December 12, 2019
Welcome to Codebook, the Axios cybersecurity newsletter coming to you this week from Scott Rosenberg.
Today's Codebook is 1,611 words, a 6-minute read.
1 big thing: Distrust of tech could be encryption's Achilles' heel
A Senate Judiciary Committee hearing Tuesday set up what's likely to be the most consequential national debate on encryption since the 1990s.
The big picture: The technical community's long-held consensus against weakening encryption is colliding head-on with bipartisan political hostility toward the Big Tech companies that are making encrypted communications an internet default.
- On one side: Lawmakers and law enforcement advocates argue that the end-to-end encryption that's increasingly built into messaging platforms and mobile devices is unacceptably hampering efforts to combat terrorism, human trafficking and child abuse.
- On the other: Tech companies and privacy advocates maintain that weakening encryption for law enforcement needs also inevitably opens vulnerabilities that bad actors can exploit — including foreign governments, criminal hackers and legal authorities overstepping their bounds.
Driving the news: Senators from both sides of the aisle lit into representatives of Apple and Facebook at the Tuesday hearing, telling the companies that if they don't voluntarily find a way for the government to access the data it seeks to stop crimes, Congress will legislate one.
- New York District Attorney Cyrus Vance Jr. testified that Apple's decision to begin encrypting iPhone content by default in 2014 "effectively upended centuries of American jurisprudence holding that nobody's property is beyond reach of a court order."
- Erik Neuenschwander, Apple's manager for user privacy, told the senators that Apple has never held keys that let it access users' data, and it opposes efforts to require it to do so: "We've been unable to identify any way to create back doors that would only work for the good guys. They will be exploited by nefarious entities as well."
- Jay Sullivan, product management director for privacy and integrity at Facebook Messenger, argued that if the U.S. mandates weakened encryption for U.S.-based services, customers will simply switch to services offered by companies abroad that will be less responsive to American authorities.
Meanwhile, Attorney General William Barr has been pursuing his own campaign, launched with a speech last summer, promoting the need for back doors to encrypted devices and communications.
- In October, Barr, along with officials from DHS and European and Australian law enforcement, sent Facebook a letter requesting the company adopt such a scheme for WhatsApp and Messenger. Monday, the company responded "no."
History lesson: The U.S. government's one significant attempt at the creation of encryption back doors — the Clinton administration's Clipper Chip program, which lasted from 1993 to 1996 — was a technical and market failure.
- Each Clipper Chip had its own key that private companies held in "escrow" to hand over under government order. But the scheme wasn't mandatory, experts hated it and the industry never embraced it.
That '90s fight took place right as the formerly academic internet went mainstream, and it pitted "crypto rebels" against a government establishment, with the telecom industry caught in between.
- Today, the fight is instead between the government and a group of rich tech companies that have amassed vast power while facing a growing roster of controversies involving user privacy, failures to curb misinformation, monopolistic behavior, and accusations of bias.
Our thought bubble: We could end up with an encryption law for the 2020s that mandates some kind of updated Clipper Chip (likely via software rather than hardware) — not because anyone thinks it will work, but because lawmakers and voters of both parties have lost trust in the tech companies that oppose it.
2. Tech industry girds itself for fake census news
Google on Wednesday offered a roundup of its efforts to keep census misinformation from infesting YouTube, search, ads and other products. It's the latest effort from a tech platform to show it's taking the 2020 census seriously, Axios' Kyle Daly reports.
Why it matters: Census results from 2020 will be used to draw political districts in 2022, shaping democratic representation in the U.S. for a decade.
- That makes the census a ripe target for parties domestic and foreign who want to skew the results by taking to the internet to discourage certain groups of people from taking part.
- Advocacy groups say these campaigns are particularly likely to target people of color, immigrants and members of the LGBTQ community.
At Google, ads and YouTube videos that misinform people about when or how to take part in the census are banned, per a Wednesday blog post.
- The company is also looking to boost accurate information in search and to keep fake Census Bureau outreach out of people's Gmail inboxes and apps that appear in the Google Play Store.
At Facebook, COO Sheryl Sandberg promised in June that "we’re going to treat next year’s census like an election."
- That means resources devoted to training employees and algorithms to detect and root out census-related misinformation, the company said then.
- And Sandberg said Facebook would roll out a new policy on census misinformation this fall. A company spokesperson said Wednesday the policy is being finalized now.
On Twitter, the service bans false or misleading information about elections and other civic events (like the census).
- A spokesperson said the company has been in talks with Census Bureau officials on how best to support an accurate count.
- But Twitter has been fairly quiet about specific efforts it's taking to protect the integrity of the census, prompting a letter from 57 House Democrats last month urging CEO Jack Dorsey to go public with a plan.
What's next: The Census Bureau will conduct its count by mail, phone, the internet and in-home visits next year, primarily in the spring.
3. GOP Senator blocks election meddling bill
A Republican senator is blocking bipartisan legislation meant to counter foreign election interference, saying it is more anti-Trump than anti-Russia, Axios' Margaret Harding McGill reports.
The big picture: The Defending Elections from Threats by Establishing Redlines (DETER) Act of 2019 is sponsored and supported by both Republicans and Democrats. But efforts to counter Russian election interference have often run afoul of the Trump administration, which has frequently downplayed Russian meddling in the 2016 race and pointed a finger (without evidence) at Ukraine instead.
Driving the news: Sen. Mike Crapo (R-Idaho) objected Tuesday when Sen. Chris Van Hollen (D-Md.) sought consent to pass the DETER bill, as reported by The Hill.
- The bill would apply Russia-specific sanctions on the country's finance, defense and energy sectors if the director of national intelligence determines the Kremlin has interfered in a federal election.
- Crapo, chairman of the Senate Banking Committee, argued President Trump has "probably put more sanctions on the Russians than any president in our history. "
- But he called economics sanctions legislation a double-edged sword. "The mechanisms in this bill have been designed more to attack the Trump administration and Republicans than to attack the Russians and those who would attack our country and our elections," Crapo said in a statement on the Senate floor.
Yes, but: The DETER Act was introduced by Van Hollen and Republican Sen. Marco Rubio and counts other Republicans as co-sponsors.
- "This has nothing to do with President Trump, this has to do with protecting our elections," Van Hollen said, noting that the bill has been tweaked to allow the president to waive sanctions.
Why it matters: The stalled legislation comes as U.S. intelligence agencies predict Russia and other foreign countries will attempt to interfere in the 2020 election.
4. D.C. leads on security talent, trails in AI
The national capital region (Washington, D.C., metro area) accounts for 12% of all U.S. workers in the information security field — more than double the San Francisco Bay Area.
Yes, but: When it comes to artificial intelligence talent, San Francisco and Seattle have almost 40% of the total workforce, Axios' Kim Hart reports.
Why it matters: "Regions should consider what kinds of skills they need to achieve to support their local economies, and then choose a couple of areas to make bigger bets (based on current gaps relative to where there is demand) to help an area thrive," said McKinsey partner Brooke Weddle, who co-authored a report with the Greater Washington Partnership to evaluate the D.C. region's talent pipeline.
- The large presence of the defense industry in the Washington, D.C., area helps draw in info-sec talent. Meanwhile, Big Tech companies on the West Coast are among the biggest investors in AI development.
Quick take: Data security and AI are increasingly intertwined, and the potential for adversaries to use AI to automate large-scale attacks is a major threat. So look for these employment clusters to even out as the fields integrate over time.
5. Odds and ends
- How China tried to get the World Bank to fund surveillance in Xinjiang — an Axios scoop from our new China reporter, Bethany Allen-Ebrahimian (Axios)
- The great $50 million African IP address heist (Krebs on Security)
- Gizmodo used the Neighbors app to map neighborhood networks of Amazon Ring doorbell cameras in 15 cities (Gizmodo)
- Kansas' controversial and error-prone Crosscheck program, which aimed to find citizens who'd registered to vote in more than one state, shut down (Associated Press)
- Iran's president wants to put his nation on one big intranet (CNet)
- Inside Facebook's "red-team" hackers, who try to find the company's vulnerabilities before malicious hackers can (ZDNet)
- DHS has selected Bryan Ware to fill its top cybersecurity post. Jeanette Manfra, who'd held the job, is taking on a role at Google Cloud. (CyberScoop)
- Belgium-based Secure Code Warrior raised a $47M B round to grow its developer security training business (Tech.eu)
- Ordr, based in Santa Clara, which offers real-time network threat protection as a service, closed a $27.5M B round (VentureBeat)
- Tines, a Dublin-based startup that automates repetitive enterprise security tasks, raised an additional $11M on top of a previous $4M round (VentureBeat)
6. A note from Joe Uchill
"Keen-eyed readers will have noticed that in last week's newsletter, we said we'd be off for vacation until next year. But I have some personal news to share that probably shouldn't wait until next year: The last issue of Codebook was my very last issue of Codebook. I'll be leaving Axios in the new year in search of my next adventure and spending the next few weeks helping the company transition to a less-chaotic, Joe-less existence.
I'd like to thank all of you for reading what was an experimental cybersecurity newsletter about my mom, Godzilla, and bad career decisions. We also, occasionally, did some pretty OK journalism. But it's now time for someone else's mom to take Codebook's reins."
Axios will miss Joe. Look for Codebook's return in January, and have a great holiday!