Dec 5, 2019

Analysis | The Cybersecurity 202: Huawei doubles down on legal fight with U.S.

By Joseph Marks




An illuminated Huawei sign is on display in Zurich. (Photo by STEFAN WERMUTH/AFP via Getty Images)
THE KEY
Huawei last night opened up yet another front in its battle against the U.S. government, filing a legal challenge to a Federal Communications Commission order branding the Chinese telecom a national security risk and blocking rural phone and Internet providers from buying its gear.
The move underscores Huawei’s eagerness to publicly strike back against every assault from the U.S. government, which has called the company a communist spying tool — and to use democratic due process as one of its main weapons.
“We're using what processes are available to us to ensure that Huawei is treated fairly, and we don't think we've been treated fairly at the FCC,” Dennis Amari, Huawei’s Washington-based director of federal and regulatory affairs and a former Commerce Department official, told me.
The FCC order, which commissioners adopted unanimously last month, effectively bars U.S. phone and Internet providers that rely on federal subsidies from buying any new products from Huawei over fears the company could be compelled to spy for the Chinese.
The order also bars purchases from ZTE, another Chinese telecom firm. And commissioners are contemplating requiring rural telecoms to rip out and replace their existing Huawei and ZTE gear, which could cost more than $2 billion.
In a press conference at the company's Shenzhen headquarters, executives portrayed the order as one of a string of cases in which the U.S. government has tarred its reputation by accusing it of spying but not offered evidence to back up the claims.
“The FCC claims that Huawei is a security threat, but FCC Chairman [Ajit] Pai has not provided any evidence. This is a common trend in Washington these days,” Song Liuping, chief legal officer at Huawei, said. “This decision…is based on politics, not security.”
An FCC spokesman declined to comment on the legal petition.
Huawei’s challenge, filed in a federal appeals court in New Orleans, says the FCC lacks authority to make decisions based on national security grounds and rigged its review process to single out Huawei and ZTE for punishment.
“Instead of having standards and then applying them neutrally, they figured out the companies they wanted to hurt,” Michael Carvin, an attorney with the law firm Jones Day representing Huawei, told me. “Basically, they deprived [Huawei] of all the normal principles of due process and fairness.”
Carvin also dismissed U.S. fears the Chinese government holds too much sway over Huawei and could compel it to insert spying tools into its products, noting that numerous non-Chinese telecom firms are nevertheless closely linked with Chinese partners or depend on Chinese components.
“If that was really motivating what was going on here, presumably they wouldn't have picked Huawei and ZTE out of a hat,” he said. “They would have done something in a more global-neutral way.”
Huawei has spent most of the past two years in a pitched battle with the U.S. government, which has banned the company from government networks and contracts for next-generation 5G wireless systems and barred most U.S. companies from selling components to it.
Huawei launched a separate legal challenge against the government ban, which a federal judge in Texas is reviewing.
The pair is also locked in a titanic struggle over global 5G contracts, with U.S. officials urging allies to bar Huawei from the super-fast networks but with limited success. Only a handful of nations have followed the United States in outright banning Huawei from 5G while others, including England, have contemplated barring the company from only core parts of their networks.
Chinese influence in 5G is especially concerning to U.S. officials because the networks will carry orders of magnitude more data than previous generations and will connect to a new era of Internet-connected devices such as autonomous vehicles and smart factories.
The European Union adopted a set of 5G principles this week that urge member nations to consider the legal requirements 5G suppliers are bound by in their home countries, but is mum on the specific case of China and Huawei.
PINGED, PATCHED, PWNED

U.S. Census Bureau Director Steven Dillingham. (Adrian Sainz/AP)
PINGED: The company digitizing the U.S. census was hacked from Russian IP addresses during a 2018 test run, raising serious questions about the cybersecurity of the 2020 count, Reuters's Nick Brown reports.
The hackers bypassed a firewall and accessed parts of the software that should have been restricted to census staff, sources inside the bureau told Nick. In a separate attack, hackers caused a steep increase in traffic to census sites.
Staffers in charge of system security meanwhile “didn’t know how to access the cybersecurity defense tools that were in place, and they didn’t know what to look for,” a source told Nick.
The attacks were just one symptom of a project Reuters describes as “marred by security mishaps, missed deadlines and cost overruns.”
“The IT is really in jeopardy,” said Kane Baccigalupi, a security consultant who previously worked on the census project for two years. “They’ve gone with a really expensive solution that isn’t going to work.”
Census Bureau spokesman Michael Cook declined to comment on the alleged hacks. He said no data was stolen during the 2018 system test and that the bureau’s systems worked as designed.

A touch screen voting machine and printer are seen in a voting booth. (Mike Stewart/AP)
PATCHED: The vast majority of the nation’s largest county election offices aren’t protecting themselves against basic email phishing attacks that hackers could use to disable polling equipment and sow chaos on Election Day, a report out this morning finds.
The company Valimail checked protections at election offices in the three largest counties in every state and found just 5 percent were set up to automatically reject or quarantine suspicious emails. Across six active swing states -- Arizona, Florida, North Carolina, Pennsylvania, Michigan, and Wisconsin -- none of the top three counties had the protection.
The fact that election officials aren’t using basic protections against email phishing suggests they’d be “staggeringly” vulnerable to a sophisticated foreign adversary, Seth Blank, director of industry initiatives at Valimail, told me.
“This is how Podesta got hacked,” he said, referring to a Russian phishing attack that compromised Hillary Clinton’s campaign manager and helped upend the 2016 contest. “It’s alarmingly effective.”
The study focused on a common anti-phishing tool called DMARC, which the U.S. government made mandatory for federal agencies in 2017. A recent TechCrunch review of political campaigns found only about one-third of the 2020 contenders were successfully using the tool.
“Cyber hygiene at the state and local level is critical because that’s where the votes get cast. If they’re not protecting against the primary threat vector, what else aren’t they protecting against?” Blank asked.

Smartphones with the Sprint logo. (Dado Ruvic/Reuters)
PWNED: A contractor left hundreds of thousands of phone bills for AT&T, Verizon and T-Mobile customers exposed on the Web for an unknown period of time, Zack Whittaker at TechCrunch reports.
The vast majority of documents discovered in the unprotected server were cellphone bills dating back to 2015 that included personal information such as addresses, names and phone numbers. A smaller number of the documents included bank statements, usernames, passwords and account PINs — information that could have been used to access customer accounts if it fell into the wrong hands.
Researchers traced the documents back to a marketing firm that worked for Sprint. The firm closed the security loophole on Wednesday and it's unclear whether hackers accessed any of the data.

PUBLIC KEY

— Cybersecurity news from the public sector:

The U.S. Senate Foreign Relations Committee will vote as soon as next week on legislation that would impose stiff new sanctions on Russia over its meddling in U.S. elections and aggression against Ukraine, a committee spokeswoman said on Wednesday.
Reuters

Senators from both sides of the aisle sounded the alarm Wednesday on the dangers posed to small businesses and government entities by ransomware cyberattacks following a classified briefing from a key Department of Homeland Security official.
The Hill

Senators argued for their dueling proposals for a federal privacy law during a highly anticipated hearing on Wednesday, marking the first time key Republicans and Democrats have taken their disputes public after months of closed-doors negotiations.

PRIVATE KEY

— Cybersecurity news from the private sector:

IBM’s security experts said Wednesday they have uncovered previously unknown malware developed by Iranian hackers that was used in a data-wiping attack against unnamed energy and industrial organizations in the Middle East.
CyberScoop

Company security analyst sent session cookie allowing account take-over.
Ars Technica

CyrusOne data centers infected by REvil (Sodinokibi) ransomware.
ZDNet

THE NEW WILD WEST

— Cybersecurity news from abroad:

Failure to respond will only invite future state-sponsored cyberattacks on civilian targets.
Andy Greenberg

Australia on Thursday established an investigation into potential foreign politi...

Two years after the last attacks, the Great Cannon is up and running again.
ZDNet

A broad disinformation campaign of fake news and other tricks aims to turn the Baltic nation’s public against the alliance.
Nextgov

ZERO DAYBOOK

— Today:
  • The House Energy and Commerce Committee will host a Federal Communications Commission oversight hearing on Thursday at 10 a.m.
  • The Senate Commerce subcommittee on communications, technology, innovation and the Internet will convene a hearing titled “The Evolution of Next-Generation Technologies: Implementing MOBILE NOW” on Thursday at 10 a.m.
