Sep 13, 2018



Welcome to Codebook, Axios' hurricane-opposing cybersecurity newsletter. Hate us if you want: We're against them.

Tips? Feel free to reply to this email.

1 big thing: Behind Trump's new election security order

Specialist Andcherla Marcelin checks voting machines for accuracy at the Miami-Dade Election Department headquarters in August. Photo: Joe Raedle / Getty Images

President Trump on Wednesday signed an executive order mandating automatic sanctions against countries that interfere in U.S. elections.

Yes, but: The order covers fewer scenarios than you’d think, guarantees less in sanctions than a pending bipartisan Senate bill and has left critics wondering exactly how seriously the president can be taken on the issue, when he has repeatedly claimed that the jury is out on well-documented foreign interference.

To wit: Laura Galante, who heads a geopolitical cybersecurity strategy firm, weighed in at an Atlantic Council panel discussion Wednesday evening: "His words in Helsinki are louder than the executive action."

What the executive order covers:

  • Tampering with voting infrastructure
  • Hacking political parties or candidates

What it doesn't cover:

  • Social media campaigns and other illicit propaganda campaigns, which are increasingly what people think of when they hear "election interference"
  • Tertiary attacks that impact elections — like, for instance, a coordinated traffic jam near a polling station that could reduce the number of voters

The automatic penalties are limited to freezing financial accounts whose activity moves through the U.S. banking system. The president would receive a report of other sanctions to consider.

  • "I applaud the attempt to not let [election interference] fall away," said Michele Markoff, deputy coordinator for cyber issues at the State Department, at the same Atlantic Council panel.

But the president retains much more leeway than he would have had if Senate stakeholders had their way.

  • The Defending Elections from Threats by Establishing Redlines (DETER) Act, spearheaded by Marco Rubio (R-Fla.) and Chris Van Hollen (D-Md.), is muscular in ways that the executive order is not.

The details: Here is what would happen under the senators' bill within 10 days if the director of national intelligence reported election interference of any kind — including social media campaigns — from Russia:

  • The U.S. would freeze the accounts of 6 major Russian banks; 3 major energy companies; entities involved in the defense and intelligence sector; state-backed aerospace, rail and mining concerns; any company at least half owned by Russia; and high-ranking Russian politicians and oligarchs.
  • American entities would be prohibited from purchasing Russian bonds.

The executive order has fewer automatic sanctions, but they apply to any actor — from Russia to, say, Luxembourg, on the off chance it is feeling feisty.

Rubio and Van Hollen released a joint statement excoriating the executive order as a half-measure: "The United States can and must do more."

  • In a call with reporters, national security adviser John Bolton said the administration was not opposed to hearing lawmakers' ideas on how to improve the executive order. "We're happy to discuss ... with the members of the House and the Senate ideas and thoughts that they have."

The move is certainly a step up from doing nothing, but it's hard — particularly for his critics — not to interpret the executive order in terms of the measures it's missing and the record of his past struggles with the issue of election security.

2. Digital industry groups release privacy guidelines

Since Tuesday, when we wrote about the Chamber of Commerce's privacy principles, two digital industry groups have released their own frameworks for national data privacy legislation.

Why it matters: Both groups, the Internet Association and BSA | The Software Alliance, propose more consumer protections than the chamber, including the right to correct or delete data from accounts. Both groups' frameworks contain the chamber's calls for increased transparency from companies and for a national law to circumvent state laws.

The Internet Association aligns more closely with the chamber. It lists chamber priorities like risk-based enforcement and sector-neutral laws, which the BSA's does not.

The BSA's recommendations are largely on the consumer's behalf and would push online companies to use data in a way less-savvy users might already expect: only collecting personal information relevant to the service being offered. BSA also emphasizes the international harmony of privacy laws and that laws allow the cross-border transfer of data so that international companies can function.

Go deeper: Axios' David McCabe has more on the groups' proposals.

3. Everyone is going to jail

Since Tuesday, the Justice Department announced the guilty plea of Russian national Peter Yuryevich Levashov, the plea deal of Latvian Peteris Sahurovs and a guilty plea by Romanian Bogdan Viorel Rusu.

Why it matters: These cases are unrelated to one another, but collectively they paint a mural of the malicious sabotage that thrives on today's internet.

Levashov created the Kelihos botnet, a massive network of tens of thousands of hacked computers that was leveraged for large-scale spam campaigns, theft and distributed denial-of-service attacks, which flooded targeted online servers with so much traffic that they collapsed.

Sahurovs offered "bulletproof hosting" — in other words, law enforcement-proof web hosting to other computer criminals. He also participated in a campaign to distribute "scareware," malware that annoyed people into purchasing a fake security product to fix computer slowing. The scareware spread via a malicious ad on the Minneapolis Star Tribune website.

Rusu stole nearly $1 million through ATM skimming, physically manipulating ATMs in order to steal bank card information as users deposited and withdrew cash.

And (sigh): Nigerian Onyekachi Emmanuel Opara was sentenced to 5 years for a business email compromise scam — what is colloquially referred to as a Nigerian scam.

4. Senators slam State's cybersecurity

A bipartisan cadre of senators sent a letter to Secretary of State Mike Pompeo on Tuesday calling out the department's poor adoption of multi-factor authentication.

Why it matters: Multi-factor authentication requires users to take an additional protective step when logging into an account — often a physical key or a biometric scan. Beyond being a good practice for federal agencies, multi-factor authentication is also the law for all high-level government accounts.

The gripe: Sens. Ron Wyden (D-Ore.), Cory Gardner (D-Colo.), Rand Paul (R-Ky.), Ed Markey (D-Mass.) and Jeanne Shaheen (D-N.H.) pointed to a recent Government Accountability Office report that found only 11% of required agency devices had enhanced security.

Go deeper: Read an excerpt from the letter here.

5. Mobile providers unveil behavioral authentication

It may even secure a cell phone in this poorly lit room. Photo: Thomas Trutschel/Photothek via Getty Images

AT&T, Sprint, T-Mobile and Verizon demoed a jointly developed prototype authentication app at the Mobile World Congress Conference on Wednesday. It uses customer behavior patterns to verify users' identity.

Why it matters: While Project Verify may look similar to other apps that use a phone for authentication — Google Authenticator included — cell companies have access to a host of data that app designers, and even phone manufacturers, do not. If it works as intended, Project Verify is a significant step in mobile security.

"This is not just a better mousetrap," says Johannes Jaskolski, general manager of the companies' joint Mobile Authentication Taskforce. "This is fundamentally different, using very unique signals."

The internals: Without collecting any additional information beyond what they do now, phone companies already have access to SIM cards, detailed location data and other information that normal authentication apps do not. Phones allow special access to apps from carriers.

Go deeper: Read about potential uses here.

Odds and ends

Codebook will return next week. Stay safe.