Welcome to Codebook, the only newsletter with a wrestling finishing move (the StuxNeckbreaker).
Feel free to reply to this email with tips, comments or Survivor Series challenges.
1 Big Thing: Your next cybersecurity hire could be an Olympian
The cybersecurity skills shortage is dire — one commonly cited estimate predicts 3.5 million unfilled jobs worldwide by 2021. Kevin Simzer, chief operating officer of cybersecurity firm Trend Micro, believes the most economical solution might be to train far more employees than his company needs — knowing that most will go to competitors.
The lack of available talent leaves security companies recruiting employees from rivals and offering them huge raises. "That's not sustainable," Simzer said.
The big picture: The skills shortage is not hypothetical. Cybersecurity is a field of growing demand, yet it hit 0% unemployment in 2016. And while most of the new jobs will not be the highest-skilled positions — the type that cybersecurity specialists, like Trend Micro, will be concerned about filling — the demand for lower-skilled posts will inflate salaries and deplete talent pools.
Solution — train everybody: To fill its roster, Trend Micro offers a fully paid three-month bootcamp to 200 20-somethings with no cybersecurity experience. By design, only one in five will win a role in the company. The rest leave with a certificate that has proven to be a boon to employment elsewhere.
According to Simzer, it's cheaper, over time, for Trend Micro to train all those extra people and then cherry-pick its hires than to poach talent or compete for recent grads.
Who to target: A lot of people with no cybersecurity background join the program. Simzer says that the company targets people who've had some other great success in life, academic or otherwise — they're likely to be self-motivated: "We had an Olympic swimmer who was really successful. He won a bronze."
- Continuous self-evaluation and improvement could be critical outside of the classroom. Cybersecurity is a rapidly changing space, requiring on-the-job learning as new threats develop.
Exportable solution: Simzer argues the train-everyone approach could remedy cybersecurity shortages even outside specialist firms. "We don't have a patent on it. And it could definitely work for Acme Corp," he says.
2. Ray Ozzie gives the security world key escrow deja vu
Ray Ozzie created Lotus Notes. He is a well-known technologist, former Microsoft CTO, and an all-around accomplished person. He has also just proposed a solution to the encryption debate that doesn’t address any of the issues currently being debated.
The encryption debate in brief:
- Law enforcement would like to access evidence on cell phones and other devices that is now protected by unbreakable encryption.
- Many crimes are horrific.
- Security experts and cryptographers agree that creating a system for law enforcement to bypass the need for a suspect's password makes devices more vulnerable to hackers.
- So we’re stuck: Either password-protected criminals get away, or we face periodic global security disasters.
Ozzie’s solution: As detailed in Wired, Ozzie proposes a system he calls Clear, in which tech companies hold individualized keys to unlock devices.
- That is what’s known as a key escrow solution — where a key is held by a third party, not the suspect or the police. Key escrow was first suggested decades ago.
- By handing the key to a third party, the reasoning goes, the police will not be able to abuse the surveillance.
- There are more components to Ozzie's scheme, including a system to prevent tampering with information once the phone has been broken into.
- Key escrow plans, like Ozzie's, address concerns about government overreach. But they leave wide open the potential for a security meltdown, which is mostly what spooks security pros.
The problems Ozzie doesn't address:
- Under key escrow, the very existence of keys creates the risk they leak. Ozzie’s keys would be kept in safes, but those safes immediately become an extremely valuable target and would be accessed as often as warrants require. The famous Stuxnet malware relied on a software certificate held in just such a safe.
- The solution still has to be implemented. Not all companies are Apple or Google. We would be trusting every tech start-up to properly integrate Clear into their products without creating a vulnerability at those seams. Security problems usually aren’t in the conceptual design of systems — they come from sewing them together.
- All this assumes that the Clear system itself doesn’t have vulnerabilities. It will, because it is nearly impossible to create a system that is 100 percent secure.
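The two risks above, that the safe is opened every time a warrant is served and that its contents unlock every enrolled device, are easy to make concrete with a small model. The following Python is an added illustration written for this summary; it is not Ozzie's Clear design, the Wired description of it, or any vendor's code. It assumes a vendor holds one escrow key per device in a single "safe" and wraps each device's unlock key under that escrow key; the wrap cipher (a SHA-256 keystream plus an HMAC tag) is a constructed stand-in, not a production key-wrapping scheme. The model counts how often the safe must be opened to serve warrants and the blast radius of a leaked key versus a leaked safe.

```python
# Added illustration, not Ozzie's Clear scheme or any vendor's code: a toy
# key-escrow model showing why the escrow safe becomes the target.
# The wrap cipher below (SHA-256 keystream + HMAC tag) is a constructed
# stand-in for demonstration only, not a production key-wrapping scheme.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the key-encryption key and a nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(kek + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Encrypt `secret` under `kek`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes | None:
    """Return the secret, or None if `kek` is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class EscrowSafe:
    """The vendor's safe: one escrow key per device (individualized keys)."""
    keys: dict = field(default_factory=dict)  # device_id -> escrow key
    opened: int = 0                            # how often the safe has been opened

    def open(self, device_id: str) -> bytes:
        self.opened += 1  # every warrant served is another exposure of the safe
        return self.keys[device_id]


@dataclass
class Fleet:
    safe: EscrowSafe = field(default_factory=EscrowSafe)
    wrapped: dict = field(default_factory=dict)      # device_id -> wrapped unlock key
    unlock_keys: dict = field(default_factory=dict)  # ground truth, kept only to check the demo

    def enroll(self, device_id: str) -> None:
        unlock_key = secrets.token_bytes(32)  # what the user's passcode normally protects
        escrow_key = secrets.token_bytes(32)
        self.safe.keys[device_id] = escrow_key
        self.wrapped[device_id] = wrap(escrow_key, unlock_key)
        self.unlock_keys[device_id] = unlock_key

    def warrant_unlock(self, device_id: str) -> bool:
        """Lawful-access path: open the safe, unwrap this one device's key."""
        kek = self.safe.open(device_id)
        return unwrap(kek, self.wrapped[device_id]) == self.unlock_keys[device_id]


def blast_radius(fleet: Fleet, leaked: dict) -> int:
    """Number of devices unlockable from a leaked copy of (part of) the safe."""
    return sum(
        1 for dev, kek in leaked.items()
        if dev in fleet.wrapped and unwrap(kek, fleet.wrapped[dev]) == fleet.unlock_keys[dev]
    )


def demo(n_devices: int = 1000, n_warrants: int = 50) -> dict:
    """Enroll a fleet, serve some warrants, then compare leak scenarios."""
    fleet = Fleet()
    for i in range(n_devices):
        fleet.enroll(f"device-{i}")
    served = sum(fleet.warrant_unlock(f"device-{i}") for i in range(n_warrants))
    one_key = {"device-7": fleet.safe.keys["device-7"]}
    wrong_key = {"device-7": secrets.token_bytes(32)}  # constructed: a guessed key fails
    return {
        "warrants_served": served,
        "safe_openings": fleet.safe.opened,
        "leak_one_key": blast_radius(fleet, one_key),
        "leak_wrong_key": blast_radius(fleet, wrong_key),
        "leak_whole_safe": blast_radius(fleet, fleet.safe.keys),
    }


if __name__ == "__main__":
    print(demo())
```

Individualized keys limit what a single leaked key can do (one device), but the safe itself still holds every key and is opened once per warrant, so a compromise of the safe unlocks the entire fleet. That is the asymmetry the newsletter is pointing at: the escrow design does not change how much is stored in one place, only who is allowed to open it.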
Go deeper: Cryptographer Matthew Green discusses his issues with Ozzie's plan.
Go deeperer: Errata Security's Rob Graham goes over even more problems with it.
3. FISA court denies record number of surveillance requests in 2017
The FISA court denied more requests for top-secret surveillance warrants during President Trump's first year in office than in the rest of its history combined, according to ZDNet.
Why it matters: The court handles national security cases so secretive that they cannot be addressed in traditional court. It existed a hair shy of four decades before Trump took office, in which time it rejected only 21 applications. During Trump's first year, it rejected 26.
What it means: The secrecy of the court makes the numbers as hard to parse as they are startling. But the easiest explanation — and certainly the most attractive for Trump's critics — is that Trump appointees have taken more chances with applications.
4. The most popular hotel locks had a security flaw
Tomi Tuominen and Timo Hirvonen, researchers at cybersecurity firm F-Secure, have discovered a security flaw in the most popular line of digital hotel locks. The manufacturer was notified and has patched the problem — although with 40,000 hotels using the locks, not all of them may have updated yet.
The details: "It started at a hacker conference in Berlin in 2003," said Tuominen. "We came back to our room and found that our friend's laptop had been stolen. But the locks didn't show any signs of being broken into. The hotel didn't take us seriously because, I think, they thought we were hippies in black t-shirts."
- That started a nearly 15-year side project as the duo researched how they could hack the locks. It took until last year to digitally break the locks — during which time they learned that "it's actually much easier to break the lock with a wire hanger."
How it works: They began by taking any key from a target hotel, even an expired one. That key gives them location-specific information to be used in the attack.
- The key cards are embedded with a password chosen from a vast pool — far more than you could fire off to try to unlock a door. But Tuominen and Hirvonen figured out how to reduce the set of possible passwords for the master key so it is small enough for a device to try in just a few minutes.
- Once the device discovers the master key, it works on any door.
Go deeper in our full story.
5. DHS nominee finishes Senate test, now awaiting grade
Christopher Krebs cleared his Senate Homeland Security Committee hearing Wednesday to head the National Protection and Programs Directorate, the cybersecurity and critical infrastructure wing of the Department of Homeland Security.
Why it matters: To the Senate, it was largely a chance to emphasize the importance of election security issues. Sen. Claire McCaskill (D-Missouri) said that keeping a full-time staff of only a dozen assigned to the election was "woefully inadequate." Krebs said he'd make elections a "top priority."
Why he'll be confirmed for the role: Krebs is a well-respected official who was already the acting head of NPPD. Forty-eight former national security officials — including former DHS Secretary Michael Chertoff — sent a letter to committee leadership backing the nomination earlier this week.
The best title in the business: Until he is confirmed, Krebs has the most delightfully incomprehensible title in the government: He is (ahem) the Senior Official Performing the Duties of the Undersecretary for the National Protection and Programs Directorate.
6. Odds and ends
- The industry group BSA | The Software Alliance published a framework for international governments producing cybersecurity laws. "We're particularly concerned with the international Balkanization of cybersecurity laws, including data localization and many conflicting standards," BSA's Tommy Ross tells Axios.
- Mark Zuckerberg still hasn't provided answers to the I'll-get-back-to-you questions at his Congressional hearing. (The Verge)
- CSIS on how Facebook scandals affect data laws in China. (Center for Strategic & International Studies)
- Federal contractors aren't protecting their email accounts from fraud. (Axios)
- Dutch police may have closed the most infamous revenge porn site. (Motherboard)
- North Korean elites disguise internet usage, mostly to watch videos. (Axios)
- A misconfigured online database leaked the personal information of thousands of investors in the cryptocurrency Bezop. (MacKeeper)
- FireEye details a trojan campaign aimed at Brazilian banks. (FireEye)
- The Cambridge Analytica whistleblower says Steve Bannon had the firm test public reactions to Trump slogans as early as 2014. Also in 2014? He had the firm test reactions to Vladimir Putin and Russia's eastward expansion. (USA Today)
- Alexa, how do I eavesdrop on your customers? (Axios)
Codebook will be back on Tuesday. Please water our plants while we're gone.