Risky Business News – Episode Summary: "Srsly Risky Biz: FCC demands telcos improve security"

Release Date: December 12, 2024
Host: Risky Biz
Guests: Tom Uren, Public Policy and Intelligence Editor at Risky Business

1. FCC’s Initiative to Enhance Telco Security

The episode delves into the Federal Communications Commission's (FCC) recent proposal aimed at compelling American telecommunications companies to bolster their cybersecurity measures. Host Patrick engages Tom Uren in a comprehensive discussion about the implications and effectiveness of this initiative.

Overview of FCC’s Proposal:

• Basic Requirements: The FCC is advocating for telcos to develop comprehensive cybersecurity plans. However, the specifics remain vague, merely encouraging companies to “do your best” without clear guidelines or penalties for non-compliance.
• International Comparisons: Tom contrasts the FCC’s approach with international counterparts. Australia, since 2017, mandated that telcos must strive for optimal security without imposing strict penalties. Meanwhile, the UK’s response following concerns over Huawei’s involvement led to a detailed and enforceable code of practice covering identity management, network security, and supply chain integrity.

Key Insights:

• Effectiveness Concerns: Patrick expresses skepticism, suggesting that the FCC’s minimal demands may not lead to substantial improvements. He remarks, “The FCC is just basically saying, hey, we think it'd be good if you had a plan for security... which is, you know, I mean, come on, they probably already do” ([04:41]).
• Minimum Standards vs. Flexible Plans: Tom emphasizes the need for clear, enforceable standards rather than allowing telcos to set their own benchmarks. He notes, “Neuberger's talking about setting minimum standards... is a different place” ([05:33]).

Notable Quote:

“If they've got a plan, it doesn't mean they care about the plan.” – Tom Uren ([04:41])

2. Shift Towards Over-the-Top Communication Services

The conversation transitions to the potential benefits of moving away from traditional telco networks to over-the-top services like WhatsApp and Signal. This shift is proposed as a compensatory strategy to mitigate security concerns inherent in telco infrastructures.

Advantages Discussed:

• Enhanced Security: These platforms inherently possess stronger security measures compared to traditional telcos, particularly in encryption and data protection.
• Reduced Vulnerability: By relying on secure applications, the risks associated with compromised telco networks diminish significantly.

Critical Analysis:

• While Washington-based platforms like WhatsApp offer metadata access to law enforcement, they limit interception capabilities for end-to-end encrypted messages, thereby reducing the scope of data leakage ([07:04]).
• Patrick suggests adopting a “zero trust” model for telco networks, advocating for stringent verification processes akin to corporate cybersecurity practices ([08:07]).

Notable Quote:

“Using Signal WhatsApp is a good, I guess you'd call it a compensating control.” – Tom Uren ([08:15])

3. TikTok’s Role in Romanian Election Interference

The episode shifts focus to the alarming influence of TikTok in Romania’s presidential elections. A fringe right-wing candidate’s success, amplified through TikTok, led to the annulment of the first election round due to pervasive interference.

Key Points:

• Algorithm Manipulation: TikTok’s algorithm was allegedly exploited to flood users’ feeds with content supporting the candidate, undermining democratic processes.
• Legal Repercussions: Romanian courts intervened, nullifying the election round to address the interference, highlighting the platform’s significant role in political manipulation.

Discussion Highlights:

• Patrick criticizes TikTok’s mismanagement and lack of effective oversight, referencing a campaign with popups encouraging users to contact their congresspeople as “the most insanely dumb bit of government relations” ([09:09]).
• Tom underscores the incompetence rather than malicious intent behind TikTok’s failures, questioning the company’s ability to manage influence risks effectively ([10:06]).

Notable Quote:

“If they can't manage that, how do you expect them to manage any kind of influence risk? Yeah, it's just terrible.” – Tom Uren ([10:06])

4. Elon Musk’s Influence on X Platform and Regulatory Challenges

Addressing the conversation about influential figures in media, Patrick and Tom discuss Elon Musk’s role in managing the X platform (formerly Twitter) and the broader implications for free speech and regulation.

Key Insights:

• Regulatory Constraints: Unlike Chinese entities, Elon Musk operates within the American legal framework, including First Amendment protections, which limits the extent to which external entities can exert control or influence.
• Systemic Accountability: Tom argues that systemic laws can adapt to manage the concentration of influence by individuals like Musk, contrasting this with the unregulated nature of Chinese cyber operations ([10:58]).

Notable Quote:

“He is legitimately in the game and, and acting within his rights.” – Tom Uren ([10:58])

5. Chinese APT Groups and Their Unorthodox Cyber Tactics

The final segment examines the behavior of Chinese Advanced Persistent Threat (APT) groups, particularly their unorthodox methods that deviate from conventional cyber norms.

Behavioral Analysis:

• Loose Control: Tom explains that Chinese cyber actors often operate with minimal oversight, leading to actions that are damaging and counterintuitive. This lack of stringent control results in operations that prioritize quantity over strategic effectiveness, such as deploying ransomware when faced with disruption attempts ([12:48]).
• Negative Impact on Reputation: These actions not only harm innocent parties but also tarnish China’s international reputation, creating unnecessary geopolitical tensions.

Proposed Solutions:

• Bureaucratic Reinforcement: Both hosts suggest that implementing more robust bureaucratic structures could help regulate and control these cyber operations more effectively, reducing the incidence of reckless or harmful activities ([16:04]).

Notable Quote:

“They are objectively bad because they cause unnecessary damage to innocent people.” – Tom Uren ([13:56])

Conclusion and Future Outlook

Patrick and Tom conclude the episode by reflecting on the challenges of improving telco cybersecurity amidst regulatory delays and international comparisons. They emphasize the need for clearer standards and more effective oversight mechanisms to enhance national and global cybersecurity postures.

Closing Remarks:

• Website Launch: Risky Business is launching a new website, marking a significant milestone after nearly two decades.
• Upcoming Plans: The podcast is set to take a hiatus, with Patrick and Tom planning a return in February, signaling a brief pause after an intensive year of discussions.

Final Thoughts: The episode underscores the complexities of cybersecurity regulation, the ethical responsibilities of tech platforms, and the intricate dance between national security and individual freedoms. Patrick and Tom provide a nuanced perspective on these issues, offering listeners both critical analysis and thoughtful insights into the evolving landscape of digital security.

For more detailed analyses and insights, subscribe to Tom Uren’s newsletter available at News Risky Biz and stay updated with the latest cybersecurity developments.