Welcome to Codebook, the only cybersecurity newsletter that still hasn't seen the new "Star Wars" movie.
Tips? Comments? Please hit reply.
Much of the controversy around ZTE, the Chinese telecom manufacturer at the center of a trade dispute, centers on a theory that China may have sabotaged its products for use in espionage. That spying threat sounds huge, and lawmakers are sounding an alarm, but technical experts aren't entirely convinced. There's nuance here, as well as actual danger — just not the danger we expect.
Why it matters: The U.S. is barring tech exports to ZTE — an effective death penalty for the company — for a different reason: The firm is charged with selling banned technology to Iran and North Korea. But if Congress ends up keeping those sanctions in place against the wishes of a White House trying to strike a deal with China, the espionage question will drive at least some of the votes.
What people think the risk is: To hear lawmakers and regulators talk about it, the threat is a continuous risk of economic and political espionage, as China uses backdoors in telecommunications equipment to spy on the U.S.
But, but, but: It would be difficult, even for a well-funded nation-state with everything going right, to use backdoored telecom equipment this way. The prevailing view in the telecom industry is that close monitoring of device behavior (what the equipment sends, and to whom) would catch a backdoor in use fairly quickly. Besides, other kinds of attacks, including simple social engineering, remain perennially effective for stealing intellectual property, require far less research and development effort, and wouldn't jeopardize Chinese manufacturers' credibility in the world market.
Still, danger: That doesn't mean we are out of the woods.
Be smart: China is absolutely involved in espionage, particularly the theft of intellectual property. Adam Meyers, vice president of intelligence at CrowdStrike, stressed to Axios that those IP thefts have increased over the last year and a half, and the company just issued a new warning to its clients.
What they're saying:
A joint report on botnets from the Department of Homeland Security and the Commerce Department released Wednesday received generally good reviews from security pros, even if it does not drastically shift the conversation about botnets.
What a botnet is: A network of compromised computers or devices under an attacker's remote control, which are then used to launch other attacks, such as denial-of-service floods or spam campaigns.
Advice for warding off botnets and their attacks hasn't changed too much over the years, making a game-changing report unlikely. "In general, if it's a good solution, it's already in play," said Andy Ellis, chief security officer for Akamai.
The details: The report emphasizes industry standards, education and market solutions to try to cut off the supply of systems susceptible to attackers. Of particular concern are internet-of-things devices, which are generally less shielded against attack and less visible to network security platforms.
Why it matters: DHS and Commerce compiled the report at the White House's request, as part of last year's cybersecurity executive order. If the solutions are largely already known, that might be fine. The president, like most people, probably didn't know them prior to the report.
Commerce and DHS also provided the White House with a report on cybersecurity work force development Wednesday. It was a good day for reports.
A federal district court in D.C. has dismissed Kaspersky Lab's lawsuits against the U.S. government over two different rules banning Kaspersky products from federal systems.
The background: Both a federal law passed as part of last year's National Defense Authorization Act (NDAA) and a binding operational directive (BOD) issued by the Department of Homeland Security prohibit federal agencies from using Kaspersky products. Both measures portrayed Kaspersky, a Moscow-based company, as a national security risk.
The perceived threat: Lawmakers and DHS have publicly said the national security threat from Kaspersky products stems from Russian law. Antivirus programs and other security programs often upload files to a security firm's server in the course of analyzing them for threats. By law, Kaspersky would have to honor Russian official requests for the data.
What they're saying: Kaspersky Lab's statement: “Kaspersky Lab is disappointed with the Court’s decisions on its constitutional challenges to the U.S. Government prohibitions on the use of its products and services by federal agencies. We will vigorously pursue our appeal rights."
The four-decade-old SS7 protocol has long been a looming threat to cellphone security. It gives an attacker enormous power over a target's phone, but exploiting it also requires a level of carrier access that few attackers have.
In a letter released yesterday and first reported by The Washington Post, Sen. Ron Wyden (D-Ore.) chastised the FCC's inaction on securing the protocol after a phone company alerted his office to an SS7 breach involving customer location data.
"This threat is not merely hypothetical — malicious attackers are already exploiting SS7," Wyden wrote.
What SS7 is: Signaling System 7 is the protocol carriers use to set up calls and route texts between networks, including when a subscriber roams onto another carrier's network because their own is out of reach. It was designed for a closed circle of trusted carriers and offers little security of its own. With access to a phone company's systems (a prerequisite few attackers can meet), hackers could redirect phone calls, track customer locations and, more or less, completely surveil owners.
Codebook will be back on Tuesday.