Sep 12, 2019

Axios Codebook


Welcome to Codebook, almost certainly not the worst cybersecurity newsletter you could be reading right now.

Situational awareness: Politico reports that phone surveillance devices, commonly known as stingrays, found in the D.C. area were planted by Israel, with the Trump administration opting not to publicly confront Tel Aviv. Netanyahu denied the claim.


1 big thing: Spyware's human rights dilemma

Illustration: Aïda Amer/Axios

An announcement this week by a major spyware vendor that it aims to embrace human rights is forcing the industry, governments and civil society groups to consider whether the concepts of "human rights" and "spyware" can ever be reconciled.

The big picture: Government-grade spyware has always been abused. In June, David Kaye, the UN special rapporteur on freedom of opinion and expression, determined that commercial spyware had become so vast a problem that the world needs a moratorium on it, for companies and governments to figure out how to protect human rights.

  • Spyware from NSO Group, the Israel-based firm that announced the human rights initiative, was allegedly used by Saudi Arabia to spy on U.S.-based reporter Jamal Khashoggi, who was later killed by Saudi agents. Mexico also used NSO spyware to surveil government employees and researchers who backed a tax on soda.
  • But even well before NSO Group became a major spyware player, other products — including Gamma’s FinFisher and Hacking Team’s Da Vinci and Galileo products — were embroiled in human rights debates. Ethiopia allegedly used spyware to surveil journalists, Uganda allegedly targeted opposition political figures, and Morocco allegedly targeted activists.
  • Many other clients of spyware vendors have poor human rights records, including Azerbaijan, Venezuela, Uzbekistan and Sudan.

It’s tough to prevent abuse without oversight. Spyware vendors are loath to surveil their own clients, meaning that reporting about potential human rights abuses either comes from victims lucky enough to figure out they were being watched or from the countries themselves.

  • “If they don’t have a mechanism of looking over governments’ shoulders, I don’t see how this has any teeth,” John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which has done much of the research on NSO’s alleged human rights abuses, told Axios.
  • Without that oversight, Scott-Railton isn’t confident that any spyware could be safe for human rights. “If the question is, ‘Is it possible to sell cyber weapons and assure they won’t be used for abuse,’ I think it’s a contradiction in terms,” he said.

Amnesty International has been a persistent thorn in NSO’s side, even assisting a lawsuit to force Israel to ban NSO from exporting products. But Amnesty deputy program director Danna Ingleton is optimistic that there is a way for spyware companies to align with human rights.

  • “I think it must be possible,” she said.
  • That doesn’t mean NSO’s current plan has passed muster with Ingleton yet (see item 2). But through due diligence before making sales to regimes, honest accounting of past actions, export rules that are more transparent and engagement with civil society groups, she believes a company like NSO could get ahead of the human rights issue.
  • NSO would have to be more open about its internal capabilities to flag human rights abuses as they happen. And governments would need to take an active role in restricting sales to dangerous countries.
  • “The onus is on the companies. If they can’t protect human rights, they need to enact safeguards,” she said. “And if it’s an industry that can never be in line with human rights, it’s up to the state to do what it needs to do.”

The bottom line: The commercial spyware industry is not going to vanish — it's too ingrained in global intelligence and law enforcement. That might mean the only way to protect human rights is to adopt rules like those NSO has announced and make them work.

2. Critics weigh in on NSO's human rights plan

In signaling a human rights focus, the NSO Group is facing an uphill battle. That's in part because of the industry's history of subverting rights policies — like when Italy quietly gave Hacking Team a global license to circumvent international export standards on commercial spyware.

The big picture: If NSO is true to its word and genuinely wants to address human rights, it will need to overcome a history of friction with civil society groups that has created an antagonistic relationship where it needs collaboration instead.

What they're saying: The NSO human rights plan reads, "We are committed to ongoing dialogue with all relevant stakeholders ... including organizations promoting the rights to privacy, freedom of opinion and expression."

The other side: "Claims they’ve been dealing with civil society are light," said Danna Ingleton of Amnesty International. In fact, major human rights groups and NSO haven't agreed on preconditions to start meetings, which the groups require.

NSO's new human rights policy includes (as I reported on Tuesday):

  • Commitments to align business policies with the International Bill of Human Rights, the International Labor Organization’s Declaration on Fundamental Principles and Rights at Work, and the UN Guiding Principles on Business and Human Rights.
  • Promises to research potential clients and decline to sell to those with too many red flags.
  • An external whistleblower program to identify misuse, providing a formal mechanism to contact the firm.
  • A promise to engage with civil society groups.

Yes, but: Several human rights experts noted that the NSO Group is not taking public responsibility for abuses in the past, which the experts see as critical to the process of starting anew. NSO, however, might need to violate contractual confidentiality agreements in order to do this.

  • The firm does acknowledge that it has terminated 3 contracts with clients in the past over product misuse.

The external whistleblower process does not address how to incorporate law enforcement into the process, which John Tye of Whistleblower Aid found odd.

  • "[Y]ou should consult a lawyer and consider reporting the violation to an independent law enforcement agency or investigative body," he said via email.
  • "It is strange that NSO Group's 'External Whistleblowing Policy' does not imagine a role for independent law enforcement investigations."
  • The NSO Group told Codebook that the whistleblower process was conceived of as being separate from the law enforcement process, and the company believes that law enforcement is the proper adjudicator for many complaints.

NSO doesn't have internal mechanisms to detect misuse, to the frustration of the experts we spoke to.

  • For a problem to be investigated, a victim of wrongful surveillance would have to discover, analyze and report NSO's stealthy malware on their own — something that is by design unlikely.
  • NSO argues that looking over the shoulders of intelligence agencies would be legally dubious, and hopes to screen out potential misusers before it sells its products to them.

The bottom line: The general sense among civil society groups is that if NSO is serious about protecting human rights, the company will need to demonstrate it through deeds, not statements.

Editor's note: This story has been updated to include NSO's responses to criticisms of the whistleblower process and the absence of internal mechanisms, and also to note that the requirement for preconditions in meetings between NSO and human rights groups comes from the groups' side.

3. With Bolton gone, White House cybersecurity strategy may change

John Bolton arrives in Downing Street in London, Aug. 13. Photo: Tolga Akmen/AFP/Getty Images

After the ouster of national security adviser John Bolton this week, the White House loses a key cog in its cybersecurity and cyber warfare machine.

The big picture: John Bolton was a hawkish national security adviser at a time when the Department of Defense was taking a more hawkish approach to cybersecurity. He also eliminated the position of White House cybersecurity coordinator, giving him more control.

The big question: Will a new adviser bring back the cybersecurity coordinator position?

  • Beyond a role in cyber warfare and cyber defense, the so-called cybersecurity czar coordinated often competing cybersecurity-related interests across the federal government.
  • "A more visibly coordinated, unified approach to cybersecurity would better protect U.S. interests moving forward," said Michael Daniel, the president and CEO of the Cyber Threat Alliance, who served as cybersecurity coordinator in the Obama White House.

But, but, but: Don't hold your breath about the position coming back, said Jamil N. Jaffer, VP for strategy, partnerships and corporate development at IronNet Cybersecurity and a former associate White House counsel to President George W. Bush.

  • "The president obviously prefers a smaller, more focused, and trusted set of advisers — in part because he likes to make key decisions rapidly based in large part on his own counsel — so it wouldn’t be surprising if he rejected the idea of re-creating a cyber czar position, even if that’s what the new national security adviser wanted," Jaffer said via email.

"It's hard to imagine someone more hawkish," said Dave Weinstein, chief security officer of Claroty, a cybersecurity firm protecting critical infrastructure. "But I could imagine someone more intelligence-focused pulling back a little."

The bottom line: The Bolton tenure was volatile in part because he was an ideologue working for a president with no consistent ideology, said David Kris, a former head of the national security division at the Department of Justice and founder of the Culper Partners consulting firm.

  • That could lead to an era of less consistent strategy if President Trump appoints a more philosophically malleable adviser with less desire to keep the Oval Office on the rails.
  • "Without a doubt, the most significant challenge will be managing the commander in chief," said Kris.

4. In case you missed last week

U.S. Cyber Command trolls North Korea (Axios): We reported Sunday that U.S. Cyber Command released samples of North Korea's government-funded malware to researchers during the early hours of North Korea's Day of the Foundation of the Republic — a move seemingly timed to unnerve the hermit nation during a national holiday.

  • Cyber Command periodically releases malware to the research community to bolster private-sector defenses against foreign threats. But while previous releases received praise from researchers for providing new details about threat groups, the North Korean samples, atypically released on a Sunday, don't immediately appear to be as fruitful.
  • The release contains samples of malware from the hacker group Hidden Cobra, which the U.S. government has attributed to North Korea.

Update on Joe's mom's favorite cyber espionage group (Symantec): Thrip, an espionage group that hacks satellite communications and geospatial intelligence groups in the U.S. and Asia, is still active, reports Symantec. But more interestingly, the firm reports it may be connected to a much older espionage group.

  • Symantec found code similarities between Thrip tools and the Billbug group, which has been active since 2009.

NERC report clarifies April attack on electric grid (E&E News): The North American Electric Reliability Corp. provided new details about a cybersecurity event on the electric grid that did not cause any blackouts or brownouts.

  • The attacker used vulnerabilities in the web portal for "a low-impact control center and multiple remote low-impact generation sites" to crash over a 5 minute period.

5. Odds and ends

  1. Hackers stole $4.2 million from a pension fund for Oklahoma state troopers. (The Oklahoman)
  2. The federal ban on Kaspersky products is now permanent. (Dark Reading)
  3. An alderman in Germantown, Tennessee, lost access to his government email address because he didn't complete a mandatory security webinar. (Commercial Appeal)
  4. The Council on Foreign Relations takes a long look at LinkedIn spies and scammers pretending to work at the Council on Foreign Relations. (CFR)
  5. A court rules that scraping data from a public website does not violate hacking laws, challenging some conventional readings of the law. (CyberScoop)
  6. The Department of Justice wants Apple and Google to deliver the names of people who installed a gun scope app. (Sophos)
  7. Symantec receives a counteroffer. (Axios)
  8. Kaspersky is coming for esports cheaters. (Kaspersky)
  9. Former NSA and Cyber Command head Mike Rogers joins the Brunswick Group. (Brunswick Group)
  10. HackerOne snags $36.4 million in Series D funding. (BusinessWire)

Codebook will return next week. Are you happy, Mom?

The Codebook fan pick Cleveland Browns Cleveland Brownsed their week 1 opener, losing 43-13 to the Titans.