Intelligence

On Tuesday, Wikileaks released a huge cache of documents it said were descriptions of CIA cyber tools used to break into smartphones, computers and internet-connected TVs. Wikileaks says the documents came from an inside source--speculation is it is either a CIA operator or contractor--and claimed the release was meant to spur a debate over "whether the CIA’s hacking capabilities exceed its mandated powers" and "the security, creation, use, proliferation and democratic control of cyberweapons." In any case, it is damaging to the CIA and another in a growing list of embarrassing instances of the U.S. intelligence agencies losing control of their digital weapons (see, for example, Edward Snowden; Shadow Brokers; Harold Thomas Martin III). Here’s a roundup of what we know so far: Did the CIA break the internet? No. Unless you are already a CIA target, you are unlikely to get hacked by any of these tools. NSA tools work at internet-scale, sucking up as much data as they can legally acquire and sift through it later. According to the Wikileaks dump, the CIA malware is different in that operatives must want to target you specifically, and in some cases, require physical access to implant malware into your iPhone. Unless you’re a Chinese spy, a member of the self-declared Islamic State group, or selling nuclear material to North Korea, the CIA is not interested in your cat videos. Also, the CIA operations did not break or bypass encrypted messaging apps like Signal or WhatsApp. As far as we know, encryption remains strong. If someone is already in your phone, they can take screenshots or log your keystrokes--no amount of encryption will save you from that. Also, according to much of the technical analysis out there, the tools are not particularly sophisticated. CIA operators recycled attacks, techniques, and code that has been used by many others. Still, as always with these reports of vulnerabilities, you should update your phone’s operating system.   The bad news is that platform exploits are very powerful. The good news is that they have to target you in order to read your messages. (7/) — matt blaze (@mattblaze) March 7, 2017   How did this happen? We don’t know for sure yet, and the FBI and CIA are investigating, but this seems the best explanation so far:   Answer: Enormous size of secrecy bureaucracy + digitalization of secrets = impossible to protect secrets. https://t.co/BYTYCWT3uK — Jack Goldsmith (@jacklgoldsmith) March 8, 2017   And according to Reuters, the U.S. officials have known about a compromise at the CIA since late last year:   U.S. officials aware of CIA security breach in 2016, say WikiLeaks papers authentic https://t.co/vGCJ52qiey — Reuters Top News (@Reuters) March 8, 2017   Is there a Russian angle?  Wikileaks claims the documents came from a whistleblower with a conscience. James Lewis of the Center for International and Strategic Studies believes it is more likely that a foreign power was behind the leaks. No matter the source, bots have been set up on Twitter to promote fake stories arguing that the dump proves that the CIA used Russian malware in the hack of the DNC in a false flag operation to tarnish the Kremlin. Moscow will certainly not mind the embarrassment of the Agency, and more distrust among Trump supporters of the intelligence community. What does this mean for the VEP? The VEP, or Vulnerabilities Equities Process, is a process by which the government decides if it will reveal a software vulnerability to the vendors or keep it for offensive purposes. In the past, government officials say the VEP is biased toward responsible disclosure. NSA Director Admiral Mike Rogers has said “by orders of magnitude, the greatest number of vulnerabilities we find, we share.” Jason Healey has estimated that the government holds a small number of zero days, "dozens of such zero days, far fewer than the hundreds or thousands that many experts have estimated." Healey seems to argue that, given the age of the vulnerabilities and their use outside of the United States, the CIA did not need to them report to the VEP. Robert Graham uses the leaks to argue that the VEP is "nonsense"--largely a public relations exercise to assuage the tech world that the U.S. government is not stockpiling flaws affecting products made by U.S. companies. The intelligence agencies buy vulnerabilities and they are going to use them; "if they [CIA and NSA] spend millions of dollars buying 0days because it has that value in intelligence operations, they aren’t going to destroy that value by disclosing to a vendor." What does this mean for the split between Silicon Valley and Washington? It is not good, but it could be worse. The tech companies are going to be angry that the CIA had vulnerabilities and did not report them (here’s Mozilla’s statement). This makes everyone worse off. These reports will also be used by foreign governments to increase scrutiny of US tech companies in their markets (the Chinese paper Global Times already ran this headline, "US consulate becomes a hacking center! WikiLeaks once again exposes shocking CIA secrets"). But the attacks were targeted, did not undermine encryption or the internet backbone, and do not expose thousands or millions of users. This leak will join a growing list of events that keep the two sides apart--and here I suggested how to bridge the gap--but will not be in top 3.

Lorand Laskai, research assistant in the Asia studies program, and Alex Grigsby, assistant director of the Digital and Cyberspace Policy program, contributed to this post. Earlier this week, Chinese cybersecurity company Qihoo 360 released its annual report on advanced persistent threats (APTs) active in China. One of them was APT28--also known as Fancy Bear which the U.S. government has attributed to Russia’s intelligence services--in potential violation of a Russia-China cyber non-aggression pact signed in 2015. Unlike certain western cybersecurity companies more willing to attribute cyber activity to a particular state, Qihoo’s reports can sometimes be frustratingly vague and shirk attribution. Its new report identifies thirty-six APTs active in China in 2016, including the actors behind ProjectSauron and APT28/Fancy Bear, and notes that universities were the primary victims, followed by the private sector and government institutions. Aside from noting that APT28/Fancy Bear was active in China, the report is silent on whether it aimed to compromise specific targets or industries, or was simply looking to use Chinese computers for their command and control infrastructure. It will come as no surprise that Russia and China spy on each other. Despite their public appearances, both countries have traditionally been wary of each other and that skepticism extends to cyberspace. Last year, in its report detailing the decline of Chinese state-sponsored activity against U.S. targets, FireEye noted that Chinese actors tried to compromise Russian defense contractors and engineering firms in the energy sector. Kaspersky has also noted that Chinese activity against Russian targets has increased significantly in recent months. However, it is unclear whether this increase was state-sanctioned or just Chinese freelancers and moonlighters looking elsewhere given that U.S. targets were off-limits in light of the Obama-Xi deal. What makes APT28’s activity in China particularly significant is the notoriety it has accrued over the past few years. The cyberattacks attributed to APT28 include conducting operations against the Ukrainian Central Election Commission (CEC) in May 2014, compromising the networks of France’s TV5 Monde in 2015, and most recently hacking the U.S. Democratic National Committee over the course of 2016. If APT28--known to be operated by Russian intelligence services--is active in China, then it is would appear to violate an agreement Presidents Xi and Putin signed in 2015. That agreement said:   Each Party has an equal right to the protection of the information resources of their state against misuse and unsanctioned interference, including computer attacks against them. Each Party shall not exercise such actions with respect to the other Party and shall assist the other Party in the realization of said right.   Assessing the deal, Russian cyber expert Elaine Korzak wrote:   The two sentences, in conjunction, could be read in a way to keep Russia and China from using “computer attacks” against each other. [...] On the other hand, the language of this provision is strikingly vague. Phrases such as “misuse” and “unsanctioned interference” could obviously be interpreted quite differently by both sides leaving significant loopholes in the scope of the provision.   In other words, APT28’s activities could constitute a violation of the deal if Beijing interprets the text as a no-hacking pact. Qihoo, like its American and European counterparts, produces these reports for marketing and advertising, but they raise an interesting policy challenge for Beijing. Chinese leaders hope to build a strong domestic cybersecurity industry, able to compete with foreign firms, and defend domestic networks and identify attackers. But even if Chinese policymakers wanted to confront Moscow on the reported espionage, they are unlikely to turn to a cybersecurity company for public attribution. It would set a precedent of the types of evidence that could be offered to prove who was behind a hacking attack, and there are numerous APT reports that point the finger at China using similar techniques. In fact, in the past, Beijing has harshly criticized these reports as unscientific and unprofessional. The ambiguity of the phrasing in the Sino-Russia pact, the desire not to set a precedent on private actors and attribution, the demands of the bilateral relationship--these are all reasons why Beijing is likely to do nothing public in response to Russian hacking. China will hack Russia, Russia will hack China, and Beijing and Moscow will point to their non-aggression pact as a sign of friendship and cooperation.

This week I sat down with Dr. Jason Matheny, director of the Intelligence Advanced Research Projects Activity (IARPA).  IARPA invests in high-risk, high-payoff research programs to address national intelligence problems, from language recognition software to forecasting tournaments to evaluate strategies to “predict” the future. Dr. Matheny shed light on how IARPA selects cutting-edge research projects and how its work helps ensure intelligence guides sound decision- and policymaking.  He also offers his advice to young scientists just starting their careers. Listen to a fascinating conversation with the leader of one of the coolest research organizations in the U.S. government, and follow IARPA on Twitter @IARPANews.

Efforts to understand the causes and consequences of Donald J. Trump’s victory are underway, and this election illuminates features about the relationship between democratic politics and digital technologies that require attention. In this campaign, the template of digital progressive politics pioneered by the 2008 and 2012 campaigns of Barack Obama failed Hillary Clinton. In its place, Trump produced a digital populism that repudiated the Obama template. The 2016 campaign also revealed problems with cybersecurity that undermine notions the United States made progress in this domestic and foreign policy realm over the past eight years. Although perhaps now hard to recall, Obama’s campaigns in 2008 and 2012 harnessed the internet to engage in grassroots fundraising, social media to build a demographically diverse coalition, and big-data analytics to power the election ground game. The success of these strategies connected with the sense, during those years, that digital technologies strengthened democracies at home and advanced democracy and internet freedom abroad. What emerged was a digital progressive trajectory--to succeed in democratic politics and democracy promotion, politicians and governments had to be technologically savvy, politically inclusive, and globally engaged. Once president, Obama supported this approach by attempting to promote internet freedom, establish norms of responsible state behavior in cyberspace, and build strong cyber defenses to protect digital-dependent activities, and deter adversaries from malicious cyber behavior.   For the 2016 election, Clinton followed the Obama recipe by exploiting digital technologies to build a demographically diverse coalition of voters, apply big-data analytics in the Democratic Party’s ground game, and communicate Clinton’s global experience and vision. Clinton also developed more detailed positions on cybersecurity and digital issues than Trump. For Clinton, these efforts did not deliver victory. Instead, Trump prevailed with digital populism. He used social media in politically divisive rather than demographically inclusive ways. He exacerbated divides in the United States by hyper-fueling the increasingly disturbing echo chamber phenomenon in social media. He sought support from people far from the Silicon Valley literati invested in the digital progressive agenda. Trump’s campaign relied less on big data than on his big personality to get out the vote. Trump’s social media efforts spread nationalistic fervor rather than commitment to global engagement. He showed little interest in cybersecurity, international cyber norms, or internet freedom--objectives important to President Obama and candidate Clinton. In addition to the rise of digital populism, the 2016 campaign was scarred with embarrassing and damaging cybersecurity incidents. Clinton’s use of a private server for emails during her time as secretary of state became a never-ending fiasco, complete with FBI Director James Comey’s “October surprise” letter to Congress about Huma Abedin’s emails found on Anthony Weiner’s computer. This self-inflicted wound communicated a cavalier approach to cybersecurity by one of the most prominent members of an administration stressing the importance of protecting the U.S. government’s work from foreign cyber espionage. The “hack and leak” activities the U.S. government blamed on Russia represented an unprecedented effort by a foreign power to meddle in U.S. electoral politics. These activities were hammer blows to the Obama administration’s pursuit of cyber defenses, cyber norms (especially internet freedom), and cyber deterrence. The hacks revealed, again, the porous condition of cyber defenses in the United States. The leaks involved Russia interfering through digital means with American democracy, an episode that underscored how internet freedom has been suffering globally in recent years. Russia’s behavior demonstrated the ineffectiveness of efforts to establish international norms in cyberspace. And Russia was not deterred from trying to influence a U.S. election by the offensive cyber power wielded by the U.S. government. The U.S. body politic now finds itself in a place few would have imagined possible after Obama’s second presidential campaign in 2012. Digital populism is ascendant domestically, as it was in the United Kingdom in the Brexit vote. Digital populism might henceforth emerge more strongly in democracies around the world. The 2016 campaign also highlighted that the Obama administration’s efforts to advance cybersecurity, cyber norms, and internet freedom have not taken root internationally. Presently, it does not appear likely that the Trump administration will prioritize objectives once central to President Obama’s vision of the relationship between democracy and digital technologies within and beyond the United States. As with many policy areas, what President Trump will actually do in the digital and cyber policy arenas remains unclear. In addition to inheriting unfinished business from the Obama years (including election cybersecurity), “America First” populism will force the Trump team to address the ongoing economic disruption that innovation in digital technologies creates, the business community’s interest in e-commerce and cross-border data flows in a context where trade agreements are under threat, and the danger that intolerance on social media will corrode the social contract in democratic countries.

Almost four months after the cybersecurity firm CrowdStrike claimed that two Russian hacker groups were behind the theft of data from computers at the Democratic National Committee and other political organizations, the U.S. government has publicly attributed the attacks to Russia. In a joint statement from the Director of National Intelligence and Department of Homeland Security, the intelligence community declared that it was "confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations." According to the statement, the hack was not the work of an individual calling himself Guccifer 2.0 or a 400 pound hacker sitting on a bed, but was: intended to interfere with the U.S. elections; consistent with other Russian efforts to influence public opinion in Europe and Eurasia; and was likely to have been authorized at the highest levels of the Russian government. This is the latest in a growing list of cyberattacks that the United States has attributed to state-supported hackers. Washington accused the PLA of hacking U.S. Steel and others; North Korea of attacking Sony; and seven hackers tied to the Iranian Revolutionary Guard Corps of attacks on U.S. financial institutions and a dam in Rye, New York. Russia has, not surprisingly, denied any responsibility, saying the claims "lack proof" and are an attempt to create "unprecedented anti-Russian hysteria." The next steps for the Obama administration are unclear. As Henry Farrell notes, the U.S. government will now have to decide if it will provide compelling evidence of Russian culpability. Releasing additional proof will be necessary if the United States wants to build some international legitimacy for whatever retaliatory actions it takes. In fact, the United States signed onto a 2015 UN report that said that accusations of internationally "wrongful acts brought against states"--the kind the United States is accusing Russia—"should be substantiated." But substantiation has significant risks. It will be difficult to assign responsibility without revealing intelligence capabilities, and attribution may allow Russia to patch vulnerabilities and result in the loss of U.S. defensive and offensive capabilities. A number of analysts have stressed the challenges facing the United States in responding to these attacks, and especially in preventing the confrontation from spinning out of control. While covert cyber operations would be one example of a proportional response—and the United States certainly has the capability to attack Russian networks—it cannot ensure escalation dominance and the ability to end the conflict. Attacks that attempt to undermine Putin’s legitimacy by exposing emails or financial records and revealing compromising information might provoke even more widespread threats to U.S. critical infrastructure. Moreover, as former NSA general counsel Rajesh De and former CIA deputy director Michael Morrell note, offensive cyberattacks are counterproductive to the norms of behavior that the United States is trying to establish. This does not mean there should be no reaction. Instead, Washington will want to consider a range of options such as extending sanctions to those around Putin using a new executive order, more aid to Estonia and other states on Russia’s periphery, and more funds for the development of next generation anonymizing tools for dissidents and non-governmental organizations that monitor the Kremlin. The United States could also take steps to dismantle the IT infrastructure and hop points that Russian intelligence used to compromise U.S. political institutions to disrupt future cyber operations. This could take the form of clandestine activity or publicly visible steps, such as working with the international network of computer emergency response teams much like the United States did to counteract the 2011-2013 Iranian denial of service attacks against U.S. banks. Great powers are still trying to navigate the bounds of acceptable and proportionate responses when faced with confrontational state-sponsored cyber activity. Although analogies to nuclear policy or previous U.S. experience with Russian kompromat from the past may be helpful to navigate the present, cyberspace has unique characteristics that make these imperfect parallels. Washington’s response to Moscow’s actions will set the bar for future responses and set the example for other countries who could be victim of the same kind of activity. The White House will want to choose its next move carefully.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. U.S. government officially accuses Russia of directing email compromises of U.S. officials. The Department of Homeland Security and Office of the Director of National Intelligence accused the Russian government of directing the recent email compromises of Democratic Party officials and subsequent release through DCLeaks.com, WikiLeaks, and Guccifer 2.0. Furthermore, DHS and ODNI officials believe “that only Russia’s senior-most officials could have authorized these activities” and that the disclosures are intended to "interfere with the U.S. election process." The accusation is significant, as it is only the fourth time the U.S. government has publicly attributed a cyber incident to a state-sponsored actor (the first three times being the 2014 PLA indictment, the 2014 North Korean hack of Sony Pictures Entertainment, and the 2011-2013 Iranian denial of service attacks). Curiously, Washington chose to accuse Moscow on a Friday afternoon via press release despite the Russian doxxing campaign being arguably noisier and higher profile than the three previous incidents, which drew indictments and a public rebuke from President Obama. 2. Yahoo collaborated with the NSA... maybe? On Tuesday, Reuters reported that Yahoo had secretly developed a program to scan the entirety of its customers’ emails for a specific string of characters provided by the National Security Agency. The report stated that this was the first time an email provider had been asked to simultaneously scan all incoming communications. Yahoo called the story misleading and several other tech companies were quick to deny that they had similar efforts in place. The following day, the New York Times contradicted some of Reuters’ claims. Quoting anonymous sources, Yahoo is said to have modified existing software that scans incoming email for malware and child pornography to quarantine messages with a specific "digital signature" believed to be used by a state-sponsored terrorist organization for later FBI collection. It’s difficult to draw concrete conclusions about anything from what’s been written. In fact, the Times and Reuters contradict each other on the basic substance of the request: Reuters called it "a broad demand for real-time Web collection" while the Times referred to it as an “individualized court order to look only for code uniquely used by the foreign terrorist organization.” And a third report from Motherboard claims the NSA and FBI actually demanded that Yahoo install a rootkit on its systems. As Nicholas Weaver makes the case for at Lawfare, it might be best to withhold judgment on this incident until a clearer picture of what actually happened is available. 3. We swear, the IANA transition is actually happening. Last week, four states filed a suit to prevent the turnover of basic internet functions to ICANN, which failed in the final hour, allowing the transition to go forward at midnight last Friday. The debate has since moved from prevention to reversal, with many arguing that the lawsuit was stopped on merely technical grounds and that the actual case is still valid. If this is true, then the suit can still progress through the courts, which can then force the United States to retake control of IANA. The Register, as always, provides the best analysis on the transition’s machinations. 4. Facebook’s Free Basics in the United States? The social media giant wants to bring its controversial version of subsidized internet to unconnected Americans. Free Basics, which started its life as Internet.org, provides free access to a limited set of websites curated by Facebook by exempting these sites from carriers’ data caps--a practice known as zero rating. It’s currently available in more than forty countries, mostly in Africa, and has served more than 25 million people. It was banned in India in February under a law that prohibits charging different amounts for access to different websites, and suspended in Egypt last December after Facebook was used to coordinate anti-government protests. Fearing a similar backlash in the United States, where a net neutrality policy may make Facebook a target of the FCC, the company is first engaging in discussions with the White House to determine the most feasible path to implementation. 5. Donald Trump’s cybersecurity speech. Republican presidential candidate Donald Trump announced his cybersecurity plan this week. Net Politics contributors Alex Grigsby and David O’Connor compare his proposals to current White House policy.

A year ago, presidents Barack Obama and Xi Jinping stood next to each other and declared that neither the U.S. nor Chinese governments "will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage." Despite a great deal of warranted skepticism about the agreement initially, much of the heat surrounding cybersecurity in the bilateral relationship has dissipated. It is Russia, and the alleged hacks of the Democratic National Committee and World Anti Doping Agency, that now dominates the headlines and drives much of U.S. cybersecurity policy discussion. When he announced the agreement, President Obama warned “We will be watching carefully to make an assessment as to whether progress has been made in this area.” The available evidence suggests that the overall level of Chinese-backed hacking has gone down. FireEye released a report in June 2016 that claimed the the number of network compromises by the China-based hacking groups it tracks dropped from 60 in February 2013 to less than 10 by May 2016. Absence of evidence is not the same thing as evidence of absence, and the Chinese may be becoming more stealthy and sophisticated in their attacks. Indeed FireEye noted that decline in number of attacks may be accompanied by a rise in the sophistication of attacks. U.S. Assistant Attorney General John Carlin confirmed the company’s findings that attacks were less voluminous but more focused and calculated. Chinese hackers may have shifted their focus to other targets. Kaspersky Labs reported Chinese hacking of Russian defense, nuclear, and aviation industries rose nearly threefold in the first seven months of 2016 A month after signing the agreement with the United States, China inked a similar deal with the United Kingdom, and, in November 2015, China, Brazil, Russia, the United States, and other members of the Group of Twenty accepted the norm against conducting cyber-enabled theft of intellectual property. The United States and China have also held two round of cyber talks between the U.S. Department of Homeland Security (DHS) and Chinese Ministry of Public Security (MPS), the first in December 2015, the second in June 2016. At these meetings, Washington and Beijing agreed on the guidelines for requesting assistance on cybercrime, discussed establishing a hotline, and conducted tabletop exercises. In August, the Ministry of Public Security reported that the hotline between DHS and MPS was up and running. The shift in Chinese hacking seems to have been driven by external and internal forces. Over a two year span, the United States mounted an aggressive naming and shaming campaign, indicted five People’s Liberation Army (PLA) hackers, and, in the weeks before the September summit, hinted it would sanction Chinese individuals or entities that benefited from cyber-enabled theft. Xi Jinping’s anti-corruption campaign and the clamp down on criminal use of state resources as well as efforts to modernize the PLA and bring cyber operations under more centralized control may have also produced the decline in hacking. Former National Security Agency official Dave Aitel argues that the Chinese move to a higher grade of hacking, and increased capabilities across the board, make it more likely that the United States and China will be able to cooperate in cyberspace. As Aitel puts it, "You don’t have to hack EVERYTHING if you can hack ANYTHING," and this allows for collaboration on areas of shared interest. I am less optimistic. Beijing and Washington do have shared interests in cybersecurity—preventing the proliferation of capabilities to non-state actors; limiting attacks that threaten global financial networks and the integrity of the internet—but it is very difficult to convert these shared concerns into concrete cooperation. Moreover, strategic mistrust is high between the two sides, and they remain divided over many other digital issues, including the free flow of information, internet governance, data localization, and how to best secure information technology products and supply chains. But Aitel is right that cooperation would certainly be nearly impossible if the high rates of theft of intellectual property were continuing. Let’s hope that the attacks on the private sector remain low, and that the United States and China can build on the agreement in other areas of cyberspace.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. Mo’ cyber, mo’ problems. On Thursday, Yahoo announced that a hack nearly two years ago resulted in compromise of data of at least 500 million users. The company blamed a “state-sponsored actor” for the breach. The breach is almost certainly one of the largest in history. On the same day, hackers leaked Michelle Obama’s passport and details of Joe Biden and Hillary Clinton’s schedules, reportedly stolen from the Gmail account of a young Democratic operative, through DCLeaks.com, the same outlet that published Colin Powell’s personal emails earlier this month and allegedly the work of Russian intelligence. And the website of security journalist Brian Krebs was hit with a massive denial of service attack, so big that Akamai--who was offering Krebs protection from such attacks pro bono--stopped doing so. Krebs tweeted that the same entities also targeted his Skype and email accounts. But despite all the hullaballoo they cause, data breaches may not actually cost companies as much as many thought. A recent RAND Corporation study found that attacks like these typically have minor financial impacts—about $200,000 per incident. 2. ’Shadow Brokers’ got NSA exploits from server in the wild. Reuters reports that National Security Agency (NSA) hacking tools dumped on the internet last month by suspected Russian hackers were left on a server by careless employees. According to four anonymous sources, Shadow Brokers was able to compromise that server and obtained the hacking tools instead of relying on a NSA insider like former contractor Edward Snowden as some suspected. What’s more, the NSA has known about the breach since 2012, just after it happened, and has been monitoring the internet to detect their use, but did not detect any use against the United States or its allies. But as Nicholas Weaver points out, it is unlikely that the NSA has the ability to detect the exploits, which operate within Cisco and Fortinet firewalls, not on the web. Weaver criticizes the NSA’s "hubris" in knowing that the exploits had been stolen but not notifying manufacturers, calling it "evidence that the NSA is not dutifully discharging their role in defending our country from others who seek to exploit our systems." 3. IANA-clingers go out with a bang. Republican Senator Ted Cruz (TX) made a Hail Mary attempt this week to put a stop to the IANA transition, the move by the Obama administration to move control of the IANA functions, a set of clerical functions that keep the internet running smoothly, from the Department of Commerce to the Internet Corporation for Assigned Names and Numbers (ICANN). He got last minute help from GOP presidential candidate Donald Trump, whose campaign released a statement opposing the move. But despite the last minute effort, Congress moved forward with a continuing resolution that does not contain language blocking the move. 4. Tesla joins ranks of hacked cars. A team of researchers from Tencent’s Keen Security Lab announced the discovery of security vulnerabilities in the Tesla Model S, and posted a video showing them controlling the moving vehicle’s brakes, mirrors, windshield wipers, and trunk door. Tesla quickly released a software update after learning about the flaw, and noted that the security exploit was only feasible under very specific conditions. Hacks of cars—which came to the public consciousness last year when security researchers managed to remotely hack the brakes on a moving Jeep—have pushed the White House to issue guidelines for self-driving cars, as well as model legislation for states that wish to legalize automated vehicles. The Department of Transportation will also be releasing a list of best practices for improving vehicle cybersecurity.

Editor’s Note: The blog post Lessons from the Cold War to Combat Modern Russia Disinformation Campaigns by Robert Caruso has been taken down. Since publication, information has come to light that has put the author’s credentials in question.

The Digital and Cyberspace Policy Program has launched a new Cyber Brief. This one is authored by yours truly. There has been a growing debate over the role the U.S. government could and should play in the zero-day market--the market that exists to buy and sell software vulnerabilities that have not been disclosed to software vendors. Some experts have suggested that the federal government corner the market, purchasing all known zero-days and revealing the vast majority of zero-days that it buys or discovers. Others want to regulate the market and make the sale of zero-days to bad actors illegal. Attempts to either monopolize or restrict the zero-day market to specific actors are, however, likely not only to fail but also to undermine security by handicapping legitimate research. Instead of overreaching to regulate the entire zero-day market, I argue the U.S. government should create incentives for individuals, companies, and governments to find software vulnerabilities, publicize, and patch them, and thus reduce the risk of attack. The U.S. government should expand exemptions for security research under criminal and copyright law, promote secure software engineering early in a product’s development, and expand bug bounty programs throughout the federal system. You can find the full brief here.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. There’s a reason we’re told not to poke bears. Hackers posted medical records of several U.S. athletes online this week, claiming the stolen documents proved the athletes, including Simone Biles and the Williams sisters, were using banned drugs. The World Anti-Doping Agency (WADA), an international organization that combats the use of performance-enhancing drugs by athletes, confirmed that the files had been stolen from its servers by a hacker group known as Fancy Bear or APT 28, which several cybersecurity firms believe to be affiliated with Russian intelligence. The hackers adopted the Fancy Bear moniker, posting the stolen files on a gif-laden website of the same name, following an approach similar to that used in leaking the files stolen from the Democratic National Committee earlier this summer (more of which were put online this week). Russian President Vladimir Putin disavowed any knowledge of the hack, but said that by exposing disparities in WADA’s treatment of Russian and American athletes, what the hackers had done was “of interest to the international community.” 2. Looks like you’re not regulated enough. Let me help you with that. Two jurisdictions rolled out digital regulations this week. First, the state of New York is proposing regulations that would require entities overseen by its department of financial services to take certain a number of steps to improve their cybersecurity. Specifically, regulated financial services will need to establish a cybersecurity policy, employ a chief information security officer, undergo regular penetration testing and vulnerability assessments, deploy multi factor authentication, and encrypt all non-public information in transit and at rest. Second, as anticipated, the European Commission announced a draft telecommunications reform directive that would extend some regulations that apply to telcos to new entrants like Skype and Viber, also known as over-the-top providers. The Commission’s proposal also included proposed copyright reforms that would allow viewers in one EU country to access the same online content than one in another EU member. 3. It’s Snowden week! The House Permanent Select Committee on Intelligence released an unclassified summary of a 36-page report on Edward Snowden, the information he leaked, and its implications for the U.S. intelligence community, just a few days ahead of the release of an Oliver Stone biopic on the former NSA contractor. The House report mostly sums up information that’s already been reported elsewhere and opinions on Snowden we’ve heard many times before from government officials (Snowden is a “serial exaggerator” who is “not a whistleblower”). Snowden’s defenders fired back that the report is “aggressively dishonest” and also launched a campaign calling on President Obama to pardon Snowden. On Lawfare, Timothy Edgar, former director of privacy and civil liberties for the National Security Council, and Jack Goldsmith, a former assistant attorney general, held a thoughtful debate about whether Snowden should be pardoned that’s worth checking out. 4. Are mom and dad getting a divorce? According to multiple reports, Secretary of Defense Ash Carter and Director of National Intelligence James Clapper have recommended to President Obama that he approve separating CYBERCOM from the National Security Agency (NSA), which are currently led by the same person, Admiral Micahel Rogers. Over the last few years, some observers, including a presidential review commission, have advocated splitting up the leadership of CYBERCOM and the NSA on the grounds that both organizations serve different functions and that they are too big to be led by a single person. At a Senate Armed Services Committee hearing this week, Senator John McCain vowed to block a leadership split, believing the Obama administration was rushing to make a decision before the president leaves office. For background on the proposed split, you can find out more here.