November 04, 2022
😎 TGIF, everyone. Welcome back to Codebook.
- Consider this your reminder to go outside and take a short break from your computer today ... but only after you've finished reading Codebook!
- 📬 Have thoughts, feedback or scoops to share? [email protected]
Today's newsletter is 1,316 words, a 5-minute read.
1 big thing: Passkeys enter the mainstream
Efforts to ditch easy-to-guess, phrase-based passwords are gaining more traction, paving the way for the passwordless future cybersecurity pros dream of.
The big picture: Companies are increasingly investing in technologies that let people log in to their accounts with passkeys, which replace passwords with biometric data or device PINs tied to a user's phone or laptop.
- Poor password hygiene is the root cause of more than 80% of data breaches, according to the FIDO Alliance, an industry group whose members include Amazon, Bank of America, Intel and many others.
- Many people reuse their passwords or use easy-to-guess phrases. Others have their passwords leaked onto the dark web, where hackers later buy them.
- Passkeys are an attempt to completely replace passwords, and they go a step further than other login security tools — like multifactor authentication — that still rely on using a phrase-based password to begin with.
- Apple and Google each started supporting passkey logins on their apps and operating systems earlier this year. Microsoft announced the capability in September 2021.
- Widely used password manager 1Password acquired passkey startup Passage on Thursday, as Axios first reported, cementing its own transition to a passwordless future.
Details: Passkeys work by allowing people to log in to an app or website using just a username and a preauthorized device.
- Those phones, laptops and other devices basically use a cryptographic token to prove a user is who they say they are — and those tokens are nearly impossible for hackers to steal or replicate remotely.
- Many of these logins will mimic how people unlock their phones with a fingerprint or face scan or by entering a PIN.
Each company is basing its passkey framework on technology standards set by the FIDO Alliance.
- Growing passkey adoption requires widespread availability, industry collaboration and regulatory support, says FIDO Alliance executive director Andrew Shikiar.
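To show what "a cryptographic token to prove a user is who they say they are" means in practice, here is a small challenge-response sketch of a passkey login. It is an added illustration, not code from the FIDO Alliance, Apple, Google or Microsoft, and it omits most of the real WebAuthn/FIDO protocol (attestation, credential IDs, signature counters, browser origin checks). The site example.com, the user alice and the unlocked flag standing in for a PIN or biometric check are all made-up assumptions; the signatures use Ed25519 from Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's phone or laptop. The private key is
// generated on the device and never leaves it; signing is allowed only after a
// local unlock (fingerprint, face scan or PIN), modelled here by the unlocked flag.
type Authenticator struct {
	rpID     string // site this passkey was created for (assumed: "example.com")
	priv     ed25519.PrivateKey
	unlocked bool
}

// RelyingParty stands in for the website or app. It stores only public keys and
// one outstanding challenge per user, so a copy of its database lets nobody sign in.
type RelyingParty struct {
	id         string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Assertion is the device's reply: the challenge it signed and a signature over
// rpID||challenge, so an answer produced for one site is worthless at any other.
type Assertion struct {
	RPID      string
	Challenge []byte
	Sig       []byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register mints a fresh key pair on the device and hands only the public half
// to the site; nothing secret crosses the network.
func Register(rp *RelyingParty, user string, unlocked bool) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{rpID: rp.id, priv: priv, unlocked: unlocked}, nil
}

// BeginLogin issues a random one-time challenge for the device to sign.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[user] = ch
	return ch, nil
}

// Sign answers a challenge. It refuses if the user has not unlocked the device
// or if the site asking is not the one the passkey was registered with.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	if !a.unlocked {
		return Assertion{}, errors.New("user verification failed")
	}
	if rpID != a.rpID {
		return Assertion{}, errors.New("no passkey for this site")
	}
	msg := append([]byte(rpID), challenge...)
	return Assertion{RPID: rpID, Challenge: challenge, Sig: ed25519.Sign(a.priv, msg)}, nil
}

// FinishLogin verifies the assertion with the stored public key and consumes the
// challenge, so a captured assertion cannot be replayed later.
func (rp *RelyingParty) FinishLogin(user string, as Assertion) error {
	want, ok := rp.challenges[user]
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge missing, stale or already used")
	}
	delete(rp.challenges, user)
	if as.RPID != rp.id {
		return errors.New("assertion was made for a different site")
	}
	msg := append([]byte(as.RPID), as.Challenge...)
	if !ed25519.Verify(rp.pubKeys[user], msg, as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com")
	dev, err := Register(rp, "alice", true)
	if err != nil {
		panic(err)
	}
	ch, _ := rp.BeginLogin("alice")
	as, _ := dev.Sign("example.com", ch)
	fmt.Println("first login:", rp.FinishLogin("alice", as))    // <nil>
	fmt.Println("replayed login:", rp.FinishLogin("alice", as)) // rejected: challenge consumed
}
```

The three properties the newsletter alludes to fall out of the structure: the server never holds anything that can sign, so a stolen database does not yield working logins; every challenge is random and single-use, so a captured reply is useless; and the device signs only for the site it was registered with and only after a local unlock.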
The intrigue: Around 430,000 Microsoft consumer accounts have enabled passwordless logins in the last year, says Vasu Jakkal, corporate vice president for security at Microsoft.
- While other companies are in the early stages of passkey adoption and declined to share figures with Axios, Microsoft's numbers suggest there's widespread interest in the technology.
- "We're seeing rapid adoption across the board," Shikiar says.
Yes, but: Hackers are uniquely talented at finding flaws in new technologies, so it's impossible to say something like passkeys is completely hackerproof.
Still, Shikiar says that passkeys will help eliminate hackers' ability to conduct and scale breaches remotely, and thus will make it so hackers need to reach a new level of sophistication to breach a company.
- "It should require that level of effort to take over someone's account," Shikiar says.
2. Russian disinfo targets far-right voters
A suspected Russian disinformation campaign is targeting far-right U.S. audiences to undermine support for Democratic candidates ahead of Tuesday's elections, researchers at social media analysis firm Graphika have found.
Why it matters: The new campaign indicates strong foreign interest still exists in interfering in tight U.S. races in the days leading up to Election Day.
Details: Graphika found Russia-linked actors are targeting the close Senate and gubernatorial races in Pennsylvania, Georgia, New York and Ohio by disseminating a series of racist and inflammatory political cartoons.
- The report, released Thursday, associates the ongoing campaign with the Newsroom for American and European Based Citizens, a fake right-wing news outlet that targeted the U.S. 2020 presidential elections and is believed to be tied to Russia's Internet Research Agency.
- Since Oct. 29, the group has published new political cartoons and fake articles undermining the Democratic Party on social media network Gab and far-right discussion forum patriots.win.
Yes, but: Graphika said the most recent set of political cartoons has "received very low engagement and no organic spread to other platforms."
Catch up quick: The suspected Russia-linked disinformation campaign follows reports of increased pro-China disinformation targeting the U.S. elections as well.
- Last week, researchers at Google-owned Mandiant said they had uncovered a pro-China disinformation campaign targeting U.S. voters across social media to dissuade voters from casting their ballots.
3. Exclusive: Rep. Garbarino's cyber plan push
A top GOP congressional cyber leader is pushing the Biden administration to establish an economic continuity plan in the event of a massive cyberattack, in a new letter shared exclusively with Axios.
Why it matters: The letter gives a sneak peek at what will be top of mind for House GOP cyber leaders if their party takes control of the House after the upcoming elections.
Driving the news: Rep. Andrew Garbarino (R-N.Y.) and Rep. Mike Gallagher (R-Wis.) sent a letter Wednesday to President Biden demanding he follow through on a requirement in the 2021 national defense policy bill to establish a "Continuity of the Economy" plan in the event of a cyberattack that causes "severe degradation to economic activity."
- The fiscal year 2021 National Defense Authorization Act required the president to submit a plan by Jan. 1, 2023.
Catch up quick: In the spring, the White House tasked the Cybersecurity and Infrastructure Security Agency (CISA) with drafting the plan, according to Garbarino and Gallagher's letter.
What they're saying: "As we approach the deadline for the submission of the COTE plan on Jan. 1, 2023, I am concerned that there appears to be limited action taken by CISA to develop or implement this plan," the lawmakers wrote.
- "The execution of this law requires a whole-of-government effort led by the commander-in-chief," the letter continues. "It is unfortunate that by waiting more than a year to task CISA with completing the plan, you have ultimately set them up to fail to meet the deadline set by Congress."
The big picture: House GOP lawmakers are expected to be more critical of the Biden administration's cybersecurity efforts if the GOP wins control of the lower chamber next week.
- Republican lawmakers will press harder for the administration to share metrics of success to defend future cyber budget requests, for example, one cyber lobbyist told Axios.
Yes, but: Cybersecurity remains one of the few bipartisan issues left on Capitol Hill. Several bills during the current congressional session passed with bipartisan support or had bipartisan co-sponsors.
4. Charted: Ransomware payments double in 2021
The value of payments believed to be tied to ransomware attacks more than doubled in 2021, from 2020's $416 million to $1.2 billion, according to Treasury Department data released this week.
Why it matters: The new data gives a clearer picture of what government officials have been up against in 2022 as they've handed down tougher ransomware-related sanctions and invested legal resources in seizing any payments made to gangs.
- Victims typically pay ransomware hackers in crypto to get them to unlock their encrypted files after an attack or to prevent hackers from leaking stolen data.
The bottom line: The incentive to pay the ransom remained strong in the last few years, forcing government officials to get creative and act fast to cut off ransomware hackers' financial incentives.
5. Catch up quick
🗳 More than 100 state and local election jurisdictions are on a waitlist to receive digital security assistance from CISA ahead of Tuesday's election. (NBC News)
🏥 Senate Intelligence Chair Mark Warner (D-Va.) published a policy paper warning the health care sector is "uniquely vulnerable to cyberattacks." (Senate)
🇺🇦 Microsoft is extending its free technology and cybersecurity support for Ukraine through 2023. (Microsoft)
📸 More than 15,000 surveillance cameras will monitor soccer fans attending the 2022 World Cup in Qatar. (Wired)
@ Hackers and hacks
🕯 The cybersecurity community shares its memories of renowned security researcher Vitali Kremez, who died while scuba diving off the Florida coast this week. (The Record)
💰 Scammers scored $1.2 million worth of Ether shortly before, during and after Ethereum's merge. (Chainalysis)
💻 The rise of the Rust programming language could end up strengthening the internet's baseline cybersecurity. (Wired)
6. 1 fun thing
A local D.C. coffee chain introduced a new ... Bitcoin Blend. Haven't we been through enough???
☀️ See y'all on Tuesday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.