Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

November 13, 2018

Welcome to Codebook, true believers, the only cybersecurity newsletter that accidentally stole a pen from the Department of Homeland Security and is now kind of concerned that might technically be a federal crime.

I'd love to steal your story ideas. Just reply to this email address.

1 big thing: U.S. hasn't signed cyber principles — yet

Photo of Trump and Macron looking in opposite directions.
French President Emmanuel Macron appears with President Trump before a lunch at the Elysee Palace in Paris on Nov. 11. Photo: Jacques Demarthon/AFP via Getty Images.

The United States has not signed the Paris Call for Trust and Security in Cyberspace, a pact between 51 countries and hundreds of the important companies in tech, nonprofits and universities. At least, not yet.

The big picture: Signatories tell Axios that the U.S. hasn't shut the door on the agreement of general principles for internet security. The agreement, a first-of-its-kind document involving both the public and private sector, could be a significant step toward a global understanding of what countries are and aren't permitted to do online — but that's likely only if the U.S. lends its heft.

What they're saying: "It is a missed opportunity for the U.S., especially because the agreement is nonbinding," Peter Singer, a strategist and senior fellow at the New America Foundation, told Codebook via email.

The Paris Call is a handshake establishing principles, including:

  • Human rights should extend to online spaces.
  • Countries should work together to prevent the theft of intellectual property (as China is accused of doing), election tampering (as Russia is accused of orchestrating) and destabilizing the core of the internet (as China may have done through BGP hijacking).
  • Countries should never release malware causing indiscriminate harm to the public (as Russia and North Korea are accused of doing with NotPetya and WannaCry).
  • The private sector will not risk collateral damage by "hacking back" their hackers.

Other odds and ends: It also stipulates:

  • Disclosure programs and other basic cybersecurity measures are generally good.
  • The private sector must play a role in comprehensive security plans.

Who didn't sign: The U.S. is not the only nation that didn't sign the Paris Call. But many of the other nonsignatories skew in an unflattering direction: They include North Korea, Russia, Iran and China.

  • 3 out of 5 of the nations in the powerful Five Eyes alliance signed the accord. (The U.K., Canada and New Zealand did. The U.S. and Australia did not.) Israel didn't sign, either.

The intrigue: The United States appears to have two motivations not to sign.

1. Trump hates these things. President Trump likes deals, not agreements. He likes bilateral, transactional things where he feels like the U.S. comes out ahead. This is more of a zero-sum affair, where everyone in the world benefits because everyone gives something up.

  • "The problem is that so many threats to U.S. security simply can't be solved in that way. Whether it is cybersecurity or environmental or nuclear nonproliferation issues, they are multilateral and multilayered," said Singer.

2. Big dogs don't like fences. And nearly all the major cyber powers (U.S., North Korea, China, Iran, Russia and Israel) stayed out of the agreement, likely hesitant to place even nonbinding restrictions on how they act. One exception is the United Kingdom, who signed the agreement.

  • "While the goal of the Call is laudable, and the list of industry signatories in particular is impressive, without the U.S. and other offensive-minded states as signatories, it feels a bit like the players on the sidelines telling the ones in the game to stop playing," said Betsy Cooper, a one-time attorney and adviser at the Department of Homeland Security who was just named director of the new Aspen Tech Policy Hub.

2. France to send government officials to Facebook to fight fake news

Also in Paris, President Emmanuel Macron announced on Monday a new plan to send "regulators" to Facebook to fight hate speech.

Why it matters: While regulators around the world put different filtering restrictions on Facebook — Germany has Facebook filter Nazi messaging, for example — this is the first instance of a government sending chaperones.

The announcement: "I'm delighted by this very innovative experimental approach," Macron said (as quoted by NBC). "It's an experiment, but a very important first step in my view."

The response: “As Mark Zuckerberg has said, with the Internet growing in importance in people's lives we believe that there will be need for regulation. ... We are grateful to the French Government for its leadership on this co-regulatory approach and look forward to working together over the next months," Nick Clegg, Facebook vice president of global affairs, emailed Codebook.

Our thought bubble: It's tough to imagine the French approach — placing government speech watchdogs onsite at social media networks — flying for the U.S. public, given American free speech traditions as well as wide partisan differences over what constitutes hate speech.

3. One year later, zombie WannaCry still dominating ransomware

WannaCry, once the greatest cybersecurity calamity in history, now doesn't work. A website critical to its function is now controlled by civic-minded security researchers, and the fixed deadline to pay the ransom has long passed. Yet WannaCry still accounts for 28% of ransomware attacks — the most of any ransomware family.

The big picture: According to a new study by Kaspersky Lab, the defanged North Korea linked ransomware is still spreading uncontrollably. The spreading mechanism that passed WannaCry from victim to victim that was so virulent in the 2017 attack is still active, even if the ransomware itself isn't.

What they're saying: "This is not an uncommon occurrence, as there are multiple currently defunct worms that are still automatically spreading in the wild and infecting unpatched/unprotected machines," wrote Fedor Sinitsyn, senior malware analyst, via email.

4. Google traffic suspiciously routed through China and Russia

A directional sign of Beijing Airport Terminal 3
Photo: PhotoTalk/Getty

Google apps web traffic was mysteriously routed through Russia and China on Monday, in what some security experts anticipate was an attack on one of the internet's core networking protocols. It could also have been caused by something as simple as a typo in Russia or China. The internet is fragile.

What is clear is that on Monday, something was horribly amiss in the border gateway protocol (BGP).

  • Not all internet and web service providers can talk to each other, and BGP lets various networks coordinate the quickest path from point A to point B.
  • On Monday, through some accident or intentional attack, the internet began to believe that the fastest way to Google was through a server in Russia and a server in China regardless of where the traffic originated from. The China server ceased all the traffic sent its way, making Google Cloud briefly appear to be out.

What is not clear is whether this was an intentional attack. Given the countries involved, it's very possible it was, although due to the way internet traffic is encrypted, China would have needed to let the internet traffic through to Google to do full-throttle surveillance.

  • BGP routing errors can and frequently are caused by simple mistakes. This could be a mistake. It's impossible to definitively say.

5. That streetlight may contain an ICE security camera

Quartz reports that the DEA, ICE and local police offices have contracts to hide security cameras in streetlights.

The bottom line: This shouldn't be a problem for privacy minded people so long as they can avoid light.

6. Odds and ends

  • Smartphone grandpappy BlackBerry is in talks to buy AI-based security company Cylance for as much as $1.5 billion. (Business Insider)
  • CloudFlare is expanding its privacy service to smartphones. (CloudFlare)
  • France will use social media accounts to search for tax evaders. (Reuters)
  • Keurig's new pod machine makes cocktails. (The Verge)
  • A popular WordPress GDPR compliance app accidentally embedded a massive security flaw into a bunch of websites. (CyberScoop)
  • Imperva discovered a Facebook security flaw. (Imperva)
  • Kaspersky Lab opens its first transparency center, aimed to counter fears the firm is involved in Russian spying. (Kaspersky Lab)