A master lock with ones and zeroes instead of the regular numbers.

Good afternoon, and welcome to the latest edition of Codebook.

This week — with the dizzying number of recent espionage-related indictments, official disclosures on foreign cyber espionage, and now the closure of China's Houston Consulate — we're thinking about a quote attributed to James Jesus Angleton, the CIA's legendary longtime former director of counterintelligence:

  • "Deception is a state of mind, and the mind of the state."

Today's newsletter is 1,729 words, a 6.5-minute read.

1 big thing: Why the U.S. needs better cyber deterrence

A computer repelling a cyber attack and splintering it into pieces
Illustration: Lazaro Gamio/Axios

The U.S. lacks a well-formulated policy of cyber deterrence, one that ensures adversarial states will anticipate the consequences of their own cyber operations and online influence campaigns against the U.S., according to a U.S. senator who is a prominent voice in the cybersecurity field.

Why it matters: With elections looming in November, hacks afflicting Twitter and other services, and misinformation rampant on social media platforms, the U.S. remains a vulnerable target for state-backed cyber operations.

  • A clear, enunciated policy of cyber deterrence could help mitigate future attempts at covert electoral interference in U.S. politics as well as serious disruptive cyberattacks.

What he's saying: Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee and co-chair of the bipartisan Cyberspace Solarium Commission — a high-level expert group focused on U.S. cybersecurity and defense — spoke to Codebook in a recent telephone interview about this need.

  • “I probably have sat through .... 25 hearings over the last 7½ years on both Intelligence and Armed Services where it’s been made crystal clear that we don’t have a policy that causes our adversaries to calculate the risk of their actions,” says King. “We are a cheap date.”

The big picture: King points to Russia’s 2016 “active measures” campaign during the U.S. presidential election as the moment that crystallized the need for a better cyber-deterrence strategy.

  • Russia was deeply involved “in our election in 2016, which is a major part of what our democratic process is all about, and essentially paid no price,” notes King. “Some sanctions by Obama, but they essentially paid no price. So why shouldn’t they do it again?"

Some “rules for the road” are necessary, says King, in making clear how the U.S. will respond to certain sorts of cyber activities, so foreign states will understand the consequences of their activities. Otherwise, covert actions in cyberspace could lead to escalating retaliatory conflict — or even a hot war.

  • “I understand the dangers,” says King. “We spent a lot of time on this [at the Solarium Commission], the dangers of escalation. I want them in the Politburo when they’re discussing coming after our, I don’t know, water system in New York, saying, if we do this, something bad might happen to us, and we better think twice.”

How it works: It’s a balance, says King, between crafting policies that deter foreign cyber operations while also making clear to those adversaries exactly what the U.S. will do in response to such activities, which will preclude misunderstanding that could spiral out to conflict.

  • “The other side has to know what your intentions are — you have to have both the capacity and the will,” says King. “So it’s a big part of this, and that’s a part we can't really legislate. This is really a presidential responsibility to articulate a doctrine on cyber deterrence.”
  • Congress has a role to play as well, says King — publicly, with reports like those put out by the Solarium Commission, but also via closed-door meetings with top intelligence officials.
  • Roughly once a month, Senate Intelligence Committee members meet with the heads of the CIA, NSA, DNI and other senior intelligence community officials for informal roundtables, says King.

What's next: Fundamentally, according to King, deterring electoral interference by Russia or anyone else will require wider actions outside the cyber domain: primarily, public disclosure of Russian activities as part of a larger educational campaign.

  • “What if the intelligence community learns in September that Russians are penetrating the electoral system in 14 states, or even harder, they are penetrating the servers of the campaign apparatus of one of the major candidates?” asks King. “What is the responsibility of the intelligence community to disclose that information to the public?"

The bottom line: Under such a scenario, says King, the greatest deterrent to Russian “active measures” will be a more informed citizenry — which will require more transparency from America’s own intelligence agencies about just what they know Russia is doing.

2. Reading the Justice Department's new indictment of Chinese hackers

On Tuesday, the Department of Justice unsealed an indictment charging two individuals with working as hackers for the Ministry of State Security, China’s main civilian intelligence agency.

  • The campaign dates back to 2009 and targeted defense contractors, tech companies, dissidents —and, more recently, institutions involved in COVID-19 research.

What's happening: The hackers stole terabytes of data and “hundreds of millions of dollars’ worth” of intellectual property and trade secrets, says the indictment.

  • Prosecutors say the hackers worked for the MSS as contractors, both freelancing for their own economic gain — in one case trying to extract a ransom payment from a victim company whose intellectual property the hackers had pilfered — as well as responding to specific tasking from MSS officials.
  • In one case, MSS officials provided the two contractors with a “zero day” exploit — that is, a previously unknown vulnerability — to hack into the network of Burmese human rights groups.
  • The campaign was truly global in scope, with victim companies in “the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom,” among other countries, say prosecutors.
  • According to the indictment, the hackers breached a breathtaking number of targets across many sectors, including a Department of Energy facility in Washington State; gaming companies in Europe; a Japanese medical device maker; an Australian defense firm; a U.S. educational company, where the hackers stole personally identifiable data from “millions” of students and teachers; and many other private companies.

Our thought bubble: Though the indictment provides a fascinating glimpse into the tactics, techniques and procedures of hackers affiliated with Chinese intelligence, it is unlikely to have much of a deterrent effect.

  • After all, the hackers’ targets fall squarely within the established parameters of nation-state spying — especially China’s focus on economic espionage. China’s spies won’t simply stop spying because a few contractors got busted.

But the indictment could potentially throw a wrench into China’s activities by revealing just how much the U.S. knows about them.

  • The indictment discloses, for instance, the name of an MSS facility in China that operated under a false name — and includes actual pictures of the building.
  • How did the U.S. learn about the facility? Who took the pictures? How long have U.S. intelligence personnel been sitting on this information? What other MSS facilities may the U.S. know about?
  • These are the types of questions China’s spies may be asking themselves, in various degrees of frenzy.

Between the lines: This type of disruptive, offensive counterintelligence campaign may be precisely what U.S. officials had planned by disclosing these facts in an indictment that will likely never go to trial.

3. Russia is spying on COVID-19 research, Western officials charge

Russian state hackers are trying to steal COVID-19 research, British, American, and Canadian security officials announced last week.

Catch up fast: The responsible group, known as APT 29, Cozy Bear or the Dukes, is a formidable and well-known unit of Russia’s SVR intelligence service, the successor organization to the KGB’s First Chief Directorate — the Soviet Union’s elite foreign intelligence agency.

Details: Employing “custom malware,” APT 29 has “targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” say the three Western intelligence agencies.

  • Generally, the SVR and APT 29, in contrast to their aggressive colleagues (and sometimes rivals) in the GRU, Russia’s military intelligence agency, are known for conducting more traditional nation-state espionage — that is, spying for the sake of intelligence gathering, and not necessarily for disruptive purposes.
  • APT 29 “uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” says the bulletin. The group is considered highly capable and sophisticated by Western intelligence agencies and threat researchers.

Yes, but: That doesn’t mean the group won’t operationalize its activities for disruptive purposes.

  • APT 29 was one of two Russian hacking groups — along with the GRU’s APT 28, also known as Fancy Bear — that infiltrated the DNC in 2016 as part of Russia’s “active measures” campaign to influence that year’s U.S. presidential election.

The intrigue: Though the alert by Western intelligence agencies about Russian spying is unnerving, it is also, fundamentally, an example of business-as-usual cyber espionage.

  • Many states, from U.S. adversaries like China and Russia to U.S. allies like France and Israel, engage in economic espionage. And right now, there is nothing more valuable in the world than medical data related to COVID-19 vaccines or treatments.

Our thought bubble: It would be far more surprising if states were not seeking to spy on potential COVID-19 breakthroughs being developed in foreign countries.

4. Twitter hacked by cyber criminals in cryptocurrency scam

Illustration of the twitter bird logo as an open padlock
Illustration: Sarah Grillo/Axios

In a major security breach last week, cybercriminals hijacked the Twitter accounts of major public figures including Joe Biden, Elon Musk and Barack Obama as part of a Bitcoin scam that netted the hackers roughly $180,000.

  • The breach sent Twitter scrambling to eject the invaders, which led to service disruptions for many users.

Driving the news: The breach may have been aided by someone inside Twitter who assisted the hackers — the dictionary definition of an “insider threat” case.

How it worked: The hackers may have tricked Twitter employees into somehow granting them access to an employee Slack page.

  • From Slack, it appears that the hackers accessed the credentials that subsequently allowed them to take over individual user accounts, according to the New York Times.
  • The group of hackers that breached Twitter were initially focused on taking over and selling specialized dormant “handles,” or usernames, that are highly sought after in some circles because of their short length, and only after selling some of these handles did one of them turn to seizing the high-profile accounts, per the Times.
  • The Twitter breach, which immediately roiled cybersecurity circles, “was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother,” says the Times.

Our thought bubble: What was shocking about the Twitter breach was not what the hackers did with these accounts but how easily they compromised a social media giant.

  • If a relatively unsophisticated group was behind this massive disruption, what might stop a far more sophisticated state actor from doing the same thing, for more nefarious purposes?
  • Broad, long-term covert online influence operations — like Russia’s 2016 campaign — are more insidious than easily detected hacks into individual social media accounts. But the latter could still create chaos at key moments, like on Election Day.

5. Odds and ends