November 08, 2018
Welcome to Codebook, coming to you live from the Aspen Cyber Summit in San Francisco.
If you have a tip or story idea for the newsletter, just hit reply. And tell your friends to sign up here.
1 big thing: Sessions' exit likely won't end DOJ cyber strategy
Under Attorney General Jeff Sessions, the Department of Justice took a harder line against cyber espionage, particularly by China, than it ever had before. But experts say the offensive against China's theft of billions of dollars in intellectual property is likely to continue under Matt Whitaker, the new acting attorney general.
The big picture: Press coverage is spotlighting the impact Sessions' departure may have on the Mueller investigation. But the DOJ is a big machine with many moving parts, and a change at the top could affect any or all of them.
Background: On Oct. 30, the U.S. announced the indictments of 10 Chinese spies and collaborators for hacking aerospace firms to steal intellectual property for the benefit of Chinese industry. On Nov. 1, the U.S. indicted three more Chinese citizens and two companies for similar charges related to computer chips.
- These were the third and fourth sets of indictments since September against China's IP theft rings.
- The aggressiveness extended to other countries, too. The U.S. filed its first-ever charges against a North Korean agent in September for his role in the Sony Pictures hack and the WannaCry malware outbreak.
Where it stands: The aggressive policy is likely to continue under new DOJ leadership.
The cause and effect: Part of why Sessions was the first attorney general to go on a cyber espionage indictment spree was simple chronology.
- The Obama administration indicted members of the Chinese army for economic espionage in 2015 around the time Presidents Obama and Xi reached an agreement for China to stop stealing intellectual property via hacking.
- That worked, briefly, meaning the Obama administration didn't have to go all in on a DOJ strategy. But when Trump took office, China cranked up the hacking again. That's when Sessions' department went full bore.
- "This is a multiyear process. It was the logical flow from the 2015 indictments," said John Carlin, former assistant attorney general for the National Security Division and current partner at Morrison & Foerster.
The leadership structure: The head of the DOJ doesn't unilaterally set department policy — priorities ultimately flow from the White House.
- The China strategy appears to be part of a coordinated effort across the executive branch. The DOJ released indictments on Tuesday and Thursday last week; on Monday of that week, the Department of Commerce released sanctions against China related to IP theft.
- "From the outside, it didn’t appear that AG Sessions was the driving force behind DOJ’s more aggressive stance on cybersecurity-related issues," Michael Daniel, former White House cybersecurity coordinator under Obama and current president and CEO of the Cyber Threat Alliance, wrote in an email.
2. What an unhacked election means for election security
No one appears to have hacked the 2018 midterm elections. That's pretty good!
Yes, but: Concern over what happened in 2016 fueled much of the legislative momentum to increase election security. After a successful election, some of that impetus could vanish.
What they're saying: "It was clear that the stepped-up effort and heightened awareness around election security helped in the midterm elections," said Jay Kaplan, co-founder and CEO of Synack, a security firm that pledged more than $1 million to a pro bono election security service for states.
- "A united, proactive effort on election security can defend our democracy from our adversaries, but we absolutely cannot get complacent," he said.
The bottom line: States still lack adequate funding to purchase less hackable equipment, including machines with auditable paper backups and other security enhancements. Not all states that can audit machine accuracy actually do so, even though such audits catch both hacking and bugs. And while the bevy of companies volunteering services, like Synack, is helpful, the effort lacks coordination.
The outlook: Many states are still gung-ho about improving security.
- "This doesn’t change our attention to election security concerns," said a representative from the Colorado secretary of state's office. "This is a race without a finish line because the nature of threats is continually evolving and requires vigilance."
But it will take until January to see whether the new Congress has matching enthusiasm.
And the midterm elections aren't over. There are still recounts and runoff elections aplenty before this election is totally out of the woods.
3. Georgia posted absentee voter records online for years
Election watchers on Twitter took note Wednesday that the Georgia secretary of state's office posted the roster of citizens who filed absentee ballots in the election to its website with no additional security. What many didn't immediately notice is that this had been Georgia's practice for years.
Why it matters: Many states offer voter records to interested parties. But usually there are rules, forms and fees involved in the process to prevent, say, scammers or stalkers from accessing those lists.
The bottom line: What Georgia did was legal, but anecdotally it still appears to have exceeded what voters thought was going to happen with their data when they submitted it to the state. Those fears were amplified by a contentious governor's election, in which one candidate was the secretary who ostensibly oversaw the public release of the database. Secretary of State Brian Kemp resigned his role Thursday morning amid accusations of conflicts of interest.
4. Cyber Command joins VirusTotal malware sharing service
U.S. Cyber Command uploaded its first malware sample to a widely used malware research community Wednesday, kicking off a new initiative to share nation-state-borne malware with researchers.
Details: VirusTotal, which is owned by Google parent company Alphabet, is sort of a clearinghouse for malware samples. It collects new strains through researcher uploads and a public-facing malware scanner.
Cyber Command's first upload was a derivative of the LoJax malware, widely believed to have been developed by Russia's Fancy Bear espionage group.
5. Odds and ends
- Dutch police decrypted thousands of encrypted messages sent by what criminals thought were secure cellphones. The encryption algorithm worked fine, but was poorly implemented on the phone. (Dutch police)
- Facebook Messenger is getting an unsend feature. (The Verge)
- One in three discussions of Wikipedia articles is trapped in unending argument. (Motherboard)
- DerpTroll pleads guilty to denial-of-service attacks against Sony and other gaming systems. (Department of Justice)
- Synack launched a veteran-centric bug bounty recruitment program. (Synack)