A

Foreign.

B

And welcome along to Seriously Risky Biz. This is our podcast all about cybersecurity policy and intelligence. And in just a moment I'll bring in Tom Uren, who is our policy and intelligence editor. And we're going to chat all about the Seriously Risky Business newsletter that he has put together. And you can of course read and subscribe to that over at our website, Risky Biz. First though, I'd like to thank our sponsor for this week, which is SpectreOps, experts in attack path management. And you can find them@Spectropsio. So big thank you to them for that. Now, Tom, it's great to see you.

A

G', day, G', day, Amberly, how are you?

B

Oh, really good, thanks. And I want to jump straight into your first story of the newsletter this week, which is all about Starlink, really. And Starlink is sort of being used as a bit of a lifeline in Iran at the moment amid the political unrest there. The entire country, it seems, is pretty much been cut off from the, from the global Internet. That's been going on for a little while. But Starlink is being used by some Iranians to be able to connect with the rest of the world. Now, Tom, that seems like a really good thing, but we're kind of not holding hands around the campfire here singing, you know, One Love or We Are the World and praising the Almighty. All great selfless SpaceX, because they do have a bit of a history of being fairly reactive when it comes to stuff like this. And you're thinking this isn't really any different to that.

A

Starlink does some good stuff. Their Internet service, by all accounts, is really good. And they've several times reacted when there's been a crisis or an emergency. So the first time was when. Well, the first time I'm aware of was at the beginning of the Russian invasion of Ukraine. And basically over Twitter, as it was known back then, there was this interaction between Elon Musk, the CEO of SpaceX, which is the company that runs Starlink, and the Ukrainian minister, and Musk just basically committed to rolling out Starlink to Ukraine. And it's a great service in that you can just do that. You can ship terminals and basically they can just switch them on. And in a way that's kind of what has happened in Iran. So in Iran recently there have been civil unrest. The regime has launched a bloody crackdown, and it seems that at least thousands of people have been killed. They've at the same time imposed an Internet blackout. So they've cut Internet access, essentially to the whole country. So 90 million people just disappear off the Internet. There have been a lot of Starlink terminals shipped to Iran and in the last week it seems that, or maybe it's almost two now, those terminals are basically free to run. So prior to the unrest you needed a subscriber, you needed to actually pay for the service. And that was a bit difficult because of sanctions against Iran. So it was hard for individuals to do that. I'm sure many of them succeeded. But you couldn't use an Iranian credit card or an Iranian bank, for example. So apparently Donald Trump said he was going to talk to Elon Musk the day after that. Those subscriptions were free. So if you had a terminal, you could just run it. The numbers I've heard range from 50 to 100,000 terminals in Iran. And this I think is a good thing.

B

Yeah, absolutely.

A

And the, at least part of the motivation of the regime of cutting Internet access is to prevent bad news about the violent crackdown getting out. And that is getting out. Reporters that specialize in Iranian news, they say that most of the reporting they're doing is based on stuff that is transmitted over Starlink. So like that's good. It's consistent with the way SpaceX just sort of reacts to news. There's no forward planning and in a sense also the US government. So part of the story is that those terminals ended up in IRAN because the U.S. government, it kind of eased or exempted those terminals from sanctions. So it was legal for US people to send them to Iran, not legal for Iranian people to have them. But now in the today that seems like a really far sighted move. But in fact that was also reactive in that it occurred after a previous round of protests and blackouts. So everyone is just reacting to the situation. So Starlink is like, that's good, but it's limited to the number of terminals. It's hard for mass access because even though that sounds like a lot of terminals, it's a big country. It's also susceptible to electronic jamming and countermeasures. So the regime has, it seems like it's got Russian equipment or Russian help. You can upset Starlink terminals just with GPS spoofers because if the terminal thinks it's in the wrong location, it can never find the satellites in the sky. It needs to know where it is to find the satellites. So if it's confused as to where it is, it just can't pick up the signal. So there's these countermeasures that can be deployed. So it's not A perfect solution.

B

Do you think Also, Tom, given SpaceX can be quite reactionary, whether due to government pressure or whatever else, if SpaceX can kind of be pressured to giveth, do you think if things change or whatever happens, they can kind of be pressured to take it away as well?

A

Oh, yeah, I'm sure that's true. And I think that is a, that from a US Government perspective, that's an argument for having multiple providers and having actual arrangements in place that are more than just, hey, I'll, I'll give it, I'll give Elon a phone call and we'll sort things out. And so Amazon is launching its own equivalent or competitor, Starlink. So I think there's also a couple of other, There's I think a European service, a Chinese service that basically all have the same idea. So having more services would be good, I think. And again, this gets back to my point of actually planning for these things. So there will be other disasters where you want to deploy rapidly. Internet access. And I think the Starlink style Internet access point is, is a good thing. And having a couple of different providers where you've got it, I don't know, maybe competitive contracts to try and for emergency relief and disaster relief and censorship, that makes sense. There's also new technologies coming online. So Starlink has a new technology called Direct to Cell and they've actually been calls by Iranian activists to activate Direct to Cell over Iran. So the idea is that you have a normal cell phone and instead of using the domestic cell towers, you can use cell towers in space. And in countries like Australia, Canada, even the US that's been rolled out because the geography is just so vast that there's a lot of places where you don't have cell tower coverage and it's used for things like emergency text messages, you know, I've been bitten by a snake, whatever. And there's like a small number of stories about people using exactly that service.

B

Yeah, right.

A

And from a Internet blackout point of view, that's kind of attractive. Like Instead of having 50,000 terminals, you'd have, you know, I don't know, 15 million cell phones in Iran that might be able to use that service. It would be more broadly accessible. It would be harder for the regime to crack down on because it's harder to block signals. There's so many more of them. It's harder to track down individuals for the Starlink terminals. They've been doing things like flying drones to try and identify them. And so in some ways it feels like a very attractive solution. To use direct to cell. But I also think it's not the kind of solution where SpaceX can just flick a switch and turn it on. So in the countries that it's in, which is I think less than a dozen so far, it's rolled out in cooperation with the local domestic telco. So there's I'm sure pretty complicated links between the satellite and the domestic telcos. And it's not something where Starlink can just go, okay, we own the ground equipment, we own the terminal, we own the satellite. It's a matter of updating a database and all of a sudden that traffic flows the you'd need a telco to take up that signal. And I think it gets very complicated. So it's something that is a possibility. Maybe it really makes sense. Maybe from a foreign policy perspective you'd like the ability to switch on that capability in disaster areas, say like as humanitarian relief for a short time or in like a case like an Internet blackout, like, like Iran, those blackouts are actually pretty common. And as a foreign policy, you know, an option maybe that would be really nice to have.

B

And it's like you said in the newsletter, I mean this, this particular situation in Iran that's happening right now is not going to be the last situation like this that we ever see. So maybe it is time to start putting in that planning for future situations that we all know will happen at some stage.

A

Yeah, I think at very least it makes sense to think about is it something that we would want? Should we have that option? How would we get that option in place? Like is it practical? Is it feasible? Does it actually make sense? I think there's a lot of questions there that people tend not to think about until it's a problem. So I imagine, I'm hoping people are thinking about it now. Who knows?

B

And I want to move on, Tom, to General Joshua Rudd and his nomination to lead NSA and CyberCom. He appeared in front of the Senate hearing and shall we say, Tom, you are not necessarily leading the Joshua Rudd fan club right now.

A

I actually feel sorry for the, for the guy. I've met a number of senior US military people and inevitably they're very impressive individuals. I think when you've got a large military, I don't know something about the training and the selection. I always come away feeling like, yeah, that's a stand up person and clearly very competent. So that's my assumption with Rudd. But having said that, he's basically thrust into this unenviable position where President Donald Trump has said, I Want you to take this role that frankly, he's like, totally inexperienced and unequipped for. And that came across pretty clearly in the nomination. So this was in front of the Senate Services Committee and he's, you know, one of the first questions, what's your, what's your experience? And he basically says, look, I've got, I've used intelligence and I've integrated stuff from Cyber Command in operations. So, you know, I use Amazon a lot.

B

And yeah, I'm a consumer of a lot of things.

A

I think I could be CEO.

B

I consume a lot of food, but I don't think I'm quite ready to, I don't know, run it out, be a farmer.

A

So I could actually forgive that. Right. Because so much of senior leadership is dealing with outside stakeholders. So the managing outwards and upwards, a lot of it is dealing with other people in the administration. So if you're really good at that, you've got experts internally that can help you with the nitty gritty of how the organization runs. Like, that's, that's why you've got that kind of civilian deputy person in those organizations.

B

Typically that may be the case. But he still seemed very unprepared.

A

Yes, I think there's a couple of key issues that you would have to deal with as head of NSA and Cyber Command. And so the ones I can think of, and I'm sure there's more, but the ones that I've written about at least, you know, Section 702 and the Protection of civil liberties. So that's using domestic access to getting intelligence on overseas people. So that is a political hot potato that's come up pretty regularly. There's the dual hat arrangement where both NSA and Cyber Command are led by the same person. And then there's the role of offensive cyber operations and when they, whether they can be used to deter foreign adversaries. And so those are three topics that come up over and over again. They're discussed regularly. They're the sort of thing that I think you need to have an opinion on. You don't necessarily have to have an answer, but I think in those roles they would come up and you would be expected to have a position and argue internally in the administration for what your position is and basically for each of those. Rudd said, well, you know, things seem to be okay so far. I don't know, I would talk to experts inside and come up with a position and see that.

B

That's, that's what seems so strange to me because if I was going to a job interview. And I knew for a fact that a certain question was going to come up regardless whether I knew the answer or not. Surely you'd think of an answer.

A

Yeah, yeah. So there was a particularly like the really striking part of the hearing was Rudd was asked by Senator Angus King, who's an independent, do you think we should have a declaratory offensive cyber deterrence policy? So that's a policy that you publicize about. We will use offensive cyber to hit back. And the idea is that by publishing it, you making it clear that you'll do it, you deter your adversaries in cyberspace.

B

Yeah.

A

So I think that's actually a really good question because it's not clear to me what the answer is. Like, it makes sense for the US as a whole to have a declaratory policy about how well struck back, which they already do. But does it make sense for the just the cyber portions? Well, I think it's arguable now. Rudd basically ducked the question entirely. And he's like, it's not my role if I was confirmed. It's not my role to have, you know, to set declaratory policy. And like that's true. But King comes back with, yeah, like that's true, it's not your role, but you surely must have an opinion. You've been nominated for some time. This is one of the key questions. And you've got no opinion or are you just not telling me?

B

And that question had been asked before, hadn't it?

A

Yeah, yeah. So he, King had asked Rudd's predecessor, who was General Hawk at his confirmation hearing, basically the exact same question. And like, to be fair to Rudd, if you just sort of distill what he said down, he said pretty much the exact same thing that Hawk said. Hawk just said it, you know, with a lot more background about what actually goes on in those organizations. So he was able to say it's not my role to set declaratory policy. But he prefaced that with a whole lot of stuff about what actually goes on in Cyber Command. And Rudd just looked extremely uncomfortable that question. So either you're not telling us what you think or you don't have any thoughts. And I'm very disappointed.

B

I'm not big on the idea of cheating with AI, but it feels like the kind of thing you could just throw into chat GPT quickly and be like, what should I say when someone asks me this question? And at least have a building block.

A

So the. I think. But to put this in context, it seems like Rudd is just trying to be a small target, like, I'll say as little as possible about anything, and that may make it more likely that I'll survive in the Trump administration, where someone like Laura Loomer, who's basically a Twitter activist, can say to President Trump, I don't like this person for XYZ reasons, and they get fired. Which is what happened to Hawk. Yeah. And, you know, is that a good way to choose the head of the most, probably the most capable cyber organizations on the planet? Yeah, probably not, but maybe that's what you get right now.

B

Yeah, yeah, yeah, exactly. As much as he may not seem completely qualified for the role, Tom, when you give the current state of everything at the moment, is, is he the best person for the job?

A

Do you think he might be? He might be. I think so much of the Trump administration runs on personality rather than policy. Didn't like in this hearing, it didn't seem that policy was his strong suit when it comes to cyber operations. So we can only hope that he's got the personality that works within the Trump administration.

B

Yeah. Alright, Tom, we might actually leave it there, but great chat as always and thank you so much for joining me. You can, of course, read and subscribe to Tom's Seriously Risky Business newsletter over on our website, Risky Biz. But, Tom, have a great week and I will catch you same time next week.

A

Thanks, Amberly.