Patrick Gray
And welcome to Seriously Risky Business, the podcast we do here at Risky Biz HQ, where we speak with our policy and intelligence editor, Mr. Tom Uren. Hello, Tom.
Tom Uren
G'day, Patrick. How are you?
Patrick Gray
Good, good. And yeah, this edition of Seriously Risky Business is brought to you by Resourcely, which makes an awesome sort of Terraform platform that helps you to spin up resources and like keep track of them and whatnot. Very cool stuff. I'm going to drop a link in above or a card on YouTube in above that links through to our demo of the Resourcely platform. Very illuminating stuff. We should also thank the William and Flora Hewlett Foundation and Lawfare Media for supporting Tom's work with us. And the idea behind this particular podcast is we talk about more high-level stuff, right? Stuff that pertains to sort of government policy and intelligence, so on and so forth. And today, Tom, we're talking about two things. The first thing we're talking about is, yes, it's the crypto wars. Yes, they are still going on, but you've written a pretty compelling piece arguing that governments are losing the crypto wars. And you cite, you know, Apple's refusal just recently to provide the British government with access to encrypted iCloud accounts. Essentially what the UK has done is issued a technical capability notice, a TCN, demanding that Apple introduce a feature that allows them to get to this data. Apple said, no way, can't do it. And, you know, this is just one more milestone in a long and winding road of fail, basically, by governments to get any sort of result here.
Tom Uren
Yeah, there were a couple of things that I thought were really interesting about this. One of them was that there was reporting about it at all. So the idea of TCNs, or in the law, what it says is that if you're given one, you're not allowed to disclose it. So as journalists or analysts or whatever, we can report on it. But clearly it ended up in the Washington Post. The article in the Post was framed, I think, very favourably for Apple's interests or for privacy and security advocates.
Patrick Gray
So I wonder where it leaked from.
Tom Uren
I daren't speculate. So Alexander Martin, who's the UK editor at the Record, actually wrote a little piece and he said, I don't really think it's right to frame it as a backdoor. What they want is what they've got now and so they just want to hold on to something. So I think it's interesting that it's all about sort of the public perception of what's going on, because when you read the Washington Post piece, your immediate first reaction is, this is outrageous. Like the UK is going to change things for the whole world. It's, you know, a tiny island nation. How does that make sense? And you read Martin's piece and it's like, okay, I can see where they're coming from.
Patrick Gray
But they are talking about a TCN that would enable them to access iCloud data that is protected by, like, Apple's Advanced Data Protection program, which is really robustly architected. You know, Apple can't cough up that data. They would need to make a change to the platform. So I can sort of see it both ways. Right. Like with always with the crypto wars, it's always about competing equities.
Tom Uren
Yeah, yeah, yeah. What was really interesting is that in a previous piece Alexander Martin wrote a couple of years ago, he said that there haven't been many equities technical capability notices issued. One of the reasons is that the UK government is afraid that tech companies would just say no. That's exactly what's happened here. So I spoke to another Martin, Ciaran Martin, who is the former head of the UK's National Cyber Security Centre, and he was pretty definitive about it. He thinks, look, governments have just lost these wars, they've always lost them, they're going to continue to lose them. He said, like, there's no easy-to-see technical solution, no compromise position. I guess that's easy to find.
Patrick Gray
Well, I mean, I kind of disagree with that. Right. Like if you have some good quality spyware, you know, that allows you to get onto a user's device in a privileged position, you, you are going to be able to access all of the data that that user can access from that device. Okay. I mean, that's a fairly simple uncontroversial statement. So the idea that there's no technical. That's one thing that's continuously frustrated me about, you know, these sort of discussions is people who don't like what governments are trying to do always overstate how difficult it would be for tech companies to actually deliver to them what they need. And the tech companies do that themselves.
Tom Uren
Yeah, yeah. So that's a technical solution. I wouldn't necessarily call it a compromise solution because it's the compromise solution where governments get everything that they want.
Patrick Gray
Yeah, yeah, yeah, yeah. But I guess my point is Apple's framing this as, well, we'd have to re-engineer our whole platform, and it's like, no, no, you wouldn't. You would just have to allow law enforcement to get onto a device. So I feel like it's bad faith arguments top to bottom from both sides on this, I guess is what I'm getting at.
Tom Uren
You won't find an argument from me there except, you know, I'm the, I'm the only one making sense here. So now Ciaran Martin's second point was that public opinion supports encryption versus lawful access. And finally the political support is behind encryption versus lawful access right now. Now he said that this is the most changeable, I'm going to use the word fickle. And so I think that's really what this all hinges about right now in the current environment: there is no political will to deal with this problem. Yeah. And this, this has to come from the US as well. It can't be the UK. Pushing very, very hard will make no difference if US politicians don't agree.
Patrick Gray
So I mean iPhones have a, have a USB-C charging port on them these days. And that wasn't the Americans who on that, the Europeans kind of did us a solid on that one. So I don't know that I would necessarily agree with that. I think if enough nations got together and all demanded the same thing, you know, you might see them start to offer that outside the United States. But you know, they're going to go kicking, kicking and screaming and there'll be court battles and all sorts of stuff, like it's not going to happen easily. But look, I just want to touch on something that you mentioned there, which is the political will. You know, for those of us of a certain vintage, we, we remember what the political environment in the United States looked like after the 9/11 attacks in New York. Right. And right then, you know, say the technology then was the technology now. There would have been political will, you know, plenty of political will, for the government to basically do whatever it wanted to, to get into people's comms. Right. So I think people look at this and say, well, there's no political will. It's because there's no political driver. And that can change. Like if there is a substantial enough intelligence failure that can be attributed to governments' lack of visibility into these sorts of devices, you will see that political will enthusiastically manifest across both sides of US politics.
Tom Uren
Yeah, absolutely agree. This is something I don't like talking about because it's just a bit grim. Like it's not a. If we end up in that world, that's not a happy place to be. So I'm kind of hoping that, you know, governments just continue to fail at crypto imposing their will on crypto.
Patrick Gray
If bad happens and we all live happily ever after, I mean, that is. That is the hope. Right. But you do get the sense that, you know, it has made some intelligence functions harder and that, you know, that may make something bad more likely to happen. But then again, people on the other side of the debate say, well, that's just nonsense. You know, there are compensating collection techniques that intelligence agencies can use to figure this stuff out.
Tom Uren
Yeah. A couple of weeks ago, Europol came out with a report that I don't think I wrote about in the newsletter, which talked about all the. Or maybe I just mentioned it briefly, that talked about all the challenges of cybercrime. And strong encryption was just one of them. So there's many things that they're doing that get them gobs and gobs of data. So some of the crime phone takedowns that we've spoken about, and they really struggle to analyze it because of the volumes, there was a whole host of different challenges. And so, like I said, there's maybe I haven't said there's a range of problems that they've got, and strong encryption is just one of them. So there's many things that they can focus on that will, I think, give them good returns. It's just that arguing against the spread of strong encryption has not yielded results so far.
Patrick Gray
No, no. And we should point out, too, like, the way it stands, according to the reporting, is that Apple has refused this TCN that the Brits have insisted upon. It doesn't end there necessarily. Right. I mean, this could all be headed to. Presumably headed to court, you would think.
Tom Uren
Well, I think what happens is that this is a way of putting up a flag and testing the waters. Do we have strong political support at home or not? Now, I think that it appeared in the paper means that whoever revealed it, whoever spoke to the Washington Post, thinks that they will get strong political support, otherwise it just wouldn't appear in the paper. But that's the next step. Does President Trump support us or does he want that kind of lawful access?
Patrick Gray
Well, but, I mean, does that. Does what's happening in Trump's head, which is always a little bit difficult to know, does that affect, you know, how this will play out in the UK, I guess, is what I'm wondering. Right. Because these are laws on the books in the UK, not the US. But look, we'll just. We'll just keep an eye out for updates and, you know, take it from there. The other thing that you've covered this week, and we touched on this briefly in yesterday's weekly show with Adam Boileau, is, you know, ransomware is kind of, you know, there's a ransomware recession, which is what we like to see. The market is slowing, the ecosystem has really changed, and it's impossible. Like, you cannot say that this is not connected to what governments have been doing to ransomware operators. Right now we're talking about law, you know, we're talking about law enforcement takedowns, some arrests, but also the disruption operations that governments don't really talk about all that much. Occasionally they put out a big splashy release when they've done something big. But it's my understanding that these actions are ongoing and continuous, and it looks like they certainly are having an effect. Ransomware last year really receded.
Tom Uren
Yeah, yeah. So there's a couple of reports that came out in the last week. One was from incident response firm Coveware, where they deal with or help companies who've been affected by ransomware. So they see the sort of back end and they paint a picture of two of the big ransomware-as-a-service operators having just gone away. So both BlackCat and LockBit, they're gone. There is one that's sort of coming up, but it hasn't really replaced them as the forces that those two groups were.
Patrick Gray
And I think we can safely assume that if these operations are ongoing, they're going to target the emerging platforms instead of individual groups or whatever, just to try to keep a lid on this a little bit. Right. Just to mitigate it, to suppress it rather than eliminate it.
Tom Uren
Yeah. So one of the other interesting things they talked about is that the most prolific ransomware is actually, I guess what I call commodity ransomware. So it's standard attacks, small to medium enterprises. One of the groups actually seems to avoid critical infrastructure and hospitals and stuff like that. So from a targeting perspective, you would go, okay, put those a bit down the list. They're big, but they're not extremely damaging. The third group is RansomHub, or the third most prolific category, I guess, is RansomHub, which is another ransomware-as-a-service operator. And so they kind of get bumped up the priority list. And so you would definitely target those, in part because ransomware as a service is an enabler. So you can get people who, I guess, are not uber competent and they can make use of the tools and techniques, and so it lowers the barriers to entry.
Patrick Gray
We are seeing, though, the emergence of these small groups using their own tools that are not linked to previous ransomware strains. So it's a small team, develop their own ransomware, deploy it themselves. And this is, funnily enough, like we predicted last year or the year before, that if, you know, offensive operations against ransomware crews were effective, this is what we would see. We would see the dismantling of these large organisations and the emergence of sort of smaller crews using bespoke ransomware. So it actually has played out how we hoped it would.
Tom Uren
Yeah, Coveware categorized these groups as lone wolves and it's the fourth largest category they found. So 8% of ransomware attacks were these lone wolves. And they don't use ransomware-as-a-service infrastructure or tooling. And just the barrier to entry to become a lone wolf is higher. You've got to do everything yourself. So, like, you know, there's still a lot of them, but that's. That's still a win.
Patrick Gray
Well, it is, and I would like to see that percentage grow, because it's going to be more difficult for small crews using their own ransomware, you know, in-house developed ransomware strains, to operate at scale. So, you know, if that 8% becomes 30% in a year, becomes 50, you know, that's a sign that you're winning, in my view, because you're more limited in what you can do with offensive targeting with these small crews versus large communities and ecosystems.
Tom Uren
Yeah, basically, they're having to reinvent the wheel all the time and if they.
Patrick Gray
Operate at too much scale, they pop up on someone's radar as a target and they have a bad time. I mean, the system is working.
Tom Uren
Yeah, yeah, yeah. So this is, I think, the way it is now. I also looked at a Chainalysis report, so Chainalysis is a blockchain analysis company, and they looked at the money flows and there's been significant change there. I've written over the years about a number of government actions against tumblers and mixers, which mix illicit funds with legal or lawful funds and try to obscure where things are going. And the use of those is way down. The most fascinating thing, though, is that a lot of cybercriminals are just, like, hanging on to their cryptocurrencies.
Patrick Gray
Yeah, they're just parking. They're parking it because they don't know how to launder. And this is another really, really good sign. So not only payments down from like 1.2 billion to like 800 million. Ish. Look up the numbers in Tom's newsletter. So not only have payments tumbled, but, yeah, they're absolutely terrified of touching that because, you know, they go to actually turn it into fiat currency, they're going to have to pop up in the real world somewhere and there's going to be someone hiding behind a potted ficus ready to put cuffs on it.
Tom Uren
Chainalysis used this phrase of the sort of lawful action against cryptocurrency laundering and they called it decisive and unpredictable. So it is the potted plant hiding behind type image that pops to mind. And yeah, so again, great news, but one of the things here is that in the newsletter I called it a Red Queen kind of thing, where governments have to run very, very hard just to stay still. So where all these actions have sort of suppressed it, I don't know what the equilibrium is, but if governments take their foot off the accelerator, the problem will just bubble up again.
Patrick Gray
Yeah, I mean, this is a constant, you know, this is a crime type that requires constant suppression. Right. And much like any other organised crime type, you know, it's not like you do a bunch of takedowns in an organised crime group and then you, you know, never worry about it again. Like, even if you arrested every, all of the cartels in Mexico, for example, people are going to take their place. So it's a, it's a, you know, I think this is, you know, I'm not going to get started on my views of like, you know, prohibition on various drugs and the targeting of drug users as criminals or whatever, but I think some people throw the baby out with the bath water and say that the war on drugs is just, you know, the so called war on drugs is just stupid. I mean, it would look a lot worse if law enforcement action ceased to police those sort of things. So I think, you know, there is an element of suppression that has to happen, but yeah, not that. Elimination.
Tom Uren
Yeah. So I think that's where we are. I guess it's unclear what the Trump administration's attitude to all this would be.
Patrick Gray
So it's unclear what the Trump administration's attitude to a lot of things is though, Tom.
Tom Uren
Yeah, yeah, yeah. So the new Attorney General, Pam Bondi, she, she released a document that had all their priorities; tackling cybercrime is not on there. But yeah, that doesn't mean it's been cut either. So just have to wait and see.
Patrick Gray
Yeah, well, we'll have to wait and see to see if the operators who are currently doing that work are given other priorities. Right. Because that really could happen. We are seeing, yeah. Different bits of the government being, being tasked with. Yeah. Different priorities. So it could absolutely get cut. But thankfully not just the Americans doing this. Tom, you're in. That's it for this podcast. Thanks a lot for joining me and for discussing your newsletter this week, which people can find and subscribe to at Risky Biz. I'll catch you next week.
Tom Uren
Thanks, Patrick.
Release Date: February 13, 2025
Host: risky.biz
Guests: Patrick Gray, Tom Uren
In this episode of Risky Bulletin, Patrick Gray and policy and intelligence editor Tom Uren delve into the ongoing challenges governments face in the "crypto wars"—the struggle to regulate and access encrypted data—and examine the current state of ransomware activities. The discussion highlights recent developments, government strategies, technological defenses, and the evolving landscape of cybercrime.
The conversation opens with the UK government's attempt to compel Apple to unlock encrypted iCloud accounts through a Technical Capability Notice (TCN). Patrick Gray references Apple's refusal, framing it as a significant setback for governmental efforts to access encrypted data.
Tom Uren points out the significance of the Washington Post reporting on the matter, despite TCNs typically being non-disclosable. He references Alexander Martin’s analysis, which suggests that the framing of the issue may favor privacy advocates over governmental interests.
Tom discusses Ciaran Martin’s perspective, emphasizing that public and political support currently leans towards maintaining strong encryption rather than lawful access. This lack of political will hampers governmental efforts to enforce access to encrypted data.
Patrick Gray counters by suggesting that robust spyware could still allow governments to access necessary data, arguing that both sides may be misrepresenting their capabilities and intentions.
The discussion moves towards the potential for political shifts to reignite governmental efforts, drawing parallels to the increased political will post-9/11.
Tom expresses a hope that governments will continue to fail in imposing their will on encryption, acknowledging the grim possibilities if they succeed.
Patrick shifts the conversation to the state of ransomware, noting a significant downturn in ransomware activities, which he attributes to effective governmental interventions. He references Coveware’s report indicating the disappearance of major ransomware-as-a-service (RaaS) operators like BlackCat and LockBit.
Tom elaborates on Coveware’s findings, highlighting the rise of "commodity ransomware" targeting small to medium enterprises (SMEs) and the emergence of lone wolf operators. He sees this fragmentation as a governmental success in disrupting large-scale operations.
Patrick and Tom discuss the shift towards smaller groups developing and deploying their own ransomware, a trend they anticipated as a result of effective government crackdowns on larger organizations.
Tom notes that these lone wolf operations represent a fraction of overall ransomware attacks but indicate progress in limiting large-scale cybercrime.
The discussion touches on Chainalysis’s report, which shows a decline in illicit cryptocurrency flows, partly due to reduced use of tumblers and mixers. Many cybercriminals are now hesitant to convert cryptocurrencies into fiat, fearing law enforcement action.
Tom references Chainalysis’s characterization of government actions as “decisive and unpredictable,” underscoring the effectiveness of current strategies in curbing illicit financial flows.
Patrick draws parallels between the fight against ransomware and the war on drugs, emphasizing that continuous suppression efforts are necessary to keep cybercriminal activities in check. He argues against the notion that eradication is impossible, highlighting the importance of sustained governmental actions.
Tom agrees, noting that without persistent efforts, cybercriminal activities will resurface.
The conversation addresses potential shifts in governmental priorities with new administrations, specifically referencing the Trump administration’s unclear stance on cybercrime priorities.
Patrick concludes by acknowledging the uncertainty but reinforces the importance of ongoing vigilance.
In this episode, Patrick Gray and Tom Uren provide an insightful analysis of the current state of the crypto wars and ransomware threats. They highlight significant government setbacks in accessing encrypted data, the effective disruption of major ransomware operations, and the continual need for adaptive strategies to suppress cybercrime. The discussion underscores the delicate balance between privacy, security, and governmental authority in the digital age, emphasizing that while progress has been made, the battle is far from over.
Notable Quotes:
Patrick Gray [00:15]: “Yes, it's the crypto wars. Yes, they are still going on, but you've written a pretty compelling piece arguing that governments are losing the crypto wars.”
Tom Uren [02:13]: “I don't really think it's right to frame it as a backdoor. What they want is what they've got now and so they just want to hold on to something.”
Patrick Gray [04:52]: “Apple can't cough up that data. They would need to make a change to the platform.”
Tom Uren [07:50]: “I'm kind of hoping that, you know, governments just continue to fail at crypto imposing their will on crypto.”
Patrick Gray [13:27]: “This is what we would see. We would see the dismantling of these large organizations and the emergence of smaller crews using bespoke ransomware.”
Tom Uren [15:11]: “Chainalysis used this phrase of the sort of lawful action against cryptocurrency laundering and they called it decisive and unpredictable.”
For more insights and detailed analyses, subscribe to the Risky Bulletin podcast on Risky Biz and stay updated with the latest in cybersecurity news.