Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

May 31, 2018

Welcome to Codebook, the only cybersecurity newsletter that still hasn't seen the new "Star Wars" movie.

Tips? Comments? Please hit reply.

1 big thing: The real threat posed by ZTE's telecom equipment

Cell towers

Photo: LawrenLu / Getty

Much of the controversy around ZTE, the Chinese telecom manufacturer at the center of a trade dispute, centers on a theory that China may have sabotaged its products for use in espionage. That spying threat sounds huge, and lawmakers are sounding an alarm, but technical experts aren't entirely convinced. There's nuance here, as well as actual danger — just not the danger we expect.

Why it matters: The U.S. is barring tech exports to ZTE — an effective death penalty for the company — for a different reason: The firm is charged with selling banned technology to Iran and North Korea. But if Congress ends up keeping those sanctions in place against the wishes of a White House trying to strike a deal with China, the espionage question will drive at least some of the votes.

What people think the risk is: To hear lawmakers and regulators talk about it, the threat is a continuous risk of economic and political espionage, as China uses backdoors in telecommunications equipment to spy on the U.S.

  • Earlier this year, the FCC voted to ban U.S. telecom firms from using ZTE equipment (and also that of Huawei, another Chinese telecom manufacturer) for reasons including espionage.
  • Sen. Marco Rubio said on Face the Nation over the weekend that ZTE equipment was indeed used in spying (although there is no public evidence to back that claim) — and that should have stopped Trump from making a deal: "[ZTE equipment is] used for espionage... not just for national security. That's how they steal corporate secrets. That's how they transfer technology. If they can't force you to do it through a business deal, they steal it from you. "

But, but, but: It would be difficult — even for a well funded nation-state, and even if everything went right — to use back-doored telecom equipment this way. Telecom industry belief holds that tight monitoring of device behavior would catch a back door in use pretty quickly. Besides, other kinds of attacks — including simple social engineering — are perennially effective to steal intellectual property, require far smaller research and development effort, and wouldn't jeopardize Chinese manufacturers' credibility in the world market.

Still, danger: That doesn't mean we are out of the woods.

  • While it may be difficult to use back-doored equipment for continuous espionage, quick, one-time attacks are possible. That could include destructive attacks, like briefly knocking communications systems offline. This hasn't been China's modus operandi, but it's still a risk.
  • Even the companies that provide the software used to monitor devices sold by firms like ZTE can't guarantee that it will always work right. One maker told Codebook that the alerts its monitoring tools send need to be investigated by human beings, and some alerts end up being missed or ignored.
  • What we don't know, we don't know: An exotic technique to extract information using ZTE routers could stay under the radar.

Be smart: China is absolutely involved in espionage, particularly the theft of intellectual property. Adam Meyers, vice president of intelligence at CrowdStrike, stressed to Axios that those IP thefts have increased over the last year and a half, and the company just issued a new warning to its clients.

What they're saying:

  • Matt Kinard, director of critical infrastructure partnerships for Raytheon's Forcepoint cybersecurity brand, summed it up: "The risk associated with supply chain issues may be low in terms of likelihood, but the potential for an attack to be catastrophic in scope is high."
  • CrowdStrike's Meyers worries about foreign tech in the face of an upcoming rapid expansion of the U.S. telecom network: "If you allow a foreign nation's equipment to be used in the 5G rollout, shame on you."

2. Feds' botnet report embraces market solutions

A joint report on botnets from the Department of Homeland Security and the Commerce Department released Wednesday received generally good reviews from security pros, even if it does not drastically shift the conversation about botnets.

What a botnet is: A network of hacked computers or devices that are then used in other attacks.

Advice for warding off botnets and their attacks hasn't changed too much over the years, making a game-changing report unlikely. "In general, if it's a good solution, it's already in play," said Andy Ellis, chief security officer for Akamai.

The details: The report emphasizes industry standards, education and market solutions to try to cut off the supply of systems susceptible to attackers. Of particular concern are internet-of-things devices, which are generally less shielded against attack and less visible to network security platforms.

Why it matters: DHS and Commerce compiled the report at the White House's request, as part of last year's cybersecurity executive order. If the solutions are largely already known, that might be fine. The president —like most people — probably didn't know them prior to the report.

Commerce and DHS also provided the White House with a report on cybersecurity work force development Wednesday. It was a good day for reports.

3. Kaspersky suits dismissed

A federal district court in D.C. has dismissed Kaspersky Lab's lawsuits against the U.S. government over two different rules banning Kaspersky products from federal systems.

The background: Both a federal law passed as part of last year's National Defense Authorization Act (NDAA) and a binding operational directive (BOD) issued by the Department of Homeland Security prohibit federal agencies from using Kaspersky products. Both measures portrayed Kaspersky, a Moscow-based company, as a national security risk.

The details:

  • Kaspersky sued to prevent the two rules from coming into effect, claiming the NDAA provision was a form of unconstitutional punishment against a specific company known as a bill of attainder. The judge reasoned that "The NDAA does not inflict 'punishment' on Kaspersky Lab. It eliminates a perceived risk to the Nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation."
  • Because the NDAA ruling remains in effect, the judge ruled the BOD case was essentially moot: No matter what the ruling in that case, the NDAA would continue to block federal agencies from using Kaspersky products.

The perceived threat: Lawmakers and DHS have publicly said the national security threat from Kaspersky products stems from Russian law. Antivirus programs and other security programs often upload files to a security firm's server in the course of analyzing them for threats. By law, Kaspersky would have to honor Russian official requests for the data.

  • Media reports suggest there may be a more specific espionage threat. The New York Times and Wall Street Journal reported Russian spies used Kaspersky Lab products to search for classified files on U.S. systems that had Kaspersky products installed.
  • Kaspersky has denied any fealty to the Russian government or willing involvement in an espionage scheme, and it moved its data centers to Switzerland in order to boost public trust.

What they're saying: Kaspersky Lab's statement: “Kaspersky Lab is disappointed with the Court’s decisions on its constitutional challenges to the U.S. Government prohibitions on the use of its products and services by federal agencies. We will vigorously pursue our appeal rights."

4. Senator says attackers are exploiting the SS7 cellphone protocol

Man looking at cell phone crosses street

Photo: Sirinapa Wannapat / EyeEm via Getty

The four-decade-old SS7 protocol has always been a looming threat for cellphone security. The protocol offers great potential for hacking to cellphones, but such exploits also require an unlikely amount of access to work.

In a letter released yesterday and first reported by The Washington Post, Sen. Ron Wyden (D-Ore.) chastised the FCC's inaction on securing the protocol after a phone company alerted his office to an SS7 breach involving customer location data.

"This threat is not merely hypothetical — malicious attackers are already exploiting SS7," Wyden wrote.

What SS7 is: Signaling system 7 allows mobile phone users to use different cell phone networks when their carrier is out of reach. But the protocol offers little security. With access to a phone company's systems — a prerequisite unlikely for nearly all attackers —hackers could redirect phone calls, track customer locations and, more or less, completely surveil owners.

5. Odds and ends

  • Democrats are split over internet privacy rules. (Axios)
  • The secure messaging app Telegram says that Apple has not let it update its program since April, when it entered a feud with Russia. (Reuters)
  • New America released some new, American case studies of state-level cybersecurity. (New America)
  • The White House is limiting visas for Chinese students in high tech fields. (The Verge)
  • South Carolina will now require insurers to offer cyber insurance. (Insurance Journal)
  • New York is holding election hacking drills. (Reuters)
  • The Brookings Institute is worried about cyber crime in Africa. (Brookings Inst.)
  • The DOD's travel agency discovered 100 bugs in a recent bug bounty program. (HackerOne)
  • Provocative take on businesses that "hack back" : Why not have Cyber Command do it? (CFR)

Codebook will be back on Tuesday.