Sep 7, 2021

Axios Login

Welcome to the first Login of the year. 5782, that is.

Today's newsletter is 1,401 words, a 5-minute read.

1 big thing: Inside the SolarWinds response

Illustration: Axios Visuals

Seizing upon a flaw in software from SolarWinds, Russian hackers spent months leisurely probing the computer systems of dozens of businesses and government agencies. By contrast, when the intrusion was detected, tech companies and government agencies had to scramble to close the hole, assess damage and try to learn techniques to block future attacks.

Between the lines: Fresh details on how Microsoft, SolarWinds, GoDaddy and various government agencies managed the response to last winter's massive security failure are included in an update to a book co-authored by Microsoft president and longtime top lawyer Brad Smith.

Among the revelations:

  • Microsoft convened urgent meetings spearheaded by CEO Satya Nadella designed to make sure that all of the company's top security organizations were focused on the effort.
  • The company also mobilized more than 500 workers to respond to the SolarWinds attack.
  • The Russian attackers used a server at GoDaddy to establish separate backdoors into the different victims. However, that common server also had a "kill switch" that, once discovered, could be used to halt the spread of the attack. That work was carried out, in part, by transferring the server in question from GoDaddy to Microsoft.

The big picture: In the book's new sections, Smith writes that SolarWinds represented more than cyber-espionage as usual, but wasn't a full-on act of cyber-war, either.

  • Rather, Smith writes, it was a "moment of reckoning" that showed just how much unfinished work remains to be done to set global rules and norms for how technology can be used by nation-states to attack one another.

What's next: The SolarWinds attack offered a variety of lessons for preventing future attacks. Many of Smith's recommendations are standard best practices: using cloud-based systems (or at least fully patched on-premises servers), requiring multi-factor authentication and adopting a "zero trust" approach.

  • More interesting is what Smith says is lacking in the broader security ecosystem, especially when it comes to communication between business and government as well as among different businesses.
  • The U.S. government itself fails to sufficiently share data on cybersecurity threats, according to Smith: "Repeatedly in late 2020 we found people in federal agencies asking us about information in other parts of the government, because it was easier to get it from us than directly from other federal employees."
  • "It's impossible to avoid the grave conclusion that the sharing of cybersecurity threat intelligence today is even more challenged than it was for terrorist threats before 9/11," Smith writes.

Of note: Microsoft was both investigator and victim in the SolarWinds attack. At the same time it was trying to help customers evaluate and minimize damage, the company was also trying to assess how much information the attackers had gained by accessing Microsoft's own servers and viewing company source code.

The latest: The paperback edition of "Tools and Weapons" goes on sale today, with three new chapters, including the one on the SolarWinds response.

2. Facebook's "trust deficit" ahead of wallet launch

Photo illustration: Axios Visuals. Photo: Andrew Harrer/Bloomberg via Getty Images

Facebook says it's finally ready to launch its most ambitious new product in years: a digital wallet called Novi. But the man leading the charge says Washington could stand in its way, Axios' Sara Fischer reports.

Why it matters: Facebook needs to convince regulators skeptical of its power that it's a good idea. "If there's one thing we need, it's the benefit of the doubt," Facebook's David Marcus said in an interview with Axios. [W]e're starting with a trust deficit that we need to compensate."

  • Much of Facebook's broader ambitions, like building a "metaverse" and advancing its shopping platform, are tied to innovations in payments.

Details: Marcus — head of F2, which stands for Facebook Financial — visited Washington last week to meet with key regulatory stakeholders about Novi, a wallet app built on blockchain technology.

  • Crypto-based payment systems, he says, will help to "really lower the bar for accessibility to a modern financial system."
  • He was also there to discuss the Diem Association, a group made up of 26 corporate and non-profit members that is building a blockchain-based payments system that Novi will use.

Marcus says Facebook is hoping to launch Novi in conjunction with Diem by years' end. While Novi is ready to launch now, it's unclear whether Diem will be ready this year, in part because it requires more regulatory buy-in.

  • Regardless, "we plan to actually get it out (Novi) in the market this half, no matter what," he said.

Catch up quick: Facebook originally announced its digital payments ambitions in 2019, but had to pivot and rename its products when it was met with early skepticism and scrutiny from regulators.

Read the full story.

3. Exclusive: FCC to study landlords' broadband deals

The Federal Communications Commission wants to learn whether deals between landlords and internet service providers raise prices for apartment dwellers as part of the Biden administration's push on increasing competition in the economy, Axios' Margaret Harding McGill reports.

Why it matters: Despite cities having more competition among broadband providers, those in apartment buildings can be stuck with one provider because of the arrangements.

Driving the news: A senior agency official told Axios the FCC on Tuesday will begin seeking comment on the impact certain practices have on tenants, including:

  • Revenue sharing agreements in which the landlord takes a percentage of the revenue an internet service provider receives, incentivizing the landlord to steer tenants to that provider.
  • Exclusive wiring agreements that involve a landlord saying only one internet provider can use a building's wires to provide service.
  • Exclusive marketing agreements where only one company can market its services in the building.

Between the lines: The FCC already has a rule banning exclusive contracts between landlords and internet providers, but the senior official said that these other practices have the effect of keeping competition out of buildings.

The big picture: The FCC's move is its first step in addressing competition among broadband providers since President Biden signed an executive order on competition. The order urged the agency to begin a rulemaking that would prevent landlords and cable and internet service providers from limiting tenants' choices for service.

  • The new inquiry will lay the groundwork for the agency to potentially impose new rules.
4. Apple's big concession: A willingness to concede

Apple spent another week on its heels last week, settling cases with regulators and, on Friday, agreeing to delay a controversial plan to start monitoring iPhones for child sexual abuse material.

Why it matters: The individual moves themselves won't hurt Apple and could actually take some pressure off the company. The downside for the company is they show that Apple can back down if pushed hard enough.

Driving the news:

  • Apple said Friday that it would delay implementation of its plan to scan for childhood sexual abuse material, which critics worried could lead to broader screening of otherwise private and encrypted data and communications.
  • The company announced earlier in the week that makers of certain "reader" apps for viewing subscription content would be able to include a link in their apps to an outside web site for managing accounts. The move was made to settle an investigation from Japanese regulators.

The big picture: Those moves followed other concessions that Apple made as part of a tentative deal to settle a class-action lawsuit with developers over the App Store.

  • The concessions around the App Store come as the company looks to preserve the key pillars of that service: Apple's sole control over what apps are allowed, its commission structure and its prohibition of rival payment systems.
  • Critics have called those changes insufficient, and Apple still faces pressure from regulators around the world over the App Store and a lawsuit by "Fortnite" developer Epic Games, which aims to force the company to open the iPhone to other app stores and payment mechanisms. (A trial took place earlier this year, and a federal judge could rule on that suit at any time.)
5. Take note

On Tap

Trading Places

  • Business and government telecom firm Granite Telecommunications promoted Sana Sheikh to VP of transformation and strategic affairs, as well as deputy general counsel.

ICYMI

6. After you Login

Just a reminder for those celebrating the Jewish New Year: While it is tradition to dip apples in honey, doing so with an iPhone is likely to void your warranty.