A bipartisan group of lawmakers wants to kill the Trump administration’s deal to ease penalties on ZTE over concerns that the Chinese telecom giant helps the country’s government spy on Americans.
Hours after the administration announced the agreement Thursday, senators floated legislation to reverse the deal and bar the government from buying equipment from ZTE, which the U.S. intelligence community believes could serve as a conduit for Chinese cyberespionage.
The move not only represents a stinging rebuke of the administration’s decision to allow ZTE to keep doing business with the United States after it violated trade sanctions against Iran and North Korea. It shows how Congress is trying to check President Trump over how to safeguard Americans' cybersecurity and adjust foreign policy to reflect warnings from intelligence officials who say ZTE's products could easily be used surveillance tools against American citizens.
“This ‘deal’ with #ZTE may keep them from selling to Iran and North Korea. That’s good,” Sen. Marco Rubio (R-Fla.) tweeted Thursday. “But it will do nothing to keep us safe from corporate & national security espionage. That is dangerous. Now Congress will need to act to keep America safe from #China.”
Rubio is one of three Republicans backing an amendment to the defense spending bill that would override Trump and reinstate the Commerce Department’s original penalties on ZTE for violating export controls. It would also prohibit the U.S. government from purchasing or leasing telecommunications equipment from ZTE and Huawei, another major Chinese telecom company.
"Huawei and ZTE have extensive ties with the Chinese Communist Party, as well as a track record of doing business with rogue regimes like North Korea and Iran. So it's only prudent that no one in the federal government use their equipment or services and that they receive no taxpayer dollars,” said Sen. Tom Cotton (R-Ark.) who introduced the measure with Sens. Chris Van Hollen (D-Md.) and Democratic leader Chuck Schumer (D-N.Y).
"Given their repeated violations of U.S. law, we cannot trust them to respect U.S. national security, and so it's vital we hold them accountable and pass this amendment," Cotton said. Susan Collins (R-Maine) and Bill Nelson (D-Fla.) have also signed onto the measure.
The Commerce Department earlier this year imposed a seven-year ban on ZTE buying critical parts from American firms after the company sold items to Iran and North Korea in violation of a sanctions settlement. But Trump backpedaled on the punishment last month after Chinese leaders said it would drive the company out of business.
Under the new agreement, ZTE will pay a $1 billion fine, replace its top leadership and bring in a team of American experts to make sure it complies with U.S. trade laws, as my colleagues David J. Lynch, Simon Denyer and Heather Long reported.
Commerce Secretary Wilbur Ross said it all amounted to the largest penalty and the strictest compliance measures the agency had ever levied against a company that violated export controls. “We are literally embedding a compliance department of our choosing into the company to monitor it going forward. They will pay for those people, but the people will report to the new chairman,” Ross said.
But lawmakers from both parties scoffed at the deal they said constituted an imminent security risk.
From Sen. Mark Warner (D-Va.), the vice chairman of the Intelligence Committee:
This idea of “embedding a compliance team” at ZTE is a nice talking point, but unless the Trump Administration plans to open an FBI counter-intel field office inside the company, Beijing is about to get one heck of a deal on a backdoor into US telecom networks. https://t.co/nlsTnnDci1— Mark Warner (@MarkWarner) June 7, 2018
Congressional investigators and intelligence officials say ZTE's consumer devices and its access to U.S. telecommunications infrastructure could allow Beijing to eavesdrop on citizens, government offices and private corporations, steal trade secrets, hack sensitive computer networks and even help China wage cyberwar.
Sen. Ron Wyden (D-Ore.) called on Congress to block the deal, saying the risks were clear:
A loser deal for American security & American workers. @realDonaldTrump & his admin are giving ZTE & China the green light to spy on Americans & sell U.S. tech to North Korea & Iran - as long as it pays a fine that’s only tiny fraction of its revenue. https://t.co/QQofTLIcOF— Ron Wyden (@RonWyden) June 7, 2018
The steady drumbeat of warnings about the security threats posed ZTE and Huawei has gone on for years, as I reported recently.
Though the companies deny they do Beijing's bidding, an 11-month probe by the House Intelligence Committee in 2012 found that the companies were essentially arms of the Chinese government. Intelligence officials have reached the same conclusions. In a February congressional hearing, the heads of the FBI, CIA and National Security Agency, and the director of national intelligence, all cautioned against the public using ZTE's products. And in May the Pentagon banned ZTE and Huawei phones from being sold on military bases, saying they “may pose an unacceptable risk to Department's personnel, information and mission.”
But this is not the first time that Trump has been willing to buck his intelligence chiefs. Since he took office, he has repeatedly rebuffed findings from the intelligence community that Russia interfered in the 2016 election and waged a sweeping disinformation campaign on social media to help him defeat Hillary Clinton. The Senate Intelligence Committee concluded last month that intelligence officials were correct in determining that Russia interfered in the election with the aim of helping Trump win.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED, PATCHED, PWNED
PINGED: Prosecutors secretly obtained email and phone records of New York Times reporter Ali Watkins during an investigation into the leaking of classified information that led to the arrest of former Senate Intelligence Committee staffer James A. Wolfe, the Times's Adam Goldman, Nicholas Fandos and Katie Benner report. Court documents list instances in which Wolfe had conversations with Watkins, with whom he had been in a relationship for three years, and other reporters via encrypted messaging applications, they write. "A prosecutor notified Ms. Watkins on Feb. 13 that the Justice Department had years of customer records and subscriber information from telecommunications companies, including Google and Verizon, for two email accounts and a phone number of hers," Goldman writes. "Investigators did not obtain the content of the messages themselves."
“We are troubled to hear of the charges filed against a former member of the Committee staff,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and vice chair Warner said in a joint statement late Thursday. “While the charges do not appear to include anything related to the mishandling of classified information, the Committee takes this matter extremely seriously. We were made aware of the investigation late last year, and have fully cooperated with the Federal Bureau of Investigation and the Department of Justice since then."
Reporters reacted to the indictment with reminders about data security:
Reporters: Using Signal does not guarantee that the government won't be able to read conversations with your sources. pic.twitter.com/WMWp8PB2Aw— Brad Heath (@bradheath) June 8, 2018
If you don't set your Signal messages to auto-delete, they're just unencrypted data on a phone. https://t.co/mJpfFyk8Tr— Ryan Gabrielson (@ryangabrielson) June 8, 2018
PATCHED: Google will not use artificial intelligence to help develop weapons or for other applications that could injure people, company chief executive Sundar Pichai said on Thursday in a blog post laying out the principles that Google will follow in its use of AI. "We want to be clear that while we are not developing AI for use in weapons, we will continue our work with governments and the military in many other areas," Pichai said. "These include cybersecurity, training, military recruitment, veterans’ healthcare, and search and rescue." Additionally, the company committed not to pursue AI capabilities that could result in human rights violations or surveillance "violating internationally accepted norms."
"The new rules could set the tone for the deployment of AI far beyond Google, as rivals in Silicon Valley and around the world compete for supremacy in self-driving cars, automated assistants, robotics, military AI and other industries," The Washington Post's Drew Harwell writes. Pichai praised AI as a tool that carries "clear benefits," saying for instance that it can improve health care and farming, but added "that such powerful technology raises equally powerful questions about its use."
The company decided last week not to renew a contract with the Pentagon when it comes to expiration next year, Harwell reports. Thousands of employees had requested in a letter to Pichai that Google stop its involvement in a program called Project Maven to use artificial intelligence to analyze drone footage. "The move is a setback for the Pentagon's push to supercharge the military's capabilities with powerful AI that could help process battlefield data or pinpoint military targets," Harwell wrote last week after Google's decision to drop the contract. Rep. Peter T. King (R-N.Y.) on Thursday called Google's move "disgraceful and cowardly."
Google's decision to cancel Pentagon contract to develop AI for drone strike accuracy is disgraceful and cowardly. Hurts America. Agree with @MikeBloomberg, this is defeat for U.S. national security, patriotism & saving civilian lives. Too bad Google is ashamed to defend America!— Rep. Pete King (@RepPeteKing) June 7, 2018
Pichai said the guiding principles Google is pledging to follow in its work on AI are to "be socially beneficial," to "avoid creating or reinforcing unfair bias," to "be built and tested for safety," to "be accountable to people," to "incorporate privacy design principles," to "uphold high standards of scientific excellence" and to "be made available for uses that accord with these principles." "A Google representative who requested anonymity to speak candidly about the process said the company has been developing the ethical principles for months and will bring in outside advisors to conduct internal reviews to ensure the AI guidelines are enforced," Harwell writes.
PWNED: Lawmakers from both parties are taking a closer look at the links between Google and Chinese tech firm Huawei amid concerns about data privacy and national security, The Post's Tony Romm reports. Warner wrote in letters to Google's parent company Alphabet and Twitter on Thursday that "the relationship between the Chinese Communist Party and equipment makers like Huawei and ZTE has been an area of national security concern" for several years. Warner noted in his letter to Alphabet that Google and Huawei announced a "strategic partnership" over cellphone messaging in January. The senator asked Google to provide details about its relationship with Huawei as well as the Chinese companies Xiaomi and Tencent.
"Republicans, meanwhile, signaled Thursday that they could also take action against Google and other tech giants soon," Romm writes. "Rep. K. Michael Conaway (R-Tex.), a member of the House Intelligence Committee, is looking into the matter, a spokeswoman said. [Cotton] similarly has raised concerns about Google’s relationship with Huawei." A spokeswoman for Google said the company has "agreements with dozens" of device makers globally, Romm reports. "We do not provide special access to Google user data as part of these agreements, and our agreements include privacy and security protections for user data," Google said, as quoted by Romm.
— More cybersecurity news:
— A bipartisan group of House lawmakers on Thursday reintroduced a bill to "preempt state and local government encryption laws" and set up a national standard for encryption at the federal level. Reps. Ted Lieu (D-Calif.), Mike Bishop (R-Mich.), Suzan DelBene (D-Wash.) and Jim Jordan (R-Ohio) introduced the piece of legislation, which is titled Ensuring National Constitutional Rights for Your Private Telecommunications Act. "When 50 states have different laws on encryption, it undermines our efforts to protect innocent Americans from bad actors who are looking to snatch personal data for their own nefarious uses," DelBene said in a statement. "This legislation strengthens our national security, while ensuring that people’s privacy is protected and advances in technology can continue to flourish." Jordan, a member of the conservative House Freedom Caucus, said the federal government has "abused warrantless surveillance in the past," adding that the lack of unified policy "makes it easier for further abuses." "By creating a unified approach to encryption, we can protect security and privacy while allowing law enforcement to continue keeping us safe," he said.
— Spies across the world are increasingly hacking into cellphones to conduct surveillance of political opponents as authoritarian governments outsource malware campaigns to contractors, The Wall Street Journal's Robert McMillan reports. "Mobile-security firm Lookout Inc. counted 22 phone-hacking efforts in the first five months of this year that appeared to be government-backed," McMillan writes. "Most targeted political opponents in developing nations, Lookout said. The company’s researchers identified just two such efforts in all of 2015." Hacking into a cellphone can give spies access to sensitive information including a user's contacts as well as financial data, according to McMillan. "It is one thing to compromise someone’s computer," Mike Murray, vice president of security research at Lookout, told McMillan. "It’s another thing to have a listening device that they carry around with them 24 hours a day."
— The ticketing service Ticketfly brought its website back online Wednesday night after a cyberattack last week exposed the data of about 27 million users, The Post's Travis M. Andrews reports. "Users’ names, phone numbers, addresses and email addresses connected to the accounts were accessed in the hack, but financial information like credit and debit card numbers were not, according to Eventbrite, the San Francisco-based company that owns Ticketfly," Andrews writes. "Upon first learning about this incident we took swift action to secure the data of our clients and fans," Ticketfly said in a statement. "We take privacy and security very seriously and regret any disruption this has caused." Ticketfly had been taking back parts of its services back online progressively during the week, Andrews reports.
The hacker, who goes by IsHaKdZ, told Mashable that he had found a vulnerability on Ticketfly's website and demanded a ransom of "1 bitcoin for protection," Andrews reports. "The hacker also shared with the media outlet a large directory of spreadsheet files that seemed to contain personal data for Ticketfly customers and employees," Andrews writes. "Mashable said it confirmed some of the data was authentic."
— Facebook's bad week got worse on Thursday. The social network asked 14 million users to review the posts they shared from May 18 till May 22 after a flaw changed the settings on their accounts, The Post's Hayley Tsukayama writes. Users who thought they were publishing a private post during that time may have been sharing it publicly instead. "We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts," Erin Egan, Facebook's chief privacy officer, said in a statement. "Today we started letting the 14 million people affected know – and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before, and they could still choose their audience just as they always have." Egan said the glitch started while the company was "building a new way to share featured items" on users' profiles.
Even though posts on new accounts default to public, users have the ability to adjust the privacy settings of the posts they share on the platform by using a tool that Facebook calls an "audience selector," Tsukayama reports. "But, for four days in May, the bug ignored user preferences and set the default audience for all new posts to 'public,' the company said," she writes. "Facebook stopped the bug on May 22 but did not restore the proper privacy settings to all posts until May 27." "We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use your data – including when things go wrong," Egan said. "And that is what we are doing here."
Hi @yonatanzunger To be clear, the bug affected Facebook posts, NOT private messages. It suggested posting publicly as opposed to the previous audience setting. Regardless, this was a significant mistake and we apologize to those affected by it. https://t.co/hgEKBzSxnC— Facebook (@facebook) June 7, 2018
— This AI in security cameras can recognize your face and body:
— Four times Trump got history a little wrong:
— There are many theories about what IHOP's new name could be: