
A
Hey everyone and welcome along to Seriously Risky Business. This is our podcast where we kind of look at the big picture stuff like cybersecurity policy and intelligence. My name's Amberly Jack and very shortly I'll bring in our policy and intelligence editor, Tom Uran, and we're going to have a chat about the Seriously Risky Business newsletter that Tom has written up this week. You can read that and subscribe over at our website, Risky Biz. But first I'd like to thank our sponsor for this week, which is Sublime Security. And you can find them at Sublime Security. G'day, Tom. It is great to see you.
B
Hi Amberly, how are you?
A
Yeah, really good, thanks. Hey, I want to jump straight into your first story here and you have taken a look at the war in Iran, but Iran's cyber retaliation to date, which has largely been missing in action. But you've actually looked at this through a bit of a longer term lens here, Tom, and it is your thinking that even if all of the US's military goals are achieved during this war, the post war risk of Iranian cyber mayhem is pretty high. And I guess to start with, Tom, let's take a look back at what Iran has been doing to date. And the big one is this attack on US medical device maker Stryker and Iran. I'm assuming if you ask the people at Stryker, they would say this is a pretty big deal, but why isn't it in the grand scheme of things here?
B
Yeah, it's all about a sense of proportion. So I think from Stryker's point of view, it is a big deal. They've been out of action for, is it one week or two weeks? I read today that they're just starting to bring back their systems.
A
That feels like a really long time in terms of cyber attack.
B
I think it's a successful one from an Iranian point of view. Like, often these things can drag on because people are trying to kick people out and they're actually switching off systems to prevent things getting worse. So it's on the longer side. Now the problem from a big picture point of view is that I'm sure if you asked Secretary Hegseth or President Trump, you know, what about Stryker? They would go, what are you talking about? Yeah, what sort of missile is that? I've never heard of that missile. And it just doesn't register at the top level of policymaking now. I think if 1,000 companies had been affected, yeah, that would be a political issue that may get the US leadership to reconsider. Now, somewhere between 1,000 and 1 companies, it starts to register and it's probably not linear. So I think, you know, if it was 10 companies, it's probably not a big deal either. And it's inconceivable to me that any country could really cause enough sudden ransomware impact that it would make a difference to something as big and significant as a real war.
A
Yeah, yeah, for sure.
B
Now, I suppose part of the motivation for this article is that every time there's a blow up between the US and Iran, companies will warn of the possibility of cyber retaliation, which, I mean, I suppose is fair enough, but it also never happens in any significant way. But I think this time perhaps is different because America's stated goals, per the White House, are to obliterate Iran's ballistic missile arsenal, annihilate its navy, sever its support for terrorist proxies, and make sure that it can't build a nuclear weapon. So the war from a military perspective, from a blowing things up perspective, is going well. The US and Israel are successfully blowing a lot of things up. Now, if they 100% achieve those goals, which I'm a bit sceptical about, but let's grant that, what does that leave the Iranian government? I'm assuming that barring regime change, which right now doesn't look likely, but who knows, barring that, they will still want to project power overseas. They want to achieve things that they can sell as victories internally. And I think that if you destroy all their other capabilities, that kind of leaves cyber capabilities. That's what they'll have left. And I think it's a bit more than just, you know, if you've got a hammer, you know, every solution looks like a nail. Is that, you know the saying, that's a terrible. I got it totally wrong, but that's the saying, something like that. But I think there's actually positive attributes that cyber has. Like it's tremendously resilient. So it's not as if the US can bomb a supply chain and stop production. You can't destroy the equivalent of nuclear facilities and stop production for good. It's all wrapped up in people's heads. Unless you somehow manage to kill all of Iran's hackers all at once. Like, the capability is very resilient. All it needs is for them to go and buy some more laptops or whatever. And so it's like the cockroach of their power projection.
It'll be around even if everything else gets blown up. And it's also something that you can grow quite quickly. So if you as a state want to develop that, it just requires political will. And so North Korea demonstrated that over maybe a decade, they went from relatively rudimentary capabilities to actually quite a good program. And they did that through talent identification, siphoning off the most capable people and putting them in, I guess, hothouse programs to really develop that talent. And so if Iran wants to do that, they can do it. And in a way, I think that removing other capabilities, other tools that they could use in a way forces them to try and double down on this.
A
If you're looking at a post war context, you've got a country that has been very heavily bombed. So something cheap, something resilient and something kind of fast is going to look really attractive.
B
Yeah. And there's already. I spoke with Hamid Kashfi, who's a specialist on Iranian cyber, with the Grugq a while ago, and he was saying that they're already on a trajectory of improvement and that previously the sort of regime's own internal dynamics had prevented them from doing much better. Will this war change it? It could. So I think that rather than this being a short term "they're going to strike back right now", I think this is perhaps a long term change in how much Iran will invest in this program, how capable that program will be and how much they'll try and use it. So although Iran has, I guess it's been the sort of third or fourth worst cyber power from a malicious point of view, but I think it's been like a distant fourth rather than a close.
A
Yeah, yeah.
B
And so I think that may change. It may ramp up its efforts.
A
There's something you mentioned in the newsletter, Tom, you sort of said these cyber capabilities, they can provide really quick wins, but without the risk of being bombed. Is that more because things have escalated to the point where they can't escalate anymore, or is that because cyber is generally sort of mischievous and not enough to warrant?
B
Yeah, yeah. So it's generally, I guess it goes back to what I said at the beginning. It's generally just not that good. So the Iranian group that pulled off that operation against Stryker, that was a very good operation. Like, they did a good job, but what more could they have done? Like they wiped everything. I think perhaps wiping or getting into more critical industries, something like Colonial Pipeline, could have been worse, but it doesn't seem to me even at that type of level, when you get into some critical piece of American critical infrastructure, people don't call for bombs in response. So when Colonial Pipeline happened, that was very significant. No one was saying we need to launch missiles at these people. So it's hard to imagine the sort of scenario that they would occur in. Like from an Iranian point of view, what is there? What will there be left to bomb anyway? Because cyber operations tend to be limited in their effects, that mitigates the risk of being bombed in retaliation. And I also think that once the bombing stops, it's very hard politically to start it up again. Not necessarily like in capacity wise, but just actually taking that step. I think it's a big step to resume bombing. So like, I actually think that from an Iranian point of view, a propaganda win with very low risk of any kind of retaliation, significant retaliation is probably where they want to be operating.
A
So look out for some Iranian cyber mayhem on the horizon then.
B
Yeah, we'll see, we'll see. That's my prediction. But who knows?
A
Moving on, Tom, to your second piece here. Instagram is ditching end to end encrypted messaging in May. And you are very on side with this. And it largely comes down to the fact that social media is really popular with young and vulnerable people and if left unchecked can make them kind of a hub for predatory gross behavior. Is that the gist of it?
B
I think that's like, yeah, the high level. So I think there's a long history of this. So back in 2019, Mark Zuckerberg said social media is going to be private and we're going to roll out end to end encrypted messaging everywhere. So they already had WhatsApp, but they committed to rolling it out to Facebook Messenger, which is the messaging service attached to Facebook. And we're going to roll it out to Instagram. Now back at that time there was a lot of people who thought that was a terrible idea. And so part like you said, the main reason is that if you're operating on a social media platform, there's naturally relatively open groups that you can associate with and then it's easy to reach out to people.
A
Yeah.
B
Now if those messages aren't encrypted, it's at least possible for the platform to do things to try and mitigate predatory behavior. Predatory, abusive, cyberbullying, all sorts of bad behaviors. And in fact, at the time, the people in Meta who were leading the trust and safety type organizations were saying this is a terrible idea. No good's going to come out of this. So there was a Reuters report a couple of months ago that reported on documents that had come out in a court case.
A
Yeah.
B
And you know, they gave a sort of hypothetical example. If they were talking about Messenger in this case, if it had been encrypted, we wouldn't have been able to provide data on like literally thousands of sextortion cases, 152 terrorist cases and nine threatened school shootings were the actual figures.
A
That kind of struck me as well when I was, when I was reading your piece this morning, Tom, is when you are talking about rolling something out and it's your staffers that are saying this is a really terrible idea.
B
Yeah. I think this is the way to think about this, is that Facebook, Meta, Mark Zuckerberg responds when there's political pressure. So at that time there had been a number of scandals around data privacy. Like you remember Cambridge Analytica, where it was, you know, the whole scandal was, I thought, ridiculous, but it was still a scandal. And so the rollout of end to end encryption was perceived as a solution to their problems at that time. Now there's a number of scandals related to the harms to children and young people. So pulling back on end to end encryption is the answer to those problems. And so from a policymaker point of view, I think the big picture is if you want behavior, you need to elevate it as a priority and force these companies to do the right thing because they're responsive to public pressure and that's the only thing that's driving them. And like the super cynical view is that end to end encryption is a way to avoid public pressure because all of a sudden they can't see these problems.
A
Right.
B
Nothing to see here. Now all of those reasons, I think that it never made sense to roll out end to end encryption to Messenger. It's there now, it's by default. I don't think it's going to go away, but I think it's good news that it's not going to go further. So I think Instagram, that's probably now used by more young people than Facebook. So I think that there's potentially a bigger risk for that platform. So not going out to Instagram, I think it's still a win.
A
And Meta's not alone here. Like TikTok have recently also come out and said that they're not going to do it for TikTok as well.
B
Yeah, yeah, yeah. So I think there's good reasons and there's all sorts of things that you can which are basically the same for Facebook. I think there's all sorts of things you can potentially do when you have access to those messages. There's a lot of advocates who argue that private messages should always be perfectly private. I think there's many different interests that need to be balanced. And so if I want to send messages that I want to be particularly secure, I'll use Signal or WhatsApp. I think that as a sort of portfolio approach to the whole ecosystem is kind of fine. I think that attaching a social network with end to end encryption is like, we don't necessarily need that.
A
Yeah. And that was one of the things that sort of struck me with your newsletter as well, is you're not saying that there should not be end to end encrypted messaging anywhere. You're saying there is a time and a place, and the time and the place is not social media. So you're for Signal and WhatsApp and platforms like that.
B
Yeah. So quite a while ago, I wrote a paper when I was in a different job, which was about the future of assistance to law enforcement in an end to end encrypted world. And I was speaking to people in different social media organizations and I asked them, can you think of any example where someone has been harmed by the lack of end to end encryption on your platform? And none of them could come up with a single example.
A
Yeah. Right.
B
And so I thought that was very telling at the time. Like that's a theoretical risk that someone is somehow going to read your messages. For the vast majority of people, like that just never happens. And I'm talking about well run platforms, big platforms. And so I'm skeptical that the benefits that you get if the people in those organizations can't give me an example when they're arguing for end to end encryption. Like, I'm really sceptical that there are many harms from not having it.
A
Finally, Tom, very quickly, Donald Trump has an interesting strategy when it comes to the very real dilemma of smartphones and security risks for politicians. Please tell me more.
B
Yeah, so there's a couple of stories. There's one in The Atlantic and one in Semafor. I find them just tremendously entertaining. And apparently President Trump's personal phone number is an open secret in Washington and people are trading it for different phone numbers. Amazingly, reporters are just ringing up President Trump and he'll answer the phone. And so in the past, I've written about the dilemma for politicians. They must use smartphones, but they're also horrendously insecure. So, I mean, we were just talking last week about, you know, this super advanced exploit kit that would compromise your phone and I think it's fascinating that he just answers the phone and talks to people. It is really concerning when politicians are using phones like that because of adversary foreign intelligence services. In this case, it's, you know, what Trump says, it's inconsistent between different phone calls. So I just think that there's actually, like, very little intelligence value in those calls. And I've got examples where he tells people, like, over the space of a week, you know, five or six different answers about how long the war in Iran will go and, you know, it'll be over in two or three days, it'll be over in a week. It'll never be over. We've won. And so from a foreign intelligence service, you know, what are you going to say? Unreportable.
A
Yeah. So making things fairly easy for foreign intelligence services, but very easy giving them no value.
B
Yeah, very easy to collect nothing of importance.
A
Hey, look, on that note, Tom, we will leave it there, but thank you so much for joining me again. And you can, of course, read and subscribe to Tom's Seriously Risky Business newsletter over at our website, Risky Biz. But, Tom, I will catch you the same time next week.
B
Thanks, Amberly.
Episode Title: Srsly Risky Biz: Successful war leaves Iran with one option, its cyber forces
Date: March 19, 2026
Host: Amberly Jack
Guest: Tom Uran, Policy and Intelligence Editor
In this episode, Amberly Jack and Tom Uran discuss the evolving cybersecurity landscape through the lens of recent geopolitical events. They focus primarily on the aftershocks of the ongoing war involving Iran, the shift in cyber tactics as conventional Iranian power is decimated, and how social platforms are rethinking the adoption of end-to-end encryption. The episode closes with a lighter look at Donald Trump's unconventional approach to smartphone security.
Relative Impact of Iranian Cyber Retaliation
Limits and Possibilities of Cyber as Retaliation
The Unique Attributes of Cyber Capabilities
Long-term Risks and Outlook
Instagram’s Change in Encryption Plans
Balancing Safety and Privacy
Corporate Motives and Regulatory Pressure
Practical Take
Open Secret:
Security Implications
For more on these topics, read Tom Uran’s Seriously Risky Business newsletter at Risky Biz.