Welcome to Codebook, the cybersecurity newsletter that's once again reminding you about Axios' upcoming Autonomous Vehicles newsletter. Don't make us remind you three times.
Tips? Hit reply on this email.
Protesters, like those in Cairo in 2011, can be targeted by government spyware on mobile devices. Photo: Karimphoto via Getty Images
A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.
The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.
NSO is far from the only spyware maker that sells its tools to countries that might be repressive.
We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.
Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.
Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.
Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."
There are no easy fixes. "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that safely, given the lessons learned the last time nations tried.
Politico was first to report the expectation around Washington, D.C., that a bill giving the Department of Homeland Security a standalone cybersecurity and infrastructure security agency (to be named the Cybersecurity and Infrastructure Security Agency) will be brought to a vote in the Senate as early as next week. It has been a priority at DHS dating back to the Obama administration.
Why it matters: The Cybersecurity and Infrastructure Security Agency Act, which passed the House in 2017, is seen as a rebranding of the more ambiguously named DHS group currently handling that portfolio — the National Protection and Programs Directorate (NPPD). The bill would also elevate the importance of the NPPD and give it more leeway to make organizational changes without Congressional approval.
Don't underestimate the importance of the reorganization. As a current "headquarters" level agency, the NPPD can't shift around its resources without significant oversight. DHS and lawmakers see that as a needless roadblock for the group tasked with, among other things, elections, grid and financial markets security.
What they're saying: "CISA will define our nation’s leading cybersecurity agency as a standalone operational organization clearly tasked with deploying DHS’ cybersecurity and infrastructure security missions," says Rep. John Ratcliffe (R-Texas), chair of the House Homeland Security Committee's subcommittee on cybersecurity and infrastructure protection.
But seriously, that name: If you didn't know what the NPPD does, the name is inscrutable. You can't tell from an organizational chart which branch of DHS handles cybersecurity. That's why DHS has made the name change alone a sizable component of its priority.
Photo: Yu Chun Christopher Wong via Getty Images
Bitcoin Core — software widely used to fuel the bitcoin cryptocurrency — patched a security flaw in its code on Wednesday that could give attackers the ability to crash the currency's infrastructure by maliciously manipulating the record-keeping system.
Why it matters: The technological appeal of bitcoin is, in part, that the records are distributed across the network. If a bad guy poisoned a block of 12.5 bitcoin (roughly $80,000), they could tear apart the network at its seams.
Many smaller coins also take advantage of their own rebuilds of the Bitcoin Core software, meaning those coins also have to patch.
Go deeper: Motherboard has a good rundown of the flaw.
Sen. Ron Wyden (D-Ore.) informed Senate leaders that a major tech company believes foreign hackers are targeting personal accounts and that Senate security won't address attacks against the personal (therefore unofficial) accounts, the AP reports.
Why it matters: It's easy to forget, but personal accounts played a major role in the 2016 election hacking scandal. Russia was never able to hack the Hillary Clinton campaign directly. Instead, it caused plenty of chaos by hacking campaign manager John Podesta's personal account.