to Europe to challenge U.S. officials’ claims that it could be a rogue agent for Beijing surveillance that shouldn’t be trusted to build next-generation 5G wireless networks.

European nations have balked at joining the Trump administration in imposing an all-out ban on Huawei, even as they’ve imposed stringent security testing and other requirements and contemplated barring the Chinese telecom firm from certain sensitive portions of 5G networks.

And while most European nations haven’t given a final sign-off on Huawei’s security, telecom carriers there have already contracted with the company to build portions of 5G networks in parts of England, Germany, Italy, Switzerland and Sweden, Vincent Pang, the company’s senior vice president and director of the board, told me.

Many of those contracts deal only with peripheral portions of the network that officials say pose a lower risk for surveillance or sabotage. But some of them include the network core, which U.S. officials say is far more concerning. Pang declined to say which nations have which contracts.

Now, Huawei is hoping Europe’s trust-but-verify model will provide a counterbalance to the United States, convincing other nations that Huawei is a responsible provider of 5G infrastructure. And, once Huawei is a trusted 5G supplier in Europe, that may one day even prompt the United States to reconsider its blanket condemnation, Huawei officials hope.

“We're hoping that these activities will help inform the United States to have a more comprehensive approach,” Andy Purdy, chief security officer of Huawei’s U.S. division, told me. “Hopefully the kinds of things they come up with [in Europe] may be the kind of things that, in the long term, can address the U.S. government concerns.”

5G’s super-fast networks will carry orders of magnitude more data than previous generations of wireless systems and connect far more deeply into critical infrastructure such as hospitals, airports and energy plants. That offers a trove of new opportunities for commerce and research but also poses huge risks if an adversary nation can spy on or sabotage those networks, U.S. officials warn.

And with China’s Communist Party intent on stealing U.S. companies’ secrets, they say, it’s simply not safe to give a company that is beholden to that government a prime spot in 5G.

Huawei, meanwhile, has fiercely maintained it has never assisted Beijing in carrying out malicious activities and would refuse to do so if asked.

“We have been totally transparent and totally explained to them the situation,” Pang told me. “We have never received any order or requirements from the central government of China either to install any backdoors or to take any data back to China.”

Even in Europe there are still a lot of hurdles to overcome, however.

First off, Huawei had to rejigger its 5G products after the Trump administration barred U.S. companies from supplying the firm with software and other components in May. That order came the same day the Trump administration officially banned Huawei from U.S. 5G networks.

Huawei is prepared to ship to customers about 400,000 5G components that don’t contain U.S. parts, Pang told me. But analysts suspect those reconfigured components may not offer the same speed and quality as the earlier generation, as my colleague Jeanne Whalen has reported, and the changes will prompt new rounds of testing.

Trump has signaled he may roll back parts of the U.S. Huawei ban as part of a broader trade deal with China. But Huawei hawks in Congress have savaged the idea and even introduced legislation that would block it.

On Huawei’s side, the company would happily shift back to using some U.S. components if the ban were loosened, but isn’t counting on that happening, Pang told me.

There could also be new revelations from ongoing security audits. The European Union completed a public audit that stopped far short of warning against Huawei earlier this month, but a privately circulated report laid out far greater concerns about the company, the Wall Street Journal reported.

PINGED, PATCHED, PWNED

PINGED: President Trump withheld $400 million in military aid to Ukraine in part to compel the government to investigate a baseless conspiracy theory that the country was involved in hiding a Democratic National Committee server from U.S. investigators, acting White House chief of staff Mick Mulvaney said, my colleagues John Hudson and Karoun Demirjian reported.

The comments, which Mulvaney later walked back, marked a stunning admission as House Democrats' impeachment investigation homes in on whether Trump conditioned Ukrainian aid on the nation investigating the bizarre conspiracy theory and also the family of his 2020 rival, former vice president Joe Biden.

“Did he also mention to me the corruption related to the DNC server? Absolutely. No question about it,” Mulvaney said. “There's going to be political influence in foreign policy … That’s going to happen. Elections have consequences.” 

Mulvaney called the decision “absolutely appropriate.”

The ex-congressman later walked back his comments, saying, “Let me be clear, . . . there was absolutely no quid pro quo between Ukrainian military aid and any investigation into the 2016 election. There was never any connection between the funds and the Ukrainians doing anything with the server . . . there was never any condition on the flow of the aid related to the matter of the DNC server.”

The initial comments refer to a bizarre conspiracy theory Trump has endorsed suggesting the DNC faked the 2016 data breach that helped propel Trump into office and that U.S. intelligence agencies have uniformly said was conducted by Russian spies. 

PATCHED: Sen. Ron Wyden (D-Ore.) wants corporate executives who play fast and loose with the security of Americans' data to face prison time and harsh fines. A new bill released by the tech and security hawk yesterday would empower the Federal Trade Commission to impose those punishments as well as establish “minimum cybersecurity and privacy standards” for companies that handle consumer data.

Right now, the FTC can sue companies after a data breach if they didn't have adequate cybersecurity standards, but it can't outline what those standards are up front. And it can’t impose penalties unless companies violate an earlier agreement with the agency to clean up their act. Wyden's bill would allow the agency to go after first-time offenders. 

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” Wyden wrote in a statement, taking a shot at the Facebook CEO. 

The “Mind Your Own Business Act” also advances the idea of a national “Do Not Track System” allowing consumers to opt out of data tracking. Companies would have to provide privacy-friendly alternatives for a reasonable fee.

Privacy legislation has stalled in Congress despite ongoing bipartisan concerns over tech companies’ mishandling of consumer data. A more moderate privacy bill, which does not include jail time for CEOs or allow for states to introduce their own privacy laws, was endorsed by moderate Democrats in the House this week.

PWNED: The Russian hacking group accused of compromising DNC servers in 2016 has resurfaced, attacking victims including three European ministries of foreign affairs, researchers at the Slovakia-based security firm ESET report.

Cybersecurity investigators long thought the group had curtailed operations, but it actually just got better at hiding its work, ESET reported. The targets also included the Washington embassy of an E.U. country. Hackers were likely looking to steal sensitive documents and emails, lead researcher Matthieu Faou told Thomas Brewster at Forbes.

“Our new research shows that even if an espionage group disappears from public reports for many years, it may not have stopped spying,” the researchers wrote. “[Russian hackers] were able to fly under the radar for many years while compromising high‑value targets, as before.”

Correction: This item originally misstated the location of ESET. The security firm is based in Slovakia.

PUBLIC KEY

— Cybersecurity news from the public sector:

The Senate Commerce Committee on Thursday issued a report that found the Consumer Product Safety Commission (CPSC) failed to properly handle the data of thousands of consumers, leading to an accidental data breach.
The Hill
Russia and the United States are gradually starting to resume cooperation on cybersecurity.
Reuters
The agency said it is working on those policies while the technology is tested through pilot programs.
Nextgov

PRIVATE KEY

— Cybersecurity news from the private sector:

Tech Policy
Facebook chief executive Mark Zuckerberg said in an interview with The Washington Post that he worries “about an erosion of truth” online but defended the policy allowing politicians to peddle ads containing misrepresentations and lies on his social network, a stance that has sparked an outcry during the 2020 presidential campaign.
Tony Romm
The untold story of how digital detectives unraveled the mystery of Olympic Destroyer—and why the next big cyberattack will be even harder to crack.
Wired
A popular video downloader app for Android has been found generating fake ad clicks and unauthorized premium purchases from its users, according to a security firm.
TechCrunch

THE NEW WILD WEST

— Cybersecurity news from abroad:

Australia's national intelligence agency said in a report this week that it...
Reuters
Catalan independence activists looking for information on how to take part in the next protest against Spain can rely on a handy, two-day-old app for details on when and where to go. The only catch: the app doesn’t work on iPhones.
Bloomberg
As pro-democracy protests continue in Hong Kong, the tech giant’s troubling relationship with an authoritarian regime has come into focus.
Wired

ZERO DAYBOOK

— Today:

  • The House Financial Services Committee will host a hearing on “AI and the Evolution of Cloud Computing: Evaluating How Financial Data is Stored, Protected, and Maintained by Cloud Providers” at 9:30 a.m.

— Coming up:

  • The Cybersecurity Coalition, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law will host the third annual CyberNextDC policy day in Washington on Thursday, Oct. 24, 2019.