Welcome to Codebook, Axios's cybersecurity newsletter. Trust us. We're professionals.
Say hello by replying to this email.
1 big thing: One small step for a decade-long security "moonshot"
A White House advisory committee voted Wednesday to recommend an ambitious cybersecurity "Moonshot" program aimed at coping with future threats, including the formation of a council set to address the kinds of problems that might only emerge in a decade.
Why it matters: Peter Altabef, CEO of Unisys who co-headed the Moonshot report project, tells Codebook that the White House needs to act immediately to be ready in a decade. But the government has always found long-term planning a challenge.
What they're saying: "A lot of cybersecurity today is how can we patch this problem in the next five days or months, or legislate a solution before the next election," says Altabef, co-chair of the National Security Telecommunications Advisory Committee's Moonshot working group. "But what about the problems it takes time to prepare for?"
Background: This is not the first time a group has tried to look for long-term solutions to cybersecurity problems. It's not even the first time it's been done under the "moonshot" name.
- This time, however, the effort comes from within the White House. Vice President Pence was briefed on the project in May and has mentioned the project in speeches since then.
Yes, but: A moonshot might not be the right metaphor. President Kennedy had two distinct advantages a cybersecurity moonshot does not.
- Kennedy knew where the moon would be in 10 years. But we only have the broadest of outlines of what technology will be in 10 years.
- The moon doesn't fight back. But hackers will try to find workarounds to any defensive technique as soon as it gets announced.
Is the moon even big enough? "We'd argue it's as important as the moon program — I'd argue it's more critical to national security and to the economy," Altabef says.
Details: The report's major proposal is that the White House create a Cybersecurity Moonshot Council including a newly appointed executive director, experts and, since the problem spans most facets of government, Cabinet-level officials.
- Altabef says not suggesting discrete solutions to specific problems is a recognition that the problems will change over time.
- He also says that the president needs to start looking for the council's director "today." The problems are a decade away, but solutions take years to realize.
The report identifies "pillars" that the council will need to address, ranging from new technology to education.
The U.S. can't be flat-footed, the report argues.
- Quantum computing is a technology that's not fully invented yet, but it will be able to break modern encryption codes in ways current computers can't.
- China invests heavily in quantum computing, and if the U.S. plans to avoid Chinese spies, it needs to start developing quantum-proof encryption now. Designing new tech can take years.
- "There are certain technologies that we cannot afford not to lead in," says Altabef.
The big question: Can the U.S. get out of its own way?
- "It will take courage from lawmakers to say we're going to make this focus, we're going to get this done before there is a catastrophe," says Altabef.
2. DHS supply chain task force to meet for the first time
A new Department of Homeland Security task force devoted to heading off supply chain cybersecurity threats against communications infrastructure will meet for the first time Thursday.
Why it matters: Supply chain attacks — hackers sabotaging the security of hardware or software to attack the system in which it's installed — have been at the top of mind for many in the government, with recent dustups involving allegations against ZTE and Huawei as well as a widely disputed Bloomberg story.
Details: The Information and Communications Technology Supply Chain Risk Management Task Force will include several representatives from industry, trade and threat-sharing organizations, and government agencies.
- While the roster of members hasn't been officially announced, it will likely include providers and equipment makers for internet and telephone services, intelligence and law enforcement agencies, and the Department of Commerce.
One company that's confirmed for the task force is Cisco.
- Edna Conway, Cisco’s chief supply chain security officer, says the issue is less about banning specific suppliers (or countries) and more about accounting for a supplier's individual risk.
- "I don’t handle geographies. I am agnostic about where a product is made," she says. "Understanding what a third-party provider is providing and customizing security around it has been the most useful in the past."
3. Japan's cybersecurity minister has never used a computer
Yoshitaka Sakurada, Japan's deputy chief of the government’s cybersecurity strategy office, told parliament on Wednesday that he has never used a computer. He appeared "confused by the concept of a USB drive," per the Guardian.
Why it matters: Cybersecurity often involves computers.
4. House backs name change and more for DHS cybersecurity group
We've previously covered the woes of the National Protection and Programs Directorate, the Homeland Security team that desperately wants a name that describes what it does. A bill changing the name to the Cybersecurity and Infrastructure Security Agency fully cleared Congress Wednesday and now awaits President Trump's approval.
Yes, but: While a lot of attention focuses on the name change, other aspects of the bill could be more consequential. The legislation also elevates the NPPD in the Homeland Security organization chart, giving it the ability to shift around resources without Congressional approval.
5. Odds and ends
- Required reading: How Facebook handled election and other controversies. (New York Times)
- Dragos snagged $37 million in new funding. (Axios)
- If the last time you heard about new Meltdown-like processor vulnerabilities was before Tuesday, you are out of date. (The Register)
- OPM still hasn't finished mopping up its landmark 2015 breach. (GAO)
- LastPass rates online retailers' cybersecurity for a Christmas-themed list. (LastPass)
- Firefox beefed up alerts about recently breached sites. (Mozilla)