Feb 19, 2019

Axios Codebook

Axios

Welcome to Codebook, the cybersecurity newsletter that will make "Alito: Battle Justice" jokes until they stick.

1 big thing: Hacking in the public interest

Poster for the film 'Help,' 1965. Photo: Buyenlarge/Getty Images

There is a critical shortage of cybersecurity experts working in public interest roles, including advising at-risk charitable groups, lawmakers and advocacy organizations. That's according to security expert Bruce Schneier, who will host the first symposium on the subject at March's RSA conference ("Bridging the Gap: Cybersecurity + Public Interest Tech").

Why it matters: We've written before about difficulties legislators have finding experienced advisers for tech issues and the detrimental effect that can have on policy debates. (Cliff notes: Recent Facebook and Google hearings did not go well.)

  • "But it's not just a policy problem," Schneier told Codebook. "Civil groups need cybersecurity professionals for protection."

The big picture: There's plenty of need for hackers to serve in public interest roles — but groups are unaware they need the help, and there is little infrastructure to guide civic minded security pros to those groups.

  • This isn't an abstract problem. We've recently seen nations target outmatched nongovernmental groups that antagonize them in even trivial ways. Mexico appears to have spied on advocates of a soda tax in 2017 with militarized spyware that's only sold to governments.

Schneier sees the gap as two solvable problems: "There's a supply problem and a demand problem," he noted.

  • Qualified professionals don't currently know they are needed. And when they do, they often don't know how to get involved.
  • Advocacy, governmental and charitable groups will never be able to pay as much as the private sector.
  • But, said Schneier, that hasn't stopped these groups from being able to employ other traditionally highly paid workers at steep discounts. "I don't know how to solve the salary issue," he said, noting that volunteering and rotating in and out of public service jobs might be an option. "But I do know that the ACLU can only pay a fraction of what a law firm can, but that every time there is an opening they get 100 applicants."

The demand problem can be especially complicated for protection positions.

  • Many public interest groups don't realize they are targeted by governments. Those that do might still decide they'd prefer to use their limited resources on their actual mission rather than on cybersecurity protection.
  • But the problem has grown big enough that the University of Toronto's Citizen Lab has built an international reputation by investigating nation state breaches of public service groups.
  • "High risk groups have resource constraints all over the place," said Citizen Lab's John Scott-Railton, who will appear at the RSA symposium. "A top flight researcher is going to go to an NGO and discover they haven’t set their printer up correctly."

Security tech doesn't work without a qualified person to run it, said Scott-Railton. This isn't a problem that can be solved without funneling new bodies into the sector.

RSA is a high profile conference attracting much of the field's talent. It's also a particularly business-focused event, making this a unique place to launch this initiative. Schneier said he doesn't know what size crowd to expect. But sometimes, he said, just getting the conversation started is enough.

2. Chinese hackers not deterred by charges

A landmark year of Department of Justice actions against China did not immediately diminish Chinese hacking, according to CrowdStrike vice president of intelligence Adam Meyers, who spoke to Codebook in advance of the firm's new global threats report.

Why it matters: In the past year, the Department of Justice charged several Chinese agents with stealing intellectual property both in person and through digital means.

  • Stealing intellectual property is one of the primary reasons China is involved in hacking — and deterring China is a key reason the DOJ pursues these charges.

What they're saying: "It hasn't had an impact with China other than to cause their operators to be more careful," said Meyers.

Contrast that with Iran. After an Iranian espionage group was charged in 2018, "those guys disappeared," he said.

The CrowdStrike report compares how quickly different nations' hackers can "break out" of one account to infect the broader network. Russian hackers can complete the task in under 20 minutes. Across the rest of the world:

  • North Koreans complete the task in 2.5 hours.
  • Chinese average 4 hours.
  • Iranians average 5 hours.
  • eCrime actors vary due to experience, with some operating with nation state speed and some taking substantially longer. The average time was just under 10 hours.
3. Huawei gets U.K. reprieve

The English Session Orchestra performs the reveal of Huawei, Unfinished Symphony, Feb. 4, London. Photo: David M. Benett/Dave Benett/Getty Images for Huawei UK

Huawei got some rare good news over the weekend, with reports that U.K. intelligence determined that risks associated with the company's products could be mitigated without outright banning them.

The big picture: The Chinese telecom manufacturer is still embroiled in espionage, sanctions violations and intellectual property scandals.

  • The U.S. has been adamant about the espionage risks of Huawei sabotaging its own products to provide Chinese spies access to 5g networks. While Britain's largest cellphone provider has announced it will forgo Huawei products during its 5g rollout, the national decision is still a blow to the U.S.' international argument.

Meanwhile: Huawei founder Ren Zhengfei told BBC, "There's no way the U.S. can crush us."

  • His point, despite colorful wording, is Huawei can scale back operations if countries ban their products, not that Huawei can maintain its current prosperity during a U.S. standoff.
  • Ren's daughter, CFO Meng Wanzhou, was arrested for the company's alleged violation of sanctions.

Ren, traditionally reclusive, has been doing a media blitz to counter the controversies. He said in an interview with CBS aired Tuesday that the firm wouldn't share information with the Chinese government. Critics have noted Huawei could be required by law to do just that.

Also: Chinese state media is suggesting that Chinese tourists will boycott New Zealand if a ban on Huawei products stays in place. China supplies the largest group of vacationers to New Zealand.

4. China denies hacking Australian Parliament and parties

China is denying speculation it hacked Australian Parliament and political party systems.

Australia announced Monday that the parties and government systems had been hacked, with the attacks being caught early.

While the government has not officially attributed the attack to China, there have been reports that China is seen as a suspect.

Chinese Foreign Ministry spokesperson Geng Shuang told the Guardian the accusations were "baseless speculations," adding that “Irresponsible reports, accusations, pressurising and sanctions will only heighten tensions and confrontation in cyberspace and poison the atmosphere for cooperation.”

5. Global Cyber Alliance offers small business toolkit

The Global Cyber Alliance, an advocacy group created by the governments of the cities of London and New York, released a free, broad toolkit for small businesses looking to protect themselves against digital threats.

Why it matters: It's hard for small businesses to navigate basic cybersecurity hygiene without a guide, or to get advice about cybersecurity tools that comes from a neutral party.

The tools, by and large, are already free. But they weren't collected in one, vetted place before now. Unless a small business already understood both the basics of cybersecurity (the need to patch systems, and how) and some of the finer points (DNS security, for example), they wouldn't know to search for any of them.

6. Firm to offer GDPR insurance

Insurance provider Coalition is launching a new insurance product aimed at the European Union's General Data Protection Regulation and other regulations — including fines not related to breaches. It appears to be the first such product sold for a mass market.

Why it matters: Cyber insurance can be a baffling thing. Not all policies protect against regulatory fines, and typically that coverage only covers fines related to a breach.

But GDPR and other regulations can fine companies for improper terms of service hoisted upon consumers. That has led to some uncertainty for small and medium-sized businesses, especially given the lack of accepted standards for what is covered by cyber insurance.

  • "When you’ve read one car insurance policy, you’ve read them all," said Coalition founder and CEO Joshua Motta. "When you’ve read one cyber insurance policy, you’ve read one."
7. Odds and ends
Axios

Codebook will be back on Thursday.