Oct 17, 2019

Axios Codebook

Welcome to Codebook, the 100% organic cybersecurity newsletter.

Situational awareness: I'll be chairing a panel Oct. 23 on information campaigns at the STRATCOM conference. The conference will stream live from Washington, D.C., here.

Do you like taking surveys? Click here to take Axios' annual reader survey. It's the only way we know what we're doing resonates with you. It's a really good survey, promise.

Today's newsletter is 1,365 words, about a 5-minute read.

1 big thing: Upgraded Chinese cybersecurity law may slam U.S. firms

Illustration: Aïda Amer/Axios

China is applying tougher cybersecurity standards more widely as of Dec. 1, requiring companies to open their networks and deploy government-approved equipment. The changes worry international organizations and underscore the difference between U.S. and Chinese approaches to cybersecurity.

The big picture: China already has a law, applying to the most secure networks, that allows the government to audit private business networks and mandates the use of government-approved security equipment. That law will now apply to all networks.

  • "It’s going to be incredibly invasive," said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.

Background: China's cybersecurity law has been on a slow rollout since 2017. Clarifications of standards serving as de facto regulations were introduced in May this year.

  • Those included the right for China to plug into networks and check for cybersecurity, as well as mandates about securing supply chains for network security.
  • Until December, those standards only technically apply to companies where breaches could cause national security problems, though Chinese officials often hold companies to regulations in advance of their formal launch dates.
  • "Now the standards will apply to any company with a network," Samm Sacks, a fellow at the New America think tank, told Axios.

This puts a burden on U.S. companies that American companies are not used to. "Chinese companies won't bat an eye at it," Sacks said.

  • Given China's record of using hackers to steal intellectual property from global competitors, some network owners worry — justifiably, say experts — that allowing China access to their data puts corporate secrets at risk.
  • China has a history of using any means necessary to aid domestic businesses. That could now include ruling that a foreign company has failed to meet official security muster — boxing competitors out of China's market.

But, but, but: Those worst-case scenarios might not be the problem immediately at hand, said James Lewis, who currently heads cybersecurity at the Center for Strategic International Studies and formerly served in several federal positions evaluating and negotiating with China.

  • "The Cybersecurity Authority of China [CAC] insists it won't use the law to steal private information. And China has so many other ways to steal intellectual property that it probably doesn't need to," Lewis told Axios.
  • As with all things China, if the party tells the CAC to steal data in the future, it will do so, Lewis added.

The most immediate problem may be that the cost of compliance can become prohibitive for some firms to operate in the country. "If you are a smaller company, you may think twice about moving into China," said Segal.

  • The broader trade conflict between the U.S. and China makes it tougher for foreign firms to protest.

Chinese firms have a poor record on cybersecurity, said Lewis. The tougher law, at least ostensibly, addresses a very real issue.

The U.S. faces similar issues, but it addresses them differently. The U.S. operates using fewer top-down security requirements, choosing instead to emphasize trade groups setting industry standards.

  • The U.S. is far more permissive about lower-risk networks, offers more autonomy to network administrators, and generally uses a scalpel where China uses a chainsaw.

One thing the U.S. and China have in common: "In China, network operators have to submit to 'black box' security reviews. We have no idea what it takes to pass," said Sacks. "I'm beginning to see that from the Trump administration."

2. Massive pro-China troll response met Rockets GM's Hong Kong tweet

After Rockets GM Daryl Morey tweeted support for Hong Kong protesters, he received just under 170,000 angry tweets in response. But an analysis by experts in the Wall Street Journal suggests a massive chunk of the outrage came from a coordinated effort by sham accounts.

Why it matters: It's not immediately clear that the response effort was run by the Chinese government — though, at the numbers involved, that seems likely. But if it was a government-led effort, it marks a substantial change in China's modus operandi in dealing with global news events.

China typically focuses its disinformation efforts inward, toward the citizens of mainland China and its disputed territories.

  • While the Houston Rockets and NBA have a large Chinese following, Texas remains independent from China.

By the numbers:

  • 22% of tweets came from accounts with zero followers at some point in the last week.
  • 4,855 accounts involved in the campaign had never been used until replying to Morey.
  • 3,677 accounts didn't exist until Morey's tweet.
  • Less than half the accounts used in the campaign had more than 13 followers.
3. Cozy Bear didn't hibernate as much as previously thought

A wooden sculpture made of linden representing Russian President Vladimir Putin riding a bear at a souvenir shop in Saint Petersburg. Photo: Mladen Antonov/AFP via Getty Images

Cozy Bear, the less-discussed of the two Russian hacker groups that breached the Democratic National Committee in 2016, had been thought to be scaling back operations since that election, but a new report finds the group instead became more covert.

The big picture: The report, from cybersecurity firm ESET, shows that Cozy Bear switched to a different toolkit after 2016, continuing to target the ministries of foreign affairs in at least three European countries and the Washington, D.C., embassy of a European country.

Background: Cozy Bear, also called APT29 and The Dukes, has been associated with the Russian Federal Security Service and the Foreign Intelligence Service. Fancy Bear, its more famous cousin, is connected to the Main Directorate of the General Staff of the Armed Forces.

  • Russia runs a competitive model, wherein separate intelligence agencies are encouraged to breach the same targets.
  • Unlike other Russian groups, Cozy Bear's attacks are not associated with sabotage efforts.

Cozy Bear didn't disappear completely after 2016, but its attacks appeared to dramatically decline. There were flurries of breaches linked to the group in 2017 against U.S. think tanks, as well as several attacks around the 2018 elections against defense contractors, media and other verticals.

  • Even with the new campaign, Cozy Bear still does not appear to be as active as it was in 2016.

What's happening: ESET found evidence that the group maintained some of its anonymity since 2018 by using four previously undocumented strains of malware.

  • Some of that malware has been detected as early as 2013. Others appear to be new as of last year.
  • The new malware was found in organizations known to have been breached by Cozy Bear — sometimes as recently as three months before the new strains appeared in their systems.
  • ESET is calling this campaign "Operation Ghost."

As with previous Cozy Bear malware, the new strains used publicly available internet services like Reddit, Twitter and OneDrive to communicate and take instruction from operatives running the campaign.

  • The new malware also hid payloads in image files to disguise network traffic.
4. Other news from the last week

Twitter says some rules apply to world leaders (Twitter): "We want to make it clear today that the accounts of world leaders are not above our policies entirely," wrote Twitter in a blog post Tuesday.

  • The social media hot spot intended to clarify policies announced this summer stating that Twitter would give world leaders a longer leash than regular users.
  • The rules that will apply to world leaders mean that posts by President Trump that critics object to will not be taken down by Twitter.
  • Child exploitation, direct threats, doxing people and promoting terrorism are not permitted from world leaders, but "direct interactions with fellow public figures, comments on political issues of the day, or foreign policy saber-rattling on economic or military issues are generally not in violation of the Twitter Rules."

Apple isn't sending your browsing data to China (ZDNet): A poorly worded privacy policy led some users to conclude Apple was sending their browsing data to China. It wasn't true.

  • The privacy policy said that Apple would share certain web browsing information with Google and the Chinese firm Tencent.
  • But ... this was in reference to Apple's Safari web browser checking a database of malicious websites hosted by Google (in most of the world) and Tencent (in China) to prevent errant browsing.
  • Apple has to use the Tencent database in China because Google is not available.

An app explaining Xi Jinping's ideology is a security nightmare (Open Technology Fund): An official app described as Chinese President Xi Jinping's equivalent of Mao's Little Red Book allows the app substantial access to the phone's functions, including:

  • Complete administrator access.
  • Scans of the phone for other running apps.
  • Data collection of daily phone activity.
5. Odds and ends