By Joseph Marks
Jeffrey P. Bezos, Amazon founder and CEO, speaks at The Economic Club of Washington. (Cliff Owen/AP)
In a Daily Beast opinion piece on the conclusions of his investigation into an alleged extortion attempt by the company that owns the National Enquirer, Gavin de Becker suggested this weekend that the Saudi government had been targeting Bezos, who also owns The Washington Post, because of the paper's coverage of the killing of journalist Jamal Khashoggi. The CIA has concluded that Khashoggi's killing was ordered by Saudi Crown Prince Mohammed bin Salman.
De Becker said he shared the results of his investigation with federal officials. The FBI declined to comment on the report.
Yet his accusation highlights the fuzzy line between where the responsibility of individuals and companies to defend themselves against hackers ends — and the U.S. government’s interest in defending them kicks in.
Clint Watts, a senior fellow at George Washington University’s Center for Cyber and Homeland Security and a former FBI official, urged the FBI, intelligence agencies and Congress to investigate.
Congressional Intel, Homeland Security, Commerce committees, DNI, FBI should quickly address this allegation and whether it’s true. Did a foreign country hack CEO of 1 of America’s biggest companies and then with help of a different American company conduct influence campaign?— Clint Watts (@selectedwisdom) March 31, 2019
On the other hand, individuals and companies can’t help but be vulnerable against the superior hacking powers of the most capable nation-states, such as Russia and China. As independent journalist Marcy Wheeler tweeted, it’s notable that even Bezos — the richest man in the world — can’t prevent his phone from being hacked by a determined nation-state.
Let's assume Bezos' security dude is correct, the Saudis had hacked his phone.— emptywheel (@emptywheel) March 31, 2019
What does it say that The Richest Man In the World can get his phone hacked?
There is a precedent, however, for the government responding to hacks that target other sectors.
The 2014 North Korean hack of Sony Pictures Entertainment and the leak of embarrassing internal emails, for example, didn’t seem to affect any U.S. government interests. The Homeland Security Department maintains a list of 16 infrastructure sectors that are critical to U.S. security, and movie studios aren’t among them.
The Obama administration sanctioned Pyongyang anyway, however. Those sanctions came amid cries that the hack was a direct assault on free speech rights — because the movie studio decided in the wake of the attacks not to release The Interview, a stoner comedy that plays the assassination of North Korean leader Kim Jong Un for laughs. The film was later released on Netflix. Officials also argued North Korea had crossed a line by destroying some of the hacked material rather than just stealing it.
Even elections weren’t considered critical infrastructure until after Russia targeted them as part of its 2016 influence operation that intelligence officials concluded was aimed at assisting President Trump’s election. That didn’t stop special counsel Robert S. Mueller III’s office from indicting the hackers or the Obama and Trump administrations from imposing sanctions, however.
The case for the government taking action following the Bezos hack is more complicated.
First, there's a difference in scale. Even if de Becker’s conclusions are correct, the chief goal seems to have been to damage Bezos’s reputation or to assist American Media Inc. in trying to silence criticism of the media company. Bezos, in an earlier post on Medium, accused AMI of threatening to reveal intimate photos unless he halted de Becker’s investigation of AMI and declared that the company has no political vendetta against him.
AMI, meanwhile, denied any Saudi involvement in its story, which focused on intimate photos Bezos shared with his girlfriend Lauren Sanchez. AMI claims the only source for the photos was Sanchez’s brother Michael. De Becker did say it is possible that American Media Inc. was not aware of the Saudi involvement.
The U.S. could determine that actions against an individual — even a very powerful one — would seem to warrant less government involvement than against an organization that could affect the nation’s physical or economic security.
Yet Watts argued that if the government doesn’t respond, it will embolden Saudi Arabia and other nations to target more Americans.
If Saudi regime hacked Bezos & US does nothing, dangerous cyber domino effect can take place. Scenario discussed @AspenSecurity forum 2017. White House says only protect .gov .mil - notifies people corporations hacked, but Americans can’t counterattack https://t.co/QoFQ1Ih3rj— Clint Watts (@selectedwisdom) March 31, 2019
If USG won’t investigate, protect, counterattack, what are Americans supposed to do. Ordinary citizens supposed to just get attacked? But Bezos has a company hires thousands of Americans, he has resources, if USG won’t defend him, should he defend himself?— Clint Watts (@selectedwisdom) March 31, 2019
De Becker did not disclose details or evidence about how the hacking occurred, but noted that his investigators consulted with “leading cybersecurity experts who have tracked Saudi spyware.” Spyware is essentially commercial hacking technology, which Saudi companies have been accused of selling to numerous oppressive regimes. De Becker did not say whether the government had directly managed the hacking or relied on intermediaries.
If the government investigates and confirms De Becker’s conclusions, that could put pressure on the Justice Department to indict Saudi officials, Matthew Miller, a former Justice Department public affairs official, said on Twitter.
So what happens if and when the FBI confirms this and DOJ wants to indict a bunch of Saudi officials? Lot of difficult conversations inside the administration. https://t.co/pXni4C5xMO— Matthew Miller (@matthewamiller) March 30, 2019
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
House Homeland Security Committee chairman Rep. Bennie Thompson (D-Miss.). (AP Photo/Susan Walsh)
Thompson sent nine questions to FEMA’s acting administrator in a letter Friday — including if and when FEMA will notify victims of the incident, what remedies it will provide for them and how it will ensure similar incidents don’t happen in the future.
The mishap — which affected victims of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires — occurred because FEMA didn’t update an information template it shares with a contractor that finds hotels for disaster victims, an inspector general’s report found.
The contractor was not obligated to alert FEMA that it was sharing information it shouldn’t, according to the report. Thompson’s letter also asks whether FEMA plans to update that requirement.
“It is completely unacceptable for the federal government to place Americans' [personal information] in jeopardy of exploitation by malicious actors, especially when these disaster survivors have already lost so much," Thompson said.
China's Vice Premier Liu He, right, shakes hands with U.S. Treasury Secretary Steven Mnuchin. (Nicolas Asfouri/AP)
U.S. officials have cited the law as justification for barring the Chinese telecom company Huawei from U.S. government digital systems and for urging other nations to ban the company from their next-generation 5G wireless networks.
Here’s more from the Journal: “The cybersecurity law presents a significant challenge for U.S. businesses operating in China, Washington officials have said, as it requires them to store sensitive data in China and to favor Chinese network equipment over foreign ones.”
“In recent weeks, Chinese officials have shown a willingness to discuss those issues, which they previously viewed as off-limits for negotiation, said the people briefed on the matter as well as others with knowledge of the process, to try to clear remaining stumbling blocks to reaching a trade agreement.”
Two men use their mobile phones outside a Huawei retail shop in Shenzhen. (Kin Cheung/AP)
The Trump administration was long rumored to be preparing an executive order that would restrict Huawei and other companies with suspect foreign ties from 5G, but those rumors went on ice after Trump suggested on Twitter that he may rethink the ban as part of broader trade negotiations – a position that undercut his administration’s argument that the ban was about security, not trade.
“These reports that the Administration would issue an EO on telecom supply chain security created expectations, and the nonappearance of the EO now creates uncertainty,” writes Lewis, who was formerly a top cybersecurity official in the State and Commerce departments. “Countries and companies ask if the U.S. will actually ban Huawei, or if it will it become a chip in the trade talks to be exchanged for concession from China.”
Lewis urges a broader 5G security strategy that goes beyond a simple Huawei ban. That strategy should include assistance for other nations to keep Huawei out of their supply chains and new research focused on how to communicate securely on international networks that include Huawei in their infrastructure, Lewis writes.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Source: The Washington Post