Welcome to the first issue of Codebook! Tell all your friends to sign up here. Also tell some people who are not your friends.
Reply to this email to reach me with tips, comments and suggestions. You can also reach me on Twitter @joeuchill.
Codebook, we hope, will be a place to discuss cybersecurity, policy and science without trying to scare or shame you. The market is already crowded with people who will try to frighten you into clicks or condescend you into better security practices. But after 30 years of trying that without security getting much better, maybe it's time to try something different.
Illustration: Sarah Grillo / Axios
It’s no secret that the internet is a fertile recruiting ground for extremists of all types. But a five-month effort trying to combat extremism shows promise in getting would-be white nationalist and ISIS sympathizers to click away from radical content.
Why it matters: The internet is a major recruitment and organizational tool for extremist groups. Rather than count on websites to police themselves, Moonshot aims to temper extremists' ability to find that content. Based on Moonshot's numbers, there's reason to hope that someone can head would-be extremists off at the pass or even direct them to help, including mental health programs, an option they tested.
The effect: Moonshot’s redirecting strategy worked on 1,300 people out of 56,000 attempts. That's a fairly strong outcome — 20% more effective than the average ad on Google search.
The mental health option: Moonshot also experimented with offering ads for mental health services to those searching for extremist content. It appears to be a viable option. Their targets were 48% more likely to click on an add for psychiatric support than a control group. Those searching for the most violent content clicked on the ad 115% more often.
The big picture: Redirecting a person once does not inherently mean they will be dissuaded from seeking extremist material again. However, many former extremists say that mental health and social work were critical to leave violent movements. But while Moonshot is still tinkering with the content on the other end of their ads, it all means nothing if the ads don't work — which they appear to.
Photo illustration: Axios Visuals
Election security is sucking up all the oxygen in policy conversations these days. As a result, the first secretary of the Department of Homeland Security worries Congress is letting other aspects of cybersecurity slip through the cracks.
“We should be as obsessed with cybersecurity as we are with elections,” said former Secretary Tom Ridge, also a former Pennsylvania Governor and a recent add to the board of alliantgroup, which helps find tax rebates for cybersecurity firms.
Economic security: “No one thinks democracy is as important as Tom Ridge,” he told me, “but our economic security is at stake.“
Homeland has no real home: Jurisdictional problems make legislation even more difficult, said Ridge. Despite having a committee called the Homeland Security Committee, every committee maintains an interest in the security of whatever it is it discusses. “Government wasn’t designed to regulate security,” he said. “I spent more time on The Hill talking to committees than Donald Rumsfeld, and the DOD had two wars going on.”
A Monday Intercept piece about an ICE investigation involving Facebook spawned spate of headlines like "ICE accused of using Facebook to track undocumented immigrants." The Intercept piece doesn't actually show that.
The background: The Intercept found emails and evidence in a public records request that ICE agents had used data from Facebook to track a suspect. The story would later be updated with a statement from Facebook that it had responded to a lawful government request for information on a man being investigated as a active child predator.
Active child predators and undocumented immigrants are not the same thing: A correction to the story reads "The documents reported on in the story do not establish that the target of the investigation was an immigrant or that the individual was being pursued for immigration violations."
One more drip in Facebook's water torture: Facebook is drowning in data privacy scandals, including whether it should have done more to prevent Cambridge Analytica from fraudulently acquiring user data.
Courtesy of Agari
You probably take for granted that this email, sent from an Axios email address, came from Axios (it did!). For lay users, it's difficult to tell if an email is authentic. A new email security standard being rolled out today aims to address that.
Email security firm Agari announced a new email security standard that'll make it easier for users to tell which emails came from authentic sources. Comcast, Google, Microsoft and Yahoo worked on the standard, and a pilot test will run on Yahoo's platform.
Why it matters: Email wasn’t designed with security in mind. When an email says it is from your bank, the email standard doesn’t do anything to authenticate whether the email actually came from the bank or from someone pretending to be the bank.
The old way to prevent fraudulent email: There is an add-on standard that many service providers use, known as DMARC, that double checks with the sender’s email server that an email is authentic. Many organizations, including governments and major corporations, don’t use DMARC, although adoption is growing. That might be little comfort to users, most of whom do not how to tell if that system was in effect.
Enter BIMI: The new standard, Brand Indicators for Message Identification (or BIMI) places a visual cue — a company logo — over an email. Not only will it help people know when an email has been authenticated, but it will “absolutely boost adoption,” said Agari co-founder Patrick Peterson.
Editor's note: An earlier version of this story incorrectly said Google, Microsoft and Comcast were involved in the trial when they were only involved in the standard.
Matt Masterson, the most recent chairman of the Election Assistance Commission (EAC), has been added as an election cybersecurity advisor to the Department of Homeland Security’s National Protection and Programs Directorate. Congress and the Trump administration recently decided not to take Masterson on for another term at EAC.
Why it matters: Masterson is a well-liked figure in election security circles, known for conducting thorough outreach with the states on cybersecurity and for listening to cybersecurity experts after years of them being viewed as a nuisance. Just hiring the man — even before he does any actual work — is a useful signal to those communities.
Thanks for reading. Remember, if you keep this email in good condition, one day it will be a collectors item. Our next issue will be on Thursday. See you then!