May 8, 2018

Axios Codebook


Welcome to Codebook, the only cybersecurity newsletter that has specifically been asked to stop using photographs of people in bear costumes to illustrate Fancy Bear.

Tips? Comments? Reply to this email.

1 big thing: ZTE sanctions might strengthen Chinese tech

Rebecca Zisser/Axios

When the U.S. announced new trade sanctions against Chinese tech giant ZTE last month, it didn't intend to strengthen China's domestic semiconductor industry. But trade fights can have unexpected consequences.

"The Trump administration probably didn't think twice about sanctioning ZTE, but it's going to have real effects," said Jim Lewis, senior vice president at the Center for Strategic and International Studies and a former head of the Commerce Department team dealing with national security issues in high tech trade with China.

The broad strokes: In mid-April, the U.S., which says ZTE has illegally traded with North Korea and Iran and covered up its actions, barred the company from access to all U.S. exports for 7 years. ZTE is dependent on American microprocessors to build its wares.

  • On Friday, the Wall Street Journal reported China would invest $47 billion to develop its own semiconductor industry to cut reliance on the West.
  • That appears to be in play whether or not ZTE is successful in this week's request for the U.S. government to suspend its penalty.

The intrigue: Skirmishes over semiconductors and those involving China's two leading hardware firms, Huawei and ZTE, always happen under a cloud of national security and cybersecurity fears.

  • The U.S. blocked the sale of semiconductor firms to Chinese owners for national security reasons.
  • ZTE and Huawei phones were recently banned from U.S. military base stores over cybersecurity concerns, and the House draft of the annual National Defense Authorization Act released Monday bars military purchases of equipment from the Chinese companies.
  • The U.S. has long warned telecom firms not to use the Chinese firms' products, and in April the FCC moved to formally ban the use of federal funds to purchase them.

Go deeper: Read the whole story.

2. Fancy Bear tied to "ISIS" threats against U.S. military spouses

An AP investigation found new ties between the hacking group that raided the Democratic National Committee in 2016 and so-called ISIS cyberattacks — in this case, death threats to U.S. military spouses.

The background: We already knew there was a connection between attacks claiming to be from the "Cyber Caliphate" and Fancy Bear, a group the U.S. and many other nations have attributed to Russian intelligence.

  • When officials investigated a 2015 attack on France's TV5 Monde that replaced the station's website and Facebook page with the Cyber Caliphate logo, they found evidence the hack was actually a false flag by Fancy Bear.
  • In 2016, during the U.S. elections, the cybersecurity firm SecureWorks found that Fancy Bear inadvertently left its URL-shortener account exposed to the web, revealing a target list of thousands of email accounts, including that of John Podesta, the Clinton campaign chair whose emails were eventually leaked.

The new details: The AP received access to the SecureWorks victim list and found that five prominent military spouses, all women, who received death threats from the Cyber Caliphate were also being targeted by Fancy Bear around the same time.

  • The targets, who included well known bloggers, the head of an LGBT military families group and the head of a charitable organization, appeared in news stories attributing the threats to ISIS.
  • Until contacted by the AP, they were unaware of the possibility that Russia — not ISIS — spearheaded the threats.

3. Gmail's "self destruct" could illegally trash public records

The National Freedom of Information Coalition worries government employees and groups may run afoul of public records laws if they use Gmail's new "self-destructing message" feature. The advocacy group is urging Google to turn off the feature on all .gov accounts.

Why it matters: The executive branch and many local governments are required to archive all communications for freedom of information, oversight or historical purposes. Gmail's self-destruct feature, introduced last month, lets senders set a limit on how long an email will stay in someone else's mailbox. That makes it a nifty security tool for those who don't want their old missives to be stolen or leaked.

  • Exhibit A: John Podesta, Hillary Clinton's campaign chief, whose largely mundane emails were leaked to WikiLeaks during the 2016 election. Though the messages were seldom more interesting than a risotto recipe, they were often framed as earth-shattering revelations.

Tech to stop embarrassing leaks has been too tempting to ignore for government officials, even when it violates records laws. White House employees communicated using the encrypted messenger Confide, likely in violation of records laws. Missouri governor Eric Greitens — who on Monday moved to quash a search warrant on his Gmail account in a sexual misconduct scandal — was also criticized for using Confide.

4. The federal IT workforce is graying

Federal IT workers skew more "Matlock" than "How To Get Away With Murder." By NextGov's count, there are 4.64 employees over 60 years old for every one under 30.

Why that matters: NextGov based that stat on December data. When it looked at September data last year, the ratio was 4.53 to one. Both of those ratios were up from the June 2017 numbers.

But, but, but: The demand for IT staff is growing, not shrinking. And staffers over 60 have a tendency to retire.

Worse than the government as a whole: The ratio of over-60 to under-30 workers is three times worse for IT than for government as a whole, though both are skewing older than in months past.

5. Intel processor flaw info put on hold

Photo by Joby Sessions/Maximum PC Magazine via Getty Images

Security folk had hoped a new spate of security vulnerabilities in Intel processors discovered by several different groups of researchers, including Google's Project Zero, would be announced Monday. But the vulnerabilities and patches won't start to be released until the second half of this month, if not later.

Why it matters: The German computer magazine c't reported that Spectre NG is a suite of eight glitches, four of which are high risk. The same publication reported that the delay in announcing the bugs was to give time to Intel to finish creating patches.

  • The vulnerabilities are supposed to be similar to the Spectre vulnerabilities patched in early 2018 — the NG in Spectre NG stands for next generation. Spectre was one of the first in a recent wave of security vulnerabilities found in hardware, a newer theater of battle in cybersecurity.

Extreme caveat: It's tough to gauge the severity or even existence of flaws no one can examine. All of the coverage of Spectre NG is still coming through a shroud of secrecy. Even the theory that the bugs would be released Monday was based mostly on a guess. Google's Project Zero, which supposedly discovered one of the bugs, traditionally gives manufacturers 90 days to come up with a patch before publishing the flaw on its own.

Odds and ends

Codebook will return on Thursday.