Dave Buettner (12:45)

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates Fast. Well, it's easy. Just use Indeed when it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first and it works. Sponsored Jobs on indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus we with Sponsored Jobs. There are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been Talking to you, 23 hires were made on Indeed according to Indeed Data Worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed and listeners to this show will get a $75 sponsored job credit. To get your jobs more visibility at indeed.com cyberwire just go to indeed.com cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com cyberwire terms and conditions apply. Hiring Indeed is all you need. Cyber threats are more sophisticated than ever. Passwords. They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. Yubikeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

Maria Varmazes (15:22)

Today, Dave Buettner sits down with Adam Murray from Arctic Wolf to discuss banning TikTok and increasing regulations for social media companies.

Adam Murray (15:31)

Right now we've been presented with what I think is a false choice or the wrong choice, and that is with TikTok. You know this went before the Supreme Court as a choice between free speech and national security, which there are implications and concerns for both. But the reason that we're at this point is a failure of leadership and a failure of Congress, our elected officials, to deal with the real issue, which is right now there is a complete lack of regulation on technology companies and social media in particular, which leaves us with few options to address real concerns like the national security implications of TikTok. And so now we're using a ban like a sledgehammer instead of a scalpel to deal with this problem.

Dave Buettner (16:26)

Do you think either of those arguments are legit here, the free speech argument, the national security argument, or is, as you say, that not really getting to the real issue?

Adam Murray (16:38)

Well, those are real concerns and they both have something to do with TikTok. There is a real value here we have in the United States of free speech. And in many court rulings, the Supreme Court has upheld the right of US Citizens to have access to information, even if propaganda from another country, and even if it's to hear speech from organizations that originate in a foreign nation, even an adversary. So US Citizens do have a right, and there are free speech concerns there. However, there are also real national security issues here that have come to bear because you have an app. And to call it just a social media app is, I believe, to not really do it justice at what it actually is. But it is a app that is owned by a foreign nation and an adversary in many ways in this case. And so its ability to affect life in the United States, to threaten our national security is very realistic. And if you want, I can dive into that security concern. So TikTok isn't just a fun video app. It's great at that. And its algorithm is one of the best, but it is just that. It's a highly sophisticated algorithm that is a content delivery system and it is controlled by a foreign adversary with no oversight and no transparency within the United States. And if you don't think that matters, imagine if a Chinese owned company controlled the front page of the New York Times or what appeared on Fox News or cnn. I think many of us would have concerns with that. More than half of Americans get at least some, if not most of their news from social media. So it's not just an app. It's really the equivalent of a broadcast network inside the United states with no U.S. editorial oversight, no accountability, and with an owner that is beholden to some degree, or maybe in a great degree to the ccp. We regulate many things in the United States. We regulate who can own TV stations, we regulate who can own radio networks, banks. And many of this is many of the reason we do this is for national security concerns to a large degree. Yet we've let foreign entities own the most powerful attention shaping tools in history, social media platforms, without any meaningful oversight. So that's really what the concern is with, with national security and why TikTok in particular is different than the others. But it's also the same in many ways.

Dave Buettner (19:12)

You know, I've seen people say that it wasn't supposed to get to this point, that the whole idea of the ban being the big hammer was really to get us to the point of someone else buying it. And it's the fact that that didn't happen that has got us to the kind of, you know, call your bluff, ban it or don't point here. If TikTok divested from their Chinese owners, does that get us where we need to be, or do we still have the bigger problem of social media in general?

Adam Murray (19:44)

Well, that's the thing again, I'd like to go before, we were trying to use the ban as kind of this, again, sledgehammer to deal with this problem. And so we're like, hey, we're going to do a game of chicken here and say we're going to ban you or you divest. And what that even looks like is still murky to this day, even with this extension on the deadline. But no, it does not address the real issue. What we really need is a comprehensive framework, data privacy laws, content transparency, algorithmic accountability, and restriction on foreign ownership for this critical digital infrastructure. The piecemeal whack, a mole approach just isn't going to work. Individual bans aren't going to work. And if you want proof of that, look at what happened when the ban sort of temporarily went into place over the weekend. That weekend where it was, you know, the ban was going to go into place and it stopped appearing on, you know, in the App Store and people's access to it was cut. What did they do? They immediately went to another app. And of course, this one was also owned by China in, in many cases. And so it's really not going to solve the problem to just do it for one app. Now, TikTok is amazing. It's a leviathan. It's huge. It's so popular, it works really well. And so it would have an effect, but it would just push people to another app. So we really need a comprehensive set of tools to deal with this through regulation. And right now we just have an absolute dereliction of duty of our elected officials, both sides of the aisle, for decades to set up anything meaningful to allow us to deal with this problem. We just don't have the tools we need and so we use a ban and it's just not working well.

Dave Buettner (21:32)

What sort of regulations do you think could be effective here?

Adam Murray (21:36)

Well, one to really think about. Well, first of all, I've mentioned one which is foreign ownership of broadcast networks. We just need to have a conceptualization of these social media apps that doesn't just treat them like an online bulletin board, which is essentially what we're doing right now, or even like a newspaper. Many of the national security arguments that were presented to the Supreme Court were based on analogies to, you know, mail order propaganda or newspapers. And I just don't think any of those analogies. They're apt in some ways, but they fail to capture how social media apps and how the Internet is different, especially with these algorithms. So we should capture in a different way legally what these entities are and then control their ownership to a way that satisfies national security concerns and will give us a better way to deal with it. So that's one. Another one is, you know, Section 230 and that's really, you know, legislation passed back in the 90s that allows these online applications to be free of any kind of responsibility for the things that are posted on their sites. And it was very important to pass at the time. But we are way, we're decades beyond the need for that, especially when it comes to these social media apps. So one thing that's been suggested I think is a very interesting thing that would give us another tool is making companies, social media companies accountable for what their algorithms serve up people. So they may not, they may not be accountable for individual posts, but they would be accountable for what an algorithm serves them up. So that would help us have additional controls. And then in addition to that, you could have transparency on what the algorithm's doing and how it works. And if anyone is putting their thumb on the scale one way or the other of what the algorithm is, serving up these kinds of laws, or at least exploring them or working on them, would give us more tools so that we could, it wouldn't just be ban TikTok because we think they might be serving up propaganda or making all these young people who are online feel just that much worse about America and just that much more positive about other things. We would know if they were doing that if there was transparency laws passed in how these algorithms work. But not only would it help us with TikTok, it would help us with all the US based companies like Facebook, Instagram, X, all of these. We would have the same set of tools that could help us with that problem and would also address, you know, foreign owned apps like this one.

Maria Varmazes (24:03)

You can hear Adam and Dave's full discussion on today's Caveat episode following the interview on Caveat, Dave and co host Ben Yellen discussed the issue.

Dave Buettner (24:28)

Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for.

Maria Varmazes (25:23)

$1,000 a US army soldier, Cameron Wagenius, was recently caught leaking confidential phone records and attempting to extort AT and T for $500,000. Prosecutors say he was part of a group of hackers that stole data from Snowflake, a cloud storage service accessing records from companies like AT&T, Ticketmaster and LendingTree. AT&T alone had data from 110 million customers stolen and reportedly paid hackers $370,000 to prevent further leaks. Bogenius, who operated online under the alias Kyber Phantom, pleaded guilty to leaking data, but had also searched for ways to defect to non extradition countries and even asked Google, can hacking be treason? Because nothing says criminal mastermind like crowdsourcing your legal defense from a search engine. Authorities found evidence that he attempted to sell stolen information to a foreign military intelligence service and had a cache of over 17,000 stolen identity documents. Prosecutors argue that he is a flight risk and the government is pushing to keep him in custody while he awaits sentencing, where he could face up to 20 years in prison. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Also, please fill out the survey in the show notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm your host Maria Varmazes in for Dave Bittner. Thanks for listening. We'll see you tomorrow.

Dave Buettner (28:34)

And now a message from our sponsor. Zscaler, the leader in cloud security enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever With AI tools, it's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface making apps and IPs invisible eliminating lateral movement connecting users only to specific apps, not the entire network continuously verifying every request based on identity and context simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler zero Trust and AI. Learn more@Zscaler.com Security.