Welcome to Codebook, the cybersecurity newsletter that makes vrooming noises whenever it uses a shopping cart.
If you've got tips or story ideas, I'd love to see them. Just reply to this email.
1 big thing: Trump's destabilizing "intervention" in Huawei CFO case
In an interview with Reuters, President Trump suggested he might be willing to trade an arrested Chinese executive for a better trade deal. Such an offer, experts tell Axios, is uncomfortably transactional, dangerous to U.S. institutions and alliances, and quite likely a constitutional no-no.
Driving the news: The administration reportedly began discussing using Meng Wanzhou, chief financial officer of the global electronics giant Huawei, as a bargaining chip very soon after her arrest in Canada for violations of U.S. sanctions against Iran.
Answering a Reuters question about intervening in the Meng case, Trump said:
“Whatever’s good for this country, I would do. ... If I think it’s good for what will be certainly the largest trade deal ever made — which is a very important thing — what’s good for national security — I would certainly intervene if I thought it was necessary.”
What's at stake
The Department of Justice bristles at the suggestion it pursues any arrest with the purpose of advancing political negotiations. But Trump's statement may give that charge weight in this case.
- At a congressional hearing Wednesday, Assistant Attorney General John Demers addressed the potential for the DOJ to be miscast: "What we do at the Justice Department is law enforcement. ... It's very important for other countries to understand that we are not a tool of trade when we bring those cases."
- "Frankly," replied Sen. Richard Blumenthal (D-Conn.), "that's the danger of the president's statement. It makes it look like law enforcement is a tool."
- The DOJ, for its part, appears to have clean hands. The Huawei investigation dates back to 2016 — 1 president and 2 attorneys general ago. It was not a spur-of-the-moment arrest.
Presidential norms: It's worth noting that the president likely does not have the right to interfere with DOJ investigations. Trump has had a few other scuffles over this very issue.
- Courts have never formally settled the issue, but the principle is deeply held in the U.S.
Campaign promises: Trump campaigned as the tough-on-Iran candidate, with reinstated sanctions a centerpiece of that strategy. Yet Huawei would be the second company, after ZTE, that he's been willing to forgive violating those sanctions.
Relations with Canada: Canada did not arrest a high-profile Chinese executive thinking the U.S. mainly intended to use her in trade negotiations.
- Trump's statement might have aided Meng's defense, which can now credibly say she's a political target. Per Reuters, that argument "would resonate in Canada where judges are particularly wary of abuse of the court system."
- Meanwhile, Canada now faces potential Chinese boycotts and possibly even the arrest of citizens abroad in China in retaliation.
The rule of law: In this situation — in a striking parallel to the case of Jamal Khashoggi, the U.S.-based journalist murdered by Saudi Arabia — Trump's position forthrightly elbows aside the law for transactional needs.
- "At its core, this is an Iran sanctions issue," said Elizabeth Rosenberg, a senior fellow at the Center for a New American Security, who worried blunting punishments for violating sanctions might encourage more violations.
The bottom line: If Canada faces Chinese retaliation, the U.S. might, too. Codebook spoke to one executive who had researched all of the countries with extradition treaties with China to keep his employees safe.
- But it doesn't end there. "What about companies with Canadian supply chains?" asked Rosenberg. "They now have to figure out if they will be able to deliver products with parts that come from China."
2. Report: Iranian hackers target sanctions enforcement officials
Why it matters: The hacking attempts started just as the Trump administration began to reinstate sanctions against Iran.
Details: The attacks used fake alerts of unauthorized attempts to access webmail accounts to convince victims to provide the hackers with login credentials.
- Once the hackers had taken over the email accounts, they would either send email or post social media messages asking other people to download a file from a phishing page meant to look like Google Drive.
- Targets also included, according to AP, "high-profile defenders, detractors and enforcers of the nuclear deal struck between Washington and Tehran, as well as Arab atomic scientists, Iranian civil society figures and D.C. think tank employees."
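An added example, not from the newsletter or the AP report, showing what a defender can check for in mail that fits the two lures described above: the "unauthorized access" alert that asks for credentials, and a download link that claims to be Google Drive but is hosted elsewhere. The sample messages, hostnames and phrase list are constructed for the example; the Google-host list is deliberately short.

```python
import re
from urllib.parse import urlparse

# Hosts Google actually serves Drive from; anything else claiming to be Drive is a lookalike.
GOOGLE_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

# Wording typical of the "someone tried to access your account" lure (constructed list).
LURE_PATTERNS = [
    re.compile(r"unauthori[sz]ed (sign[- ]?in|access|login)", re.I),
    re.compile(r"(confirm|verify|re-?enter) your (password|credentials)", re.I),
]
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_drive_lookalike(url: str, link_text: str = "") -> bool:
    """True when a link claims to be Google Drive but is not hosted by Google."""
    host = (urlparse(url).hostname or "").lower()
    if host in GOOGLE_DRIVE_HOSTS or host.endswith(".google.com"):
        return False
    # Heuristic: a non-Google host containing "google", or link text naming Google Drive.
    return "google" in host or bool(re.search(r"google\s*drive", link_text, re.I))

def analyze_message(body: str) -> dict:
    """Collect the lure phrases and lookalike Drive links found in one message body."""
    findings = {"lure_phrases": [], "lookalike_links": []}
    for pat in LURE_PATTERNS:
        m = pat.search(body)
        if m:
            findings["lure_phrases"].append(m.group(0))
    seen = set()
    for href, text in ANCHOR_RE.findall(body):
        seen.add(href)
        if is_drive_lookalike(href, re.sub(r"<[^>]+>", "", text)):
            findings["lookalike_links"].append(href)
    for url in BARE_URL_RE.findall(body):  # links that are not inside an anchor
        if url not in seen and is_drive_lookalike(url):
            findings["lookalike_links"].append(url)
    findings["suspicious"] = bool(findings["lure_phrases"] or findings["lookalike_links"])
    return findings

# Constructed sample messages for the example; not real campaign artifacts.
SAMPLES = {
    "lure": ("Security alert: we detected an unauthorized sign-in attempt on your "
             "webmail account. Confirm your password at https://mail-check.example/login"),
    "lookalike": ('Please review the proposal: <a href="https://drive-google-share'
                  '.example/file/abc">Google Drive</a>'),
    "text_only_claim": 'Open in <a href="https://cdn.example.net/dl">Google Drive</a>',
    "benign": 'Slides: <a href="https://drive.google.com/file/d/xyz/view">Google Drive</a>',
}
```

Running `analyze_message` over each entry in `SAMPLES` flags the first three and leaves the genuine Drive link alone.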
3. North Korea-like hackers hit defense and other targets
McAfee discovered an apparent espionage hacking campaign targeting global defense, critical infrastructure and financial firms that looks "strikingly" like the work of known North Korean spies.
But, but, but: The attacks seem "too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags."
Details: Since Oct. 25, targets in North and South America (including the U.S., Mexico and Canada), Europe, Russia, India, Australia, the Middle East and Egypt received English-language invitations to apply for jobs.
- The files were written in a Korean version of Microsoft Word and they installed malware using code from the Duuzer implant used by the North Korean Lazarus Group.
- The new implant, which McAfee dubbed "Rising Sun," can perform reconnaissance and steal files.
- McAfee is referring to the campaign as "Sharpshooter."
4. FINALLY some Taylor Swift news
Rolling Stone reported that Taylor Swift concerts used a facial recognition kiosk at the entrance to analyze anyone who looked its way.
The kiosk was intended to weed out Swift's stalkers, not track the mass of other fans.
The bottom line: There aren't really norms governing when bulk biometric identification is creepy and when it is valuable. IDing stalkers might be more on the socially acceptable side of the scale than, say, a store IDing its customers to send custom ads.
5. New bill would expand FTC privacy powers
A horde of Democrats led by Sen. Brian Schatz (D-Hawaii) introduced the Data Care Act Wednesday, which seeks to drastically increase the Federal Trade Commission's ability to regulate privacy.
Details: If passed, the bill would allow the FTC to intervene when a company storing user data fails at any of three standards (as defined by the bill):
- Duty of Care — Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information.
- Duty of Loyalty — May not use individual identifying data in ways that harm users.
- Duty of Confidentiality — Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling or sharing individual identifying data.
The bottom line: Given that the FTC is currently limited to regulating privacy based on whether a company is deceptive about its privacy practices, this would be a massive expansion of the commission's domain.
But, but, but: The bill's backers are all Democrats, and Republicans still control the Senate.
6. The most wonderful time of the year: FITARA scorecard released
The House Committee on Oversight and Government Reform released its latest grades on government agencies' technology acquisition practices, known as the FITARA scorecard (after the law that mandates it). The results this time are, by and large, good news.
Stay with me here: Rep. Will Hurd (R-Texas) often notes that you never see protesters in the streets about technology acquisition, but modernizing systems is critically important to security, cost and the ability to provide services.
The FITARA scorecard is a biannual grading system for progress in setting up organizational structures and policies to modernize smartly. And, though there were no "A" grades given out, no agency did worse in these grades than in the last ones in May.
Agencies did particularly well in keeping track of software licensing, according to the report.
7. Odds and ends
- Tech scrutiny is here to stay, says Google's CEO. (Axios)
- The infamous Shamoon malware re-emerged. (Axios)
- Rhode Island is suing over Google+'s security woes. (ZDNet)
- Hertz now allows facial recognition to rent cars. (Nextgov)
- The GAO nixed IBM's protest over the Defense Department cloud. (Washington Post)
- Scammers steal $1 million from Save the Children because criminals are not nice people. (Boston Globe)
Codebook will return on Tuesday