February 26, 2019

Welcome to Codebook, the only cybersecurity newsletter being written during a staff meeting.

Situational awareness: House Homeland Committee is discussing transportation cybersecurity.

1 big thing: U.S. falters at Huawei diplomacy


Last week, Germany and the U.K., two key U.S. allies, shrugged at Washington's call to ban Huawei 5G products from their networks.

The big picture: Neither country particularly wants to be spied on. But the U.S. has apparently failed to make a strong enough case to its partners that Huawei can't be trusted.

Background: The U.S. argues that Huawei likely sabotages its products to allow China to spy on the data they transfer. At a minimum, the U.S. says, Chinese law requires a company like Huawei to aid its home country if the government demands.

  • The U.S., Japan and Australia have each banned Huawei products — either outright or functionally — from being used as they build out national 5G networks.
  • The U.K.'s cybersecurity authority and Germany both suggested that there may be ways to mitigate the risk from Huawei products without banning them.
  • Huawei denies any espionage or wrongdoing.

The allies' rejection is a black eye for the United States in global efforts to thwart a threat, particularly if the U.K. doesn't follow the U.S. lead. The U.K. is perhaps the United States' closest intelligence ally.

What went wrong: In part, neither Germany nor the U.K. might have been the most receptive audience for the American message.

  • The U.K. has facilities to reverse engineer Huawei products to check if they have been sabotaged. Most experts agree that the U.K.'s position is likely closer to the United States' than media reports have let on — and Britain's failure to ban Huawei doesn't rule out other British action against Huawei.
  • Both Britain and Germany want to preserve their access to the Chinese market.

Yes, but: That doesn't mean the United States has played its hand particularly well.

  • The U.S. may have undermined itself by waging aggressive, America-first diplomacy against traditional partners.
  • "It doesn’t help that we have eroded our soft power," said Christopher Painter, the State Department's top cyber diplomat from 2011 to 2017.
  • "The administration is in a time warp. They think it's 1983 and everyone will do what we say," said Robert Manning, senior fellow at the Atlantic Council. "We can't keep beating up on Europe and thinking they won't react."

Inconsistent U.S. stances on China have not helped, either. Getting others to take Chinese threats seriously is harder for the Trump administration after it has suggested that just about anything related to China could be used as a bargaining chip in trade negotiations — from the allegations of espionage by ZTE, another major Chinese manufacturer, to the arrest of Huawei's CFO for fairly significant crimes.

  • "Trump undercutting the U.S. interest in ZTE makes a lot of people wonder if he’ll undercut on Huawei," Manning added.
  • And on Friday, Trump even tweeted that he wanted the U.S. to win on 5G (and the as yet nonexistent 6G) through competition, rather than blocking competitors from the market.
  • Many onlookers took that to mean his stance on Huawei was softening, even as Vice President Pence lobbied against Huawei at a Munich security conference.

2. Don't give up on password managers just yet

If you heard last week that popular password managers — including LastPass, 1Password and others — had dangerous vulnerabilities, you may have been tempted to stop using them.

Don't do that: This isn't the first time a problem has come to light in password managers — and it's a more boring problem than media coverage has made it out to be. But even acknowledging that password managers, like all software, may have flaws, the benefits of using a password manager will almost always outweigh the risks for average users.

The big picture: "Password managers are a better way of using passwords for most people," said Dave Lewis of Duo, a company that specializes in providing two-factor authentication for all logins, including password managers.

  • Typical users tend to reuse passwords across multiple sites.
  • Hackers commonly use lists of passwords taken from one site to try to breach accounts on other sites.
  • For most users, password managers are the best way to set a unique, strong password on every site, preventing that attack.

The kinds of vulnerabilities that get found in password managers have so far tended to be for targeted attacks, which are less likely. It's always a better option to guard against the higher-risk attack.

  • In this case, a researcher found that passwords were stored in computer memory in plain text. The issue was one that experts say was already known both to the companies and in the wider tech community.

3. Mozilla mulls if DarkMatter's dark matters matter

Mozilla is currently determining if DarkMatter, a UAE group likely involved in surveillance operations, should be trusted as a certificate authority, a trusted third party aiding in the security of the internet.

Why it matters: Reports from Reuters and The Intercept have described DarkMatter as the company running the UAE's hacking intelligence operations. And entrusting DarkMatter with protecting other sites may give it more access to cause harm.

Yes, but: The traditional criteria for being a certificate authority are, more or less, whether a group meets technical standards and hasn't abused its authority in the past. DarkMatter is, by these standards, as valid as anyone.

  • Mozilla says the review process is ongoing and "concerns raised by the recent Reuters investigation are an important part of that discussion."

4. Christy McCormick gets second term heading EAC


The U.S. Election Assistance Commission announced Monday that Christy McCormick will take a second term helming the commission.

Why it matters: The EAC interfaces with states on elections, including on voluntary voting machine security standards. While Homeland Security also offers substantial resources for election security, EAC is in charge of distributing funds released last year to upgrade security and would distribute funds in the Democrats' new election security plan.

The intrigue: McCormick headed the EAC between 2015 and 2016. But in January 2017 — while she was still a commissioner — she claimed the U.S. attribution that Russia had spearheaded hacking efforts against parties and states was "political," "thin" and contained elements that were "patently untrue."

Yes, but: McCormick made the comments as part of an argument that the Department of Homeland Security should not have deemed elections critical infrastructure. Among conservatives at that time, there was rampant paranoia that the government's offer of voluntary resources to states was intended as a national takeover of elections.

5. Odds and ends

  • How to hack a prosthetic arm (Kaspersky)
  • Flaws in 4G and 5G might allow tracking of phones. (TechCrunch)
  • Verizon wants to counter phone theft by locking phones for 60 days. (Ars Technica)
  • Schools might not have enough time in the day to teach cybersecurity. (The Conversation)
  • Q: How do you combat burnout in cybersecurity? (Fifth Domain)
  • A: By reading Codebook. (Codebook)

Codebook will be back on Thursday.