Welcome to Codebook, true believers, the only cybersecurity newsletter that accidentally stole a pen from the Department of Homeland Security and is now kind of concerned that might technically be a federal crime.
I'd love to steal your story ideas. Just reply to this email address.
French President Emmanuel Macron appears with President Trump before a lunch at the Elysee Palace in Paris on Nov. 11. Photo: Jacques Demarthon/AFP via Getty Images.
The United States has not signed the Paris Call for Trust and Security in Cyberspace, a pact between 51 countries and hundreds of the important companies in tech, nonprofits and universities. At least, not yet.
The big picture: Signatories tell Axios that the U.S. hasn't shut the door on the agreement of general principles for internet security. The agreement, a first-of-its-kind document involving both the public and private sector, could be a significant step toward a global understanding of what countries are and aren't permitted to do online — but that's likely only if the U.S. lends its heft.
What they're saying: "It is a missed opportunity for the U.S., especially because the agreement is nonbinding," Peter Singer, a strategist and senior fellow at the New America Foundation, told Codebook via email.
The Paris Call is a handshake establishing principles, including:
Other odds and ends: It also stipulates:
Who didn't sign: The U.S. is not the only nation that didn't sign the Paris Call. But many of the other nonsignatories skew in an unflattering direction: They include North Korea, Russia, Iran and China.
The intrigue: The United States appears to have two motivations not to sign.
1. Trump hates these things. President Trump likes deals, not agreements. He likes bilateral, transactional things where he feels like the U.S. comes out ahead. This is more of a zero-sum affair, where everyone in the world benefits because everyone gives something up.
2. Big dogs don't like fences. And nearly all the major cyber powers (U.S., North Korea, China, Iran, Russia and Israel) stayed out of the agreement, likely hesitant to place even nonbinding restrictions on how they act. One exception is the United Kingdom, who signed the agreement.
Also in Paris, President Emmanuel Macron announced on Monday a new plan to send "regulators" to Facebook to fight hate speech.
Why it matters: While regulators around the world put different filtering restrictions on Facebook — Germany has Facebook filter Nazi messaging, for example — this is the first instance of a government sending chaperones.
The announcement: "I'm delighted by this very innovative experimental approach," Macron said (as quoted by NBC). "It's an experiment, but a very important first step in my view."
The response: “As Mark Zuckerberg has said, with the Internet growing in importance in people's lives we believe that there will be need for regulation. ... We are grateful to the French Government for its leadership on this co-regulatory approach and look forward to working together over the next months," Nick Clegg, Facebook vice president of global affairs, emailed Codebook.
Our thought bubble: It's tough to imagine the French approach — placing government speech watchdogs onsite at social media networks — flying for the U.S. public, given American free speech traditions as well as wide partisan differences over what constitutes hate speech.
WannaCry, once the greatest cybersecurity calamity in history, now doesn't work. A website critical to its function is now controlled by civic-minded security researchers, and the fixed deadline to pay the ransom has long passed. Yet WannaCry still accounts for 28% of ransomware attacks — the most of any ransomware family.
The big picture: According to a new study by Kaspersky Lab, the defanged North Korea linked ransomware is still spreading uncontrollably. The spreading mechanism that passed WannaCry from victim to victim that was so virulent in the 2017 attack is still active, even if the ransomware itself isn't.
What they're saying: "This is not an uncommon occurrence, as there are multiple currently defunct worms that are still automatically spreading in the wild and infecting unpatched/unprotected machines," wrote Fedor Sinitsyn, senior malware analyst, via email.
Google apps web traffic was mysteriously routed through Russia and China on Monday, in what some security experts anticipate was an attack on one of the internet's core networking protocols. It could also have been caused by something as simple as a typo in Russia or China. The internet is fragile.
What is clear is that on Monday, something was horribly amiss in the border gateway protocol (BGP).
What is not clear is whether this was an intentional attack. Given the countries involved, it's very possible it was, although due to the way internet traffic is encrypted, China would have needed to let the internet traffic through to Google to do full-throttle surveillance.
Quartz reports that the DEA, ICE and local police offices have contracts to hide security cameras in streetlights.
The bottom line: This shouldn't be a problem for privacy minded people so long as they can avoid light.