Welcome to Codebook, live(ish) from RSA! Send all advice and comments to Joe by replying to this email or by yelling loudly, whichever you find more effective.
Illustration: Sarah Grillo / Axios
The Trump administration is blaming foreign governments for cyber attacks at more than 8 times the rate of its predecessors.
Over 8 years, the Obama administration attributed attacks to foreign governments only 4 times. With an attribution of an attack on internet infrastructure to Russia on Monday, Trump's tally is now 6.
Why it matters: Attributions are accusations that a nation committed a destructive crime on foreign soil. They embarrass governments, cause businesses to be skeptical of international partners, and hang an albatross on international relations. Most important, they demand some form of response from leaders.
The big picture: Trump's rapid attribution pace doesn't necessarily correlate to changes in the actual pace of attacks. It might be that Obama held back from naming names in hopes of improving relations with aggressors. Or it might be that Obama (and Trump, too) set precedents that Trump is now pressured to follow.
Geopolitical change: Michael Daniel, Obama's cybersecurity coordinator, said there is nothing to suggest an uptick in the number of attributable attacks since his era. He told Axios that some of the increase in attributions has a geopolitical basis.
"If you no longer have to worry about causing a greater rift in a relationship with Russia, it's easier to pull the trigger."— Michael Daniel, Obama administration cybersecurity coordinator
The growing body of precedent is another possible factor. When Trump's Justice Department indicted a private Iranian military contractor for theft of intellectual property and academic research, it harkened back to a 2013 indictment of Chinese military officers for IP theft.
"It's the power of setting precedents," said New America Foundation senior fellow Peter Singer via email. When new incidents unfold that match previous ones, there's an existing template for what you're supposed to do — and questions arise if you don't act.
The Trump administration is gearing up to announce and implement a national cybersecurity strategy, and vacancies on the White House cybersecurity team may extend the wait.
Here's what Obama era cyber czar Michael Daniel told Axios about the recent departures of his successor, Rob Joyce, and of White House homeland security adviser Tom Bossert:
"It will inevitably slow down implementation of the [White House cybersecurity agenda] — there's no avoiding it — but career staff is still in place to do most of the work."
Go deeper on the potential for cybersecurity policy delays.
Codebook is still coming at you from the RSA Conference, the annual parade of the newest cybersecurity wares. Here's what caught our attention:
The FDA announced plans Tuesday to ask lawmakers to provide it with more regulatory authority over the security of medical devices.
Why it matters: No one wants their pacemaker hacked.
The details: The FDA plan includes measures security advocates have long asked for:
Positive reviews: Beau Woods of the advocacy group I Am the Cavalry emailed Axios, "It’s clear FDA views cyber safety as a priority in protecting trust and trustworthiness of the public health system."
You've tried getting tough with your employees to bolster your company's security. Have you tried being nice? This was Akamai chief security officer Andy Ellis's pitch to Axios at RSA.
"I could have told you about solving problems with data," he said "but at the end of the day, data doesn't solve problems. People do."
Efficency: Ellis believes that the traditional business practice, which sets up security officers and other employees as adversaries, is wildly inefficient.
"What we expect from employers is this feudal model," he told Axios. "It's the wrong model."
The reasoning: Ellis receives more security leads through honey than vinegar. He has a simple rule: If you tell him about a potential security problem, you get to set the schedule to fix it. "We've only had one person abuse it," he said.
The result: "Tactically, it's faster on any given day to be hierarchical. But over the course of a year, we get more done working with employees than against them," he said. "It used to take a month to get anything done. Now, if it takes a month, it will be talking about the best solution to a problem, not whether or not there is a problem."
A 19th century wax model of the human brain. Photo: SSPL/Getty Images
In the event that cybersecurity has still not been solved by Tuesday of next week, Codebook will return then. There's still a day left in RSA. Who knows?