Welcome to Codebook, the cybersecurity newsletter taking a close look at how we prepare for 2020.
1 big thing: For hacked campaigns, 2020 looks like 2016
For all the energy the U.S. has spent determining whether Donald Trump broke any laws when he enthusiastically welcomed hacking efforts against his 2016 opponent, the nation has done little to prevent candidates from doing the same thing in 2020.
Why it matters: The election is only a year and a half away, and Russia's methods of election interference demonstrated some degree of success. If a candidate were hell-bent on benefitting from hacking undertaken by hostile actors, either foreign or domestic, we have put no new barriers in place to stop such efforts.
What they're saying: "If anything, I think the Trump campaign would be emboldened to do the exact same things again," said Paul Rosenweig, a senior fellow at the conservative-leaning R Street Institute and former deputy assistant secretary for policy at the Department of Homeland Security.
- "The only way this changes is if it starts meaning that a candidate goes to jail or doesn't win an election," he said.
Details: The Trump campaign has played coy about whether, presented with the exact same circumstances as 2016's hacking in 2020, it would behave the exact same way.
- According to the Mueller report, the 2016 Trump campaign met with Russian agents at Trump Tower to obtain dirt on Hillary Clinton, coordinated with WikiLeaks on the release of hacked emails, and publicly requested Russia produce hacked copies of Clinton's State Department emails (Trump later said he was joking) before coordinating with Republican activists to do the same.
- "There's nothing wrong with taking information from Russians," Trump attorney Rudy Giuliani said Sunday on CNN, and "any candidate in the whole world" would have done so.
The catch: All of this is still arguably legal.
- A little nuance: Mueller says he decided not to bring charges over the Trump Tower meeting largely because the participants didn't break the law knowingly. Given the hoopla, that would be a tougher argument to make in 2020.
- But Mueller also notes that the meeting wouldn't have broken laws unless it provided useful information (it didn't), and even then the case would be difficult to argue in court.
Democrats want an agreement with Republicans to not use hacked documents during campaigns.
- On Monday, Democratic National Committee chair Tom Perez wrote an open letter to his Republican counterpart pledging the DNC would not "weaponize stolen private data for political gain."
- The letter is an attempt to bring the RNC to the negotiating table on the issue. Until the two discuss terms, that pledge has no teeth — there is no prescribed consequence if a Democrat used hacked materials.
- Meanwhile, an RNC representative quoted chairwoman Ronna McDaniel on its stance for 2020: "Any breach of our political organizations — regardless of party — is an affront to all of us, and we should come together as Americans to prevent it from ever happening again."
- That official did not respond to a follow up questions about the consequences for a candidate not complying.
The Trump campaign did not reply to requests for comment.
The bottom line, via Rosenweig: "If you don't spank a dog when it doodles on the rug, it will keep doodling on the rug."
2. Report: Ex-DHS head told not to warn Trump of Russian threat
Grappling with foreign election interference ultimately means responding to foreign powers' behavior. But the New York Times reports President Trump's chief of staff told outgoing Department of Homeland Security Secretary Kirstjen Nielsen not to bring up Russian election threats.
Via the Times: "[I]n a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it 'wasn’t a great subject and should be kept below his level.'"
Background: This isn't the first time we've heard Trump shies away from the entire topic of Russian election interference. As Axios' Mike Allen and Jonathan Swan wrote last year, "He hates talking about the subject, fearing it'll raise questions about the legitimacy of his victory."
3. News outlets will struggle with leaks in 2020
Many media organizations that eagerly trumpeted coverage of the hacked Democratic campaign files in 2016 have made little or no effort to strategize for 2020 about how to handle document leaks by malicious nations trying to meddle in the election, according to a CNN report.
Why it matters: As politicians and parties steel their defenses for 2020, it's important for the media to do the same.
Details: CNN asked around newsrooms and found little in the way of distinct plans for a 2020 document leak like WikiLeaks in 2020.
- On the one hand, journalists want to avoid serving as conduits for propagandists trying to influence an electoral outcome. On the other hand, media organizations have a reflex — and, some would argue, an obligation — to report information that's actually newsworthy regardless of the source.
- And, on a third hand, the media did an awful job differentiating between the few newsworthy emails in the WikiLeaks document trove and ones with, say, risotto recipes.
Between the lines: This isn't just a 2020 issue. After Russia's successes in 2016, Qatar and the United Arab Emirates used leaked emails and the U.S. press to wage a proxy war.
- Readers, and journalists too, have a tendency to overestimate how important leaked files are — there's an incorrect belief that files don't get leaked unless they are important (see: risotto).
The press is still tangibly better equipped for 2020 than it was for 2016.
- The 2016 hacking effort caught the press off-guard — it seemed far fetched to some, and was covered more as a political news story than a national security one.
- Since the story got treated as a political issue, explaining the evidence about the DNC hack on news shows got left to people like Clinton campaign manager Robby Mook rather than cybersecurity specialists.
- Over the course of 2016 story, the focus shifted to national security. Networks like NBC and CNN have invested in cybersecurity reporters.
My thought bubble: I was involved in some 2016 leaks myself.
- We didn't have a policy, and while I think we did a good job of emphasizing that Russia was the likely leaker of Guccifer 2.0 documents and why specific documents were leaked to us, I've never been entirely sure I did the right thing.
- Every time I see Robby Mook, I ask him.
4. Mueller report sparked an increase in Russian misinformation
Russian bots and trolls immediately capitalized on the Mueller report, according to research from SafeGuard Cyber.
Why it matters: Russia's social media efforts are often incorrectly thought of as purely election interference. They're actually a year-in, year-out slog aiming to capitalize on any major news story to fracture the U.S. public.
Details: SafeGuard maintains a database of 600,000 "bad actors" — a mix of automated accounts (bots) and manually controlled accounts (trolls). SafeGuard attributes many, not all, to Russia.
- Russian bots and trolls increased their rate of posting by 286% on April 16, the day Mueller's report was released, and the number of unique accounts posting increased by 48%.
- It's pretty clear what they were talking about. The top 5 hashtags were #mueller, #muellerreport, #trump, #barr, and #russia, with the rate of #muller increasing more than 50-fold.
What they're saying: "The goal here is to get out the content with so much force that getting one or two retweets a time will reach a huge audience," said George Kamide, director at SafeGuard.
- "We didn't just see an increase in activity, we saw an increase in the potency of the accounts used," he said.
- In the days leading up to the report, the average account the company classifies as Russian had 13,500 followers. After the report was released, that number spiked to 18,600.
5. Pirate TV boxes harbor hackers
A new report from the Digital Citizens Alliance shows several efforts to take advantage of set-top hardware used to stream pirated content.
Details: The set-top boxes, sort of like a Roku where everything you stream is free, are relatively cheap — DCA tested boxes purchased on eBay, Craigslist and Facebook Marketplace purchased for between $75 and $100.
- One preinstalled app (Mobdro) immediately forwarded the WiFi password to a server in Indonesia.
- Other apps crawled any network a device was plugged into, including one that uploaded 1.5 TB of data from the researcher's system.
What they're saying: This isn't an issue of protecting moviemakers' profits. "We've never dealt with the morality of piracy," Tom Galvin, DCA executive director told Codebook.
6. What you missed last week
MalwareTech pleas guilty: Marcus Hutchins, also known as MalwareTech, pleaded guilty on Friday to charges relating to the sale of Kronos and UPAS-Kit malware, marketed and sold online between 2012 and 2015.
- Hutchins' trial struck a nerve with many in the cybersecurity community because he had gone on to become a well-regarded and well-liked security researcher.
- The plea sparked massive debate among security folks over how the community should approach prior bad deeds.
- Hutchins pleaded guilty to 2 charges, with 6 charges against him being dropped in exchange. Each charge carries a maximum sentence of 5 years in prison and a $250,000 fine.
Hackers posing as the U.S. State Department target foreign embassies: Researchers at CheckPoint spotted a malicious, phony State Department secret document being sent to "government finance authorities and representatives in several embassies in Europe."
- The document unspools TeamViewer malware when opened.
Crime pays: Crimes reported to the FBI Internet Crime Complaint Center totaled $2.71 billion in victim losses between February and December of last year.
- All hope isn't lost, however. A new recovery team to reclaim money stolen in business email compromise schemes was able to restore just under $200 million, around 71% of the total losses it looked into.
7. Odds and ends
- GoDaddy takes down a massive fraud scheme. (Axios)
- President Trump meets with the CEO of Twitter in the White House. (Axios)
- Facebook girds for an FTC fine up to $5 billion. (Axios)
- Voting machine firm ES&S released an independent security audit, but experts have a tough time buying in. (Cyberscoop)
- Researchers discover hundreds of Ethereum cryptocurrency owners are protected by weak security keys. (ISE)
- 78% of people would be okay if their workplace chats were leaked to WikiLeaks. (Symphony)
- Hackers are in your ears. (Malwarebytes)
- Magecart vultures swindle the Atlanta Hawks. (Sanguine Security)
- If you can't trust DarkWeb criminals, who can you trust? (Infosecurity Magazine)
Codebook will be back on Thursday.