
A
Hey, everyone, and welcome to another episode of Seriously Risky Business, the podcast we do here at Risky Biz HQ, where I talk to Tom Uren, who is our public policy and intelligence editor at Risky Business. Tom, g'day. How you going?
B
Good, Patrick, how are you?
A
Good, good. All right, so this week's edition of Seriously Risky Business is brought to you by Proofpoint, best known for email security, but they do all sorts of other stuff as well, like DLP and cloud security and all sorts of good stuff. So you can find them at proofpoint.com, and of course, Tom's work with us is supported by the William and Flora Hewlett Foundation and Lawfare Media, where they syndicate his newsletter. So that's always nice to see your byline over there, Tom. And yeah, in this podcast, we're going to recap Tom's wonderful newsletter that he has written for us. If you'd like to subscribe to the newsletter, head over to News Risky Biz. So, first up, you have covered stuff in your newsletter that we spoke about on the primary show yesterday, but as usual, in more depth than we go into. So the first thing that you've taken a look at is the FCC toying with the idea of forcing American telcos to take security more seriously. We did speak about this briefly in yesterday's podcast, but I'm curious for your take here, because my opinion is I don't know that this is going to do all that much.
B
Yeah. So the FCC has come out with something that's very basic and a very first step, like you should have a cybersecurity plan. And I thought I'd compare and contrast what Australia and the UK have done over the years. And so Australia was actually first back in 2017, which feels like a lifetime ago. And it basically said, look, telcos, you've got to do the best job you can to keep yourselves secure. And that's basically what the legislation says. You've got to do your best. And there's no penalties. There's a kind of vague definition of what your best is. And it's like all reasonable steps to improve security.
A
And amazingly, like champagne Australian lawmaking, where they're like, you guys have got to go and do a good job, and they codify that in law and then don't really tell you what a good job is.
B
Yeah, that's right. Yeah, I think that that part has picked up over time. You know, what does it mean to do a good job? And amazingly, that was basically just a group of people who thought telco security is not where we'd like it to be. So we'll just try and up the ante. The UK didn't introduce laws or regulations until a couple of years ago. And that was driven by the presence of Huawei on UK networks. And so they launched this big telecommunications supply chain review. And that led to new laws, and that led to a code of practice. And that code of practice is very comprehensive. It's like, you know, what do you do for identity, what do you do for network management, monitoring, visibility, supply chain, the whole gamut.
A
It's pretty funny though that the Brits looked into the issue of Huawei and that made them look at telcos and then say, oh my God, we need to do something here.
B
Yeah, yeah, that's right. But the point is, these are all like huge, long running. Well, if you do it the way the Brits did, it's a huge long running process. If you do it the way the Australians did, it's like, yeah, just go ahead and do a better job. But actually rolling that out will take a long time. And it seems like the US is not in a place where it can flick a switch and security will magically improve overnight. It just kind of staggers me that there wasn't any obligation to do that before. Like, how do you arrive in 2024 and it's up to telcos to decide, you know, security, whatever.
A
Yeah, I mean, it's crazy, right, that the FCC is saying, in response to this terrible intrusion, we will demand that telcos have a cybersecurity plan. And it's like, wait, that's what you're demanding? Although, you know, you did drop a couple of quotes into the piece from Anne Neuberger, who is the Deputy National Security Advisor for Cyber, and she said the White House wants, you know, minimum cybersecurity practices at telecoms, from secure configurations to architecting to monitor for anomalous behavior, to strong key management. I mean, that's more like it. But that's not what the FCC is kind of proposing here. The FCC is just basically saying, hey, we think it'd be good if you had a plan for security. Which is, you know, I mean, come on, they probably already do.
B
Yeah, yeah. I think the problem with that is if they've got a plan, it doesn't mean they care about the plan. And so there's a certification process on top of that where they have to say that they're sort of adhering to the plan or carrying it out or whatever. I think it's, it doesn't fundamentally change how much they care, which is the problem. So Neuberger's talking about setting minimum standards. Having a plan where you set your own standards, I think is a different place. And so it just strikes me that they're in a very difficult position. Fixing it anytime soon is going to be very, very difficult. Everyone is on board. Like there's lawmakers who are talking about it. They want to, they want to fix things. It's just that when you're starting so far behind the eight ball, it's just very, very difficult.
A
Yeah, I mean the way that you end this piece is to say, you know, another short term plan would just be to get everyone to use WhatsApp and Signal basically. And you know, it would really mitigate a lot of the concern here. You know, we could just give up on trying to assume that our telco networks aren't compromised and act accordingly because acting accordingly doesn't really cost you much.
B
Now I think the place where it is difficult is in the lawful intercept part where, I guess you would say, look, what's happened is that the portals where law enforcement submit court orders, it seems like at a few telcos those have been compromised. So you'd probably tighten up those, you'd really focus on the lawful intercept systems to make sure that they're not being compromised. And so then you mitigate the counterintelligence risk, which is that Chinese or other actors would find out who the US FBI is looking at as their spies.
A
Because I mean, to be clear, that's probably the biggest national security harm in all of this is that those portals were compromised. And to be clear, WhatsApp would have a similar portal where the FBI can go and ask for metadata and whatnot. So although WhatsApp doesn't provide an interception capability to law enforcement for end to end encrypted messages, they do provide metadata. So those similar sorts of portals do exist and the information the Chinese were seeking would be available in those portals today.
B
Yeah, yeah. And I think it's a lot, it's just a lot more tractable problem to try and secure a relatively small number of portals compared to the whole telco infrastructure.
A
Yeah, yeah, that's right. And I think, you know, but I still think people moving to over-the-top services, because don't forget, they did attack the portals and gather that information for sort of counterintelligence purposes. But they also intercepted some text messages and voice calls and did some, you know, network graph mapping of who's talking to who and whatnot. That would be more difficult if you were having to try to obtain that information from Meta through WhatsApp or Signal. Because, and this is the interesting thing, because those companies are just fundamentally better at security than the telcos. So I think really it all just comes back to that problem, which is telcos are just not very secure networks and we need to perhaps think about this as the zero trust problem. You know, we've always talked about zero trust as being for corporate networks. Well, why don't we think about zero trust for telco networks as well?
B
Yeah, that seems fair enough to me. I think using Signal WhatsApp is a, is a good, I guess you'd call it a compensating control.
A
Yeah, yeah. All right. So like us, you also had a look at the issues in Romania, where a fringe right-wing candidate who's very friendly with Russia was able to do extremely well in the first round of Romania's presidential election because he was all over TikTok and, you know, every second video on people's For You page was this guy. This has actually led to the Romanian courts annulling the first round of the presidential election. I mean, your take on this was pretty similar to mine, which is that this is not a good look for TikTok and isn't going to do them any favors.
B
That's right.
A
When, when it comes to, you know, US lawmakers considering what to do about them as the deadline for ByteDance divesting them looms.
B
I mean, you've just got to really wonder what is going on at that company where you like, they really shoot.
A
Themselves in the foot. Right. Every now and then. Like the other great example is where they did that campaign with popups on people's phones where they could call their congresspeople and whatever. And that was just the most insanely dumb bit of government relations I've ever seen. And then they let something like this happen.
B
Exactly.
A
Before there's a major event happening and you just think, who's running this thing?
B
If it was me, it'd be like, what are the potential risks that would happen between now and divestment? One risk might be that we're portrayed as having had influence on an election and you've got to say, well, let's eliminate that risk. Totally try and get out of being involved in elections whatsoever.
A
And, and then you allow interference of such a level that an EU country, a NATO member, had to annul the first round of its elections because of the level of interference. I mean, it's unbelievable.
B
Yeah, yeah. And it strikes me as much more incompetence than maliciousness. Like they've got absolutely everything to lose. And like Romania, in the grand scheme of the whole world is not a, you know, it's not a swing country or whatever. And so everything to lose, nothing to gain. And if they can't manage that, how do you expect them to manage any kind of influence risk? Yeah, it's just terrible.
A
It's funny that I do see something coming up pretty regularly in a conversation about this, which is. Oh, but Elon Musk. Right. And look at the influence that he was peddling on the X platform. And you and I have talked about this offline, maybe in an interview, publicly as well. But your take on that as well. He's an American, he has political rights in the United States. The Chinese Communist Party doesn't, which I think is a pretty decent argument, to be honest.
B
Yeah, yeah, yeah. And I think he's operating within a system and people can respond to that. So lawmakers could decide that, you know, having a single person with so much influence because they run a media company is a bad thing and they could make laws and he would respond to those laws. I guess the thing is that in that kind of context, the Chinese Communist Party is outside of that system, so you can make laws and they'll just try and subvert them. So I think he's. You may not like it, but he's legitimately in the game and, and acting within his rights. Yeah, exactly.
A
As well. I don't know that there's all that much that the Americans could do about that because of the First Amendment, you know, which they tend to take pretty seriously over there. But, you know, that's the point. He is an American exercising his rights and, you know, that's just the way it be. Now, one more thing we're going to talk about is, so we discussed some of this on yesterday's show, but you've come at this from a bit of a different angle, which is there's been some Treasury sanctions and indictments unsealed against these Chinese exploit developers who were tearing down Sophos kit. But you know, you've really looked at how badly a lot of these Chinese APTs, and I think even this crew in particular, were behaving throughout these campaigns and about how their actions are really outside what we would consider to be norms. There's echoes of the Barracuda campaign here where, you know, where a Chinese APT crew or contractor gets detected and then instead of, you know, packing up and going home, which is what I'm guessing a Western operation would do, they might drop, like, encrypting ransomware or, you know, burn down the box. And it's just kind of pointless and rude and weird, and what can we do about it? And, you know. Good question.
B
Yeah. So the Grugq and I, in one of our Between Two Nerds discussions, talked about tight and loose control. And the Chinese, these types of cyber actors are the ones where government control seems to be very loose. They're kind of left to do their own thing, and then they deliver what they can, and then the government will either pay them or not. And so there doesn't seem to be, do this, do this, don't do this, don't do this. And so these actors, they just go hell for leather. They do all sorts of things that we would consider unacceptable. And I think, like, objectively trying to step back from my position as an Australian, I think they are objectively bad because they cause unnecessary damage to innocent people. And so in this case, it was, you know, if you try and get rid of our malware, we'll torch your box. We'll deploy ransomware. Now, they didn't actually succeed in doing that, but this seems like the downside of that very loose control, where your cyber actors, like, they do some good stuff for the country, but they also get you blowback that you probably don't actually want. Like, this seems.
A
Well, it's because, as you said, it's pointless. Right. And it's weird. And you and I were discussing, you know, before we got recording, like, where does that mentality come from? I mean, the only thing I can think of is that it's sort of like this nationalist vibe, which is f you to the outside world. Like, we don't care about you. It sends a signal of we don't care about anyone except us. You know, that's the only thing I can think of, and I'm not even sure that's a good explanation.
B
Yeah, I don't know either. I thought maybe it's like, it's trying to deter cleanup operations. Like, if you deploy this cleanup script, your box ends up getting wiped. And so. But that doesn't really make sense either.
A
That doesn't make sense either. Right. So it is strange, isn't it? Where. And, you know, in my interview last week in Sydney, you know, in front of an audience in Sydney with Chris Krebs, the first director of CISA and a very smart guy, you know, we were sort of talking about how the Chinese ecosystem for these types of operations is just the Wild West. You know, they haven't quite. They formalized the roles. Right. So MSS is sort of like NSA. The PLA is acting more like Cyber Command. So they seem to have split those intelligence and military functions in their cyber operations. So in that sense they're sort of mirroring us. Right. Us being the sort of collective, you know, Five Eyes countries. But then you look at the. Yeah, the control, there doesn't seem to be much. Right. Like it's. And especially in the contractor ecosystem, these people are just going wild.
B
Yeah, yeah. So like overall, like very, very big picture. It totally makes sense because they've got lots of contractors just go out and do stuff. Like, you know, you've got very broad direction. I think this is the downside where they go out and do stuff that is probably damaging to China's reputation and is also kind of pointless. There's. It's all pain, no gain. But I think there's a reason they've got that loose control. It's because there's just not enough. There's too many people who can contribute by hacking and not enough middle managers.
A
Yeah. It was just so funny as you were talking that I'm like, he's actually making a compelling argument for bureaucracy, bloated bureaucracy, to try to rein this in. Look, for people who want more details on this, you can go and find Tom's newsletter at News Risky Biz. Although it will still be available at News Risky Biz, I think we're pushing the Go Live button on our new website today, so you might even be able to find that at just our normal Risky Biz website. So after nearly 20 years of running this outlet, we're finally actually having a real website, which is exciting. It's somewhat embarrassing that it's taken this long, but we'll wrap it up there. Thank you so much. This is our second last recording of this podcast for the year and you're taking a nice long break. You're going to drop off at the end of next week and you're not back till February, so lucky you. But I look forward to chatting to you again next week for the last time in 2024. Cheers.
B
Thanks, Patrick.
Release Date: December 12, 2024
Host: Risky Biz
Guests: Tom Uren, Public Policy and Intelligence Editor at Risky Business
The episode delves into the Federal Communications Commission's (FCC) recent proposal aimed at compelling American telecommunications companies to bolster their cybersecurity measures. Host Patrick engages Tom Uren in a comprehensive discussion about the implications and effectiveness of this initiative.
Notable Quote:
“If they've got a plan, it doesn't mean they care about the plan.” – Tom Uren ([04:41])
The conversation transitions to the potential benefits of moving away from traditional telco networks to over-the-top services like WhatsApp and Signal. This shift is proposed as a compensatory strategy to mitigate security concerns inherent in telco infrastructures.
Notable Quote:
“Using Signal WhatsApp is a good, I guess you'd call it a compensating control.” – Tom Uren ([08:15])
The episode shifts focus to the alarming influence of TikTok in Romania’s presidential elections. A fringe right-wing candidate’s success, amplified through TikTok, led to the annulment of the first election round due to pervasive interference.
Notable Quote:
“If they can't manage that, how do you expect them to manage any kind of influence risk? Yeah, it's just terrible.” – Tom Uren ([10:06])
Addressing the conversation about influential figures in media, Patrick and Tom discuss Elon Musk’s role in managing the X platform (formerly Twitter) and the broader implications for free speech and regulation.
Notable Quote:
“He is legitimately in the game and, and acting within his rights.” – Tom Uren ([10:58])
The final segment examines the behavior of Chinese Advanced Persistent Threat (APT) groups, particularly their unorthodox methods that deviate from conventional cyber norms.
Notable Quote:
“They are objectively bad because they cause unnecessary damage to innocent people.” – Tom Uren ([13:56])
Patrick and Tom conclude the episode by reflecting on the challenges of improving telco cybersecurity amidst regulatory delays and international comparisons. They emphasize the need for clearer standards and more effective oversight mechanisms to enhance national and global cybersecurity postures.
Final Thoughts: The episode underscores the complexities of cybersecurity regulation, the ethical responsibilities of tech platforms, and the intricate dance between national security and individual freedoms. Patrick and Tom provide a nuanced perspective on these issues, offering listeners both critical analysis and thoughtful insights into the evolving landscape of digital security.
For more detailed analyses and insights, subscribe to Tom Uren’s newsletter available at News Risky Biz and stay updated with the latest cybersecurity developments.