Dec 6, 2018

Axios Codebook

Welcome to Codebook, Axios' cybersecurity newsletter and trust fall liability.

If you've got tips or story ideas, I'd love to see them. Just reply to this email.

1 big thing: Experts say China could retaliate for Huawei arrest

A Huawei store in Shenyang, Liaoning Province of China. Photo: VCG/VCG via Getty Images

The arrest and pending extradition of Huawei chief financial officer Meng Wanzhou for violating Iran sanctions may have quick, dramatic impacts in international politics and global technology sales.

Why it matters: The beleaguered Chinese electronics and telecommunications equipment firm is now facing geopolitical crises on two fronts: British telecom giant BT just barred use of Huawei products in its 5G network. The arrest of Meng, the CFO and daughter of the company's founder, is a blow to the company on top of an already bad situation.

We may have cornered a wounded corporation. "Huawei is one of the Chinese government's pet companies," said James Lewis, director of technology policy at the CSIS think tank and a former Commerce Department official who worked on Chinese high tech policy. "They will retaliate and China will take hostages.

"If I was an American tech executive, I wouldn't travel to China this week," Lewis added.

Background: Meng was arrested in Canada and will be extradited to the United States. China has demanded her release.

  • The U.S. has investigated Huawei for export violations since 2016.
  • Huawei denies all charges. In a statement, it wrote, "The company has been provided very little information regarding the charges and is not aware of any wrongdoing by Ms. Meng. The company believes the Canadian and U.S. legal systems will ultimately reach a just conclusion."

The intrigue: The South China Morning Post reported Meng sent a memo to employees saying there were some situations — "yellow lines" as opposed to "red" ones — in which it would be OK to violate sanctions laws.

The charges echo similar charges against ZTE. Both Chinese companies manufacture tech equipment. ZTE has twice admitted to sending equipment to Iran and North Korea, ultimately settling for a $1 billion fine and organizational changes.

Huawei, like ZTE, is often accused by U.S. lawmakers of sabotaging its products to allow Chinese surveillance. Those allegations have led many nations, including the U.S., to bar the firms' equipment from use in telecommunications projects.

  • Ironically, Canada — which made the arrest — has not banned Huawei equipment.

Sen. Marco Rubio (R-Fla.) celebrated the arrest in an email to Axios and encouraged Canada to reverse course on permitting Huawei wares. "[Huawei] has long posed a serious risk to U.S. national security, and I continue to strongly urge Canada to reconsider Huawei’s inclusion in any aspect of its 5G development, introduction, and maintenance," he wrote.

  • Sen. Chris Van Hollen (D-Md.) also endorsed a hard line against Huawei. In a statement, he wrote, "Huawei and ZTE are two sides of the same coin — Chinese telecommunications companies that represent a fundamental risk to American national security. While the Commerce Department focused its attention on ZTE, this news highlights that Huawei is also violating U.S. law. At a bare minimum, we must hold both companies to the same standard."

2. What we learned from the Facebook documents

Key takeaways (abridged) from a British Parliament member's release of internal Facebook emails and documents, from Axios' Sara Fischer.

Naivete about data leaking: An email shows a former Facebook VP of product management saying he was generally skeptical there was as much strategic risk in data leaks between developers (like what happened with Cambridge Analytica).

  • Point: Facebook has already conceded that it is fair to criticize how it handled data privacy in its earlier days. But it reinforces Facebook's naivete about how much it could trust its developer partners.
  • Counterpoint: Facebook CEO Mark Zuckerberg says that it changed its policies to address these abuses in 2014–2015 and that "We're confident this change was the right thing to do."

Whitelists: The documents show that Facebook gave some companies like Netflix and Lyft access to data that Facebook stopped giving broad access to beginning in 2014-2015 after it changed its data policies.

  • Point: While this revelation isn't totally new (WSJ reported this in June), it shows that Facebook actively pursued whitelisting as part of its sales pitch, which undermines its narrative that it puts user privacy ahead of business deals.
  • Counterpoint: Facebook says there's a distinction between sharing friends' data and lists of friends (name and profile picture) because the latter is less invasive. They also say it’s common to help partners transition their apps during platform changes.

Call and text history on Android: Facebook executives emailed about the PR and legal risks of accessing a record of Android call and message history. Emails make it seem like the company wanted to collect the data as discreetly as possible to avoid such risks.

  • Point: Facebook received a ton of blowback when users discovered this policy in March. Facebook at the time basically said the practice is normal, but the emails show that they knew this was a "high risk" PR fiasco but moved forward anyway.
  • Counterpoint: Facebook says it's an opt-in feature and that it's not useful after a year anyway.
    • Our thought bubble: This is a weak defense. The problem is that the opt-in feature wasn't marketed explicitly enough, which is why users were caught off-guard. That's what was being debated in the emails revealed Wednesday.

3. NRCC breach might be election tampering — or not

After the NRCC acknowledged an email breach occurred before the election, many people's thoughts turned to election tampering — as in the 2016 election. But even if the NRCC was hacked by a foreign nation, which we do not yet know, it still might not be tampering.

Why it matters: All nations spy. And while no one wants to be the victim of spying, spying without breaking anything is well within what nations expect each other to do.

It's counterintuitive to most people, but the world works under a gentleman's agreement that espionage — gathering intelligence purely to inform policy or military decisions — is the international equivalent of a misdemeanor. Using the information to meddle with other countries' affairs is the felony.

"The key differentiators are the intent behind the intrusion, what the intruder does on the network and how any stolen information is used," said Michael Daniel, ex-White House cybersecurity czar and current president and CEO of the Cyber Threat Alliance.

We don't know if the NRCC hackers intended any damage to the infrastructure or psyche of America. They could easily have been looking for information to guide policies if a party won an election — as American officials admit the U.S. has done.

That doesn't mean we're definitely out of the woods.

  • "They may or may not have specific intentions at the outset, and they won’t always act on those intentions right away," said Nate Jones, former National Security Council detailee and founder of the Culper Partners consulting group.
  • Intentions may change over time.
  • We don't always see effects right away.

4. Stolen Pencil campaign targets professors

Hackers are targeting academics, particularly those with biomedical engineering backgrounds, in an espionage-like campaign to steal data. Arbor Networks' ASERT team, which discovered the group, has dubbed the actors "Stolen Pencil."

Why it matters: Universities are gold mines of intellectual property. But ASERT notes that there is no evidence of data theft, leaving the purpose of the attacks a little unclear.

Details: Victims were sent links to a malicious browser extension that would open a secret connection to the victims' system. The hackers then uploaded a bevy of tools to harvest passwords from those machines.

Maybe it was North Korea: There is some evidence that the attack may have come from North Korea, although not enough to say with any certainty.

  • During one session, a hacker changed the keyboard layout to Korean.
  • Some of the web addresses that can be linked to the hackers specifically mention North Korea.
  • The toolkit included software specifically designed to steal Ethereum cryptocurrency, which is in line with the Kim Jong-un regime's use of online cryptocurrency theft and other financially motivated attacks to compensate for sanctions.

5. Australia goes full tilt toward encryption bill

The Australian government passed a modified version of its encryption bill Thursday, after the attorney general and his opposition shadow came to an agreement.

Why it matters: The bill gives law enforcement the ability to compel tech firms to circumvent encryption in their products to aid law enforcement. Australia is a member of the Five Eyes alliance along with the U.S., U.K., Canada and New Zealand, and the bill is seen by many as a stepping stone toward new encryption laws in other nations.

What they're saying: "We are very concerned," said Sharon Bradford Franklin, director of surveillance and cybersecurity policy at New America’s Open Technology Institute. "The U.K. Investigatory Powers Act may have been the first domino towards global encryption policy, but Australia's rule is far more dangerous."

The original bill was marketed as one that gives law enforcement access without the creation of back doors or mass surveillance, and indeed it specifically bans "systemic surveillance."

  • But it did not define that term, and law enforcement has suggested it interprets that phrase to mean "surveillance that affects literally every owner of a product" — meaning authorities could be free to pursue something closer to mass surveillance than many would like.

The compromise will permit the government to command tech firms to implant surveillance technology or software into products to investigate crimes that carry at least a three-year prison sentence.

  • The compromise also adds a semi-judicial oversight process, allowing a firm with the aid of a technology expert and ex-judge to halt an order to circumvent encryption if the order is not as limited as possible, proportionate or technologically feasible.

"This is a backdoor to a backdoor," said Bradford Franklin, who noted that if Australia ordered a surveillance implant in an Apple phone, the U.S. or anyone else could order Apple to provide access to that information feed.

6. Odds and ends

Codebook will return on Tuesday.