January 29, 2019

Welcome to Codebook, the cybersecurity newsletter that sincerely regrets not headlining this article "Newsletter security misses DMARC."

Situational awareness: Intelligence leaders are meeting this morning with the Senate Intel Committee to discuss worldwide threats, including emerging cyber threats in Russia and China.

1 big thing: Huawei charges are tangled up in trade talks

Acting US Attorney General Matthew Whitaker announces a 13-count indictment of financial fraud charges against Huawei, Jan. 28. Photo: Saul Loeb/AFP/Getty Images

The allegations behind the Department of Justice's two new sets of charges against Chinese tech giant Huawei, announced Monday, had been discussed for years. But the U.S. made its move against Huawei at a critical moment for the Trump administration's high-stakes trade negotiations, as a Chinese delegation arrives in the U.S. for talks that begin tomorrow.

Why it matters: The trade talks are surrounded by a tightening knot of scandals for the world's largest telecommunications equipment provider. Even before yesterday's announcement, a growing number of countries had announced bans on Huawei's 5G gear over concerns that it could be used for Chinese espionage.

What they're saying: "There’s no way to separate the charges from the trade issue," said Thomas Duesterberg, Hudson Institute fellow and former assistant secretary for international economic policy at the Commerce Department. "The negotiations are in some ways meant to correct the advantages China got through activities that led to the charges."

The charges:

  • One set of charges being tried in Washington state says Huawei personnel stole the technology used in a T-Mobile robot that tests phones.
  • A second set, this time in New York, alleges that Huawei repeatedly misstated its relationship to a Hong Kong-based firm, Skycom, which the DOJ says was actually a subsidiary operating in violation of Iranian sanctions.
  • Huawei CFO Meng Wanzhou was arrested in Canada in December as part of the second set of charges.

An easy inference to make is that the two sets of charges were timed to influence the trade negotiations with China scheduled for Wednesday and Thursday.

  • Not so fast, some experts argue. While Trump has intimated that he might use Meng as a bargaining chip (a likely unconstitutional offer that may have jeopardized the extradition), the DOJ has distanced itself from the White House's trade negotiations.
  • There's a much more mundane explanation for the timing: Among U.S. allies, Canada is one of the toughest to obtain an extradition from, and it takes about this much time to go through the Canadian process, said Chris Ott, a former prosecutor with the DOJ's National Security Division and current partner at Davis Wright Tremaine.

The bottom line: While the administration largely believes a new trade agreement can stop China from skirting trade rules and reverse some of the long-term damage to U.S. interests, the DOJ penalties are more than just a bargaining chip in the trade negotiations.

  • The threat of arrest may be devastating for Huawei. While it likely won't end suspicions that Chinese companies take part in government-mandated espionage campaigns, it will dramatically raise the business cost of that participation.
  • "It may not be safe for Huawei executives to travel to extradition countries," said Ott. "It's hard to run an international business that way. They can never show up to CES again. They can’t even go to Japan."

2. What Washington is saying about Huawei

Sen. Tom Cotton (R-Ark.) said lawmakers should "impose the death penalty on Huawei, which is precisely what it deserves for violating our sanctions."

  • Cotton means a corporate death penalty. He backs legislation to ban U.S. exports of technology to Chinese telecom companies including Huawei and ZTE, itself a recent subject of U.S. penalties for violating trade sanctions.

Sen. Mark Warner (D-Va.) said, "This is also a reminder that we need to take seriously the risks of doing business with companies like Huawei and allowing them access to our markets, and I will continue to strongly urge our ally Canada to reconsider Huawei’s inclusion in any aspect of its 5G infrastructure."

  • Canada, unlike countries ranging from Australia to the U.S., has not banned the use of Huawei components in its 5G rollout.

3. Sen. Angus King on the virtues of analog tech

Sens. Angus King (I-Maine) and Jim Risch (R-Idaho) reintroduced the Securing Energy Infrastructure Act earlier this month, a bill designed to increase the amount of analog technology in the energy grid to bolster cybersecurity.

It's hard to hack an analog valve. "My issue is that merely patching the grid's vulnerabilities might not be a total solution to cybersecurity," King told Codebook.

Details: The bill directs the Idaho National Lab to investigate using analog technology to bolster grid security.

  • The point here isn't to replace the digital equipment, said King. Rather, it's to make sure there's an analog failsafe at key chokepoints to override the digital systems in the event of a cyberattack.

King said the idea for the bill came after one of Russia's attacks on Ukraine's power grid, where a power outage was reportedly minimized by using analog controls after utility workers lost control of the digital ones.

Background: The bill almost passed once before. "Had the House stayed in session one more day last year, it would have passed," laments King. The bill had passed the Senate and was slated for a voice vote in the House at the end of the session, but the clock ran out.

4. Report: New Iranian threat snags personal information

Iranians attend a rally in Tehran. Photo: Rouzbeh Fouladi/NurPhoto via Getty Images

A newly detailed espionage group is breaching the telecom and travel industries in a likely attempt to surveil individuals, according to a new report by FireEye.

Why it matters: FireEye believes the group is Iranian and has dubbed it APT39. This would be the first Iranian hacker group to focus on personal information. Others have conducted destructive attacks on industry, along with general espionage or influence campaigns.

APT39 has been active since at least 2014 and primarily targets Middle Eastern victims, though the U.S., Europe and Australia have seen some activity as well.

  • FireEye has been tracking the group since December.
  • APT39 appears to have a secondary focus on more traditional espionage against governments.

The bottom line: FireEye has "moderate confidence" the group is Iranian, based on the infrastructure and timing of the attacks, the choice of victims and similarities to another Iranian group, APT34.

5. Google extends free election protection to Europe

On Tuesday, Google and its altruism-focused corporate sibling, Jigsaw, announced they would extend free protection against a costly type of cyberattack to European candidates and campaigns in the 2019 EU Parliament elections.

The big picture: The program, dubbed Project Shield, blocks distributed denial of service (DDoS) attacks, which flood a target with more traffic than its servers or network links can handle until the site stops responding. Absorbing floods of that size takes dedicated filtering capacity sitting in front of the target, which many campaigns either don't know about or can't afford.
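The difference between a flood a single server can shrug off and one that needs upstream capacity is easier to see on data. What follows is an added example, not code from Google, Jigsaw or this newsletter: a small Python script that parses constructed access-log lines, buckets requests per second, and separates a flood from one client (which a per-IP rate limiter on the server itself can stop) from a distributed flood where every source stays under any per-client limit and only the aggregate volume gives it away. The thresholds, IP ranges and log lines are all invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical thresholds chosen for this example. Real values come from the
# site's own measured traffic, not from this script.
BASELINE_RPS = 5        # normal requests/second for a small campaign site
PER_IP_LIMIT_RPS = 20   # what a per-client rate limiter on the server would allow

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)')


def parse_line(line):
    """Parse one Common Log Format line into (ip, datetime, request, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, req, int(status)


def analyze(lines):
    """Bucket requests per second at the busiest second and classify the pattern."""
    per_second = defaultdict(Counter)   # second -> Counter(ip -> hits in that second)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip malformed lines rather than crash
        ip, when, _req, _status = parsed
        per_second[when][ip] += 1
    if not per_second:
        return {"verdict": "no traffic", "peak_rps": 0, "peak_sources": 0}

    # Busiest second decides the verdict: that is where the pipe saturates.
    _sec, peak = max(per_second.items(), key=lambda kv: sum(kv[1].values()))
    peak_rps = sum(peak.values())
    top_ip, top_hits = peak.most_common(1)[0]

    if peak_rps <= BASELINE_RPS * 4:
        verdict = "normal"
    elif top_hits > PER_IP_LIMIT_RPS:
        # One client dominates: a per-IP limiter or a single block entry stops it.
        verdict = "single-source flood: rate-limit or block the top client"
    else:
        # Many clients, each under the per-IP limit. The server cannot tell them
        # from legitimate users, and the aggregate volume has to be absorbed
        # upstream of the server, which is what a scrubbing proxy is for.
        verdict = "distributed flood: per-IP limits do not help, needs upstream filtering"
    return {"verdict": verdict, "peak_rps": peak_rps, "peak_sources": len(peak),
            "top_ip": top_ip, "top_hits": top_hits}


def synth_log(n_sources, seconds, hits_per_source_per_second):
    """Constructed log lines: n_sources clients, each sending the given rate (invented data)."""
    lines = []
    for s in range(seconds):
        for i in range(n_sources):
            ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            for _ in range(hits_per_source_per_second):
                lines.append(f'{ip} - - [29/Jan/2019:09:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512')
    return lines


# Three constructed scenarios: ordinary traffic, one abusive client, a botnet.
NORMAL = synth_log(n_sources=3, seconds=5, hits_per_source_per_second=1)        # 3 rps
SINGLE = synth_log(n_sources=1, seconds=5, hits_per_source_per_second=200)      # 200 rps, one IP
DISTRIBUTED = synth_log(n_sources=2000, seconds=5, hits_per_source_per_second=1)  # 2000 rps, 1/IP

if __name__ == "__main__":
    for name, lines in (("normal", NORMAL), ("single", SINGLE), ("distributed", DISTRIBUTED)):
        print(name, analyze(lines))
```

The point of the third scenario is that detection and mitigation are different problems: the script can tell a distributed flood is happening, but the rate limiter it would reach for lives on the same machine whose bandwidth is being exhausted, so the only fix is to put filtering capacity in front of it, which is the service Project Shield provides.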

Project Shield already covers global charitable groups and U.S. elections. But Scott Carpenter, Jigsaw's managing director of international policy, said legal complications make offering the free service to campaigns elsewhere a complicated endeavor.

  • "Part of the reason we can't offer Project Shield to campaigns worldwide is working out legal and policy. In certain jurisdictions, you aren’t able to provide a free service to campaigns, and our legal team has to clear that country by country," he told Codebook.

Despite the availability of free services like Project Shield, not everyone who can be protected is protected.

"In an ideal world, you would not read any stories where an important electoral institution would go down from DDoS," said Carpenter. "There’s no reason if we offer a free service to go unprotected."

6. Europol now going after DDoS-for-hire customers

Europol announced Monday that it had shared data with law enforcement agencies worldwide about the customers of a DDoS-for-hire website that authorities shut down in April.

Why it matters: DDoS-as-a-service sites, in this case WebStresser.org, are a low-effort way for bad guys to knock victim websites offline. And they are popular: Europol lists WebStresser as having 151,000 registered users.

7. Odds and ends

We'll be back on Thursday. It can't be stopped.