Axios Codebook


September 25, 2018

Welcome to Codebook, the cybersecurity newsletter that had to look up what Shein is (see below).


1 big thing: Canada's lonely trust in Huawei

Huawei's booth at February's Mobile World Congress conference. Photo: Guo Qiuda/Xinhua via Getty Images

A Canadian security official assured that country's parliament last week that using Huawei products to build 5G infrastructure doesn't pose an espionage danger because Canada carefully tests the equipment. That baffled several security experts Codebook consulted — and also bucks an international trend of countries, including the U.S., that are shunning Huawei out of fear the Chinese company leaves backdoors in its gear.

The bigger picture: The United States and Australia both have restrictions in place for Huawei products being used by telecoms, with Japan considering a similar move and reports (disputed by Huawei) that India may follow suit.

Why it matters: The United States has a strong interest in the national security of Canada. The two nations are linked through a variety of pacts, including NATO and the Five Eyes arrangement.

  • But the bigger concern in this case will be the type of espionage China is best known for — state-sponsored theft of commercial trade secrets. Even if the theft is from a Canadian business, U.S. companies have to compete with Chinese ones that may be the beneficiaries of spying.

The details: Scott Jones, assistant deputy minister for IT security at Canada's Communications Security Establishment (CSE), which is roughly like the National Security Agency in the U.S., told parliament that Huawei can enter the Canadian market if its equipment passes security testing at "White Lab" facilities.

  • The CSE stressed to Codebook via email that the current regime is what has protected Canadians since 2013.
  • Third-party labs are accredited by CSE, which defines the requirements for equipment to pass testing. CSE then further advises telecoms based on those tests.

What they're saying: "We have a very advanced relationship with our telecommunications providers, something that is different from most other countries, to be honest from what I have seen," Jones said during his testimony.

But, but, but: Security experts generally scoff at systems that might approve components deemed suspect by the international intelligence community, no matter how much testing they go through.

  • "Mind-boggling to say the least," said Bryson Bort, fellow at the National Security Institute and chief executive of Scythe, via email. Any backdoors in the 5G hardware would be hidden and hard to find. "You have to set up the right conditions to even see them," he said.
  • We don't know whether Canada has access to Huawei source code (the CSE would not provide specifics about testing protocols, citing non-disclosure agreements). Even if it does, that might not be enough. "That is expensive, time consuming, and only possibly effective," Bort said.

Go deeper: Just how much damage could backdoored telecom equipment do?

2. Only 6 House candidates spent $1,000 on cybersecurity

The defining moment in the 2016 election was Russia's breach of the Democratic National Committee. Two years later, McClatchy reports that candidates for Congress are knowingly underspending on cybersecurity — with only 6 spending more than $1,000.

The case study: Jay Hulings, who lost in the Texas Democratic primary in March, told McClatchy he started the campaign emphasizing security. As the campaign grew, that focus diminished.

  • Hulings, an ex-prosecutor, said he was keenly aware of the threat.
  • “Raising money is hard, and you have to spend it on signs and staff and TV ads and radio and all the typical campaign things. So I don’t think we spent anything on cybersecurity,” he said.

The potential fallout: Foreign actors likely won't be attacking House candidates to sway House races — the risk and even the fiscal cost are too high for a 1/435 share of the chamber. But that doesn't mean there are no risks. There are still angry constituents, protestors and disruptive apolitical threats like ransomware.

  • Remember: During the 2016 election, Russia dumped documents on House candidates in an apparent attempt to sway swing state presidential votes. Embarrassing a Congressman is still a pathway to embarrassing a national party.

3. White House updates cloud computing strategy

On Monday, the Office of Management and Budget updated the executive branch's cloud strategy for the first time since 2011. The major security change is a move from a standardized rule for using third-party networks (2007's Trusted Internet Connections policy) to a patchwork of agency-specific rules.

Why the change? The "Smart Cloud" strategy notes that the TIC was intended to reduce the number of external connections and restrict as much traffic to the security of internal networks as possible. That made sense with the limited cloud landscape of 2007, but is not as applicable to today's more secure and pervasive cloud.

What they're saying: The report reads: "Since then, the technology landscape has changed dramatically with the proliferation of private-sector cloud offerings, the emergence of software-defined networks, and an increase in the mobile workforce. Improvements to security are now driven by standards and secured connections instead of limited physical connections."

4. Google spars with privacy advocates over privacy feature


Google's latest edition of Chrome made a choice that is either a small step forward in privacy protections or a massive privacy apocalypse, depending on who you ask.

The details: Chrome has always had a neat feature that synchronizes activity across multiple computers. Log in to Chrome on your phone and the passwords you saved on your desktop's Chrome can be used there, too. The latest version now automatically signs users into Chrome whenever they log into a Google website.

  • Google thinks of this as a privacy feature. Users are only logged into Chrome for activities on the Google websites, and it prevents mix-ups when one user logs into Gmail in a browser someone else has signed into.

Some privacy advocates are less than thrilled. Cryptographer Matthew Green argued on Twitter (and then on his blog) that users should have the right to use Google sites without being logged in and that it was inappropriate to make the change without notifying customers.

  • Reacting to Green's response, Google changed its terms of service policy.
  • Green doesn't think that addresses the heart of his objections.

5. Odds and ends