Adam Boileau (4:59)

That seems like, at least at that point, right? Like how, how bad could it really be?

Tom Uren (5:07)

And especially when you can say to people on the inside, you look after me and there's a million bucks for you afterwards.

Adam Boileau (5:14)

Yeah.

Tom Uren (5:16)

So the report also talks about how the compounds generate so much money that it's a sort of money laundering network or ecosystem has developed around it. And there's also like a criminal services marketplace that has developed around these compounds. And so the money laundering, they're now working with Mexican cartels. So it feels like the whole China manufacturing hollowing out the rest of the world, where the Chinese money laundering networks will do it for cheaper and better than the cartels, probably Western based financial money laundering networks. So they charge less and they use all these different techniques that are a variety of techniques that are harder to track and harder to disrupt.

Adam Boileau (6:07)

I mean, I guess it makes a lot of sense, right, that they had to build those capabilities to support their own use case. And then now once you've built your, you know, the capability to launder on the scale of tens of billions of dollars. Why wouldn't you then go and sell that as a service elsewhere? Because I mean the more money that's going through the better for the laundering as a whole. Plus you've got that kind of expertise and scale that yeah, as you say, like small time Western money launderers just can't match, know the power of, you know, Asian mechanization.

Tom Uren (6:38)

Yeah, yeah, yeah. So the report says that the, these money laundering organizations or these crime syndicates are the market leaders in cyber enabled fraud, money laundering and underground banking globally. And from an Australian point of view, part of the report that was very interesting to me is that these syndicates are pushing out into the Pacific Islands. And so you can imagine that if you turn up in the Pacific Islands they apparently purport to be just legitimate investors and they set up things like casinos and tourism investment ventures and you turn up with a whole bucket of cash like that's going to buy you some access for sure. And so I find this very, very concerning because they're not spending huge amounts of money for good purposes. Like I think it's, it's the sort of money that is very corrupting.

Adam Boileau (7:34)

It's kind of like the Belt and road but, but for crime I guess is what I'm, what I'm getting.

Tom Uren (7:40)

Yeah, yeah, that's right.

Adam Boileau (7:41)

Yeah, go build ports and build, you know, infrastructure for developing countries to gain access. The same kind of thing is it, go build crime infrastructure in you know, Vanuatu or wherever else and you know, then you can establish yourself relatively cheaply in the scale of your, you know, of your industry and, and then use that as a base of operations and you know, corrupt local institutions and all of those sorts of things which, you know. Yeah, certainly for us in the Pacific, you know, it's kind of concerning because, you know, I mean, you know, I know New Zealand sees itself as, you know, a good partner for lots of small Pacific nations. You know, we have dependencies in like the Cook Islands for example, where Chinese interests have showed up and been, you know, kind of buying their way in. And you know, we're not really equipped as a country to compete with multibillion dollar Chinese cybercrime or Southeast Asian cybercrime syndicate.

Tom Uren (8:31)

So yeah, yeah, it's not just the Pacific Islands. The report also mentions Africa, South America and also Georgia, the state, the ex Russian, ex Soviet state, not the US state. But it's really a challenge that requires concerted action. So that's what the report's calling for some of those countries that are mentioned. I think something like capacity building help, like how do you identify and deal with that kind of corrupt money? I think that's like a serious problem. And that kind of cohesive response really needs to be something that happens. And the threat is evolving so rapidly that I think the policymakers aren't really aware that it's shifting as well. So I mean, I hadn't really heard about this until just two years ago. Like the whole, I mean, I knew of the pig butchering scams, but I didn't realize how, just how huge it was. And so there's very much a sense that governments are kind of playing catch up. So it'd be nice if they recognize this is a problem and started to do something.

Adam Boileau (9:46)

Now the other thing you wrote about this week, which maybe is also depressing is we've talked a bit about the state of things at cisa, losing a number of staff and sort of the changing role of CISA in the US Government. But you've got a story this week about the fate of the Secure by Design initiative.

Tom Uren (10:06)

Yeah. So Eric Geller, who's a cyber security reporter, wrote for Cybersecurity Dive that two of the key individuals have left CISA behind that program. So one of them is Bob Lord and the other one's Lauren Zaburik. Apologies if I've got that wrong. So probably no surprise Bob Lord was the involved with the Democratic National Convention. He was their security officer. So probably no surprise that he's leaving, I guess. Now apparently both of them were instrumental in setting up and running the program. And Geller reports that Lord was one of the key individuals. So there's the fact that two key individuals in the program have left. There's also that the plan is reportedly to basically cut CISA's staff in half. Not, not literally, but the numbers of staff. So it's hard to see how that program will get a lot of love because it's, I think it's a very worthwhile program, but it's not going to change things overnight. It's a long term, it's a strategic program basically. And the idea is that you're trying to encourage vendors to embrace security practices that make their products better. Now that's, I think, a long term project. I would describe it as a carrot. And so you're trying to encourage vendors to do this. And the practical thing they've, things they've done is they've said here's, you know, a roadmap for how you make more secure software, do these things. And they've also got a complimentary guide which is, if you're buying software, here's how you would see if the vendor is doing the good stuff. So it's trying to shape the market now. If you're trying to create change, I think you need a mix of carrots and sticks. It seems like the Trump administration is explicitly against regulation, so there's probably not going to be many sticks, which I think makes the carrots more important. So given all that, it seems that there is a space, I think, for other international cyber security authorities to step up because they've been involved in this process. The purchasing guide was actually published on the acsc, the Australian Cybersecurity Authority's website, and it's got joint authors from all amongst the five eyes and I think South Korea as well. So there's a lot of agencies who've been willing to co author things and sign up to things. So I think it would make sense if some of those stood up if sys ability to support this program is reduced, which seems likely.

Adam Boileau (13:07)

Yeah, like it is a real important program and so many, you know, so many bits of the industry have not. I'm thinking most, you know, security appliances in particular have been, you know, the thing that's been causing us a lot of grief lately. That's not a thing that the free market has guided vendors towards producing robust software. And so a little bit of intervention in that market, both in terms of education of buyers and some carrots and guidance and stuff to make it easier for vendors to do the right thing. It's just super important. And yeah, I think, I mean, I hope that you're right that there is enough interest in leadership elsewhere to kind of pick up the pieces of this work. But you know, when so many of the technology companies were also American, like, it really made sense that there was a thing that, you know, US Gov was leading, you know, comes with all that kind of respect and also buyer's influence, the way the federal government purchases these things. You know, we've seen influence, cloud services and all sorts of things. So yeah, I certainly hope you're right because there are many, many great bits of work done by CISA and other branches USGov that we hopefully will see other people pick up. I mean, Australia, I think has definitely done a lot of great work with the Essential eight and top four and so on and so forth.

Tom Uren (14:26)

So Bob Lord told Cyber Security Dive that he would continue working on the initiative, like in a private or capacity or wherever he ends up perhaps. So there's some commitment from people involved to keep going. I hope that CISA can keep it up. I'm not sure just based on the size of the expected size of the organization and just that it is a strategic program. If you've got fires to put out, and they will have fires to put out, there's always fires to put out. So just looking at it sort of practically as a manager's point of view, if you've got a lot less people and you've got this important but strategic program, I think it's very easy for it to sit on the back burner. It kind of has to sit on the back burner in that situation.

Adam Boileau (15:18)

Yeah. Certainly much respect to all the people at CISA who've worked so hard on these things. That's. I think that's about us for today, Tom. If people want to head on over to our rescue biz or our website and have a look at Tom's newsletter, there's a bunch of other good stuff. He always has three things that might bring you a little bit of, you know, a little smile, which in this industry you're really going to need. So, yeah, head on over. Subscribe to the newsletter. Check out that and all of our other fine content as we have quite a lot these days. So thanks very much, Tom. You'll be back with Pat next week. But, yeah, thank you. Thank you for your time and for your work.

Tom Uren (15:56)

Thanks, Adam.