Jan 30, 2020



Welcome back to Axios' cybersecurity newsletter, brought to you once again by your guest host, Scott Rosenberg.

Today's edition is 1,497 words, a 5.5-minute read.

1 big thing: Huawei's trial by "what if"

Illustration: Aïda Amer/Axios

U.S. critics of Huawei are ramping up a campaign to make the Chinese telecom giant a global pariah even as key American allies remain unsold on the case against the company.

Where it stands: U.S. officials and experts advocating blocking trade with Huawei lack hard evidence of Beijing-backed misdeeds, so they're asking the rest of the world to make choices based on "what if" scenarios.

Driving the news: Prime Minister Boris Johnson announced Tuesday that the U.K. would use Huawei as one supplier for "non-core" parts of its 5G network.

  • The British choice flouted U.S. security warnings and threats that such a move could endanger the long-standing "special relationship" between the nations and cause the U.S. to stop sharing intelligence with its transatlantic ally.
  • Wednesday, the EU followed suit, recommending restrictions on Huawei but not an outright ban.
  • Germany is still making up its mind.

Britain says it will keep Huawei far away from key routers and other network nerve centers. But intelligence experts for both the U.S. and many of its "Five Eyes" allies believe that the advent of software-configurable equipment and 5G's more decentralized network architecture have eroded the distinction between "core" and edge, leaving networks at risk from almost any point.

The big picture: U.S. efforts to quarantine Huawei come as the Trump administration pursues a trade war with China and Americans grow more concerned over Beijing's willingness to bend technology to its own ends — as it has in surveilling Uighur Muslims.

The case against Huawei relies on two key scenarios.

1. Espionage: Huawei critics and human rights experts, citing the company's close relationship with China's government and military, along with the provisions of China's 2017 National Intelligence Law, say that any country that uses the company's equipment to build a next-generation 5G wireless network will open its communications networks to Chinese spying and surveillance.

  • Yes, but: Overseas, leaders and executives haven't forgotten the long and messy history of U.S. telecommunications surveillance by the NSA and other agencies.

2. Sabotage: In a future crisis, Huawei critics say, use of the company's equipment in key networks could render them vulnerable to surprise attacks or give China access to U.S. energy facilities, factories and other critical infrastructure.

Throughout this conflict, which began early in 2018 and ramped up dramatically last year when the U.S. declared a national emergency and barred U.S. firms from trade with Huawei, the Chinese company has vehemently denied any wrongdoing.

The catch: The spying and cyber warfare scenarios that drive U.S. efforts to block Huawei from the global 5G market remain theoretical at this point.

  • There's more of a factual record supporting U.S. quarrels with Huawei over intellectual property issues and questions over the company's role in supplying nations like Iran and North Korea with equipment counter to U.S. and other international sanctions.
  • Those charges form the American case against Huawei CFO Meng Wanzhou, whom the U.S. is seeking to extradite from Canada.

Between the lines: A British oversight board tasked with auditing Huawei equipment last year found no evidence of Chinese government meddling but did find troubling shortfalls in “basic engineering competence and cyber security hygiene.”

  • Those flaws could give China — or other potential bad actors — a way to mess with 5G networks.
  • The routine stream of updates and patches Huawei, like all device manufacturers, sends its customers to fix such bugs could theoretically provide the company with another avenue to pursue espionage or sabotage.

Meanwhile, a new report in Germany suggests U.S. intelligence has provided authorities there with new "smoking gun" evidence that Huawei products are compromised, per Reuters.

The bottom line: The intelligence community broadly believes Huawei can't be trusted. But in the absence of evidence, many in the industry remain skeptical, and allied governments aren't falling in line with the U.S.

Go deeper: Inside the Feds' battle against Huawei (Garrett Graff, Wired)

2. Cybersecurity sees record venture capital investment in 2019
Adapted from PitchBook; Chart: Axios Visuals

The cybersecurity sector is attracting "unprecedented levels of VC dealmaking," according to the year-end Venture Monitor report by the National Venture Capital Association and PitchBook, Axios' Kim Hart reports.

Why it matters: Technology is now not just a sector of the economy, it is the primary driver of the economy. And the more wireless networks, software applications, cloud data centers and internet-connected devices we use, the more security vulnerabilities we'll have to protect against. 

The big picture: That's a big opportunity for smart investors. Virtually every company is willing to pay big bucks for security solutions and protection. And the threats are morphing all the time. 

Details: Cybersecurity capital investment hit a new record in 2019. 

  • The share of late-stage deals fell slightly due to strong interest in early-stage deals, per the data. 
  • The average deal size in 2019 was $17.3 million, a slight uptick from 2018. 
  • But average valuations fell to $136.8 million, a correction after a significant uptick from 2017–2018. 

3. Antivirus provider Avast shutters marketing arm

Avast is shutting down a controversial subsidiary that shared anonymized user data with marketing clients.

Driving the news: For years, Avast, which offers users free antivirus services, sold user data to marketers through a subsidiary, according to a report from Motherboard and PC Magazine.

  • Jumpshot, owned by Avast, provided clients with a trove of detailed user profiles that were technically anonymized but contained browsing histories, device IDs and other potentially identifying information.

What they're saying: Avast initially responded by saying that users have always been able to opt out of having their data tracked by Jumpshot.

  • After the coverage sparked criticism, the company posted a longer defense and said it has shifted from the opt-out scheme to one that invites users to opt in instead.
  • Wednesday, CEO Ondrej Vlcek posted an apology and said he was shutting down Jumpshot immediately.

The bottom line: Antivirus vendors are in the business of protecting users from risk. Marketers sharing user data is a source of risk (as well as a privacy concern, even with "anonymization").

Our thought bubble: If you need an antivirus tool, it's probably the kind of software that's worth paying for upfront so the provider doesn't have to scrounge for shadier sources of revenue.

4. Apple's closed security model: Great till it isn't

Last week's report that Jeff Bezos' iPhone was allegedly hacked via a WhatsApp message from Saudi Crown Prince Mohammed bin Salman discomfited a lot of Apple customers who long believed that one of the features of their high-priced phones was invulnerability.

The big picture: The flaw in this case was in WhatsApp, not the iPhone itself. But the larger lesson is that in a networked world full of incentives for digital mischief, there's no such thing as perfect security — only varying degrees of relative risk.

The iPhone has long been the safest bet for smartphone users, thanks to Apple's close control over the App Store and its tight reins on iOS.

  • The chief alternative, Google-developed Android, is an open-source project, which means phone manufacturers and software developers can easily adopt and adapt it for their own ends.
  • That flexibility has made Android cheaper and more ubiquitous than iOS, but it also means there are many "flavors" of its code with a wider range of bugs and flaws that offer hackers wider opportunities for attack.

The Washington Post lays out how iOS's and Android's differing software philosophies shape their security landscapes:

  • Open-source software like Android follows the principle that "given enough eyeballs, all bugs are shallow" — let the world pound on your system so you can find and fix as many flaws as possible. It's a messy approach that tends toward improvement as long as smart developers put their energy into squashing bugs.
  • Apple holds iOS code close, shares relatively little information about flaws, and provides all fixes and upgrades itself. That centralization keeps its software buttoned-down and clean.

The catch: Apple's approach, experts the Post talked to argue, also means that when there is an exploitable hole in iOS, it's easier to keep it secret and exploit it. That leaves "high-value targets" — like, say, billionaire Bezos — more likely to fall victim to high-value hacks.

The bottom line: As security researcher Patrick Wardle told the Post: “A lot of Apple security is amazing and really benefits the average user, but once you’re a target of an advanced adversary or three letter agency, the advanced security of these devices can be used against you.”

5. Odds and ends
  • Okta's sixth Business @ Work report finds that people — and their weak passwords — remain the weakest link in businesses' security defenses (Okta)
  • The United Nations covered up a major hack targeting its Geneva offices last year (The New Humanitarian)
  • New York Times reporter Ben Hubbard was the target of an attack that likely originated from Saudi Arabia using NSO Group's Pegasus software in 2018 (Citizen Lab)
  • The Cyber Threat Alliance and The Financial Services Information Sharing and Analysis Center agreed to collaborate on threat intelligence (CTA)
  • Google's bug bounty program has paid out over $21 million since 2010, $6.5 million in the last year (VentureBeat)
  • Cryptocurrency hacking incidents are up, but hackers stole less money (ZDNet)
  • Meet the Shlayer Trojan, the most common macOS malware (Wired)

6. One map thing: Where in the world is Ukraine?

When Secretary of State Mike Pompeo threw a fit at NPR journalist Mary Louise Kelly last week, he dared her to identify Ukraine on a label-free map of the globe.

That task is a cinch for anyone who grew up playing the board game Risk (or, for that matter, and more relevant to the State Department, Diplomacy).

An enterprising data editor has risen to this occasion by creating a do-it-yourself Ukraine-finding test. Take the Pompeo challenge yourself!