Srsly Risky Biz: China hacking for more than just IP

2024/3/27
Risky Business News

Patrick and Tom discuss the recent US and UK indictments and sanctions against Chinese hackers, focusing on the shift from IP theft to political targeting, which is a significant change in the narrative.

Transcript

Hi everyone and welcome to Seriously Risky Business, the podcast we do here most weeks at Risky Biz HQ where I talk to Tom Uren about the newsletter that he writes of the same name which he's just finished his edition. It's about to go out and we're going to talk about that. G'day Tom. G'day Patrick, how are you? Good, good. It's great to have you back. I filled in for you last week and actually wrote your column for you which was a lot of fun.

It wasn't as rigorous as what you do, but yeah, I definitely had fun doing it. It was a lot easier for me too.

So we'd like to say a big thank you to this week's sponsor of this work, which is Sublime Security. If you don't know them, they're a startup in the United States who make an email security product that's much less of a black box than the major email security services. Their customers love it. You can write your own rules and stuff and go back and do threat hunting in your email and stuff. Very, very cool. And you can get free versions. So you find them at sublime.security. We'd also like to say thanks to Lawfare and the William and Flora Hewlett Foundation who support Tom's work with us here at Risky Biz. And mate, you've written up a couple of things for us this week. And the first thing that we're going to talk about is this giant Five Eyes sanctions and indictments package that's been leveled against a bunch of APT groups, some with links to various contractors and companies in China.

What I found really interesting about your analysis is it didn't even really occur to me that the most interesting thing about this entire action is the stuff that the Five Eyes agencies and countries are getting salty about isn't, in this case, IP theft. It's political targeting. We haven't really seen this before, have we? We haven't really seen...

you know, US, UK, Canada, Australia and New Zealand saying, no, no, that's out of bounds. So this is very different. Yeah, yeah. So in the past, almost always, well, within every indictment, the main focus has been on IP theft. And the US has gone to lengths to say that this isn't an acceptable thing and it's the theft for economic or commercial gain that is the problem.

So they've more or less steered clear of including targeting of government, what the US thinks of as legitimate government targets.

So they've tried, my take is that they've tried to send a message saying, you know, all this government and military targeting, that's okay. We can live with that. We accept that. That goes on. But the IP theft is out of bounds. Now, this indictment and the messaging around it, it's almost the exact opposite. The indictment actually contains a whole lot of information about IP theft, but it almost disappears into the background in the messaging that's associated with the announcements and the public statements. So, for example, the UK, their foreign secretary, talked about democratic systems, interfering with UK democracy and interfering in general. And similarly, Merrick Garland, who's the US Attorney General, spoke about we can't allow the Chinese government to intimidate Americans who serve the public. And so a lot of that is sort of hung off the hacking that's been focused on either government officials, activists or parliamentarians. I'm curious about this though, right? Because...

They're saying that this is intimidation. They're saying that this is interference. Isn't this just espionage? Isn't this just collection? Like what is being done here that is making the agencies say that this is something more? This is something more like interference and intimidation. That's a great question. And the short answer is, I don't know, because it's not in the indictment and it's not in the statements. There is one very brief statement that,

where the US indictment mentions subsequent related malign influence operations. So what I'm assuming is that the hacking is part of a broader operation where there's follow-on steps that take place that actually you'd describe as interference rather than espionage. So in the States, there have been a couple of

cases where the U.S. has indicted Chinese MSS officers who've been operating in the States trying to intimidate potential candidates for Congress. So former Chinese citizens who've emigrated to the U.S., become U.S. citizens, are trying to get into elected office, and they've been trying to intimidate them. And there have been other similar incidents,

where they've been trying to influence things. So it's not the case now that we're redefining the norms and saying intelligence collection from politicians is out of bounds. It's more the...

Chinese characteristics of this activity that is the problem. I mean, if we're reading between the lines here. That's what I think. Now, I think it would actually, I think, be useful if they spelt it out and said... Yes, to our satisfaction. That's right. To our wants. I agree. It's always nice when government communications are tailored perfectly for ingestion by the team at Risky Biz HQ. But sadly, that's not the world we live in.

Yeah, and I think another data point is that Australia's security intelligence organisation head came out and said that they tried to recruit a former politician, some country, some unspecified country. So I think there's just a trend of more interference and these hacks, I think some of them play into that.

So the UK mentioned a hack of the electoral commission systems where they likely stole voter registration and voter details. And it's not clear to me

It's clear that that could potentially be used for interference somehow. And I think it makes sense to send a signal to say interfering with electoral systems is something that we're going to push back hard against. Stop trying to scare people who are running for office. Stop trying to scare people in civil society who engage in democratic processes. Get your dirty hands off our voter rolls. Exactly, yeah. And I think the...

I spent some time thinking about this and many of the political targets they mention in here on their own, I think would be, you know, air quotes, legitimate targets like parliamentarians. That seems fine. But if you hang up with an interference campaign, I think then it's like, this is the sort of response I think makes sense. Yeah, no, a hundred percent. It's a very, look, I, you know, you've got me thinking about this in a, in a,

more sensible way, right? Because I hadn't really had a chance to sit down and really go over this and go through it. And like, I agree with everything that you've just said. Do you think though that there's a... Do you think though that because they haven't been explicit in their messaging about why they've taken this action that...

Perhaps the message might be lost on the receiving end. Not that China ever bloody changes its behaviour because of these sort of things, but do you think that... I mean, you did say that a bit more clarity in the messaging would have been nice for us, but do you think a bit more clarity in the messaging would have been more useful? I think that...

The short answer, no. So I think this kind of indictment sends a message to the PRC. They know what they're doing. They're probably not going to change. But I think the other audience is the domestic audience. And in the past, because political hacking has not been talked about as much, there's...

all the potential victims or the potential targets have probably been able to not think about it too much. Whereas this kind of indictment, it makes everyone aware that they're a target. So one of the examples in the indictment is that there's a parliamentary alliance against the Chinese Communist Party. And it's got parliamentarians from all over Europe that are part of this loose group.

And it says that every single one of them was the target of a hacking attempt across Europe. But I mean, for collection purposes, that makes sense. I guess the question is, if they started repeatedly like bricking their phones, that's harassment, right? Like that's different. So I guess that's what I'm trying to understand. Like, what were their objectives on target that made it seem more like harassment and less like harassment?

What I think happened is they've got some examples where there's hacking and harassment or coercion or attempted recruitment stuck together. And there's other examples where that's not clear, but we'll bunch them all together because we're going to talk about it anyway. Jeez, China, why can't you just do stealthy collection like a normal country? That's right. And I guess it's funny too, right? Like you worked at ASD for 15 years and the mentality...

in those organizations, like mostly it's rooted in their history, right? But the mentality is really like, don't ever be seen. We don't exist, you know? And to see China just come along like a bull in a China shop, you know, it's almost offensive to the spy sensibilities of the people who work at these agencies. Would you agree? I think it's a really interesting example of,

You know, the sort of assumption in those places was that secrecy was very, very important. So NSA, people used to say that it stood for no such agency. And each of them has a history of, you know, basically not existing in terms of having a public profile. And it's only been since the kind of 80s, 90s that they've...

actually been organizations that you knew existed or that people knew existed. Whereas the Chinese approach is, I guess it's a blank slate approach, right? Yeah, if you were to rebuild it for the modern era, what would it look like? And this is what we get. Yeah, yeah, yeah. We'll just hack. What are they going to do? They'll complain occasionally, but we'll get a whole lot of juicy information. So why don't we do that? Now, I think that does actually have strategic downsides. And I think...

Well, everybody hates them for it. Yeah, exactly. I think it's diplomatically in the long term eroded trust in the Chinese government. It's one of the things. It's not the only thing. And so, you know, I can't say that I disagree with secrecy being important. Yeah. Well, at least it's not even so much secrecy, but discretion. Yes. Yeah.

You know what I mean? Like, at least make it somewhat deniable. This is just, I mean, ever since the APT1 report, when was that? Like 10 years ago, 11 years ago? Ever since then, it's just been like, you know, they've just done it all in the open. But yeah, look, very interesting chat about that. Thank you. And of course, we're going to link through to Tom's post on all this, which you can find at news.risky.biz.

The next thing you wrote about, and it's a topic that comes up every couple of years, right, is someone in the United States, it's the Foundation for Defense of Democracies, has suggested that the US needs a cyber force and has pointed out some problems that it sees with the whole approach to cyber command.

But they've done their work. They did 75 interviews with both active duty and retired military officers, which make it clear that Cyber Command is struggling with personnel and skill shortages. You know, it's impossible to read a synopsis of their reasoning here and think that it sounds dumb. No, it was a 39-page report and...

Basically, at its heart, it's that the people who do cyber are trained by Army, Navy, Air Force, Marines. And none of those services really care about cyber capabilities all that much. And so when you take those people and try and get the best people, retain them, train them,

motivate them over time. It just doesn't work when no one who runs those sorts of development organizations cares. And that to me just kind of makes sense. If you were going to do a blank slate, like just start from scratch,

without the heritage of the US military, you'd probably say, well, let's just get a contractor organization, spend a lot of money paying people well and build it from the ground up. But when you try and do it in the context of the current US military, that doesn't work. That's not how militaries are formed.

And so there's an argument really based on the heritage and the way the US military does things that you need a separate service. And the services are responsible for training and developing people.

And then Cyber Command is responsible for actually employing them in the field. Yes, this is the thing. Like US Cyber Command draws all of its people from the other branches of the military. And what you're saying is like those branches don't really care. And so Cyber Command can't get the skilled people and whatever. But let me ask you this. What's the difference between Cyber Force and Cyber Command?

Yeah, so the story is that the army develops army people and buys and purchases the equipment. But it's the different combatant commands that actually use army people. So Cyber Command is the, it's a unified combatant command, which is the group that says, okay, we'll do this mission together.

Here's the, you do that, you do that, you do that. And it runs the actual day-to-day, but it's not responsible for training and development. And so, I don't know, CENTCOM, for example, it gets army people, navy people, air force people, and puts them together into a package to do a particular mission or task force or whatever. But it doesn't train and equip those people. That's up to the services. So that's why you need a service system

rather than just saying to Cyber Command... Right, so what you need is a cyber force that's responsible for the training and equipping and developing the skills, and then Cyber Command can then task cyber force instead of having to get the best the Marine Corps has to offer for hacking. Yeah, yeah, that's basically it. And that is an argument based on the cultural heritage and tradition of the US military. Yeah. And so...

It's pretty funny when you've got Cyber Command tasking Cyber Force. I think the way it works is people in the Cyber Force get assigned to Cyber Command. So I guess that's just a pedantic difference. Well, I mean, the idea is too that you could have people probably go over from Cyber Force to the Air Force if they needed to or over to the Army if they needed to. I get it, right? So you want that sort of pool of expertise there.

that can actually do the fingers on keyboard stuff and you want to be able to deploy them into Cyber Command or into the other branches. Yeah, yeah. And so in a different country where the military heritage is different, maybe you come up with a different solution. You don't need an entire new force because the way they train people is different or the way they use contractors is different or the way they use public servants is different. So it's not something I would suggest for Australia, also given the size and stuff like that, but...

Reading through that report, it makes a lot of sense for the US. Yeah, well, there you go. Can't wait to see the patch. Hopefully we can get one, Pat. You never know.

You never know. We live in hope. Or at least a coin. A coin. A coin would be good for the new cyber force. Let's see. Probably some of you out there listening, if cyber force happens, you're going to be in it. Send us a coin. I'll write in. I'll give you our PO box number. Tom, you're in. Thank you very much for that conversation. All very interesting stuff. Great newsletter as usual. And it's good to have you back on deck this week. And we'll do it all again next week. Thanks a lot, Patrick.