Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

June 19, 2018

Welcome to Codebook, the cybersecurity newsletter that's pretty sure Ed Harris plays a robot on "Westworld."

Situational awareness: Sens. Claire McCaskill (D-Missouri) and James Lankford (R-Okla.) introduced a supply chain cybersecurity protection law Tuesday.

Tips? Reply to this email address.

1 big thing: How cyber's forward defense could backfire

Lt. Gen Paul Nakasone

Lt. General Paul Nakasone, head of U.S. Cyber Commmand. Photo: Saul Loeb/AFP via Getty.

In recent months, the Pentagon has begun taking a more aggressive posture in its approach to cyber conflicts, seeking to slow attacks by taking the fight to enemy networks. But experts worry that approach could escalate cyber conflicts in ways the U.S. may not be prepared to absorb.

How we got here: Cyber Command, the Department of Defense's unified command for cyberwarfare, was conceived under President George W. Bush. It has been elevated in the chain of command under President Trump, who gave it increased autonomy as part of a Defense-wide effort to give the military more agility.

Why it matters: Under the new approach, there is "a very real danger of escalation," said Lisa Monaco, a former assistant to the president for homeland security and counterterrorism, via email.

  • Monaco notes that there are no international standards for what types of cyber actions constitute warfare , but other countries will tend to see what the U.S. does as acceptable.
  • There is no way to insure that another country will interpret actions the U.S. takes on its network as defensive.

The topic of the newly unleashed Cyber Command re-emerged Monday in a book excerpt in the New York Times by its cybersecurity reporter David Sanger.

What we're missing: "This is far from a cure-all to our cyber problems," said Michael Morell, former deputy director of the CIA. He sees two big hang-ups:

  • First, hackers often route attacks through other people's servers, meaning disabling an attack from Russia might mean damaging a server in England — an act of war against England, not Russia.
  • "Second, using our capabilities to attack the attackers is often not that effective because of the ease with which adversaries can move from one server to another," said Morell.

The best defense is a good defense: The best deterrent to a cyberattack, said Peter Singer, strategist at the New America Foundation, is "demonstrating that attacks won't work" — which can be as simple as hardening systems.

  • "If you believe that [offensive] kind of activity is necessary, then you must increase your defenses as well because other countries and groups will start carrying out these actions against the U.S.," said Michael Daniel, former President Obama's cybersecurity coordinator.
  • The White House has, in recent months, eliminated the cybersecurity coordinator position, which may limit the effectiveness of federal agencies' efforts to protect the nation from attacks.

2. Big day at Justice for OPM breach, CIA leaks

On Tuesday, the Department of Justice made two big announcements: A Maryland woman pleaded guilty to using data from the 2015 Office of Personnel Management breach in a bank fraud scheme, and a suspect was charged in leaks of CIA documents published on WikiLeaks.

Why the OPM plea matters: According to the DOJ press release, Karvia Cross pleaded guilty to applying for "numerous online membership and consumer loan[s] in the names of stolen identities that were victims of the OPM data breach."

This is a little baffling, because the OPM data breach — which pilfered information on millions of Americans — has always been assumed to be a Chinese espionage operation. We don't know where Cross and her codefendants got these identities.

  • Some (highly speculative) options: The identifying information came from a breach from the investigation of the OPM breach or an identity protection service offered to OPM victims. Or China has a leak of its own.

Why the CIA leak charges matter: The media had already identified Joshua Schulte as the likely suspect in the CIA leaks, which were, largely, unimportant (and not to be confused with the Shadowbrokers ordeal, in which a trove of National Security Agency tools was leaked). Also, Schulte was already on trial for an unrelated charge related to child pornography. Nonetheless, the 2017 leaks — posted on WikiLeaks under the name Vault7 — were a major embarrassment to the intelligence agency.

3. Senate passes defense authorization, spurning Trump on ZTE


Photo: Paco Freire/SOPA Images/LightRocket via Getty Images

With passage of its version of the National Defense Authorization Act on Monday, 85-10, the Senate has acted to thwart the president's deal to keep Chinese telecom manufacturer ZTE in business. The vote came two days before Trump is to meet with Republicans and lobby to salvage his deal.

ZTE in the length of a tweet: The U.S. gave ZTE a 7-year ban on using U.S. technology for illegally trading with Iran and North Korea.

  • ZTE needs U.S. tech to survive, and Trump agreed to shrink the penalty to a fine.
  • Lawmakers liked the ban for national security reasons, including unrelated allegations of espionage.

The House and Senate will now have to reconcile their differing defense authorization bills.

4. Google expected to patch location-gathering glitch

Researchers at Tripwire discovered a slight glitch in Google Home and Chromecast devices allowing attackers to swipe extremely precise location data. Blogger Brian Krebs, who first reported the discovery, says Google is likely to soon release a patch.

The details: All online computers have an internet address and, unless extra measures are taken, any computer that can see that address can figure out roughly what city that computer is in. Google determines location using other sources and can locate systems close to a street address. The Tripwire glitch would allow advertisers or unsavory characters to see that precise address.

5. Odds and ends

I mean, wouldn't it be devastating if the guy whose persona is based on not being a robot is a robot?

Codebook will return on Thursday. It is not a robot.