Risky Bulletin: "Srsly Risky Biz: Punish the Wicked and Reward the Righteous"

Podcast: Risky Bulletin
Host: Amberly Jack
Guest: Tom Uren (Policy and Intelligence Editor)
Date: January 29, 2026

Episode Overview

This episode of Seriously Risky Biz explores the global fight against abusive commercial spyware and the effectiveness of government strategies to shape the industry. Amberly Jack and Tom Uren analyze the limitations of voluntary industry standards, discuss practical alternatives for telecom security, and weigh the costs and benefits of regulatory approaches in the context of high-profile cyberattacks attributed to Chinese hacking groups.

Key Discussion Points & Insights

1. The "Palmail Process" and Government Strategies Against Spyware

• Topic Introduction: The Palmail process is an international diplomatic effort aiming to rein in abusive commercial spyware by developing voluntary industry standards.
• US Approach: The US response to the spyware problem, particularly following revelations about the NSO Group, has been both punitive (sanctions and restrictions) and incentivizing for companies that align with US ethical and security interests.

Two-Pronged Blueprint:

• Punish the Wicked:
  • Sanctions imposed on NSO Group and visa restrictions on individuals involved in abusive spyware activities.
  • These actions are fundamentally reactive, targeting bad actors after abuses have been exposed.
• Reward the Righteous:
  • Companies like Paragon Solutions actively sought US approval by aligning their customer base with countries the US "would not object to"—notably more pro-Western nations.
  • Paragon quickly dropped clients (e.g., the Italian government) when their product was used to target journalists and activists; this strategy culminated in US contracts and a lucrative sale.
• Key Insight:
  • “I think those two arms, punish the wicked and reward the good, are what will fundamentally shape the spyware industry.” – Tom Uren (05:26)

Limitations of Voluntary Standards:

• Many international codes and standards are voluntary and nonbinding, making them easier to sign but ultimately less effective.
  • “It’s a lot easier to sign up to something… you can back out whenever you want.” – Amberly Jack (06:19)
  • “What will actually get companies to change their behavior… that is punishment and reward.” – Tom Uren (06:45)

2. Effectiveness of Telecom Regulation Against State-Backed Hacking

• New Revelations: Chinese hacking group Salt Typhoon has compromised numerous telcos in both the US and UK, raising questions about the effectiveness of strict telecom regulations.
  • “Salt Typhoon is a Chinese hacking group that has compromised telcos worldwide. They’ve had been outrageously successful in the US and this is the first report that we’ve got in the UK.” – Tom Uren (07:57)

UK vs US Regulatory Posture:

• UK: Strict Telecom Regulations
  • Intended to ensure network resilience, particularly in the face of potential sabotage by hostile states.
  • Regulation includes government processes for assessing and improving telco security posture.
• US: Laxer Approach, Reliance on Political Pressure
  • The FCC imposed some regulations after the Salt Typhoon attacks, but the new chairman called these measures “ineffective and burdensome.”
  • Improvements in telco security are mostly attributed to political pressure rather than strict adherence to regulation.

Are Heavy Regulations Effective?

• Regulations are justified as a response to increased risk and impact due to the dependency of modern societies on telecommunications.
• However, for targeted attacks against high-profile individuals, Tom Uren recommends simpler, cheaper mitigations:
  • Provision of locked-down, compartmentalized phones using end-to-end encryption instead of expensive, network-wide upgrades.
  • “If that’s your problem, telco regulation is not the answer… use Signal on it or use WhatsApp or anything that’s end to end encrypted.” – Tom Uren (09:11)
  • Investing millions in network upgrades is less effective than practical operational security for key targets.

3. The Challenge of Security Investment

• Structural Incentives:

  • Security is frequently seen as a cost center; telcos and companies have little commercial incentive to protect against rare, high-impact intrusions because they rarely bear direct consequences.
    • “Companies just don’t invest enough in security because when things go bad, they often don’t wear the consequences.” – Tom Uren (13:46)
  • Regulations aim to make rare but catastrophic events less likely, even if they’re expensive and burdensome.

• Philosophical Divide:

  • One philosophy: let companies maximize profit regardless of broader societal risks.

  • Tom argues for a regulation model that accounts for the state-level consequences of cyber-sabotage (e.g., Chinese group Vault Typhoon preparing for scenarios related to Taiwan).

    • “The telco doesn’t bear the consequences of China invading Taiwan… Yet at the same time, I think the US would be better off if they were better defended from that kind of scenario.” – Tom Uren (15:56)

Notable Quotes & Memorable Moments

• On Punishment vs. Reward (Spyware industry):

  • “Those two arms, punish the wicked and reward the good, are what will fundamentally shape the spyware industry.” – Tom Uren (05:26)
  • “It’s the kind of toddler approach.” – Tom Uren (07:06)
  • “Think of them like a small child.” – Amberly Jack (07:16)
    (Both on how basic incentives drive corporate behavior)

• On Practical Security for High-Profile Targets:

  • “It’s a lot more simple to say: you’re a very important person, here’s a locked down phone, use Signal on it… you can even throw out your phones after a month or two.” – Tom Uren (09:11)

• On the Limits of Telecom Regulation:

  • “Security investment is a cost center and so typically they underinvest.” – Tom Uren (13:46)
  • “What the UK regulation really gets is that the UK now has a way of saying: what is telco’s security posture like? We have a process to ramp it up if we think that’s necessary.” – Tom Uren (14:32)

• On Government vs. Corporate Responsibility:

  • “In some ways, it’s a philosophical approach, like companies should be just free to make money regardless of how much it hurts other people… I don’t think it’s the right way.” – Tom Uren (15:00)

Key Timestamps

• Punish the Wicked, Reward the Righteous — US Approach to Spyware (01:10–06:00)
• Flaws of Voluntary, Non-Binding Industry Standards (06:01–07:16)
• Salt Typhoon: Lessons from Chinese Telco Hacks (07:19–10:17)
• UK vs. US Regulation, and What It Accomplishes (10:32–13:41)
• Structural Analysis: Why Companies Underinvest in Security (13:41–15:56)

Episode Tone

The conversation is frank, mildly cynical, and pragmatic, with a clear-eyed view of both international regulation and the practical realities of industry incentives in cybersecurity. Amberly and Tom maintain a collegial and occasionally wry tone, especially when critiquing government and corporate postures.

For further reading, listeners are encouraged to check out Tom Uren’s Seriously Risky Business newsletter at Risky Biz.