THE KEY

U.S. government officials used to balk at the mere idea that allied nations might allow the Chinese telecom company Huawei to build parts of their next-generation 5G wireless networks, saying it would pose an unacceptable risk of Chinese spying.

Now they’re game planning a future where that seems nearly inevitable.

The long-range plan, which officials outlined yesterday during a Senate Homeland Security Committee hearing, is basically to increase U.S. innovation around the “edge” portion of super-fast 5G networks — where Huawei has made the greatest inroads with European telecom companies — and to make those components more reliant on U.S. software than on Huawei’s hardware.

If such a move is successful, it should make it easier for nations that allow Huawei to build edge components — basically the link between devices and cell towers known as radio access networks, or RANs — to shift to a model where Huawei is less involved. It would also shift the playing field from 5G hardware, where U.S. companies aren't playing a significant role, to software, where those companies are world leaders. 

“This is a blip. This is just a temporal anomaly almost,” the Department of Homeland Security’s top cybersecurity official Chris Krebs told senators. “If we can unlock the open radio access network piece, the vendor base in the United States, the innovation base is going to explode.”

An open radio access network, or O-RAN, is basically a software-based version of the more hardware-focused RAN, and it is more compatible with components from other vendors.

The government should consider funding some basic O-RAN research to make it more lucrative for U.S. tech companies to move into the space, Krebs told panel Chair Ron Johnson (R-Wis.), saying "the private sector is going to surge into the market if we can make it compelling."

Federal Communications Commissioner Jessica Rosenworcel suggested using FCC-sponsored 5G “innovation zones” in New York City and Salt Lake City as testing grounds for the components.

“We need an approach to supply chain security that recognizes that, despite our best efforts, secure networks in the United States will only get us so far,” Rosenworcel told lawmakers. “We need to start researching how we can build networks that can withstand connection to equipment [with] vulnerabilities around the world.”

That frank talk is a sea change from just six months ago when officials first began to publicly contemplate a future in which Huawei isn't barred from 5G by allies with whom the United States shares vital intelligence. 

Huawei has steadfastly maintained it has never aided Chinese spying and would refuse to do so if asked. Spying concerns are supercharged, though, because 5G will carry orders of magnitude more data than existing wireless networks and power a new generation of connected devices such as autonomous vehicles and automated factories.

U.S. officials also say Huawei is getting an outsize portion of the 5G market because Beijing’s subsidies help it undersell competitors such as Samsung and Nokia.

To be sure, U.S. officials haven’t given up on swaying European leaders. And they’ve had some success convincing them to restrict Huawei from “core” parts of 5G where it would have far more access to sensitive data.

Some European nations are also discussing restricting Huawei from edge portions of 5G in particularly sensitive geographic areas, such as around government buildings, Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies who works closely with international cybersecurity leaders, told me.

But most U.S. allies continue to push back on pleas to fully bar the company.

During the past few weeks, leaders in England and Germany inched ever closer to Huawei building portions of their 5G networks. And Huawei is already inking 5G contracts with telecom firms in England, Germany, Italy, Switzerland and Sweden — and hoping a good reputation in Europe will batter back U.S. claims that the company is untrustworthy.

“We’ll know in six months how it’s going to work out, and the money is on the Chinese side because Huawei is subsidized,” Lewis told me. “[European] security ministries are against Huawei and economic ministries are for it, and the political people are torn.”

PINGED, PATCHED, PWNED

PINGED: Rudy Giuliani took his iPhone to an Apple store to get it unlocked in early 2017 less than a month after being named President Trump’s cybersecurity adviser — a move that raises big questions about his understanding of basic cybersecurity best practices, Rich Schapiro at NBC News reports.

As someone with a high-profile job in cybersecurity, Giuliani should have known it’s a bad idea to let anyone you don’t know handle a device that might have sensitive information on it. 

“There’s no way he should be going to a commercial location to ask for that assistance,” E.J. Hilbert, a former FBI agent for cybercrime and terrorism, told Rich.

“You’re trusting that person in the store not to look at other information that is beyond what you’re there to get assistance for,” said Michael Anaya, a former FBI supervisory special agent who led a cyber squad for four years. “That’s a lot of trust you’re putting into an individual that you don’t know.”

Forgetting his iPhone password isn't Giuliani's only tech gaffe. More recently, critics slammed the Trump confidante and former New York City mayor for pocket-dialing an NBC News reporter twice, leaving accidental voice mails where he bashed Joe Biden's son and discussed needing money.

PATCHED: Senior government officials in multiple U.S.-allied countries were targeted by hacking efforts using software from the Israeli spyware firm NSO Group, sources tell Christopher Bing and Raphael Satter at Reuters. The officials were targeted via their WhatsApp accounts and are among 1,400 of the messaging app’s users targeted with NSO spyware, according to a lawsuit filed Tuesday.

Some of the victims reside in the United States, Christopher and Raphael reported, though they could not confirm whether those victims included government or military officials. 

NSO maintains that it has no oversight over what governments do with its service, but the lawsuit and recent Motherboard reporting indicate that the company offers hands-on assistance to government clients using its hacking tools. That includes helping customers craft phishing messages, Motherboard reports. 

NSO also maintains that it requires government clients to use its software for legitimate purposes, including investigating terrorists and criminals. But WhatsApp found no overlap between the accounts NSO clients allegedly targeted and formal requests from those governments for information relating to criminal investigations, Christopher and Raphael report.

Israel's government, meanwhile, is denying any involvement in the hacks, Reuters reports.

PWNED: China-backed hackers are using a powerful new kind of malware to steal the text messages of high-ranking military and government officials in other countries, Alyza Sebenius at Bloomberg News reports. While researchers don't name which countries were targeted, the aggressive new attack reinforces concerns raised by U.S. officials about China’s growing influence in telecommunications networks and its thirst for U.S. data.

The malware allows hackers to steal data from multiple phones at once and is virtually impossible to defend against, researchers at the cybersecurity firm FireEye report. Once a network is infected, hackers can use the tool to search and extract text messages from a list of phone numbers based on keywords.

“Espionage-related theft and intrusions have been long occurring, but what is new is the vast scale due to the use of this tool,” Steven Stone, FireEye’s director of advanced practices, said in a statement.

PUBLIC KEY

— Cybersecurity news from the public sector:

Asia & Pacific
As many as 10 million customers have reportedly signed up for super-fast data plans already.
Anna Fifield and Wang Yuan
A pair of Democratic lawmakers sent a letter to Attorney General William Barr on Thursday urging him to stop government requests for encryption backdoors, which allow the government to obtain certain user information from tech
The Hill
A Utah-based renewable energy company was the victim of a rare cyberattack that temporarily disrupted communications with several solar and wind installations in March, according to documents obtained under the Freedom of Information Act.
CyberScoop

PRIVATE KEY

— Cybersecurity news from the private sector:

Tiversa dominated an emerging online market—before it was accused of fraud, extortion, and manipulating the federal government.
The New Yorker
Like Patrol bills itself as a way to keep tabs on your partner's likes on Instagram. But the social network has sent a cease-and-desist order after CNET contacted the company.
CNET
A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim’s inbox. Horde is one of the most popular free and open-source web email systems available.
TechCrunch

THE NEW WILD WEST

— Cybersecurity news from abroad:

India has asked Facebook-owned (FB.O) WhatsApp to explain the nature of a privacy breach on its messaging platform that has affected some users in the country, Technology Minister Ravi Shankar Prasad said on Thursday.
Reuters
It’s possible to scrape the biographical data of thousands of Palestinians from an exposed server.
Vice

ZERO DAYBOOK

— Coming up:

  • Point3 Security, WomenHackerz, Women in Security (WoSEC), Gatebreachers and Women's Society of Cyberjutsu will host a capture the flag competition online and in person in Baltimore on Saturday from 12 p.m.-4 p.m.
  • The Judiciary Committee’s subcommittee on crime and terrorism will host a hearing entitled “How Corporations and Big Tech Leave Our Data Exposed to Criminals, China, and Other Bad Actors” on Tuesday at 2:30 p.m. EST.
  • The Senate Judiciary Committee will host a hearing on Reauthorizing the USA FREEDOM Act of 2015 on Wednesday at 2:30 p.m. EST.