Mar 29, 2018

Axios Codebook

Happy Thursday! Welcome back to Codebook.


1. Justice Department faces uphill battle over encryption


Law enforcement's ongoing battle to access encrypted data on devices is taking a strange turn: The Justice Department is simultaneously poised to push new regulations for encryption while coping with a damaging report on how the FBI botched the DOJ's last regulatory push.

Why it matters: At least one Congressman thinks the report might hinder any new effort to move encryption legislation through the House. It also gives plenty of ammunition to the already vocal critics of that legislation, including tech companies, security researchers and national security experts.

Driving the news: The new report from the DOJ's Office of the Inspector General finds the FBI unwittingly misled Congress about exhausting all options to break into the iPhone of a suspect in the 2015 San Bernardino terrorist shootings.

"None of this changes what we already knew, that the FBI can conduct investigations without backdoors. In fact, this validates it."
— Rep. Will Hurd (R-Texas) told Axios.

The report: Former Director James Comey made the phone the focal point of congressional testimony in 2016 that the FBI was powerless to conduct some investigations without new laws or a court order to allow it access to encrypted data. But the FBI subdivision that ultimately found a private sector solution — the Remote Operations Unit — didn't even know about the iPhone woes until after the squabble between the FBI and Apple went to court.

Meanwhile: Political forces are rallying to make a new push for encryption backdoors.

Read my full story on this in the Axios stream.

2. Palo Alto Networks CEO: Consolidation thwarts innovation


At next month's RSA cybersecurity conference, around 600 cybersecurity vendors will be in the expo halls vying for visitor dollars. By next year, many of them will be out of business; others will be sold.

"I believe there will be a lot of consolidation in the industry and that it's exactly the wrong thing to do," Mark McLaughlin, chair and chief executive of Palo Alto Networks, told Axios.

"No one company can create all the innovation": Cybersecurity isn't like word processing — most companies can't get by with a single vendor or single program to perform all the functions they require. The market is flooded with tools and services primarily designed to do single functions, each of which competes for security staffs' attention.

  • "We hear 'I can't keep consuming more and more technology,'" said McLaughlin. "Or 'I want less vendors.'"
  • But McLaughlin worries single vendors either must be so large that they lack agility or so small that they lack features. "No one company can create all the innovation," he said.

Consolidating platforms, not companies: McLaughlin has a horse in this race. Palo Alto Networks is launching an app store-type model allowing all vendors to operate within the Palo Alto framework.

  • If it succeeds, it will fundamentally change how companies, particularly smaller ones, compete in this space. On the one hand, for better and worse, it narrows the scope of a company's control over its own environment. On the other, companies won't need to lose focus on their strengths to compete. "You should pay attention to what you're good at," he said.

3. Law firm report: What comes after the breach?

A wide-ranging report on incident response by a global top 100 law firm provides a glimpse into what happens after corporate hacks, including more active oversight by regulators.

"The public expects what they see on CSI: Cyber with immediate resolutions to investigations after a breach," said Craig Hoffman, a senior member of BakerHostetler's data security team that edited the report. "That isn't what actually happens."

Why it matters: There are a number of good reports put out by security firms on what threats are common in the world. The BakerHostetler Data Security Incident Response report is a rare look at how corporations deal with those threats once they come to fruition.

The details: The report, released this week, is based on more than 560 breaches of various kinds handled by the firm in 2017.

Private forensic investigators are common: Despite what became a far-right meme during the election, it's incredibly common for companies to hire private forensic firms to do the first steps of an investigation.

  • 65% of network intrusion incidents and 41.5% of data breach incidents used private firms.
  • "Companies can work with law enforcement, but law enforcement mostly prefers it when outside forensic groups do some of the work," said Hoffman.
  • Private forensic firms can help with breach remediation, determine the extent of the breach, and narrow down the scope of the investigation for law enforcement agencies like the FBI.

Regulators are taking a more active role: State attorneys general nearly doubled the number of inquiries into breaches observed by the firm between 2016 and 2017. Inquiries from other regulatory agencies spiked nearly 50%.

The time to investigate is longer than companies imagine: The BakerHostetler statistics show it takes 38 days on average between discovery of a breach and notifying clients. "When people haven’t been through an incident before and see headlines they notify far too quickly," Hoffman said. "When they try to communicate early they get things wrong." Giving people bad information that has to be revised can be worse for clients than taking the time to get things right.

Yes, but: The firm only has data on the companies that seek its help, half of which are firms with more than $100 million in revenue. Smaller clients, and clients with different lawyers, probably respond differently.

4. Well, something happened at Boeing...

Late Wednesday, the Seattle Times reported that the WannaCry malware was running roughshod through the systems at Boeing. But Boeing sent out an ambiguous statement denying the scope of the attack and possibly the cause of the attack, leaving experts parsing words to guess at what happened.

Conflicting reports: The Seattle Times cites a panicky internal memo that the attack was "metastasizing" and required "all hands on deck."

But Boeing released a statement to multiple media outlets: "A number of articles on a malware disruption are overstated and inaccurate. Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue."

  • What do they mean by "malware?" It's unclear how much of the story Boeing is saying is inaccurate. But many took the description of the attack as "malware" rather than "ransomware" as a sign systems were infected with something other than WannaCry.
  • On the other hand: Ransomware is a sub-classification of malware.

Why WannaCry would raise questions:

  • WannaCry is ransomware thought to be developed by North Korea. It was released last year with a firm cutoff date for everyone to pay the ransom. That date has passed.
  • WannaCry caused massive international damage. It's unlikely that a corporation of Boeing’s might didn't update all updatable systems to block new infections. Any antivirus updated over the past year would likely catch it.
  • To prevent researchers from dissecting the malware, WannaCry had an overly convoluted tripwire that would cause it to self-destruct if a specific web address was ever registered. A researcher registered that address during the initial attacks, thwarting new infections.
  • And WannaCry was particularly virulent, spreading over networks and the internet directly from one infected computer to the next. Unless a Rube Goldberg-type series of events happened, involving a computer turned off at exactly the right time last year and not turned on again until Wednesday (when it was connected to a network not connected to the internet), it isn't likely it would be seen in one place but nowhere else.

What might have happened:

  • Boeing was hit with WannaCry and carefully worded the press release. Technically, ransomware is a kind of malware.
  • Boeing was hit with something similar to WannaCry or posing as WannaCry. Maybe this is a case of a faulty first assumption or overgeneralized terminology reaching the media.
  • Boeing was hit with other malware. Maybe the first reports were just plain wrong.

5. Harvard hosts massive election security tabletop training event

170 officials, including three secretaries of state and elections personnel from 38 states and one principality, converged in Cambridge, Mass., this week for a tabletop election security event thrown by Harvard’s Defending Digital Democracy Project.

Why it matters: The 2018 midterms are only half a year away. Harvard has hosted a series of these simulated election crises in the past six months, but this was the first devoted to training officials on how to train their underlings. As one attendee told Axios, it was time to "teach a man to fish."

The details: The simulated election disasters took place the first day of a three-day conference. Beyond carrying the resources, faculty and prestige of Harvard, the Defending Digital Democracy Project also enlists former campaign directors for Hillary Clinton and Mitt Romney.

6. Odds and ends

Codebook will return on Tuesday. James Bond will return in Moonraker.