If Kaspersky, Huawei and ZTE are suspected of helping Russia and China spy on U.S. government computer systems, they shouldn’t be allowed near sensitive academic research projects.
That’s the argument made by three Republican lawmakers who introduced a bill Tuesday that would bar researchers who work on many federally funded projects from using any technology from those companies – or from any other companies with close ties to the Russian or Chinese governments.
The goal is to ensure it’s just as hard for Russian and Chinese government-linked hackers to steal important U.S. academic research as it is for them to steal government secrets, the bill’s sponsor, Rep. Jim Banks (R-Ind.), told me.
“Huawei and ZTE are snakes in the grass, tools of the Chinese government,” Banks said. “If we restrict their use for federal government purposes, we should restrict their use on college campuses as well for anything related to sensitive research.”
The Protect Our Universities Act would apply to projects that receive funding from the intelligence community, Pentagon and Energy departments, but not to classified projects, which are subject to numerous other security requirements. It would also apply to projects dealing with technology that the State and Commerce departments have restricted from being sold abroad to some degree.
The concern here: That academic researchers who aren’t specifically focused on cybersecurity might use Kaspersky anti-virus simply because it’s cheaper than other options or unwittingly buy technology with Huawei components.
The bill — which is co-sponsored by Reps. Trent Kelly (R-Miss.), Paul Cook (R-Calif.) and Don Bacon (R-Neb.) — is a further indication of how an effort that began with banning a few companies that posed cybersecurity risks to government computer systems is growing into an all-out battle to block numerous Russian and Chinese companies from access to American secrets.
The cybersecurity provisions in the bill are part of a larger set of security measures that include requiring the intelligence community to conduct background checks on students and researchers who work on those projects and who are citizens of Russia, China, Iran or North Korea.
Banks serves on the House Education and Armed Services committees, which probably will review the bill. He was also a leading author of a letter last year with 26 Senate and House members asking the Education Department to perform a voluntary review of Huawei’s involvement in federally funded university research projects – a request he said the department failed to act on.
“The response has been inadequate at best from the Department of Education, and meanwhile the threats continue to grow,” Banks told me.
Kaspersky and Huawei have consistently denied spying on behalf of their governments and both sued the U.S. government for banning them from its computer networks. Those denials have done little, however, to deter officials in the U.S. and elsewhere from trying to scrub them from other sensitive sectors.
Washington is especially stepping up the pressure on Chinese telecom giant Huawei, which Congress ordered off government systems last year. U.S. officials worry Huawei could help Chinese snooping on a mass scale if it gains a privileged position in next-generation 5G telecommunication networks, and they’ve been crisscrossing the globe making that case to allies.
The Federal Communications Commission is also considering banning Huawei from even less-powerful 4G networks in areas that receive federal assistance to make cell service more affordable.
The federal government is also creating a committee to review cybersecurity and national security dangers posed by all federal contractors and to recommend banning the riskiest ones — including companies with ties to governments such as Russia and China that U.S. officials don’t trust.
The Protect Our Universities Act would create a similar commission to determine which companies are too risky to be trusted near sensitive research projects and to share the list of those companies with universities.The first draft of that list must include Huawei, ZTE and Kaspersky, the legislation states, as well as Hikvision and Dahua, two Chinese makers of video surveillance products, and Hytera, a Chinese radio systems manufacturer.
The list, which would be regularly updated, should also include any companies that are controlled by or have deep financial ties to the Russian or Chinese governments or to Iran or North Korea, the bill states.
In addition to introducing the bill on its own, Banks also intends to introduce it as an amendment to the National Defense Authorization Act, a mammoth annual defense policy bill. He’s especially hopeful the bill can pass in that form, he said, because it’s previously been a vehicle for major cybersecurity reforms, including the government’s Kaspersky and Huawei bans.
“A number of my colleagues have been caught off guard realizing there’s a greater threat here than they realized,” Banks told me. “The nature of the growing threat to our national security research on college campuses is too great and we can’t turn a blind eye to it.”
— Shane Harris contributed
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED, PATCHED, PWNED
PINGED: The Navy and the contractors that supply it are “under cyber siege” from Chinese hackers, according to a Navy review obtained by the Wall Street Journal. That digital assault is threatening the United States’ position as the world’s top military power, the Journal’s Gordon Lubold and Dustin Volz reported.
“The 57-page document is especially scathing in its assessment of how the Navy has addressed cybersecurity challenges facing its contractors and subcontractors, faulting naval officials for not anticipating that adversaries would attack the defense industrial base and for not adequately informing those partners of the cyber threat,” Lubold and Volz reported.
The report also “acknowledges a lack of full understanding about the extent of the damage,” according to the Journal report.
PATCHED: Another review published by the Government Accountability Office Tuesday found that most government agencies don’t have a firm grasp on what their cybersecurity workers should be doing or the appropriate qualifications for those jobs.
That lack of clarity is making it harder for agencies to properly fill vacant cybersecurity jobs and putting government computers and data at higher risk of hacking, the report states.
The GAO found that 22 out of 24 government agencies, including NASA and the General Services Administration, were likely misclassifying about a fifth or more of their cybersecurity workers. It found that six of those agencies hadn’t completed classifying the workers at all, despite an April 2018 deadline.
PWNED: Many state and local election systems are still outdated and vulnerable to hacking, Cybersecurity and Infrastructure Security Agency Director Chris Krebs plans to warn a House Appropriations panel tomorrow, according to prepared testimony.
“We recognize that there is a significant technology deficit across [state, local, territorial and tribal] governments, and state and local election systems, in particular,” Krebs plans to say. “It will take significant and continual investment to ensure that election systems across the nation are upgraded and secure, with vulnerable systems retired.”
The White House’s proposed budget would deliver “more than $1 billion for DHS cybersecurity efforts” including assisting state and local election officials, but details of that funding haven’t been released yet. Congress will also debate this year whether to deliver additional money directly to states to buy new voting machines and to upgrade cybersecurity protections, but it’s not clear how much money they’ll provide or what strings they’ll attach to it.
— Sens. Martin Heinrich (D-N.M.) and Rob Portman (R-Ohio) will announce the launch of a bipartisan artificial intelligence caucus this morning. It’s an issue that often dovetails with cybersecurity because hackers that compromise AI systems could steal very complex data about people’s personal lives and preferences. The caucus aims to connect members and staff with artificial intelligence experts in the private sector and academia, and will complement the work the Trump administration is doing on prioritizing artificial intelligence in federal agency spending, the senators said. Caucus members will include Senators Brian Schatz (D-Hawaii), Cory Gardner (Colo.), Gary Peters (D-Mich.) and Joni Ernst (R-Iowa).
More cybersecurity news from the public sector:
Cybersecurity news from the private sector:
THE NEW WILD WEST
Cybersecurity news from abroad: