The Trump administration's failure to follow through on a key promise to punish Huawei is spiking fears among cybersecurity hawks.
The administration just issued a third three-month delay in blocking U.S. companies from doing business with the Chinese telecom firm. And those who support the administration's get-tough argument worry it might abandon the plan entirely.
Experts are concerned the delay could signal to Beijing that the United States — which has banned Huawei from its own 5G networks and from government systems — is unwilling to take more decisive action to punish Chinese spying and theft of U.S. companies’ intellectual property.
“It sends a message of toothlessness,” Paul Rosenzweig, a former top cybersecurity official at the Department of Homeland Security during the George W. Bush administration, told me. “If I threaten to send you to jail but I never actually do it, what message does that send?”
They're also concerned the delay, which means the ban won't be imposed for at least nine months since it was announced, could fatally undermine the United States’ credibility as it argues that Huawei poses an unacceptable threat to national security and urges other nations to ban its equipment from their next-generation 5G wireless networks. And that, in turn, could broaden Beijing's ability spy on data that crosses the super fast networks in countries where Huawei has a foothold, security hawks say.
Rosenzweig criticized Trump officials for launching the ban before they were prepared to implement it and speculated it could be more than a year before the ban fully takes effect. “The right way to do this would have been to prepare everything in advance and announce it with an implementation date in 30 days. But that isn’t what we did. The announcement, like so many things, was done impulsively,” said Rosenzweig, a senior national security and cybersecurity fellow at the conservative-leaning R Street Institute think tank.
This reprieve was officially aimed at helping rural U.S. telecom companies that rely on Huawei equipment to provide Internet and phone service, as my colleague Jeanne Whalen reported.
But it's redoubling fears that the Trump administration may be holding onto the export ban as a bargaining chip that it could swap away as part of a grand trade deal with China — a move critics say would severely damage U.S. national security.
“The bottom line is that the national security issues trump the trade questions long term and we’re already three months too late,” Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security and a Bush administration White House official, told me.
Lawmakers on both sides of the aisle were quick to attack the delay.
Senate Minority Leader Chuck Schumer (D-N.Y.) accused Trump of being “soft on Huawei” and sending a signal to China’s communist leaders they can keep threatening U.S. national security.
Every day President Trump is soft on Huawei, the Chinese Communist Party takes that as a signal that they can continue hurting American jobs and threatening our national security without any repercussions.https://t.co/P5zYzDgz74— Chuck Schumer (@SenSchumer) November 18, 2019
Rep. Mike Gallagher (R-Wis.), who co-chairs a congressional commission examining the future of U.S. cybersecurity, responded to early rumors of the delay, saying “every day we wait to exert maximum pressure on Huawei is a day it continues advancing the Chinese Communist Party's agenda.”
Every day we wait to exert maximum pressure on Huawei is a day it continues advancing the Chinese Communist Party's agenda. It's time to end the waivers and ensure US technology is not aiding Huawei's malevolent expansion. https://t.co/vbrqnEmiVC— Rep. Mike Gallagher (@RepGallagher) November 15, 2019
Huawei has consistently denied aiding Chinese spying and said it would refuse to do so if asked. U.S. officials have countered that, under China’s Communist Party system, the company would be unable to refuse a spying request.
In some ways the Trump administration is stuck between a rock and a hard place.
If it steps back from the export ban, that will make it easier for Huawei to boost its global presence in 5G networks and could create a field day for the nation’s spies.
But if it fully imposes the ban, that will hurt U.S. companies that make lots of money selling to Huawei — and a funding hit could make it tougher for those companies to invest in research and development that will help them dominate the next generation of telecommunications technology.
“This action is clearly double edged because in some ways it hurts U.S. manufacturers more than it hurts Huawei,” Chris Painter, the top State Department cybersecurity official during the Obama administration, told me.
And yet, there could be a bright side to delaying the ban, Jim Lewis, a top cybersecurity scholar at the Center for Strategic and International Studies, argued.
Right now, the administration is delaying any serious damage to U.S. companies but also signaling to allies that the 5G services Huawei is offering might not be as good once it runs out of U.S. components. And the administration could still withdraw or impose the ban when it suits its purpose.
“As the election draws closer, I think we’ll get an answer,” Lewis told me. “The administration will either give the Chinese something on Huawei to get trade concessions or they’ll appeal to people who worry about China and make the ban permanent.”
PINGED, PATCHED, PWNED
PINGED: A trio of Senate Democrats including Minority Leader Chuck Schumer (D-N.Y.) is asking DHS to increase funding for programs that help state and city governments and election offices protect against hacking, according to a letter out this morning. A shortfall in funding could lead to an increase in dangerous hacks including ransomware attacks, they warn.
The department's proposed fiscal 2020 budget for the programs covers less than 70 percent of the approximately $15 million required to maintain them at their current levels, according to the letter from Schumer and Sens. Maggie Hassan (D-N.H.) and Gary Peters (D-Mich.), ranking member of the Homeland Security Committee. The two programs, the Multi-State Information Sharing and Analysis Center and Election Infrastructure Information Sharing and Analysis Center, help share timely cybersecurity threat information with state and local governments among other missions.
In a separate letter yesterday, 39 Senate Democrats, led by Sen. Amy Klobuchar (Minn.), urged the Senate Appropriations Committee to increase funding for election security grants to meet levels proposed by the Democratic-controlled House. Senate Majority Leader Mitch McConnell (R-Ky.) has proposed $250 million in grants to help state and local governments improve election security, less than half the $600 million approved by the House.
PATCHED: A shortage of staff and high turnover in agency leadership is hurting DHS's efforts to protect election infrastructure ahead of 2020, a report from the agency's top watchdog found.
“DHS needs to address and resolve these issues to ensure effective guidance, unity of effort, and a well-coordinated approach to securing the nation’s election infrastructure,” the agency's Office of the Inspector General reports.
The report is a compendium of recent IG findings and is citing election security concerns first raised in February.
Democrats including House Homeland Security Chairman Bennie G. Thompson (D-Miss.) have slammed Trump for the high turnover at the top ranks of DHS during his tenure. The Trump administration swore in Chad Wolf as acting secretary of Homeland security last week, making him the fifth person to fill the top spot since Trump became president.
Clarification: This item has been updated to clarify that the inspector general concerns were first raised in February.
PWNED: A ransomware attack knocked a trove of Louisiana state government computer systems offline yesterday -- including the website of the top state election office, which was finalizing results of its recent gubernatorial election, Christopher Bing and Raphael Satter at Reuters report. The outage didn't affect the vote tally, Louisiana secretary of state spokesman Tyler Brey told Reuters. Several departments are still suffering computer outages, however.
There is no anticipated data loss and the state did not pay a ransom, Gov. John Bel Edwards (D) said on Twitter. The systems were knocked offline during that state's response to stop the attack, not the attack itself, he said.
OTS immediately initiated its security protocols and, out of an abundance of caution, took state servers down, which impacted many state agencies’ e-mail, websites and other online applications. #lagov #lalege— John Bel Edwards (@LouisianaGov) November 18, 2019
This is the second major ransomware attack to hit Louisiana this year. The state declared a state of emergency when ransomware disrupted several of its school districts this summer. Edwards says the same ransomware was used in both attacks
— National Security Council members expressed concerns early on that Trump's personal lawyer Rudy Giuliani ran diplomatic conversations over open cell lines and hackable communications apps, David E. Sanger at the New York Times reports.
— The international police agency Interpol appears to have backed off plans to publish a resolution urging tech companies to provide police back doors into encrypted communications. Here are details from Ars Technica’s Sean Gallagher.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
The Senate Homeland Security Subcommittee on Investigations will host a hearing to examine securing the United States research enterprise from China's talent recruitment plans at 10am
The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation will host a hearing on "The Road to 2020: Defending Against Election Interference" at 2pm.
— Coming up:
- The House Financial Services Committee will host a hearing on the role of big data in financial services on Thursday at 9:30 a.m.
- The 2019 International Conference on Cyber Conflict U.S. (CyCon U.S.) will take place 18-20 Nov 2019 in at the Crystal Gateway Marriott in Arlington, VA.
- CYBERWARCON takes place on Thursday in Arlington, Va.