Axios Codebook

A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.

The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.

• Many countries operated more than one network, and six of the suspected countries — including Bahrain, Kazakhstan and Saudi Arabia — had histories of using spyware to target dissidents, journalists and other civil targets.
• Some uses veered toward the petty: One cluster of infections hit supporters of a soft drink tax in Mexico.

NSO is far from the only spyware maker that sells its tools to countries that might be repressive.

• It happens often enough that companies follow the same script. “They say, ‘We only sell to law enforcement. We’re self-regulating,'" says Bill Marczak, the author of the Citizen Lab report. "But if this wasn’t being used to target civil society, it would never cross our desks.”

We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.

Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.

Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.

• The nations of the Wassenaar Arrangement, an arms export pact that includes the U.S., EU and others, tried to use that agreement to slow the spread of commercial malware to repressive regimes in 2013.
• The move was ultimately a disaster. Poor definitions in the agreement inadvertently applied limits not just to spying tools, but to research into spying tools, security testing software and other products that might need to replicate something bad to accomplish something good. Researchers — and Congress — rebelled.

Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."

• Moussouris, the CEO of Luta Security, says better alternatives might include sanctions against misbehaving countries or intervention under the military's new cyber strategy.

There are no easy fixes. "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that, safely, given the lessons learned the last time nations tried.

Politico was first to report the expectation around Washington, D.C., that a bill to give the Department of Homeland Security a standalone cybersecurity and infrastructure security agency (to be named the Cybersecurity and Infrastructure Security Agency) will be brought to vote in the Senate as early as next week. It has been a priority at DHS dating back to the Obama administration.

Why it matters: The Cybersecurity and Infrastructure Security Agency Act, which passed the House in 2017, is seen as a rebranding of the more ambiguously named DHS group currently handling that portfolio — the National Protection and Programs Directorate (NPPD). The bill would also elevate the importance of the NPPD and give it more leeway to make organizational changes without Congressional approval.

Don't underestimate the importance of the reorganization. As a current "headquarters" level agency, the NPPD can't shift around its resources without significant oversight. DHS and lawmakers see that as a needless roadblock for the group tasked with, among other things, elections, grid and financial markets security.

• The bill would also streamline the department into three clearly delineated components: cybersecurity, infrastructure security and emergency communications.

What they're saying: "CISA will define our nation’s leading cybersecurity agency as a standalone operational organization clearly tasked with deploying DHS’ cybersecurity and infrastructure security missions," says Rep. John Ratcliffe (R-Texas), chair of the House Homeland Security Committee's subcommittee on cybersecurity and infrastructure protection.

But seriously, that name: If you didn't know what the NPPD does, the name is inscrutable. You can't tell from an organizational chart which branch of DHS handles cybersecurity. That's why DHS has made the name change alone a sizable component of their priority.

• Christopher Krebs, undersecretary in charge of NPPD who would become director of CISA, tells Codebook in an email: "This legislation allows us to focus on our core risk management mission and gives us a name — the Cybersecurity and Infrastructure Security Agency — that clearly describes who we are and what we do."

Bitcoin Core — software widely used to fuel the bitcoin cryptocurrency — patched a security flaw in its code on Wednesday that could give attackers the ability to crash the currency's infrastructure by maliciously manipulating the record-keeping system.

Why it matters: The technological appeal of bitcoin is, in part, that the records are distributed across the network. If a bad guy poisoned a block of 12.5 bitcoin (roughly $80,000), they could tear apart the network at its seams.

Many smaller coins also take advantage of their own rebuilds of the Bitcoin Core software, meaning those coins also have to patch.

Go deeper: Motherboard has a good rundown of the flaw.

Sen. Ron Wyden (D-Ore.) informed Senate leaders that a major tech company believes foreign hackers are targeting personal accounts and that Senate security won't address attacks against the personal (therefore unofficial) accounts, the AP reports.

Why it matters: It's easy to forget, but personal accounts played a major role in the 2016 election hacking scandal. Russia was never able to hack the Hillary Clinton campaign directly. Instead, it caused plenty of chaos by hacking campaign manager John Podesta's personal account.

• Akamai has tracked 30 billion malicious login attempts since last June, which seems like a lot. (Akamai)
• A history of the custom-made badge art that hackers bring to conferences. (Motherboard)
• "There’s no clarity on cyber security leadership coming from Washington," said Arthur House, Connecticut's chief cybersecurity risk officer. "We cannot rely on Washington to keep us safe. The states have to take the lead." (Connecticut Mirror)
• The creators of the Mirai Botnet, which weaponized insecure IoT devices, now fight crime with the FBI. (Wired)
• Facebook is opening an election security "war room" next week. (The New York Times)
• The UK fined Equifax £500,000 (about $664,000) over last year's mega breach, (ZDNet)
• Update: FireEye provides some forensic analysis of the group robbing city utility payment sites that run Click2Gov software. Codebook was the first news outlet to cover the nationwide thievery in June.