Welcome to Codebook, the cybersecurity newsletter with a line graph.
Today's newsletter is 1,308 words, a 5-minute read.
1 big thing: China's move on face-recognition standards
Chinese tech companies have ramped up efforts to set technical standards for facial recognition, raising concerns among business competitors, political observers and humanitarian advocates.
Why it matters: China has long made a systematic effort to set international standards on data and hardware compatibility across brands so that the standards reflect how Chinese products already work — giving its domestic industries a leg up in engineering races.
- But the nation's push to do so on behalf of facial recognition and surveillance industries that it built to surveil and subjugate the nation's Uighur ethnic minority is casting its standards efforts in a new, harsher light.
Driving the news: Several Chinese firms, including ZTE, Dahua and China Telecom, have sought approval at the International Telecommunication Union, a UN technical standards body, for technical standards allowing different companies' surveillance technology — including facial recognition — to work together.
- China's surveillance industry has grown in no small part due to funding research and buying equipment to fuel a high-tech human rights crisis. China has sent more than 1 million Uighurs to re-education camps while developing systems that identify race using facial features.
To be clear: Technical standards do not commit atrocities.
- Facial recognition technology has legitimate uses, from unlocking phones to identifying missing persons, and to use data or software across different brands of products, there needs to be standardized hardware and file formats.
But, but, but: China will likely use the technical standards to claim a UN seal of approval for its use of its products.
- Humanitarian groups worry about a feedback loop, where standards set to create Chinese surveillance industry successes will fund more research into technologies domestically used for oppression, which can then be sold for profit to create new business success.
The big picture: China has tried to use this standards approach to corner entire industries, including telecommunications. Facial recognition techniques represent a particularly thorny part of a broader effort to control artificial intelligence standards.
- By the time complex infrastructure schemes are entrenched in poorer nations, including those in Africa and Asia, they become extremely difficult to alter.
- “China offers equipment and funding to modernize those countries on the condition they use these standards, making them even harder to change,” said Tom Duesterberg, senior fellow at the Hudson Institute.
- That’s bad for technology. “One thing we don't talk about as much is how China’s rush to entrench its standards precludes other technical standards,” said Kara Frederick, fellow at the Center for a New American Security. “It stops innovation wherever China decides to stop it.”
Between the lines: Technical standards are conventionally seen as modular schematics for emerging technologies. For instance, they explain how to encode an MP3 file so it will play on any device — not what an MP3 file should be allowed to encode.
- So a technical standards body, at least as we currently envision it, might not be an effective place to address geopolitical or humanitarian issues.
- But there aren't too many other battlegrounds for challenging China on the Uighur issue. Several humanitarian groups are taking the human rights fights to the ITU.
- There is a second option that some, including Frederick, specifically mention: A U.S. technology policy that funds domestic research and development, so that the U.S. remains in the conversation as China picks future standards fights.
2. Report: Iran debuted new destructive wiper malware
IBM's X-Force IRIS research team reports that Iran is using a new disk-deleting "wiper" malware in destructive attacks.
Why it matters: Wiper malware is behind some of the most destructive attacks in history. Iran's OilRig group used malware known as Shamoon to substantially disrupt operations at Saudi Aramco.
The newly discovered malware, dubbed ZeroCleare, uses legitimate data modification software known as EldoS RawDisk to delete systems.
IBM sees several similarities between ZeroCleare and Shamoon, and the company believes the same actor is behind both attacks.
- IBM has only seen one instance of ZeroCleare being used, against an energy firm in the Middle East. But Iran has only used Shamoon in a handful of attacks since it first arrived in 2012.
3. The difference between Russia and Ukraine on election meddling
Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said this week that Ukraine meets the standard for election meddling that people first held Russia to. But that's not what the numbers show (we have a graph!).
Why it matters: While Burr didn't draw a moral equivalence between Russia — which committed several crimes on U.S. soil during the 2016 election — and what we know about Ukraine, he muddled the debate in that direction.
Driving the news: "You considered Russia meddling with just the preference they had before you knew the rest of it," said Burr. "Apply the same standard to Ukraine."
- "It was called meddling when it was just Russia had a preference on who would win. And I'm saying, you can't go any further than that until somebody investigates Ukraine."
But, but, but: Codebook analyzed 1,847 news stories from 179 news sources that used the words "Russia," "election," "meddling" and their derivatives between Jan. 1, 2014, and Jan. 1, 2017. And it's pretty clear the concept of Russian election meddling didn't enter the American zeitgeist until the WikiLeaks email leaks on July 25.
- That was the first time 10 news sources even used the three words in the same article in one day, and the time newspapers started using all three together to describe the 2016 election.
- That set off a chain of events, especially with President Trump's request that Russia hack Hillary Clinton's emails three days later, when the term "Russian election meddling" started to enter the news lexicon.
- When the stories weren't talking about Russian cyber measures, they simply weren't talking meddling.
- In fact, there wasn't a broad understanding that Russia preferred Trump until after the hacking confirmed it. Republicans argued the hack couldn't be Russia because Russia would prefer a Democrat.
Burr did not respond to a request for comment.
4. Other news from last week
Voting machines break down during Pennsylvania elections (New York Times): Mechanical and design problems in voting machines in Northampton County, Pennsylvania, nearly gave the election to the wrong judicial candidate.
- The elections were saved by two measures often discussed in the context of election security: paper backups and audits.
- If you're on the fence about regularly funding election security, many of the same solutions defend elections from human and mechanical error as well. While the Northampton County machines were new, modern, electronic voting machines only have a 10-year shelf life — they need to be replaced regularly.
Researcher arrested after advocating cryptocurrency in North Korea (DOJ): Virgil Griffith, a developer for the Ethereum cryptocurrency, was arrested after presenting on cryptocurrency in Pyongyang for helping North Korea evade U.S. sanctions.
- Griffith, an American living in Singapore, allegedly admitted in personal communications that he knew he was violating sanctions.
- Cryptocurrency doesn't pass through the global banking system, making sanctions harder to enforce.
Hackers are evading an Outlook security patch (FireEye): Microsoft first patched a vulnerability in Outlook in 2017. But the patch can be dodged.
- FireEye reports an uptick in hackers using a security flaw known as CVE-2017-11774, a favorite technique of the Iranian hackers APT33 (also known as Holmium, Refined Kitten and Elfin).
- The problem is a maintenance issue — if IT staff doesn't continually correct settings, the patch ceases to work.
5. Odds and ends
- Codebook recommends this hearing on privacy legislation you probably missed watching some other hearing yesterday.
- Homeland security updates its airport facial recognition plans. (Axios)
- Maybe 5G isn't such a big deal. (Ars Technica)
- Russia is working on technology to seize cryptocurrencies. (TASS)
- Huawei sued the FCC over its telecommunications equipment ban. (New York Times)
- Meanwhile, middle-class unrest and an employment dispute have damaged Huawei's reputation in China. (New York Times)
- You, too, can be a government (Krebs on Security)
- Hackers are swiping credit cards from hotel front desks. (Kaspersky)
- Millions of SMS messages were exposed by a leaky database. (TechCrunch)
- Europol took down more than 30,000 piracy websites. (Europol)
- China outlawed deepfakes. (The Verge)
- Debate settler of the day: "Ewoks are the most tactically advanced fighting force in Star Wars." (Wired)
This is the last Codebook for 2019. We have decided there will be no more cyber news until next year.