C (14:42)

Same here my friend.

B (14:43)

So, interesting story you published on cyberscoop. This is about an FBI official talking about Chinese reliance on domestic firms for hacking. Unpack this for us here Tim.

C (14:56)

Yeah, so you might have seen the story about the FBI announcing in a couple different news outlets that something like 80 countries have been victimized by Chinese hackers in the salt typhoon campaign. More than 200American companies have been affected by it. So they put out this alert, the FBI, a variety of U.S. agencies, a variety of world, world cyber agencies. And that said, this campaign is larger than we've been talking about. And when they say campaign, they, it seemed, it turns out they were actually talking about just Chinese cyber espionage in general, but just kind of all kind of part of this overall indiscriminate targeting and said, okay, look, it's affecting all these sectors too. It's affecting lodging, it's affecting not just telecoms, but it's affecting the military, it's affecting transportation. And you know, I did a follow up interview to see what I could find out about what, what did, what didn't make it into that report or what didn't make it into those stories. And the part that I was drawn to by what the deputy assistant director that I spoke to in the cyber division said was invest this gave investigators an opening. You know, the report mentioned three specific companies that are sort of tech infrastructure kind of companies in China that have been assisting with this cyber espionage. And what, what Jason Bonowski told me was that these companies made mistakes and the, the Chinese reliance on these companies creates risk for them to be exposed by investigators. And that's what happened here.

B (16:28)

Well, help us understand this relationship between these firms and the Chinese government.

C (16:33)

Yeah, so they're, I mean they're, they're, they're companies that are essentially just kind of tech backbone kind of companies in the ISP kind of related space. But because of China's national security laws, there is a great deal more control by the Chinese government over the handling of data and sensitive information that are, that affects domestic companies, companies that are doing business in China. And so while the story that I wrote doesn't make an explicit connection between those two things, and while that wasn't something Jason said explicitly either, it's easy to read between the lines that China as an authoritarian government with a great deal of legal written leverage, not just the sort of general authoritarian, we can do what we want over these companies. It stands to reason that the combination thereof was pretty good for China, saying, hey, we need your help. You're the companies through which we're going to be able to do this, come help us probably, or else.

B (17:30)

Right. So the story here is in the process of providing that help, these companies made some errors that our government was able to take advantage of exactly, Yeah.

C (17:43)

I mean, certainly when you think of the plaque, at least in the early days of nation state hacking, you thought of a particularly careful organization, an organization that was very surgical. And perhaps in the reach for broader reach, China has had to go outside those sort of regimented, literal military organizations to reach out further to expand who they can target and how that created vulnerabilities for them that they did not have before. As explained by the Deputy Assistant director.

B (18:23)

What do you suppose this indicates sort of for the broader ecosystem here? I mean, I think that obviously the US Government makes use of many contractors for many of the things that they need to do. The government, the military, all that sort of thing. So why does this deserve any attention at all?

C (18:41)

It's a very good question. Just as from the standpoint of a cybersecurity reporter, I like knowing how we find things out. It's interesting to me.

B (18:49)

Right.

C (18:51)

And I think perhaps other countries can learn from it, say, oh, these are things that we were able to identify as weaknesses. I think there might have been some messaging here. And I'm speculating a little bit. I don't want to put any words in anybody's mouth, but it seemed that, that the Justice Department, the FBI, wanted this to be known. This is how we found you out. So maybe that creates some sort of counter pressure on Chinese companies saying, hey, cooperate if you will, but you're going to put yourself at risk. And I think that's some of the potential value, you know, outside of just my general nerdiness of liking cybersecurity, is that sort of political gamesmanship as far as how it pertains to US Companies. I think that's interesting. We have been seeing a few developments in this administration that are, that are fascinating. One, of course, is we saw the US Government essentially obtain a stake in a US Company, intel, which, you know, that's, that's fascinating. We do hear sometimes Trump say things about China like, oh, for them, they don't even have to do much. They just say it and it gets done. So you can look at that as some maybe harbingers. I mean, Trump has actually been almost outwardly dismissive about the idea that there's something wrong with what China is doing when it hacks US Companies. He said whatever, we do it too. He said the same thing about Russia. You think we don't do that? So, and I think also you, you, this might be a little bit of a response to China also trying to put some pressure on us. There's a little bit of an escalation of, we, hey, we're the United States. We say, you bad guys, China did this. And China has been, over the years and, and especially in the last calendar year, been saying more and more, hey, America, we know you did this. We know you exploited Microsoft. We know that you, you know, you got aid from a university. Whether these things are true or not, these are the things they're messaging. And we have also seen China accusing US Companies of creating backdoors for, for the US Government. So this, these, these geopolitical elements, and they sort of like where the fight is going. I think those are interesting ramifications for US Companies, for the federal government, and for Chinese companies and Chinese government.

B (20:58)

How would you rate your level of surprise at hearing these revelations?

C (21:04)

I mean, I was a little surprised because. Well, I wasn't surprised. I guess we were talking about the original revelations of the alert that they put out. It does seem like it takes time for investigators to go, oh, hey, we found some hacking. And then to find out just how far it went. So that wasn't particularly surprising to me. It was a little surprised to me, the degree to which they were willing to talk about this. And that's where I start getting into the whole. Were they wanting to get a message out through me? Were they wanting to say to an audience, hey, we're watching you, because that can be a deterrent. So I was a little surprised. But then the more I thought about it, the more I thought it made a little bit of sense. If I'm. And again, Dave, I'm speculating irresponsibly here. I am speculating irresponsibly on this cyber security blog or podcast, and it's out of control. I need to reinvent in before I get too crazy.

B (21:57)

Yeah, yeah. Well, if you say they're. They're messaging through you, and now they're messaging through us.

C (22:03)

So here we are, propaganda arm of the United States.

B (22:08)

That's right. That's right.

C (22:10)

But no, look, I mean, we're joking about those things, but I, I often am thinking about the degree to which the US Government might be trying to use me or any messenger, really.

B (22:20)

Sure.

C (22:20)

Everybody has a reason to want to talk to us. It's not. They don't talk to reporters of the goodness of their hearts. The important thing is, is the story accurate and did we give something valuable to the reader? And I think whatever the attempted message was here, I think that the story was valuable to publish for that reason.

B (22:36)

Yeah, I agree. We'll have a link to that story in the show. Notes Tim Starks is senior reporter at cyberscoop. Tim, thanks so much for joining us.

C (22:44)

Thank you, Dave.

B (23:00)

On our latest afternoon Cyber Tea segment, Ann Johnson and Harvard's Amy Edmondson discuss how psychological safety helps cybersecurity teams speak up, spot risks, and learn from failure.

C (23:13)

Today I am joined by Professor Amy Edmondson, the Novartis professor of Leadership and Management at Harvard Business School. Amy is not just an expert in psychological safety in the workforce, she is the expert. So can we start just by talking about psychological safety? Because it's a word that's used a lot in organizational development.

A (23:34)

The term itself has a kind of implication of comfortable and cozy and nice, and that's just not what it is. So let me first give you my formal definition of psychological safety. It describes a climate in which people believe their voice is welcome, where they believe they can take the interpersonal risks of speaking up with an idea, a question, a concern, a mistake, a dissenting view. And not that will be easy and fun all the time, it usually isn't. But that they believe it's welcome. They believe it's what we do around here. Many of the case studies that I have done gone into great detail on, say, the Columbia launch failure of 2003 or many other sort of real disasters were literally avoidable had people spoken up in a timely way. So I can't tell you how much I think about and value the speaking up about early warning signs. They're not worried about, oh, how do I look? They're like, this could be a nothing, but I'm going to raise it. I'm not going to be afraid of being called Chicken Little. The sky is falling when of course, it isn't. But. So I'm much more interested in that topic, right, that people can speak up about early warning signs of a potential breakdown or failure, but early warning signs about psychological safety and whether or not it's present, I don't think about that quite as much. But to freewheel a little, it's basically, I think in today's, you know, complex, turbulent world, an early warning sign is a sign that doesn't happen. It's the bad news, the questions, the dissent, the mistakes, the failures that you're not hearing about. So if you are a leader of a team and you're hearing an awful lot of good news, you know, everything seems to be green and nothing seems to be red, that is probably a warning sign that you don't have enough psychological safety because it just can't be the case that things aren't going wrong or that people don't see things differently, but it can be the case that you're not hearing about it because this is in fact the kind of environment where psychological safety is most important. And maybe ironically, when leaders call attention to the fragility, the complexity, the ever present potential for breakdown, that makes it more psychologically safe, not less. Because fundamentally it makes it discussable. It makes the reality of the situation discussable. And when leaders don't do that, people will naturally assume or think of the situation in the old fashioned way. The conception of the work environment where people are supposed to hit their targets and always do a good job and expect certainty and be perfect like that is not the world that cybersecurity professionals live in. So when leaders call attention to that reality, so what's at stake and how much very real uncertainty and complexity and interdependence there is that gives permission for people to speak up about it? Like you're saying we should expect things to go wrong. The only real question is, will we hear about it? Will we hear about it in a timely way? Things are going to happen. There will be breakdowns, there will be coordination and communication breakdowns. But by naming it, and by naming it early and often, it gives people permission to be part of the catch and correct system.

B (27:02)

Be sure to check out the Complete Afternoon cybertea podcast wherever you get your favorite podcasts.

C (27:20)

Abercrombie is an official fashion partner of the NFL and I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.

A (27:52)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone. Learn more@WhatsApp.com.

B (28:23)

And finally, ransomware gangs usually stick to the classics. Steal data, lock it up and demand cash. But Lunalock has added an avant garde twist, threatening to feed stolen artwork and personal data from online platform artists and clients. An art commission site straight into AI training data sets, the ransom note demanding $50,000 in Bitcoin. Or Monero warned that if unpaid, not only would files be leaked, but artists creations might end up teaching chatbots to doodle. For artists already wary of AI swallowing their work, it's a particularly cruel jab. As researcher Tammy Harper dryly noted, this is the first time criminals have explicitly dangled AI contamination as leverage. Whether lunaloc really has a plan or just hopes, AI crawlers are very hungry. The threat has struck a nerve in the digital art world. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. Were mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.