The accusation from Jeffrey P. Bezos’s security consultant that Saudi Arabia was responsible for hacking the Amazon CEO’s phone and possibly leaking intimate photos is raising difficult questions about how the U.S. government should respond when foreign hackers target private companies and individuals.
In a Daily Beast opinion piece on the conclusions of his investigation into an alleged extortion attempt by the company that owns the National Enquirer, Gavin de Becker suggested this weekend that the Saudi government had been targeting Bezos, who also owns The Washington Post, because of the paper's coverage of the killing of journalist Jamal Khashoggi. The CIA has concluded that Khashoggi's killing was ordered by Saudi Crown Prince Mohammed bin Salman.
De Becker said he shared the results of his investigation with federal officials. The FBI declined to comment on the report.
Yet his accusation highlights the fuzzy line between where the responsibility of individuals and companies to defend themselves against hackers ends — and the U.S. government’s interest in defending them kicks in.
Clint Watts, a senior fellow at George Washington University’s Center for Cyber and Homeland Security and a former FBI official, urged the FBI, intelligence agencies and Congress to investigate.
Congressional Intel, Homeland Security, Commerce committees, DNI, FBI should quickly address this allegation and whether it’s true. Did a foreign country hack CEO of 1 of America’s biggest companies and then with help of a different American company conduct influence campaign?— Clint Watts (@selectedwisdom) March 31, 2019
But here's the dilemma: With global cybercrime costing companies $600 billion, the U.S. government doesn’t have the resources to respond to every possible hack of a U.S. company or individual — especially when it has limited authority to ensure most of those companies and individuals are adequately protecting themselves.
On the other hand, individuals and companies can’t help but be vulnerable against the superior hacking powers of the most capable nation-states, such as Russia and China. As independent journalist Marcy Wheeler tweeted, it’s notable that even Bezos — the richest man in the world — can’t prevent his phone from being hacked by a determined nation-state.
Let's assume Bezos' security dude is correct, the Saudis had hacked his phone. What does it say that The Richest Man In the World can get his phone hacked?— emptywheel (@emptywheel) March 31, 2019
The U.S. government usually focuses on punishing hackers for attacking sectors that are critical to national security and economic security — think Iran targeting U.S. financial institutions or North Korea infecting hospitals with ransomware.
There is a precedent, however, for the government responding to hacks that target other sectors.
The 2014 North Korean hack of Sony Pictures Entertainment and the leak of embarrassing internal emails, for example, didn’t seem to affect any U.S. government interests. The Homeland Security Department maintains a list of 16 infrastructure sectors that are critical to U.S. security, and movie studios aren’t among them.
The Obama administration sanctioned Pyongyang anyway, however. Those sanctions came amid cries that the hack was a direct assault on free speech rights — because the movie studio decided in the wake of the attacks not to release The Interview, a stoner comedy that plays the assassination of North Korean leader Kim Jong Un for laughs. The film was later released on Netflix. Officials also argued North Korea had crossed a line by destroying some of the hacked material rather than just stealing it.
Even elections weren’t considered critical infrastructure until after Russia targeted them as part of its 2016 influence operation that intelligence officials concluded was aimed at assisting President Trump’s election. That didn’t stop special counsel Robert S. Mueller III’s office from indicting the hackers or the Obama and Trump administrations from imposing sanctions, however.
The case for the government taking action following the Bezos hack is more complicated.
First, there's a difference in scale. Even if de Becker’s conclusions are correct, the chief goal seems to have been to damage Bezos’s reputation or to assist American Media Inc. in trying to silence criticism of the media company. Bezos, in an earlier post on Medium, accused AMI of threatening to reveal intimate photos unless he halted de Becker’s investigation of AMI and declared that the company has no political vendetta against him.
AMI, meanwhile, denied any Saudi involvement in its story, which focused on intimate photos Bezos shared with his girlfriend Lauren Sanchez. AMI claims the only source for the photos was Sanchez’s brother Michael. De Becker did say it is possible that American Media Inc. was not aware of the Saudi involvement.
The U.S. could determine that actions against an individual — even a very powerful one — would seem to warrant less government involvement than against an organization that could affect the nation’s physical or economic security.
Yet Watts argued that if the government doesn’t respond, it will embolden Saudi Arabia and other nations to target more Americans.
If Saudi regime hacked Bezos & US does nothing, dangerous cyber domino effect can take place. Scenario discussed @AspenSecurity forum 2017. White House says only protect .gov .mil - notifies people corporations hacked, but Americans can’t counterattack https://t.co/QoFQ1Ih3rj— Clint Watts (@selectedwisdom) March 31, 2019
It might also lead to more U.S. companies and individuals taking matters into their own hands -- and hacking back at their adversaries on their own, he warns. That would not only be illegal but could draw the United States into a broader cyber conflict it didn’t intend.
If USG won’t investigate, protect, counterattack, what are Americans supposed to do. Ordinary citizens supposed to just get attacked? But Bezos has a company hires thousands of Americans, he has resources, if USG won’t defend him, should he defend himself?— Clint Watts (@selectedwisdom) March 31, 2019
Then there's the geopolitics of it: Saudi Arabia is a strategic ally -- and Trump’s adviser and son-in-law Jared Kushner has cultivated a close relationship with the crown prince, whom he has championed as a reformer. Trump has also resisted blaming Mohammed bin Salman for the Khashoggi assassination, despite the Senate unanimously condemning him for it.
De Becker did not disclose details or evidence about how the hacking occurred, but noted that his investigators consulted with “leading cybersecurity experts who have tracked Saudi spyware.” Spyware is essentially commercial hacking technology, which Saudi companies have been accused of selling to numerous oppressive regimes. De Becker did not say whether the government had directly managed the hacking or relied on intermediaries.
If the government investigates and confirms De Becker’s conclusions, that could put pressure on the Justice Department to indict Saudi officials, Matthew Miller, a former Justice Department public affairs official, said on Twitter.
So what happens if and when the FBI confirms this and DOJ wants to indict a bunch of Saudi officials? Lot of difficult conversations inside the administration. https://t.co/pXni4C5xMO— Matthew Miller (@matthewamiller) March 30, 2019
There are also complex personal dynamics at play. Trump has frequently criticized Bezos on Twitter — largely over what he views as negative coverage in The Post.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: House Homeland Security Chairman Bennie G. Thompson (D-Miss.) wants more answers from the Federal Emergency Management Agency about an incident in which the agency mistakenly shared personal information from 2.3 million disaster victims with a contractor.
Thompson sent nine questions to FEMA’s acting administrator in a letter Friday — including if and when FEMA will notify victims of the incident, what remedies it will provide for them and how it will ensure similar incidents don’t happen in the future.
The mishap — which affected victims of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires — occurred because FEMA didn’t update an information template it shares with a contractor that finds hotels for disaster victims, an inspector general’s report found.
The contractor was not obligated to alert FEMA that it was sharing information it shouldn’t, according to the report. Thompson’s letter also asks whether FEMA plans to update that requirement.
“It is completely unacceptable for the federal government to place Americans' [personal information] in jeopardy of exploitation by malicious actors, especially when these disaster survivors have already lost so much," Thompson said.
PATCHED: A Chinese cybersecurity law that U.S. officials say could compel Chinese companies to spy for the government has become a key sticking point in broader trade negotiations between the two nations, the Wall Street Journal’s Lingling Wei and Bob Davis report.
U.S. officials have cited the law as justification for barring the Chinese telecom company Huawei from U.S. government digital systems and for urging other nations to ban the company from their next-generation 5G wireless networks.
Here’s more from the Journal: “The cybersecurity law presents a significant challenge for U.S. businesses operating in China, Washington officials have said, as it requires them to store sensitive data in China and to favor Chinese network equipment over foreign ones.”
“In recent weeks, Chinese officials have shown a willingness to discuss those issues, which they previously viewed as off-limits for negotiation, said the people briefed on the matter as well as others with knowledge of the process, to try to clear remaining stumbling blocks to reaching a trade agreement.”
PWNED: Speaking of Huawei, it’s past time for the United States to officially ban the company from its own 5G networks, James Lewis, the top cybersecurity analyst at the Center for Strategic and International Studies, writes.
The Trump administration was long rumored to be preparing an executive order that would restrict Huawei and other companies with suspect foreign ties from 5G, but those rumors went on ice after Trump suggested on Twitter that he may rethink the ban as part of broader trade negotiations – a position that undercut his administration’s argument that the ban was about security, not trade.
“These reports that the Administration would issue an EO on telecom supply chain security created expectations, and the nonappearance of the EO now creates uncertainty,” writes Lewis, who was formerly a top cybersecurity official in the State and Commerce departments. “Countries and companies ask if the U.S. will actually ban Huawei, or if it will become a chip in the trade talks to be exchanged for concession from China.”
Lewis urges a broader 5G security strategy that goes beyond a simple Huawei ban. That strategy should include assistance for other nations to keep Huawei out of their supply chains and new research focused on how to communicate securely on international networks that include Huawei in their infrastructure, Lewis writes.