Warning Amplifies Previous US Intelligence Agency Alerts
The chief security officer for the Democratic National Committee is advising officials to not use mobile devices made by Chinese manufacturers ZTE and Huawei.
The warning comes from Bob Lord, who was chief information security officer for Yahoo for two years before becoming CSO of the Democratic National Committee in January. Prior to Yahoo, Lord was the director of information security for Twitter.
Lord says that Democratic entities should not use ZTE or Huawei devices “even if the price is low or free” and that no one wants to be the next “patient zero,” he writes.
“Last February, the heads of the FBI, CIA and NSA strongly recommended that Americans not purchase Huawei or ZTE devices as they pose a security risk,” Lord writes. “I wanted to highlight that the intelligence community does not make statements like this lightly.”
The advice comes as U.S. intelligence officials warn that Russia is conducting active campaigns designed to influence the mid-term elections in November.
Last week, U.S. Director of National Intelligence Dan Coats said that Russia continues to run messaging campaigns intended to weaken the U.S. as well as hack into candidates and other government officials.
Coats says that U.S. agencies have learned from the 2016 presidential election meddling and that the government is taking a “broad spectrum of actions.” In mid-July, Coats warned that “the warning lights are blinking red again” in regards to attacks against the U.S.’s digital infrastructure (see How to Secure US Elections – Before It’s Too Late).
Backing Coats’ statements, Facebook last week it had shut down 32 pages and groups that it believed were involved in “inauthentic” activity (see Facebook Reveals Ongoing Political Influence Campaigns).
The social media site stopped short of blaming Russia, but said some of the groups’ tactics used appeared similar to those of the Internet Research Agency, a St. Petersburg-based group identified as the hub of the much of Russia’s alleged manipulation of social media sites (see Facebook: Bogus Russia-Linked Accounts Bought Political Ads).
An investigation led by Special Counsel Robert Mueller has resulted in several indictments of Russians accused of meddling with the 2016 presidential election. Mueller’s probe continues to investigate connections between Russians and U.S. citizens involved in Trump’s campaign.
Lord’s warning, however, addresses China, which Coats has also singled out – with Russia, Iran and North Korea – as posing the greatest cybersecurity threat to U.S. interests.
Although Lord did not explicitly spell out the threats, security experts have long warned of so-called supply chain attacks. The fear is that hidden backdoors in hardware or software may be used to steal information.
Last December, the U.S. government banned use of Kaspersky Labs’ security software over worries that the company may be influenced by Russian intelligence agencies. Kaspersky denies that it helps Russian agencies for espionage purposes and last October offered to make its source code available for review (see New Law Bans Kaspersky AV Software From Federal Computers).
ZTE and Huawei have long faced accusations that their products may either wittingly or unwittingly subverted by Chinese intelligence agencies. Both companies have denied the accusations.
Huawei was banned from bidding on U.S. government contracts in 2014. Earlier this year, the Pentagon forbid its internal stores from selling Huawei and ZTE devices, although the devices could still be purchased for personal use.
In June, meanwhile, the U.S. government banned domestic manufacturers from selling key components to ZTE, in response to the company having violated trade sanctions against Iran and North Korea. In response, ZTE agreed to pay $1.4 billion in fines – receiving bailout help from the Chinese government to stay afloat – and attempted to calm investors by promising to replace its board of directors.
Whether the Democrats will fare better – from information security perspective – this election season than in 2016 remains to be seen.
But to be sure Democrats, Republicans and other parties are much more aware of the dangers. Many of the successful attacks against Democratic organizations and officials in 2016 focused on spear-phishing attacks, which collected authentication credentials.
“Last February the heads of the FBI, CIA and NSA strongly recommended that Americans not purchase Huawei or ZTE devices as they pose a security risk. I wanted to highlight that the intelligence community does not make statements like this lightly.”
—Bob Lord, CSO, Democratic National Committee
Leaked emails from compromised account of top Democratic officials threw the party into tailspins, allowing then-candidate Donald Trump to seize on the turmoil.
Candidates and officials are likely being nudged to use two-factor or multifactor authentication, preferably with the time-sensitive codes that are not sent over SMS. That’s due to SIM hijacking, where an attacker tricks a mobile provider into porting a number to another SIM card thus capturing the codes.
Last week, Reddit disclosed a breach that occurred in part because one of its employees phone numbers was hijacked. Motherboard has also recently highlighted the dangers of SIM card hijacking, with attackers seizing control of social media accounts and stealing cryptocurrency (see Reddit Says Attackers Bypassed SMS-Based Authentication).
Executive Editor Mathew Schwartz also contributed to this piece.