Mar 28, 2019

Axios Codebook


Welcome to Codebook, the cybersecurity newsletter trying to bring back cargo pants.

1 big thing: EU copyright bill's bumpy legislative ride

A protester in Hamburg, Germany, objects to Article 13 (now 17) of the EU's pending copyright bill, March 26. Photo: Daniel Reinhardt/picture alliance via Getty Images

Europe's new copyright bill — the one many of the internet's inventors argue will jeopardize the network's future — is almost certainly destined to become law in each of the EU member countries, after an EU Parliament vote earlier this week. But some procedural hiccups left a sliver of doubt about the outcome, raising a glimmer of hope among the bill's ardent detractors.

Why it matters: The copyright bill has two controversial provisions that could fundamentally change how links and user-created content work online.

Background: The controversy stems from two sections:

  • The first, widely known as Article 11, would charge tech companies like Google to run services like Google News. It's been called a link tax because it would charge sites when they provide links and summaries of stories, and it's controversial because, while Google may be able to front that cost, an average blogger wouldn't be.
  • The second, widely known as Article 13, would require tech companies to pre-scan user uploads for copyrighted material, which could be extremely difficult to do at a YouTube or Facebook scale.

But, but, but: In the final draft of the legislation, well after people started debating Article 11 and Article 13 under those names, the official name of Article 11 became Article 15 and Article 13 became Article 17.

  • If that confuses you, it apparently confused many members of the European Parliament as well.

The catch: Those provisions may have passed by accident.

  • An amendment that would have put these two controversial parts of the bill on hold failed by 5 votes, but 13 voters claim they didn't mean to vote the way they did. If the lawmakers had voted as they say they wanted rather than as their votes were recorded, that amendment would have passed.
  • Even if the amendment had passed, there would have been another vote on the controversial provisions, which could still have okayed them.
  • The botched votes are official and indelible.
  • MEP Marietje Schaake, who first noticed the glitch, told The Verge that the voting confusion "could make a little bit of a difference" in the next stages of the copyright law process, but was unlikely to change its eventual enactment.

Where it stands: In the EU, after Parliament passes a bill, the Council of the European Union votes on it. This vote is expected on April 9.

  • Observers expect the copyright bill to pass the council. But all that's needed to alter the outcome is for a single country to flip its vote.
  • Opponents of the bill believe Germany is a good target to make that change. The country's privacy commissioner has come out against the bill.

Meanwhile, the U.K. — which as of this writing is still in the EU — presents a stranger situation.

  • It could be a prospect for changing its vote if Prime Minister Theresa May steps down.
  • Boris Johnson, who could be next in line to form a Tory-led government, has come out against the copyright rules as an example of why the U.K. needs to leave the EU.
  • But right now, it's Johnson's Tory party that has positioned the U.K. behind the bill.

Once the bill passes, each member country of the E.U. will be required to pass a domestic version of the law. That could take years more.

2. U.K. overseers doubt Huawei’s "cybersecurity competence"

A U.K. body set up to evaluate the security of Huawei telecommunications equipment has "not yet seen anything to give it confidence in Huawei’s capacity to successfully" address cybersecurity flaws, according to a blistering report released Thursday.

Why it matters: The U.S. is currently pushing foreign allies to avoid the use of Huawei 5G products due to security concerns. While the U.K. report did not find any intentional security flaws intended for use in espionage — which the U.S. has been warning against — it did find systemic unintentional security flaws.

Our thought bubble: The U.K. has been on the fence about formally banning Huawei products, arguing that it might be able to mitigate espionage attempts using technology. This report would be a reasonable excuse for Her Majesty's government to take up the U.S. line.

Background: The Huawei Cyber Security Evaluation Centre was set up by Britain in 2010 to evaluate the firm's wares as U.K. telecom firms purchased equipment.

  • The body had been attempting to work with Huawei to close security gaps in all (not just 5G) products. But this report found Huawei was making insufficient progress.
  • It "reveals serious and systematic defects in Huawei’s software engineering and cyber security competence," claims the report.

Go deeper: Why Huawei is the United States' 5G boogeyman

3. An interesting 24 hours for Grindr

Photo: Robert Michael/Getty Images

Grindr, a dating app marketed to the LGBTQ community often associated with casual sex, was at the center of two unrelated news stories Wednesday that could both have major impacts on cybersecurity.

Grindr unanimously won a federal appeals case against a man claiming the site should be liable for not preventing a malicious fake account from sending as many as 16 people a day to his home and workplace expecting sex, per Reuters.

  • At its core, the case is about the limits of the Communications Decency Act, a bill that in part exempts platforms from civil responsibility for user-generated content posted on them.
  • It's a more extreme version of the same general principle that's being tested by Rep. Devin Nunes (R-Calif.) in a lawsuit against Twitter that legal experts expect him to lose.

Meanwhile: Grindr's Chinese owner will have to sell the site after the Committee on Foreign Investment in the United States determined its recent purchase was a national security risk, anonymous sources told Reuters. It's been suggested the issue may be blackmail.

4. India tests its first anti-satellite missiles

India tested its first anti-satellite missiles Wednesday, making it the latest in a small group of countries with the potential to blow global communications equipment out of the sky.

Why it matters: India says the missiles are intended to fight the weaponization of space, not to attack telecommunications equipment or GPS satellites, which could cause disruptions to civilians. That doesn't mean the next nation to follow suit will be as judicious with its use.

As it stands, major military powers, including China, Russia and the U.S., have invested in similar technologies. Satellites are not really designed to dodge offensive weaponry.

5. Norsk Hydro damages top $40 million

The damages to one of the world's largest producers of aluminum caused by LockerGoga ransomware have topped $40 million, with the firm still not operating at full capacity a week after the attack, Norsk Hydro reported Wednesday.

The big picture: The ransomware is used in targeted extortion attempts, typically against industrial firms.

6. Odds and ends

Codebook will be back Tuesday, after I pitch a help wanted section.