Risky Bulletin – "Between Two Nerds: Telcos Bad, Cloud Good."
Podcast: Risky Bulletin
Date: November 24, 2025
Hosts: Tom Uren (A), The Grugq (B)
Overview
In this episode of "Between Two Nerds," Tom Uren and The Grugq dive into the differences between security practices in traditional telecommunications (telcos) and modern cloud service providers. Leveraging recent regulatory and geopolitical news, they explore why telcos are often perceived as lagging in security, why cloud companies are (relatively) more secure and resilient, and whether tighter government regulation is helpful or counterproductive for either sector. The discussion is lively, sometimes sarcastic, and includes thoughtful reflections on cyber sabotage, legislation, and real-world case studies.
Key Discussion Points & Insights
1. FCC Rollback on Telco Security Regulation
[00:10–02:30]
- The FCC is planning to repeal a regulation from the Biden administration that set minimum security standards for US telcos: multi-factor authentication, patching, exploit mitigation, and removing default passwords.
- Grugq notes the minimal requirement:
"These are, to be fair, like the most minimum of security standards. Right. Like multi-factor authentication, mandatory vulnerability patching and exploit mitigation, and changing default passwords across the network." [00:51 – B]
- Telco response is dismissive: arguing they've "already done it" or that implementing changes is "too expensive."
- Tom's reaction:
"Now my reaction was it's a terrible idea. Telcos need to be prodded to do security." [01:55 – A]
2. The Reality of Telco Security Culture
[10:47–12:50]
- Telcos fundamentally care about security only to prevent "revenue leakage," i.e., theft of service.
- Broader security issues—like interception of traffic by adversaries—are not core business concerns.
- Grugq elaborates:
"But if they get hacked and all of your SMS traffic and Internet traffic and everything gets vacuumed up by someone else... That's not really their problem because as long as you paid for it..." [11:36 – B]
- Many telcos operate as marketing companies, outsourcing technical operations to contractors, making security further "just a cost center."
3. Emergence of Cloud as Critical Infrastructure—but Different Incentives
[03:36–05:58; 06:00–07:50]
- Geopolitical attention is on "critical infrastructure," often meaning physical utilities, but cloud services are just as (if not more) essential today.
- Cloud outages (AWS, Cloudflare) now cause massive disruption.
- Despite that, Tom and Grugq feel the big cloud players do "a good job" with security and resilience—greater government security regulation, in their view, could be counterproductive.
- Grugq's view:
"Any legislation I think would be, I think it would be counterproductive. Right. If you take, if you make these people spend more time filling out paperwork, they'll spend less time doing actual security." [07:22 – B]
4. Legislative Approaches—Global Comparisons
[07:50–09:43]
- US: Minimal regulation pre-Biden, new rules likely to be rolled back.
- Australia: Law since 2017 saying telcos should "do your best to have good security," which Tom calls more an internal lever than real enforcement.
- UK: Heavy, complex framework from 2021/22—a massive rulebook that Grugq finds problematic.
- Grugq jokes:
"[Australian law] was basically a pep talk from a Hallmark movie about some sort of youth league team... like, go out there and do your best." [08:44 – B]
- Over-regulation risks encumbering fast-moving tech with outdated requirements.
5. Cloud Outage Complexity and Attack Viability
[13:30–15:15]
- Real-life cloud outages are triggered by obscure, technical failures understood only in hindsight—attackers would struggle to exploit such complex systems without years of inside knowledge.
- Grugq notes:
"This is not like, get into a network, find the active directory, ... This is significantly more complex. So I think the amount of skills you'd have to have... would be [huge]." [13:59 – B]
- Reference to Netflix's Chaos Monkey—cloud technology is built for failure and recovery, so sabotage struggles to have any lasting impact.
6. Cyber Sabotage, Espionage, and Effectiveness
[17:13–20:55; 22:10–27:44]
- Attackers like China's Volt Typhoon group focus on critical infrastructure (e.g., Guam) for potential military disruption, but success means only causing delays, not devastation.
- Attack examples:
  - Belarus cyber partisans caused only an eight-hour train delay (still impressive as a two-person cyber op).
  - Aeroflot hack wiped redundant data centers; flight delays lasted one day.
- Grugq contextualizes:
"It's a really [bad] Sunday when you're trying to travel and get home. Yeah. It's not a world ending event." [23:47 – B]
- Their conclusion: Cyberattacks may be disruptive and a nuisance, but are rarely "knockout blows."
7. Cloud vs Telco: Security Incentives & The Chinese Perspective
[27:44–31:29]
- Discussion of whether Chinese cloud providers (Tencent, Alibaba) have similar incentives and sophistication; consensus is yes, as resilience and security are intrinsic to the business model, regardless of country.
- Reference to Chinese researchers finding and fixing security flaws (e.g., Xen bugs).
- Anecdote about SSD failures affecting large cloud operations—a cloud operator's business is constant recovery from inevitable failures.
8. Sabotage vs. Espionage Value in Cloud Context
[32:23–33:41]
- If an attacker got lasting access to AWS or similar, intelligence value would likely outweigh sabotage gains, especially for state adversaries.
- Tom:
"I think it goes back to what you think your theory of victory is." [33:27 – A]
- Grugq:
"Effects are only useful if they can be exploited ... But I think the majority of the time... Let's just get some intelligence. That's where you're going to fall pretty much all of the time." [33:41 – B]
9. Final Thoughts—Cloud Is Critical, But Regulation’s No Panacea
[34:15–35:19]
- Cloud is essential, "critical infrastructure" in a deep, societal sense—but legislation may not drive meaningful improvement.
- Attackers get minimal benefit from large-scale cloud outages, and the cloud companies' business incentives already push them to excel at both resilience and security.
- Tom wraps up with dry humor:
"There's no need for regulation, because they're not that good anyway. If they can't manage their own business, the Chinese won't do anything about them anyway." [35:01 – A]
Notable Quotes & Memorable Moments
- On legislative overreach:
"Legislative overreach. This is an onerous, insane. You know, there's no way we can keep up with the Chinese if we're forced to deal with this sort of red tape and regulation." [01:16 – B]
- On telco attitudes:
"We've already done security. We're done." [02:33 – B]
- On telcos’ security priorities:
"For a telco, a security issue is revenue leakage, which is when someone is stealing services ... But if they get hacked and all of your SMS traffic and Internet traffic and everything gets vacuumed up by someone else. That's not really their problem because as long as you paid for it..." [11:00–11:36 – B]
- On cloud provider resilience:
"They have so many postmortems that they've done and so many contingencies ... I'm pretty sure that if you show up and you start doing Chaos Monkey stuff, it's not going to be as effective as you would think, simply because they've had decades of chaos monkeys." [15:15 – B]
- On cyber-attack effectiveness:
"It's not a world ending event. Even when [attackers] hit Aeroflot... it caused a 24 hour delay... and they were back up the next day." [23:47 – B]
- On regulation as internal leverage:
"I thought it was a tool for people in the security parts of telcos to be able to say, this is important. There's this legislation that says we should do our best. It gave you a bit more of a lever internally." [08:57 – A]
- On the challenge of attacking the cloud:
"[If] Cloudflare didn't know about that beforehand, I'm not sure an attacker could have discovered it without having years [of study]." [14:01 – B]
- On sabotage value vs. intelligence value:
"Is the most effective thing that you could do to disrupt AWS for 72 hours ... or would it be to monitor and get intelligence from specific targets using AWS? And I think that the espionage value is probably far in excess of any sabotage value even if you are China and even if you are starting a war." [32:23 – B]
Timestamps for Important Segments
- 00:10 – FCC’s plan to revoke telco security regulation
- 01:55 – Rationale for minimal telco security standards
- 03:35 – Australian intelligence flags Chinese targeting of critical infrastructure
- 04:37 – Cloud outages—AWS & Cloudflare
- 07:50 – Comparing Australia, UK, and US legal regimes
- 10:47 – Telco business priorities re: security
- 13:30 – Complexity of cloud outages and attack difficulty
- 17:13 – Volt Typhoon and the limitations of infrastructure sabotage
- 22:10 – Case studies: Belarus railways and Aeroflot
- 27:44 – Chinese cloud security evaluation
- 31:12 – Resilience practices in cloud vs. sabotage attempts
- 32:23 – Intelligence vs. sabotage in cloud attacks
- 34:15 – Summing up: are cloud providers "critical infrastructure," and does regulation help?
Tone and Style
- Conversational, at times irreverent and deeply skeptical of regulatory quick fixes.
- Laced with dry humor ("Do you want technology that moves at the speed of regulation?").
- Balances technical insight with real-world, practical perspectives.
For listeners:
If you want a nuanced, candid, and at times amusing take on why telcos are so often insecure with your data while cloud providers are—by market necessity—pretty good at keeping things resilient, this episode is essential listening. Be prepared for sarcasm, memorable anecdotes, and hard truths about what governments and companies actually care about in cyber.
