
Malware in Your Software: How Apps Can Compromise National Security

State-sponsored hackers may or may not compromise hardware in the U.S. technology supply chain, but one cybersecurity firm says compromised software is definitely a national security risk — especially on mobile phones.

Smartphone applications often share code, and most apps aren’t vetted before they go to market, so it can be very easy for hackers to use apps to steal a user’s personal, private, or even top secret information, according to Tim LeMaster, director of systems engineering at Lookout, a mobile security company.

“A major concern tends to be software coming into the supply chain,” LeMaster told InsideSources. “That threat could come from people trying to compromise the source of the code.”

LeMaster said app developers often use open source code libraries to make new apps, which can create a huge risk to smartphone users, especially federal employees using smartphones.

“Very few applications are built from scratch by the developer,” LeMaster said. “Almost all apps share a code and pull from open source libraries and other sources, and a lot of times there is little validation of the code done to build that application. If I have an application that allows me to do document signing, I download it from the App Store, I really don’t know much about it, and the employer in many cases doesn’t know much about it either. When you plug in your phone at night, half a dozen apps update themselves and change, and you don’t know how they changed, and you don’t have visibility into that.”

Malicious or weak code can lurk in those open source code libraries. Some app developers may not be malicious, just careless. But that can make a world of difference to a federal employee using his or her smartphone to access sensitive information.

“Most of these apps are trying to monetize themselves through your data — so they embed advertising ACKs (Acknowledgement Codes),” LeMaster said, “and sell that information to other advertisers. We often find apps that have the ACKs and they’re too promiscuous about how they collect information. There’s concern about how that data is protected.”

Lookout isn’t the only one making these observations. Global cybersecurity firm Crowdstrike noted an uptick in mobile malware, specifically from Iran, in its 2019 Global Threats Report, released Feb. 19.

Crowdstrike also noticed that hackers’ use of mobile malware combined with “mineware” — a virus used to mine cryptocurrency — was on the rise as early as 2018.

“In April 2018, Google announced that Chrome extensions containing mineware would be banned from the Chrome Web Store,” according to the report. “Two months later, Apple also updated its guidelines for iOS applications to prevent the inclusion of cryptocurrency mining code.”

Sometimes all it takes is a poorly coded app for a hacker to infiltrate a smartphone, which prompts national security concerns.

“Hardware concerns in the supply chain are completely valid, and the government has done a lot to address that, but I think software risk is of equal concern,” LeMaster said. “Agencies recognize that concern as well. It could just be poor coding practices in the software or malicious intent, vulnerabilities, weaknesses — there’s lots of ways the software supply chain can get compromised. It could just be the developer didn’t have security in mind.”

Follow Kate on Twitter

Iranian Ballistic Missile Test Proves That Sanctions Probably Aren’t Working

Secretary of State Mike Pompeo informed the public Saturday that the Iranian government tested a medium-range ballistic missile. If what Pompeo says is true, such a test is a direct violation of U.N. sanctions while additionally serving as a heavy-fisted protest to economic sanctions levied by the U.S. government to curtail Iran’s development of such weapons.

“The Iranian regime has just test-fired a medium-range ballistic missile that is capable of carrying multiple warheads. The missile has a range that allows it to strike parts of Europe and anywhere in the Middle East,” Pompeo said via a statement from the State Department.

This latest development in the continued diplomatic row between the United States and the Islamic Republic of Iran could serve as a turning point in the overall success of economic sanctions. President Donald Trump has openly called out Iran as a force of evil in the international community. As a result of Trump’s withdrawal from the Joint Comprehensive Plan of Action (JCPOA) of 2015 (a.k.a. the Iran nuclear deal), the administration’s play to reinstate sanctions on the Iranian regime could be a significant error.

Keep in mind that the Iran nuclear deal, brokered by former President Barack Obama under a legal executive agreement action, was an internationally accepted arrangement that added a degree of assurance regarding Iran’s efforts in holding off on the development of nuclear weapons and other related ordnance.

Under the Iran nuclear deal, the U.N. Security Council’s Permanent 5 members (China, Russia, France, the United Kingdom, and the United States) and Germany (the P5+1), were able to broker a significant arms control agreement with rogue Iran. These controls included 10- to 15-year control periods covering everything from centrifuge development to how much low-enriched uranium Iran can possess for the development of nuclear weapons. Trump, however, dismantled his predecessor’s benchmark foreign policy initiative as a means to come across as a potent force against the Iranians. This also occurred even though Iran was fully compliant with the rules and regulations of the JCPOA three years in a row.

“U.S. President Donald J. Trump’s decision to withdraw from the Iran nuclear agreement and reimpose sanctions jeopardizes the landmark arms control agreement, under which Iran dismantled much of its nuclear program and international inspectors gained extensive access to monitor its compliance,” Zachary Laub of the Council on Foreign Relations wrote in May of this year.

In turn, Trump’s unilateral withdrawal from the Iran nuclear deal was a calculation that he thought could bully Iran into behaving better on the international stage. To do that, harsh economic sanctions were set in place earlier in November 2018.

Historically, economic sanctions as a deterrent have had very little success. Granted, there are exceptions. Overall, the history of sanctions remains mixed, nonetheless.

I believe that the president’s withdrawal from the Iran nuclear deal with his consequential reinstatement of broad and targeted economic sanctions was a “poke at the bear” we can’t afford. But, what proof do I have to make such a claim? The test of a medium-range ballistic missile is exhibit ‘A.’

When economic sanctions are forced on a target country, they don’t necessarily guarantee compliance. As Cato Institute’s John Glaser wrote for The National Interest, “Sanctions have a generally poor track record of actually changing the behavior of the target state in the direction desired by the sanctioning country.” As a result of this truth, sanctioned states typically find means to compensate for the loss of economic fervor and financial capital by going toward illegal and criminal channels.

We’ve seen this case many times when it comes to the discussion of how effective sanctions were on limiting North Korea’s nuclear capabilities.

I’ve investigated how North Korea has been able to get around some economic sanctions by employing slave labor migrant forces abroad, in which the central government steals foreign earnings. These earnings are then laundered back to the coffers of the central government and are used for whatever purpose. Though this example is indeed anecdotal, the similarities and the questions on the effectiveness of economic sanctions remain.

For example, the International Crisis Group found that economic sanctions forced upon Iran by the American government have a history of failure. The key finding in this report argues that economically strangling Iran will just further the Islamic Republic’s resolve to overcome and remain resilient. The missile test is a glaring example of Iran advancing its resolve and overcoming the challenges placed on the country by Trump’s sanctions. Ultimately, this policy position is counterproductive. The White House must reconsider in order to engage with the Iranians effectively and to ensure a peaceful, equitable and operative resolution.

Sen. Tom Cotton Talks Hard Line on Iran, JCPOA, Immigration

Arkansas Republican Senator Tom Cotton admits to being something of a breath of youth in a legislative body not generally known for being spry. The youngest sitting senator, Cotton, who just had his 40th birthday, quips that only two of his colleagues were elected before he was born. Despite his youth, Cotton is quickly becoming a rising star in the GOP. On Thursday, he spoke with Washington Post columnist David Ignatius at an event focusing on the broad national security threats America faces, including North Korea, Iran, the JCPOA, and gun control. Cotton, who was scheduled to meet with President Trump soon after the talk, used his time to stress the need for America to project strength on the world stage.

First on his list of rogues is Iran. Cotton believes that refusing to certify Iran’s compliance with the Joint Comprehensive Plan of Action (JCPOA) signed under the Obama administration would give the U.S. an opportunity to work with its allies in the region and in Europe to try to get a “better deal.”

“This deal is not in America’s national security interests,” he said. “Even if the JCPOA stands, by the end of the next decade, they will be a lawful and legitimate nuclear power. I don’t think we can live with that. I don’t think Israel can live with that. I don’t think our Arab allies can live with that.”

For Cotton, a new and improved agreement would remove the sunset clause for Iranian nuclear development, hamstring their centrifuge and research development, stop ballistic missile testing, and change the menu of responses open in the event that Iran reneges on the deal. The current JCPOA offers few options outside of snapback sanctions, which makes it more difficult to garner European support, says Cotton. Part of the problem is that the treaty applies the same policy response to any Iranian violation, regardless of degree.

“Snapback sanctions are kind of like saying you only get the death penalty for murder or jaywalking,” he quipped.

Instead, Cotton wants to look towards other options that would keep international pressure on the Iranian regime without limiting the potential response types. Of crucial importance for him is an extended view of the future, which recognizes that a nuclear Iran will be just as harmful in 10 years as it is today, but fewer options will then be available.

“That is the blink of an eye in the lifetime of a nation,” he said of the ten-year projection that is the foundation of the JCPOA, citing North Korea as an example of a rogue regime that used treaties to buy time for its nuclear program.

Cotton’s strict interpretation of the law also extended to his view on the Deferred Action for Childhood Arrivals (DACA) program, which granted temporary amnesty for illegal immigrants brought to the U.S. as children. Expressing sympathy for young adults who have been raised as Americans, but still lack legal status, Cotton said that he worried that continuing the program would create a new “chain of immigration” with extended families following DACA recipients into the U.S.

The issue is part of the broader problems that Cotton sees in American immigration policy, which he broadly categorized as issues of documentation, enforcement, and border security. He has introduced a bill in Congress to address at least part of this problem, namely green cards. Cotton, who described his plan as moving immigration policy away from one designed for last century’s country and economy, towards one designed for this century’s country and economy, prioritizes immigrants with education and useful job skills, rather than family members of current immigrants.

“Every year we give out about the state of Montana in green cards,” Cotton said, trying to put the number into perspective. When immigration skews towards low-skilled labor, these new workers put a drag on American wages, particularly for those with only a high school education or less.

To accomplish this goal, Cotton wants to see Congress take action to end chain migration, which allows current residents to bring over family members. Cotton told Ignatius that he was willing to compromise with his colleagues in Congress and vote to pass an extension of DACA if Congress was able to pass a bill ending chain migration.

For Cotton, immigration is one of many issues that exposes how the life experiences of America’s elites differ from those of the working class.

“I’m more connected to the places in the country that understand the negative side of immigration,” he said. “If you live in New York City, Washington, or San Francisco, you see mainly the benefits of immigration. If you work the kind of job where you take a shower after you get off work rather than before you go to work, you see the negative side of immigration.”

These negatives include lost jobs and lower wages. While he did not want to discuss the likelihood of such a measure passing the Senate, Cotton emphasized the necessity for these types of reform.

It was a dense, information-packed hour before Cotton had to rush back to Capitol Hill.

Correction: An earlier version of the piece identified David Ignatius as an associate editor with the Washington Post. He is an opinion columnist.

Follow Erin on Twitter.