Jan 27, 2021

Axios Codebook

Hello, and welcome to this edition of Codebook. This week, we’re reminding you to update your Apple devices now. Seriously.

Today's newsletter is 1,332 words, a 5-minute read.

1 big thing: In cyber espionage, U.S. is both hunted and hunter

Illustration: Eniola Odetunde/Axios

American outrage over foreign cyber espionage, like Russia's SolarWinds hack, obscures the uncomfortable reality that the U.S. secretly does just the same thing to other countries.

Why it matters: Secrecy is often necessary in cyber spying to protect sources and methods, preserve strategic edges that may stem from purloined information, and prevent diplomatic incidents.

  • But when the U.S. is only portrayed as a victim of nation-state cyber activity and not as a perpetrator in its own right, it creates a false impression of the state of play and invites calls for vengeance that could prove misguided or self-defeating.

The big picture: The U.S. is stronger in cyberspace than any other country, with world-spanning digital snooping capabilities, buttressed by American technological ingenuity and some of the planet’s most talented hackers and daring overseas operators.

  • Yet hacking performed by the U.S. — or our Five Eyes allies — is artificially hidden from view. Not only do U.S. officials not disclose it, neither do most private threat intelligence firms (insofar as they have insight), for reasons of patriotism, pedigree and profit.

Generally, only foreign-owned private cyber firms like the Russia-based Kaspersky, the object of deep distrust by U.S. intelligence officials, have treated U.S. threat actors like others: by naming them, describing their targets, and detailing their tactics, techniques and procedures.

Between the lines: The greater visibility, and heated rhetoric, surrounding cyber operations targeting the U.S. leads to more ink being spilled on the subject, which, in an escalatory spiral, further raises the public temperature.

  • Many within the halls of government — including in Congress, where most lawmakers are not regularly privy to classified information regarding U.S. government hacking — are also taking their cues from public reporting.
  • That means U.S. officials are themselves absorbing, and then often further amplifying, this distorted view.

Even when officials do acknowledge American cyber spying, it's often in coded language or to describe a specific subset of U.S. actions.

  • Officials will talk of "defending forward" — that is, U.S. activity meant to raise the costs for adversaries to be successful in cyberspace — rather than speaking clearly and frankly about cyber espionage for traditional intelligence collection purposes.

Yes, but: "Russia launched SolarWinds — the latest in a long series of hostile Russian cyber operations — not because the U.S. has engaged too proactively in cyberspace," Gary Corn, a former senior Cyber Command official, wrote in Lawfare. "Quite the opposite; it did so, very simply, because it could."

  • The U.S.' own cyber operations neither explain nor justify the actions or motivations of America’s adversaries. But a clearer public understanding of what the U.S. does in cyberspace would mean a clearer understanding of what other countries are up to.

The most measured reactions to SolarWinds have therefore often come from top U.S. intelligence officials, who know too much about the country’s own activities to pretend otherwise.

  • So while lawmakers like Sens. Dick Durbin (D-Ill.) and Mitt Romney (R-Utah) compared SolarWinds to a Russian act of war, current and former intel officials were more muted.

"Good on them, bad on us," said former acting CIA director Michael Morell in response to news of the Russian hack. Morell emphasized that SolarWinds appears to have "just" been espionage and not, apparently, some type of prelude to destruction.

  • Paul Kolbe, a former senior CIA official, decried the “indignant howling” over SolarWinds in a provocative and clear-eyed essay in the New York Times.
  • In a statement about the hack, CISA, FBI, NSA and ODNI also underlined their assessment that SolarWinds “was, and continues to be, an intelligence gathering effort.”

The bottom line: The question isn’t whether U.S. cyber operators are, for example, targeting major Russian government agencies, but how successful these ventures have been and continue to be.

2. Biden rounds out top cyber picks

Photo illustration: Eniola Odetunde/Axios. Photo: Win McNamee/Getty Images

The Biden administration is planning on nominating Jen Easterly, a former top Obama-era NSA and counterterrorism official, to the new Senate-confirmed national cyber director position, reports Politico.

Why it matters: Assuming she’s confirmed, Easterly will serve as the inaugural director of a new institution that is supposed to be the principal adviser to the president on cybersecurity issues.

Background: Easterly “served as deputy director for counterterrorism at the NSA from 2011 to 2013 before joining Obama’s NSC, where she served as special assistant to the president and senior director for counterterrorism,” writes Politico. Easterly also helped stand up the U.S. military’s Cyber Command.

  • Easterly helped advise the Biden transition on the new cyber director office, writes Politico.

Additionally, Biden is poised to select Robert Silvers, a former Obama-era DHS undersecretary, as the new head of CISA and Eric Goldstein, another DHS veteran, as head of CISA’s cybersecurity division, writes Politico.

  • Silvers and Goldstein also advised the Biden transition team on CISA-related issues.

The three Obama administration veterans will face a bevy of acute cybersecurity-related challenges, including the fallout from the SolarWinds hack.

  • Easterly will also be faced with the difficult job of establishing an entirely new unit — the Office of the National Cyber Director — which may have a staff of up to 75.
  • And she'll have to navigate some rocky bureaucratic terrain in the Biden administration, which is stacked with other top cybersecurity officials at the NSA and NSC.

3. Intel agency taps location data to track U.S. users

The Defense Intelligence Agency has purchased cellphone data from commercial brokers that can track American and other app users’ movements, according to an unclassified memo provided to the New York Times.

Between the lines: It's unsurprising that U.S. intelligence agencies are trying to use commercially available (and relatively cheap) data to circumvent collection restrictions. But U.S. intelligence agencies are still supposed to face limits on their use of this data when it comes to users on U.S. soil.

Details: The data streams do not separate Americans’ geolocation information from non-Americans’ user information, so the DIA “processes the location data as it arrives to identify U.S. location data points, that it segregates in a separate database,” according to the memo.

  • Use of this separate U.S.-only location database requires the DIA to seek approval from agency lawyers and leadership, says the memo. The DIA has received “permission to query” this data set five times in the last 2½ years, says the memo.
  • The memo does not elaborate on how often, or to what end, this data has been used to track non-American users’ data.
  • According to the memo, the DIA believes that existing legal precedent does not “require a judicial warrant endorsing purchase or use of commercially-available data for intelligence purposes.”

Flashback: Vice previously reported that another Pentagon entity, U.S. Special Operations Command, has also purchased commercially available geolocation data via brokerage firms for counterterrorism purposes, including access to data derived from a Muslim prayer app that has been downloaded over 98 million times worldwide.

  • The app, called Muslim Pro, helps users situate themselves toward Mecca for prayer.

Our thought bubble: If U.S. spy agencies can access these tranches, it’s a good bet that foreign intelligence services — including hostile services — can too, with far fewer internal restrictions governing their use.

4. North Korean hackers targeted U.S. security researchers

Suspected North Korean state hackers have been using social engineering schemes to target security researchers, according to researchers with Google’s Threat Analysis Group.

Driving the news: Using platforms "including Twitter, LinkedIn, Telegram, Discord, Keybase and email," the hackers themselves posed as threat researchers in order to build legitimate profiles and backstories.

  • "After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project," write the Google researchers.

One security researcher described how he was targeted — and later compromised — by someone he later realized was a North Korean operative.

  • "Hey folks, story time. A guy going by the name James Willy approached me about help with a 0-day. After providing a writeup on root cause analysis I realized the Visual Studio project he gave me was backdoored," wrote Alejandro Caceres, the researcher.
  • "Anyway, yes I was hacked," wrote Caceres. "No, no customer information was leaked, this was on a private [virtual machine] for this exact reason."

The Google team also said that the North Korean hackers set up a phony research blog that included malicious code that compromised the devices of targets who followed links to the site.

5. Odds and ends