Welcome to Codebook, the cybersecurity newsletter that had to look up what Shein is (see below).
A Canadian security official assured that country's parliament last week that using Huawei products to build 5G infrastructure doesn't pose an espionage danger because Canada carefully tests the equipment. That baffled several security experts Codebook consulted — and also bucks an international trend of countries, including the U.S., that are shunning Huawei out of fear the Chinese company leaves backdoors in its gear.
The bigger picture: The United States and Australia both have restrictions in place for Huawei products being used by telecoms, with Japan considering a similar move and reports (disputed by Huawei) that India may follow suit.
Why it matters: The United States has a strong interest in the national security of Canada. The two nations are linked through a variety of pacts, including NATO and the Five Eyes arrangement.
The details: Scott Jones, assistant deputy minister for IT security at Canada's Communications Security Establishment (CSE), which is roughly like the National Security Agency in the U.S., told parliament that Huawei can enter the Canadian market if its equipment passes security testing at "White Lab" facilities.
What they're saying: "We have a very advanced relationship with our telecommunications providers, something that is different from most other countries, to be honest from what I have seen," Jones said during his testimony.
But, but, but: Security experts generally scoff at systems that might approve components deemed suspect by the international intelligence community, no matter how much testing they go through.
Go deeper: Just how much damage could backdoored telecom equipment do?
The defining moment in the 2016 election was Russia's breach of the Democratic National Committee. Two years later, McClatchy reports that candidates for Congress are knowingly underspending on cybersecurity — with only 6 spending more than $1,000.
The case study: Jay Hulings, who lost in the Texas Democratic primary in March, told McClatchy he started the campaign emphasizing security. As the campaign grew, that focus diminished.
The potential fallout: Foreign actors likely won't be attacking House candidates to sway House races — the risk and even the fiscal cost are too high for a 1/435 share of the chamber. But that doesn't mean there are no risks. There are still angry constituents, protestors and disruptive apolitical threats like ransomware.
The Office of Management and Budget updated the executive branch's cloud strategy for the first time since 2011 on Monday. The major security change is a move from a standardized rule for using third-party networks (2007's Trusted Internet Connections policy) to a patchwork of agency-specific rules.
Why the change? The "Smart Cloud" strategy notes that the TIC was intended to reduce the number of external connections and restrict as much traffic to the security of internal networks as possible. That made sense with the limited cloud landscape of 2007, but is not as applicable to today's more secure and pervasive cloud.
What they're saying: The report reads: "Since then, the technology landscape has changed dramatically with the proliferation of private-sector cloud offerings, the emergence of software-defined networks, and an increase in the mobile workforce. Improvements to security are now driven by standards and secured connections instead of limited physical connections."
Google's latest edition of Chrome made a choice that is either a small step forward in privacy protections or a massive privacy apocalypse, depending on who you ask.
The details: Chrome has always had a neat feature that synchronizes activity across multiple computers. Log in to Chrome on your phone and the passwords you saved on your desktop's Chrome can be used there, too. The latest version now automatically signs users into Chrome whenever they log into a Google website.
Some privacy advocates are less than thrilled. Cryptographer Matthew Green argued on Twitter (and then on his blog) that users should have the right to use Google sites without being logged in and that it was inappropriate to make the change without notifying customers.