A
Hello, everyone, this is Tom Uren. I'm here with The Grugq for another Between Two Nerds. G'day, Grugq, how are you?
B
G'day, Tom. Fine, and yourself?
A
This week's discussion is brought to you by Thinkst, makers of Thinkst Canary. Find them at thinkst.com. So, Grugq, one of the things that's been going on recently is that the US Federal Communications Commission, the FCC, they've basically committed to having a vote about pulling back some regulation that was created right at the end of the Biden administration. It appears like they'll repeal the legislation which required US telcos to have some sort of security standards. So, I mean, so you sent me this.
B
Yeah. These are, to be fair, like the most minimum of security standards. Right. Like multi-factor authentication, mandatory vulnerability patching and exploit mitigation, and changing default passwords across the network.
A
Oh, like, I mean, this is. Where will it end?
B
Legislative overreach. This is an onerous, insane. You know, there's no way we can keep up with the Chinese if we're forced to deal with this sort of red tape and regulation. Yeah.
A
So the motivating reason for the regulation in the first place was because a Chinese group, Salt Typhoon, had had tremendous success hacking US telcos and to be fair, global telcos as well. So I actually wrote about it a few weeks ago. Brendan Carr, the FCC head, had put it in a Halloween blog post where he mentioned that they were going to have this vote.
B
And would you say trick or treat? Probably a trick.
A
It was a Halloween treat blog post. Now my reaction was it's a terrible idea. Telcos need to be prodded to do security.
B
Right. I mean, their argument is, I think it's quite rational. It's like, first of all, we've already done it. And second of all, it would cost too much to do. So.
A
We don't need part of. That's part of what Carr said in his post. You know, they've done tremendously well in the few months now.
B
There's no reason for them to do something expensive like implement these changes.
A
So we don't need to do it anymore.
B
We've already done security. We're done.
A
Yeah, yeah. So by all accounts, Salt Typhoon hasn't gone away. The other thing that occurred just this week is Mike Burgess, who is the head of Australia's security intelligence organization, ASIO. So it's got part of the function of the FBI in that it does counterintelligence. He came out publicly and said that Chinese actors are compromising Australian critical infrastructure for the purpose of sabotage. Yeah, so that I thought was interesting because there have been technical documents from Five Eyes cybersecurity authorities that have said, yeah, this affects us, but it's never really become a political issue. So he's raised it at a political level. He gave a speech. I'm presuming he's trying to raise awareness to get people to do something about it. The dynamic in Australia is that China's our biggest trading partner and so we want to mitigate risks while at the same time not.
B
Yeah, like still selling too upfront about it. Mineral resources.
A
Now, what was interesting about that in particular was it made me think that he's talked about critical infrastructure and you get a sense of the sorts of things he's talking about, even though sometimes he's not explicit and it feels like electricity networks, telcos, that kind of thing. But what doesn't really come up is cloud infrastructure. The three big cloud companies we've talked.
B
About multiple times that, you know, so much, so much of what counts as critical infrastructure is still mired in this sort of almost 1950s view of things, where it's like, oh, we need electricity and we, we need the telephones and then we probably need water and yeah, I think that's it. That covers literally everything that like civilization needs to maintain this high standard of living. And things have come on and the Internet is just like it's, it's critical infrastructure for society.
A
Yeah. So I think in the last couple of weeks we've had two big outages. One was AWS, one of their data centers, US-East-1, had problems and that caused a lot of disruption. And then I think it was Cloudflare as well, had problems like a separate incident, and then that also caused a lot of disruption. So it seems like, it seems logical at least that if you were an adversary like China, those cloud companies would be a potential place that you would go to try and cause mayhem. Like, if you're, if you're preparing for the contingency of having to sabotage an entire another country, those cloud companies seem like a good place. And each of those incidents, it was something very, very tiny went wrong. People didn't really understand the implications. And then it blew up to everything not working right, cascading failure, going away or something. Yet at the same time, if you said to me one of the most important things is that the government gets legislation to require cloud companies to do good security, I would probably go, no, it's not actually that important. I think they do a good job. So that's kind of interesting to me that.
B
Yeah. So there's this.
A
Is it an asymmetry? I think what underlies it is a difference in incentives, maybe.
B
Yeah. So I actually had a discussion about this yesterday on Twitter where. What's his name?
A
Phil in Seattle, Brian and Frank. Brian in Pittsburgh.
B
Philadelphia. Yeah. So Brian in Philadelphia brought up sort of the same point that you did, which is that if it's so easy to knock these cloud companies over and then it impacts so much of the web, surely nation state adversaries are going to be looking at this and saying we should target these entities to disrupt our adversaries. And I'm with you on this one. I disagree. So I do think that it's entirely possible they might be targeted and those attacks might be successful, but I don't think it matters. And I think that they're actually quite hard targets as is. They're going to have like the people who work there do very good security because there's a lot of money spent on it and they have a lot of very smart people and they spend a lot of time on it and they worry about it all the time. So I don't think that there's a problem of them sort of. I don't think they're telcos, essentially. I do think that they change the default passwords on their devices. I think that they have MFA. I believe that they patch. I think that they do this sort of like basic security hygiene things. So I strongly believe that they are quite good at their jobs. And any legislation I think would be, I think it would be counterproductive. Right. If you take, if you make these people spend more time filling out paperwork, they'll spend less time doing actual security. So I don't, to be fair, I.
A
Think that there probably is quite a bit of regulation that affects parts of their business. But in terms of carving out the industry as a, you know, telcos, you need to do better, cloud companies, you need to do better. I don't think that legislation really makes sense. So quite a while ago I wrote a piece that looked at similar issues and I was struck by the difference between different legislative regimes. And at the time the US basically had nothing. This was before the Biden era regulation Australia had legislation that dated back to 2017 and it was essentially telcos, you have to. And this was actually in the legislation, you have to do your best to have good security. And that was basically kind of it. I could add words around effective control, like you need, need to be able to control.
B
So it was basically a pep talk from a Hallmark movie about some sort of youth league team on the second half of their. Of their big match of like, go out there and do your best.
A
Thought of it was it was a tool for people in the security parts of telcos to be able to say, this is important. There's this legislation that says we should do our best. It gave you a bit more of a lever internally.
B
Right.
A
And then the UK had come up with a whole massive framework and that it had taken a couple of years to come up with. And that was instituted like just three years ago, something like that. 2021, 2022. It had come out of a supply chain security review. So there was a whole lot of massive, you know, you shall do this, you should do that. I'm not really a fan of that kind of legislation because it's just like too much work.
B
Well now and like, do you want technology that moves at the speed of regulation?
A
Right, yeah.
B
Is. I know that that's sort of the position of a lot of these move fast and break things companies. But in this case I do think it applies. Like, I think that if you have security rules that get mired in legislation are the reasons we have things like you have to change your password every 30 days or, you know, your password has to be like, hard to remember because of like some stupid arbitrary thing. When it's like the data shows that that is not the best approach. And now that we know what the best approach is, we still have all this legacy stuff. And the thing about regulations is, like, they're never repealed, they're only added to like you only accrete them. So you just get more and more. Yeah, like I'm, I'm entirely on board with. I don't think that that's a great idea. I'm. I think we should have more of these Australian rules of like, you should do your best. That's right. Government says do better, you know, like. So the.
A
I suppose the problem with telcos is that they don't care because it fundamentally doesn't seem to affect their business if they get hacked.
B
Well, so here's the thing is that for a telco, a security issue is revenue leakage, which is when someone is stealing services. Right. So that's a security issue that they care about. That's why SIM cards are very secure. They worry about things like are you able to get a line that you can then cheat them in some way for services that you don't get billed for. That terrifies them. But if they get hacked and all of your SMS traffic And Internet traffic and everything gets vacuumed up by someone else. That's not really their problem because as long as you paid for it, you know, I mean, they might be looking at us being like, well, these guys vacuum it up. Were they getting free bandwidth from us? Like, was there an opportunity for some revenue generation that we missed here? Like, should we. Should we reconfigure around that? So, yeah, like telcos, they just don't care because it's not part of their business. And in fact, at least in the rest of the world, a lot of telcos are actually. They're just. They're basically marketing companies. So they have contractors that manage all of their networks. They basically have people who are in charge of the technical parts and all this other stuff. And their role is sort of like you manage the licenses for your frequencies and you advertise your services and you sell them. And then when you're getting a new service, you bring in a contractor who can build that and supply it. And if that's your approach, then security is absolutely only a cost center because it's not something that you deal with yourself. Like, it's not part of your company DNA. Your company DNA is to do as little as possible with the technical stuff.
A
Yeah, yeah. I guess going back a while now, it's also not as if customers had any alternatives. I wonder if that still has any, you know, flow on into the sort of culture that you have as a business. I suppose there's more competition nowadays. Now, it seems that the cloud providers. I don't know if I actually believe this, but to me it would make sense that you would go in, find two or three tricky little things that you could muck around with and try and upset them as a potential sabotage operation. But it just doesn't seem to be happening.
B
Yeah, so, like, there's so many things with that scenario that I think aren't appreciated. So first of all, I think if you've looked at the outages that have existed, they've been things like Cloudflare says that a database was misconfigured that output duplicate entries into a file and that file was ingested by something else where because the duplicate entries, it exceeded the maximum size for that file, which caused this service to stop operating. And because everything sort of in some way relied on it, there's this cascade of failures all the way out. Like, if Cloudflare didn't know about that beforehand, I'm not sure an attacker could have discovered it without having years of the amount of study that you would need this is not like, get into a network, find the Active Directory, get, you know, domain admin, find the SharePoint server and copy all of the, you know, Budget 2025 folders. This is significantly more complex. So I think the amount of, just like the amount of skills you'd have to have in order to understand how the thing works so that you could mess with it in a way that's effective would be.
A
Rob Joyce, when he was head of TAO, gave a talk and he said that the way that attackers win is by understanding the network better than the defenders.
B
Right, right.
A
And I guess in this case, yeah, you, yeah, you. You can't understand it.
B
No one can understand better than Defenders.
A
Because the defenders don't even understand it. Like, you know, you have to go beyond what is possible.
B
Yeah. Like, you're looking for emergent behavior in a complex system and that's like, that's a hard task. Like, I'm not saying you can't disrupt it. I'm saying that anything you do to disrupt it is unlikely to be, obviously not permanent. But I don't think it's just going to last very long. You can delete a whole bunch of stuff, maybe, and it's going to take them hours to recover just because that's how long it takes to restore the backups just in volume. Like, you can do things without understanding the network completely. That would be disruptive. But I think that they have so many postmortems that they've done and so many contingencies that they've developed for different types of similar examples. Yeah. So long ago there was. I think it was Netflix, might have been Amazon, but I'm pretty sure it was Netflix had a system called Chaos Monkey, and it was a service that existed in their network whose job was to go around and start disabling things at random so that they were able to build redundancies and resilience so that regardless of when, like, basically, if this database crashes, how do we keep operating? Okay, well, we need to have duplicates like that, blah, blah, blah. So, like, I'm pretty sure that if you show up and you start doing Chaos Monkey stuff, it's not going to be as effective as you would think, simply because they've had decades of chaos monkeys. So I think that's baseline. I'm not sure it's going to be very effective. Even if you get 24 hours of downtime, which would be a phenomenal success. What is the actual impact of cloudflare or AWS going down for 24 hours? Chaos. The End of civilization, rioting the streets, the National Guard gets deployed, you have to declare martial law.
A
So in the case of Volt Typhoon, which is the Chinese group that has been getting into US and it appears elsewhere, critical infrastructure for the potential of sabotage, it seems that there was some focus on Guam, which is where there's a US military presence that is relatively close to Taiwan. So I'm not sure if I've seen it explicitly written, but presumably the idea is that if there was some military flare up, some disruption there would delay or interfere with a US military response.
B
Right.
A
And that seems. Well, yeah, it might delay it by some time. Maybe that's enough to. Maybe that's enough to make a difference.
B
Right. So this harkens back to our discussion in BTN 145, which was last week's we were talking about like it's like it's very hard to coordinate effects operations with military stuff. So like, yeah, it could, it could work in that situation. And I think that that's sort of like one of the very, very few times that it, it actually matters because.
A
It's right at the beginning.
B
Yes, it's right at the beginning at a time critical phase, like when you know, an extra 24 hours without interference could be pivotal. Like it could tip everything in your favor. But you know, if it's been going on for three years, 24 hour delay.
A
Yeah. So if you take that as a viewpoint, then I guess the disruption of Cloudflare or AWS or Google Cloud or whatever, like it doesn't make any difference because there's no nexus around Guam or Taiwan.
B
Right.
A
So it, to me, it is curious that the rhetoric around Volt Typhoon is far broader than just Guam or Taiwan.
B
Yeah. So I think Salt Typhoon, which is the telco one is more impactful, but it's also much easier to solve. Except the solution is encrypted services for everyone. And no one likes. Nations do not like that as the solution. That is not the solution that they want. It's that they want their backdoor into networks to exist only for them. They want it to go back to being NOBUS, like nobody but us. And so I think that the threat is bigger there, but the solution is simple, like just use Signal. So I'm just thinking that one of the things that the SOE had the French resistance do is right after the.
A
Special Operations Executive in World War II.
B
Right. So that basically the sabotage units and that the French resistance that was being managed in many ways by them after the D-Day invasions, what they had these guys doing simultaneously was cutting telephone lines. And the reason that was given was like we want to disrupt the communications between army units inside France, which is absolutely true. But the real reason was they wanted the communications to move to radio because radio could be intercepted and decrypted by Ultra. So I wonder if that makes sense. Like you would disrupt Cloudflare and AWS so that Signal goes down which forces people to use the telephones, which then puts you in Salt Typhoon.
A
So it actually to me makes more sense that it would be practical to disrupt Signal for longer than AWS, for example.
B
Right, right.
A
I don't really know why. I think that. I think maybe just because AWS is a bigger organization, they're dealing with resources.
B
Yeah.
A
They've got, they make a lot of money and they pay people a lot of money to keep services running. So they're kind of used to being on a service recovery treadmill.
B
Yes, absolutely. So, yeah, I agree with you. But like that makes sense to me. Like that would be a useful attack, but again it would have to be coordinated with something to be like, it would be useful only in that it would set the conditions for something that could be, that could exploit those conditions. Like in and of itself it doesn't have value. Right. It doesn't get you anything. And I think that sort of, that's the big picture problem with a lot of these things. So I mean if we're talking about like, you know, cyber attacks against critical national infrastructure, I think about, you know, when the Belarus cyber partisans went after the Belarusian railway service and they, they shut everything down and tried to, they tried to do a ransomware where Lukashenko had to stop cooperating with the Russian military if he wanted his railway back.
A
Right. Yeah.
B
And you know, as far as ransoms go, that's kind of funny. And this was an incredibly effective attack. Like these are, these are skills, skilled operators. They were there for a long time, they got very deep. They, they were comprehensive in their attack and it did work like it caused an eight hour delay for the use of the trains which is like, that's hugely impressive in terms of like what a two man cyber team can do. But it's an eight hour delay. Like. Yeah, you know, like that's a really, it's a really Sunday when you're trying to travel and get home. Yeah. It's not a world ending event. Even when they hit Aeroflot, which was much more recently I think earlier this summer, again, it was a comprehensive skilled attackers that, a long time where they were resident, where they were sort of figuring out what are all of the things that we need to take out to make sure that there's just no recovery possible. And they did that and they hit, there was redundant data centers. They hit both of them, they wiped both of them. There were no backups because they relied on sort of syncing between these two centers. And so that was a massive and huge attack against a system that relies very heavily on cyber services like Aeroflot. The national carrier for Russia needs those things to schedule refueling, sell tickets, board people, you know, refund tickets, like all of the stuff. And that caused a 24 hour delay in Aeroflot and they were back up the next day and it was, you know, reduced services, but within a week they were basically back. And so it's like, yeah, that sucks if you were flying then, but it's not a knockout blow.
A
Yeah. So Aeroflot has a whole lot of other problems, so, like sanctions. It's hard to get parts for at least some aircraft. And I was thinking that the cyber attack is like another straw on the camel's back. So it's unlikely to be the one that breaks the organization. And probably in the context of what else is going on, it's, it's a.
B
Huge drain on resources. Well, I think it's a drain on resources that could be better spent elsewhere. Like they don't want to spend their time restoring their network. They want to spend their time figuring out how to deal with the 20% inflation and rotate parts between planes so that things don't fall out of the sky and all sorts of other things that they would rather deal with that are more pressing issues.
A
It seemed like from a cyber partisan's point of view, like a cyber operation is the hammer we've got. So we're just going to use that hammer. Regardless of that, it's not probably the most effective way to disrupt Aeroflot. But also what other options are there? There have been sanctions, there has been Western pressure.
B
Well, I'd sort of turn that around a little bit, which is that if you are 10 people or three people, whatever it is, they have a very small team. The most effective thing you have is absolutely cyber. It's not the most effective tool that the West has. But in terms of a small group, cyber gives them disproportionate power compared to their actual size. But I guess there's two things. So on the one hand, yes, I think it was good for them to do it. And I think that, I'm not saying they should not have done it. I think it was part of the war effort. It makes complete sense within that context. My point is less about the effectiveness of this attack itself and more about the effectiveness of these types of attacks as they are perceived by these, like, cyber war theorists. When you sit down and you go, like, what would happen if our telco carriers got completely knocked out? It's like, well, look at Kyivstar. They were completely knocked out. People went across the road and they bought a SIM card for one of the competitors and they went on with their day. Kyivstar was back up in seven days. Like, it was annoying. And life went on. You know, there were more pressing things. The Aeroflot example, right. Like, people were delayed for a few days and it sucked and then life went on. So I think that, you know, these, like, it would be terrible if people did this. Like, yeah, it would be annoying. It would be very annoying. It might cause serious problems for. Look, I'm not saying we wouldn't get our hair mussed. Yeah, I do feel a little bit like a nuclear war strategist explaining why we would win a nuclear exchange because we would only lose a few cities. But, but I do think that it's sort of the idea of cyber is like this big, powerful weapon when it's used in this way is very misguided. And I think that there's a lot of examples that show it's just not effective as the sort of, like it's not effective as a hard power.
A
Okay, so let's turn this around. And instead of being the defenders and thinking of AWS and Azure and whatever, who, for whatever misguided reason, we probably think have relatively good security postures. Do you think that is true for Chinese cloud providers? Because there's some big ones. And is it, is it the dynamics of just running that sort of business that forces you to be good at security?
B
So Tencent is one of the big cloud providers. Right. Most of the Xen bugs of the last few years have been submitted by Tencent. And so Xen is the hypervisor used by a lot of cloud providers. And so the bugs that get discovered and patched, a lot of them are found by Tencent and Alibaba. So I do think that, like, I think they do have good security. Now. I, I don't know if their security is limited to like, you know, hypothetically, if you wanted to break into someone else who was running Xen, let's red team and go offensive. Like, so maybe that's the security that they have and they don't have resilience. But I think that's unlikely. I think that the nature of trying to run something.
A
Yeah, yeah, yeah. Like the, the nature of the business is you have tens or hundreds of thousands of servers, they're always breaking because when you've got that many, you know, some percentage of breaking all the time. And so therefore you've got to have systems in place to deal with that and like cascading failures, you've got to be prepared to deal with that because that's the nature of the business. It's not, I wonder. It's not that the US providers are exceptionally brilliant or good or doing security out of the goodness of their heart. It's the sort of flip side of resilience.
B
I'm wondering if there's been like a CN-West-1 where somehow like all of Tencent or Alibaba went down and the Chinese Internet was just offline for most of a day and we never hear about it because that's not the sort of thing that interests any of us in the news or that would make the news over here necessarily. Like maybe they do have these events and we just don't know about it. I mean, all I'm getting at is they have similar sized companies that we know and there's a non zero chance that those companies have had incidents that are similar to the US-East-1 goes down and so all of Beijing loses Internet for a while. But I think that they're probably resilient in the same way because you would have to be to be in that business. I think it was earlier this year where an SSD manufacturer discovered that they had an error in their production, which meant that at the five year mark their SSDs just stopped. They went, they bricked themselves. So because it was coming up in the five year mark now like there are just banks and banks of servers where like suddenly the disk stops working, like all of them at once because they're all. And so like that's a thing that you're just going to have to deal with because it's like it's got nothing to do with the defensive cyber action. It's just hardware fails. And it turns out that you invested a huge amount in one specific thing that happened to have a fault that shows up years later and that's it, you know, like you have to recover from that because that's business as usual.
A
Yeah. I'm wondering if there's a difference between sabotage operations and intelligence operations. Like I'm kind of thinking now that all cloud companies are good at dealing with attempted sabotage. Because resilience is the name of the game.
B
Yeah.
A
Whereas.
B
From a, like, from a railway point of view, there's very little difference between someone blowing up a railway track and a railway track coming loose and falling off. Like it needs, they both need to be solved in the exact same way. So it's, you know, you take an existing skill set, you just like, this was a malicious action, this was accident, same thing. And you deal with accidents all the time. So I think it's, I think I'm saying in a very, very long winded way. Exactly what you said in a succinct way.
A
But I mean, obviously you need to be able to kick people out of your system. So if your security is not up to scratch, it probably doesn't matter how quickly you can restore things if the person who, you know, the unwanted intruder who's still in charge can just switch them off again. So there must be a security element as well.
B
Yeah. So I do think they've got better security than most and I do think that it extends to things. But in a way I do agree with you, which is that let's go back to thinking like an attacker. Say you have access to aws. Is the most effective thing that you could do to disrupt AWS for 72 hours. Right. Like some insane, impossible amount, or would it be to monitor and get intelligence from specific targets using aws? And I think that the espionage value is probably far in excess of any sabotage value, even if you are China and even if you are starting a war. And so it's probably even more important at that point to be able to see what's going on. Because there's going to be things like lots of manufacturers who are involved in the defense industry are going to be using AWS and you'd love to be able to see.
A
I think it goes back to what you think your theory of victory is.
B
Right.
A
So if your theory of victory is we'll take Taiwan in four days, maybe sabotage is fine.
B
Right. You can exploit it in the time period that you have. And so like, yes, this is, like, this is a lot of my contention is that effects are only useful if they can be exploited. And they're very hard to exploit because of coordination problems. However, if they can be exploited, then that's when you do the equity equities analysis to say, okay, it is worth it to do these effects because we can exploit them and get this much value instead. But I think the majority of the time when you evaluate your equities, you're going to come out with. Let's just get some intelligence. That's where you're going to fall pretty much all of the time. Yeah. So I guess, in summary, there's been a lot of talk about legislation of sort of treating cloud service providers as critical national infrastructure, and I conceptually agree with that. I think that they are critical infrastructure, but I think they're a critical infrastructure for society, and in ways that we don't quite comprehend because it's just so deeply interwoven. That said, I don't think that regulation is necessarily the right approach, and I don't think that attacking these providers is necessarily that effective as an attack.
A
There's no need for regulation, because they're not that good anyway. If they can't manage their own business, the Chinese won't do anything about them anyway. Thanks, Grugq.
B
Thanks, Tom.
Podcast: Risky Bulletin
Date: November 24, 2025
Hosts: Tom Uren (A), The Grugq (B)
In this episode of "Between Two Nerds," Tom Uren and The Grugq dive into the differences between security practices in traditional telecommunications (telcos) and modern cloud service providers. Leveraging recent regulatory and geopolitical news, they explore why telcos are often perceived as lagging in security, why cloud companies are (relatively) more secure and resilient, and whether tighter government regulation is helpful or counterproductive for either sector. The discussion is lively, sometimes sarcastic, and includes thoughtful reflections on cyber sabotage, legislation, and real-world case studies.
[00:10–02:30]
"These are, to be fair, like the most minimum of security standards. Right. Like multi-factor authentication, mandatory vulnerability patching and exploit mitigation, and changing default passwords across the network." [00:51 – B]
"Now my reaction was it's a terrible idea. Telcos need to be prodded to do security." [01:55 – A]
[10:47–12:50]
"But if they get hacked and all of your SMS traffic and Internet traffic and everything gets vacuumed up by someone else... That's not really their problem because as long as you paid for it..." [11:36 – B]
[03:36–05:58; 06:00–07:50]
"Any legislation I think would be, I think it would be counterproductive. Right. If you take, if you make these people spend more time filling out paperwork, they'll spend less time doing actual security." [07:22 – B]
[07:50–09:43]
"[Australian law] was basically a pep talk from a Hallmark movie about some sort of youth league team... like, go out there and do your best." [08:44 – B]
[13:30–15:15]
"This is not like, get into a network, find the Active Directory, ... This is significantly more complex. So I think the amount of skills you'd have to have... would be [huge]." [13:59 – B]
[17:13–20:55; 22:10–27:44]
"It's a really [bad] Sunday when you're trying to travel and get home. Yeah. It's not a world ending event." [23:47 – B]
[27:44–31:29]
[32:23–33:41]
"I think it goes back to what you think your theory of victory is." [33:27 – A]
"Effects are only useful if they can be exploited ... But I think the majority of the time... Let's just get some intelligence. That's where you're going to fall pretty much all of the time." [33:41 – B]
[34:15–35:19]
"There's no need for regulation, because they're not that good anyway. If they can't manage their own business, the Chinese won't do anything about them anyway." [35:01 – A]
"Legislative overreach. This is an onerous, insane. You know, there's no way we can keep up with the Chinese if we're forced to deal with this sort of red tape and regulation." [01:16 – B]
"We've already done security. We're done." [02:33 – B]
"For a telco, a security issue is revenue leakage, which is when someone is stealing services ... But if they get hacked and all of your SMS traffic and Internet traffic and everything gets vacuumed up by someone else. That's not really their problem because as long as you paid for it..." [11:00–11:36 – B]
"They have so many postmortems that they've done and so many contingencies ... I'm pretty sure that if you show up and you start doing Chaos Monkey stuff, it's not going to be as effective as you would think, simply because they've had decades of chaos monkeys." [15:15 – B]
"It's not a world ending event. Even when [attackers] hit Aeroflot... it caused a 24 hour delay... and they were back up the next day." [23:47 – B]
"I thought of it was it was a tool for people in the security parts of telcos to be able to say, this is important. There's this legislation that says we should do our best. It gave you a bit more of a lever internally." [08:57 – A]
"[If] Cloudflare didn't know about that beforehand, I'm not sure an attacker could have discovered it without having years [of study]." [14:01 – B]
"Is the most effective thing that you could do to disrupt AWS for 72 hours ... or would it be to monitor and get intelligence from specific targets using AWS? And I think that the espionage value is probably far in excess of any sabotage value even if you are China and even if you are starting a war." [32:23 – B]
For listeners:
If you want a nuanced, candid, and at times amusing take on why telcos are so often insecure with your data while cloud providers are—by market necessity—pretty good at keeping things resilient, this episode is essential listening. Be prepared for sarcasm, memorable anecdotes, and hard truths about what governments and companies actually care about in cyber.