SAN FRANCISCO – The battle over Huawei is taking place face-to-face here as officials from the U.S. government get a chance to debate directly with the Chinese telecom.
After spending months trading jabs through the media – and in court – both sides now get to make their case to a tech-savvy audience about whether or not the future of telecommunications should be built with Chinese technology.
Huawei’s Chief Security Officer Andy Purdy, in an interview on the sidelines of the RSA conference, insisted that the company is independent of Beijing – and that U.S. concerns are just a cover to smack China over trade and other issues.
“The U.S. is really pissed off at China on a number of issues and they want to hurt Huawei to hurt China,” Purdy told me. “They're very afraid of the competition between China and the U.S., so they're focusing on hurting Huawei.”
Purdy, a former Department of Homeland Security official, squared off against one of the Pentagon’s top cybersecurity executives during a panel discussion. He called the U.S. ban on Huawei gear from many telecom networks dangerously misguided, and said blocking American companies from selling it components would end up hurting those businesses more than Huawei.
Katie Arrington, the Pentagon’s top cybersecurity contracting official, shot back that Huawei presents such a huge risk of Chinese hacking that there’s no way “in good conscience” she could let it anywhere near military systems.
“The recommendation was made to take Huawei out for very specific reason,” she told a crowd of hundreds of security pros. “It's a ‘have to do’ because the risk is so high.”
The conference comes at a tense moment for U.S. officials, who’ve been sounding alarms for more than a year that Huawei can’t be trusted not to spy for the Chinese government but have failed to convince key allies, including the United Kingdom, which is allowing Huawei to build parts of its next-generation 5G wireless networks.
So it's no surprise there were numerous testy exchanges onstage. At one point, Arrington even slammed the quality of Huawei’s technology, saying “their programmers are where Microsoft was 25 years ago…not incredibly robust.” When Purdy scoffed, she said, “It’s your job Andy, I get it. That’s who you work for.”
Huawei's offensive continued offstage at the conference considered a must-go for the 40,000 technology pros who gather annually. Purdy told me he spent a good part of the week walking the conference floor urging government and industry leaders not to rush to judgment on Huawei.
“When you see the level of hostility in this toxic environment, you see people not thinking [things] through,” he said of Washington's moves against Huawei. “[Huawei] is going to be stronger because of this and America's going to be weaker and…that’s frustrating to me.”
Purdy is also pitching a transparency initiative in which Huawei and its competitors would publicly demonstrate their cybersecurity protections. He hopes that will quell fears that the company will be a backdoor for Chinese spying.
He’s reaching out to think tanks and industry groups that might host the initiative, he said. And if he doesn’t get any takers, Huawei plans to run a public transparency program on its own where it displays its cybersecurity protections for anyone who wants to look at them, he said. That event will likely take place sometime in April – around the same time the White House is planning a 5G summit with global technology leaders as part of its efforts to combat the Chinese firm.
Officials from throughout government, meanwhile, lashed out at Huawei throughout the week, warning there’s still time to halt it from winning 5G contracts across Europe and with other U.S. allies. That’s despite the fact that France, Germany and Canada seem primed to follow the U.K.’s lead by allowing Huawei to build portions of their 5G networks.
“We haven't necessarily seen contracts cut yet, so I think there's still an opportunity to work with our partners,” Chris Krebs, DHS’s top cybersecurity official, said. “We need to continue to push for a global market of trusted componentry in 5G technology.”
The Justice Department’s national security chief John Demers charged that some allies are overlooking Huawei’s cybersecurity problems because they’re seduced by the low prices of its 5G services, which are subsidized by the Chinese government.
“Foreign countries have been less convinced,” he said. “But…the choice for a foreign country whether or not to use Huawei equipment…is not a security choice alone. It's a political choice and an economic choice. And it's one that we're trying to win on security grounds and that's what makes it challenging for us.”
PINGED, PATCHED, PWNED
PINGED: Florida’s top election official, Secretary of State Laurel Lee, is requiring all of the state’s 67 election supervisors to sign non-disclosure agreements before they can review digital vulnerabilities that cybersecurity pros find in their systems, Jeffrey Schweers at the Tallahassee Democrat reports.
Officials were also required to sign the NDAs before receiving their share of $18 million in federal money to upgrade election systems after Russia's 2016 hacking attempts exposed vulnerabilities, Jeffrey reports. The NDAs, which public information experts described as “bizarre” and “unenforceable,” bar the officials from talking about any of the vulnerabilities experts found in their election systems or defensive measures they’ve taken to keep hackers out.
State officials said the NDAs were necessary to prevent information leaking out that could aid hackers. Some local officials, however, were less convinced. “It just felt coerced,” Polk County Supervisor of Elections Lori Edwards told Jeffrey.
The Mueller report revealed that Russian hackers breached computer systems in at least two Florida counties before the 2016 election, though the FBI has not disclosed which counties and didn’t tell state leaders there until after the report came out. The FBI recently changed its policy and said it will begin notifying both county and state-level officials about county-level election system breaches.
PATCHED: The facial recognition company Clearview, which has cooperated extensively with law enforcement, suffered a data breach in which a hacker stole its entire client list, The Daily Beast’s Betsy Swan reports.
Clearview gained notoriety last month when the New York Times reported it had scraped 3 billion images from the internet, including from Facebook, YouTube, and Venmo – sometimes in violation of sites’ terms of service. The company also sold access to that massive cache of images to help hundreds of state, local and federal law enforcement agencies solve crimes, including searching for missing and exploited children.
The hackers were able to view the number of user accounts Clearview customers had set up and the number of searches they’d conducted, but did not reach into Clearview’s own servers and did not access law enforcement agencies’ search histories, the company said. The company has fixed the vulnerability the hackers exploited, it said.
PWNED: U.S. Immigration and Customs Enforcement officials ran facial-recognition scans on millions of Maryland driver’s license records without first seeking state or court approval, my colleagues Drew Harwell and Erin Cox report. The agency’s unfettered access to the photos has concerned immigration and privacy activists, who worry it’s being used to target immigrants who obtained licenses after 2013.
Maryland has issued more than 275,000 such licenses to undocumented immigrants since 2013, when it became the first state on the East Coast to allow immigrants to obtain a license without providing proof of legal status. With this system, an ICE official could run a photograph of an individual through the system and see if it returns any potentially undocumented immigrants as a match.
“It’s a betrayal of immigrants’ trust for the [state] to turn around and let ICE run warrantless searches on their faces,” Harrison Rudolph, a senior associate at Georgetown University Law School’s Center on Privacy & Technology, told my colleagues. “It’s a bait-and-switch. … ICE is using biometric information in the shadows, without government notice or public approval, to hunt down the most vulnerable people.”
ICE officials recorded nearly 100 sessions in the state’s driver’s license database since 2018, according to a letter obtained by Drew and Erin. Each session may have included several searches of the Maryland Image Repository System database, which stores the photos, names, addresses and other personal information of about 7 million drivers.
— A group of 27 current and former national security leaders and top government and military officials sent a letter to Federal Communications Commission Chairman Ajit Pai this morning, applauding his plan to release more mid-range spectrum that will help U.S. companies run 5G services and saying it will help U.S. companies combat Huawei’s dominance in the field. “If we want to protect our allies and maintain an advantage over our enemies, we must put an end to Huawei’s increasing influence and win the race to 5G,” the letter states.
It was sent by 5G Action Now, an organization led by former Republican House Intelligence Committee Chairman Mike Rogers. Signers of the letter include Rogers, former New Jersey Gov. Chris Christie and former DHS chief and Pennsylvania Gov. Tom Ridge.
— Nearly three-fourths of 700 state and local government employees surveyed by IBM’s security division said they’re concerned about hackers hitting their governments with ransomware – a strain of malicious software that locks up computer systems and holds them for ransom. About one in six of those employees said their department has actually been hit with ransomware, IBM found.
- RSA Conference 2020 is scheduled for Feb. 24 to 28 in San Francisco.
- The Senate Commerce Committee will hold a hearing titled “5G Supply Chain Security: Threats and Solutions,” on March 4 at 10 a.m.
- The Carnegie Endowment for International Peace Cyber Policy Initiative will hold a discussion on the forthcoming Cyberspace Solarium Commission report on March 4 at noon.
- The Senate Judiciary Committee’s panel on crime and terrorism will hold a hearing titled “Dangerous Partners: Big Tech and Beijing” on March 4 at 2:30 p.m.
- The Cyberspace Solarium Commission will release its final report and recommendations during a public event on March 11 at 2:30 p.m.