March 12, 2019
1 big thing: Huawei 5G opens rift between U.S. and Germany
The United States has made its first threat to curtail sharing intelligence with an ally if that government ignores U.S. warnings about Huawei 5G equipment, the Wall Street Journal reported.
Why it matters: This is no small threat. The warning to Germany represents an escalation from previous American statements that raised the prospect of strained relationships and suggested the U.S. can't safely maintain a presence in countries where it believes infrastructure is not secure.
The big picture: Washington is waging an international campaign to sour the world on China's Huawei, based on four ongoing controversies. Huawei may be, according to various U.S. critics, any or all of the following:
- Complicit in Chinese espionage.
- Subject to Chinese policy that could force it to be complicit in espionage in the future.
- A beneficiary of theft of trade secrets.
- A violator of trade sanctions.
And all this is also intertwined with President Trump's trade negotiations with Beijing.
The intrigue: If you set aside the potential espionage and other crimes, Huawei is an attractive supplier for 5G equipment. It offers price advantages in a thinly populated market for 5G equipment, and shunning the firm would harm Germany's economic relationship with China.
- Germany has argued it can take other steps to protect its cellphone infrastructure even if it uses Huawei's equipment.
What they're saying: Historically, presidents try not to play chicken with our allies.
- "Public threats with regard to intelligence sharing are not the way to go to influence policy in Berlin or anywhere else," said Michael Morell, former deputy director of the CIA and current host of the Intelligence Matters podcast.
- And the U.S. comes out ahead by sharing, noted Chris Painter, the State Department's former top diplomat for cybersecurity issues. "The U.S. shares sensitive information on threats and other issues for its own benefit — not just the benefit of the receiving country. Halting such sharing would undercut our ability to be aware of and collectively counter shared threats and would be shooting ourself in the foot."
Meanwhile, President Trump remains a wild card in the struggle to implement his own policies.
2. University consortium tackling public interest tech
The Ford Foundation, Hewlett Foundation and New America think tank announced Monday they had linked 21 educational institutions in a new network of schools training technologists to work for the public good.
The big picture: Jenny Toomey, the Ford Foundation's international program director for technology and society, compares the current state of public interest technology to public interest law in the 1960s — there's a need for the field, but none of the infrastructure to support it.
- Toomey notes that technologists looking to altruistically ply their trade don't have established career paths to enter government or charitable work. There aren't journals designed to work at the pace of public interest technology or curriculum repositories for professors.
- The Public Interest Technology University Network will work to build that infrastructure.
- "Today, if I were the ACLU looking for a lawyer, I could go to headhunter firms who would know where to look," she told Codebook. "You can't do that for public interest technologists."
The participants: The current slate of schools for the Public Interest Technology University Network includes heavy-hitting research schools like MIT, Harvard and the University of Michigan. Interestingly, it also includes Miami Dade College, a former community college system known for training practitioners rather than academics.
- "This is not just combining a Ph.D. in computer science with a law degree. Some problems can only be solved on the ground level," said Toomey.
3. The RSA business roundup: Products
RSA, which wrapped up on Friday, is a business-focused conference, and Codebook caught up with many businesses to discuss their latest news and insights.
ForeScout anticipates a convergence of business network and industrial systems protection.
- "After WannaCry, the first thing the CEO does is take control away from the plant manager and give it to the CIO," said ForeScout CEO Michael DeCesare. "For decades we have run a model that the person who owns manufacturing owns IT for their area. And that no longer makes sense," he said.
Axonius won an RSA award for innovative startup with a product marketed as intentionally boring.
- "Asset management isn't exciting, but if you asked every CISO at RSA if they want a system to keep track of their systems, they all will say yes," said CEO Dean Sysman.
Barrett Lyon talked about Netography, his new company that aims to reduce the amount of data it takes to identify a DDoS attack.
- Netography uses 400 different algorithms to reduce the amount of data it needs to sample to automate protection.
- "It’s like that scene in 'Jurassic Park' where they fill in the missing dinosaur DNA with reptile DNA and all of the sudden they have a dinosaur. In samples you get enough of what’s going on to re-create the rest," he said.
IBM discussed its new blockchain penetration testing service.
- “It’s a common misconception that if it’s the blockchain then it’s secure,” said IBM X-Force Red's blockchain testing lead Chris Thomas. Thomas noted organizations often misconfigure customizable blockchain products out of the box.
4. Bills target IoT security, children's privacy
New bipartisan bills seek more parental control over children's privacy and more forethought about "internet of things" security.
Details: The Children’s Online Privacy Protection Act of 1998 is now old enough to drink, and Sens. Ed Markey (D-Mass.) and Josh Hawley (R-Mo.) want to update the law. New features would include greater transparency for parents and giving them the ability to delete data.
- Sens. Mark Warner (D-Va.), Cory Gardner (R-Colo.), Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.), as well as Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas), collectively propose that the government set standards for its IoT purchases, including a disclosure program for vulnerabilities.
5. The RSA business roundup: Mergers and acquisitions
Cylance on integrating with new corporate parent BlackBerry:
- "We absolutely will be creating a joint product. Our hope is to have a crisp, clear idea by analyst day," said Stuart McClure.
Veracode on being purchased twice over the last months of 2018:
- Veracode had been part of CA Technologies when CA was purchased by Broadcom. Broadcom then sold Veracode to Thoma Bravo.
- "We’ve done health care open enrollment like three times in the course of three months," said Chris Eng, VP of research.
- "CA’s messaging was around the ‘modern software factory,’ which is pretty broad — app security is just a piece of that. Now we are positioned as, 'You change the world, we’ll help you do it securely,'" Eng said.
6. Odds and ends
- That was fast. Researchers discovered a major flaw in the just-announced Swiss online voting system. (Motherboard)
- Hackers planted backdoors in three games largely downloaded in Thailand. ESET attributed the attack to the Winnti group, which has been previously linked to China. (ESET)
- The alleged LinkedIn hacker is challenging his fitness to stand trial. (CyberScoop)
- Recorded Future looks at internet access and censorship in Yemen, Bangladesh, the Sudan, India and Venezuela. (Recorded Future)
- A Saudi company tried to buy zero day vulnerabilities from a reporter. (Motherboard)