And this week's edition of the podcast is brought to you by Okta. And Tom...
You know, of course, this is the podcast where we talk through the newsletter that you put together every week. And you've, you know, it's a fantastic newsletter this week. I read it this morning. It hasn't gone out yet, but yeah, it's absolutely fantastic. And you've covered two things in depth. One of them is an Amnesty International report into possible spyware abuse in Indonesia. And you rightly note in this piece that you've written that
that people tend to sort of ignore Indonesia a little bit, which is weird considering it's the world's fourth most populous country and one of the largest democracies in the world. But why don't you walk us through the rough shape of Amnesty's report here? So Amnesty International, they've got a security lab and they've done several reports over time on different types of spyware. And in this report, they looked at exports to Indonesia.
And they have, I guess, two arms to their research. So one arm is commercial trade databases. And they look through that and try and see if they can find sales from, I call them the usual suspects. So groups like NSO Group, Candiru, the Intellexa Alliance. So organizations that sell spyware that has often been implicated in human rights abuses.
So they found some information there. They also do infrastructure mapping. So they describe spyware servers as having different, basically, they call them distinct fingerprints. And so they look for those fingerprints across the internet and they try and map it out. And so at times they can map a type of spyware to a domain and to an agency even.
And so they find, or they found, that Indonesian entities, sometimes they could tie it to the police, but not necessarily, had bought a variety of different spyware. So stuff from the Intellexa Alliance, Candiru, FinFisher, firms linked to NSO Group. And you look at the domains, and some of them are
sus in the sense that they're sort of emulating opposition political parties or... Yeah, they're like lookalike domains for organisations that the police should not be targeting, basically. I think that's the easiest way to put that. Yeah, that's right. But they don't go so far as to say we have proof that these technologies have been used for human rights abuses. So the way they frame the report is...
Indonesia is a significant country in Southeast Asia. A lot of these transfers came via Singapore or Malaysia. Being able to buy these types of technologies in a covert way where you can sort of sneakily get them and perhaps you can use them for human rights abuses without anyone knowing, that's a problem. Yeah. I mean, even if you take human rights out of it, like using this sort of stuff illegally for political purposes is
You know, is that a human rights abuse or is that just sort of backsliding into a less than democratic form of government, you know? I think... Are they the same thing? I think I would argue that they're the same thing. I mean, I'm splitting hairs at this point, but you get what I'm saying. Like, you know, quite often when we hear about this stuff, it's like some activist winds up imprisoned based on stuff collected from their device or whatever. Whereas this... Yeah, I mean, for those who don't know a great deal about Indonesia, it was...
you know, a dictatorship for over three decades under Suharto. And then in, when was that? 1998 became a democracy. The transition to democracy was actually bloodless mostly, which was fantastic. And, you know, they, they do have a, you know, a healthy democracy. So it's concerning when you see stuff like this. And it reminded me reading this, it reminded me of like,
the cleanup happening in Poland now where the new government is still mopping up the previous government's abuse of this stuff and you really do get the impression
that because these things can be bought, as you point out, covertly, there's just such a temptation to acquire these tools and use them because you can kind of keep it quiet. Whereas if you're trying to spin up an organization to develop this stuff, it's a lot of budget. It's a lot of headcount. People are going to find out about it. This seems to be the sneakier way to do it. And as I say, the availability kind of encourages the use. So I think it's great that Amnesty is doing this work.
What it really made me think about is: is it a kind of gateway drug to more authoritarianism, or is it...
just another tool that governments with authoritarian tendencies tend to use? And the answer to that question makes you think about how hard you should go on spyware. So my personal view is, you know, you can use these technologies for legitimate purposes and you can abuse them. And if it's a gateway drug to
to sort of sliding into further authoritarianism. You really want to go very, very hard on them. So that was the sort of question it raised with me. So I spoke to Dr. Gatra Priyandita.
Yeah, you can pronounce it better than I can. So he's at the organization I used to work at. He's Indonesian and he looks at cyber and Indonesian foreign policy. And so his take was that it is a lot easier, but he thought that there'd been this tendency ever since the transition to democracy for Indonesian elites to sort of subvert power structures for their advantage. So, you know, they'd get...
members of the security apparatus to silence critics. They'd use laws. And so this is just another example, and it predated the use of spyware by some time. But he did agree that it's probably easier and more attractive to abuse power
So to me, you know, we absolutely need to try and crack down on the sale of spyware that's used willingly for purposes we think are bad. Yeah. I mean, you know, Indonesia has a long history of this sort of abuse, right? But more under the dictator period. I just looked at his name on the sheet too, and it would be Priyandita. Yeah.
would be the pronunciation. So I lived in Indonesia as a child when Suharto was still running the joint. And I think my favorite headline from the Jakarta Post was "corruption investigator dies after taking a walk". And if I remember it correctly, they had him in the ground the same day as per Muslim custom and
And his family are away. There was no autopsy. I mean, the whole thing was very shady. We've had political assassinations carried out by Indonesia, one famously on a Garuda flight. That's their national airline. So, you know, dirty tricks, assassinations, all sorts of stuff is in Indonesia's history. And while they've made amazing progress in many ways, there's still...
There are still remnants of that political culture, right? And this stuff, yeah, like has a tendency to sort of encourage that type of behavior, I feel like. Yeah, yeah. One example, I'll use his first name, Gatra, talks about was this...
It's a special task force that was meant to tackle serious crimes like, well, online gambling and narcotics trafficking. But it was actually co-opted to basically harass political opponents. Yeah. And there's reports that it was involved in wiretapping and hacking. So it's related to this story. However, I guess the good news is that that command was shut down after the head of the command murdered one of his own officers. Yeah.
And it struck me as just a kind of vignette of how some countries have this kind of, it feels very Wild West to me. And I guess the take home for me was, yes, spyware is important and we should do something about it.
But there's also a bigger picture where we can't just say, look, we've tackled spyware, job's done, democracy's safe. It's got to be integrated into, you know, how do you sort of try and encourage these countries to do better? Now, the Amnesty Report points out that
Indonesian law allows wiretapping with judicial authorization. So that's the good part. The bad part is that there's not as much oversight as you'd like. Yeah. And so... I mean, to be clear, I mean, because there'd be a lot of people listening to this who would have just no even concept of Indonesia. Like it is a functioning democracy where rule of law applies and...
But it's just a little bit rough around the edges, I guess, is how we'd put that. But, you know, you're sort of talking about, well, what do we do about it here? First of all, you know, I think the civil society, you know, digital rights types have done a really good job on this issue over the years. You know, I find myself agreeing with them on most of what they say about all of this. Whereas, you know, when they start in on some of the, you know, Western intelligence agencies and sort of their imagined abuses, I don't know, I don't...
they lose me a little bit there, but I think they've done a wonderful job in all of this lobbying governments and whatnot to take action. But I guess, you know, looking at this, it just seems like
It's all the more important that countries that are in a position to do something about the proliferation of this stuff actually do it. And I think the US deserves some credit here for being quite aggressive in the way that they're going after these types of companies and trying to sanction them and, you know, travel bans and shutting them down and even indictments in some cases. Yeah, yeah, that's right. And one of the key parts of the report is it points out that it's really Singapore and Malaysia that appear to be a nexus. And it seems like when you've got any kind of...
Well, a nexus can also be a choke point. Yeah.
And Singapore seems like the sort of government where maybe you might get some traction on cracking down on this sort of thing. Well, Malaysia too, you'd think. Yeah. Yeah, that's right. So that's the good news. Yeah. So that was a really interesting read, mate. I really, really enjoyed that. Everyone can go to news.risky.biz to subscribe to Tom's newsletter if they haven't already. The other thing that you looked at, and this was something we covered in the main show with Adam Boileau and Lina Lau yesterday, but you've actually gone out and done an interview on this.
So you looked at the idea that the United States is going to introduce some sort of minimum security requirements for hospitals and healthcare organizations.
And you spoke to a CISO about this who is responsible for the security of a bunch of hospitals and clinics and whatnot in the United States, unnamed in this piece, obviously, because talking about this sort of stuff is sticking your head out a little bit. But they had some pretty interesting things to say about the pros and cons of this type of push. Yeah, so the...
regulation we're talking about is contained in a US Department of Health and Human Services budget plan. And there is money to improve cybersecurity for hospitals in the next year. But from 2029 onwards, they're proposing that if hospitals don't meet certain minimum requirements, the payments from the government actually get docked.
by a certain percentage. Now, the CISO I spoke to, he does pro bono work in small hospitals that basically couldn't afford his expertise. And this was really where he was focused. And he was saying, look, those small hospitals have a snowflake's chance in hell of actually doing anything, meeting those standards, because they're all essentially underwater. So they operate at negative
operating margins. So the way they survive is by getting grants from state and local counties and fundraising and stuff like that. So the example he gave is there's a hospital he goes to. It's small, it's rural, 50 beds. They've got two IT personnel that do everything. So IT, security, also managing biomedical devices,
and they haven't made an operating profit since the 1970s. Yeah. And it's a rural community, there's just no capacity, and they're already underwater, and taking away more money is just not going to work. So he made the point that there's a lot of these sorts of
hospitals in this situation, and they're either rural or they're in sort of dense urban areas, ironically. And they just don't have the capacity to do much now. So yeah, if the thinking is, well, you need to do all of this security stuff or we're going to not give you grants anymore, well then bye-bye hospital, bye-bye clinic, right? Yeah, yeah. And he pointed out that there's
Medium and larger hospitals are in a very different situation. So if you want to do this sort of thing, he didn't actually strongly argue against it for large hospitals. He was saying you need to means test it. You need to carve out for the smaller ones. Yeah, that makes sense.
He thought the way to go was to try and encourage managed service providers for those sorts of hospitals to... Was he encouraging them to do it pro bono? No, no, not necessarily. I think he was just encouraging the spread of effective safe managed service providers across that swathe of hospitals would be a better way for the government to try and get traction and improve cyber security. Now, he also said that those hospitals...
are so resource poor that even though if they had a ransomware attack, it would be bad, it's not as if every device is networked and connected
He thought they would struggle through. Whereas in a large hospital, they've got the resources to network and connect everything. Everything's integrated, yeah. I mean, the point he made is like if there were a ransomware attack, they'd just grab their laptop from home, get on the guest Wi-Fi and then log in through the web to the medical records or whatever and they'd find a way to keep going. But I think that's an interesting idea and maybe that might help because I know there's been a lot of pushback against the White House over this. And, you know, perhaps if they were to...
as you say, sort of means test this and make it only apply to medium to large hospitals, it would, you know, it would get, it would still get the pushback, but it wouldn't be justified, right? Yeah. And I mean, the whole thing made me think that the health sector is just huge. And so one of the articles references Anne Neuberger, who's the Deputy National Security Advisor for Cyber, saying that, you know, some of the healthcare sector pushback is unjustified.
And, like, you look at Change Healthcare and they're making literally billions of dollars. Yeah, somehow they can't afford MFA, right? Yeah, that's right. But at the same time, there's this, like, parts of the US healthcare sector that are really, you know, in difficulty. And so it's this massive, well, it's an entire sector, right? Yeah.
It really requires a lot of nuance. And even the... I referenced an American Hospital Association statement that pushed back against these exact regulations...
And when I read that statement, it was not persuasive at all. So it's even if you take hospitals as a group, they can't come together to come up with a common statement because none of them want that regulation. But the reason that that regulation is nonsensical only applies to like a small subset of hospitals. And so I thought that was a really interesting dynamic about lobbying and
how even though you can be in a lobby group, your message can get lost because the whole group doesn't agree with necessarily. Well, I mean, you know, the US healthcare system is sort of infamously conservative
fractured and weird. Right. So that's, uh, that's not so surprising. You know, I have a feeling that if it were a, you know, a similar regulation were to, uh, to land here, um, yeah, it would be easier for the private healthcare system in Australia to, to lobby because it's just not as, I mean, obviously we're a much smaller country than the United States, but the system seems a lot simpler as well. Yeah. Yeah. Yeah. I mean, another point, the, um,
the CISO made is that there's for-profit, not-for-profit. He kind of said, you know, well, if you're a for-profit healthcare, well, you know, you took your chances. So take your lumps. Yeah, that's it. That's it. All right, Tom Uren, thank you so much for joining me to walk me through this week's Seriously Risky Business newsletter. Fantastic chat. Great work as always this week. And we'll do it again next week. Thanks a lot, Patrick.