Welcome to Codebook, the cybersecurity newsletter taking suggestions for a Halloween costume. If you have a tip or story idea for the newsletter, just hit reply.
Situational awareness: FireEye says it has found multiple pieces of evidence independently tying the core Triton malware used to hack industrial control systems in 2017 to the Russian government lab, Central Scientific Research Institute of Chemistry and Mechanics.
1 big thing: Australia's encryption bill raises Cisco's hackles
Australia’s new encryption legislation has red flags beyond the usual encryption debate, Eric Wenger, Cisco's director of cybersecurity and privacy for government affairs, tells Codebook.
Wenger recently testified in front of lawmakers Down Under about the bill, which is facing a vote in parliament within weeks, per Reuters.
Why it matters: Think of Australia as the first domino in a global move toward encryption legislation. Its bill — which would give law enforcement access to encrypted data without the consent of the owner — would likely be a model for the U.S. and others.
- The "Five Eyes" intelligence alliance — Australia, Canada, New Zealand, the U.S. and U.K. — recently released a coordinated statement on the need for governments to have access to encrypted files. Soon after, Australia introduced its legislation.
- "It would make sense there's an expectation that the other countries in the group would want to try to follow Australia’s example," Wenger says.
- Many products are designed with U.S., Canadian and U.K. markets in mind, given their size. Legislation from those countries is mimicked around the world.
The Australian bill is the next link in a chain of legislation dating back to 1994, when the U.S. passed the Communications Assistance for Law Enforcement Act (CALEA), Wenger says.
- CALEA requires digital telephone carriers to be compatible with wiretaps, but it doesn’t apply to encrypted chat apps that use the same networks.
- The U.K.’s Investigatory Powers Act took CALEA a step further, requiring manufacturers to help law enforcement decrypt devices and communications if the manufacturer has access to do so.
- The Australian law allows the attorney general to order technology providers to redesign a product to provide law enforcement with access.
There are safeguards written into the bill, but Wenger says Cisco sees ways they might fall short:
- "The way we read it, the Australian law could require us to build a capability to surveil but not disclose it. ... We want to be able to disclose any new features."
- The bill specifically bars the attorney general from demanding a "systemic vulnerability," but doesn't define what that means.
- Law enforcement agencies suggest defining "systemic" as affecting all copies of a device. "That seems broad."
- Cisco worries there is no court process to challenge an order.
Even if all these issues are addressed, there may be unintended consequences. The easiest way to add a surveillance system may be through a tainted system update. But that might lead users to abstain from updating systems, causing catastrophic security problems.
The bill explicitly permits the government to hack systems for surveillance. While the U.S. has a process for determining if the benefit of hoarding hacking techniques outweighs the risks of not allowing manufacturers to patch vulnerable products, many governments — including Australia — do not. Wenger thinks such a process should precede any hacking by a government.
The bottom line: These concerns are above and beyond all the traditional, familiar arguments about the dangers of circumventing encryption — and suggest just how big a fight the coming encryption debate could become.
2. AWS and Super Micro join Apple's retraction call
Two major tech companies have joined Apple in calling for Bloomberg to retract its controversial story claiming Super Micro shipped servers implanted with Chinese government spy chips.
Driving the news: On Monday, Andy Jassy, who heads the Amazon Web Services division said to have been aware of the chips, said Bloomberg should retract their story. Super Micro CEO Charles Liang followed suit shortly after. Apple CEO Tim Cook had called for a retraction last week, via BuzzFeed.
What they're saying:
- Cook: "I feel they should retract their story. There is no truth in their story about Apple. They need to do the right thing."
- Jassy: "[Tim Cook] is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract."
- Liang: "Bloomberg should act responsibly and retract its unsupported allegations that malicious hardware components were implanted on our motherboards during the manufacturing process," per CNBC.
We've covered the controversy in the past. It's worth noting that the Department of Homeland Security, a key NSA official, lawmakers, the British federal cybersecurity service and a boatload of security experts all contest the truth of the original story.
- Amazon, Apple and Super Micro all issued denials that would likely bring down the wrath of stock market and trade regulators if they were untrue.
- I've spoken to some fairly high level people trying to check Bloomberg's work who are also baffled by the story. Other reporters — save for Bloomberg — have also struck out.
Super Micro is investigating the claims, the company wrote in a Monday letter to customers trying to dispel fears stemming from the story, separate from its call to retract.
- The letter calls the Bloomberg story "technically implausible," noting that implanting a chip in a server isn't as simple as attaching an extra component to the board — it requires things like power that may require architectural changes to other parts of the motherboard.
Bloomberg reiterated an earlier statement to Codebook when asked for comment, saying it stands by its story, "the result of more than a year of reporting, during which we conducted more than 100 interviews."
3. Cyber Command sees you, Russian operatives
The New York Times’ Julian Barnes reports that U.S. Cyber Command is warning individual Russian disinformation operatives that America is on to them and watching their every move.
The big picture: The Times is clear that these aren’t threats, though adds that anyone working in propaganda would likely know the Russians could be sanctioned or even indicted for this kind of work.
4. Overlooked in the new Russia indictment
On Friday, the Department of Justice announced it had filed charges against a Russian citizen who was the accountant for the Russian misinformation campaign most famous for meddling in the 2016 elections and that continues today.
Details: You've probably already heard several key facts from that complaint, but just in case...
- The defendant is allegedly part of the same conspiracy from the earlier Internet Research Agency indictment.
- Accounting documents obtained by DOJ are said to show the social media propaganda campaign cost $35 million between 2016 and this summer. Based on its most recent known spending, it's likely now near or beyond $40 million.
- The campaign tried to rile up both Democrats and Republicans over a variety of issues, including making and retweeting statements both for and against the earlier indictment of members of the campaign.
- Giving advice on how to frame propaganda, management advised that "Colored LGBT are less sophisticated than white; therefore, complicated messages do not work," and that John McCain was a "geezer."
One more thing: It didn't get mentioned a lot, but the budgeting for Russian misinformation appears to have stayed constant even after the 2016 election and to have nearly doubled between last February ($1 million) and this February ($1.7 million).
- The campaign, as detailed, was certainly intended to interfere with the election.
- But if the funding and activity stays constant in non-election years and only increases, it supports what intelligence sources already believe: The primary goal of the campaign isn't to influence elections, it's to create general chaos over whatever the news of the day is.
5. Bolton: Election hacking ineffective but still rude
National Security Adviser John Bolton told a Russian radio station Monday that the multi-level Russian scheme to impact the 2016 election didn't have any effect, but nonetheless made relationships between Washington and Moscow more difficult. He's currently in the region to meet with his Russian counterparts.
My thought bubble: This — in line with the administration's general unprovable position that hacking the DNC and spewing propaganda over RT and social media had no effect — strikes some people as insincere.
- But, it's not clear what people expect Bolton to say here. It's awfully hard, strategically, to tell Russia: "Your campaign worked. Stop doing it anyway."
6. Odds and ends
- After $700,000 (AUS) researching potential uses, the Australian government determines "for every use of blockchain you would consider today, there is a better technology." (ZDNet)
- The new business model in cybersecurity: Pay per phish. (Axios)
- A years-old vulnerability in a popular website plugin, just noticed by a good-guy researcher, has been exploited since 2015. (Naked Security)
- Japan asks Facebook to up its security measures following lapses. (Reuters)
- Don't fake court orders to take down Google Reviews. (The Register)
Codebook will be back on Thursday. Just try to stop it.