B (3:46)

I love that concept and I often talk about nation states and I think it ties in well to your book because I talk about the fall of Rome and actually how a lot of it had to do with the actors poisoning the external water supplies because they realized they could starve out the population that way. And it was just, that's just another type of defense that needed to be put in place that you weren't thinking about at the time. And I try to correlate that to cyber. So I love the fact you've written a book that actually takes historical context and correlates it to cyber.

A (4:19)

That is so cool. I love that reference. I think that's so topical because like, to your point, what I imagine you're getting at with that is that like it's. And what I talk about a lot in the book is that cyber attacks are another tool at a nation's disposal. They are not the only tool, they're not the most important tool, but when they're used well, they can be really effective for what that nation wants to do.

B (4:40)

Yeah. And it's all about infrastructure.

A (4:42)

Yes.

B (4:43)

So carrying that theme forward, one of the things you actually do beautifully in the book is you strip away the mythology about cyber war. The idea that it's chaotic or that it's even mysterious are driven by these shadowy geniuses. What do you think is the most dangerous misconception leaders still have about nation state cyber attacks?

A (5:02)

Honestly, it remains that these attacks won't happen to them, that they don't apply to them. I especially see this with small and mid sized businesses and unfortunately the reality is that it's just not true. I think about, and I talk about in this book notpetya as a great example of this, how did Notpetya start? It started with this tax document software created by this company, Intellect Service, which was a small family owned Ukrainian company that just made tax software and was just doing that for the country of Ukraine. It was a small business, it was a family run business, and it ended up causing such a larger conflict when it was originally hit, and especially in the past few years. And I know that your team has done a ton of research here that's been really valuable to paint this picture. The supply chain is everything. It is the way in for so many threat actors that don't want to just target the big players and want to find ways in that are a little bit more simple for them or where they can take advantage of some things that they might not be able to take in these larger scenarios. And unfortunately, like, the scale that you can get with those attacks is everything too. So especially as we move forward, as we continue to somehow be even more interconnected than we are already today, that is the thing that really needs to be driven home, is that at the end of the day, everyone has a role to play in this and it's important that we address that at the source and do our best to have the strongest security posture possible.

B (6:31)

I think that's right. I do think that a lot of folks, when they think about nation state actors, they think that they're going to attack the largest companies in the world, right? The Global 2000 or the Fortune 500. And in reality, they're not always there. Right. They often find the softest targets to make a point.

A (6:48)

Exactly.

B (6:49)

So a core idea is that, and I love this by the way you talk about it, it's that cyber activity reflects national identity, whether it's history. You talked about a little doctrine, even culture, and you focus heavily on the US and on Russia and on China. What should executives understand about how these differences actually play out in cyber operations?

A (7:10)

It was really fascinating as I was writing this book, because I originally started out with the intent to just look at the cyber attacks that these nations were perpetrating and focus most of my energies on that. But what I found is the more I went into it, the more that I couldn't ignore the regulations that were being put in place, the defensive actions that were being put in place, and the actual choices that the governments had made and the social contracts they'd established with their people and how all of those things factored into the defensive and offensive decisions they could make and what was available to them. It's been really interesting, because I do feel like when we look at the United States as an example, it's so much quieter with the attacks, or it has historically been so much quieter with the attacks that have been perpetrated, much more focused on being clandestine as much as possible, concealing the existence of the operation in any way possible. And a part of that is because there is an expectation that the US Is going to act a certain way on the global stage. But you can contrast that with other nations. We can go beyond China and Russia into, like, North Korea as an example. They use the cyber attacks that they do particularly to gather resources through Bitcoin and other cryptocurrencies, because there's no reason for them not to. It's not like we could sanction them more at this point, so they might as well go and use cyber attacks that way. Or you can look at Russia and see just how bombastic a lot of the attacks that they use are and how loud a lot of the attacks that they use are, because at the end of the day, all the attacker groups associated with Russia are trying to do is get as much attention and as much meaningful attention from Putin as they possibly can. And I find that really interesting, because when we look at a lot of the historical decisions that have been made with these cyber attacks, so much of the success of the cyber attacks nation states perpetrate is based on the coordination that they have between different branches of the military. And so when you've set up a system like there is in Russia, where everyone is vying for some type of attention from Putin, it makes it so much more difficult to execute these attacks in a coordinated way, where everyone plays their own part. And we see that it's a even more different thing in China, where they've set up such a walled garden for themselves, where there's so much censorship, there's so many websites that you can't even access, that there are a lot of instances where Chinese hackers will hop onto a box that's outside of China just so that they can log into their own Facebook accounts or their own X account, because they want to be on social media, but they can't in their home country. Or in other cases, the Chinese government outsources a lot of hacker activity to countries like Malaysia because they can't actually execute those actions directly in China. So it's fascinating to see the workarounds that they have to do in order to make it work, especially when put in the context of the geopolitical presence that they have and their choices within their own social contracts, in their own nations.

B (10:21)

So when you think about the average ciso, and a lot of the listeners for the podcast are CISOs, they're really stretched thin. They're balancing an awful lot. They're balancing identity, they're balancing ransomware, they're balancing cyber hygiene, they're balancing AI security, they're balancing cloud. And then they see these constant headlines about nation state attacks. What advice would you give them about when they should worry about nation state cyber risk and when is it just a distraction?

A (10:52)

This is such a good question, because I feel like it's always something where much of the cybersecurity community is saying, you need to be worrying about this. It's like the boy who cried wolf in some ways, even though it is an important issue that we need to pay attention to. But I'd say tangibly, it is hard to deny that if there was a moment to be worried about nation state cyber attacks, geopolitical risk, that moment is now. It has to be now. There are times when it is more of a distraction than a help, but this is not one of those times. When I was writing this book last year, I had so many moments where I thought to myself, gosh, I wish this was coming out right now and that I could release it right now, because I feel like it's so relevant. And now as I look back on that, I'm like, thank God I didn't. Because this is the time that we need to be having these deeper conversations within security and within other areas of the enterprise, and even to the level of citizens and consumers. We are at an inflection point right now. Russia's war in Ukraine has evolved hybrid warfare and shown just where it can and cannot be effective. There's a big shift happening in the world order that is leading to deeper splintering of the Internet, greater focus on digital sovereignty, fracturing alliances. We see that surveillance technology is becoming more ubiquitous, and unfortunately, seeing that some tech companies are deprioritizing privacy in lieu of their own type of political maneuvering. And all of this is against the backdrop of constantly changing geopolitical conflicts like those that we're seeing in Venezuela and in Iran. This is the tipping point where nations are becoming more aggressive with their offensive cyber operations. We even saw this as one of the top pillars in the Trump administration's National cyber strategy for 2026. The collateral damage of more offensive nation state activity is inevitably going to be the private sector. And so we need to take this into account as we enter an age where we're likely going to see much more aggressive cyber activity from the typical threat actors we'd expect, but also from a lot of the Western nations, including the US as well.

B (12:55)

Yeah, I think that we're definitely wading into pretty dangerous waters here. And it will be a trying time for CISOs. It'll be a trying time for any security professional because they're also trying to balance sovereignty conversations and resilience conversations with cyber conversations, and, of course, AI, which we're going to talk about in just a second. But if you had just one piece of advice to a CISO that's trying to balance all this, what would you tell them?

A (13:22)

Right now? Every organization should be holding regular meetings on geopolitical risk and the geopolitical threat landscape. These should be happening at least once a quarter, but if you have the resources to do so, they should be happening more often. And when new conflicts break out, at the end of the day, there are a lot of organizations that may not be direct targets of some of the threat actors associated with these conflicts, but the conflicts that are breaking out make them even more of a priority than they were before. And that's where the big change is taking place. And one of the things that makes this so important and to have these conversations so quickly is that ultimately, while you may not be a target today, you could be a much higher priority target tomorrow because of what's happening on the geopolitical stage.

B (14:10)

Yeah, I think that makes perfect sense, and it's rapidly evolving. So making certain that you're connected to the FBI, if you're in the US or your regional or state national law enforcement entity, making sure you're connected to your physical security folks, and making sure you're just staying up to speed on world affairs is increasingly important for CISOs. Let's talk a little bit about AI. So we can't get through any conversation in the year 2026 without talking about AI. You explore how AI is changing the digital battlefield and potentially accelerating everything. What concerns you more right now? AI empowering highly capable cyberpowers, or AI lowering the barrier for everyone?

A (14:52)

This is such an interesting question because it is a difficult one. Right? It's very important to keep track of the fact that AI is lowering the barrier to entry for everyone else. But to be honest, as I think about AI, and keep in mind, I'm a big skeptic in general of technology. I've been a big skeptic of AI for a while, but I'm starting to see the tide turn here. I am definitely more worried about AI empowering highly capable cyberpowers. Because at the end of the day, what we're seeing is there's so much potential with what we can do with AI as attackers and as defenders that whoever gets to that first is going to have a significant advantage. So if we look at, for example, the anthropic report that was released last year, that research goes into how they're seeing Chinese state sponsored threat actors who are attempting to automate as many aspects of a cyber attack as possible using AI. Admittedly they're not able to automate the entire process yet, but I 100% expect that's going to come this year. And I have big concerns about that. My background is as a hacker. I understand just how many constraints hackers have and how difficult it can be when you're thinking about the malware that you're going to create and how you have to understand the operating system you're working off of. You have to understand the vulnerabilities that system could have. You have to build exploits specific to that system. It's a lot of work. But with a jailbroken LLM, you could realistically be able to do that by just issuing a couple of prompts to AI, which would make it not only faster, but also much more dynamic in the malware that's being created. If the attackers are able to break through and accomplish that, then we need to have an equivalent way to respond to those situations and to prevent that from taking place, or at least prevent it from being effective. And so in the long term, and to be honest, in the relatively short term, that's one of my biggest concerns. And I expect that once that happens, it's going to trickle down to the cybercriminal community and to some individuals that maybe have a little bit less skill than others and need the barrier to entry to be lowered for them and that will lower it significantly.

B (17:06)

I agree. I completely agree. I think that the, one of the bigger challenges we're going to have isn't necessarily the nation state actors adopting AI, because they will. We know they're going to. Right. But we also understand them in a meaningful way and we don't understand necessarily. I'm always more worried about the random person, either the hacktivist or just somebody that's doing cyber financial gain and has no other motivation and what damage they're going to do in doing so. Let's talk a little bit about signal. What is one signal that leaders today should be watching that to tell a couple of signals. One, that AI is becoming a threat vector that they should be concerned about, particularly in their enterprise. But two, that the rules of cyber conflict are shifting and potentially their geography or their sector, their industry is going to be targeted.

A (17:55)

On the AI front, it's definitely a factor here that organizations need to be paying attention to the research that's coming out. I do think that the model providers have a significant responsibility here to be identifying just how effective threat actors that are potentially using their models are able to be with those capabilities. Because that type of research is going to be what gives us visibility into how these attacks are being done. Because at the end of the day, realistically, the attacks being done using AI agents could look very similar to those that are done by attacks. Typical threat actor, they ideally would be, would look very similar. I think there are some exceptions that you could find with things like the number of times a certain port or endpoint is hit, that type of thing. But ultimately it's copying the things that a normal threat actor would do. It's just doing them in a much more dynamic and potentially faster way. So we need those types of signals from the model providers. But on the geopolitical front, I do think that what we're seeing now with the latest in Trump's national cyber strategy for 2026 and the response to it is a big signal for how cyber conflict is going to shift. We saw in the Trump administration's first term that they prioritized initiatives like Defend Forward, which pushed more offensive cyber operations and had a bunch of really powerful successes in stopping attackers at the source. I expect, and based on the cyber strategy, that we are going to continue to see more offensive cyber activities take place, which is going to cause retaliation from the threat actors that they're targeting, unfortunately likely to hit the private sector. So that's one factor that's worth noting is a lot of what these nations and governments are saying they're going to do with the cyber attacks and defenses that they have. The other factor is definitely just what is the situation in the world? What new conflicts have broken out. Those are the signals that are gonna make a difference, and we need to be keeping track of those as closely as possible, just for our own experiences in the world and in the world of business, but also because of the implications that cyber attacks caused by those conflicts could have.

B (20:09)

I think that makes perfect sense. And I think you're. I called you at the beginning clear eyed. I think you're very clear eyed about it.

A (20:16)

Thank you.

B (20:17)

Before we wrap, we have a couple more questions. I want to take a moment just to reflect on your personal journey. What surprised you the most while writing Code War? And how did it change how you think about leadership or responsibility in cybersecurity?

A (20:31)

So my hypothesis going into writing this book was that I'd be able to tie a lot of historical references, like we're talking, like I mentioned earlier, BCE China, to the modern day cyber attacks that are being perpetrated. And I'm not gonna lie, it was surprising when that pit theory was proven to be correct in its own way, because it is a big ask to look back at some of these historical moments. But in every chapter of the book, I start with a historical example and then show how it ties through. And so one of the ones that kind of I found to be the most surprising and the most interesting was when I started to look at some of the attacks on US Elections that have happened over the years. And what I found is that of all things, it is strongly related to Edgar Allan Poe and his death. Are you familiar with that at all?

B (21:25)

Not terribly. So I'd love to hear it.

A (21:28)

Okay, awesome. So I found this so fascinating, I didn't know it before I wrote the book, but Edgar Allan Poe, the way that he died is very mysterious. He was actually found lying in a gutter outside of a polling location called Gunner's hall in Baltimore, Maryland. He was incoherent, he was in poorly fitting clothes, which was not typical for him, and he was reeking of alcohol when he was found. He never regained consciousness. He was in and out of hallucinations, and he eventually died a couple of days later. This is very mysterious, according to some of the Poe biographers that exist, because all of it was very unexpected for them. So, oddly enough, Poe had left Richmond, Virginia a week prior to go to Philadelphia, but he never actually arrived arrived, and instead, very randomly turned up in the gutter in Baltimore on election day. It's very mysterious, and many biographers who talk about Poe still don't know exactly what happened. However, they have one very enduring theory, which is that Po died after being a victim of what's called cooping. So during this time in Baltimore and in much of the United States, there was very rampant voter fraud. This was in 1850s. One of the most common methods of voter fraud was called cooping. And it was where people were kidnapped and forced to vote for one candidate multiple times. So the kidnappers would beat these people into submission, dress them up in different outfits each time they went to vote so they wouldn't be noticed as repeat voters. Kind of crazy stuff. This was also a very different time in the U.S. one where voters were given a little treat of alcohol after voting. It was considered their little reward for voting. So ultimately, if you voted multiple times in one evening, you would get pretty drunk by the end because you'd get multiple little treats. The polling location that Poe was found outside of was well known for being used for cooping. And some speculate that was actually how Poe died was that he was a victim left to die after the voting was done. Now, by the late 1800s, many reforms were introduced to prevent cooping and other methods of voter intimidation. So they did things like instead of party distributed ballots, secret ballots administered by the government were adopted to ensure voter anonymity. Voter registration requirements were adopted to ensure that voters would register in advance to be eligible to vote and to prevent some repeat voting and issues like that. Those reforms, especially those that were implemented in the late 19th and early 20th centuries, those were what fundamentally changed voting in the United States and made it very difficult to execute voter fraud on a large scale. Yet, as we see to this day, the fears of voter fraud still persist. And in the book, I take this example and tie it into a lot of the challenges that we saw in the 2016 and 2020 US elections and some of the concerns that come through there. And it's just been so fascinating how these things that happened so long ago have such a big and important tie to the way that cyber attacks are used today and to some of the challenges that we have using cyber attacks to execute particular attack techniques.

B (24:42)

It's fascinating, absolutely fascinating. Well, I always wrap afternoon cybertea with optimism. I know that for everything in the news, there's thousands of things that defenders have blocked. So what are you optimistic about with the future of cybersecurity?

A (24:59)

This is such a good question because sometimes I do struggle a little bit to be optimistic here. And I go and talk to a lot of my friends in the industry and I'm like, keeps you doing this, like what? Keeps you optimistic about this situation. And for me, it ultimately comes back to the community that we have in cybersecurity and the people that we have in cybersecurity. I have met so many great people through this, so many brilliant people who are very dedicated to what they do, very mission driven. And in many ways it is about the creativity that they bring to the problems that we're solving. So as we see tech evolve, as we see AI evolve, what we're seeing is a group of people that are very dedicated to making the best out of this and making sure that technology is used in a safe, responsible way and a secure way. And so that's the thing that gives me the most hope is that like even as I was doing the research for this book, I was able to interview so many amazing people who give such incredible perspectives on the state of the industry, on the history of cyber attacks and how these types of things happen and have a unique perspective on the future. And so I think that so long as we keep that spirit of creativity and that mission driven purpose, we have so much opportunity here.

B (26:18)

I think that's fantastic and I really appreciate you joining us today. Ally. I appreciate the clarity, the perspective you bring. And what I appreciate about Code War is that it does not just explain how cyber conflict works. It challenges leaders to think differently about power, about intent and about responsibility. In the digital age. It is not a book about panic, it's a book about clarity. So for our listeners, Code How Nations Hack, Spy and Shape the Digital Battlefield is available now. And Allie, where can people go to learn more about the book and also about your work?

A (26:51)

Yeah, so the book is available anywhere books are sold, so you can find it on Amazon, Barnes and Noble, Blackwells for International and you can find out more about the subject and my thoughts as we move forward into this year on Substack at the latest Breach. And of course happy to connect and chat on LinkedIn at any time. I'd love to hear from anyone who reads the book and exactly what you think of it, so please reach out.

B (27:14)

Awesome. And many thanks to our audience for tuning in. Join us next time on afternoon cybertake

A (27:23)

Foreign. This week on the Microsoft Threat Intelligence Podcast, come learn about how threat actors are using AI. We talk about Jasper Sleep, Coral Sleep, and how they're leveraging artificial intelligence to get their work done. Be sure to listen in and follow us@msthreatintelpodcast.com or wherever you get your favorite podcast.