Seriously Risky Business Newsletter
January 29, 2026
Srsly Risky Biz: Punish the Wicked, Reward the Righteous
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Push Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Pall Mall Process, an international effort to rein in abusive commercial spyware, is turning its efforts toward developing opt-in industry standards.
These kinds of voluntary, non-binding standards are all well and good, but relatively useless without strong government action.
CyberScoop has a good wrap of issues raised at a Chatham House discussion about the process in Washington DC last weekend. The topics included who the rules would apply to, plus "how to incentivize and measure compliance and what to do with companies with a chequered past".
The overall goal of the Pall Mall Process is to shape the commercial cyber intrusion market and ensure that its products are only used for legitimate uses, such as assisting law enforcement.
It's nice that industry stakeholders are invited to participate, but we think any actual success will come down to government action. It is our cynical view that voluntary industry standards take a lot of time to develop and rarely do much to actually shape the industry. But the canapés are great.
The US government, bypassing industry brainstorming sessions and roundtables, has already demonstrated a successful strategy for shaping this market.
The first step was to simply punish bad behaviour. This included blacklisting spyware vendors by placing them on the Entity List, imposing financial sanctions and even visa restrictions for people involved in the misuse of commercial spyware.
Like any good but firm parent, though, the US also indicated its willingness to reward good behaviour. Its interactions with another Israeli spyware vendor, Paragon Solutions, make a good case study.
In a 2023 article, The Financial Times said that Paragon's strategy was to make sure that the US government saw them as "the good guys", according to a source familiar with the company's decisions.
One element of Paragon's effort included asking for an allow-list of allied countries that the US would be comfortable with Paragon selling its product to. Sources told the FT this list included 35 countries in the European Union and Asia.
This strategy wasn't entirely foolproof for Paragon, though. Its spyware was used in Italy to target journalists and activists, including some that had been critical of Italian prime minister Giorgia Meloni's government. Paragon pretty quickly cut ties with the Italian government.
This misstep doesn't seem to have hurt Paragon. It was granted a US government contract with Immigration and Customs Enforcement in the last months of the Biden administration and was sold to US private equity firm AE Industrial Partners for US$500 million.
We're not sure that rewarding good behaviour was a deliberate US strategy, so much as a response to far-sighted corporate governance.
Regardless, we believe these two elements, rewarding the righteous and punishing the wicked, are the key to successfully shaping the spyware industry.
The good news is that the Pall Mall Code of Practice for States contains voluntary and non-binding commitments for states to encourage responsible and deter irresponsible behaviour.
Taking inspiration from both Paragon and the US, governments should develop an allow-list of acceptable customer countries. It would be a good step towards defining what they deem good behaviour.
And countries need to be more proactive in punishing abusive spyware vendors. Actions speak louder than words, after all.
Telco Security Regulation About More Than Just Salt Typhoon
China's Salt Typhoon hacking operation managed to intercept the phone calls and texts of senior officials in Downing Street over a number of years, according to a report in The Telegraph.
The Americans have been very forthcoming about Salt Typhoon penetrating their communications; the Brits much less so, which makes the Telegraph report real news.
But there are some interesting lessons in all of this when it comes to telco regulation, mostly because the USA doesn't really have any and the UK has, well, quite a lot.
Firstly, we would argue that telco regulation is not how you deal with a threat like Salt Typhoon. For high-value targets who must communicate on public networks, the starting point is to equip them with locked-down, modern phones and end-to-end encrypted messaging apps like Signal or WhatsApp. You can add other mitigations like using different phones for different purposes, disabling risky features and regularly replacing devices to limit the damage caused by compromises.
This strategy is relatively simple and doesn't rely on billions of dollars of upgrades to telecommunications infrastructure.
So does that mean the UK regulations have achieved nothing? That more regulation doesn't result in effective security? And so the FCC is justified in dumping rules that its Chairman, Brendan Carr, called "burdensome" and "ineffective"?
No, because telco security regulation is not just about trying to protect the phone calls and texts of senior officials. It's also, and arguably more importantly, about the resilience and security of the network as a whole.
The fundamental problem that regulation is trying to address is that companies typically underinvest in security. This is the natural result of a frequent tradeoff between commercial imperatives and security investments. And companies typically do not bear the full costs of security failures.
Left to their own devices, telcos are very good at dealing with everyday, common faults and security issues that cost them money. But they underinvest in protections against rarer, potentially high-impact "black swan" type events.
Take the black swan known as Volt Typhoon, for example. This is another state-sponsored Chinese hacking group that has been compromising US critical infrastructure so that it "could disrupt critical communications infrastructure between the United States and Asia region during future crises".
To combat security underinvestment, the US has taken the "don't worry, everything's fine" approach, while the UK opted for, "here's 150 pages of regulations, enjoy".
The Biden administration did actually attempt to impose stricter security requirements on the sector, but the US Federal Communications Commission rolled those back last November.
What the strict regulations really buy the UK is a verifiable reduction in risk. It knows its telcos are taking certain security measures and knows that it can amend those requirements over time as the environment changes. Late last year it proposed changes to the Telecommunications Security Code of Practice following security advice from the UK's NCSC, for example.
By contrast, US telcos take extra security steps when they are pushed by political pressures. Chairman Carr said that in the wake of Volt Typhoon carriers agreed to make "extensive, coordinated efforts to harden their networks against a range of cyber intrusions". These included accelerated patching of equipment, updating access controls, and improving their threat-hunting and cybersecurity information sharing efforts.
These are all worthwhile tactical responses, but as far as we can tell, without the exact technical details, these are simply catching up with some of the UK's existing security requirements. And the handshake agreement is a reactive approach. It won't provide the FCC with any ongoing visibility into telcos' security posture and it doesn't provide it with a formal way to ramp up incentives if and when needed.
So when it comes to Salt Typhoon, the FCC's Chairman Carr is likely correct when he says US regulatory efforts would be "ineffective". But we don't believe it was the right call to abandon them completely. You won't stop Volt Typhoon by having officials use Signal and handing out a few extra phones.
Three Reasons to Be Cheerful This Week:
- Zeppelin ransomware leader guilty: Ianis Aleksandrovich Antropenko, a Russian living in California, has pleaded guilty to crimes related to Zeppelin ransomware. Antropenko admitted to leading the group and was involved in ransomware attacks prior to moving to the US.
- WhatsApp is getting safer: WhatsApp announced that it is rolling out a new security feature called Strict Account Settings. This will lock your account to the most restrictive settings and block attachments and media from people not in your contacts. They are also increasingly using Rust, a memory safe programming language. We covered why this is a good idea here.
- New model to tackle cybercrime in the UK: The British government is setting up a new National Police Service to tackle serious and organised crime and threats to national security, similar to the FBI or Australian Federal Police. The NPS will also have responsibility for cybercrime, leaving local police forces to tackle regional crime.
Sponsor Section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Luke Jennings, VP of Research & Development at Push Security, about ConsentFix. It's a new form of email-based social engineering attack used in the wild, an evolution of the ClickFix attack that goes after your identity.
Shorts
Starmer Takes "Burner Plane" to China
In addition to burner phones, UK Prime Minister Keir Starmer and his team will take a "burner plane" on his trade mission to China. British MP Tom Tugendhat explained on X that "the government jet is staying home because it would need to be guarded round the clock to stop China putting bugs on it". Instead, they've chartered a plane.
More Intelligence and Offensive Cyber Action for Germany
Germany's Interior Minister, Alexander Dobrindt, has promised a "paradigm shift" in the country's intelligence services, saying that the country had been too dependent on foreign allies for too long.
He also said that intelligence services and federal police should "strike back" against foreign hackers to "disrupt attackers and destroy their infrastructure".
Although the language is more direct, this sounds very much like a German version of US Cyber Command's persistent engagement framework.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion, Tom Uren and The Grugq discuss how getting pinged hurts state hackers by introducing uncertainty. Publishing technical reports on the hack can actually improve the situation by removing uncertainty about how attackers were detected.
Or watch it on YouTube!
From Risky Bulletin:
Cyberattack cripples cars across Russia: A cyberattack wreaked havoc across Russia on Monday after the servers of the Delta smart alarm system went down.
Per reports in local media, car owners using Delta's alarm system couldn't unlock cars or stop active alarms. In some cases, owners couldn't start engines or their engines jammed while driving.
The company confirmed the incident but did not provide other details besides calling it a "large-scale external attack."
[more on Risky Bulletin]
EU readies new anti-spyware group, but with even fewer powers than PEGA: The European Parliament has set up a new internal group tasked with investigating the use of spyware across the EU member bloc.
The new intergroup was set up last week in the aftermath of the Paragon spying scandal in Italy by Sandro Ruotolo, an Italian journalist and current member of the European Parliament for the Group of the Progressive Alliance of Socialists and Democrats.
According to WIRED Italy, Ruotolo will be joined by three other MEPs.
[more on Risky Bulletin]
Improperly patched bug exploited again in Fortinet firewalls: Threat actors have mounted a new wave of attacks against Fortinet's FortiGate firewalls using a vulnerability that was improperly patched last month.
Security firm Arctic Wolf says hackers are bypassing Single Sign-On (SSO) authentication using generic usernames, creating their own admin account for future access, and stealing the device's current configuration file.
Since the attacks were first reported online, Fortinet has confirmed in private emails to some customers that the attackers have found a new way to exploit CVE-2025-59718.
The company patched the bug in December but now says the vulnerability has persisted even in the newer firmware.
[more on Risky Bulletin]