A (3:30)

Yeah.

B (3:31)

Now I felt it was really significant that Google's Sandra Joyce, who's the vice president of their threat Intelligence Group, she made this comment at a keynote at a conference that was devoted to exploring the idea of hacking back. So I think if you just say it in isolation, like maybe it just does mean doing what Microsoft has done, replicating that model, doing it more aggressively, like devoting resources to doing that. But I think when you put it in the context of like the conference, the title was offensive Cyber operations Legal, you know, overcoming legal and strategy challenges, something like that. That's a very different kind of place to say that statement.

A (4:17)

Yeah, for sure. And I mean as you touched on Tom, they sort of court endorsed hacking back isn't, isn't new and. Right.

B (4:32)

Yeah, I wouldn't call it hacking back so much as giving it extra powers. So there's not in those cases been hacking back. There's been a couple of cases where Microsoft has worked with the FBI and the FBI has gotten a court order to be able to do things like remove web shells from infected hosts so that I would call a form of hacking back and that that's legally authorized and FBI can do it because they have this authority to do stuff when a court says they can. So I don't really imagine that Google will start to do that kind of hacking back. We do have an example last year where Sophos, the security company, they realized some time ago that their firewalls were being, I guess explored and experimented on for vulnerability research and exploit development by a particular group. And so we spoke about this on Risky Business. Not we, you and I, but Patrick and I spoke about this on Seriously Risky Business where they went on this journey and they started first they pushed out enhanced telemetry and so they could then narrow down which devices are these threat actors actually working on. And they combine that with other information they had like trial license, registration data, and they were able to come up with a small pool of devices that they knew or were Pretty highly confident that the threat actors were using to experiment on. They were doing vulnerability research on these devices and so they actually pushed out an implant onto those devices. So that I think is a true example of hacking back where it's tailored to someone who's affecting your products. They were able to understand what vulnerabilities the threat actors were developing and develop protections against them before they were actually used in the wild. They were able to grab malware and again develop signatures and protections against it. So that seemed like a genuine example of hacking back. And the legal basis for that was terms of service or the end user license agreement. And so Sophos had got legal counsel to say that, yeah, based on our eula, we think this is okay. And to me it seems like Google is very much in a similar position. It has products that it develops, it controls the terms of service. If it needs to amend the terms of service in some legalese way to enable it to do these kinds of aggressive things, it can do that. It also has the expertise to be able to say if we do this, what are the possible follow on ramifications? Like it has the expertise to manage the risk of doing something, I'd call it audacious or aggressive or offensive. So that seems to me to be a template if Google is looking to be more aggressive. That's one thing that makes sense to me. And in the context of the whole hacking back discussion, it seems that like there's, there's an underlying rationale for it. We want to engage the private sector more. This is a whole of economy thing. But rather than trying to get the whole private sector involved against potentially any actor, it's maybe get the most capable American companies to do more on their own products, where to do more to defend their own products, where they have, you know, a legal basis they can jimmy up or construct or and like incrementally improve the way that the private sector is involved rather than aiming for a big bang legislative solution like some sort of hack back legislation.

A (8:36)

Yeah, for sure. And I mean you and I, Tom, sort of touched last week on the Cyber Letters of Marx legislation that had been proposed. And that was, that was your issue. There was, it was way too broad and it was pretty much anyone and everything that the President doesn't like, maybe this is potentially a really good way to tightly scope that.

B (8:58)

Yeah, that's right. I guess the cyber Letters of Marc, which we spoke about last week, my conclusion from all of that was that maybe there's a set of threat actors where it does make sense to enroll the private sector. And that is these scam farms, because they're big, they're decentralized, they're not doing the work of states, they're just massive criminal organizations. And, you know, having a bunch of private sector hackers try and disrupt those, maybe that makes sense. Like that's a good set of targets. And this is kind of the converse, it's that there's a small number of vendors that have the capability to protect their own products. And so this may be, here's a small set of good candidates to encourage them to do a bit more. Maybe not license them to do a bit more, but encourage them.

A (9:53)

Yeah, for sure. And moving on now, Tom, to Salt Typhoon. So the campaign has been attributed to three Chinese companies by cybersecurity companies in 13 different countries. So it seems like that attribution and that kind of name and shame is a pretty big deal on the surface. But you're not convinced it's going to make a big difference.

B (10:15)

Yeah, so historically there have been a few, at least big bang cyber attributions where a collection of countries has gotten together and said, china, you're doing some bad stuff. We don't like it. So there's this one, there was one related to this campaign known as Cloud Hopper. There was one related to the mass hacking of Exchange, Microsoft Exchange servers. And basically the conclusion is that those have achieved kind of nothing. So a while back I wrote about how the SharePoint hacking, it's like a mirror image of the Exchange hacking. So whatever we did to determine or punish the hacking of Exchange, it did not make any difference. And I feel this falls into the same category. So there was an interesting comment by an FBI official to cyberscoop and he said that the use of contractor companies was a mistake. It was a failure. And my reading of that was that because these companies have looser operational security controls, they were able to pull on a thread and link it all back to these three particular companies. I won't read out the names because they're kind of Chinese names that don't really, they don't mean anything to me. Now from a Western point of view, if you're doing a big hacking campaign, something analogous to Salt Typhoon, and you get caught and busted, that's a huge deal, that's a massive failure. And the way Western agencies think about it is that if you can do something sneakily and quietly, if you don't get detected, you can just keep on going indefinitely, forever. So for example, if you. I don't know, I don't think he has a phone, but if you get onto Xi Jinping's phone, you don't want to be detected. And if you aren't detected, you can stay on there forever. And that is an enduring intelligence requirement. Being able to satisfy it forever is very nice. But when it comes to Chinese actors, the way that they seem to be getting enduring access is just digging in even deeper. So I talk about several examples where instead of being stealthy and quiet and not getting detected, they just hack everything, and it's very difficult to evict them. So in the case of Salt Typhoon, there was a couple of articles that said that the. Those companies, that threat actor had hacked over 80 countries and 200American organizations. So being named, being outed, it doesn't actually evict them from those networks.

A (13:12)

Yeah.

B (13:13)

And so if they're, you know, we. We know who's responsible, but if they're still in the networks, is. Is that a win? I don't think so. So my feeling is that the Chinese government will just brush off any diplomatic blowback. It has a standard playbook. Is it a failure by Salt Typhoon to get attributed in this way? I don't think it's good for the Chinese government, but I think they may feel it's just a cost of doing business and, you know, this is something we're willing to. To wear, and the benefits outweigh the risks.

A (13:52)

Yeah, yeah. Sort of an annoyance. But moving on, let's keep going.

B (13:57)

Exactly.

A (14:00)

Because I know you love when I ask you to make predictions, you do mention in the newsletter that this isn't so much a failure, and that failure will be when they get evicted from the networks. Do you see that happening or happening anytime soon?

B (14:17)

No, is the short answer. Like they will get evicted from some networks. There was a piece I wrote, a senator in the States spoke about the cost of evicting Salt Typhoon from America's telecommunications network, and he described it as astronomically high. So even if he was exaggerating, which he likely was, it was Senator Mark Warner who's involved in intelligence issues, so he should have some ide. Even if he was exaggerating, it seemed to me that the cost was like 100 fold too high. So even if he was exaggerating tenfold, it's still tenfold too high.

A (14:59)

Yes. Finally, Tom, and just very briefly, I want to touch on what's the very commonly misquoted Mark Twain quote. Reports my death have been greatly exaggerated. It seems that's kind of the case with Apple's UK stoush. So what's happened?

B (15:19)

So the Financial Times has viewed a document that was submitted to the Investigatory Powers Tribunal. So the backstory is that Apple was issued what's called a Technical Capability Notice. So this is an order from the UK government to do these things for us to allow us to have lawful intercept capability. And the, the legal way to challenge that is to go to the ipt, that Investigative Powers Tribunal. And so this is a document that's prepared by the IPT as a basis for discussion and it can provide some details of what the ground truth was. And so the Technical Capability Notice wanted Apple to provide the UK government with the capability to access icloud data from, from potentially anyone all over the world. And so far, that's what is up for argument in the case that will be heard next year, I think. So last week we had news, I'll use air quotes, news that it was not going to affect U.S. citizens. And a lot of people interpreted it as the UK government has backed out and is not going to pursue the Technical Capability Notice. It seems like it's going to go ahead, but. Or at least the court case is going to go ahead. I expect that there will be some carve out for US citizens that hasn't. It doesn't appear that that's formally happened, but the, you know, the matter is still up for adjudication. We'll have to wait and see. More to come, I guess.

A (17:06)

All right, we might, we might leave it there, Tom, but thank you so much for joining me once again. Again. And of course you can read and subscribe to Tom's Seriously Risky Business newsletter over at our website, Risky Biz. And Tom, look forward to catching up again next week.

B (17:20)

Thanks, Emily.