Jan 8, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that did not win the NCAA football championship.

Tips? Sending me story ideas is as easy as replying to this email.

1 big thing: The shutdown has cybersecurity costs

The government is on hiatus. Enemies of the United States are not.

Why it matters: During the government shutdown, essential personnel are exempt from the furlough — so in theory, anyone preventing cybersecurity calamities is still showing up for work. But experts believe the loss of support staff makes the cybersecurity effects of a shutdown bad in the short term and worse in the long term.

The fallout: Consider the difficulty of maintaining security in government networks before a government shutdown. Now try doing that with fewer people.

  • "Defending federal networks is already an act of triage, due to personnel shortages, legacy IT overhang, uneven risk management practices and a hostile threat environment. Furloughs make a hard job even harder," said Andrew Grotto, a former White House cybersecurity adviser for Presidents Obama and Trump and a current employee of Stanford's Hoover Institution.
  • While critical personnel are still on duty during a shutdown, he added, "What that means as a practical matter is that these people have to do even more than usual."

Those problems will stick around after the shutdown. It's likely, say multiple former federal employees Codebook spoke to, that federal networks will fall behind on basic hygiene tasks.

  • "Government shutdowns tend to affect support activities disproportionately, such as hiring or vetting contracts. Thus, over time, personnel slots will go unfilled and contracts will expire, making it difficult to sustain the workforce or upgrade equipment," noted Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry group Cyber Threat Alliance.

In the long term, this could do irreparable damage to the federal government's ability to hire cybersecurity talent.

  • The unemployment rate for trained cybersecurity personnel is famously at 0%, the private sector pays better and the only advantage the government has in hiring is the importance of the work and the gratitude of a nation.
  • Willingness to shutter the government doesn't speak too highly to the perceived value of the job or its employees.

Departments devoted to cybersecurity policies will grind to a halt.

  • The National Institute of Standards and Technology, which is developing a widely awaited privacy framework, is seeing its staff reduced to 49 out of its normal cohort of roughly 3,000 employees.
  • The Department of Homeland Security's newly christened Cybersecurity and Infrastructure Security Agency will be without a substantial amount of support staff. By DHS' tally, 43% of the workforce — over 1,500 employees — are furloughed.

Security-related investigations and prosecutions at the FBI and Department of Justice will continue with all employees carried over.

The bottom line: Furloughing cybersecurity staff creates both short-term and long-term vulnerabilities.

  • "Cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown," said Lisa Monaco, former assistant to the president for homeland security and counterterrorism.

2. German man admits hacking German politicians and celebs

A German man has confessed to releasing documents on German politicians, journalists and other high-profile individuals under the guise of a Twitter advent calendar.

Details, including the suspect's name, are still hazy, but what is known is this:

  • The advent calendar ran during the Christmas season before coming to light last week.
  • The suspect is said to have been motivated by political statements made by the victims.
  • The victims included members of all political parties, save the far-right AfD.

Germany reached out to the NSA for help investigating the data leaks.

3. WikiLeaks' media commandments: The edited version

WikiLeaks sent reporters a "confidential" document Sunday to tell them not to say certain things about the site or its head, Julian Assange.

The intrigue: One thing no one can say about WikiLeaks — because it isn't true, not because it's in the document — is that the site has been particularly straightforward with the public about the document, which was quickly leaked by independent reporter Emma Best.

Best published the document as it was sent to reporters. WikiLeaks followed suit Monday, tweeting "FULL DOC: WikiLeaks' legal letter of media myths and falsehoods, in the news today, has, unsurprisingly, leaked" with a link.

But, but, but: The document WikiLeaks shared by tweet was not the same as the list it sent to reporters. As Best noted, the tweeted link (labeled version 1.3 of the document) edited a number of the lines that WikiLeaks was being mocked for — including:

  • "It is false and defamatory to suggest that Julian Assange stinks."
  • "It is false and defamatory to suggest that Julian Assange lives or has ever lived in a basement, cupboard or under the stairs."
  • The latter, wags pointed out, made Assange sound a touch Harry Potter-y.

While WikiLeaks edited parts of the document that related to the site, it did not correct a portion of the document misidentifying the gender of Chelsea Manning, convicted of leaking diplomatic cables to WikiLeaks.

4. Propaganda site USA Really loses security certificate

USA Really — a site recently sanctioned by the Treasury Department as a Russian influence operation — lost its security certificate over the weekend, according to McClatchy News.

Why it matters: Security certificates allow sites to open "https" connections, which are often necessary to prevent browser warnings that sites are not secure.

Details: Treasury's move apparently led USA Really's certificate issuer, Let's Encrypt, to revoke its certificate.

5. Odds and ends

  • The House of Representatives voted to create a position of whistleblower ombudsman. Whistleblower protections are often seen as a way to head off some federal data leaks. (Government Executive)
  • A Virginia federal court unanimously ruled that politicians blocking people on social media violates the First Amendment. The victor was represented by the same legal team pursuing a similar case against Donald Trump. (Ars Technica)
  • A hacker sent fake messages over an Australian emergency messaging system. (Naked Security)
  • The company Zerodium increased its payouts for security bugs in a variety of products it uses in its commercial hacking consultancy. (Zerodium)
  • Judge to alleged Russian internet troll's lawyer: Quoting "Animal House" is no way to go through life, son. (Washington Post)
  • Vinyl and cassette sales saw double-digit growth last year. (The Verge)

Codebook will return on Thursday