Happy Thursday! Welcome back to Codebook.
As always, please send tips, suggestions to this email address. Tell your friends to sign up here.
Illustration: Lazaro Gamio/Axios
Law enforcement's ongoing battle to access encrypted data on devices is taking a strange turn: The Justice Department is simultaneously poised to push new regulations for encryption while coping with a damaging report on how the FBI botched the DOJ's last regulatory push.
Why it matters: At least one Congressman thinks the report might hinder any new effort to move encryption legislation through the House. It also gives plenty of ammunition to the already vocal critics of that legislation, including tech companies, security researchers and national security experts.
Driving the news: The new report from the DOJ's Office of the Inspector General finds the FBI unwittingly misled Congress about exhausting all options to break into the iPhone of a suspect in the 2015 San Bernardino terrorist shootings.
"None of this changes what we already knew, that the FBI can conduct investigations without backdoors. In fact, this validates it," Rep. Will Hurd (R-Texas) told Axios.
The report: Former Director James Comey made the phone the focal point of congressional testimony in 2016 that the FBI was powerless to conduct some investigations without new laws or a court order to allow it access to encrypted data. But the FBI subdivision that ultimately found a private sector solution — the Remote Operations Unit — didn't even know about the iPhone woes until after the squabble between the FBI and Apple went to court.
Meanwhile: Political forces are rallying to make a new push for encryption backdoors.
Illustration: Axios Visuals
At next month's RSA cybersecurity conference, around 600 cybersecurity vendors will be in the expo halls vying for visitor dollars. By next year, many of them will be out of business; others will be sold.
"I believe there will be a lot of consolidation in the industry and that it's exactly the wrong thing to do," Mark McLaughlin, chair and chief executive of Palo Alto Networks, told Axios.
"No one company can create all the innovation": Cybersecurity isn't like word processing — most companies can't get by with a single vendor or single program to perform all the functions it requires. The market is flooded with tools and services primarily designed to do single functions, each of which competes for security staffs' attention.
Consolidating platforms, not companies: McLaughlin has a horse in this race. Palo Alto Networks is launching an app store-type model allowing all vendors to operate within the Palo Alto framework.
A wide-ranging report on incident response by a global top 100 law firm provides a glimpse into what happens after corporate hacks, including more active oversight by regulators.
"The public expects what they see on CSI: Cyber with immediate resolutions to investigations after a breach," said Craig Hoffman, a senior member of BakerHostetler's data security team that edited the report. "That isn't what actually happens."
Why it matters: There are a number of good reports put out by security firms on what threats are common in the world. The BakerHostetler Data Security Incident Response report is a rare look at how corporations deal with those threats once they come to fruition.
The details: The report, released this week, is based on more than 560 breaches of various kinds handled by the firm in 2017.
Private forensic investigators are common: Despite what became a far right meme during the election, it's incredibly common for companies to hire private forensic firms to do the first steps of an investigation.
Regulators are taking a more active role: State attorneys general nearly doubled the number of inquiries into breaches observed by the firm between 2016 and 2017. Inquiries from other regulatory agencies spiked nearly 50%.
The time to investigate is longer than companies imagine: The BakerHostetler statistics show it takes 38 days on average between discovery of a breach and notifying clients. "When people haven’t been through an incident before and see headlines they notify far too quickly," Hoffman said. "When they try to communicate early they get things wrong." Giving people bad information that has to be revised can be worse for clients than taking the time to get things right.
Yes, but: The firm only has data on the companies that seek its help — half of which are firms with more than $100 million revenue. Smaller clients, and clients with different lawyers, probably respond differently.
Late Wednesday, the Seattle Times reported that the WannaCry malware was running roughshod through the systems at Boeing. But Boeing sent out an ambiguous statement denying the scope of the attack and possibly the cause of the attack, leaving experts parsing words to guess at what happened.
Conflicting reports: The Seattle Times cites a panicky internal memo that the attack was "metastasizing" and required "all hands on deck."
But Boeing released a statement to multiple media outlets: "A number of articles on a malware disruption are overstated and inaccurate. Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue."
Why WannaCry would raise questions:
What might have happened:
170 officials, including three secretaries of state and elections personnel from 38 states and one principality, converged in Cambridge, Mass., this week for a tabletop election security event thrown by Harvard’s Defending Digital Democracy Project.
Why it matters: 2018 midterms are only half a year away. Harvard has hosted a series of these simulated election crises in the past six months, but this was the first devoted to training officials on how to train their underlings. As one attendee told Axios, it was time to "teach a man to fish."
The details: The simulated election disasters took place on the first day of a three-day conference. Beyond carrying the resources, faculty and prestige of Harvard, the Defending Digital Democracy Project also enlists former campaign directors for Hillary Clinton and Mitt Romney.
Codebook will return on Tuesday. James Bond will return in Moonraker.