May 16, 2019

Axios Codebook

Joe Uchill

Welcome to Codebook, the only cybersecurity newsletter with a 5-star Uber rating.

Situational awareness: Facebook just took down a network of inauthentic pages run by an Israeli firm.

1 big thing: Why campaigns turn down free cybersecurity

Cybersecurity outfits are itching to offer political campaigns free or cut-rate products to protect them from being hacked. But the campaigns, spooked by legal and technical concerns, keep turning them down.

Why it matters: Here's an abridged list of campaign-related hacking targets during the last two presidencies: The Obama, McCain and Lindsey Graham campaigns; John Podesta's and Sarah Palin's private emails; the Democratic and Republican National Committees; and the Democratic Congressional Campaign Committee. Cybersecurity for campaign operations might be a good idea.

The big picture: Security companies of all sizes have mulled offering free or discounted cybersecurity products to campaigns for a mix of altruistic and marketing reasons.

  • Google, Synack, Cloudflare, Microsoft and others already offer a variety of free protections to government officials. Several others, including Akamai, offer discounted services.

But offering the same services to campaigns gets complicated, because of campaign finance regulations and lack of expertise.

  • It's also against campaign finance law for corporations to donate directly to campaigns, whether that's in the form of money or services.

Driving the news: The FEC is currently determining whether to offer an exemption to Defending Digital Campaigns, a nonprofit started by campaign advisers to Mitt Romney and Hillary Clinton that aims to offer a host of discounted or free cybersecurity services.

  • The decision has been in the works since last year and may be decided as soon as May 23.
  • "We don’t want campaigns to be NASCAR," said Patrick Peterson of Agari, an email security firm that wants to offer free services to campaigns. "We don't want Elizabeth Warren to wear a jacket with Dunkin’ Donuts and Agari logos. We just want campaigns to be able to handle risk management."

What happens next: If the FEC decides to grant the exemption for the nonprofit, that opens the doors for other firms to make similar offerings, said Daniel Weiner, senior counsel of the democracy program at NYU's Brennan Center for Justice.

  • But experts believe it's better for the FEC to make a formal rule than to settle the issue through ad hoc exemptions, which leaves murkier boundaries.
  • Good governance groups have argued the issue would ideally be solved by Congress.

The expertise shortage is as much an issue as the campaign finance rules. Microsoft obtained an exemption similar to the one Defending Digital Campaigns is seeking and offered discounted security tools to 2018 campaigns — but it still struggled to get campaigns to accept the tools.

  • Campaigns for local office, the Senate or Congress are not large operations, and they often lack full IT teams to configure enterprise-strength security controls. Many chose not to accept Microsoft's help.
  • Microsoft is addressing this issue for 2020 by offering setup wizards to streamline the process.

But expertise might affect adoption of other technologies differently. Even though there are already a ton of free and low-cost tools for government election officials, officials have complained they have no way to separate useful tools from snake oil. Political campaigns aren't likely to have any easier a time.

2. Trump hits Huawei in way he spared ZTE

There were two big news stories for Huawei yesterday.

  • One, which received plenty of fanfare, saw the president sign an executive order likely aimed at blocking Huawei equipment from U.S. 5G networks.
  • The second, which did not get as much attention, saw the Department of Commerce place Huawei on the "Entity" list, making it more difficult for U.S. companies to export goods to Huawei.

Between the lines: Don't ignore the second one. It's under the radar, but devastating.

Details: The executive order declared a national emergency in threats to the U.S. telecommunications sector, and it gives the Department of Commerce 150 days to name a list of companies whose products are national security threats.

  • In 150 days, when Commerce seems likely to place Huawei on that list, it will mean that no Huawei equipment will be used by cellphone companies during the 5G rollout.
  • If Commerce doesn't put Huawei on the list, companies still won't use its products. A softer, yet still effective campaign to prevent the use of Huawei products was already in effect, dangling a threat to potential government contracts.

But restrictions on Huawei exports to the U.S. are also likely to bite the company hard.

  • Unlike fellow Chinese firm ZTE, which immediately began to shut down when it lost the right to export to the U.S. (until Trump gave it a reprieve), Huawei is in a better position to weather a storm. For example, Huawei makes microprocessors, something ZTE didn't.
  • But the company is still dependent on global exports for everything from operating systems to transistors.

Why did Trump spare ZTE and not Huawei? On its surface, the behind-closed-doors argument to shut down ZTE was that it violated sanctions, whereas Huawei is accused of violating sanctions, stealing intellectual property and being a tool for Chinese espionage.

  • But issues like IP theft and espionage are endemic to Chinese companies based on their close ties to the state. Marco Rubio (R-Fla.) argued not to spare ZTE for those reasons.

The difference may be dependent on trade negotiations.

  • The ZTE reprieve came at the beginning of those talks and reportedly was meant as an act of goodwill to China.
  • The Huawei executive order was originally going to be signed earlier, but was reportedly delayed in part because trade negotiations were going well. When they faltered, the hammer fell on Huawei.

3. DOJ, partners bust $100 million crime ring

The Department of Justice announced Thursday morning it had indicted 10 people involved in a transnational banking malware scheme as part of an international effort to break up the crime ring.

The big picture: The group allegedly used the GozNym banking malware to steal credentials to online banking accounts that they then attempted to rob for more than $100 million.

Details: The alleged criminals hail from Russia, Georgia, Ukraine, Moldova and Bulgaria.

  • The 5 Russian citizens remain fugitives, with the other 5 having been arrested.
  • Bulgarian Krasimir Nikolov pleaded guilty in the United States in April and will be sentenced in August.
  • U.S. victims range from a church in Texas to a D.C. law firm.
  • The takedown involved international cooperation from the U.S., Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust.

4. Patch everything

Thangrycat!

It's been an uncommonly busy week for high-profile companies patching critical security vulnerabilities.

Cisco shipped a patch for an extremely dangerous bug in hardware designed to verify the integrity of the firmware in a wide assortment of its products. The vulnerability, named 😾😾😾 (pronounced "Thangrycat"), was discovered by the security firm Red Balloon.

Microsoft patched a severe vulnerability in Windows operating systems that could create self-propagating malware à la WannaCry. The vulnerability was so worrisome that Microsoft issued patches for Windows 2003 and Windows XP, which it no longer supports.

Intel released a patch for yet another bug in the same vein as Meltdown and Spectre. This one, discovered by a team of academics, is known as ZombieLoad.

Google doesn't have a patch for a vulnerability in its Bluetooth security fobs used for two-factor identification. Instead, if you own one, Google will replace it. USB fobs are not affected.

5. North Korea-linked ScarCruft group hacks Bluetooth

Kaspersky Lab's new report on the North Korea-linked group ScarCruft contains an interesting tidbit on the group's latest attacks: It has added Bluetooth to its bag of tricks.

Details: Kaspersky identified malware that retrieves information on nearby Bluetooth devices.

  • While you might think of Bluetooth as the way your headphones connect to your phone, there are potentially more intriguing systems the group might be looking to mess with, like security key fobs (see the Google item above) or printers.

6. Sen. Ron Wyden needs his own newsletter

We know what you're saying: "All that news is great, but what is Sen. Ron Wyden (D-Ore.) up to?"

Introducing voting legislation: Wyden and a bevy of other Senate Democrats introduced the Protecting American Votes and Elections Act, an expanded version of an earlier Wyden bill. It would require paper ballots and risk-limiting audits of votes, and it would ban any form of internet connectivity from voting machines.

Nudging the FCC: The FCC is set to auction off portions of the radio spectrum that NASA, NOAA and the American Meteorological Society believe will interfere with our ability to monitor and predict the weather. Wyden and Sen. Maria Cantwell (D-Wash.) co-signed a letter sent Monday asking FCC chair Ajit Pai to consider the implications of the auction.

7. Odds and ends

Codebook will return on Thursday.