A

Hey, everyone, and welcome to Seriously Risky Biz. This is the podcast here that we do all about cybersecurity policy and intelligence. My name is Amberly Jack, and in just a moment, I'll bring in our policy and intelligence editor, Tom Uren, to talk all about the Seriously Risky Business newsletter that's been published today. And you can of course, read that and subscribe over at our website, Risky Bizarre. But first up, I would like to thank the William and Flora Hewlett foundation for supporting Tom's work here at Risky Biz and also Lawfare, who syndicate his newsletter and publish it on the LawFair Media website. And finally, thanks to our sponsor, Spectrops, this week as well. G', day, Tom. Great to see you.

B

G', day, Amberly. How are you?

A

Not too bad. Although I do kind of feel like we're showing our age a little bit here by waving our fists and yelling at clouds about kids these days. But, Tom, you've got a really good write up where you're looking at a couple of young cyber criminals, one from recent years and one from about a decade ago, and the sort of cybercrime landscape that they grew up in and grew into. And as always, Tom, I love your eternal optimism, but things aren't looking so good.

B

Yeah, yeah. So there's a piece that Bloomberg published which looked at this young man called Noah Urban, who's been arrested and convicted recently to 10 years in prison for his online cyber crimes, basically. And that Bloomberg piece is very interesting and it has a lot of material about how he ended up in that situation, how he got enticed into it. And I thought it was a really interesting contrast. A couple of years ago, Wired had a piece about three teenagers who were involved in writing the Mariah botnet, which. And it sort of charts their history through it as well, how they got enticed into that community. And I found the differences really quite striking in terms of everything just seems to be getting worse. So I'm kind of thinking of it like a funnel. And both sets of kids, the Mirai kids from like the mid-2010s, got into it through online communities like Minecraft. And the same happened with Urban. It was also Minecraft. Now, the Mirae kids had these actual legit technical skills, so they, I guess, gravitated or met each other because they could do things that other kids couldn't. So, for example, like writing code for Minecraft servers, having a denial of service hack, you know, hacking their own schools with denial of service attacks, that kind of thing. And so they Sort of formed a community of technically like minded people. By contrast, Urban, he was basically just good at talking to people. He was polite and he had a deep voice. And so he was able to get into the sim swapping, I guess, community, and he was very, very good at it. So it turns out that at some point someone said to him, why don't you try it? I'll give you $50 for each SIM swap attack that results in a cryptocurrency theft. And so the idea is you take over people's accounts by getting access to their phone numbers, resetting passwords, and he was able to earn $3,000 in a week.

A

So that's, that's a decent paycheck for a week.

B

That's when he was like 15, I think. But of course, if you're getting paid 50 bucks and the person who takes the account is stealing hundreds of thousands or millions in cryptocurrency, that doesn't seem like a good deal. So he, like, it's easy to see how you escalate into stealing that cryptocurrency yourself. And so he later told authorities that he stole something like US$15 million in something like a year and a half. So that's the other big thing that's changed is that there's a huge amount of money involved because of the rise of cryptocurrency. And so the technical skills required, far, far lower. He basically says, Urban says that it was because he was polite and well mannered as well. So that coupled with a deep voice and it sounds like he's a good conversationalist, like a good sense of humor. You can get people to help you out, basically.

A

I think that was one of the things that kind of struck out to me reading through the newsletter, Tom, is you, you talk about the, the redemption paths of these kids and compare them and you know, a decade ago these, these kids with technical ability had a pathway to legitimate, good paying security jobs.

B

Yeah.

A

Whereas when you've got the gift of the gab and that's it.

B

Yeah, yeah. I think that's one of the big differences is a lot more people get involved nowadays. They don't need those technical skills. And at the end of the road, after they get, if they get arrested, it's not as if people are willing to hire you just because you're a good talker. Like there's millions of good talkers in the world. You don't necessarily need one who's been in prison for online crimes. Whereas the, I guess the technical skills, the Mariah Kids had. They're all working in the security industry nowadays. And so it may. I think there's two things that are going on. One is that there's a pathway to a good job. If you had technical skills and the pay was like, I think they could have earned more being criminals, but, you know, that's balanced with the risk.

A

But it wasn't stupid money.

B

Yeah, that's right. Whereas now you can earn stupid money, you know, work for a few years and retire kind of money. And there is no alternative that is attractive. Like, no one's saying you should be reformed and do social engineering for good. Like, that's. That's not a thing. And so I think that that is a really significant change as well, that the pathway for redemption just doesn't. I don't think it exists anymore. The other, I think, pretty significant change is that that online community is a lot more violent nowadays. And I think that's driven by the cryptocurrency involved. So in the old days, a decade ago, there was. There were things like swatting, and that was inevitably driven by online drama. People, you know, disagreeing with each other, that would escalate to swatting. But nowadays, because of the cryptocurrency, people want to basically steal it and they'll hire people, kidnap you, take you in a van, put a, you know, put a hood over your head, hold a gun to your head and try and get the cryptocurrency out of you. And so that changes, I think, well, hardens people, I guess. So there's a couple of stories in the Bloomberg piece where Urban is. People try and extort Urban by threatening associates, throwing, you know, throwing bricks into his mother's house, holding a kid he knows at gunpoint. And he just. He's like, no, I'm not going to pay a ransom. It's the. It's the. He takes the US government approach to ransoms and we never pay ransoms. But I think it makes it harder when you've been in that kind of environment, like, to have a pathway to redemption as well.

A

Yeah, for sure. I just had a. Had a flashback to when I was, you know, 15 and working for whatever it was. $5 an hour at the local video shop.

B

Yep.

A

Not the best money, but I never had to explain to my mum why bricks were being thrown through her window, so.

B

That's right. Good old days.

A

Yeah. And so, Tom, is it all just doom and gloom and it's only ever going to get worse? You sort of mentioned, you know, we need to try and cut off these online pipelines at the knees. But how. How do authorities and governments go about doing that?

B

What.

A

What's the answer?

B

Yeah, that's a good question. So I think that there just need to be interventions earlier. Like, I'm not 100% clear what they are, but I think that the platforms have some responsibility there. So the. The ones that come up are Discord, Minecraft, Telegram to an extent as well. Definitely Telegram. And so there are ways that they can be encouraged to crack down more. And I think the dynamic has been that police have got involved, that slowed these kids down temporarily at times. And there's also a dynamic where when they're underage, you can arrest them or raid them and it slows them down, but it's very hard to actually stop them. And so what tends to happen is they reach 18, 19, 20, they get arrested, convicted, and put in jail, which I think is also a bad outcome. So I think the. The earlier interventions will make a difference to some kids, and they'll also reduce the size of the online population that gets into these crimes. So there is no silver bullet solution that will stop this. I think that describing it as a pipeline is correct, but there's also a lot in, I think both stories where the kids are encouraged to be more extreme because it's a social dynamic where you get attention and status if you do something exciting and different. And so for the Mariah kids, it was exhibiting technical prowess. You know, creating a botnet that worked better was bigger. More recently, it's getting into bigger and bigger thefts of money or disruptions of companies. And so the crimes are actually also more disruptive because of the rise of ransomware. So there's several different elements that are going in to make everything just worse, I suppose, like, just stepping back, big picture. If things are worse, you need to spend more time and effort trying to fix it.

A

Yeah.

B

So it's not a time to just assume that the status quo is good enough.

A

Yeah, yeah, for sure. And I mean, we're not dissing the fact that there's been a string of arrests lately, because that's clearly a good thing, but there just needs to be more done.

B

Yeah, more done. Probably more arrests and also probably more earlier on as well.

A

Yeah, for sure. And, Tom, your second story that you've written up today, you've looked into a report that sort of reckons you the US can win the cyber war by stopping a punching bag, basically.

B

Yeah. Yeah. So it's CSRS report, it's the center for Strategic and International Studies. It's called or titled A Playbook for Winning the Cyber War. And it's got a whole lot of different chapters. I thought the most interesting part was the way it talks about deterrence. So there is a dynamic, or I guess the received wisdom is that deterrence doesn't work in cyberspace. And so the whole rise of the notion of persistent engagement, where it's just this place of constant struggle in a way stems out from the failure of deterrence. The report points out that America's approach to deterrence has been very, very narrow. So what it's tried to do, the US is focus on cyber actors and target them when they've done bad stuff. And so the problem is that you're basically targeting foot soldiers in a broader campaign. And of course that does nothing. Those costs of having a. For China, for example, it's had a long running intellectual property theft campaign and a number of companies and individuals have been indicted and sanctioned. And so those companies, like they're expendable essentially is my view. When you're growing entire industries with some of the, with the help of intellectual property theft, it's not the sole factor, but it is a part of the factor. So instead it says the US should embrace a strategy of deterrence by punishment. And it's not punishing the cyber actor, it's punishing the country behind the cyber actor. So for example, it suggests that instead of, you know, sanctioning front company, maybe a proportionate response might be to target some of China's what are called the five poisons. So the Communist Party has five poisons, which it thinks are the biggest threats to internal stability. So democracy advocates Taiwanese independence advocates Uyghurs, Tibetans and the Falun Gong. And so an example it gives is that if Beijing's penetrating US power grids, perhaps the US could release detailed information about Uyghur prison camps, like satellite photos, that kind of thing that would be very embarrassing to the regime and give the, the five poisons ammunition, I guess, a leg up. And so that to me makes sense because you're matching a significant long term benefit to the Chinese with also a significant threat. So I thought that was really interesting. I think that's an interesting idea. I think they're probably right to deter those kind of campaigns, you need to really have something at risk. They also point out that you've got a signal that shift though you don't just start doing out of the blue.

A

I love that they're like, here's some specific words you can use when you announce this.

B

Yeah, yeah, they've got some sample text, so I thought that was the highlight of the report. There's a whole lot of other stuff in there, but to me, that seems like a key insight that I haven't seen expressed anywhere else.

A

And so you, I mean, just before, Tom, you. You sort of said that you. You kind of agree with this. This idea. And do you. Once again, I'm going to ask you to pull out that crystal ball of yours. Do you think it's likely to happen?

B

I think that if there's any president that would do it, it's President Trump. Right. But I also think that Trump has different interests, like he prosecutes things he cares about. I think that the cyber aspect is kind of, I suppose, subsumed by the broader loss of American manufacturing. So I guess the short answer is no, but I think the chances are higher than ever that it might happen.

A

Okay. All right, we'll take it. And on that note, Tom, we will. We will leave it there. But thank you so much for joining me, and we will catch you again the same time next week.

B

Thanks, Emily.