
B
And welcome along to Seriously Risky Biz. This is our podcast all about cybersecurity policy and intelligence. My name is Amberly Jack, and in just a moment, I will bring in Tom Uren, our policy and intelligence editor, to chat all about the Seriously Risky Business newsletter that he has been putting together. But first, I would like to thank the William and Flora Hewlett Foundation, who support Tom's work here, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And we also have a corporate sponsor this week as well, which is Knocknoc. You can find them at knocknoc.io. Tom, I want to talk about Peter Williams. This is a case that's been evolving all week, and it's fascinating and interesting and crazy and sordid and all the adjectives, basically. So this guy, former general manager of L3Harris Trenchant, has just, very early hours of this morning, I think, our time, pleaded guilty to selling exploits to Russian zero-day broker Operation Zero. And the case itself was super fascinating, but also has a couple of activists kind of questioning the role of private and commercial outfits when it comes to developing exploits for government. And Tom, you're sort of saying, let's not cut out the private sector when it comes to developing these exploits for government, it's neither practical or a good idea at all.
A
Yeah. So the story is Williams worked at ASD for a while. He was actually there the same time I was there, but I don't recall ever meeting him or interacting with him. He joined an exploit development firm in private sector that was acquired eventually by Trenchant, and he rose up to become general manager. And so one argument you can mount is that it would be better if these very powerful capabilities were kept within the public sector. They were developed in house and used by governments, created by governments, used by governments for government purposes. And that would help, the theory goes, reduce or minimize the amount of the bad uses of exploits where they're used to abuse human rights or beat down on human rights activists, that kind of thing. So the problem there is that there is no such thing as the government. And so there are a lot of different government agencies and organizations that have similar legitimate needs for the use of exploits, but they actually want to use them in quite different ways. So in the piece I talk about NSA, so it has this enduring national security mission that doesn't go away. Basically, you know, China is a competitor, slash adversary, slash enemy. Not yet, but. And it will remain that way for a long time. And the same with Russia. They're not friends, they're never likely to be friends. You want to spy on them forever. And those intelligence missions or also other sorts of cyber operations, they're very, very high priority in the big picture terms of things like the fate of nations can hang on the ability to get intelligence. And if you're NSA, you have the size, you're big enough, you have the money, you've got the resources and you've got the priorities. Like cyber capabilities are very, very important for you. So it totally makes sense that they would go and say, we need these capabilities, we need exploits.
Let's build a team that can do that and let's make sure it's got the money and the people it needs to get what we need. Now, probably even that's not enough, even for them. But when you've developed your own exploits, you're thinking, I want to take care of them, I want to nurture them, I want to make sure that I don't accidentally overuse them and lose them. Because what's at stake is ongoing access to something that's really, really important. And so I want to use it at the right time and the right place to make sure that the benefits I get from it outweigh the risks. And the risk is that it gets discovered and then, you know, the vendor patches it and you lose that capability. So there's a trade-off there.
B
So you kind of don't want the FBI coming along and being like, hey, we want this exploit for this very short term, kind of low risk.
A
So the FBI is in a very different position. So first of all, it has to find evidence. So it's got an evidentiary purpose. And sometimes that means it needs to justify to the courts what it did. And so there's an element of anything the FBI does. It has to at least be prepared for revealing something about the capability. That's something that's just not acceptable to NSA. We've got this super secret hack that does this, but don't worry about it. So that's number one. Number two, they're going against very different targets who are often less sophisticated. So maybe they don't need the same level of stealth. They also got targets that can't necessarily do the technical work, that are less sophisticated, that can't unwind an exploit and figure out what's going on and reveal it to the world. So they also have a lot of targets where, you know, we get the evidence, we lock them up, we put them away, move on, rinse and repeat. So it's not as if there's an enduring, there's an enduring need to do law enforcement. Like there will always be crime. There's a role for the FBI that's not going to disappear. But it's not as if the capability, that exact capability, is the be all and end all for a long time. And so they want to use exploits in a very different way. They've got a different risk. I don't even know that it's a different risk appetite. But just their missions require a different way of using them. And so if NSA develops something, it is not going to want to give it to the FBI, because the FBI will go, well, I can use it willy-nilly. I think because of that it becomes very hard to share capabilities across government. And that's just looking at two particular organizations in the US and there's many more that have legitimate uses of these type of cyber capabilities. And so the problem just gets bigger.
And then you also have, amongst allied countries like the Five Eyes, they also have a similar dynamic going on with their intelligence and law enforcement agencies, but each will have different, you know, different targets, different risk appetites. It all becomes very messy. So I think it is just totally impractical to siphon it all away and sequester it in, like, a centralized place because it just becomes unmanageable.
B
I'm keen to ask though, Tom, putting aside these different needs and whether, you know, having the capability to do this in house and share is practical from a security sense, because this guy, Peter Williams, was the general manager of a company that was a defense contractor. So I would assume that for a company to get to that point, there's going to be some really stringent security measures and vetting and everything else that goes along with that. Would doing it in house even make it more secure if you cut out the private sector?
A
Right, right. So in the piece I said that doing it in house would arguably make it more secure.
B
Nice choice of words there.
A
And so I deliberately use the word arguably because I'm not entirely sure. So L3Harris was, I think, very much inside the security tent. So they would have had a whole lot of security practices that would be actually imposed upon them by Department of Defense and the security organizations there. Having said that, I think that many people inside government agencies and inside the security apparatus of government agencies would think that security in house is stricter.
B
Right.
A
And they've got more ability to control what goes on, more control of security culture, more control of actually what people are required to do. And it's also true that many people leave government because they get fed up with government practices and part of that is security practices. Not all of it, but part of it. So in fact Trenchant was actually made up of. One of the firms that made up Trenchant was composed of ex-ASD people who left, formed a company called Linchpin Labs, were eventually acquired and formed into Trenchant. So there is a, it's actually a well trodden pathway of people who go into agencies like NSA or ASD, develop some skills, eventually get fed up with working there because of all sorts of different reasons, leave for the private sector which is more free. So I think it is arguable that security standards are laxer. I'm not sure that you're actually better off in or out of government because there's actually like some very, very large and serious leaks that have occurred from government agencies like the Snowden leaks and Shadow Brokers to name just cyber related ones. And when you've got states devoting time and effort to try and like figure out who and what is developing the exploits and what those exploits are, they'll be successful at times. And it probably, I don't know, like I said, it's arguable. I'm not convinced that in house development is drastically more secure, but I think you can argue that it is.
B
You straight up mentioned in the newsletter as well, I mean you're never going to get perfect security so leaks are going to happen. So is this just kind of the cycle? You know, a leak happens, we assess our security and make things a little bit tighter and wait for the next one and then we make things a bit tighter and just hope that the leaks get less and less.
A
Yeah, I think that's the, it's a bit fatalistic, a bit depressing, but that's the experience seems to be that every time there's a big serious leak and I think this is pretty serious, there's a review of security, extra measures get placed. They look pretty holistically at the whole situation like the personnel side. What were the factors that led into the decisions that you know, whatever person it was is like a history, a long history of espionage that led them to make those decisions. Is there anything we could have detected then? It would also go down to things like, you know, is the USB port on that computer active and is it logged and are there any alerts? So there's different levels that you can look at all of those, I guess mitigations or ways to detect that something suspicious is going on and you try and plug those gaps. I think, you know, we haven't stopped espionage yet. I don't think we're going to do so anytime soon. So it does feel a bit fatalistic. But, yeah, I think it's, in a way, it's kind of a cost of doing business.
B
Your second piece today, Tom. US National Cyber Director Sean Cairncross says he wants to counter Chinese cyber threats. But on the other hand, we have US cyber soldiers basically falling one by one with budget cuts lately. And as you've said in the headline, he's a bit of a one-man army here. Is there a plan for this?
A
So I thought it was interesting that Cairncross was basically saying we've not done enough to send a message to China that what they're doing is unacceptable. And he particularly called out compromises of US critical infrastructure. Now, that's probably fair enough. But it also struck me the same week there was a report from the Cyberspace Solarium Commission 2.0. So the Cyberspace Solarium Commission was a commission that looked holistically at everything in the cyber realm and came up with a whole list of recommendations. And the 2.0 version does an annual review and basically gives a scorecard of how the US is going. And so this is the first time it has come out and said, yeah, we're going backwards. And it basically calls out all the workforce reductions and funding reductions and disbanding of different organizations or boards and says the recommendations are basically, you know, you should restore this, restore that, restore this, restore that. And so four out of the five recommendations are basically, yeah, just put things back the way they were, right. Now I think the commission recognizes that that's probably unrealistic, but they said it anyway. But their top recommendation was that we should empower the Office of the National Cyber Director. So Sean Cairncross's office. And it has been, they say, useful as a kind of shepherd, but it doesn't actually have a lot of power. So it felt like to me this is we're going to cut everything else, but we're going to give this single individual more power because. Well, partly because I think that appeals to the way Donald Trump manages. He likes executive unitary power, where a single strong minded individual can make the right decision. And my gut feeling is that that's not going to undo. You can't compensate for like cutting CISA. You can't compensate for the changes at the State Department where they've lost a lot of cyber diplomacy and it's also being dispersed. So there's no central center of gravity, I guess.
B
Yeah.
A
And just having one strong individual, I don't think makes up for that. But it's better than having no strong individual. Plus cuts at CISA. Plus cuts at the State Department. Yeah, plus cuts, other bodies. So I think that was the realistic part of the report, is we're not going to get these other recommendations through. I think they're realistic about that. That was my sense, just reading it.
B
Yeah.
A
And I think the recommendation about strengthening the ONCD stands regardless. Like, that would be true if the situation was different and all these bodies had funding and had not been cut drastically.
B
So not quite good enough. But hopefully they do it anyway because. Better than nothing.
A
Better than nothing.
B
Fair enough.
A
Like so much of cyber, it's, you know, we do what's better than nothing.
B
Now, Tom, I very quickly want to touch on another piece that you wrote about today, and this one's just awful. 49 Afghans have been killed. 40 following a 2022 UK Ministry of Defence leak. And a horrific story for a start, but also kind of a punch in the face reminder that some leaks can have some really real world awful effects. So tell me a little bit about this one, Tom.
A
Yeah, yeah. So the backstory is, shortly after the Taliban regained control over Afghanistan, the UK Ministry of Defense leaked a spreadsheet that had the names and identities of 19,000 people, 19,000 Afghans who had worked with them during the time that the coalition was in Afghanistan.
B
Yeah.
A
So is it good news? The good news is that the UK government has actually tried to do something about that and it's actually spent in the order of £2 billion relocating more than 20,000 people affected by it to the UK. So those numbers are different because it's 19,000 people plus their families, I presume. But the people who, at the time they were facing things like, I was recognized by the Taliban and beaten up. The Taliban searched my family home and continued to threaten my relatives. My father was brutally beaten to the point that his toenails were forcibly removed. And my parents remain under constant and serious threats. So these are like, just terrible, obviously. Yeah. But there's this also weird disconnect. So at the time, the Ministry of Defense gave advice, and their advice was things like use a VPN and limit your social media use. And in these circumstances, they're just totally inappropriate for what's actually going on. So it's not a cyber risk you're facing from that data leak. It's not like identity theft or anything like that. It's like being beaten up. And so I think it's an interesting vignette of how I think, like, internally, my thinking is that it went, here's a data leak. Let's consult the data leak specialists and they'll come up with the standard advice that they give when there's been a data leak, which is appropriate if you're in the UK, probably, maybe totally inappropriate.
B
If your supermarket loyalty card data has been leaked.
A
Yeah, yeah, yeah. Totally inappropriate if you're in Afghanistan and the government is hostile to the kind of work that you've done in the past.
B
Yeah. On that grim note, Tom, we might actually leave it there, but thank you so much for joining me again this week. And you can, of course, read all of Tom's analysis at the Seriously Risky Business newsletter on our website, Risky Biz. And, Tom, thanks so much, and we'll catch you again same time next week.
A
Thanks, Amberly.
Podcast: Risky Bulletin
Episode: Srsly Risky Biz: Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia
Release Date: October 30, 2025
Host: Amberly Jack
Guest/Expert: Tom Uren, Policy and Intelligence Editor
This episode delves into the high-profile case of Peter Williams, a former senior executive and ex-ASD affiliate, who pleaded guilty to selling zero-day exploits to Russia. The conversation broadens to discuss the tensions and complexities between public sector and private sector development of cyber capabilities, the inherent security challenges, spillover effects from leaks and espionage, and the current state of US and UK national cyber strategy and policy failures.
Tone:
Informative but realistic (sometimes fatalistic), pragmatic, bringing sophisticated analysis to hard policy trade-offs and their often messy implications.
For more analysis:
Read Tom Uren’s writing in the Seriously Risky Business newsletter at Risky Biz.