Welcome to Codebook, the cybersecurity newsletter taking a close look at how we prepare for 2020.
Illustration: Aïda Amer/Axios
For all the energy the U.S. has spent determining whether Donald Trump broke any laws when he enthusiastically welcomed hacking efforts against his 2016 opponent, the nation has done little to prevent candidates from doing the same thing in 2020.
Why it matters: The election is only a year and a half away, and Russia's methods of election interference demonstrated some degree of success. If a candidate were hell-bent on benefitting from hacking undertaken by hostile actors, either foreign or domestic, we have put no new barriers in place to stop such efforts.
What they're saying: "If anything, I think the Trump campaign would be emboldened to do the exact same things again," said Paul Rosenweig, a senior fellow at the conservative-leaning R Street Institute and former deputy assistant secretary for policy at the Department of Homeland Security.
Details: The Trump campaign has played coy about whether, presented with the exact same circumstances as 2016's hacking in 2020, it would behave the exact same way.
The catch: All of this is still arguably legal.
Democrats want an agreement with Republicans to not use hacked documents during campaigns.
The Trump campaign did not reply to requests for comment.
The bottom line, via Rosenweig: "If you don't spank a dog when it doodles on the rug, it will keep doodling on the rug."
Grappling with foreign election interference ultimately means responding to foreign powers' behavior. But the New York Times reports President Trump's chief of staff told outgoing Department of Homeland Security Secretary Kirstjen Nielsen not to bring up Russian election threats.
Via the Times: "[I]n a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it 'wasn’t a great subject and should be kept below his level.'"
Background: This isn't the first time we've heard Trump shies away from the entire topic of Russian election interference. As Axios' Mike Allen and Jonathan Swan wrote last year, "He hates talking about the subject, fearing it'll raise questions about the legitimacy of his victory."
Photo: broadcastertr/Getty Images
Many media organizations that eagerly trumpeted coverage of the hacked Democratic campaign files in 2016 have made little or no effort to strategize for 2020 about how to handle document leaks by malicious nations trying to meddle in the election, according to a CNN report.
Why it matters: As politicians and parties steel their defenses for 2020, it's important for the media to do the same.
Details: CNN asked around newsrooms and found little in the way of distinct plans for a 2020 document leak like WikiLeaks in 2020.
Between the lines: This isn't just a 2020 issue. After Russia's successes in 2016, Qatar and the United Arab Emirates used leaked emails and the U.S. press to wage a proxy war.
The press is still tangibly better equipped for 2020 than it was for 2016.
My thought bubble: I was involved in some 2016 leaks myself.
Russian bots and trolls immediately capitalized on the Mueller report, according to research from SafeGuard Cyber.
Why it matters: Russia's social media efforts are often incorrectly thought of as purely election interference. They're actually a year-in, year-out slog aiming to capitalize on any major news story to fracture the U.S. public.
Details: SafeGuard maintains a database of 600,000 "bad actors" — a mix of automated accounts (bots) and manually controlled accounts (trolls). SafeGuard attributes many, not all, to Russia.
What they're saying: "The goal here is to get out the content with so much force that getting one or two retweets a time will reach a huge audience," said George Kamide, director at SafeGuard.
A new report from the Digital Citizens Alliance shows several efforts to take advantage of set-top hardware used to stream pirated content.
Details: The set-top boxes, sort of like a Roku where everything you stream is free, are relatively cheap — DCA tested boxes purchased on eBay, Craigslist and Facebook Marketplace purchased for between $75 and $100.
What they're saying: This isn't an issue of protecting moviemakers' profits. "We've never dealt with the morality of piracy," Tom Galvin, DCA executive director told Codebook.
MalwareTech pleas guilty: Marcus Hutchins, also known as MalwareTech, pleaded guilty on Friday to charges relating to the sale of Kronos and UPAS-Kit malware, marketed and sold online between 2012 and 2015.
Hackers posing as the U.S. State Department target foreign embassies: Researchers at CheckPoint spotted a malicious, phony State Department secret document being sent to "government finance authorities and representatives in several embassies in Europe."
Crime pays: Crimes reported to the FBI Internet Crime Complaint Center totaled $2.71 billion in victim losses between February and December of last year.
Codebook will be back on Thursday.