Nov 1, 2018

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that will continue celebrating Halloween until someone stops it.

If you have any story ideas, please reply to this email.

1 big thing: Tough U.S. measures seek to stem Chinese espionage

This week the United States made 2 big moves against China in response to Beijing's alleged government-orchestrated theft of intellectual property. Experts believe there will be more U.S. measures to come.

Why it matters: This is a sea change in how Washington deals with China. China is thought to have stolen billions of dollars in intellectual property from U.S. firms over more than a decade through hacking and human sources. The U.S. has never gone all-in on retaliation.

What they're saying: "China is surprised. They never thought we would wake up and push back," said James Lewis, who formerly led the Commerce Department's effort to fight Chinese espionage in the tech industry.

The 2 big U.S. moves:

These aren't isolated actions.

The big picture: U.S. experts charge that China has hacked into U.S. companies to steal anything and everything that could build up its tech industry without having to spend money on research and development.

  • Micron, the U.S. competitor to Fujian Jinhua, has long complained about theft by that firm.
  • Obama's Justice Department did indict a handful of Chinese hackers and developed an agreement with Beijing that economic espionage would be out of bounds, but China stopped abiding by the deal after Obama left office.
  • The posture dating back to the George W. Bush administration has largely been to treat China as more of an inconvenience than a threat.

"Preventing more theft has to be an all-in strategy. For the past 15 years, our strategy has been to ask 'pretty please.' It's time to try something else," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that companies often bring in to keep China out.

  • CrowdStrike has seen a steady uptick in Chinese economic espionage since January.

The prognosis: Alperovitch, who has seen the ebbs and flows of Chinese hacking after past attempts to curtail it, does not think that the U.S. moves, even combined with the broader trade war, will be enough to throw Beijing off balance.

  • Lewis, a senior vice president at the Center for Strategic and International Studies, sees "endless opportunities" for future embargoes and charges if the administration is committed to confronting China.
  • But he also questions whether the Trump administration will know how to play a strong hand. Just a few months ago, when the Department of Commerce placed severe sanctions on telecom equipment maker ZTE, Trump softened the penalty without getting Chinese concessions in return.

The White House isn't out from under ZTE's shadow, even with these actions.

  • Sen. Chris Van Hollen (D-Md.), a hawk during the ZTE dust-up, called the indictments "a step in the right direction" but pointed to the ZTE "sweetheart deal" as a sign that the Trump administration might not effectively hold China accountable.

2. Report: U.S. aids decline in global internet freedom

A new report by Freedom House assessing global internet freedom finds that U.S. politicization of the term "fake news" is being co-opted by authoritarian governments to crack down on free speech.

What they're saying: "Generally speaking, [President] Trump has emboldened totalitarian governments," said Adrian Shahbaz, Freedom House research director for technology and democracy and the principal author of the Freedom on the Net report.

Freedom on the Net is primarily a metric-based global ranking of internet freedom, ranging from Iceland and Estonia, the leaders in internet freedom, to China, which ranks last.

  • Worldwide, freedom has declined on the whole. That includes in the 6th-ranked United States, where scores declined after the FCC lifted net neutrality rules.

3. Candidates struggle to make cybersecurity an election issue

Cybersecurity is a growing problem in the United States, both as a domestic and international issue — but it's not one that brings people to the ballot box.

The big picture: Candidates who want to make cybersecurity a priority worry that the public may not adequately appreciate an important problem.

The stakes are high:

  • The world has already seen a single government-launched malware attack (NotPetya) cause billions of dollars in damage to civilians.
  • Companies face billions of dollars in losses from corporate espionage conducted by nation states.

Here's how two House candidates with backgrounds in the cybersecurity field, one Democrat and one Republican, are handling the issue.

Upstate New York

“How do you think we’re going to be attacked next?” asks Tracy Mitrano, Democratic candidate for New York's 23rd Congressional District.

Mitrano, a former director of information technology policy at in-district Cornell University, says that national cybersecurity is one of the key reasons she’s running in 2016.

But it just can’t be a key campaign issue. That's because, by Mitrano’s stats, only 4% of her mostly rural district view cybersecurity as a top issue.

  • In a region still struggling with getting broadband internet access, residents have firsthand experience with other needs — mostly jobs.
  • “The public does not understand the issue enough for it to be the big issue. And I don’t blame them. They are not getting the leadership they need from Tom Reed and other legislators,” she says, taking a swipe at her opponent.

San Antonio, Texas

In San Antonio, a hub for the burgeoning cybersecurity industry, Rep. Will Hurd (R-Texas) says that he’s asked once or twice at each town hall about cybersecurity.

  • “Almost every American has been impacted. They’ve needed to replace a stolen credit card or know someone whose identity has been stolen,” he said.
  • “People have been very clear that it is an issue. People are not clear what the issue is,” he said.

Hurd is known for his work in cybersecurity and federal IT issues. He is a rare lawmaker with a cybersecurity background, having been a senior adviser to the security firm FusionX.

The bottom line: Both Hurd and Mitrano believe Congress lacks cybersecurity expertise. Neither thinks it's an issue someone can run on.

  • Mitrano says she has focused her campaign around bringing jobs to her region through education and health care.
  • Hurd notes that if expertise doesn’t come from new blood in the halls of Congress, it could come from current members stepping up to learn the skill.
  • He singled out Robin Kelly (D-Ill.) as someone who he’s worked closely with on cybersecurity legislation who didn’t come from a tech background.

4. Fakers forge ".democrat" and ".gop" domains

Typosquatting — where troublemakers use similar-looking web addresses to trick victims who are looking for other sites — is being bolstered by new top level domain (TLD) names, according to a new report.

TLD? Top level domains are the things like .com and .net that come at the end of website names. Recent introductions to the TLD pantheon include ".democrat," ".gop" and ".republican."

Details: According to the firm Anomali, despite more than 7,000 registered .democrat, .gop and .republican sites, "very few candidates have actually registered domains on the appropriate party TLD."

  • Many of the remainder are pranks — forwards web users to a Donald Trump site.
  • The problem comes if hoaxers begin using the sites in more malicious ways — sending campaign funding emails, announcing policy, etc.

Odds and ends

Codebook will return on Tuesday.