Amberly Jack
Hey, everyone, and welcome to Seriously Risky Biz. This is the podcast that we do here at Risky Business, all about cybersecurity policy and intelligence. My name is Amberly Jack, and in just a moment, I'll bring in Tom Uren, our policy and intelligence editor, to chat about the Seriously Risky Business newsletter that he's put together today. And of course, you can subscribe and read that on our website, Risky Biz. But first, I would like to thank the William and Flora Hewlett Foundation for supporting Tom's work here at Risky Biz and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, we do have a corporate sponsor this week, which is Nucleus Security. But, Tom, g'day.
Tom Uren
G'day, Amberly. How are you?
Amberly Jack
Oh, not too bad, not too bad. And there's a couple of things I want to chat to you about today, but the first piece in your newsletter today, the exploitation of Microsoft SharePoint vulnerabilities has given you a sense of deja vu and not in the best way.
Tom Uren
Yeah, yeah. So when I was learning about this hack, it struck me that it's like exactly the same as what went on in 2021. So in 2021, there was mass exploitation of Microsoft Exchange servers. So pretty much every Microsoft Exchange on-premise server that was visible on the Internet was hacked. So hundreds of thousands of servers were hacked. And the way it went down is that there was a researcher who discovered vulnerabilities and they reported them to Microsoft. And then in the days leading up to Microsoft issuing a patch, there was slow exploitation, and then it just ramped up and up until it was totally widespread and out of control. And in 2021 with Exchange, Microsoft launched an investigation to see if it had leaked from this advance notice program they have called the MAPP, the Microsoft Advanced Protections Program. And basically they give a small, relatively small, I think it's like 90 or 100 vendors advance notice of things that they're going to fix so that they can get a head start, basically. And so the theory is that maybe someone leaked that. And this is exactly what happened with SharePoint, like the other week. So there was small exploitation in the days before Microsoft released the patch publicly, and then that picked up, got larger and larger. And essentially, if you've got SharePoint on the Internet and it hasn't been patched, it's been compromised. Now, SharePoint is a smaller product than Exchange. It's got a smaller user base. So instead of hundreds of thousands of servers, it's just tens of thousands, but it's a number in the US government, a number of governments around the world, and it's like a step-by-step exact repeat. Now, after the 2021 incident, people at the time thought that it was outrageous. Basically, there was a whole lot of what I'd call collateral damage. So there were servers that were compromised, and they were basically left open so that other people, criminals, could access them, and ransomware actors and criminals. And in many cases multiple times, people were compromising these servers. And so there was a very strong international response at the time. So it was the U.S., the Five Eyes allies, the European Union, NATO. They all issued statements of condemnation and said, you know, China, what are you doing? We don't like this. This is unacceptable. Now, obviously, when you've got something that is an exact repeat of something that's gone on before, those condemnations did not work. They did not deter Chinese actors from doing essentially exactly the same thing again. So that was my first takeaway from that, is that it's just striking how when you've got something that is so similar, obviously your deterrent, whatever you tried to do to stop China last time, had no effect. It's like the actors seem oblivious. Yeah.
Amberly Jack
And I kind of liked how you had in the newsletter, I think you had something like, obviously this coordinated finger wagging didn't quite do the trick.
Tom Uren
Yeah, yeah, yeah. And so the question is, what do you do next? Now, the first thing that comes to mind is that the Trump administration has signaled that they're very keen to use offensive cyber operations against China. They've actually talked about punching back and that they'll want to use it as a form of deterrence. Now, I think that that potentially falls into the same trap that diplomatic action fell into, in that the diplomatic actions tended to be aimed at specific outrageous incidents. So the Exchange server thing, people went, this is outrageous. Let's do something. And they called that incident out. Now, to be fair, they also said there's a pattern of PRC behavior, but they didn't address that pattern with anything consequential. So there were no sanctions, there were no, like, tariffs. So I guess in today's world, it's perfectly plausible that Trump would say, I don't like Chinese hacking. I'm going to impose tariffs. And that seems like a thing that might actually get China to the negotiation table to talk about their hacking. But of course, President Trump has used tariffs for other things that, to be fair, are more important than cybersecurity incidents. So that seems like that tool in the toolkit, or that arrow in the quiver, has been used. You can't also use it for cybersecurity incidents. But they've said that they want to do offensive cyber actions. But I think you need to focus those actions on the big picture threats. So dealing with this incident, it's over, it's done. China's had a win. It's punched the US and other governments in the face. And I think essentially it's gotten away with it at this point. Like, that operation's over. They opportunistically seized a moment in time. But there's no ongoing campaign that will have strategic impact for the US. It's done and dusted. So instead I think those operations, those offensive cyber operations, should be used to tackle those big picture campaigns.
So things like Salt Typhoon, which is compromising US telecommunications infrastructure, I think it would be really a better use of Cyber Command's time and effort to try and disrupt those operations than it would be to try and punch back against the people who are responsible for this particular incident. And also there's Volt Typhoon, which is the group that is trying to compromise US critical infrastructure, people think for disruption in the event of military conflict. It would be a better use of time and effort to disrupt that group than it would be to try and punch back against the particular groups responsible for this.
Amberly Jack
And there's been a bit of that, hasn't there? So you're basically saying just, just give us more of that. Don't worry about the.
Tom Uren
Yeah, that's right. So the US, I think it was announced by the Department of Justice, they took down a botnet that Volt Typhoon was using. So I think those sorts of disruptive actions, I wouldn't really call that one a Cyber Command operation, they may have been involved, I think those are much more useful in that they really get to what is China trying to achieve in cyberspace and how can we disrupt that? Now one of the things they're trying to achieve is opportunistically taking advantage of flaws in Microsoft products. But I think it's really hard to stop that in the moment. You've got to stop it beforehand. So maybe it's to disrupt other programs that they've got that might feed into that opportunistic action. But I think once it's done, it's too late. It's done and dusted.
Amberly Jack
Yeah, fair enough. And moving on quickly to the second thing that you've brought up in the newsletter today, which is this Clorox, the bleach company, has filed a lawsuit against Cognizant, who they contracted for some help desk services. And as you say in the newsletter, it kind of highlights the perils, I guess, of outsourcing things as simple as a help desk. So tell me a bit more about that, Tom.
Tom Uren
Yeah, so the story is that the lawsuit has some really quite stunning allegations in it. And it's got parts of conversations where a hacker says, I've forgotten my password. And the help desk immediately says, oh, let me give it to you. And then they'll say, oh, I don't have my multi-factor authentication. And the help desk will say, oh, let me reset that for you.
Amberly Jack
Definitely go and read this newsletter. Because when I was reading it this morning and I saw those screen grabs of some of those conversations, my first thought was, this is a joke. But no, it actually is. I've lost my password. Okay, here it is.
Tom Uren
Yeah, that's right. Now those conversations, like, they're partial, so we don't know the whole story. There's a lot of context that we don't have. So I'm withholding judgment, but that was certainly sensational. One of the things it reminded me of is that quite a while ago, Coveware, which is a ransomware incident response firm, said that it had dealt with incidents, several incidents, where the outsourced IT support was part of the problem, in that their incentives, which were based on things like resolving tickets quickly, actually kind of cut against good security. So, for example, good security might be if someone rings you up, you hang up the call, and you ring back that person on a phone number that is in the internal directory, and you get that person to then send you a selfie with maybe an ID, government ID, photo ID with it. And that is not quick. That's a bit painful. And so if the clauses in the contract are, you know, we'll give you more money if you resolve things quickly, I think you can see how the incentives might be, well, we'll just skimp a little bit on security because we'll end up with more money because we kick over tickets quickly, we resolve things quickly. So I think it's interesting that it highlights there's a difference in incentives between the client company and the service provider. They're not perfectly aligned. And the lawsuit, that was the sensational part. There's other parts where it says that we, Clorox, were under the pump, yet Cognizant, the service provider, didn't respond as quickly as we'd like. And despite having worked with them for 10 years, they didn't have the expertise we thought that they should have. Now Cognizant has responded and said, look, you just wanted help desk support. We did that. It's not our problem if you're incompetent at cybersecurity. So I think that it points out to some degree that you can outsource some IT help desk services, but you can't really outsource the risk.
And to some degree you lose a bit of control over exactly what goes on. So there was talk of an email back and forth about, have you followed these policies? Yes, we followed those policies. But when it's a separate company that's doing it, as a Clorox IT security person, like, how do you really know? I guess that's the broader point there. Yeah, yeah.
Amberly Jack
And I think it's worth pointing out as well, which you did in your newsletter, is that none of these allegations in this back and forth has been tested in court yet. So, you know, we obviously don't know the full story, but interesting read nonetheless. And just also on this outsourcing of services, very quickly, your final piece here is Microsoft contracting engineers in China to work on Department of Defense cloud systems, and it just kind of served as another neon flashing light example of this may not be the best idea.
Tom Uren
Yeah, well, it's different in that I don't think the US government has any choice. Like, the US government is not going to create its own cloud services. So the story is that about a decade ago, AWS, Microsoft, Google, they were all competing to try and get U.S. government business, and Microsoft ended up winning. And the reporting from ProPublica says that one of the key things, one of the key ways that Microsoft was able to cut costs, was by outsourcing a lot of the maintenance support to China. So this is 10 years ago, things are a bit different. It's still a terrible idea. Now the way they justified it to themselves was, we'll have digital escorts and they'll oversee everything that's going on. ProPublica reports that these people are paid just a little bit above minimum wage. Sometimes they don't have technical skills. And so it's, I guess it's like whitewashing the appearance of security, or trying to give the appearance that you've got a compensating control. Now I think that if you give an adversary hands on keyboards, which they didn't exactly have, there is no compensating control. Like, that's just a terrible idea. Yeah, but, and again, this highlights that the incentives for the service provider and the company, the client, are just different. Now, I don't think the US government really has any choice. It's got to find a contractor. But the other thing that struck me is that no one in the Department of Defense seemed to know about this program, about the idea of digital escorts. So it's just like a stunning piece of reporting. And in the immediate aftermath after the news broke, firstly Microsoft said no more China-based engineers. They won't be working on US federal government systems. So it wasn't just the Department of Defense, it's also the broader government cloud. So Justice, Treasury, Commerce were all using that cloud. So Microsoft said no China-based engineers.
And also Pete Hegseth, the Secretary of Defense, came out in a video and said there will be no more China-based engineers. And it struck me that it's kind of weird that they're talking about China-based engineers, because that leaves scope for India-based engineers, Vietnam-based engineers, Poland-based engineers. And so I'm convinced that that's what's going on. It's such a big problem that they can't eliminate foreign engineers altogether. They've just eliminated the most problematic ones in the short term.
Amberly Jack
Just one at a time. We'll see what happens in a couple of years when the next story comes out.
Tom Uren
Yep.
Amberly Jack
Oh, thanks, Tom. We'll leave it there. An interesting conversation as always. You're heading away next week, so we will see you in a couple of weeks. But yeah, thanks so much.
Tom Uren
Thanks, Amberly.
Risky Bulletin: Srsly Risky Biz – The West's Tepid China Deterrence is Not Working
Episode Release Date: July 31, 2025
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor at Risky Business
In this episode of Risky Bulletin, host Amberly Jack talks with Tom Uren about pressing cybersecurity policy issues, focusing on the West's ineffective deterrence against Chinese cyber activities. The discussion covers the recent exploitation of Microsoft SharePoint vulnerabilities, the risks of outsourcing IT services, and Microsoft's controversial use of China-based engineers to support Department of Defense (DoD) cloud systems. Below is a summary of the key points, insights, and notable quotes from the conversation.
Timestamp: [00:45]
Tom Uren draws parallels between the recent exploitation of Microsoft SharePoint vulnerabilities and the mass exploitation of Microsoft Exchange servers in 2021. In both cases a researcher discovered the vulnerabilities and reported them to Microsoft, but in the days before the patch was publicly released, exploitation began slowly and then escalated until it was widespread and out of control.
Tom Uren [01:01]:
"It's a step-by-step exact repeat... if you've got SharePoint on the Internet and it hasn't been patched, it's been compromised."
Timestamp: [04:41]
Tom Uren criticizes the Western response to repeated cyber-attacks by Chinese actors, emphasizing that previous condemnations have failed to deter further malicious activities.
Tom Uren [04:41]:
"Those condemnations did not work. They did not deter Chinese actors from doing essentially exactly the same thing again."
Timestamp: [04:49]
The discussion shifts to potential strategies for the U.S. to counteract Chinese cyber threats. Tom Uren mentions the Trump administration's inclination towards offensive cyber operations as a form of deterrence.
Tom Uren [04:49]:
"Trump would say, I don't like Chinese hacking. I'm going to impose tariffs. And that seems like that tool in the toolkit has been used."
Timestamp: [09:16]
Tom Uren discusses a lawsuit filed by Clorox against Cognizant, its outsourced help desk provider, highlighting that an organization can outsource IT help desk services but cannot outsource the risk, and that a provider's incentives (such as resolving tickets quickly) can cut against good security practice.
Tom Uren [09:45]:
"Good security might be if someone rings you up... get that person to then send you a selfie with maybe an id... and that is not quick. That's a bit painful."
Timestamp: [13:32]
The conversation turns to a ProPublica report revealing that Microsoft outsourced much of the maintenance support for DoD cloud systems to China-based engineers, overseen by low-paid "digital escorts" who sometimes lacked technical skills, a practice that raised significant security concerns.
Tom Uren [16:34]:
"It's such a big problem that they can't eliminate foreign engineers altogether. They've just eliminated the most problematic ones in the short term."
In this episode of Risky Bulletin, Amberly Jack and Tom Uren critically examine ongoing challenges in cybersecurity policy, particularly the ineffective deterrence of Chinese cyber activities. The discussion argues for more strategic responses, such as offensive operations directed at ongoing campaigns like Salt Typhoon and Volt Typhoon rather than at individual incidents, and for closer oversight of outsourced IT services. The episode also highlights the risks introduced by global outsourcing practices, as illustrated by Microsoft's use of China-based engineers for DoD cloud systems, and the misaligned incentives between service providers and their clients.
For more in-depth analysis and updates on cybersecurity policies and intelligence, subscribe to the Seriously Risky Biz newsletter available on the Risky Biz website.