The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Senate panel says U.S. telecoms failed for decades to prevent Chinese spying

Placeholder while article actions load

with Tonya Riley

The federal government failed for nearly two decades to properly guard against the cybersecurity risks posed by Chinese government-owned telecoms operating in the United States, a Senate report released this morning finds. 

That resulted in four of China’s largest such telecom companies being able to operate subsidiaries here with almost no oversight, according to the report from the Senate Homeland Security Committee’s investigations panel.

It might also have allowed them to help the Chinese government spy on reams of data from U.S. companies by routing their phone and Internet traffic through China, the report finds.  

The report is the latest in a series of reviews by Congress and elsewhere pointing out shoddy and haphazard U.S., preparation for the cybersecurity threats posed by China’s rise to global power. In a 2019 report, the subcommittee, led by Sens. Rob Portman (R-Ohio) and Thomas R. Carper (D-Del.), slammed U.S. companies including Equifax and Marriott for not protecting themselves against a barrage of Chinese data theft. 

In telecommunications, in particular, U.S. companies largely abandoned building the hardware that will run the next generation of super-fast telecom networks known as 5G. As a result, American officials have been fighting a rear-guard action for the past two years trying to stop China’s Huawei from dominating the global market. 

The failure to adequately review Chinese telecoms' national security risk was mainly due to an "informal" and "ad hoc" process.

That process was run by just a handful of people at the departments of Justice, Defense and Homeland Security that advised the Federal Communications Commission. The informal panel dubbed “Team Telecom” typically conducted years-long security reviews that FCC commissioners described as an “inextricable black hole.”

The panel also rarely followed up once those reviews were complete. For example, the group created security agreements to limit the risk of two Chinese government-owned telecoms’ U.S. operations — China Telecom Americas in 2007 and ComNet in 2009 — but did little to ensure the companies were abiding by them. 

The agreements authorized Team Telecom to conduct inspections of the companies’ U.S. operations, but the group only conducted two such inspections for each company over more than a decade. And none of those inspections occurred before 2017. 

Team Telecom never entered into a security agreement with another Chinese firm, China Unicom Americas, and so “ha[d] no oversight authority to assess the company’s operations in the United States,” the report notes. 

The group finally did recommend in 2019 that the FCC block another major Chinese telecom, China Mobile, from operating in the United States. But it was only after a seven-year investigation, and it was the first time Team Telecom had made such a recommendation. 

The panel similarly recommended banning China Telecom Americas last month, citing concerns that its state-owned parent company poses unacceptable risks of Chinese spying. 

The Senate report comes after the federal government has already started to clean up its act. 

President Trump issued an executive order in April that replaced the informal Team Telecom system with a far more stringent review process led by the attorney general. The new group is tasked with reviewing any foreign telecom requests to operate in the United States and reviewing any existing licenses that pose cybersecurity or national security risks. 

The FCC also wrote to China Telecom Americas, China Unicom Americas, ComNet and another Chinese firm, Pacific Networks, in April demanding they explain why they shouldn’t be banned over the same Chinese spying concerns as China Mobile. 

FCC Chairman Ajit Pai said the letter reflects the commission’s “deep concern … about these companies’ vulnerability to the exploitation, influence, and control” of the Chinese government. 

We simply cannot take a risk and hope for the best when it comes to the security of our networks,” he said. 

The report’s recommendations focus mainly on putting muscle behind the new review process and ensuring reviews move quickly. 

The panel wants Congress to mandate the government review all foreign telecom licenses periodically. It also wants the licenses to automatically expire if they don’t pass muster on national security grounds. Now, the licenses effectively exist forever unless the FCC revokes them.

Lawmakers also want Congress to set firm deadlines for how long reviews can last, though the report doesn’t offer a specific time frame. 

The keys

States that vote entirely by mail suffer minuscule amounts of fraud, despite Trump’s claims to the contrary. 

Officials found just 372 cases of possible fraud out of 14.6 million ballots cast in three states that voted entirely by mail in 2016 and 2018, according to an analysis by The Washington Post and the nonprofit Electronic Registration Information Center, which helps states spot duplicate voters. That's just 0.0025 percent of votes. It’s a far cry from the widespread fraud Trump and his allies have alleged, Elise Viebeck reports. 

For example, Trump, who voted by mail himself in Florida this year, tweeted in all caps last month: “MAIL-IN VOTING WILL LEAD TO MASSIVE FRAUD AND ABUSE. IT WILL ALSO LEAD TO THE END OF OUR GREAT REPUBLICAN PARTY. WE CAN NEVER LET THIS TRAGEDY BEFALL OUR NATION.”

The analysis covered five elections in Colorado, Oregon and Washington, where registered voters automatically receive ballots by mail.  

The low fraud rate is partially because vote-by-mail states have strong security processes to prevent fraud, current and former election officials say. But some of them worry that states that ramp up voting by mail in response to the pandemic won't have the same protections.

“We’ve had so much time to really fine-tune those processes,” said Washington Secretary of State Kim Wyman, a leading Republican advocate for mail voting. “Probably my biggest concern with this rapid ramp-up to expand absentee voting or move to a vote-by-mail model is: Do they have the time to build up that capacity?”

Advocates for voting by mail also note the penalties for voter fraud, which include fines and prison time, probably will deter the vast majority of fraud.

Voting security advocates are decrying online voting technology that West Virginia will use in its primary today.

West Virginia will be the third state to pilot the voting app offered by Democracy Live for voters with disabilities in its primary today. Security advocates say online voting is dangerous because there’s no way for voters to verify their ballots were recorded correctly. New Jersey and Delaware conducted similar pilots earlier this year and other states have used the app for military and overseas voters. 

"Even amidst a global pandemic, states simply cannot risk moving to Internet voting," said Marian K. Schneider, president of Verified Voting. 

The concern follows a new study from researchers at the Massachusetts Institute of Technology and the University of Michigan highlighting security vulnerabilities with Democracy Live's Omniballot system. (Alex Halderman, one of the authors of the report, is on Verified Voting's board of advisers.)

The Democracy Live technology could be manipulated to leave off candidates' names, remove races or send ballots to the wrong person, researchers found.

Other experts also cited serious concerns with voting using phones and laptops. 

“The biggest security problem with Internet voting is the insecurity of all the millions of voters’ computers and phones,” Princeton University computer science Professor Andrew Appel told freelance cybersecurity reporter Kim Zetter. “It’s not just one server that would need to be secure in addition to the millions of voters’ computers; it’s a whole ecosystem of connected companies.”

NSO Group is pushing a transparency initiative as it faces a lawsuit and an avalanche of criticism over its spyware business.

The Israeli company will begin issuing annual reports next year detailing its compliance with United Nations human rights guidelines, chief executive Shalev Hulio told Dan Williams at Reuters. The company says it has declined about half a billion dollars in deals because of ethical concerns.

But vetting those claims is difficult given the secretive nature of the company's government clients, Williams writes.

NSO has been pilloried by security and human rights activists who say the firm helps repressive regimes spy on their enemies and critics. Its Pegasus software has been tied to the surveillance of journalists, dissidents and human rights advocates in Mexico, the United Arab Emirates and Saudi Arabia. Facebook sued the company for allegedly hackingWhatsApp, its encrypted messaging service, and helping government customers snoop on about 1,400 people. NSO has denied any wrongdoing. 

NSO announced the new transparency measure while demonstrating a new system to counter surveillance drones purchased by 10 countries. The company has also been involved in efforts to help trace the spread of the novel coronavirus.

Hill happenings

The chairman of the House Intelligence Committee joined a chorus of Democrats concerned about government surveillance of protesters.

Rep. Adam Schiff (D-Calif.) wants to know whether military intelligence has been used to support federal law enforcement surveillance of protests over the death of George Floyd, Ellen Nakashima reports

“The sudden and impulsive manner in which the armed forces and law enforcement components from across the federal government have been mobilized to date, and the lack of public transparency regarding their orders . . . is deeply troubling,” Schiff wrote in a letter to Undersecretary of Defense for Intelligence and Security Joseph D. Kernan.

There is no indication that Pentagon intelligence agencies furnished such support, Ellen notes.

More surveillance news:

Agencies Spending Millions on 'Crossbow' Spy Tech, an Upgraded Stingray (Motherboard)

Democrats' new police overhaul bill would regulate law enforcement's use of facial recognition.

The sweeping reform legislation, which was introduced after a week of nationwide protests following Floyd's killing in police custody, would prohibit the use of facial recognition on real-time body camera footage and limit the use of the technology on existing footage unless a warrant is obtained. 

It would also more generally limit who has access to body camera footage and introduces oversight procedures for data collection.

Currently, 166 Democratic House members and 35 Democratic and independent senators are backing the bill, making it one of the most widely supported proposals to regulate police use of facial recognition.

Global cyberspace

China may be using fake Twitter accounts to boost its attacks against the United States, new research shows. 

Reporters at The New York Times found hundreds of accounts that have amplified Chinese diplomats and representatives online that have also demonstrated suspicious behavior. Of the approximately 4,600 accounts studied by the Times during a recent week, one in seven only shared content from Beijing officials. One-third of the accounts had been created just as China-U.S. rivalries heated up over the past three months. 

The U.S. State Department and Next Dim, a data firm in Israel, both found similar inauthentic-seeming accounts in March and April that promoted China's response to the coronavirus.

It's not clear whether the Chinese government is behind the swarms of accounts, though.

Industry report

Honda was hit by a cyberattack that forced it to suspend production of some cars and motorcycles. 

The attack was ransomware that struck yesterday and locked up the carmaker’s internal servers, Reuters reports. Most production had resumed this morning. 

More global news:

China’s Huawei launches ad blitz as UK reconsiders its role (Associated Press)

Chat room

A fun public records find:


Secure log off

John Oliver on policing: