Apr 19, 2018

Axios Codebook


Welcome to Codebook, live(ish) from RSA! Send all advice and comments to Joe by replying to this email or by yelling loudly, whichever you find more effective.

1 big thing: Trump's cyber attribution spree

Illustration: Sarah Grillo / Axios

The Trump administration is blaming foreign governments for cyber attacks at more than 8 times the rate of its predecessors.

Over 8 years, the Obama administration attributed attacks to foreign governments only 4 times. With an attribution of an attack on internet infrastructure to Russia on Monday, Trump's tally is now 6.

Why it matters: Attributions are accusations that a nation committed a destructive crime on foreign soil. They embarrass governments, cause businesses to be skeptical of international partners, and hang an albatross on international relations. Most important, they demand some form of response from leaders.

The big picture: Trump's rapid attribution pace doesn't necessarily correlate to changes in the actual pace of attacks. It might be that Obama held back from naming names in hopes of improving relations with aggressors. Or it might be that Obama (and Trump, too) set precedents that Trump is now pressured to follow.

Geopolitical change: Michael Daniel, Obama's cybersecurity coordinator, said there is nothing to suggest an uptick in the number of attributable attacks since his era. He told Axios that some of the increase in attributions has a geopolitical basis.

"If you no longer have to worry about causing a greater rift in a relationship with Russia, it's easier to pull the trigger."
— Michael Daniel, Obama administration cybersecurity coordinator

The growing body of precedent is another possible factor. When Trump's Justice Department indicted a private Iranian military contractor for theft of intellectual property and academic research, it harkened back to a 2013 indictment of Chinese military officers for IP theft.

"It's the power of setting precedents," said New America Foundation senior fellow Peter Singer via email. When new incidents unfold that match previous ones, there's an existing template for what you're supposed to do — and questions arise if you don't act.

  • Trump team's attribution that Russia was behind the NotPetya malware attack followed its announcement of North Korea's role in the similar WannaCry attack.
  • The growing body of Russian attacks has cleared the way to attribute similar attacks, from Obama's post-election attribution of the Grizzly Steppe campaign to Trump's attributions of energy and internet infrastructure attacks.
2. White House exodus may slow cybersecurity policy

The Trump administration is gearing up to announce and implement a national cybersecurity strategy, and vacancies on the White House cybersecurity team may extend the wait.

Here's what Obama era cyber czar Michael Daniel told Axios about the recent departures of his successor, Rob Joyce, and of White House homeland security adviser Tom Bossert:

"It will inevitably slow down implementation of the [White House cybersecurity agenda] — there's no avoiding it — but career staff is still in place to do most of the work."

Go deeper on the potential for cybersecurity policy delays.

3. The buzz from RSA

Codebook is still coming at you from the RSA Conference, the annual parade of the newest cybersecurity wares. Here's what caught our attention:

  • It's nothing new that bots can do some of hackers' busywork , but Cybereason detailed startling new complexity in attacks on a honeypot system designed to be breached. A bot did detailed reconnaissance —hunting for banking, dating and shopping site information, searching through memory for user passwords and creating a detailed map of the system. A hacker then swooped in, knowing exactly where to look for all the best stuff. (Cybereason)
  • Kits to hack nearly all makes of connected cars — typically via USB ports and other in-person attacks — are available in criminal markets and forums. Some allow owners to add features. Others allow attackers to pounce. (Kaspersky Lab)
  • The RSA phone app required a ton of permissions, an odd move for a security conference. (Twitter)
  • The Department of Homeland Security demoed several technologies invented in public-private partnerships. (DHS)
  • The OURSA Conference ran industry-star-studded counter-programming set up after RSA's initial announcement of keynote speakers contained only one woman. RSA later added more women. (Axios)
  • Pro-tip (and likely joke) from HackerOne CEO Mårten Mickos: "To make the most of [RSA], don’t attend. Hang out at the Four Seasons lobby and go to all the evening receptions." (Twitter)
4. FDA proposes new medical device security rules

The FDA announced plans Tuesday to ask lawmakers to provide it with more regulatory authority over the security of medical devices.

Why it matters: No one wants their pacemaker hacked.

The details: The FDA plan includes measures security advocates have long asked for:

  • Manufacturers would have to provide a software "bill of materials" listing what third-party computer code was used in a device. This can help make it clear if out-of-date software includes known security vulnerabilities.
  • All devices would have to be patchable. Medical devices are intended to last for years. Over time, researchers will find security flaws in nearly all computerized products, no matter how well-engineered they are. Patches are the only way to close those gaps.
  • Companies would be required to have coordinated disclosure programs — a fancy term for a plan allowing researchers to contact companies when they find security flaws, take credit for their discoveries and hold a company accountable if it slow-walks a patch.

Positive reviews: Beau Woods of the advocacy group I Am the Cavalry emailed Axios, "It’s clear FDA views cyber safety as a priority in protecting trust and trustworthiness of the public health system."

5. Firm catches more bugs with honey than vinegar

You've tried getting tough with your employees to bolster your company's security. Have you tried being nice? This was Akamai chief security officer Andy Ellis's pitch to Axios at RSA.

"I could have told you about solving problems with data," he said "but at the end of the day, data doesn't solve problems. People do."

Efficency: Ellis believes that the traditional business practice, which sets up security officers and other employees as adversaries, is wildly inefficient.

"What we expect from employers is this feudal model," he told Axios. "It's the wrong model."

The reasoning: Ellis receives more security leads through honey than vinegar. He has a simple rule: If you tell him about a potential security problem, you get to set the schedule to fix it. "We've only had one person abuse it," he said.

The result: "Tactically, it's faster on any given day to be hierarchical. But over the course of a year, we get more done working with employees than against them," he said. "It used to take a month to get anything done. Now, if it takes a month, it will be talking about the best solution to a problem, not whether or not there is a problem."

6. Odds and ends

A 19th century wax model of the human brain. Photo: SSPL/Getty Images

  • Brain implants might be hackable. (The Register)
  • The U.S. Army is looking to use quantum mechanics to create less hackable machines. (Motherboard)
  • A House subcommittee approved four energy security bills and a new House bill would allow the President to identify foreign cyber threats and respond with sanctions. (The Hill)
  • Chrome is (finally) silencing sounds from auto-play. (Naked Security)
  • Microsoft claims its new Chrome extension will make Chrome safer. (Ars Technica)
  • Facebook will change the user agreements for more than a billion users outside Europe who had been given the protections of European Union laws, now that EU privacy laws are getting stricter. Now they'll be protected by laxer U.S. laws. (Reuters)

In the event that cybersecurity has still not been solved by Tuesday of next week, Codebook will return then. There's still a day left in RSA. Who knows?