A
Hey everyone, and welcome along to Seriously Risky Biz. This is our podcast all about cybersecurity policy and intelligence. My name is Amberly Jack and very shortly I'll bring in Tom Uren, who is our policy and intelligence editor, to chat all about the Seriously Risky Business newsletter that he's written this week. And you can of course read that and subscribe over at our website, Risky Biz. First, though, I'd like to thank this week's sponsor, which is Push Security. And you can find them at PushSecurity.com. G'day, Tom. Great to see you.
B
G'day, Amberly, how are you?
A
Yeah, really good, thanks. And Tom, let's talk about the Pall Mall Process, an international effort to rein in abusive commercial spyware, which is good and is aiming to develop voluntary industry standards, which also sounds good. But Tom, on the show, it doesn't feel like you and I heap a whole lot of praise on the US too often, but America does seem to have a strategy here that you think could be used as kind of a blueprint when it does come to spyware.
B
Yeah. So I think I would hesitate to call it a strategy right now. I think what they've done is they've demonstrated. Well, I think they've demonstrated a possible blueprint for a strategy and I think it arose just by chance. And so I guess the kind of the backstory is that people learnt about NSO Group spyware. The problem was that it was sold to states that basically used it to facilitate human rights abuses, anti-democratic authoritarian stuff. And as a result, the Biden administration did all sorts of basically like punishment activities. So it sanctioned the group, it imposed visa restrictions on people who were involved in abusive spyware. And so I think that that's one arm of the strategy is to just punish the wicked. And I think those were all reactive. Here's something that looks like abusive spyware, we don't like it, we'll respond to it. There were also sanctions and other steps, so a range of different steps and then, you know, just punishing people who are doing bad stuff. Like it's a good start, but it's not the whole answer. And there's another company called Paragon Solutions, which was also back then an Israeli spyware company, and their whole strategy was to stay in the good books of the US in particular. And so they went to the US and said, you know, which countries would you be happy with us selling to? And presumably they gave some, must have given some like rough overview of what the product was. And, you know, I think it was probably, maybe not a formal agreement, but it's like, you know, how about this country? What about that? Yes, no. So the reporting is that they had a list of 35 countries, mostly in Europe and Asia, that the US was, I don't know if happy would be the right word. The phrasing the report from the Financial Times uses is would not object to. So the idea was we'll get an allow list of countries and then we want to do everything to stay in the US good books. So that's the kind of frame that that company had.
And like, ideally, that's the kind of attitude you would want all commercial spyware companies to have. Now, that wasn't a perfect strategy. Paragon had some issues, like its product was used by the Italian government to prosecute. The reporting is that it was used to target journalists and activists that the government didn't like. So Paragon, pretty quick smart, dropped them as a customer. They've since got US government contracts that were issued in the last days of the Biden administration and they were sold to a US venture capital firm for $500 million. So in that sense, that strategy has paid off. And I think those two arms, punish the wicked and reward the good, are what will fundamentally shape the spyware industry. So having, I think I'm quite cynical about voluntary, non-binding standards for industry in that you can spend a long time arguing about how many angels can fit on the head of a pin. And fundamentally what you want to provide is incentives rather than rules, I think. And so I think that that to me is basically it. You'll do more shaping the industry by getting strong government action. Now the question is how much does the Trump administration care about spyware? How much time and effort will it invest in punishing people or I guess rewarding them? And so that's still a question. It's signed up to the Pall Mall Process. So there was a states' voluntary and non-binding code of practice. And that code of practice actually says these two things in like paragraph 8, section C or something like that. So it's not the core of the code of practice, but I think it should be. I think it should be what states aspire to is actually taking action that shapes company behavior. Like committing in a non-binding way to do that is great. Now they actually need to do it, I think.
A
Yeah, I mean it definitely feels like it has a lot more oomph and meaning behind it if it's not voluntary and non-binding.
B
Yeah, well, I mean, I think the reason so many of these agreements are voluntary and non-binding is it's a lot easier to sign up to something.
A
You know, you can back out whenever you want.
B
That's right. And there's like, to be fair, there's instances where states have different, you know, different motivations. Like not every state is the same. And so the article that I sort of raised this as something to talk about for me was actually in cybersecurity and the topics were dealing with just industry and it was, you know, who should the rules apply to, how to incentivize and measure compliance and what to do with companies with a chequered past. And I think these are all very difficult questions and you can spend a long time thinking about them and getting more and more precise language. And it doesn't actually change like what will get companies to. It doesn't really get to the root of what will actually get companies to change their behavior. And I think that is punishment and reward. Yeah. And so, I mean it's the kind of toddler approach to.
A
I was going to say think of them like a small child.
B
Yeah.
A
Hey, jumping onto the next story now, Tom, we learned recently that China has got all its hacking fingers up in Downing Street and has for a few years, which kind of had you pondering today about the usefulness of the strict telco regulations that the UK has. And I mean, when you compare the UK, which has a lot, and the US, which kind of has a bit of a she'll be right attitude, both have been Salt Typhooned. So what's your thinking? Are telco regulations even that important when it comes to Salt Typhoon?
B
Salt Typhoon is a Chinese hacking group that has compromised telcos worldwide. They've been outrageously successful in the US and this is the first report that we've got in the UK. So one thought is that perhaps they've just been less successful in the UK. It's at this stage, the US reporting, there's multiple outlets talking about like nine different telcos. And so it's early days for the UK's reporting. I'm not convinced it's as serious, but it's just too early to say. Now the focus of Salt Typhoon has been on particular very high profile politicians and officials. So in the US, the people they've talked about targeting were in the Kamala Harris presidential campaign and in Donald Trump's presidential campaign. So this was before the election and it appears that they were successful. They were able to get access to calls and texts and I actually think that if that's your problem, telco regulation is not the answer. So I think it's a lot more simple to say you're a very important person. Here's a locked down phone, use Signal on it or use WhatsApp or anything that's end-to-end encrypted. And then you can do other things. For example, you might say only talk to these people on this phone. So you have a purpose phone for your friends and family, one for business contacts, one for the political party. You know, you compartmentalize and have separate phones for separate purposes if you think you're that important or if it's that worthwhile. And then you can even like throw out your phones after a month or two, disappearing messages, all that kind of stuff. So there's lots of practical mitigations that you can do that don't rely on spending millions or billions to upgrade the telco network. Probably might not be effective anyway. I think that's a cheap, easy to implement strategy for protecting very important people. That'll work like quite well. It's not perfect but bang for buck it's, it's far better.
A
Now given that. Tom, does that mean that the really strict UK regulations as opposed to the US's none really was just a total waste of 150 pages or.
B
Well, yeah, okay, I think it's a good question. What does it actually get you? So I think one, one interesting thing is that part of the regulation is about the network as a whole. We want it to be resilient and we want it to not be susceptible to things like sabotage. So both Australia and the UK have started down this and I'm sure other countries as well have started down increasing regulation for the telecommunications sector because of increasing worries about states that might want to sabotage or disrupt telecommunications networks. So there's an increasing risk and it's also the telecommunications networks are increasingly important because many other things rely upon them. So it's not as if, you know, back in the old days if the telephone went down, you didn't have telephone, but if it goes down nowadays there's a whole lot of services that rely on, that sit on top of the telco network. And so it's the, the impact of that is also much higher. And so you know, if the risk and the impact goes up, perhaps you should do more about it. That's the, I guess the philosophical justification. Now the Biden administration after Salt Typhoon said let's, the FCC, they sort of shoehorned some regulation in using a particular law. And subsequently the new FCC chairman Brendan Carr has come along and said, ah, look, this law was ineffective and burdensome. And I think when it comes to like protecting high profile officials. That's right, as I've said, there are cheaper and easier ways to do it. I think the problem is, he then went on to say, and look, the telcos have done all these things to improve their security since then. So it's telcos responding to political pressure because like having every single telco in your country compromised is a bad look. I think now, to be fair, it's probably not every single one, but it was like the major ones, like I think nine, at least nine was the figure I'd heard.
Part of Chairman Carr's justification is that, look, telcos have done all this good work to improve their security. He called it extensive coordinated efforts, accelerated patching equipment, updating access controls, improving threat hunting and cyber security information sharing efforts. And people who have been in the industry a long time will laugh at information sharing efforts because that's the go-to number one thing. So those I think are not bad responses. Right, that's good. But they're also things that already existed in the UK's security regulation, as far as I can tell from the level of technical detail I've got and also.
A
The way that it's, that it's sort of set here, it certainly feels like a sort of a hand again, a handshake agreement. Yeah, that's right.
B
And I think it's, there's political pressure, we'll do more until people have forgotten, management's turned over a bit. Why are we doing this? What's the point? It's costing us lots of money. And the fundamental problem is that companies just don't invest enough in security because when things go bad they often don't wear the consequences. So I guess like Salt Typhoon is a good example, they got compromised. And it's like commercially it has no impact because, you know, what does it matter to whoever, whatever telco, that someone's phone calls are being listened to? Like, there's no, they don't lose money from that. And so security investment is a cost center and so typically they underinvest. Now what the regulation is trying to do is to make it much harder for those sort of rare but very, very high impact events that telcos on their own would never spend any time and effort trying to tackle because they're rare, they're high impact, but the telco probably won't wear the cost anyway. And so I think what the UK regulation really gets is that the UK now has a way of saying, what is telcos' security posture like? We have a process to know what it is and we have a process to ramp it up if we think that's necessary. And so they're not making rules up out of nowhere. They've got the UK's NCSC giving advice. All that is like that is burdensome. It's expensive. They have to spend more than they want to on security. But that's the whole point is to get them to spend more than they want to on security. And so in some ways it's a philosophical approach, like companies should be just free to make money regardless of how much it hurts other people. Hurts other people, imposes risks on other people. And you can argue that that is. That is one way of running government regulation. I don't think it's the right way because in the case of something like there's a Chinese group called Volt Typhoon that has been compromising US critical infrastructure.
And Microsoft says part of the point was to be able to disrupt U.S. telecommunications services. So I think. And that was not an end in itself, but it was to possibly help with some sort of invasion scenario of Taiwan. And so the consequences, I guess that's a perfect example, right? The telco doesn't bear the consequences of China invading Taiwan. Like it's protecting against that is a cost center that it doesn't think it needs to do anything about. Yet at the same time, I think the US would be better off if they were better defended from that kind of scenario, better protected.
A
On that note, Tom, we might actually leave it there, but thank you so much. Always a pleasure. And you can of course check out Tom's Seriously Risky Business newsletter at our website, Risky Biz. But Tom, thanks so much for the chat once again and we'll see you same time next week.
B
Thanks, Amberly. Sam.
Podcast: Risky Bulletin
Host: Amberly Jack
Guest: Tom Uren (Policy and Intelligence Editor)
Date: January 29, 2026
This episode of Seriously Risky Biz explores the global fight against abusive commercial spyware and the effectiveness of government strategies to shape the industry. Amberly Jack and Tom Uren analyze the limitations of voluntary industry standards, discuss practical alternatives for telecom security, and weigh the costs and benefits of regulatory approaches in the context of high-profile cyberattacks attributed to Chinese hacking groups.
Structural Incentives:
Philosophical Divide:
One philosophy: let companies maximize profit regardless of broader societal risks.
Tom argues for a regulation model that accounts for the state-level consequences of cyber-sabotage (e.g., Chinese group Volt Typhoon preparing for scenarios related to Taiwan).
On Punishment vs. Reward (Spyware industry):
On Practical Security for High-Profile Targets:
On the Limits of Telecom Regulation:
On Government vs. Corporate Responsibility:
The conversation is frank, mildly cynical, and pragmatic, with a clear-eyed view of both international regulation and the practical realities of industry incentives in cybersecurity. Amberly and Tom maintain a collegial and occasionally wry tone, especially when critiquing government and corporate postures.
For further reading, listeners are encouraged to check out Tom Uren’s Seriously Risky Business newsletter at Risky Biz.