A master lock with ones and zeroes instead of the regular numbers.
June 07, 2018

Welcome to Codebook, the only cybersecurity bold enough to tell you not to delete requested evidence in an ongoing criminal case (see below).

Tips? Reply to this email address.

1 big thing: White House's ZTE deal wins race with legislators

ZTE sign framed against a blue sky
Photo: Johannes Eisele/AFP via Getty

The $1.4 billion deal the White House reached to keep embattled Chinese telecom equipment maker ZTE running preempts an amendment in the National Defense Authorization Act (NDAA) that would have tied the Trump administration’s hands on the issue.

Why it matters: The Trump administration and China hawks are fighting over how to define the ZTE controversy: Is it about balance-of-trade figures or national security? Trump's side just won a round.

The background: ZTE was caught — twice — selling banned technology to North Korea and Iran. After the first infraction, ZTE agreed that if it was ever caught again, it would lose access to U.S. tech components it needed to make equipment. That was the equivalent of a death penalty for the firm — and after the U.S. imposed the penalty in April, ZTE announced it would shut down manufacturing.

  • President Trump approached the penalty as an employment issue (he tweeted that the move would kill too many Chinese jobs) and as a bargaining chip in trade negotiations with China.
  • Lawmakers on both sides of the aisle were more concerned with the national security implications, including allegations that ZTE and rival Huawei place backdoors in products to spy on the U.S.

Timing is everything: The Senate is nearing passage of its version of the NDAA, which contained an amendment that would block the White House’s ability to make this kind of deal with a Chinese firm.

  • Several offices contacted by Axios — including those of Sens. Marco Rubio (R-Fla.) and Chuck Schumer (D-N.Y.) — were counting on the amendment, written by Sen. Chris Van Hollen (D-Md.), to halt the negotiations. The Trump administration beat opponents to the punch.

2. DOD, states in election security turf war

Illustration of toy soldiers protecting a ballot
Illustration: Sarah Grillo/Axios

Two Senate Democrats have introduced a bill that would provide $50 million to stand up National Guard cyber units in every state to prevent and respond to election security issues. But there's a glitch: the Defense Department is somewhat resistant to shifting its authority to states.

Why it matters: Once more, the U.S. is up against its age-old conflict in election security — between the belief that states should run their own elections and the fact that the feds provide much of the resources and authority.

The buzz:

  • "It’s kind of a turf war between the National Guard and the DOD," a House staff member told Axios.
  • “There’s some concern over who’s going to control this,” a spokesman for the National Guard Association of the U.S. tells Axios, whose organization is supportive of the bill.
  • "The DOD’s job is to be conservative. It’s Congress’ job to push for new ideas," Washington Rep. Derek Kilmer, whose bill on the issue preceded the Senate's, told Axios. He added that at the end of the day, "everybody wants the same thing": more secure elections.

The arguments for it: The bill's authors, Sen. Maria Cantwell and Sen. Joe Manchin, and other advocates point out that the National Guard is already working on other critical infrastructure issues — including election security — in the states. As a result, the National Guard is uniquely familiar with the technological landscape that it would need to protect when it comes to election security, said Kilmer.

Why the DOD might push back: Standing up state-backed cyber units would naturally pull some resources away from the DOD.

  • “If there’s the Army and the Air Force paying for their training and equipment they’d like to have these people at their disposal when they need them,” the spokesman for the National Guard Association of the U.S. tells Axios. And yet the state perspective is, “this infrastructure is just as important."
  • It's unclear right now whether DOD resistance will block the legislation.

Read the full story from Axios's Shannon Vavra here.

3. Pentagon eyes cloud-based browser

The Department of Defense sent out a request for information (RFI) about a cloud-based web browser on Tuesday.

Why it matters: Traditionally, browsers are local programs that pull down content and code from servers elsewhere. The cloud would add a layer of protection — the content and code would open on a different server and then broadcast to the user's computer. It's a neat technical idea, and a fundamentally different approach to security.

How it's different: There are not a whole lot of places from which malware can enter a computer. Surfing the web is a big one.

  • The malware protection products most people use monitor network behavior, outgoing connections and programs as they run, and scan files for malware.
  • A completely different model would be to run the web browser in the cloud on a system that scrubs everything but the most essential components at the end of each session. Every errant link would open first on someone else's computer, malware would never enter a user's network, and even if something problematic was installed, it would soon be deleted.
  • If everything works to plan, it would allow super secure networks to be less restrictive about the sites workers can visit — it mitigates much of the risk of adventurous browsing.

There aren't too many players in the cloud browser space. Scott Petry, cofounder and CEO of one of those companies, Authentic8, told Codebook the RFI showed it was an idea whose time has come.

"It sends a message to government and commercial environments that the biggest, most secure network can use it," he said.

4. Mueller checking witness phones for encrypted apps, chats

Special prosecutor Robert Mueller is asking witnesses to turn in their cell phones so he can check for encrypted apps. Meanwhile, Sean Hannity told his viewers not to comply.

Why it matters (in the probe): Former Trump campain chair Paul Manafort may have his bail rescinded after prosecutors claimed to have found he had used the encrypted app WhatsApp to ask witnesses in his case to lie on his behalf. This represents another instance where Manafort seems to have believed he could use technology to cover his tracks but didn't quite stick the landing.

Why it matters (to Sean Hannity): Hannity advised witnesses viewing his program to take thorough steps to thwart Mueller's request, as seen in this video taken by liberal media monitoring organization Media Matters For America: "Delete all your emails and then acid-wash the emails on the hard drives and your phones, then take your phones and bash them with a hammer to little itsy bitsy pieces...and hand them over to Robert Mueller and say: ‘Hillary Rodham Clinton, this is equal justice under the law.'"

There are two problems here:

  • The smaller problem: Hannity is confusing the free secure file deletion program BleachBit with acid washing, a critical step in turning regular jeans into mom jeans.
  • The larger: Destroying evidence a prosecutor is aware of is an objectively bad idea, especially if you've done nothing wrong.

5. Former FCC chair: Trump team is ducking security issues

In a Wednesday taping for C-SPAN's "The Communicators," Wheeler said that his successor, Ajit Pai, hasn't made the security of America's telecom networks enough of a priority.

Axios's David McCabe offers a report from his C-SPAN interview with former FCC head Tom Wheeler:

What Wheeler is saying: “The fact of the matter is that we need to have safe and secure networks, and the Trump FCC has said that’s not our job," he said. "And it seems to me that the agency responsible for America’s networks needs to also show leadership in the security of those networks.”

  • He took issue with the way that the Pai commission has approached the cybersecurity work it did under his leadership, and said he thought that didn't square with steps Pai has taken towards potentially limiting the use of Huawei and ZTE telecom equipment with American carriers.
  • "I think what needs to be done is have a holistic program to deal with security of the networks, rather than have some kind of a rifle shot, 'Well, we’ll do this to affect rural carriers and not others,'" he said — referring to Pai's moves that would affect the Chinese companies and those U.S. networks that purchase their inexpensive products.

The bigger picture: Questions about network security aren't going away, as a recent scuffle over stingray devices in Washington, D.C. shows.

6. Bipartisan bill would keep encryption policy uniform nationwide

A quartet of Congress folk re-introduced legislation Thursday morning to prevent states and localities from introducing their own encryption laws.

Why it matters: It's easy to view any policy about encryption through the lens of the encryption debate over whether it would be a good thing to weaken encryption to aid law enforcement. This is not that debate. Instead, this is about whether it's feasible for tech vendors to create different versions of phones for each state or city that develops its own law.

Second time's the charm? 2018's ENCRYPT act, sponsored by Ted Lieu (D-Calif.), Mike Bishop (R-Mich.), Suzan DelBene (D-Wash.) and Jim Jordan (R-Ohio), is the same as 2016's ENCRYPT act, sponsored by those 4 and former Rep. Blake Farenthold (R-Texas).

7. Odds and ends

  • VPNFilter malware is more virulent than we previously knew. (Axios)
  • The U.S., which has the most allocated internet addresses, also leads the world in total systems vulnerable to the kinds of attacks in which hackers scan internet addresses in bulk to find victims. (Rapid7)
  • Homeland Security documents suggest the agency is concerned about airplane hacking. (Motherboard)
  • The group who attacked the Ukranian power grid may be branching out to other countries. Not the U.S., though. (Dragos)
  • The latest on Sofacy (aka Fancy Bear) (Palo Alto)
  • House Homeland Security advanced a grid security bill. (The Hill)
  • Marcus Hutchens, the security researcher who shut down WannaCry only to be arrested for creating malware that stole banking passwords, is facing a host of new charges in the same case. (Ars Technica)
  • Capgemini purchased the cybersecurity arm of Leidos. (Capgemini)
  • Wednesday was the fifth year anniversary of the Snowden leaks. (Twitter)

Codebook will return next week with a vengeance.