Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.
December 18, 2018

Welcome to Codebook, the cybersecurity newsletter doing laundry on New Year's Eve.

Questions? Comments? Tips? Reply to this email.

Since it's December, you're probably up to your elbows in pundits' predictions of what will happen in 2019. That's why Codebook has asked a series of cybersecurity experts what won't happen in 2019.

1 big thing: There won't be a Department of Cybersecurity

Photo: Justin Tierney/EyeEm via Getty Images

The idea that the United States needs a centralized, federal Department of Cybersecurity has long bounced around D.C.

But, but, but: Don't expect to see one anytime soon, said Suzanne Spaulding, former head of the Department of Homeland Security's National Protection and Programs Directorate (now called the Cybersecurity and Infrastructure Security Agency).

The argument for a separate department is pretty simple. Cybersecurity is an issue of growing importance, and it's one that many other nations, including Israel and England, consolidate under one roof.

The United States is, however, much bigger than either of those nations (or both combined).

In a new paper for the Center for Strategic and International Studies, Spaulding argues that a centralized system might weaken security for agencies and the organizations they protect.

  • "A significant piece of risk management is understanding the impact of cyberattacks to a business beyond its computer networks," said Spaulding. "Creating a cyber department, you separate IT people from missions people."
  • The Department of Homeland Security, she believes, is better equipped than a third-party agency to work on security standards for the critical infrastructure it is tasked with protecting.

The bottom line: Spaulding isn't saying that there's no use for centralized services. DHS provides many cybersecurity services across the government.

  • But granting regulatory or advisory authority to a new agency would sacrifice the institutional understanding the current agencies already have of their charges.

2. In 2019, no one will "kill the password"

No one likes passwords as a standalone tool to authenticate users. Since 2012, many groups have moved to "kill the password," using that phrase specifically. Yet we'll end the year of 2019 as password-dependent as always.

The big picture: The adage goes that there are three ways to authenticate users: asking them for a thing they know (like a password), a thing they have (like a house key) or a thing they are (like a fingerprint scan).

  • "A thing you know" is the only one of these a hacker can guess.

Everyone wants to kill the password. Google wants to kill the password. Microsoft wants to kill the password. The National Cyber Security Alliance wants to kill the password. Yahoo wanted to kill the password in 2015. Cellphone companies tried to kill it in 2014.

"Passwords won’t even be mostly dead anytime soon, because the fatality won’t spread to legacy applications that are too expensive to retrofit," said Wendy Nather, head advisory chief information security officer of Duo Security, a Cisco-owned company that specializes in bolstering login security.

The intrigue: There are other options than passwords for consumer-friendly security.

  • A widely supported passwordless encryption protocol called WebAuthn is the most recent attempt to codify a global standard.
  • Microsoft, and others, offer apps that use cellphones to authenticate.
  • Google and Facebook allow users to login once on their services and log into other sites based on their go-ahead.

But, but, but: Users have a tendency to assume that authentication systems that are easier to use are less secure — that, somehow, the amount of effort it takes the user to do something is indicative of how difficult it would be for a hacker to break in.

  • The Facebook breach shows some of the dangers of using a website with multiple moving parts as a centralized clearinghouse of user authentication.
  • And, in general, for the security savvy consumer, it's always safer to use multifactor authentication — say, a thing you have plus a password or a biometric plus a password.

Note: Wendy Nather is the sister of David Nather, managing editor at Axios.

3. The Kremlin won't take a year off between elections

In the United States, Russia's social media disinformation campaigns are often seen as an election-tampering issue. There's a good chance we'll spend 2019 talking about propaganda as something we have to prepare for before the 2020 election.

But, but, but: The propaganda isn't going anywhere in 2019. It's simply not tied to elections.

Russia uses these campaigns to create discord over divisive issues. There's nothing that says that kind of chaos can't happen outside of an election.

  • So while a report to the U.S. Senate from the University of Oxford and the intelligence company Graphika made headlines this week as a past-tense review of the 2016 election, one of its key findings got overlooked.
  • The study reaffirmed that Russian propaganda peaked after the election, specifically in April 2017.

What they're saying: "The Kremlin won’t stop their efforts to sow chaos and confusion," said Camille Francois, research and analysis director for Graphika. "Our recent investigation for the U.S. Senate shows how tempting it is for the Russians: It’s proven cheap, effective and creates havoc as platforms and governments attempt to get ahead of the threat."

You can confirm Graphika's work in other ways. The Justice Department's indictment of Elena Khusyaynova, the chief accountant of the Russian misinformation campaign, shows that spending increased after the election.

4. Hackers won't cause a civilization-ending blackout in 2019

A bonus from our archives: Hackers won't be able to crash the nation's energy grid for the simple reason that there is no single energy grid.

Read more about it in this Codebook piece from August, "Why crashing the grid doesn't keep cyber experts up at night."

5. See you in 2019

Photo: Malorny / Getty Images

This is the last issue of Codebook for 2018, the first year this newsletter has ever existed.

This was fun. Let's do it again next year.

6. Odds and Ends

  • U.S. ballistic missiles have bad cybersecurity. (ZDNet)
  • The Czech Republic is the latest country to bar Huawei's telecom equipment. (Czech Republic press release)
  • Fans of YouTuber PewDiePie hacked the Wall Street Journal. (The Verge)
  • Twitter patched a bug in a form to request support. It may have been been actively exploited. (Twitter)

Codebook will be back. Eventually.