Date: 2019-01-25

THE KEY

Microsoft President Brad Smith in Bellevue, Wash., on Jan. 17. (Chona Kasinger/Bloomberg News)

Microsoft President Brad Smith has a message for the Trump administration: 2019 is the year for democracies to band together in cyberspace.

Smith called on the administration during a panel discussion at the World Economic Forum in Davos to endorse the “Paris Call,” a statement of principles outlining acceptable behavior in cyberspace that’s been signed by more than 60 governments and more than 100 other organizations. The United States is notably absent.

The United States’ refusal to endorse the principles — which include condemning election hacking and large-scale, indiscriminate cyberattacks — gives freer rein to more authoritarian governments to define how nations ought to act in cyberspace, said Smith. That’s particularly dangerous in an era when digital attacks are targeting “democracy itself,” Smith added, such as the Russian hacking and disinformation campaign during the 2016 U.S. election.

“Democracy can only be defended effectively when the world’s democracies act in a united way,” said the leader of Microsoft, which has long sought to help outline the rules of the road in cyberspace rather than leave the job totally up to governments.

The Paris Call is distinctive because its signatories aren’t just governments but include universities, think tanks, privacy and Internet freedom advocacy organizations and major tech companies including Microsoft and Facebook.

Because the majority of the internet is managed by industry, private companies frequently find themselves at the center of state-on-state disputes about hacking, law enforcement access to digital information and other topics where nations' laws either conflict or haven't been written yet. Microsoft has been a leader urging tech companies to take an active role in resolving these disputes. The Washington state company launched a Cybersecurity Tech Accord with 33 other global tech and security companies in 2018, for example, and has advocated for a Digital Geneva Convention.

The Trump administration has not given a rationale for not joining the Paris Call, which is a nonbinding statement of principles rather than a formal treaty or convention. But Smith suggested at Davos that the non-signature might simply come down to President Trump’s distaste for multilateral international agreements. The president has consistently called trade and diplomatic agreements unfair to the U.S. and since taking office has withdrawn from the Paris Agreement on climate change and the multiparty Iran nuclear deal.

The Trump administration has signaled that it's more open to international cooperation in cyberspace, where the U.S. lacks a decisive military advantage, than in other fields. The United States has also been historically wary, however, of endorsing agreements that might restrict its own use of cyber weapons. The White House did not respond to a request for comment on Smith’s comments.

The Paris Call mostly affirms things the U.S. previously endorsed during the Bush and Obama administrations, including that international law applies in cyberspace and that countries and companies should share information about cyberthreats when possible.

The Paris Call is far from the first effort at international cyber comity, but it marks a departure.

The biggest past government efforts to map out rules of the road in cyberspace have generally sought consensus between the United States and other democracies on one side and Russia and China on the other.

Those efforts have produced some narrow agreements — for instance a 2015 pledge from a U.N.-backed group that nations shouldn’t hack each other’s cyber emergency response units — but also a lot of friction. The last U.N. effort disbanded without consensus in 2017.

The Paris Call, by contrast, doesn’t include Russia, China or other typical U.S. cyberspace foes. French President Emmanuel Macron unveiled the call shortly after the 100-year anniversary of the end of World War I in Paris.

The document doesn’t explicitly describe itself as a democratic approach to cyberspace, but the government signatories include most major democracies — with a handful of exceptions including the United States, India and Israel.

Smith also called on India to sign the Paris Call during his Davos panel, saying it’s “important for the world’s largest democracy to stand up and defend democracy.” India’s hesitancy is largely because the document endorses a 2004 convention against cybercrime that India is not a signatory to, Smith said.

Smith noted that simply signing the nonbinding document wouldn’t change India’s position on the cybercrime convention.

“If the world’s democracies don’t come together, we risk being pulled apart in ways that fundamentally threaten the values that we all share,” Smith said.

Roger Stone on April 12, 2017. (Photo by Andrew Innerarity/For The Washington Post)

PINGED: Special Counsel Robert S. Mueller III indicted longtime Trump adviser Roger Stone on Friday morning. Stone communicated during the 2016 campaign with Guccifer 2.0, a Twitter persona found to be a front for the Russian military unit that hacked Democratic emails.

“Stone was charged with seven counts, including one count of obstruction of an official proceeding, five counts of false statements and one count of witness tampering, according to Mueller’s office,” my colleagues Rosalind S. Helderman, Devlin Barrett and John Wagner reported.

Stone, who also claimed before the election he was in contact with WikiLeaks founder Julian Assange and called him "my hero," will make an initial appearance Friday at the federal courthouse in Fort Lauderdale, Fla., my colleagues reported. While Stone repeatedly denied any contact with Russia or WikiLeaks, he publicly cheered on the site as it released the emails stolen from Democrats during the campaign season.

Rep. Michael McCaul (R-Tex.) in Washington on Oct. 23, 2017. (Drew Angerer/Getty Images)

PATCHED: Rep. Michael McCaul (R-Tex.), the top Republican on the House Foreign Affairs Committee, and Rep. Eliot L. Engel (D-N.Y.), the committee's chairman, introduced a bill that would create an Office of International Cyberspace Policy at the State Department. The bill, which mirrors legislation that passed the House last Congress but not the Senate, would effectively reinstate an Obama-era State Department cyber coordinator position that former Secretary of State Rex Tillerson first eliminated and then combined with another top digital position.

The coordinator's office would be tasked with implementing the U.S. position that the Internet should be “open, interoperable, reliable, unfettered, and secure,” according to the text of the Cyber Diplomacy Act of 2019. Under the legislation, the head of the office would have the rank of ambassador and would be the principal official in charge of cyberspace policy.

“The threats to America’s security, economy, and the Internet itself are growing in cyberspace,” McCaul said in a statement. “The United States must lead the way in promoting a secure and free Internet and reject China and Russia’s authoritarian attempts to impose state control over the global cyber commons.”

The National Security Agency campus in Fort Meade, Md., on June 6, 2013. (Patrick Semansky/AP)

PWNED: The U.S. government is greatly worried about operations to tamper with computer supply chains and is particularly wary of China on that front, according to the Intercept's Micah Lee and Henrik Moltke. That's despite the multiple denials and skepticism that met a Bloomberg Businessweek report last year alleging that China carried out a supply chain attack against several U.S. companies. In fact, the reporters wrote, “supply chain attacks are a well-established, if underappreciated, method of surveillance.” Documents leaked by former National Security Agency contractor Edward Snowden show that U.S. intelligence agencies were warned almost a decade ago about the risk that China could compromise hardware supply chains, according to the Intercept.

“The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies,” the Intercept reported. “The documents also disclose supply chain operations by German and French intelligence.”

The University of California at Berkeley campus in California on April 21, 2017. (Ben Margot/AP)

-- Several U.S. universities are doing away with telecommunications equipment from Huawei and other Chinese companies to avoid losing federal funding amid claims by U.S. officials that such devices could be used as tools for Chinese spying, Reuters's Heather Somerville and Jane Lanhee Lee reported. The universities' decisions are a consequence of the National Defense Authorization Act, which “bans recipients of federal funding from using telecommunications equipment, video recording services and networking components made by Huawei or ZTE,” according to Reuters. “Also on the blacklist are Chinese audio-video equipment providers Hikvision, Hytera, Dahua Technology and their affiliates.”

As a result, the University of California at Berkeley has removed a video conferencing system from Huawei and the University of California campus in Irvine is also moving to replace some audio and video equipment from China. Universities could lose government funding if they don't abide by the NDAA by August 2020. “In addition to the University of Wisconsin, a half dozen institutions, including UC Los Angeles, UC Davis and the University of Texas at Austin, told Reuters they were in the process of reviewing their telecommunications equipment, or had already done so and determined they were NDAA compliant,” Somerville and Lanhee Lee wrote.

The Capitol Dome in Washington on Dec. 27, 2018. (J. Scott Applewhite/AP)

— House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) said the partial federal government shutdown is hindering the government's ability to prevent cyberthreats, CyberScoop's Sean Lyngaas reported. “We can kind of address things as they come, but we can’t look forward and do additional mitigation and other kinds of things that we normally do,” Thompson said during an event highlighting the effects of the shutdown on security, according to CyberScoop.

Caitlin Durkovich, a former assistant secretary for infrastructure protection at the Department of Homeland Security, said that efforts to combat hacking, disinformation and other threats “have been significantly reduced, if not come to a halt” because those are not deemed to be “imminent” threats, Nextgov's Jack Corrigan reported.

— A group of 15 senators asked the Federal Trade Commission and the Federal Communications Commission to investigate the sale by wireless carriers of their customers' cellphone location data to third-party companies. “It is clear that these wireless carriers have failed to regulate themselves or police the practices of their business partners, and have needlessly exposed American consumers to serious harm,” the senators said in a letter to FTC Chairman Joseph J. Simons and FCC Chairman Ajit Pai.

The lawmakers also asked the FTC and FCC to probe how third-party companies accessed customers' location information and sold it to others. The senators who signed the letter are all Democrats and also include Sen. Bernie Sanders (I-Vt.). The lawmakers' letter comes after Motherboard reported this month that T-Mobile, Sprint and AT&T sold their customers' cellphone location information to third parties.

A Surface Laptop computer at Microsoft's main campus in Redmond, Wash., on April 20, 2017. (Mike Kane/Bloomberg News)

— A leak of millions of documents containing financial data that was reported by TechCrunch's Zack Whittaker is actually worse than initially thought. That's because the original documents — and not just the converted version of those documents that was first found online — were exposed elsewhere. Security researcher Bob “Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which too was not protected with a password,” Whittaker wrote. “Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server to see — and download — the files stored inside.” (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

Huawei's offices in Warsaw on Jan. 11, 2019. (Kacper Pempel/Reuters)

— Poland is planning to block Huawei from its future 5G network after an employee of the Chinese company was arrested on suspicion of spying, Reuters's Joanna Plucinska and Anna Koper reported, citing officials and industry sources. “Polish government officials are talking to European Union and North American allies on the next steps but haven’t determined which telecoms equipment maker might replace Huawei, the sources said,” according to Reuters.

