Welcome to Codebook, the only cybersecurity newsletter being written during a staff meeting.
Situational awareness: House Homeland Committee is discussing transportation cybersecurity.
The big picture: Neither country particularly wants to be spied on. But the U.S. has apparently failed to make a strong enough case to its partners that Huawei can't be trusted.
Background: The U.S. argues that Huawei likely sabotages its products to allow China to spy on the data they transfer. At a minimum, the U.S. says, Chinese law requires a company like Huawei to aid its home country if the government demands it.
The allies' rejection is a black eye for the United States in global efforts to thwart a threat, particularly if the U.K. doesn't follow the U.S. lead. The U.K. is perhaps the United States' closest intelligence ally.
What went wrong: In part, neither Germany nor the U.K. might have been the most receptive audience for the American message.
Yes, but: That doesn't mean the United States has played its hand particularly well.
Inconsistent U.S. stances on China have not helped, either. Getting others to take Chinese threats seriously is harder for the Trump administration after it has suggested that just about anything related to China could be used as a bargaining chip in trade negotiations — from the allegations of espionage by ZTE, another major Chinese manufacturer, to the arrest of Huawei's CFO for fairly significant crimes.
If you heard last week that popular password managers — including LastPass, 1Password and others — had dangerous vulnerabilities, you may have been tempted to stop using them.
Don't do that: This isn't the first time a problem has come to light in password managers — and it's a more boring problem than media coverage has made it out to be. But even acknowledging that password managers, like all software, may have flaws, the benefits of using a password manager will almost always outweigh the risks for average users.
The big picture: "Password managers are a better way of using passwords for most people," said Dave Lewis of Duo, a company that specializes in providing two-factor authentication for all logins, including password managers.
The kinds of vulnerabilities that get found in password managers have so far tended to be for targeted attacks, which are less likely. It's always a better option to guard against the higher-risk attack.
Mozilla is currently determining if DarkMatter, a UAE group likely involved in surveillance operations, should be trusted as a certificate authority, a trusted third party aiding in the security of the internet.
Why it matters: Reports from Reuters and The Intercept have described DarkMatter as the company running the UAE's hacking intelligence operations. And entrusting DarkMatter with protecting other sites may give it more access to cause harm.
Yes, but: The traditional criteria for being a certificate authority are, more or less, whether a group meets technical standards and hasn't abused its authority in the past. DarkMatter is, by these standards, as valid as anyone.
The U.S. Election Assistance Commission announced Monday that Christy McCormick will take a second term helming the commission.
Why it matters: The EAC interfaces with states on elections, including on voluntary voting machine security standards. While Homeland Security also offers substantial resources for election security, EAC is in charge of distributing funds released last year to upgrade security and would distribute funds in the Democrats' new election security plan.
The intrigue: McCormick headed the EAC between 2015 and 2016. But in January 2017 — while she was still a commissioner — she claimed the U.S. attribution that Russia had spearheaded hacking efforts against parties and states was "political," "thin" and contained elements that were "patently untrue."
Yes, but: McCormick made the comments as part of an argument that the Department of Homeland Security should not have deemed elections critical infrastructure. Among conservatives at that time, there was rampant paranoia that the government's offer of voluntary resources to states was intended as a national takeover of elections.
Codebook will be back on Thursday.