Welcome to Codebook, coming to you from the Aspen Security Forum. We're the first cybersecurity newsletter with altitude sickness.
Tips? Feel free to reply to this email.
1 big thing: Putin's offer is a laugh line at Aspen
Wednesday afternoon, the White House said it was considering a Russian offer for U.S. investigators to observe Russian officers question other Russians recently indicted for hacking several Democratic groups. Americans could sit in on those interrogations in exchange for letting Russia interrogate Americans, including former U.S. ambassador Michael McFaul.
Wednesday evening, here at the Aspen Security Forum, this idea was raised in an interview with FBI director Christopher Wray — and a wave of laughter rolled through the audience.
- Moderator Lester Holt started a question: "The offer was made by Mr. Putin himself to allow agents to travel to Russia and observe the questioning of suspects." The audience made it to "Putin" before beginning to crack up.
Why it matters: The roster of speakers at the Aspen Security Forum includes appearances by director of national intelligence Dan Coats, secretary of homeland security Kristjen Nielsen and deputy attorney general Rod Rosenstein. The room is full of government insiders, industry execs, independent experts, and specialist journalists.
This is the audience laughing at the idea of the Trump-Putin interrogation quid pro quo — and yet it is an idea that the president appears to be seriously entertaining, or at least not forthrightly rejecting.
- At Wednesday's White House press briefing, press secretary Sarah Huckabee Sanders said of the Russian offer: "There was some conversation about it but there wasn’t a commitment made on behalf of the United States. The president will work with his team, and we’ll let you know if there’s an announcement on that front.”
McFaul's name didn't come up in the Wray interview, but allowing foreign agents to interrogate a U.S. ambassador would break key norms that protect diplomats. A Daily Beast headline put it: "U.S. Officials ‘at a F---ing Loss’ Over Latest Russia Sell Out."
What they're saying: In Aspen, Wray referred all questions on the Mueller probe, which brought the indictments against the Russians, to Mueller himself. But asked in the abstract whether he'd allow Russia to interrogate suspects in the FBI's place, he answered: "I don't want to say never about anything, but it's certainly not high on our list of investigatory techniques."
Would he allow Russians to interrogate Americans? "That's probably even lower on our list," Wray answered.
2. Wray on China's threat, and his own threat to quit
The FBI director's appearance contained several other interesting tidbits.
- Wray implied he threatened to quit over White House threats involving the Mueller probe. That story was broken in January by Axios' Jonathan Swan. Wray didn't answer moderator Lester Holt's question about the threat head on, but did say this: "I'm a low-key, understated guy, but that should not be mistaken for what my spine is made out of. I'll just leave it at that."
- Wray identified China as the broadest espionage threat to the United States and said he was glad Washington leaders from both parties were beginning to see it that way. China uses cyber operations, mixed with other techniques, to steal U.S. economic secrets like industrial processes and intellectual property. He added there were economic espionage cases in all 50 states, from seeds in the midwest to wind turbines on the east coast.
- Wray played bass in a high school band. Lester Holt said he also played bass, and that the two should jam. Bass duet, anyone?
3. Most retail site traffic aims to steal accounts
According to a Shape Security report, depending on a variety of factors, between 80% and 90% of web traffic to online retailers comes from automated programs trying to breach accounts.
Huh? The criminals that go into your Amazon account and buy stuff are typically not the guys who stole your password. They're at the end of a long chain of bad guys.
- A criminal group specializing in data breaches obtains lists of passwords, and sells them.
- A separate group ropes together a network of hacked computers all over the world, called a botnet.
- A third group writes configuration files that can use those botnets to rapidly test whether those passwords work without raising much suspicion.
- The criminal who coopted your Amazon account likely first bought a list of account details, rented a botnet, and hired someone to write a configuration file, all to whittle down a list of working passwords. That process is known as credential stuffing, and this is where the bulk of that automated traffic comes from.
We knew this is how the system worked. What we didn't know was how much of the commercial internet was taken up by this kind of traffic. Shape estimates that nearly all traffic to retail sites , 60% to airline sales sites, 40% to hotels and 40% to commercial banking come from credential stuffing.
4. Trump saw damning Russia evidence in Jan. 2017
The New York Times reports that when intelligence chiefs briefed then-president-elect Donald Trump about the Russia investigation in January, 2017, they showed him texts and emails from Russian operatives confirming the attack as well as reports from Putin confidants.
Why it matters: Trump has never fully embraced the intelligence community's assessment that Russia was behind hacks at the Democratic National Committee and other targets. As recently as Tuesday, he claimed other countries may have been responsible for the attack, while walking back similar comments from Monday.
We don't know what Trump believes in his heart. But the Times article shows just how much mental gymnastics it would take these past 19 months to legitimately believe there are still questions about Russian involvement.
5. DDoS attacks meant to DDiS-rupt democracy
Cloudflare tells Axios that most of the election-related attacks it has monitored appear to be non-partisan.
"The vast majority of the volume of those attacks target the infrastructure of democracy rather than supporting a candidate," said Matthew Prince, the firm's co-founder and CEO.
Why it matters: Cloudflare is involved in the election space in two ways. The company specializes in protection services for distributed denial of service (DD0S) attacks — low-tech attacks that flood servers with so much traffic they crash.
- Cloudflare's Athenian Project offers free services to government-run election websites.
- It also protects many high-profile candidates, including both sides of the recent, contentious Alabama senate election.
Prince said the state elections take the brunt of the damage. He wouldn't speculate on relative percentages.
Athenian is now in contact with officials in 72 different districts, in 27 states, including state officials in 19 states, according to statistics it released Thursday, alongside new informational products to promote campaign security.
6. The apolitical fake news industry has partisan roots
According to a new BuzzFeed News report, the Macedonian site that pioneered the fake-news model, monetizing tricking conservatives with spurious clickbait articles, was actually intended as a quasi-legitimate news source for the conspiracy-bound wing of the Republican party.
Why it matters: While the media and Congress often focus on Russian misinformation campaigns, much of 2016's fake news ecosystem came from apolitical Macedonians wanting to do little more than feast off the ad revenue from clicks. What this article suggests is that whole Macedonian industry rose from something more politically motivated — and tied to Americans.
7. Odds and ends
- Last week, Goldman Sachs said election hacking concerns will be good for cybersecurity stocks. (CNBC)
- The Girl Scouts added new badges for cybersecurity and space exploration. (The Verge)
- Someone is targeting the Ukrainian government with credential stealing malware. (ESET)
- Meet the small town leading India in cybercrime. (ZDNet)
- A new election cybersecurity bill will come up for vote today, but it doesn't include funding to replace vulnerable equipment, to the dismay of Democrats. (Washington Post)
Codebook will return Tuesday, from sea level.