U.S. officials who argue Huawei can’t be trusted to play a major role in building global 5G telecommunications networks got another boost Wednesday when the Wall Street Journal reported that the Chinese telecom company helped two African governments spy on dissidents.
Huawei workers who were providing telecommunications services in those nations and a “safe city” program, a network of cameras and sensors Huawei sells to city nominally aimed at improving public safety, also helped intelligence agencies crack into perceived adversaries’ encrypted communications — an opposition politician in Uganda and dissident bloggers in Zambia, the Journal’s Joe Parkinson, Nicholas Bariyo and Josh Chin report.
“The Huawei technicians worked for two days and helped us puncture through,” a senior officer at Uganda’s surveillance unit told the Journal, describing how the Chinese telecom’s workers helped the unit hack the WhatsApp and Skype communications of opposition politician and pop star Bobi Wine. They used that information to arrest Wine and dozens of his supporters, the Journal reports.
The company also helped Zambian officials shut down opposition news sites, the Journal reports. “Whenever we want to track down perpetrators of fake news, we … work with Huawei to ensure that people don’t use our telecommunications space to spread fake news,” a Zambian official said.
The story marks the latest in a string of revelations about Huawei doing business with repressive governments, including Iran and North Korea. And Huawei’s willingness to help authoritarian regimes spy on their citizens suggests the company would also be willing to help Chinese government digital spying operations in other nations, say the Trump administration officials who have effectively banned Huawei from playing any role in building next-generation 5G networks in the U.S. and are lobbying allies to follow suit.
Taken together, this is yet another data point in their argument that the West and China are in a big-picture battle over the future of the Internet – and a Chinese victory will mean far more government control over communications and far less freedom and privacy for everyone else.
“A country that uses data in the way China has — to surveil its citizens, to set up credit scores and to imprison more than 1 million people for their ethnic and religious background — should give us pause about the way that country might use data in the future,” Robert Strayer, the State Department’s top official for cybersecurity issues, said during an address at a think tank earlier this year. “It would be naive to think that country, [given] the influence it has over its companies, would act in ways that would treat our citizens better than it treats its own citizens.”
Huawei said numerous details in the Journal story were incorrect. The company has steadfastly denied spying on behalf of the Chinese government and said it would not spy if Beijing asked it to — though U.S. officials argue Chinese companies have little power to ignore such requests.
Chin described the situation in stark terms on Twitter, noting that two former “models of web freedom in Africa have embraced China’s vision of the internet.”
Here’s the shape of the world to come: Two countries that used to be models of web freedom in Africa have embraced China’s vision of the internet. And Huawei is in both places, hand-holding local police as they learn to shackle dissidents with digital surveillance https://t.co/sd0NeJpd5M
— Josh Chin (@joshchin) August 14, 2019
Kenneth Weinstein, president of the conservative Hudson Institute, called the story “further proof that Huawei is part and parcel of the [Chinese] hi-tech surveillance state governance model being sold abroad.”
Further proof that Huawei is part and parcel of the PRC hi-tech surveillance state governance model being sold abroad: @wsi investigative report on embedded Huawei technicians helped cyber-surveillance units in Africa snoop on political opponents. https://t.co/wAaNMPo7ij
— Kenneth Weinstein (@KenWeinstein) August 14, 2019
The Journal report isn’t smoking-gun evidence that Huawei will help Beijing spy in nations where it has business, as the Journal reporters note.
“The Journal investigation didn’t turn up evidence of spying by or on behalf of Beijing in Africa,” the authors write. “Nor did it find that Huawei executives in China knew of, directed or approved the activities described. It also didn’t find that there was something particular about the technology in Huawei’s network that made such activities possible.”
It does, however, raise a question about whether the company’s assistance to repressive regimes represents a broader effort to export the Chinese Internet model.
“The big question has been whether Chinese companies are just doing this for the money, or whether they’re pushing a specific kind of surveillance agenda,” Steven Feldstein, a digital surveillance expert and a former Africa specialist at the State Department, told the Journal. “This would suggest it’s the latter.”
The situation is even more dangerous because 5G networks will transmit hundreds of times more data than earlier generations of wireless infrastructure. 5G will also support a vast expansion of Internet-connected devices such as smart cameras and autonomous vehicles, raising the risk of mass surveillance or even digital attacks that endanger people’s lives — say, if a digital attacker ran an autonomous car off the road.
The U.S. government has a spotty record in convincing allies to eschew Huawei, however. Only a handful of nations, including Australia and Japan have announced they’ll totally bar the company from their 5G builds and several European nations say they’re considering letting the company play at least a limited role.
To readers: The Cybersecurity 202 will publish on Tuesdays, Wednesdays and Thursdays this week and next and will take a break the week of Aug. 26 before returning full-time in September.
PINGED, PATCHED, PWNED
PINGED: Sen. Ron Wyden (D-Ore.) wants Democratic and Republican Party campaign committees to tell Congress what they’re doing to protect themselves from the kinds of Russian and Chinese-backed cyberattacks witnessed by both parties in recent years.
“Unfortunately, there are currently no federal laws or regulations that require political parties and campaign[s] to take even the most basic of steps to implement good cyber hygiene,” Wyden wrote in a letter yesterday shared with me. “This approach is obviously not working.”
Wyden’s top questions for both parties’ national committees and House and Senate campaign committees include how much they’re spending on cybersecurity, whether they employ a full-time chief information security officer, and whether they have accepted voluntarily cybersecurity assistance from the Department of Homeland Security. Answers will help lawmakers “assess the magnitude of the parties’ continued vulnerability to cyberattacks” and possibly inform legislative fixes, Wyden writes.
The DNC has doubled down on cybersecurity since it was hacked in 2016, offering updated checklists and trainings to candidates. The National Republican Congressional Committee pledged last month to offer candidates free cybersecurity assistance. But both parties are still vulnerable to attacks, according to researchers.
PATCHED: Sen. Elizabeth Warren (D-Mass.) is asking the Federal Trade Commission’s internal watchdog to look into whether the agency misled consumers about how much money they could receive from a $700 million settlement with Equifax, my colleague Tony Romm reports. The agency warned consumers last month that they were likely to get a lot less than the “up to $125″ first advertised as a settlement offer.
“The FTC has the authority to investigate and protect the public from unfair or deceptive acts or practices, including deceptive advertising,” Warren wrote in a letter to the FTC’s inspector general. “Unfortunately, it appears the agency itself may have misled the public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled.”
Warren claims the FTC had conflicting information on its website that did not make it clear that the cash payment would likely be much less than the maximum $125. After high demand for the cash payout, the FTC released a blog post encouraging consumers to choose free credit monitoring services instead.
Warren previously introduced a bill that would have required Equifax to pay at least $1.5 billion in penalties, with at least 50 percent going to consumers. The bill would have also established an Office of Cybersecurity at the FTC to better hold credit reporting agencies accountable for breaches.
PWNED: The hacker accused of breaching the data of 106 million Capital One users may have also stolen data from more than 30 other companies, my colleague Renae Merle reports, citing court documents filed yesterday. Files seized from alleged hacker Paige Thompson’s computer servers had “multiple terabytes of data … from more than 30 other companies, educational institutions, and other entities,” prosecutors say. Thompson probably will face additional charges based on the additional alleged data thefts, Renae reports.
Prosecutors have not disclosed the names of the other targets but said the newly confirmed breached data does not appear to contain any personal information. Unicredit, Italy’s largest bank, and the Ohio Department of Transportation both confirmed earlier this month that they were investigating hacks likely committed by Thompson. Meanwhile, Vodafone, Ford and Michigan State University were identified as potential targets by both Israeli security firm CyberInt and cybersecurity blogger Brian Krebs.
The Global Cyber Alliance, a nonprofit organization that has launched initiatives to improve the cybersecurity of small businesses and people in developing nations, is launching a program today to help small businesses and individuals find and prevent digital bugs in their Internet-connected devices such as cameras, home assistants and smart thermostats. The organization is also offering another free tool that can help researchers find bugs in connected devices by effectively mimicking the devices in locations around the world and watching how hackers try to attack them. Check out details here.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
- The U.S. Election Assistance Commission will convene Secretaries of State, along with representatives from government and voting system manufacturers and testing laboratories for EAC Election Security Forum from 12:30-3:30 p.m.