Welcome to Codebook, the cybersecurity newsletter that is also not the CEO of Starbucks.
Tips? Just reply to the email.
Illustration: Sarah Grillo/Axios
Several private sector companies have independently begun offering free cybersecurity services to elections since the 2016 polls closed. Two firms, Cloudflare and Google-owned Jigsaw, offer free services that block efforts to overwhelm servers with traffic — but rather than butt heads for the prestige of being most altruistic, they are cooperating.
Why it matters: Competition in the tech industry is a natural law. That it's being sidelined in at least one corner of the business is a sign of just how seriously tech leaders are taking the threat to U.S. elections.
"We have a lot of interaction with Google," said Cloudflare head of policy Alissa Starzak. (Jigsaw is a technology incubator at Google devoted to tackling "global security challenges.") "We actually refer clients to each others' services when they'd be a better fit."
Plenty of work to go around: Election security is run by states and localities, not by the federal government. The U.S. encompasses 8,000 districts and more than 100,000 poling locations. As such, there are a ton of systems that need protection.
Synack announced Tuesday it would start accepting signups for a free election security testing service to help states bolster their ability to detect threats.
Why it matters: During the last election, 4 out of 5 states employed fewer than 15 full time cybersecurity staff for elections.
The details: Synack specializes in croudsourcing security tests using a pre-vetted set of hackers — a closed-enrollment variation of the bug bounty program approach.
The background: Anne-Marie Chun, who directs Synack's government services, suggested offering a free service to states in 2016 before the Democratic National Committee hack. Synack decided to pass that year due to concerns there wouldn't be enough interest.
There's enough interest: Synack has been coordinating their offering with a number of different states. So far all but one of the dozen states it contacted have expressed interest. "And that was only because that state didn't have modern enough systems for us to test," said Chun. "They literally drive the votes around in a car."
Private vs. public: Homeland Security offers some security help to states, who may or may not volunteer to take it. But free services like Synack cut dependence on an overworked DHS and allows states that distrust federal election support to seek security from the private sector.
Two-thirds of Americans (67%) worry electronic voting machines might be "hacked or manipulated," according to a new Axios / SurveyMonkey poll. That's about a third more than the 48% who are concerned paper ballots might be manipulated.
Why it matters: Election security is often billed as a partisan issue, with some states taking considerably more action than other. But the poll shows bipartisan concern nationwide.
Be smart: Part of the risk in ignoring voting machine security is that, even when nothing happens, people will succumb to conspiracy theories. In 2016, a certain breed of Democrats chose to believe that the election results were illegitimate rather than believe their side lost. In the 2018 election, both sides are now primed to believe that's an option.
Be even smarter: Hacking an election machine is easy. Hacking an election is harder. And the bigger the election, the harder it is to hack. It's much easier to change votes on a single machine to sway the race for county coroner than entire states' worth of machines to sway a senate race.
The FBI felled two major dark web criminal markets last year during "Operation Bayonet." Typically, after these markets are shuttered, the clients and vendors move to new markets. That didn't happen this time, according to new research from Digital Shadows. In the whack-a-mole game, the mole stayed whacked.
The background: Operation Bayonet did something clever. It seized both the largest market in the world, AlphaBay, and an also-massive competitor named Hansa. But rather than close both at the same time, the FBI staggered its response.
Self-sabotage: Another dark-web market, Olympus, tried to pick up the displaced clientele, but miscalculated when it promoted itself by hacking another site. "This was deemed to be against the criminal spirit," Digital Shadows analyst Michael Marriott told Axios, and the users stayed away.
Hackers move to forums: Hackers offering stolen information, malware and other services moved to hacker forums and Telegram channels to sell their wares.
Drugs harder to come by: While by no means gone from the internet, online illegal drug sales appear to have decentralized and decreased.
The bottom line: "What we’ve traditionally seen over the past 10 years was when one market went down, another market would bubble up. This time no market bubbled up," said Marriott.
Much of the conversation around Microsoft's purchase of computer code repository GitHub revolves around the potential culture clash — a corporate giant buying the keys to a scrappy open source community. But there are some potential consequences in security worth taking a gander at, too.
Why it matters: GitHub is so big in the coding world that no nation with a software industry could ever block it. Some freedom fighters have weaponized that indispensability.
Microsoft wouldn't comment on what happens to material hosted on GitHub if a government asked it to filter certain content from its country. Microsoft is more powerful than Github on the world stage, but an oppressive government also has a lot more levers it can pull to influence a corporation of Microsoft's size.
The public records site Government Attic received around 140 historical posters from a Freedom of Information Act request directed at the National Security Agency. Our favorites from this goofy slice of covert Americana are below.
A key reason the Trump administration has offered for bolstering coal in the U.S. energy portfolio is that keeping coal plants in service would safeguard the country from cyber attacks. Critical infrastructure security experts don't buy it.
What they're saying: "Claiming we should protect coal because of 'cyber' is like claiming we should wear body vests in case of snake bites...The cyber component to this debate though is a distraction," tweeted Robert M. Lee, founder of the critical infrastructure cybersecurity firm Dragos.
Codebook will return Thursday.