Jul 24, 2018

Axios Codebook

Joe Uchill

Welcome to Codebook, a cybersecurity newsletter happy to be back at sea level.

Tips? Feel free to reply to this email.

1 big thing: Congress caves on ZTE

Photo: Miquel Benitez/Getty Images

Congress has jettisoned language in the must-pass National Defense Authorization Act to restore harsh penalties against Chinese telecom manufacturer ZTE. The change, first reported last week, is part of the final text of the bill, released on Monday.

Why it matters: While the story was easily lost in a week of Russia news, the ZTE debacle will likely have effects that outlast Dan Coats' befuddled look (as he first learned President Trump has invited Vladimir Putin to the U.S.).

The background: ZTE has twice been caught selling banned technology to Iran and North Korea. After the first incident, ZTE agreed if it was ever caught again, it would accept a 7-year ban on the U.S. technology it needs to make its wares. When that ban took effect, ZTE shut down major operations. The Trump administration, against the wishes of Congress, then cut a new deal with ZTE allowing the firm to stay in business.

  • ZTE's trading with sanctioned nations wasn't the only national security issue. The U.S. suspects the company of sabotaging the equipment it sells to the U.S. to enable Chinese spying on domestic communications.

The Senate version of the defense funding bill included a provision to reverse the Trump ZTE deal. The House version did not. The ZTE-related amendment did not survive the merger of the two bills.

Why it matters: Trump's deal with ZTE sets an unusual precident for the White House: a president's willingness to treat national security concerns as a bargaining chip.

Giving the president that transactional freedom comes at a price. Senate lawmakers and outside experts had been concerned that beyond the hit to national security, tearing up in place agreements would harm:

  • The government's ability to deal...: "It makes it more difficult for lawyers like me to know if we enter into a settlement with the government, will it be blown up on Twitter," Brian Fleming, a lawyer for Miller & Chevalier specializing in trade-based regulatory issues and former counsel at the Department of Justice, told Codebook in June.
  • ...and regulator's ability to threaten companies: Why abide by rules if penalties are negotiable?

But House Republicans and other Trump defenders put aside penalizing ZTE to avoid sandbagging Trump amid his broader trade negotiations with China.

Sen. Marco Rubio described the resulting bill as a "cave."

All quid no quo: If ZTE could have been used as a bargaining chip with China, Trump appears to have squandered the chance. "It's all quid but no quo," said James Lewis, senior vice president at the Center for Strategic and International Studies and a former Commerce Department lead for high-tech trade with China.

  • "The big flaw is that the US failed to get anything in return," said Lewis. There was no concession by the Chinese in return for reducing ZTE's penalty.
  • There were, however, some obvious things to ask for in return, said Lewis — most notably, Chinese approval of Qualcomm's merger with Chinese firm NXP, a deal that was held up by bureaucracy at the time of Trump's ZTE bargain and is now at risk of sputtering out due to the burgeoning trade war.
2. Russia's power-plant hacks: Don't panic (yet)

The Department of Homeland Security is notifying power plants that Russian government-sponsored hackers are breaching their control rooms, placing attackers in a position where they could flip off the power.

The background: The Wall Street Journal reports the attacks come from a known Russian group often referred to as Energetic Bear.

This might not be quite as bad as it sounds. Sure, more vigilance is better than less vigilance, and we are certainly worse off than if no attacks were happening. But:

  • The Journal story overstates power plants' vulnerability, making it seem trivial to enter a computer that's "air-gapped" (not connected to the internet) and suggesting that such isolation is the only form of security plants have.
  • Neither is true. Air-gaps are one of many layers of security at power plants. In fact, it was a private security vendor who identified the Energetic Bear attacks. The power plants' security apparatus ultimately worked.
  • These are ongoing attacks the industry is aware of, not a new threat.

Blackouts aren't imminent. Rob Lee of Dragos, a firm specializing in infrastructure security, emailed Codebook: "What was observed is incredibly concerning, but images of imminent blackouts are not representative of what happened, which was more akin to reconnaissance into sensitive networks.... "[The] messaging in the WSJ article around 'throwing switches' and causing 'blackouts' is misleading on the impact of the targeting that took place."

3. WikiLeaks: Not a wiki, and not a leaks site

The joke about WikiLeaks has always been that it's not a wiki. New research shows that it's also, by and large, not a leaks site — at least, not in the conventional sense of the term.

Security researcher Emma Best did a statistical analysis of 15 million files released between 2007 and 2017, and found that only 9.5% of the documents came from whistleblowers — what most people think of as leakers. The remainder came from external hackers (69.5%) and public records requests.

WikiLeaks violates its own policy of not republishing content that's already been published elsewhere a great deal, reports Best. A whoping 33.8% of its content has been published by other people first.

  • Best notes that this creates at least the appearance of bias. WikiLeaks' stance has always been that it didn't publish Trump campaign documents because it didn't receive any.
  • But WikiLeaks did receive Trump documents, which it vetted and even created a graphic for — before spiking after it found the documents published elsewhere.
  • It had no similar qualms reprinting Clinton-related content, or indeed all sorts of other documents amounting to one-third of its site.
4. Angry attendees say it's time to abandon HOPE

Hackers on Planet Earth (HOPE) is a community-focused conference beloved by, well, hackers on planet earth. But a number of groups and attendees signed a "letter of no confidence" about the conference's handling of alt-right agitators who attended this weekend's event.

Why it matters: According to several reports, the problem ran deeper than clashing political ideologies. The alt-right attendees appeared to be engaged in a coordinated effort to provoke a response.

  • One alt-right attendee questioned researcher Matt Blaze about whether Blaze had been honest in his allegations of "stalker" behavior and inappropriate touching against John Draper. Blaze is not the only researcher to make such accusations, and the issue wasn't relevant to his talk.
  • Another group of attendees followed Chelsea Manning around in an apparent attempt to menace her, letter organizers told Motherboard. Manning cosigned the letter.
  • The attendee who questioned Blaze later announced he was a "nationalist" during one question and answer session, after which another attendee stole his MAGA hat. Security retrieved the hat. The man (and his hat) were later kicked out of the conference for being physically threatening toward another attendee.

HOPE organizers told Motherboard that the problems stemmed from conference-goers' complaints about perceived safety threats not getting through to the right people.

Worth noting: One of this year's talks directly related to research in alt-right communities on the internet.

5. IRS's authentication push needs better organization

Photo: Bill Clark / CQ Roll Call via Getty Images.

The IRS is making progress in authenticating users to keep them safe from fraud, but is disorganized in its efforts, according to a new Government Accountability Office report.

Why it matters: Authenticating users prevents thieves from stealing tax refunds or making other fraudulent moves. The IRS views W-2 scams as a perennial threat, and has faced persistent problems with identity theft.

The details: The report notes that IRS has done a good job identifying long term projects tht would aid the authentication process, but has not identified the funding requirements to make sure those projects stay afloat or prioritized which projects need to be completed first.

6. Comings and goings
  • Rob Joyce, who left his role as cybersecurity coordinator for President Trump to rejoin the NSA, will be the U.S. liaison officer in London. The U.K. is a major cybersecurity ally and the role is a top overseas post in the agency. Joyce was one of several White House security figures who left after the appointment of John Bolton as national security adviser. Bolton eliminated the cybersecurity coordinator position after Joyce stepped down.
  • Howard Marshall, former FBI deputy assistant director for cyber, is joining Accenture's threat intelligence consultancy. Marshall was one of three top FBI cybersecurity officials who announced retirement last week.
Odds and ends
  • Ecuador will "imminently" kick Julian Assange out of its embassy, according to reports in RT and the Intercept. Two months ago, CNN reported that his Ecuadorian stay was in jeopardy. (The Intercept, CNN)
  • Google entirely thwarted phishing attacks for more than a year by using a physical USB key as second form of authentication. (Krebs on Security)
  • Cisco Talos researchers found serious security problems in a Sony security camera. (The Register)
  • The Senate's No. 2 Republican urges Trump to put the next Putin meeting on the "back burner." (The Hill)
Joe Uchill

Codebook will return Thursday.