The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

FCC steps up campaign against Huawei and other Chinese tech companies

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I hope you had a nice holiday break. Yesterday I ate turkey soup, a tradition with a couple friends of mine. Some of my co-workers didn’t know turkey soup is a thing. Weird.

Below: Chinese-language accounts spam Twitter amid protests, and hackers hit an Iranian news agency. First:

FCC brings out the banhammer for Huawei and other China-based companies

Last week’s long-awaited Federal Communications Commission ban of some Chinese telecommunications companies’ equipment is the latest step in a domestic and international push by the United States to isolate Huawei and other Chinese tech firms.

On Friday, the FCC said it voted unanimously to adopt rules banning U.S. sales and imports of Huawei and ZTE telecommunications equipment, Hytera digital radios and video surveillance systems made by Hikvision and Dahua, citing national security concerns. The ban focuses on equipment designed “for the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes.”

  • “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” Chairwoman Jessica Rosenworcel said. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”

The long-expected vote came in response to legislation Congress passed last year. It continues a campaign against Chinese companies like Huawei — and there are limitations on what it can actually accomplish.

But it’s still significant, Dakota Cary, a China-focused consultant at Krebs Stamos Group, told me. “It allows them the ability to revoke previously authorized kit, which is important,” he said.

And here’s FCC Commissioner Brendan Carr on the decision’s importance:

It’s all part of a response to alleged national security risks posed by Chinese-owned tech. For instance:

  • Huawei reportedly helped African governments spy on encrypted communications of  political opponents.
  • In the United States, the FBI reportedly found Huawei equipment on cell towers in the rural Midwest located near U.S. military bases. The bureau determined the equipment could capture and disrupt restricted communications used by the Defense Department, such as U.S. Strategic Command, which is in charge of the nation’s nuclear weapons.
  • The companies have long denied being security risks.

And it’s a campaign that has stretched for some time, heating up during the Obama administration and intensifying during the Trump administration. Joshua Steinman, who served as senior director for cyber policy and deputy assistant to the president in Trump’s National Security Council, laid out that history in this Twitter thread.

It’s also important to note what the order can’t do. It doesn’t much pertain to consumer or small business sales, as the Verge’s Sean Hollister pointed out. It also doesn’t keep those companies from being able to brand their products differently. Carr acknowledged that as a potential worry.

The FCC must “vigilantly monitor compliance with the rules we’ve established today, including by ensuring that entities do not make an end run around our decision by ‘white labeling’ covered gear — a process that involves putting a benign or front group’s name on equipment that would otherwise be subject to our prohibitions,” Carr wrote.

Lastly, few states have followed the U.S. government’s lead on trying to prohibit procurement of foreign information and telecommunications technologies, as a recent report from the Center for Security and Emerging Technology catalogued.

The global picture

The international telecommunications market is growing increasingly split between a U.S./Europe tech ecosystem and a China-led tech ecosystem, Cary said.

The U.S. government has driven Huawei out of Europe, as Laurens Cerelus and Sarah Wheaton detailed for Politico recently. And it plans to keep pressing its case, as Eric Geller and Maggie Miller reported for the same publication.

Friday’s FCC announcement pairs with the U.K. banning Hikvision at “sensitive sites” last week. Meanwhile, Huawei continues to rack up allegations about how its tech is being abused in other nations.

Chinese-owned ByteDance, the company behind TikTok whose ownership is a subject of federal review, should probably be worried about the FCC decision, Cary said. On the other hand, it’s a fundamentally different company than those named in Friday’s announcement. TikTok has its devoted fans, whereas most Americans don’t care about which companies form parts of telecom backbones — making it politically harder to go after TikTok as aggressively as Huawei.

Lobbying

Several of the Chinese companies at the center of Friday’s announcement have spent significant amounts of money on lobbying this year:

  • Huawei has spent at least $2.4 million on lobbying aimed at Congress this year, according to filings. The company spent around $3.6 million on lobbying last year. The company paid Democratic lobbyist Tony Podesta around $1 million to lobby the White House in the second half of last year, according to lobbying filings. Podesta didn’t report any lobbying activity for the company from July to September.
  • ZTE has paid Akin Gump more than $1 million for lobbying so far this year, according to filings. ZTE paid the law firm $1.2 million last year for lobbying.
  • Hikvision has paid three lobbying firms more than around $2.8 million so far this year.
  • There’s been no recent lobbying by Hytera Communications and Dahua Technology.

Huawei has previously criticized the FCC’s proposals taking aim at Huawei equipment, but declined to comment on the latest action. Hytera Communications said in a statement on its website that the order doesn’t apply to the vast majority of its equipment.

“Dahua is continuing to review the FCC’s order, but based on our current analysis we believe that the actions taken in the order go far beyond the commission’s statutory authority, and will do little or nothing to protect U.S. national security,” the company’s press office said via email.  Still, the statement read, ”given that Dahua’s products are not currently marketed for those purposes and have not been for several years, we are reasonably confident that this order will allow us to continue to serve most of our U.S. customers for years to come.”

ZTE said it “strongly disagreed” with the decision and would ”gradually withdraw” from the U.S. market, which it said accounts for less than 1 percent of overall revenue.

“ZTE has made repeated attempts at constructive engagement with U.S. policymakers to understand any possible concerns about the products it now sells in the United States,” the company’s press office said in an emailed statement. ”At no time has the United States government identified any specific, addressable concerns with regard to products that ZTE sells in the United States or instances in which ZTE products have been used to impair either U.S. security or consumer privacy.”

Hikvision has criticized the FCC decision, saying its products don’t pose a security threat and that the vote “will do a great deal to make it more harmful and more expensive for U.S. small businesses, local authorities, school districts and individual consumers to protect themselves, their homes, businesses and property.”

Updated 11/30/2022: to include comment from Dahua and ZTE.

The keys

Twitter battles accounts trying to drown out posts about protests over pandemic lockdowns

The accounts started spamming Twitter with links to adult services alongside the names of Chinese cities, Joseph Menn reports

“The result: For hours, anyone searching for posts from those cities and using the Chinese names for the locations would see pages and pages of useless tweets instead of information about the daring protests as they escalated to include calls for Communist Party leaders to resign,” he writes. “It is not the first time that suspected government-connected accounts have used the technique, according to a recently departed Twitter employee. But in the past, it was used to discredit a single account or a small group by naming them in the escort ads.”

The former employee, who spoke on the condition of anonymity to avoid retribution for disclosing internal processes, said it was a “known problem” at Twitter. Sunday’s campaign was “another exhibit where there are now even larger holes to fill,” the former employee said. “All the China influence operations and analysts at Twitter all resigned.”

A company employee told an external researcher that Twitter was aware of the problem and was trying to resolve it.

Hackers hit Iranian news agency

The semiofficial Fars News Agency, which is affiliated with the Islamic Revolutionary Guard Corps, said it was hit in a “complex hacking and cyberattack operation,” Agence France-Presse reports. It comes as Iranians continue to protest in the wake of the death of Mahsa Amini in the custody of the country’s “morality police.”

“Removing possible bugs … may cause problems for some agency services for a few days,” Fars News wrote on Telegram.

The apparent hack came after an Iranian hacking group published surveillance video footage after twin bombings in Jerusalem that killed a teenager. Officials said the surveillance video footage was taken by a civilian company that works with Israeli authorities, the Times of Israel reports. An official told Army Radio that there wasn’t a “security breach or leakage of classified information.”

Law enforcement takes down phone-spoofing service

Scammers paid iSpoof in cryptocurrency for the service, which would let the criminals impersonate phone numbers, the Guardian’s Jess Clark reports. The arrests of more than 100 people represents U.K. authorities’ largest fraud operation.

Law enforcement also seized iSpoof’s website and began contacting victims, the Guardian reported. The service’s main administrator was arrested in the United Kingdom this month, Europol said. Police sent messages to 70,000 phone numbers that had spoken with fraudsters for more than a minute, BBC News reports.

U.K. police apparently also posted a tongue-in-cheek video making fun of the service on iSpoof’s Telegram channel.

Global cyberspace

Ransomware gang targets Belgian municipality, hits police instead (Bleeping Computer)

RCMP use of spyware warrants update to Canada's privacy laws, MPs say (Politico)

Cyber insecurity

Cincinnati State College one of several schools added to ransomware leak sites on Thanksgiving (The Record)

5.4 million Twitter users' stolen data leaked online — more shared privately (Bleeping Computer)

Securing the ballot

Brazil's electoral court rejects Bolsonaro election challenge (Reuters)

Daybook

  • Deputy national security adviser Anne Neuberger, Maryland Gov. Larry Hogan (R), National Institute of Standards and Technology Director Laurie Locascio and other officials speak at the Quantum World Congress in Washington on Wednesday and Thursday.

Secure log off

Thanks for reading. See you tomorrow.

Loading...