January 10, 2023

Happy Tuesday! Welcome back to Codebook.

  • This morning, I learned the British intelligence agency has a data manipulation tool called CyberChef. I know how I'm spending my afternoon. (Just kidding ... maybe.)
  • But first: Have any thoughts, feedback or scoops to share?

Today's newsletter is 1,408 words, a 5.5-minute read.

1 big thing: The UN doesn't know how to define cybercrime

Over the next two weeks, a group of nations is trying to answer one of the most basic questions in cybersecurity: What exactly is considered cybercrime?

Driving the news: A United Nations committee — whose members include delegates from the U.S., China and Russia — is meeting throughout this week and next to continue negotiations for a new international cybercrime treaty.

Why it matters: The finished UN cybercrime treaty will jumpstart a wave of new laws around the world based on the agreed-upon principles in the document.

The big picture: Unlike past meetings, where members mostly shared answers to previously determined discussion questions, this latest meeting features a rough negotiating treaty draft up for debate.

  • However, the wide-reaching, 21-page document includes most of the provisions requested by each member nation, including the U.S. and the rest of the West, as well as Russia, China and other authoritarian states.
  • At the latest meeting, member nations will focus solely on the provisions about what actions should be criminalized and the law enforcement mechanisms surrounding them.

Between the lines: The current negotiating draft paints an overly broad picture of cybercrime.

  • Right now, the document defines it as "the use of information and communications technologies for criminal purposes," prompting provisions on everything from the proliferation of child sexual abuse materials to online posts inciting political revolts or terrorist activities.
  • But human rights and civil society groups argue the definition should be limited solely to crimes that target another computer or internet-enabled device, such as data breaches and other hacks.
  • The U.S. State Department said in a statement Monday it plans to push for a "narrowly focused criminal justice instrument" in the treaty.

The intrigue: A broad definition of what cybercrime is and how prosecutors should approach it could open the door for governments to use the treaty as cover for surveilling journalists, political dissidents and other at-risk groups, human rights organizations argue.

  • In a letter to the UN committee released Monday, more than 80 nongovernmental groups warned the panel that several provisions are "drafted in a way that does not uphold human rights law, in substance or in process."
  • The groups are pushing the UN panel to add more protections from prosecution for reporters, researchers and whistleblowers, and to place limits on the investigative powers laid out in the treaty.

Catch up quick: The current treaty negotiations have faced political strife from the very beginning, when the Russian delegation requested the UN create such a pact in the first place.

What they're saying: "The stakes are high, so we need to ensure a potential cybercrime treaty is narrow in scope, including a narrower, crime-related focus," Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, tells Axios.

  • "The potential treaty should not become a tool for states to impose broader controls on the internet," she says.

What's next: The committee is scheduled to meet again in April and September before presenting its final draft to the full UN early next year.

2. Realizing the ChatGPT nightmare

Malicious hackers are already using flashy new AI chatbot ChatGPT to create low-level cyber tools, including malware and encryption scripts, according to a recent report.

Why it matters: Security experts have been warning that OpenAI's ChatGPT tool could help cybercriminals speed up their attacks, and it all happened fast.

Driving the news: Researchers at Check Point Research said in a report Friday they've spotted malicious hackers using ChatGPT to develop basic hacking tools.

  • The report details three instances in December where hackers discussed ways to use ChatGPT to write malware, create data encryption tools, and write code creating new dark web marketplaces.

The big picture: Hackers are always looking for ways to save time and speed up their attacks — and ChatGPT's AI-driven responses tend to provide a pretty good starting spot for most hackers writing malware and phishing emails.

Details: According to the report, the hackers have so far only created basic data-stealing and encryption tools.

  • An anonymous user of a hacking forum posted that OpenAI's tools gave him a "nice [helping] hand to finish the script with a nice scope," per the report.
  • Another "tech-oriented" hacker was also spotted teaching "less technically capable cybercriminals how to utilize ChatGPT for malicious purposes."

Yes, but: It's still too soon to say how much cybercriminals will lean on ChatGPT in the long run — or how much longer they'll be able to abuse the platform.

  • OpenAI has previously said ChatGPT is a research preview, and the organization is constantly looking at ways to improve the product to avoid abuse.

3. Facial recognition's horse race

The breakneck development and deployment of facial-recognition technology are outpacing efforts to corral alarming pitfalls, Axios What's Next co-author Alex Fitzpatrick writes.

Why it matters: Police, retail stores, airports and sports arenas are rapidly increasing biometric surveillance. But critics say the results are too often blindly trusted, without enough double-checking of matches.

Catch up quick: The latest face-recognition surveillance technology is designed to identify people seen on security cameras in real time, or close to it.

  • It aims to match security camera footage of someone with images tied to that person's identity and kept in various databases or publicly available online, such as police mugshots or social media profiles.

Driving the news: A Black man in Georgia was recently jailed for almost a week after a facial-recognition system incorrectly matched his face with a suspect in a New Orleans robbery, his lawyer told The New Orleans Advocate.

  • The man — who said he's never been to Louisiana — was released after detectives realized their mistake, The Advocate reports.

Zoom out: Some cities and states that have restricted the use of face recognition in the past are mulling whether to loosen those rules to fight upswings in crime. Others are holding fast.

4. Catch up quick

@ D.C.

👨🏻‍⚖️ The Supreme Court declined to hear NSO Group's appeal to stop a lawsuit from WhatsApp over claims that the Israeli spyware maker exploited a flaw in the encrypted messaging app. (Reuters)

🏛 Rep. Mark Green (R-Tenn.), a member of the conservative Freedom Caucus, will lead the House Homeland Security Committee — a key driver of cyber legislation. (Bloomberg Government)

🚧 TikTok faces a tough path forward in Washington as national security and surveillance concerns continue to mount. (Axios)

@ Industry

😬 Microsoft is ending security support for Windows 7 extended versions and Windows 8.1 today. (BleepingComputer)

⚠️ Civil society and human rights groups caution that many of the products demoed at this year's CES conference fail to account for user privacy. (Washington Post)

📲 The parent company behind Ciphr, an encrypted messaging app popular with cybercriminals, is testing a new app to help the company attract enterprise customers. (Vice)

@ Hackers and hacks

🧐 Hackers have been exploiting a security flaw in Experian's website to bypass the site's identity-verification process and gain access to victims' credit reports. (Krebs on Security)

🏥 Ransomware attacks on health care organizations have doubled in the last five years, according to a new JAMA Health Forum study. (Fierce Healthcare)

🏦 Denmark's central bank said earlier today that hackers have targeted its website, but its day-to-day operations have not been affected. (Reuters)

5. 1 fun thing

Last week, I asked for book recommendations, and boy, oh boy, did y'all deliver! I now feel compelled to share the most popular resources and recommendations:

  • A few people recommended checking out Ohio State University's "cybersecurity canon" roster of books.
  • Many of you also recommended the recent go-tos: Nicole Perlroth's "This Is How They Tell Me the World Ends," about the dark market of zero-day vulnerability sales (which I'm also making my way through), and Andy Greenberg's "Tracers in the Dark," about how investigators track down cybercriminals via their crypto.
  • And some of you went for an old standby: Steven Levy's "Hackers," one of the first to chronicle the history of hacking and the culture around it.

That's only the tip of the iceberg — I'm almost compelled to start a book club ... almost 👀.

☀️ See y'all on Friday!

Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
