Welcome to Codebook, almost certainly not the worst cybersecurity newsletter you could be reading right now.
Situational awareness: Politico reports that phone surveillance devices, commonly known as stingrays, found in the D.C. area were planted by Israel, with the Trump administration opting not to publicly confront Tel Aviv. Netanyahu denied the claim.
Today's Smart Brevity: 1,689 words, 6-minute read
Illustration: Aïda Amer/Axios
An announcement this week by a major spyware vendor that it aims to embrace human rights is forcing the industry, governments and civil society groups to consider whether the concepts of "human rights" and "spyware" can ever be reconciled.
The big picture: Government-grade spyware has always been abused. In June, David Kaye, the UN special rapporteur on freedom of opinion and expression, determined that commercial spyware had become so vast a problem that the world needs a moratorium on it, for companies and governments to figure out how to protect human rights.
It’s tough to prevent abuse without oversight. Spyware vendors are loath to surveil their own clients, meaning that reporting about potential human rights abuses either comes from victims lucky enough to figure out they were being watched or from the countries themselves.
Amnesty International has been a persistent thorn in NSO’s side, even assisting a lawsuit to force Israel to ban NSO from exporting products. But Amnesty deputy program director Danna Ingleton is optimistic that there is a way for spyware companies to align with human rights.
The bottom line: The commercial spyware industry is not going to vanish — it's too ingrained in global intelligence and law enforcement. That might mean the only way to protect human rights is to adopt rules like those NSO has announced and make them work.
In signaling a human rights focus, the NSO Group is facing an uphill battle. That's in part because of the industry's history of subverting rights policies — like when Italy quietly gave Hacking Team a global license to circumvent international export standards on commercial spyware.
The big picture: If NSO is true to its word and genuinely wants to address human rights, it will need to overcome a history of friction with civil society groups that has created an antagonistic relationship where it needs collaboration instead.
What they're saying: The NSO human rights plan reads, "We are committed to ongoing dialogue with all relevant stakeholders ... including organizations promoting the rights to privacy, freedom of opinion and expression."
The other side: "Claims they’ve been dealing with civil society are light," said Danna Ingleton of Amnesty International. In fact, major human rights groups and NSO haven't agreed on preconditions to start meetings, which the groups require.
NSO's new human rights policy includes (as I reported on Tuesday):
Yes, but: Several human rights experts noted that the NSO Group is not taking public responsibility for abuses in the past, which the experts see as critical to the process of starting anew. NSO, however, might need to violate contractual confidentiality agreements in order to do this.
The external whistleblower process does not address how to incorporate law enforcement into the process, which John Tye of Whistleblower Aid found odd.
NSO doesn't have internal mechanisms to detect misuse, to the frustration of the experts we spoke to.
The bottom line: The general sense among civil society groups is that if NSO is serious about protecting human rights, the company will need to demonstrate it through deeds, not statements.
Editor's note: This story has been updated to include NSO's responses to criticisms of the whistleblower process and the absence of internal mechanisms, and also to note that the requirement for preconditions in meetings between NSO and human rights groups comes from the groups' side.
John Bolton arrives in Downing Street in London, Aug. 13. Photo: Tolga Akmen/AFP/Getty Images
After the ouster of national security adviser John Bolton this week, the White House loses a key cog in its cybersecurity and cyber warfare machine.
The big picture: John Bolton was a hawkish national security adviser at a time when the Department of Defense was taking a more hawkish approach to cybersecurity. He also eliminated the position of White House cybersecurity coordinator, giving him more control.
The big question: Will a new adviser bring back the cybersecurity coordinator position?
But, but, but: Don't hold your breath about the position coming back, said Jamil N. Jaffer, VP for strategy, partnerships and corporate development at IronNet Cybersecurity and a former associate White House counsel to President George W. Bush.
"It's hard to imagine someone more hawkish," said Dave Weinstein, chief security officer of Claroty, a cybersecurity firm protecting critical infrastructure. "But I could imagine someone more intelligence-focused pulling back a little."
The bottom line: The Bolton tenure was volatile in part because he was an ideologue working for a president with no consistent ideology, said David Kris, a former head of the national security division at the Department of Justice and founder of the Culper Partners consulting firm.
U.S. Cyber Command trolls North Korea (Axios): We reported Sunday that U.S. Cyber Command released samples of North Korea's government-funded malware to researchers during the early hours of North Korea's Day of the Foundation of the Republic — a move seemingly timed to unnerve the hermit nation during a national holiday.
Update on Joe's mom's favorite cyber espionage group (Symantec): Thrip, an espionage group that hacks satellite communications and geospatial intelligence groups in the U.S. and Asia, is still active, reports Symantec. But more interestingly, the firm reports it may be connected to a much older espionage group.
NERC report clarifies April attack on electric grid (E&E News): The North American Electric Reliability Corp. provided new details about a cybersecurity event on the electric grid that did not cause any blackouts or brownouts.