Risky Bulletin: US Investment in Spyware Skyrockets

Podcast: Risky Bulletin — Srsly Risky Biz: US investment in spyware skyrockets
Date: September 18, 2025
Hosts: Amberly Jack & Tom Uren

Episode Overview

This episode of "Seriously Risky Biz" looks at two major developments in cybersecurity policy:

• The sharp rise in US investment in commercial spyware vendors, as reported by the Atlantic Council—and whether this is a threat or an opportunity for regulating the industry.
• The tentative resolution (“framework deal”) of the TikTok-US ownership saga, with a focus on whether the deal addresses—or sidesteps—key national security risks.

1. US Interest in Spyware: Threat or Opportunity?

Atlantic Council’s Alarming Report

• The Atlantic Council updated their study on the commercial spyware market, noting that the number of US investors in the industry has jumped from 12 to 31 in just one year.
• The report characterizes this surge in US investment as a negative trend, suggesting financial support is “bad money” that could undermine US efforts to suppress abusive spyware operations (00:44-01:18).

Not All Spyware Is the Same

• Amberly Jack: “Spyware isn't inherently bad. Not all spyware is abusive spyware.” ([02:32])
• Tom Uren: Distinguishes between spyware used for legitimate purposes (counter-terrorism, organized crime) and “abusive spyware” (that violates human rights).

Current US Government Efforts

• Strategies include sanctions, visa restrictions, executive orders, and naming and shaming bad actors.
• Tom describes industry evolution: “In the last couple of years, the US Government has done quite a lot… naming, shaming, sanctions, executive orders.” ([02:40-03:20])

Case Study: Paragon

• An example cited by the Atlantic Council as problematic is Paragon. However, Tom disagrees:
  • Paragon sought to proactively avoid US government disapproval by vetting customers, limiting sales to a US-approved list.
  • When informed their product was used to target journalists in violation of their contract, Paragon “cut ties with that government” ([04:24-05:50]).
  • Tom Uren: “To me, that actually looks like a company at least trying to behave responsibly… Everything they did was with the strategy that… the US should see them as the good guys.” ([05:29])

Investor Influence: Reputational Upside

• Tom argues US investment can incentivize good behavior:
  • “If the company behaves well, there’s the possibility of US government contracts… If it behaves badly, there’s the possibility of US government sanctions. That’s really bad. You give them money because you think you can… shape their behavior so that they’re worth more money.” ([06:18-07:13])
  • He suggests the influx of US investment is likely investors seeing an opportunity to rehabilitate tainted companies and benefit from a cleaner reputation.
  • Tom Uren: “Perhaps this is actually a good news story, that the influx is because of US Government action and it will actually shape the industry to be more responsible.” ([07:52])

Candiru as a Complex Example

• In the Candiru situation, US investment led to moving personnel to a new entity to evade sanctions—a potential shell game.
  • Tom believes the key is whether the new entity acts responsibly, otherwise “it’s just in the same situation.” ([08:23])
  • The underlying theory: investors want to acquire cheap, tarnished assets and polish them for future gain.

2. The TikTok-US Deal: A Win for China?

Current Status: “Framework Deal” Announced

• TikTok must sell its US operations to domestic interests or face a ban.
• The deal:
  • A new, majority US-owned company (over 80% US), with minor Chinese stakeholders
  • US user data stored in Texas (Oracle servers)
  • The app’s core content recommendation algorithm still built using technology licensed from ByteDance in China—meaning engineers in China retain influence ([09:40-11:14])

Is This Sufficient Protection?

• Amberly Jack: “On face value, you could go, okay, majority owned by US. But that's the point where we kind of come in and say, actually this is a win for China.” ([11:14])
• Tom Uren: “There have been two major concerns… user data and… content recommendation algorithm. The latter is much more significant from a propaganda and influence campaign [perspective]... this deal doesn't seem to really do much to address that.” ([11:28])
  • He adds: the Chinese government’s priority is influence (“soft power”) over personal data.

Algorithm Control: The Real Issue

• Tom quotes Chinese negotiators: They care about “Chinese characteristics” (i.e., control over app content), while US negotiators focus on “national security.”
  • Tom Uren: “If I was to say social media with Chinese characteristics, I'd say social media where the Chinese government is in control, it censors things and it's in control of the narratives that are promoted… If you're leaving their hands on the levers of TikTok, I think that's just a terrible decision.” ([12:20-13:27])

Possible Solutions?

• Tom advocates for total separation:
  • “I think it has to be a complete separation… Maybe the final deal will have stronger protections… If you leave TikTok engineers with their hands on the levers, then I think it's kind of naive to expect that they won't do anything.” ([13:40-14:24])
  • He notes algorithm auditing is “notoriously hard” and current compliance mechanisms are unclear.

Conclusion

• Amberly Jack: “As you said in the newsletter, the government is, as we can see right now, failing to sort of fully mitigate those risks. So I guess it's a matter of sort of wait and see where the deal ends up. But I did enjoy your line in the newsletter that this is a win—yes, of course, it's a win for China and it's a win for TikTok.” ([15:05])
• Tom Uren: “Yeah, that’s right. Not so much for US national security.” ([15:30])

Notable Quotes & Memorable Moments

• On Responsible Investment:
  • Tom Uren (07:00):
    “Giving them money and saying go do whatever you like… you may as well just take a match and light your cash on fire. I think [investors] are trying to take tarnished assets and get them back on the straight and narrow.”
• On TikTok’s Algorithm Risk:
  • Tom Uren (13:20):
    “If you're leaving their hands on the levers of TikTok, I think that's just a terrible decision.”
• On the Outcome of the TikTok Deal:
  • Amberly Jack (15:10):
    “Yes, of course, it's a win for China and it's a win for TikTok.”
  • Tom Uren (15:30):
    “Not so much for US national security.”

Key Timestamps

• [00:44] – Discussion of the Atlantic Council spyware investment report
• [05:10] – Paragon’s approach as a “responsible” spyware vendor
• [08:23] – Candiru and the shell game of evading sanctions
• [09:40] – TikTok “framework deal” details
• [11:28] – Real risk: algorithm control and influence
• [13:40] – Prospects for truly mitigating algorithmic manipulation
• [15:10] – Summary: wins and losses in the TikTok deal

Tone & Language

• The discussion is clear, analytical, and slightly skeptical, with both hosts balancing caution with optimism about potential for positive change via investment and regulation.
• The tone is conversational, occasionally wry—Tom is critical but not sensationalist, urging nuanced assessment rather than blanket condemnation.

Summary

This episode unpacks the nuances in the ongoing fight to regulate digital risks—from spyware industry investment to safeguarding US public discourse online. The hosts challenge black-and-white narratives, instead arguing the surge in US investment in spyware could drive positive reform, while warning the TikTok deal might leave the US open to foreign influence despite appearances. If you want the inside story behind the headlines in cyber policy, this episode is rich with sharp analysis and insight.