Patrick Gray
Foreign and welcome to another edition of Seriously Risky Business, the podcast we do here at Risky Biz HQ, which is all about cyber policy and intelligence and very important things. My name is Patrick Gray. We'll be chatting with Tom Uren, who is our policy and intelligence editor, in just a moment about the newsletter that he has written this week. That is the Seriously Risky Business newsletter that you can find at Risky Biz. And yeah, we're going to cover off a couple of things. We're going to look at why Iran is not really doing cyber Pearl Harbor-y sort of stuff to the United States, even though it probably really wants to. We're also going to look at how the FBI's OPSEC wound up getting a bunch of witnesses killed in Mexico. And yeah, just the general culture around OPSEC there doesn't seem too great. But before we get into that, I would just like to thank the William and Flora Hewlett Foundation for supporting Tom's work with us. And also Lawfare, who syndicate Tom's newsletter and publish it on the Lawfare Media blog. And we also have a sponsor this week which is Sandfly Security, which make a really interesting Linux security platform. Basically it goes and logs into all of your Linux devices, pulls telemetry, drops a couple of Go binaries to collect stuff, and then it logs out and sort of disappears. And it's just a really nice agentless way to keep an eye on Linux devices in your environment. Whether you're operating a global CDN that runs a lot of Linux or you've just got a bunch of appliances that are based on Linux, whatever, it's really interesting stuff. Sandfly Security is the name of that company. So Tom, let's get into it now. And yeah, you've written about a couple of things. The first thing we're going to talk about, we did touch on this in yesterday's weekly show. But Iran is. Iran's a chicken. They're a cyber chicken.
We've seen all of these warnings coming out of the US government and various security companies saying, oh, you know, Iran is going to cyber Pearl Harbor us. I mean, your analysis lines up very closely with mine, which is I don't see it happening now that there are bombs being dropped.
Tom Uren
Yeah, I think the basic dynamic is that the reason you see cyber destructive operations outside of wartime is that they're annoying and it's hard to deter and stop them because there's this threshold that you have to get over. So if you want to respond in a really robust way, you've got to decide that you're going to do something very, very serious, something like military action, and if the disruption was big enough, you would do that. So if a cyber operation caused lots and lots of deaths, you would respond with something very, very serious. But that's typically not what we see in peacetime. And it's kind of like just paper cuts. And the reason that they're used is because they don't attract that kind of blowback. And so, for example, like, Iran actually has a history of these kinds of annoying operations. Back in 2023, they disrupted some water supplies. They hacked Israeli programmable logic controllers. And at the time, some of the people who ran those water utilities said, look, this is really, really annoying. We've got to get up in the middle of the night and switch on and off pumps.
Patrick Gray
Yeah. Which isn't like having your dam bombed.
Tom Uren
No, that's right. Yeah, yeah, yeah. And so. But as soon as you flip that switch and it's wartime, the threat of a military response is very, very much on the cards. And so to carry out that kind of destructive or disruptive attack on critical infrastructure, you've got to be really, really sure that you're. It's worth it. Like, is the risk worth the reward? And can Iran inflict on the US some sort of really damaging cyber attack that will basically win the war or gain it more than it would lose? And I would say, yeah, the chances of that happening are absolutely zero. So there's.
Patrick Gray
That's nil, right? Yeah, chances are nil.
Tom Uren
So there's no accounting for crazy, of course. So we can't rule it out. And I think it is, like, it's a good idea to send out these warnings because it could happen, and it's. It's an opportunity to try and motivate people to improve their security. But in a rational world, they're just never going to happen. Now, like, the caveat is the world is not always rational. But what.
Patrick Gray
But I mean, just a second. Like. Like, I think Iran, when dealing with Trump, has tended to act in a pretty cautious manner. Right. So when Qasem Soleimani was assassinated, what was their response? They threw a few missiles at some US bases. They said they were going to do it. Before they did it, they did it. And then they said, this concludes our response. Like, I remember it at the time, they were very. They did not want to escalate, and I don't think they will here. Now, of course, you know, we could be wrong. Maybe it's this time it's different, but it just doesn't, as you say it, like, what would be the point? You know, you've got. You've even got a Trump tweet in here or a Trump truth, a Truth Social truth from Trump in here, all caps, which says, any retaliation by Iran against the United States of America will be met with force far greater than what was witnessed tonight. And that's Trump's line. And I think the Iranians are taking that seriously.
Tom Uren
Yeah, yeah. So I think it's super interesting that a hacker persona who is tied to the IRGC, so it seems like the Iranian revolution, is it the Islamic Revolutionary Guard Corps, which is an Iranian state militia, basically controlled that persona. And that persona has reappeared. They leaked emails in the recent presidential election, and it's reappeared and said, we're going to leak more emails. So this is basically the state body saying, you know, our cyber response is going to be to leak more emails. Now, you can imagine a situation where if the regime felt that it was an existential threat and that a cyber incident or attack would help, that would be the time I think that you could see it. But I don't think that they feel that they're in that situation yet. They feel like we need to do something symbolic that allows us to save a little face and say that we're striking back. But nothing that will.
Patrick Gray
Nothing. Sorry. Like, it's funny, right? Because my read on this is exactly like yours, exactly the same. Which is like, well, we can't go and hack any sort of control systems in the United States because that will escalate and things could go really wrong. But we've got all these old emails that we didn't leak, all of them from last year. Let's bring back that persona and say, yes, we're going to do some hack and leak. Because I can't see how a bunch of leaked emails leads to an airstrike, whereas I can see how you hack a water treatment plant somewhere that could lead to an airstrike.
Tom Uren
Yeah. I think there's a dynamic where when you're in a war, any sort of attack on critical infrastructure, like, it makes sense to have a robust response, even if it's a mediocre attack or if it's just annoying. I think you would.
Patrick Gray
Well, you want to stop them before they figure out how to make them more damaging, right?
Tom Uren
Yeah. Yeah. You want to send a strong message now, before war, when it's just annoying, you go, oh, well, okay, we'll sanction you. Whatever. It's just annoying. There's bigger problems we have to deal with. So, yeah, I think that it all makes sense to me that you get these warnings.
Patrick Gray
But of course, now that we have, you and I have both predicted in our podcasts that nothing's going to happen. This is a dangerous. Being in the predictions business is dangerous, especially when you're dealing with.
Tom Uren
Yeah, entirely throughout writing the piece I was like, oh, I don't like making predictions. This is not a prediction, this is an explanation of what's going on.
Patrick Gray
Yeah, yeah, that's right. We've got to find some get out of jail free card that is woven into the, you know, you've got to weave that into the, into the text. Now the other thing that you've covered, again we touched on this briefly in yesterday's weekly show with Adam, is this report from the Office of the Inspector General at the Department of Justice which found that the FBI is really not dealing with the idea that it itself can be surveilled by criminals. These days there's been this massive democratisation of digital surveillance. Everything from buying location data from, from data brokers to, you know, using Stingrays. They bought it on Alibaba or whatever, but you know, and they've got some examples there. Like in 2018, apparently this Sinaloa cartel was able to follow around various FBI personnel and track them and figure out who they were calling, and that led them to the identities of sources and witnesses that they subsequently murdered. And this report is pretty like, it's, it's, it's pretty damning. It looks at sort of the FBI's previous sort of Red Team assessment of what its gaps were around this sort of OPSEC. And you know, the gap analysis is a single page. It just, you know, and like the version we've got here, you've, you've put it in the newsletter. It's like completely redacted, but it's one page. It just looks completely half-assed. And really what you've done is write about how the FBI just doesn't seem to get it. Whereas the CIA, which is used to operating in places where it itself is being surveilled, seems to understand this a lot more, a lot better.
Tom Uren
Yeah, yeah. I found this report quite fascinating when you dive into the dynamics behind it. So yeah, like you said, the CIA, it's in its culture to operate in hostile environments, like counter-surveillance is a thing that it's always aware of, and it realizes that what they call universal, ubiquitous technical surveillance is here, UTS is here, and they're really struggling with it. Whereas the FBI, they have Director Wray, the former FBI director, called it a tier one enterprise threat. And they form this red team. And like you say, the red team, when it produced that gap analysis, was just. It's not even a full page. It's like very large font as well.
Patrick Gray
Yeah. Crank that up to 14, guys. We got to fill the page.
Tom Uren
Like, big margins, big text, not very much content. And then they based their mitigation plan on this gap analysis. So it's like you sort of do a very, very high level and general job, then you base a mitigation plan and basically this report, which is a Department of Justice Inspector General audit report, and it basically says you're doing a terrible job and the way you're doing it is not likely to actually achieve the result you want. And also that mitigation plan was kind of a one and done plan. It's like, we'll do these few things all short term, and then job solved, problem solved, we're good.
Patrick Gray
Yeah.
Tom Uren
And I think that does come down to the FBI mostly. It operates domestically where it is top dog. Like they have the authorities to go and knock on doors and seize assets and seize devices and arrest people. Like, they're not operating in an environment where they've had to worry about, I guess, counter surveillance. And so it's not in their DNA. They don't think about it all the time. And to be fair, most of the time, for most of the cases that the FBI is dealing with, it probably isn't a problem. But I think it's when you reach the more capable groups, Chinese espionage communities.
Patrick Gray
Well, I mean, one thing I was just thinking about is, you know, this gap analysis was produced in 2023. Right. And it was last year when Salt Typhoon was found to be all up in their comms. That's when the FBI is like telling its own people, hey, maybe you should use Signal when you're communicating with these sources who are of interest to the Chinese. And you know, if they're issuing that sort of advice in 2024, obviously some lessons were not learned.
Tom Uren
Yeah.
Patrick Gray
You know, so.
Tom Uren
Yeah, yeah. I don't mention Salt Typhoon in the article, but that very much is a concern where you, you're not operating in. On home turf, where it's safe. Home turf. It's contested. Home turf now.
Patrick Gray
Yeah, Home turf is contested now. Right. Yeah, that, that's the, that's the lesson. And you know, like, we're bringing in Salt Typhoon, which is a nation state actor, as we, you know, as the, as the, as the phrase goes. But I guess the lesson Here is that if you've got cartels or serious organised crime who have got FBI problems these days, they can actually spin up something approaching useful surveillance against law enforcement agencies. And, you know, through, through a variety of means. And yeah, the FBI hasn't quite adjusted to the idea that those. That type of data is accessible to their targets, to its targets.
Tom Uren
One of the examples I cite in the article is a group of finance researchers bought anonymous smartphone geolocation data and they identified devices that were linked to the Securities and Exchange Commission. And then they saw where they think.
Patrick Gray
The SEC, I remember this, and they could, they could basically predict who was about to be investigated.
Tom Uren
Yeah, that's right. And you just replace SEC with FBI and then all of a sudden you can see where FBI agents are traveling all across the country. And for, I think, the right investigative question, like if you're a cartel or organized crime or whatever, that would be tremendously valuable. And so that seems like an example that is entirely practical today, probably for the last several years at least. And it doesn't seem that the FBI was at all taking that risk seriously. So it, you know, they did things that sounded good, like we created a Red Team, we did a gap analysis, we came up with a plan based on that gap analysis. We were improving training. And if you look at all those things, that sounds like they're actually doing something. But when you look at the actual gap analysis and the report, the Inspector General's report also goes into the training. And the training was a mandatory 45 minutes every two years. Yeah, and it's like, that is, you know, it makes a small difference.
Patrick Gray
Yeah, but I mean, look, you know, you're speaking about the. I mean, you're someone who worked at an intelligence agency, and if the people you, your colleagues and yourself were going after, if all they had in their defense was 45 minutes of training every two years, you would think, oh, this is awesome, this is great. Right? Like, we can't lose.
Tom Uren
Yeah, yeah, that's right. I mean, now there was more training, but the. Basically the criticism was that it was starved of resources. So the, the audit report found that there's not enough people getting enough in depth training. And I think that, like, the FBI is actually in a better position than CIA in that there's a lot of unsophisticated actors it goes against where this is probably not a problem. So it can probably do half or three quarters even of its job without worrying about this. The problem is.
Patrick Gray
Well, I mean, if you look at the sort of OPSEC that the CIA and those human organizations that operate overseas, like, their OPSEC is crazy. It's expensive. It slows things down. Like the FBI can't do.
Tom Uren
No, that's right.
Patrick Gray
Entirely what the CIA does. But they might want to. They might want to get some notes. I don't know. Well, it seems, hey, CIA, give us your top five, you know.
Tom Uren
Yeah, yeah, it's, it's, it's like the most important and impactful actors for the FBI are the ones that you have to worry about. So it seems like if you're working on a particular task force, you need to take more measures. I don't know what those measures would be, but they should have like, a whole lot of policies and procedures about when you're, you know, going after, you know, the organized crime mobs. Here's what you should be doing. Here's how we should operate.
Patrick Gray
That seems to me actually having someone who cobbles together like, you know, just some knowledge about how they might be targeted and who by and, you know, it would just be good to know that.
Tom Uren
Yeah. Yeah. And like, in theory, the gap analysis plan should have told them that. It was just so high level.
Patrick Gray
I guess half asked is another way to put it. You know, you can say that. It's okay. Actually, actually say that. All right. All right. Anyone who wants to read more about this, they can find your newsletter at Risky Biz and subscribe to it, and I highly recommend they do because it is a superb newsletter. But, Tom, that'll wrap us up for today. Great to chat to you, my friend. And we'll. We'll do it again. I guess I'm off for a couple of weeks and then you're off for a little while. So I guess we're going to be chatting it in about a month.
Tom Uren
Looking forward to it, Patrick.
Podcast Summary: "Srsly Risky Biz: Why Iran is a Scaredy Cat Cyber Chicken"
Podcast Information:
In the July 3, 2025 episode of Risky Bulletin, host Patrick Gray engages in an insightful discussion with Tom Uren, the policy and intelligence editor at Risky Biz. The episode delves into two primary topics: Iran's restrained approach to cyber warfare against the United States and the FBI's troubling operational security (OPSEC) lapses that have led to the tragic deaths of witnesses in Mexico. Throughout the conversation, Gray and Uren dissect the motivations behind Iran's cyber strategies and critically examine the FBI's vulnerabilities in the face of modern cyber threats.
The episode of Risky Bulletin provides a compelling examination of Iran's strategic restraint in cyber warfare and casts a critical eye on the FBI's operational security deficiencies. Through the expert insights of Patrick Gray and Tom Uren, listeners gain a nuanced understanding of the delicate balance between offensive cyber capabilities and the imperative of maintaining robust defensive measures to safeguard national security.
For more in-depth analysis and updates on cybersecurity, subscribe to the Seriously Risky Business newsletter by Risky Biz.