THE KEY

You can add impeachment to the long list of controversies that have exposed President Trump's apathetic or clueless attitude toward cybersecurity. 

Gordon Sondland confirmed that both he and Trump knew they were talking on an unsecure phone line on July 26, when the U.S. Ambassador to the European Union was on his cell phone in a crowded Kyiv restaurant. Diplomats have testified that it was an especially colorful call on which the pair allegedly discussed a plan to pressure Ukraine to launch controversial investigations into the 2016 election and former Vice President Joe Biden. 

"He was aware that it was an open line, as well," Sondland said, noting he has "unclassified conversations all the time from landlines that are unsecured and cell phones. If the topic is not classified -- and it's up to the president to decide what's classified and what's not classified." 

That’s just the latest in a string of massive breaches of normal security procedures by the Trump administration that could be highly dangerous -- and potentially give spies from other nations a heads up on major U.S. policy decisions or open up officials to coercion and blackmail. 

The security lapses, which a slew of other top officials including Ivanka Trump and Jared Kushner have also reportedly committed, are especially striking given how the president rallied crowds during the 2016 campaign by attacking Hillary Clinton for playing fast and loose with security by using a private email server while she was secretary of state. "But her emails" was a regular refrain on Twitter soon after news of the Sondland call first broke from transcripts of closed door testimony. 

The fact that Sondland was in Ukraine when he took the call almost guarantees the Kremlin was listening in on the conversation, experts say. That also suggests a top U.S. adversary knew about the Trump pressure campaign on Ukraine that’s at the heart of the impeachment inquiry long before Congress did. 

“It would be highly unusual to have a call at that level on an unsecure phone that deals with U.S. policy because you can almost guarantee that it's going to be intercepted,” Chris Painter, the State Department’s top cybersecurity official during the Obama administration, told me. “It's absolutely essential that government officials have operational security when there's a chance our adversaries can pick up those communications because they will use them against us.” 

Sen. Robert Menendez (N.J.), the top Democrat on the Senate Foreign Relations Committee called the restaurant call “a serious security breach that raises significant counterintelligence concerns” and demanded the State Department launch an investigation. More news about the call could also break today with testimony from former White House adviser Fiona Hill, who described Sondand's cellphone use as a counterintelligence risk during closed door testimony. 

Former officials were quick to slam Sondland on Twitter.

Former CIA officer and independent presidential candidate Evan McMullin:

And Obama National Security Council official Samantha Vinograd:

But this is far from being an anomaly: The insecure phone call appears par for the course in this administration.

Trump himself has refused sophisticated security features on his personal cellphone and refuses to swap his phones out regularly because he finds it too burdensome.

Trump adviser Stephen Miller, former chief of staff Reince Priebus, former National Economic Council director Gary Cohn, former deputy national security adviser K.T. McFarland and former adviser Stephen K. Bannon have all been caught using personal phones, email accounts or messaging apps to conduct official business as have Jared and Ivanka Kushner.

And the revelations are still coming. Just yesterday The Daily Beast reported former United Nations ambassador Nikki Haley emailed about confidential information with aides on an insecure BlackBerry when she lost the password for her classified system.

“The government worked hard to secure a set of devices to enable communication because we know that foreign intelligence services strongly target the diplomatic communications of the United States,” Michael Daniel, Obama’s White House cybersecurity advisor and now president of the Cyber Threat Alliance, told me. “The government has invested a lot of money, time and effort in trying to secure those communications and you would want our diplomatic corps and others to be availing themselves of those capabilities.”

PINGED, PATCHED, PWNED

PINGED: Tech entrepreneur Andrew Yang, who received flak for taking a conciliatory tone over Russian election interference during last months' Democratic presidential debate, took a far firmer line during last night’s showdown. During his first call with Russian President Vladimir Putin, Yang said, he’d declare that “the days of meddling in American elections are over and we will take any undermining of our democratic processes as an act of hostility and aggression.”

That’s a big shift from October when his proposed message to Putin was: “We've tampered with other elections. You've tampered with our elections. And now it has to stop.”

The revamp came during a debate that largely ignored Russian hacking and election security in favor of immigration, race relations, climate change and other hot button issues. Sen. Amy Klobuchar (D-Minn.) touted her efforts to mandate election protections such as paper ballots and promised she’d deliver on them as president. Rep. Tulsi Gabbard (D-Hawaii), who is not known as an election security hawk, also pushed for paper ballots.

Sen. Cory Booker (D-N.J.), meanwhile, slammed China for stealing U.S. companies’ intellectual property and breaking other international rules of the road.

PATCHED: The Trump administration has begun issuing licenses to some U.S. companies to restart tech sales to the Chinese telecom giant Huawei, Jeanne Whalen, Ellen Nakashima and I report. The move comes more than six months after the Commerce Department barred most U.S. sales to Huawei over Chinese spying concerns but as it’s still delaying a final rule on how that ban will work. 

The waivers are for "limited and specific activities which do not pose a significant risk to the national security or foreign policy interests of the United States," Commerce said in an email. At least some of the waivers were for semiconductor companies, which manufacture the silicon chips that are critical to electronic devices, according to an industry association . 

The department also denied some of the roughly 300 waiver requests.

PWNED: Jeanette Manfra, one of the top cybersecurity officials at the Department of Homeland Security, could announce her resignation as soon as this week, sources tell Sean Lyngaas at CyberScoop. Manfra has been a key public face for the agency and led much of the civilian government’s work to share information about cybersecurity threats with industry and to rid the government of contractors that create cybersecurity and national security risks. 

She's logged nearly a decade at DHS focued on cyberscecurity, critical infrstructure security and emergecny communications. 

DHS didn’t respond to a request for comment.

PUBLIC KEY

A group of senators is concerned Amazon’s Ring home security system may be putting Americans' personal data at risk of foreign espionage, following media reports slamming the company's security practices.

"If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security," Sens. Ron Wyden (D-Ore), Edward J. Markey (D-Mass), Chris Van Hollen (D-Md.), Chris Coons (D-Del.) and Gary Peters (D-Mich.) wrote in a letter to Amazon CEO Jeff Bezos yesterday. (Bezos also owns the Washington Post).

The senators want the company to provide answers on Ring's policies for disclosing digital vulnerabilities, if the company encrypts video footage, and how it audits its security practices. The letter also raises concerns about the access Ring provides to its Ukraine-based research team as well as how it vets foreign employees.

— More cybersecurity news from the public sector:

A key House committee on Wednesday advanced legislation that would ban the government from buying telecommunications equipment from companies deemed to be national security threats, such as Chinese telecom giant Huawei.
The Hill
The PROTECT Act would create a federal grant program to help small utility companies improve their digital defenses.
Nextgov
Researchers track surge in IRS phishing sites as filing extension deadline arrived.
Ars Technica

PRIVATE KEY

— Cybersecurity news from the private sector:

A decision in Ireland’s privacy investigation into Facebook’s WhatsApp has been delayed because the company’s lawyers raised concerns about how the regulator will share potentially sensitive commercial data with authorities in other European countries.
Wall Street Journal
Microsoft also knocks down rumor that hackers are using the BlueKeep exploit to install the DoppelPaymer ransomware.
ZDNet

THE NEW WILD WEST

— Cybersecurity news from abroad:

The tech giants’ business model is at odds with human rights, according to new report
The Verge
Deutsche Telekom on Wednesday declined to comment on a magazine report that it would phase out some equipment from Chinese vendor Huawei Technologies [HWT.UL] over time, saying only that it relies on multiple network providers.
Reuters

ZERO DAYBOOK

— Today:

  • The House Financial Services Committee will host a hearing on the role of big data in financial services on Thursday at 9:30 a.m.
  • The 2019 International Conference on Cyber Conflict U.S. (CyCon U.S.) will take place 18-20 Nov 2019 in at the Crystal Gateway Marriott in Arlington, VA.
  • CYBERWARCON takes place on Thursday in Arlington, Va.