Welcome to Codebook, a cybersecurity newsletter happy to be back at sea level.
Tips? Feel free to reply to this email.
Congress has jettisoned language in the must-pass National Defense Authorization Act to restore harsh penalties against Chinese telecom manufacturer ZTE. The change, first reported last week, is part of the final text of the bill, released on Monday.
Why it matters: While the story was easily lost in a week of Russia news, the ZTE debacle will likely have effects that outlast Dan Coats' befuddled look (as he first learned President Trump has invited Vladimir Putin to the U.S.).
The background: ZTE has twice been caught selling banned technology to Iran and North Korea. After the first incident, ZTE agreed that if it was ever caught again, it would accept a 7-year ban on the U.S. technology it needs to make its wares. When that ban took effect, ZTE shut down major operations. The Trump administration, against the wishes of Congress, then cut a new deal with ZTE allowing the firm to stay in business.
The Senate version of the defense funding bill included a provision to reverse the Trump ZTE deal. The House version did not. The ZTE-related amendment did not survive the merger of the two bills.
Why it matters: Trump's deal with ZTE sets an unusual precedent for the White House: a president's willingness to treat national security concerns as a bargaining chip.
Giving the president that transactional freedom comes at a price. Senate lawmakers and outside experts had been concerned that, beyond the hit to national security, tearing up agreements already in place would harm:
But House Republicans and other Trump defenders put aside penalizing ZTE to avoid sandbagging Trump amid his broader trade negotiations with China.
Sen. Marco Rubio described the resulting bill as a "cave."
All quid no quo: If ZTE could have been used as a bargaining chip with China, Trump appears to have squandered the chance. "It's all quid but no quo," said James Lewis, senior vice president at the Center for Strategic and International Studies and a former Commerce Department lead for high-tech trade with China.
The Department of Homeland Security is notifying power plants that Russian government-sponsored hackers are breaching their control rooms, placing attackers in a position where they could flip off the power.
The background: The Wall Street Journal reports the attacks come from a known Russian group often referred to as Energetic Bear.
This might not be quite as bad as it sounds. Sure, more vigilance is better than less vigilance, and we are certainly worse off than if no attacks were happening. But:
Blackouts aren't imminent. Rob Lee of Dragos, a firm specializing in infrastructure security, emailed Codebook: "What was observed is incredibly concerning, but images of imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks.... [The] messaging in the WSJ article around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place."
The joke about WikiLeaks has always been that it's not a wiki. New research shows that it's also, by and large, not a leaks site — at least, not in the conventional sense of the term.
Security researcher Emma Best did a statistical analysis of 15 million files released between 2007 and 2017, and found that only 9.5% of the documents came from whistleblowers — what most people think of as leakers. The remainder came from external hackers (69.5%) and public records requests.
WikiLeaks frequently violates its own policy of not republishing content that has already been published elsewhere, reports Best. A whopping 33.8% of its content has been published by other people first.
Hackers on Planet Earth (HOPE) is a community-focused conference beloved by, well, hackers on planet earth. But a number of groups and attendees signed a "letter of no confidence" about the conference's handling of alt-right agitators who attended this weekend's event.
Why it matters: According to several reports, the problem ran deeper than clashing political ideologies. The alt-right attendees appeared to be engaged in a coordinated effort to provoke a response.
HOPE organizers told Motherboard that the problems stemmed from conference-goers' complaints about perceived safety threats not getting through to the right people.
Worth noting: One of this year's talks directly related to research in alt-right communities on the internet.
The IRS is making progress in authenticating users to keep them safe from fraud, but is disorganized in its efforts, according to a new Government Accountability Office report.
Why it matters: Authenticating users prevents thieves from stealing tax refunds or making other fraudulent moves. The IRS views W-2 scams as a perennial threat, and has faced persistent problems with identity theft.
The details: The report notes that the IRS has done a good job identifying long-term projects that would aid the authentication process, but has not identified the funding requirements to make sure those projects stay afloat or prioritized which projects need to be completed first.
Codebook will return Thursday.