Welcome to Codebook, the cybersecurity newsletter honoring July fourth like a real American (and not returning with our regular newsletter till next week).
Tips? Please reply to this email.
The House Oversight hearings on OPM in 2015. Photo: Mark Wilson/Getty Images
Last month, Maryland resident Kavira Cross pleaded guilty to applying for fraudulent loans using personal information stolen in the 2015 U.S. Office of Personnel Management breach. The plea immediately raised some uncomfortable questions about the OPM breach, in which 21 million Americans' personal information was stolen.
The U.S. attributed the breach to a Chinese intelligence operation. But surely China would not have orchestrated an attack on a federal agency just to help an American woman defraud a credit union? Here's where it's important not to jump to conclusions.
Why it matters: It's hard to look at the Cross plea without wondering about the attribution. "All prior public information was that this data breach was caused by Chinese hackers," Sen. Mark Warner (D-Va.) wrote in a July 21 letter to the Justice Department. "Yet, according to the DOJ, this information is now in the hands of U.S. residents for illicit use, and may have been as early as 2015."
The U.S. even arrested a Chinese national last year in the case. If Cross, rather than China, had hacked OPM — again, please don't jump to this conclusion — the U.S. would pay a big price in lost credibility. But experts say there are other explanations in play.
The background: Some of this confusion is of the Department of Justice's making.
Be smart: "The story is weird, and we don’t know the provenance of the data," cautioned Toni Gidwani, director of research operations at ThreatConnect. "We’re in a space where there are multiple, plausible explanations for how she got the data."
ZTE completely overhauled its board on Friday, one of the measures agreed to in its billion-dollar bargain with President Trump to avoid more serious penalties for selling banned technology to North Korea and Iran. But the Wall Street Journal notes those changes may make little dent in the company's real power structure.
The details: ZTE's 14-person board of directors resigned, and 8 new directors were named. But:
"The continuing influence of key personnel and Chinese state actors in ZTE’s affairs adds ammunition to critics of the deal," the Journal wrote.
Russia will introduce two cybersecurity resolutions at the U.N. in September, according to Russian newspaper Kommersant.
Why it matters: Both resolutions ultimately aim to do the same thing — give independent states permission to take more control over their domestic internet. That's a power the West has long been concerned that authoritarian states already abuse.
The two resolutions include an updated version of a governance resolution Russia has tried several times to get passed and a modernized cybercrime initiative.
There's still a lot of confusion about elections cybersecurity around the internet. Luckily, Axios' Shannon Vavra has created an Axios primer on election hacking, what can and can't be done.
"Saying 'the election system was hacked' is misleading, and that’s how a lot of people refer to what happened in 2016," Shannon says.
Why the story matters: If you're reading Codebook, you might be pretty well versed in election security. But it takes only a perfunctory look around Twitter to see the issue isn't going away.
It is with profound disappointment that Codebook reports the USB fans given to reporters during the U.S.-North Korea summit did not contain malware.
Anything with a USB dongle can be used to sneak malware onto a victim's computer, and while the USB fans given to reporters at the Singapore meet would have been a comically obvious attack, sometimes comedy is all we have.
Why it matters: What good is a USB fan that doesn’t have malware on it?
Codebook will return a week from today.