May 2, 2019



Welcome to Codebook, the newsletter that hides "Avengers: Endgame" spoilers throughout the news stories.

1 big thing: How to stop the next "Huawei moment"

Illustration: Sarah Grillo/Axios

The U.S. is having a "Huawei moment," as security concerns prompt the Trump administration to try to block allies from using 5G equipment produced by the Chinese company. But policymakers and experts also fear the U.S. is ill-prepared to challenge Chinese dominance in the next waves of technology — opening the U.S. to another round of national security worries.

Why it matters: Today, neither the United States nor its closest allies manufacture 5G telecom equipment to compete with Huawei for global business. The same dynamic will play out with 6G and other markets unless the U.S. takes long-term measures today to challenge China's manufacturing power and prepare for the next Huawei moment.

Background: Huawei is accused of:

  • Placing backdoors in equipment to allow China to spy on telecom networks, allowing it to steal billions in intellectual property to prop up domestic businesses.
  • Building its business on the back of stolen intellectual property.
  • Ignoring sanctions against Iran.

There's also some fear in the U.S. that China's domination of any tech market hurts U.S. interests.

Driving the news: On Monday, the U.S. repeated its threat to limit intelligence sharing with the U.K., its closest ally, if Britain moves ahead with plans for limited use of Huawei equipment in its 5G buildout.

Between the lines:

  • Chinese companies like Huawei operate in a national economy that deliberately blurs the lines between the state and major private enterprises. In the U.S., conservatives typically oppose measures they see as putting a thumb on the scales of free and fair competition.
  • "Conservatives are worried that we'd harm fair competition in the market. But intellectual property theft makes it an unfair market," said Jamil Jaffer, former associate legal counsel for the George W. Bush White House. "Are we going to be able to compete if they use unfair practices? Of course not."

Jaffer believes that enforcing fair practices starts with penalizing China in trade negotiations for its theft of intellectual property.

  • While U.S. conservatives and many moderates typically oppose federal industrial policy as anti-capitalistic, Jaffer says an industrial policy motivated by national security concerns is really more of a national security policy.
  • "The core infrastructure on which our technology runs needs to be treated as national security infrastructure. We used to treat telephone wires that way — we treated the highway that way," he said.

The big picture: 6G isn't the only emerging technology with national security implications. Others include AI and quantum computing, and China is funding research in both those areas with the goal of dominating the market.

A pragmatic industrial policy would mean defending all those technologies, said Michael Daniel, CEO of the Cyber Threat Alliance and former cybersecurity coordinator for the Obama White House.

  • That might mean tax incentives or more subtle encouragement, like tailoring government procurement to favor allies. It would almost definitely mean investing in research.
  • It will also mean structuring government to better watch for technical trends. "We need an entity plugged in to emerging technologies and infrastructure risk," said Daniel.
  • While elements of government already partially do this, including the National Institute of Standards and Technology and the intelligence community, there's little connecting those predictions to policy.

The bottom line: It may be impossible to right the ship as quickly as we'd want.

  • "Just think of how long it took for the U.S. to not have a 5G manufacturer," said Daniel. "I’ve read lines of argument that trace it back to the breakup of AT&T [in the 1980s]. The time scales can be very long."

2. Trump drops demand China stop robbing U.S.

The Trump administration is dropping its trade negotiations demand that China cease hacking U.S. companies to steal intellectual property, according to the Financial Times.

Why it matters: Per the report, President Trump's team is softening its positions in order to finish a deal by the summer. But Chinese intellectual property theft is a multibillion-dollar drain on U.S. industry.

Details: It's cheaper to steal someone else's trade secrets than do the research and development yourself. China has used the technique to prop up entire industries, which can undersell the firms they steal from by passing savings on to consumers.

3. The curious case of Bloomberg's Huawei scoop

Bloomberg reported Tuesday that Vodafone's Italian division had discovered "backdoors" in its Huawei-brand telecommunications equipment in 2011 and 2012.

But, but, but: The story did not play well in the security community, where the evidence is seen as insufficient to support the central claims. It didn't make a strong case that the "backdoor" was anything more than a minor, unintentional problem. Vodafone's official stance was that it wasn't.

Here's what actually happened: The story was based on internal memos leaked to Bloomberg.

  • The "backdoors" were a number of security flaws that Vodafone found in security testing. All hardware and software have security vulnerabilities, so that doesn't seem particularly malicious.
  • One "backdoor" was Telnet, an extremely common communications protocol that many hardware manufacturers use for configuration. While Huawei used the industry standard way to make Telnet inaccessible via the wider internet, Vodafone has a policy of not allowing Telnet.
  • When Huawei fixed the equipment, it claimed it resolved the Telnet issue, but Telnet was still accessible.
  • According to the memos, Huawei said that Telnet couldn't be entirely removed from the router.

To be clear: This chain of events is common for manufacturers. It's hard to make the leap to claiming this was a backdoor based on the story.

  • This is where the story stopped.

However: Bloomberg may not have given a full account of the technical reasoning for believing the Telnet issue was intentional.

  • Bloomberg did not release the memos, so it's hard to verify any technical details.
  • Still, according to Stefano Zanero, an expert quoted in the story who did see the memos, the memos make Huawei seem sketchier than the story suggested.

According to Zanero, the following was left out of the story:

  • The Telnet service wasn't in guides explaining how the hardware worked.
  • The passwords to the Telnet service couldn't be changed, meaning that the manufacturer would always know how to hack the hardware.
  • It accepted connections in a nonstandard way, which made it seem hidden.
  • The Telnet service was successfully removed once but reintroduced later.

The bottom line: It still isn't a smoking gun. Even with Zanero's elaborations, to most of the security community, this has read like Vodafone employees attributing to malice what could be explained by incompetence.

4. We got better, but not good, at using open source code

60% of code audited by the open source security firm Synopsys in 2018 contained at least one out-of-date open source library with a vulnerability that has already been patched, according to a new report.

Why it matters: That's better than 2017, when 78% of programs had at least one vulnerability. That may be because in 2017, the massive Equifax breach happened on account of an already patched open source vulnerability.

Details: Almost all code — 96%, per the report — uses open source libraries.

  • "It's de facto now that you’ll end up with an open source component," said Tim Mackey, officially an "open source evangelist" for Synopsys.
  • But companies are often unaware of the need, or unmotivated, to update their code when new patches are released.
  • This is often due to code changes requiring a lot of testing to ensure uptime won't be affected, or a feeling that if they don't use the component that had the vulnerability, they don't need to update the library.
  • But code gets stale fast. 43% of already patched open source vulnerabilities found in code were more than a decade old.

5. Health and Human Services lowers fines for HIPAA violations

The Department of Health and Human Services reduced its fines for violations of HIPAA, the law requiring health care industries to protect customer data, according to a notice this week in the Federal Register.

Driving the news: The new rules reduce a maximum fine of $1.5 million to a maximum fine of $250,000.

  • HHS claims the changes in fines reflect a better reading of the law.
  • The law is ambiguous and poorly written, supporting both the new and old readings of the law, said Jon Moore, senior vice president and chief risk officer at Clearwater Compliance, a company that helps customers comply with HIPAA.

Details: The changes in fees may fundamentally alter how companies approach compliance fines, said Moore.

  • Investigations into HIPAA fines can take years.
  • "Most organizations who are investigated don’t end up paying penalties. Or they settle and enter a corrective action plan," he said. "But that might change. An organization may say 'I’d rather pay [the lowest-tier fine of] $25,000 than be investigated for years.'"
  • It's hard to say whether the changes will increase or decrease compliance with the law. It's now less costly not to comply. But by decreasing the penalty for organizations that comply with the law but still suffer a breach, the changes also make complying more attractive.

6. In case you missed last week

British Defense Secretary Gavin Williamson. Photo: Alberto Pezzali/NurPhoto via Getty Images

UK defense secretary fired over Huawei leaks: At the end of last week, someone leaked the results of a secret U.K. National Security Council decision to allow telecoms to purchase less critical equipment from Huawei. (CNN)

  • Theresa May blamed Defense Secretary Gavin Williamson, whom she then fired.
  • Williamson denies the allegations.

Fiserv cyber suit: The financial technology firm Fiserv, a major maker of banking software, is being sued by a Pennsylvania credit union over alleged "baffling security lapses," significant bugs and rampant billing errors. (Axios)

  • A representative for Fiserv emailed: "We believe the allegations have no merit and will respond to them as part of the legal process."

Citycomp files posted online: The German IT provider Citycomp, whose clients include Volkswagen and Hugo Boss, did not pay ransom on stolen client files, and the files have been posted online. (Sophos)

Financial services fraud up: Financial services firms saw 60% more email fraud last year, according to a report from Proofpoint.

7. Odds and ends

Codebook will return Thursday.

Correction: In last week's Codebook, Paul Rosenzweig's name was misspelled.