A
Hey, everyone, and welcome to Seriously Risky Biz. This is the podcast that we do here at Risky Business, all about cyber security policy and intelligence. My name is Amberly Jack, and in just a moment, I'll bring in our policy and intelligence editor, Tom Uren, to talk all about the Seriously Risky Business newsletter from this week. And you can, of course, read that and subscribe to it over at our website, Risky Biz. First, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And we do have a corporate sponsor this week, which is Airlock Digital, so big thanks to them for that. G'day, Tom.
B
G'day, Amberly. How are you?
A
I'm good, thanks. Now, Tom, you've kicked off this week's newsletter with some good news, although it does appear that not everyone thinks so. A report from the Atlantic Council has shown that US investors in spyware have sort of skyrocketed in 2024 and basically leapfrogged above every other country. The Atlantic Council say this is a bad thing. But you don't agree, Tom?
B
Yeah. Yeah. So the background to this report is the Atlantic Council did a report about a year ago where it took a deep dive into the whole global spyware-for-sale business, spyware as a service. And Patrick and I spoke about it at the time. It found it was a very concentrated industry. There was Israel, India and, interestingly, Italy, which had a lot of spyware vendors. Now, a year later, they've done an update, basically covering all of what happened last year. And the really striking finding is that the number of US investors into these vendors has skyrocketed. So the original report found just 12 US-based investors in spyware, and now the number is 31. So that's numerically; they don't talk about the number of dollars. But I think that's significant, and I think it's really interesting to think about what's going on there. But their basic premise is that this is bad: money funneling into the spyware industry undermines US government efforts to clamp down on abusive spyware. So, as an aside, I define abusive spyware as stuff that is used to violate human rights, basically.
A
And I think it is worth pointing out as well that spyware isn't inherently bad. Like, not all spyware is abusive spyware.
B
Yeah, yeah. So it's interesting in this kind of field, there are people who appear to believe that all spyware is bad. My view is that you can use it for good purposes, like counter-terrorism or countering organized crime, serious crimes that are a problem. Those kinds of tools are useful for good law enforcement services, and these things do exist in some countries at least. And so the trick from a US government point of view is to discourage bad uses of spyware. And so they've done things like sanctions; they've named individuals and cancelled visas or given them visa restrictions; executive orders that investigate particular types of businesses and cut them off from the US market, that kind of thing. So especially in the last couple of years, the US government has done quite a lot of that. And industry groups have also named and shamed different spyware vendors who are using their products abusively or allow their products to be used abusively. So the report names a couple of examples which they cite as companies that have been involved in abuse. And one of them is, for example, Paragon. So that's interesting to me because I've written about Paragon a couple of times, and back in 2023, the Financial Times had this piece where they talked about Paragon. Basically, their entire strategy has been to stay on the good side of the government. So they went to the US government and sought a list of allied nations that the US wouldn't object to seeing deploy Paragon's product. So here's a vetted, I guess, customer list, a list of governments. And the Times says people with knowledge of the matter suggested 35 countries are on that list. Most were in the EU and some in Asia. Everything they did was with the strategy that, at the end of the day, the US should see them as the good guys. So I remember writing about them. I think they got Antony Blinken, a former Secretary of State, to help represent them with the US government. So this was like a serious effort.
So they actually got pinged in the last year because their product was being used to target journalists and activists. So WhatsApp came out and said, you know, this is bad. It turned out that some of those journalists and activists had been critical of the Italian Prime Minister Giorgia Meloni's government, and they cut ties with that government, because reportedly it breached the terms of the contract forbidding targeting of journalists or members of civil society. So to me, that actually looks like a company at least trying to behave responsibly. It sought out, like, you know, what's okay to do, tried to find the limits of what was acceptable, find the limits and not push the limits. When it learned that a customer was abusing its product, it cut ties with them.
A
Yeah, I was going to say that kind of sounds like an example of a company trying not to be abusive spyware. So it seems like a sort of strange example to cite.
B
Yeah, yeah. So maybe that is what success looks like now. The author's view was that investment undercuts the US government's efforts. I think it's actually the other way around. So from the perspective of a US investor, I know that if the company behaves well, there's the possibility of US government contracts. Those are lucrative. That's good money. And if it behaves badly, there's the possibility of US government sanctions. Like, that's really bad. I don't want that. So I'm giving you money and I'm just going to turn a blind eye and not care? No, that's not the way it works. You give them money because you think you can perhaps give them some insight into what's acceptable, or you can shape their behavior so that they're worth more money than they were before. And I think just giving them money and saying, go do whatever you like, you may as well just take a match and light your cash on fire. So I think it's really interesting to think about why there are so many US investors over the last year. And I actually think it's because there's been, at least in the Biden administration, a concerted focus on abusive spyware. And so some of those companies have been targeted by the US government. They're not doing well. I think investors would actually say, here's an opportunity for us to turn that around and make some money if we take their assets, put them on the straight and narrow, and put them on a different path. And so my view is that perhaps this is actually a good news story, that the influx is because of US government action, and it will actually shape the industry to be more responsible.
A
Yeah, yeah, for sure. I mean, it doesn't seem like a great business plan to be throwing money into an industry that is just a wild west. So, yeah, that makes complete sense: since there's been this kind of attempt to clamp down, it seems like a great opportunity to start investing.
B
Yeah. So one of the other examples the report talks about is Candiru, and the example is the US investor put money in, and they basically shifted the people into a different entity that's not controlled, that's not subject to sanctions. So it's kind of a bit of a shell game. In isolation that looks bad, but I think the trick is, for it to pay off, they've got to get that new entity to behave responsibly. Otherwise it's just in the same situation that Candiru was in: it's being pummeled by the US government, it's not going to have a great business. The idea is to get a cheap asset and then turn it into something valuable because it's got a good reputation. Maybe I'm optimistic, maybe I'm not cynical enough, but that's what I think is going on with the influx of US investment. They're trying to take tarnished assets and get them back on the straight and narrow.
A
Yeah, for sure. Now that makes sense. And sticking with the US, Tom, a deal has... has it been announced? A mention of a deal has maybe been announced. TikTok, tell me about it.
B
"Framework deal" is the wording that the people involved have used. Another way to think of it might be an in-principle deal, where they've got the rough parameters of what's going to go on. And the idea is that TikTok's existence has been risky in the States because a law was passed saying that they must sell to US interests or basically they'll get shut down. So President Trump has been, I guess, kind of subverting the law by just not doing anything about it and extending the deadline, despite there being no actual lawful basis for that. Anyway, the deal is that TikTok's US operations will be, I guess, carved off. Most of that new entity will be owned by US interests, I think just over 80%. There'll be minority Chinese stakeholders. There'll be a new app that will work just with TikTok US, and user data will be stored in Texas on Oracle servers. Most importantly, the Wall Street Journal reports that TikTok engineers will create content recommendation algorithms using technology licensed from ByteDance in China. So if that's what actually goes down, that leaves Chinese engineers with their hands on the levers of TikTok US.
A
Right. So that's kind of where, I mean, at face value, you could go, okay, majority owned by the US. But that is the point where we kind of come in and say, actually, this is a win for China. Which is what you've said in the newsletter.
B
Yeah, yeah. So there have been historically two major concerns about TikTok's presence in the US and its success in the US. One is the user data and being able to track users. To me, that was always, maybe not always, but I've come to think of that as a secondary concern because the US data ecosystem is just so loose. There are other things the Chinese could do to get the same data. I think that having, basically, a media platform where you've got control or influence over the algorithm is much more significant from a propaganda and influence campaign perspective, and from the perspective of shaping the public opinion of the US populace. I think that's really significant. And this deal doesn't seem to really do much to address that.
A
Right.
B
And so Scott Bessent talked about what Chinese negotiators wanted, and he said they are interested in the Chinese characteristics of the app, which they think are soft power. We don't care about Chinese characteristics, we care about national security. Now, that statement is very curious to me, because if I was to say social media with Chinese characteristics, I'd say social media where the Chinese government is in control, it censors things, and it's in control of the narratives that are promoted. So this is very strange to me, and it seems to point out that maybe they don't care about the soft power algorithm manipulation part of the app. I think that's actually really significant. And the Chinese government and the Communist Party, that's their modus operandi. They try and control public opinion, they try and shape what people think and see. And if you're leaving their hands on the levers of TikTok, I think that's just a terrible decision.
A
If you're in control here, Tom, what's your solution? Just next TikTok.
B
I think that there is the possibility of separating completely, but I think it has to be a complete separation. So, you know, maybe the final deal will have stronger protections than that. So the arrangement, my understanding is that from 2022, Oracle's been auditing TikTok's algorithm. It's totally unclear to me what that means or how effective it would be. Like, for example, hypothetically, maybe there's anti-tariff sentiment on TikTok US. Is that just the result of the way US people feel because tariffs are causing prices to go up and making buying products more difficult, or is that a Chinese propaganda influence campaign being carried out? I mean, how do you tell the difference? And, like, auditing those kinds of algorithms is notoriously hard. And if you leave TikTok engineers with their hands on the levers, then I think it's kind of naive to expect that they won't do anything, potentially. The risk remains, I guess, and there's no way I'd be happy with that risk unless there was total separation, like no TikTok people had their hands on the algorithm. Maybe that's where the deal will end up. It doesn't sound like it right now.
A
Yeah, for sure. And as you said, I mean, the risk is there. And as you said in the newsletter, the government is, as we can see right now, failing to sort of fully mitigate those risks. So I guess it's a matter of sort of wait and see where the deal ends up. But I did enjoy your line in the newsletter that this is a win-win. Yes, of course. It's a win for China and it's a win for TikTok.
B
Yeah, that's right. Not so much for US national security.
A
Not so much. No. No. All right, Tom. Hey, we may leave it there, but thank you so much for your time again, and we will see you same time next week.
B
Thanks, Amberly.
Podcast: Risky Bulletin — Srsly Risky Biz: US investment in spyware skyrockets
Date: September 18, 2025
Hosts: Amberly Jack & Tom Uren
This episode of "Seriously Risky Biz" looks at two major developments in cybersecurity policy:

US investment in spyware:
- Atlantic Council's Alarming Report
- Not All Spyware Is the Same
- Current US Government Efforts
- Case Study: Paragon
- Investor Influence: Reputational Upside
- Candiru as a Complex Example

The TikTok deal:
- Current Status: "Framework Deal" Announced
- Is This Sufficient Protection?
- Algorithm Control: The Real Issue
- Possible Solutions?
Conclusion
This episode unpacks the nuances in the ongoing fight to regulate digital risks, from spyware industry investment to safeguarding US public discourse online. The hosts challenge black-and-white narratives, instead arguing that the surge in US investment in spyware could drive positive reform, while warning that the TikTok deal might leave the US open to foreign influence despite appearances. If you want the inside story behind the headlines in cyber policy, this episode is rich with sharp analysis and insight.