Welcome to Axios Codebook, the newsletter no one would let me call "Axios Haxios" because "childlike whimsy" is apparently not a business model.
As always, feed me tips, suggestions and other ideas by replying to this email.
The thumbs up sculpture "Really Good" by British artist David Shrigley. Photo: Daniel Leal-Olivas/AFP via Getty Images.
Organizations are closing the skills and preparedness gap between hackers and themselves, improving a picture that's all too often painted as grim.
That means we — at least those of us in the Western Hemisphere — are getting pretty good at cybersecurity, according to the latest numbers from one of the largest cybersecurity firms.
“It’s strange to hear, but things are actually getting better,” said Charles Carmakal, vice president at Mandiant, which released its yearly report yesterday.
The big picture: In a report that contains plenty of potentially alarming material, including multiple sections on the growing Iranian threat, Carmakal said the most important statistics are those on who first noticed data breaches and how they did it.
For all the high-profile coverage of massive, often careless breaches, there’s reason to think defenders are outpacing attackers.
Why it matters: Who notices hackers makes a big difference in how fast the hackers get caught. Internal detection is much faster, so hackers are in systems for less time than they used to be. In the U.S., it’s a threefold difference.
A new study from Digital Shadows mapping the internet’s probably-should-be-secured files found that only 7% of those files were from leaky Amazon cloud buckets — the cloud storage system that is frequently misconfigured, allowing anyone password-free access.
The rest of the unsecured files are found via a variety of other protocols, including FTP (a file transfer protocol so primitive, its acronym stands for "file transfer protocol"), the network protocol SMB and a host of backup service systems.
The details: Michael Marriott, who worked on the Digital Shadows report released this morning, says that while some of the protocols are old, many of the documents are new. And those documents — the firm found a total of 1.5 billion, clocking in at 12,000 terabytes of data — contained plenty of sensitive content.
Go deeper: Marriott warns that, much of the time, the problem is "a supply chain issue" — a company's files getting exposed by subcontractors.
Senate Judiciary Committee staffers are in discussions with technology companies over mandating some form of law enforcement access to all encrypted data, per Chris Bing at Cyberscoop.
Negotiators from the offices of chairman Chuck Grassley (R-Iowa) and ranking member Dianne Feinstein (D-Calif.), along with representatives of the Justice Department, are handling the talks in secret. They're even keeping the details from many on the committee, who claimed to have only heard about the efforts recently.
Why it matters: The long-fought encryption debate has different faces. On one level, it pits the public interest in giving police access to evidence for truly horrific crimes against the likelihood that, from time to time, every computer system in the world will be left wildly unprotected from hackers, malware and spies.
On another, it is an argument over whether the U.S. wants to take a step that will encourage oppressive regimes to pass similar laws, which will undoubtedly be used to crush dissent.
What happens when there’s no answer palatable to everyone? “[This debate] is just going to keep happening,” Rep. Will Hurd (R-Texas) told Codebook last week.
Facebook has raised its worst-case estimate of the number of people it says may have been impacted by the Cambridge Analytica scandal from 50 million in earlier reports to 87 million, and will begin telling individual users whether their information may have been improperly shared.
Facebook is also updating its policies to restrict third-party data access.
From a Wednesday conference call with CEO Mark Zuckerberg:
The number of records stolen in breaches globally dropped by more than a billion last year, from 4 billion in 2016 to 2.9 billion in 2017, according to new information from IBM. That's a first: never before has there been a year-over-year decline in this statistic, which is one yardstick for how many times individuals had their data stolen.
Yes, but: IBM is also pretty sure this has less to do with hackers developing scruples than with the rise of more lucrative forms of cybercrime, like ransomware and cryptocurrency mining.
The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House. Of the 26 domains, 18 are not in compliance with a Department of Homeland Security directive to implement that protocol.
Why it matters: Imagine the havoc someone could cause sending misinformation from a presidential aide's account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.
The technical details: Email was not originally designed with security in mind. Any person can send any message with any email address listed as the sender. The security protocol DMARC allows an email provider to request that another server verify that an email was sent from the claimed sender.
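What a domain-by-domain DMARC check looks like in practice, as an added example (not code from Global Cyber Alliance or Axios): a domain's policy is a TXT record published at `_dmarc.<domain>`, and the sketch below parses such records and sorts them by how strictly they tell receivers to treat unauthenticated mail. The domains and records are constructed, and the posture labels, including counting only `p=reject` at 100% as "enforced", are assumptions of this example, since the page does not state the test criteria.

```python
from collections import Counter

# Constructed TXT values as they would be published at _dmarc.<domain>.
# The domains are placeholders, not domains from the report.
SAMPLE_RECORDS = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50",
    "typo.example": "v=DMARC1; p=rejct",
    "spf-only.example": "v=spf1 -all",
    "missing.example": None,
}

def parse_dmarc(txt):
    """Return a tag dict for a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a record to a posture label (labels are this example's own)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: with a usable rua, receivers fall back to p=none.
        has_rua = tags.get("rua", "").lower().startswith("mailto:")
        return "monitor-only" if has_rua else "invalid"
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"  # simplification: a bad pct fails the whole record
    if policy == "none":
        return "monitor-only"
    return "enforced" if policy == "reject" and int(pct) == 100 else "partial"

def audit(records):
    """Count how many domains fall under each posture label."""
    return Counter(classify(txt) for txt in records.values())
```

A record that exists but sets `p=none` only requests reports; receivers still deliver spoofed mail, which is why an audit separates "has a record" from "enforced".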
Go deeper: Read the full story at Axios.com.
Codebook will be back on Tuesday.