B
And welcome to Seriously Risky Biz. This is the podcast we do here at Risky Business, all about cybersecurity policy and intelligence. My name is Amberly Jack, and in just a moment I will chat to Tom Uran, our policy and intelligence editor, all about the Seriously Risky Business newsletter that is up on our website today. You can of course read that and subscribe over at Risky Biz. First, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work at Risky Biz and also Lawfare, who syndicate Tom's newsletter and publish it on the Lawfare Media website. Finally, this week's episode is sponsored by Okta. So big thanks to them for that. And g'day, Tom.
A
G'day, Amberly. How are you?
B
Yeah, I'm good, thanks, and keen to chat to you. One of the pieces that you've written about in your newsletter today is that there's new legislation that's being proposed in the US which would essentially give private sector authority to hack foreign cybercrime entities targeting the US. And on the surface, I mean, scam farms is in the title of this bill, so it kind of looks like, okay, the private sector can hack scam compounds, and that doesn't seem so bad. But apparently there's a little bit more to it and it's a bit more complicated than that, Tom.
A
Yeah, yeah. So the bill is called the Scam Farms Marque and Reprisal Authorization Act. So it riffs on old-time, what were called letters of marque. And these were basically government licences that would allow privateers to attack and steal the goods of the ships of other nations. And they were in use from like the 13th to the 19th, early 19th century. So these are old-time government authorities. And the idea is every now and then people have said we should have cyber letters of marque, where you would authorise private sector actors to go and hack, because hacking is a big problem and so more hacking is the solution. Now, that's probably an unfair characterisation of the argument, but this particular bill basically says the President can decide that if there's a cybercriminal group, they can authorise a private sector hacker or group to go and hack whatever or anything anywhere in the world, as long as.
B
It's outside the US. So not just scam farms then?
A
Yeah, anyone the President doesn't like, as long as you can, I guess, plausibly say that they're a criminal. And you know, criminality is, to some at least, in the eye of the beholder. So it was tremendously broad, not at all limited to scam farms.
B
Yeah, that feels a little misleading. Side note.
A
It's more like a hack anything or anyone that the President wants bill. So that made me think back to the previous time this has come up, which was the Active Cyber Defense Authorization or Certainty Act, the ACDC Act. And the basic idea why this idea keeps on coming back is that there's all this latent private sector capacity to do hacking things in the US, and it basically doesn't get used, while other states are using contractors to hack or have relationships with their cybercriminal underground. And so it feels like there's a bit of an unfair playing field. And so is there any way that the US can usefully use that capacity? And so this perennially comes up, and each time it comes up the answer is, well, it seems like there are too many problems. So the contrast with the ACDC Act is interesting, in that it was designed to give private sector companies some tools to deal with hacks. And if they were attacked, the idea was that they could, air quotes, hack back to do a certain limited number of things like attribution, try and protect themselves, or do things like delete stolen data. Now none of this made sense to me, in that like you can delete stolen data from somewhere, but it's just one copy command away from being stolen permanently, like there's no guarantee you can do that. A lot of the technical arguments didn't make sense. And also, thinking about it, there's a vast majority, or there's just a vast swathe of threat actors that attack U.S. interests. So you're effectively saying with the ACDC Act, any U.S. company can respond to anyone who attacks it. And that pretty much opens up the field to everyone from commodity cybercriminal groups all the way up to the most amazing state-based intelligence groups. Like those are the range of threat actors attacking the US. So even though it sort of felt like it was targeted, because it was only the threat actor that attacked you, en masse it was like most of the planet.
So the concerns with hacking back are: are you going to hack the right person or group? Like getting that right seems important. Are you going to cause collateral damage? Are you going to interfere with state operations that are going on? So if NSA or Cyber Command or FBI has an operation going on, they don't want random hackers turning up and muddying the waters, making mistakes, getting them caught. And when you've got such a large, I guess, scope, like that's just impossible to deal with. So the ACDC went nowhere. Now, at least in theory, the Scam Farms Act feels like it should be targeted on scam farms. And if it was, I think it actually, like that makes sense, because scam farms are huge. They're industrialised, they're decentralised. There's no single point that the FBI or NSA or Cyber Command could attack where they would really get bang for the buck.
B
Yeah, right.
A
Like those operations make sense when you can understand the network, you can find a key point, you can do something that's, if not decisive, at least significant. It doesn't feel like that for scam farms. That place exists. So it feels to me that even though they're a huge problem, like they cause a lot of harm and damage, I'm not sure that state action, at least in the cyber realm, will make that much difference. But perhaps like broad-based, private sector-based action could make some sort of difference. And the second thing is that you're not like, like you've got a limited number of actors now. It's a huge ecosystem, but it's positive. Here's a group that you can go after. The President could say you can go after these specific things, not anyone who happens to hack you. So I think that the bill, even though it's problematic, highlights that there are some threat actors out there where maybe the private sector would be part of the solution.
B
Yeah, yeah, for sure. Just going back to it, it's got a few problems. I did like that in the newsletter you sort of highlighted that it's a little bit light on some details, like where the money goes.
A
That's right, yeah, yeah. So it says you can hack anyone or anything, but it doesn't say what you do with the money. So if you're a privateer, I think, you know, being able to hack anyone and anything, or anything the President specifies, to get money, that seems like a great deal. There's a tremendous profit incentive. But from a society point of view, I think it makes sense that you would give like most of the money back to the victims. And how would you do that? I don't know. So that all seems problematic, but I think if you step back, the big picture idea makes a lot of sense.
B
So, and that's kind of what I get from reading your piece as well, is if it stuck to those scam compounds, that seems kind of fair and kind of worthwhile. So basically what you're saying is this bill will be left on the shelf, unused, to die. Yeah.
A
So I spoke to a number of people. They thought that it would not go anywhere. The ACDC Act had quite a few co-sponsors, I think like 18 or something like that. So that felt like a serious bill. They thought it through. To me, this one doesn't feel the same, because like, you know, what happens to the money? Like you've got to have that in there. Like that seems like a key detail.
B
A little bit important.
A
And there's no co-sponsors. It felt to me like there's this thing called a messaging bill, which is you don't expect it to pass, but you float it up as a think piece, something to provoke thought. And I think for that purpose it's actually quite good. Like to me it made me think through the implications of who you would try and get the private sector to attack. And if it doesn't seem like the US is going to adopt the China or Russia solution, for good reason, I don't think it makes sense for the US, but this seems like perhaps a position that would make sense.
B
And that's the thing at the end of the day, I guess, is getting people talking is a first step to these things a lot of the time. So maybe that's what this will do.
A
Maybe it's a brave new world.
B
And another thing that, I mean, we never see on the desks here at the Risky Biz newsroom is both Microsoft and China. But the latest between Microsoft and China, Tom, is Microsoft's made a bit of a move with its MAP program that seems to suggest they're maybe finally learning some pretty painful lessons about putting their blind trust in China. Tell me about that.
A
Yeah, so this feels like a long historical journey. The news is that Microsoft has a program it calls MAP, the Microsoft Active Protection Program, where it gives certain, air quotes, trusted vendors advance warning of bugs. And in the past it used to give them proof-of-concept code that would actually exploit the vulnerability. Now it turns out that Microsoft is, depending upon how you phrase it, scaling back that program for Chinese vendors. And the concern is that Chinese vendors have at times in the past taken that proof-of-concept code and perhaps given it to Chinese intelligence agencies or Chinese hacking contractors or whoever. So there have been a couple of incidents: this most recent SharePoint hacking incident, and back in the past, Microsoft Exchange, a mass hacking incident where there's been the suspicion that the bug has leaked from MAP to Chinese hackers. So the Exchange incident was back in 2000. They kicked some vendors out of the program back then. This incident happened obviously this year, and they've basically scaled back all the sharing for Chinese vendors. So instead of getting proof-of-concept code ahead of time, they'll just be given a general description at the same time the patch is pushed out. So that's a pretty significant change.
B
You sort of say, you know, they're looking at whether those leaks could have come from that program, but there were a few places they could have come from.
A
That's right, yeah. So it turns out that with the most recent vulnerability, SharePoint, the engineering team that maintained SharePoint was actually based in China. And so the other possibility is that the leak came directly from Microsoft itself and its China-based engineers. And the reason that China is a concern is it has laws which say that if you're anyone, you have to help with intelligence work. So Microsoft has gone through a long phase over the last couple of decades where it's basically not cared about security enough, in my view. So it's prioritised doing things quickly and cheaply rather than doing them securely. So in that period it made a number of decisions about how much to trust China-based engineering teams. One of those is with SharePoint; another one we spoke about a couple of weeks ago, it had China-based engineers helping to maintain U.S. Department of Defense systems. Now if you really care about security, both of those are non-starters. Like you would just immediately eliminate them as, like, thought bubbles. Like they go on the brainstorming blackboard and they are crossed out immediately. But now Microsoft has had, in the past year or so, a revelation that, oh, actually security is important. If we don't get it right, it undermines trust in everything, for the second time in 20 years. The first time was back in 97, and it took really a Cyber Safety Review Board report, which talked about Microsoft's cascade of security failures. It was a very, very harsh report. And I think that was the moment that the eyes opened and people there went, oh, actually this is a serious problem. The government is losing trust in what we do. This is a big problem for our business. And they had launched a Secure Future Initiative and they basically embiggened it. And the CEO, Satya Nadella, sent out a memo saying security is the top priority. At the time I thought that was good news. It is still good news. I think it has made some difference.
But what they didn't do was go and revisit all the decisions made about who do we trust, all of the decisions they made in that decade or so where they basically, like, sort of fudged security. Like I think both of those, the SharePoint decision and the government cloud being maintained in China, those are not decisions you could possibly conceive of making if you really cared about security. But they didn't go and revisit them. So it feels to me like there's this legacy, I would call it, I guess, a trust debt, where you've put your trust in places that you really shouldn't, and it doesn't seem like they've revisited those decisions, and they're learning, you know, one bad news story at a time, that this is a problem. So Nadella, in his memo that placed security as a top priority, he said, you know, security is a team sport, and they're only just realising that some of their players are actually potentially playing for a different team.
B
Yeah, for sure. And I know you love predictions, Tom, but I'm going to ask you here, just, I mean, they're obviously learning these lessons. They're obviously learning them quite late. How hard is this going to be to climb out of this kind of web that they've spun for themselves?
A
I think it's going to be extremely painful. So for example, and we spoke about this with the U.S. Department of Defense cloud, it said that they're not going to be using China-based engineers anymore. And I joked at the time that that just leaves Indian, Brazilian, you know, every other country's engineers, and I think they face a capacity constraint where there's not enough well-trained engineers that they want to pay to do this work. So undoubtedly they'll do things like look to AI to fix the problem. I think it'll take time.
B
Yeah, yeah, for sure. All right, we might leave it there, Tom, but thank you so much and look forward to seeing you again next week.
A
Thanks, Em. Sam.
Air Date: August 28, 2025
Host: Amberly Jack
Guest: Tom Uran (Policy & Intelligence Editor)
Theme: Exploring new U.S. legislative approaches to hacking foreign cybercrime, Microsoft's evolving China security posture, and repercussions for policy and the private sector.
This episode dives into two major cybersecurity topics:
On the Bill’s Scope:
“Anyone the President doesn’t like, as long as you can, I guess, plausibly say that they’re a criminal…[it’s] tremendously broad, not at all limited to scam farms.”
— Tom Uran (02:41)
On Old Hack-Back Proposals:
“…if you were attacked, the idea was you could, air quotes, hack back…to do a certain limited number of things like attribution, try and protect themselves, or do things like delete stolen data. Now none of this made sense to me...”
— Tom Uran (04:12)
On Policy Messaging:
"It felt to me like there's this thing called a messaging bill which is you don't expect it to pass, but you float it up as a think piece, something to provoke thought. And I think for that purpose it's actually quite good."
— Tom Uran (09:19)
On Microsoft’s Delayed Security Prioritization:
"Microsoft has gone through a long phase over the last couple of decades where it's basically not cared about security enough in my view...Now Microsoft has had in past year or so a revelation that, oh actually security is important."
— Tom Uran (13:19)
On Learning from Mistakes:
"They're only just realizing that some of their players are actually potentially playing for a different team."
— Tom Uran (15:50)
The conversation balances skeptical, dry humor with serious concern over the practical realities and risks of cybersecurity policy. Tom Uran provides candid, often sardonic insights, while Amberly Jack steers the discussion to clarify legislative intentions and high-level industry impacts.
The episode provides a nuanced exploration of U.S. cyber counterattack legislation—ultimately revealing its broad overreach and limited political viability—while exposing long-standing problems in Microsoft's trust and security culture as it recalibrates its approach to China in a geopolitically charged era.