Tim Starks (15:10)

Good to be here in the new year.

Dave Bittner (15:11)

I want to touch on a story that you wrote for cyberscoop here. This is about the UN adopting a cybercrime treaty that is not without controversy here. Can you unpack what's going on for us, Tim?

Tim Starks (15:26)

Yeah, this was something that has been in the works for five years, initiated by Russia. So if you were starting to start off skeptical about what they might want to do with the cybercrime treaty, that's some ground. The other countries that were in favor of it were countries that had a reputation for being repressive or authoritarian. So it finally came to a head on December 24th because, you know, everybody wants this for Christmas Eve. They're thinking, I think cybercrime treaty.

Dave Bittner (15:58)

There's no minute like the last minute.

Tim Starks (16:00)

The United nations at the last minute decided to do something with this. And I'll talk about what's troubling about it for people, but I'll just say that, you know, for our story, since this came out last week, we focused on what comes next, so we can talk about that in a second. But the parts of it that are controversial is there are a bunch of ways that this could be implemented or interpreted by countries that have those kinds of repressive backgrounds to abuse human rights. Journalists, lots of things. And one of the examples is that the requirement for cooperation amongst the treaty signatories is triggered by, in one case, what is the penalty for the crime? What is the length of the penalty of the crime? And if it's a long enough penalty, then you're obligated to cooperate. That's vague enough that if you're, you know, I think that it was David Kay, the former UN Special Rapporteur. I don't actually say not to say that word. That's the first on human rights. He said it's a crime in Russia to criticize the military. So the potential for harm with something like that is very deep. And that's just one example of what makes it controversial. There are some people who will speak in defense of it, but the United States is Really a reluctant part of what's going on here.

Dave Bittner (17:26)

Help me understand the process of something like this going through the various machinations with the UN like, as something gets proposed and then is there ratification and enforcement and where do we stand with it now? And at what point does something like this actually get some teeth?

Tim Starks (17:46)

Yeah, it's probably a ways off. During the process, when it started five years ago, the United States opinion was the Budapest Convention, an earlier cybercrime convention that was not UN Convention, I don't believe had done the trick that it was the thing that we should use. Russia, China, some other countries didn't like that convention, so they wanted to start their own with the U.N. the United States said, well, we can protest and sit it out, or we can look at the math and see that enough countries want to do this that we'd rather be on the inside negotiating and making things better, putting some provisions in there that they talk about saying nothing in this shall be construed to harm human rights, saying that those are some defenses against it. But it's a long, arduous, years long process of negotiating. You know, an earlier committee just in August voted on it. That was sort of the definitive, okay, this is going to happen. And the United States was uncertain whether they were going to vote for it and decided ultimately to do so, hoping that they could have an impact on the implementation side. Again, reading the math and going, we're probably not going to. This is going to probably happen with or without us. We need to make sure it happens with us. So the next steps are that 40 nations, as set by the rules of this particular treaty, as I understand it, I think that there's a variable on how many nations must ratify for it to enter into force. It's 40 in this case. The people I spoke to, I didn't actually mention this in the story, so this is exclusive for Cyber Wire listeners. Most of the people I spoke to think it's going to happen that there will be 40 nations. What's unclear is whether the United States will be one of them. I think it's going to be difficult for it to happen in the United States. Then it enters into force and then they start getting into implementation and oversight. And that's many, many years down the line. Just to give you a sense, I think it was four years before the United States approved. The Senate and the President were like, we're on board with the Budapest Convention. These things can take a long time.

Dave Bittner (19:40)

And this requires approval. Is it 2/3 approval from the Senate? I believe, yes.

Tim Starks (19:45)

Exactly.

Dave Bittner (19:45)

So not easy, especially in today's Senate.

Tim Starks (19:49)

Yeah, it's not easy in any Senate. In this Senate, you know, it's going to be, what is it, 51, 49 or something like that. It's a pretty close margin coming up in January. And then you have, you know, President Trump vacillates back and forth on how he feels about certain kinds of international alliances, but he does tend to be in that camp of, I'd rather not be bound by what the rest of the nation wants, what the rest of the world wants to do. You know, he seems to have reflexive resistance to that kind of thing. So I suppose if the right person gets in his ear, if he thinks that this will make Putin happy, maybe he'll be on board. But then you still have to get through the Senate. And I can't imagine great many senators liking this. We already have seen an indication from at least a handful of Democratic senators that they think this is really bad. So I think it's a tough road in the United States in particular.

Dave Bittner (20:43)

Well, before I let you go, let's do a little pivot here. And since this is the beginning of the year and it is the time when we do these sorts of things, what's Your outlook for 2025 and anything strike you as being noteworthy as we enter the coming year?

Tim Starks (21:01)

I mean, certainly one of the top stories I'm going to be watching, one of my beat focuses is policymaking. And the fact that there's a new president who can be erratic in terms of what he supports and what he believes and what he does is going to make that a very interesting development. I reported in this fall about some of the personnel that he was potentially going to be bringing in, either because those people wanted to be in or because they were people who just made sense for him to bring in. And there weren't a lot of people that you would. And this is a quote from one of the people who was a supporter saying, these weren't a bunch of. They aren't a bunch of MAGA radicals. So there, you know, in the previous Trump administration, there was that there was the control, if you will, of cyber pros kind of keeping their head down, but also doing policy work that wasn't controversial, at least until the end, when Christopher Krebs ran afoul of the president on election Lies. So it'll be fascinating to see what he does. I mean, I'll give an example of why the kind of thing that I find interesting, a lot of people in Trump's circle or who are Trump supporters or Trump oriented people on cyber say that he's going to curtail regulations. But if you look at the Republican national RNC platform, it said we need minimum security standards for critical infrastructure, which is what this past administration is doing. So policymaking wise, it's going to be really fascinating to watch what happens on the threat side. This is the part that's always the most unpredictable and it's one of the things that makes the job never boring. You know, you just never know what day somebody's going to use some kind of strange vector to attack somebody you didn't expect to get attacked. I don't think anybody, you know, while we could have worried about the state of telecommunications security coming into 2024, I don't think we would have said, oh yeah, we're going to end 2024 with the biggest hack of that sector ever. So that's always hard to predict. On the spyware side, that's also going to be really fascinating. That's another thing I cover a lot. You know, there's been some progress in lots of ways in the, in the fight against that. There was the Facebook WhatsApp meta ruling against NSO group. There have been some changes made by this Biden administration to that seem to have isolated or harmed some of these worst case providers. And there's the polish examination of what's going on there, what had gone on in their past. There are a lot of things that you could point to and say this is promising, but they also have a way of bouncing back. Like a lot of threats, you think that you've got them down and you might not. And that's not me denigrating any specific company. That's just me saying that the misuse of spyware seems like it's been here for a while and it's going to stay. I'll be curious to see how much the, the waves lap in and lap out and how, whether they recede to a certain point and stay receded. That'll be another thing I'll be thinking about a lot in the near.

Dave Bittner (23:57)

Yeah. All right, well, thank you again for joining us. Wishing you all the best this new year. Tim Starks is senior reporter at cyberscoop. Great to catch up with you, Tim.

Tim Starks (24:07)

Definitely, thanks. Thanks, David.

Dave Bittner (24:23)

And now a message from our sponsor, Zscaler. The leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million. Record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever With AI tools, it's time to rethink your security Zscaler Zero Trust plus AI stops attackers by hiding your attack surface making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security and finally, cybersecurity leader Tenable has announced the heartbreaking passing of its chairman and CEO Amit Yoran, at the age of 54, following a courageous battle with cancer. A pillar in the cybersecurity world, Yoran was admired for his leadership and vision, having guided tenable since 2016. Yoran's career was marked by significant contributions, including roles at RSA Security Net Witness, which he founded, and Symantec. He also served as National Cybersecurity director at the U.S. department of Homeland Security, leaving a lasting legacy in public and private sectors. Following his medical leave in December, CFO Steve Vince and COO Mark Thurmond were named interim CO CEOs, ensuring stability during this transition. Art Coviello, an industry veteran, will chair the board. Tenable honors Joran's impact and assures stakeholders of its ability to meet financial expectations, reflecting the resilience he instilled in the company. The cybersecurity community mourns the loss of a true visionary and leader. And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k. We're privileged that N2k cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here.