Risky Bulletin: Srsly Risky Biz – The West's Tepid China Deterrence is Not Working
Episode Release Date: July 31, 2025
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor at Risky Business
In this engaging episode of Risky Bulletin, host Amberly Jack converses with Tom Uren about pressing cybersecurity issues, focusing on the West's ineffective deterrence against Chinese cyber activities. The discussion delves into recent exploitation of Microsoft SharePoint vulnerabilities, the challenges of outsourcing IT services, and Microsoft's controversial practices involving Chinese engineers in Department of Defense (DoD) cloud systems. Below is a comprehensive summary highlighting the key points, insights, and notable quotes from the conversation.
1. Exploitation of Microsoft SharePoint Vulnerabilities
Timestamp: [00:45]
Tom Uren draws parallels between the recent exploitation of Microsoft SharePoint vulnerabilities and the widespread attacks on Microsoft Exchange servers in 2021. He explains that the vulnerabilities were first found by a researcher who reported them to Microsoft, but that exploitation began, slowly at first, before patches were publicly released, and then escalated uncontrollably.
Tom Uren [01:01]:
"It's a step-by-step exact repeat... if you've got SharePoint on the Internet and it hasn't been patched, it's been compromised."
Key Points:
- Pattern of Exploitation: The method of exploiting SharePoint mirrors the 2021 Exchange server attacks, indicating a recurring strategy by threat actors.
- Scope of Impact: While Exchange affected hundreds of thousands of servers globally, SharePoint's impact is smaller but still significant, affecting tens of thousands, including government servers.
- Microsoft's Advanced Protections Program: Speculation arose that the vulnerabilities may have leaked from Microsoft's Advanced Protections Program, which gives select security vendors early access to vulnerability details and fixes.
2. Inefficacy of Western Deterrence Measures
Timestamp: [04:41]
Tom Uren criticizes the Western response to repeated cyber-attacks by Chinese actors, emphasizing that previous condemnations have failed to deter further malicious activities.
Tom Uren [04:41]:
"Those condemnations did not work. They did not deter Chinese actors from doing essentially exactly the same thing again."
Key Points:
- International Condemnation: In 2021, the U.S. and its allies publicly condemned China for cyber-attacks, but this approach proved ineffective.
- Lack of Consequential Actions: Although there was a strong rhetorical response, no substantial measures like sanctions or tariffs were implemented to address the underlying issues.
- Repeat Offenses: The recurrence of similar attacks indicates a lack of deterrence and raises questions about the effectiveness of current policies.
3. Offensive Cyber Operations as a Response
Timestamp: [04:49]
The discussion shifts to potential strategies for the U.S. to counteract Chinese cyber threats. Tom Uren mentions the Trump administration's inclination towards offensive cyber operations as a form of deterrence.
Tom Uren [04:49]:
"Trump would say, I don't like Chinese hacking. I'm going to impose tariffs. And that seems like that tool in the toolkit has been used."
Key Points:
- Offensive vs. Defensive Measures: Uren advocates for focusing offensive cyber operations on large-scale, strategic threats rather than individual incidents.
- Targeting Persistent Threats: Emphasis is placed on disrupting ongoing campaigns like "Salt Typhoon" and "Volt Typhoon," which aim to compromise U.S. critical infrastructure.
- Effectiveness of Disruptive Actions: Highlighting successes like the Department of Justice taking down a botnet used by Volt Typhoon, Uren suggests that targeted disruptions are more impactful than reactive measures.
4. Risks of Outsourcing IT Services: The Clorox vs. Cognizant Case
Timestamp: [09:16]
Tom Uren discusses a lawsuit filed by Clorox against Cognizant, highlighting the inherent risks of outsourcing even simple IT services like help desk support.
Tom Uren [09:45]:
"Good security might be if someone rings you up... get that person to then send you a selfie with maybe an ID... and that is not quick. That's a bit painful."
Key Points:
- Security vs. Efficiency: The lawsuit reveals how outsourced IT support may prioritize quick resolution of issues over stringent security protocols, creating vulnerabilities.
- Misaligned Incentives: Service providers may be incentivized to resolve tickets rapidly, potentially compromising security for speed.
- Loss of Control: Outsourcing can lead to diminished oversight and control over IT security measures, as evidenced by Cognizant's defense blaming Clorox's internal cybersecurity competence.
- Legal Implications: The case underscores the need for rigorous contractual agreements and security standards when engaging third-party IT services.
5. Microsoft's Use of Chinese Engineers in DoD Cloud Systems
Timestamp: [13:32]
The conversation turns to a ProPublica report revealing that Microsoft outsourced maintenance support for DoD cloud systems to Chinese engineers, a practice that sparked significant security concerns.
Tom Uren [16:34]:
"It's such a big problem that they can't eliminate foreign engineers altogether. They've just eliminated the most problematic ones in the short term."
Key Points:
- Outsourcing to China: Microsoft contracted Chinese engineers to manage DoD cloud systems, justifying it as a cost-saving measure.
- Security Risks: These engineers, often paid minimally and lacking advanced technical skills, posed significant security risks, potentially allowing adversaries unauthorized access.
- Response and Accountability: Following the exposé, Microsoft ceased employing Chinese engineers for U.S. federal government systems, with high-level officials like Secretary of Defense Pete Hegseth publicly condemning the practice.
- Broader Implications: The incident raises concerns about the viability of outsourcing critical government infrastructure to foreign entities, highlighting the challenges in ensuring security and trust.
Conclusion
In this episode of Risky Bulletin, Amberly Jack and Tom Uren critically examine the ongoing challenges in cybersecurity, particularly focusing on the ineffective deterrence against Chinese cyber activities. The discussion underscores the need for more robust and strategic responses, such as targeted offensive operations and stringent oversight of outsourced IT services. Additionally, the episode highlights the vulnerabilities introduced by global outsourcing practices, as exemplified by Microsoft's controversial use of Chinese engineers for DoD cloud systems. The insights provided serve as a call to action for policymakers and organizations to reassess their cybersecurity strategies and partnerships to better safeguard critical infrastructure and information.
For more in-depth analysis and updates on cybersecurity policies and intelligence, subscribe to the Seriously Risky Biz newsletter available on the Risky Biz website.
