
Srsly Risky Biz: US intelligence community worried about personal data

2024/8/8

Risky Business News

People: Patrick Gray, Tom Uren

Topics
Tom Uren: The 2024 counterintelligence strategy report published by the US Office of the Director of National Intelligence (DNI) highlights the risk posed by personal data: large amounts of personal data are easy to obtain, and foreign adversaries have the capability, opportunity and motive to exploit that data to harm individuals and national security. The report focuses on raising awareness of the risk among the public and decision makers rather than proposing specific government action. Although most people will not usually face this kind of risk, it is a concern worth attention from a national security standpoint. Uren believes the intelligence community's role is to point out the problem rather than to draft specific laws and regulations, and he endorses the provisions on data-use purpose and limitations in the previously proposed American Privacy Rights Act and the Data Privacy and Protection Act. He also cites organizations such as Bellingcat as examples of what can be done by investigating with publicly available data, and of how similar that is to the activities of foreign intelligence agencies. Finally, discussing the prisoner swap, Uren notes that the evidence linking the two released cybercriminals to state agencies is weak; even if they were connected to individuals involved in Russia's interference in the 2016 US election, that does not mean they took part in state operations. He analyzes the case of the company M13, noting that it was ostensibly a penetration-testing company but in practice profited by manipulating the stock market, and that its head, Klyushin, politically well connected and wealthy, ended up arrested. Uren considers movement between intelligence agency staff and the private sector to be common, and says it does not mean private companies are necessarily connected to state operations.

Patrick Gray: Agrees with Uren's view that, although the risk from personal data has little impact on most people, from a national security perspective the potential threat is enormous, because motivated and capable actors can easily exploit this data. He believes elevating personal data risk to the level of national security would help push the US to enact more sensible privacy laws. However, balancing the interests of economic development, personal privacy and national security is a complex problem, and legislators may be unwilling to be seen as anti-business.

Chapters
The 2024 US Counterintelligence Strategy highlights the risk of foreign adversaries using personal data for targeting and blackmail, focusing on the availability of various types of data and the potential for national security threats.

Transcript

Hey everyone and welcome to another edition of Seriously Risky Business, the podcast and now YouTube video that we do here at Risky Business Media where we speak with Tom Uren who works with us to write his weekly Seriously Risky Business newsletter which covers you know cyber security topics but from a policy perspective we talk a lot about intelligence matters in all of this

So yeah, that's what Seriously Risky Biz is. And this edition of Seriously Risky Business is brought to you by Material Security, which makes a very interesting product designed to put some access controls around cloud-based emails. So you can lock up some of your cloud email services

So you need to do like a step up authentication challenge if you're trying to access archived messages, things like that. It can auto-redact PII. It's an interesting product and you can find them at material.security. Seriously Risky Business is supported by the William and Flora Hewlett Foundation and also receives assistance from Lawfare. So thanks to all involved in making this happen. Tom Uren.

joins me now. Tom, good to see you. Good day, Patrick. How are you? Good, good. So we're going to talk through the newsletter that you've written this week. And the first item that we're going to discuss is a report written by or published by the DNI, the Director of National Intelligence in the United States. It's the 2024 US Counterintelligence Strategy. And interestingly enough, data risk is a big theme in the 2024 report.

Yeah, I love these kinds of reports. I'm always a bit of a strategy tragic. And what I found interesting is that, and I think rightly for that kind of organization, it worries about things but doesn't necessarily spell out what the whole US community should do about them. So it's got this part where it focuses on individuals and says that individuals are really at risk and

And the reason that they're at risk is there's just so much data out there that's available about them. So it talks about biometric and genomic data, healthcare data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, data on affiliations, political affiliations and leanings, hobbies and interests, etc.

And so there's a whole swath of data that we've talked about on this show quite a bit over time that is, in my view, just too easily available. And in this document, it highlights the risks and that there are foreign adversaries who have both the means, the opportunity and the motive to try and take advantage of all that data, pull it together and make it a problem for not only individuals, but for US national security.

Yeah, so this is a topic that's come up between you and I previously, and I think it was maybe even, I think it was more than a year ago now, we wrote about that story where a

Was it a priest? He had been sort of outed as, you know, probably gay because of the data trail that he left behind in commercially available data bought from data brokers. So some conservative religious publication managed to pull together a package showing this guy's pattern of life, showing trips to, you know, I don't know, I can't even remember what it was, but it was like trips to gay saunas or whatever, or, you know, a presence on Grindr. It was

And it was really interesting because as much as this publication was a hit job on this poor guy, what was really interesting about it is the reaction out of policymakers like you wrote about it. But it was one of those events that made people stop and think, okay, this is a media outlet doing a hit job on a guy, but

wow, that's a capability that's available to everyone with a credit card. And I think since that time, it's all sort of unfurled from there. That actually strikes me as a bit of a watershed moment. So it is encouraging, isn't it, to see a report like this till that ground? Yeah, so the...

actions for that particular part of the strategy are basically educational, or at least one of them is educational. So I thought this was the point where the strategy would really like to say the US government should do something about this, but it's not the place of the intelligence community to say what lawmakers should do. So it talks about in

informing people of the risks with decision makers, which I sort of interpreted as we need to make lawmakers understand these risks so that they do something about them. I think that the thing about that data ecosystem is that most of the time for most people, there's no one who's out there to get you and is willing to spend the time and money to mine that kind of data, gather it together. And so for most people, most of the time, it's a nothing burger.

Well, I think to a degree, sorry to cut you off there, but I think to a degree that explains the lack of action from lawmakers because it's not exactly something that their constituents are lining up around the block to complain about. But when you look at this from a macro perspective and you look at it through a national security experts, you know, frame of view, it is alarming.

Exactly. You stole the words out of my mouth. So that's the reason why is that you've got motivated actors who've got the capability to do it. And it's probably a lot easier than doing other sorts of espionage in many cases. So I think that's the point of leverage that makes people think about the risk and it's a national security risk.

Yeah, I mean, I think at the time that we spoke about that case involving the priest, you know, I suggested, well, I think we both suggested that a great way to get privacy law, sensible privacy laws enacted in the United States, which doesn't have sensible privacy laws right now, but a way to get sensible privacy laws actually onto the agenda is to turn this into a national security issue. Do you think that lawmakers will...

perhaps move in that direction, perhaps realise that this is not just about privacy, it is about national security and that that might move the needle and actually see some bills get proposed that might actually go somewhere? Well, there have been a number of bills that have come and gone since that priest story and they've each time seemed more promising than last and no one's ever quite got across the line. And I think it's a tricky issue in that probably economically you would

I think it's been good for the economy to have a free-for-all where everything's gone. Like that's viewing the economy narrowly. Has it been good for people? I'm not in probably on balance, yes. But I think you've got to weigh up these very, very different equities, I guess. It's the economy, it's personal privacy, it's national security. And so I think it is a difficult problem to strike a right balance.

Yeah, because a lot of these lawmakers obviously don't want to be seen as anti-business by putting really onerous data regulations on people. You know, the GDPR is certainly perceived in the United States as being a ridiculous kind of regulation, right? So you try to introduce anything like that that puts, you know, red tape on commercial operations, like that's politically quite tough there, right? Yeah, that's right. And I think it's – so you've got these different equities

balancing them is tough. I think the, I wouldn't argue for a super onerous regulation. I would just argue for something sensible.

And what does that look like though? So one thing that's really funny here is that you point out that this report, it talks about talking to stakeholders and lawmakers and whatever, but this is the sort of thing you see in strategy reports when they don't actually have any good ideas, right? When they're just like, we need to raise awareness and things like that. So it seems you're a bit critical here because-

there's no, there's nothing really concrete that they're proposing. It's more just like they're proposing that people view it a certain way, but not so much proposing concrete steps. Yeah, well, I don't think it really is the role of the intelligence community to say we need a law on this, right? So I think it is a criticism, but it's also, I think, the right approach. You've just got to highlight the problem and say it's up to someone else to make the decision.

Now, I actually liked elements of the two previous laws that have come up in the last couple of years, the American Privacy Rights Act and the ADPPA, which is an acronym. I can't remember what it stood for. And they both had here are things you can.

can't do with data and that you should have a particular purpose. Things like targeted advertising were fine, but you had to have a particular purpose for doing it and you couldn't just distribute data willy-nilly. So it struck me as both of them were not perfect, but were definitely better than what was in place right now, which is kind of dependent on state law.

Yeah, I mean it is a total patchwork at the moment. It is interesting though to see a report from the Director of National Intelligence that specifically talks about how this data could be abused by foreign intelligence entities, FIEs they call them. We're always getting new acronyms to describe foreign threat actors, right? That's right. Yeah, I was wondering... Because it used to be FIS, right? Foreign Intelligence Services, and now it's Foreign Intelligence Entities.

Yeah, and I suppose that it talks in the report about the use of commercial providers. And so I think there's a recognition that they're not all services or agencies. There are commercial players who are doing essentially the same services. And I guess that's part of the... Well, thanks to the i-Soon leaks, we see the way that that works in China, right? Yeah, that's right. But I think also there are companies who are mining open source and doing...

Well, I mean, you just have to look at something like Bellingcat, which is a Western group that mines this kind of data and produces essentially intelligence reports. It just publicizes them and highlights wrongdoing in...

in bad states. Well, it's not always about highlighting wrongdoing. I mean, quite often they're just answering questions about various events, how they happened, right? So I'm a big fan of Bellingcat, but, you know, would we be comfortable with, you know, with China's or Russia's Bellingcat, right? Like, would we regard them as a foreign intelligence entity? And I think your point is, yes, we would. Yeah, yeah. They're a great example of an independent organization who is doing...

very advanced open source research and kicking goals like finding, uh,

actionable intelligence. And so that's, we don't hear about the Chinese or Russian or Iranian groups doing the same thing. I imagine there must be some, uh, it's just that they're not publicizing their work because they've got a different business model. Now you also wrote about this prisoner swap. This is something that I covered yesterday in the show with Adam Boileau. I also published an interview I did with Dmitry Alperovitch about this. Um,

The general consensus seems to be that the two cyber criminals out of all of the people who were freed, the two cyber criminals were... It doesn't really look like they were really deeply involved with the state. It looks like they were more likely freed because they were politically well-connected through their families or whatever. One interesting thing you turned up, though, and I'd seen it said that one of these guys was linked to...

Ivan Ermakov, who was a Russian who had been charged with interfering in the 2016 US election. But you've actually gone a step further and written what that link is, which is the US Department of Justice says that one of these guys who was swapped, Klyushin, he was the guy who ran the M13 pen testing company in Russia. He employed Ermakov at M13, but after the indictment. So...

Again, this undermines the idea that these guys were somehow sort of connected to state operations, right? And it just doesn't seem to be the smoking gun that I think some people were hoping it is. Yeah, I don't think so either. So M13, the story of M13 I think is interesting. So if people don't know that it was purportedly a pen test company, but the way it made money was by running an investment fund.

and it hacked the agents that publicly listed companies use in the US to submit SEC filings to the stock market. So it hacked those two of those agents. It would intercept or collect the quarterly earnings reports and those sorts of mandatory reports, and it would trade on that information before it was made public. And so that stock fund did very, very well.

So Klyushin made a lot of money. So he was politically well-connected. He had a lot of money. He was silly enough to holiday overseas, and that's where he got arrested.

And in the same way that in countries like Australia and the US, people who work for the intelligence community go and work for all sorts of other different related companies. So it would be very unsurprising if a pen test company in Australia had...

a former ASD employee. Well, indeed, we were sort of joking earlier that you worked at ASD for a long time and now you work with us and that doesn't make me connected to Australia's intelligence services, right? It's just, it's a community, right? It means that someone could write that you have links. Exactly, right? Exactly. So I think also M13, I mean, it didn't just do crime. I think it even had some state contracts, but to do like pen test services, I mean, maybe they were a supplier to ASD

you know, even if they were a supplier to an intelligence community, intelligence agency in Russia, it doesn't necessarily make them sort of state directed. I don't know if they're doing like exploit research or whatever. So I just don't think that's why. And I think it's, I think we've all sort of landed on that. The dotted line between Russia's intelligence services and cyber criminals remains dotted.

I'm afraid, Tom. But yes, you've covered also a bunch of other stuff in the newsletter, which people can find at news.risky.biz. But Tom, you're in. That's it for this edition of Seriously Risky Biz. Thank you so much for joining me for this discussion and I'll look forward to doing it all again next week. Thanks, Pat.