A

You're listening to the Cyberwire Network, powered by N2K. Hello, Maria Varmaz is here and thank you for joining me today. The party's still going strong for our celebration of 10 years of the CyberWire Daily. So in today's N2K CyberWire Special Edition episode, as we look back at 10 years of the Cyberwire, I am of course chatting with Dave Pfittner, host of the Cyberwire Daily. And in this chat we are talking about the complexities of geopolitics and warfare. As we look back on the last 10 years of cybersecurity headlines. Well, it is my distinct honor yet again to bring back Dave Bittner, host of the Cyber Wire. Hi, Dave.

B

Hello. Good to be back.

A

Yes. Imagine we're talking to you today of all days about your show.

B

It's Maria, right? Yeah.

A

Nice to meet you.

B

Nice to meet you.

A

Pleasure. I appreciate that, Dave. And the occasion that brings us together is as we've been covering for quite a little bit now, the 10 year anniversary of the Cyberwire Daily and all of the incredible stories that the show and you have been covering over the last decade. And for our chat today, we're gonna take a focus look at geopolitics in the last decade as it relates to cybersecurity and the many, many stories in that realm that you have taken a look at in that time. So, gosh, to start to cover geopolitics, I think a few things have changed in the last decade.

B

One or two, just a few.

A

I mean, 2015, 2016 was a millennia ago.

B

I know.

A

Not literally, but kind of.

B

Yeah. Well, I'm still battling the reality that post Covid time has no meaning. But I really enjoyed looking back. As I was prepping for our conversation today, there were a lot of things that I hadn't really considered in a while. And when you kind of lay them all out in front of yourself, you see that. Yeah, there has been a lot of change over the past decade when it comes to a lot of this geopolitical stuff.

A

It's a feedback loop, isn't it?

B

It is, it is. I think one of the things that strikes me is just that it's become constant. Like there it used to be that you'd have something like the OPM breach, which was more episodic. Ooh, something happened and oh, there was a breach, or oh, the data got stolen, or ooh, there was some ransomware and it's just, it's everywhere now. It's daily. Thank goodness for us. Yeah, there's a low level drone of this stuff that is all the time now. And so that's the new reality. That's where we are.

A

Yeah. Was there anything leading question but anything that contributed to that shift? Because that is quite a change from what the landscape looked like, at least for the civilian side of things that you know now, as you said, that drone of continuous threats, especially on that international scale, it is quite a shift. What do you feel has contributed to that?

B

I think geopolitically it's the reality and the recognition from nation states that cyber is a domain without the usual borders. And also you get a huge return on your investment. You don't have to build an aircraft carrier to force your influence around the rest of the world. And we've seen that with things like influence operations from the Russians and Chinese, stealing information from our companies, our organizations, supply chain issues, all those kinds of things. Again, they're a day to day thing now and they weren't always, that's for sure.

A

Yeah. I think as we start thinking about specific incidents and threats, the one that definitely, I'm sure for most of our listeners would come to mind as we look back the 10 years, not Petya and how seismic Petya and then not Petya we truly were and everything that has come after that. Can you talk us through that one a little bit? Because that was such a huge, huge thing when it landed.

B

Well, I think it was the one that sort of opened everybody's eyes and thought it can happen to us. Right. You have a global disruption of the supply chain, major supplier gets hit and everybody starts worrying that maybe our global economy is a little more fragile than we thought it was. So it certainly got everybody's attention, made everybody feel like it was real and it's in everybody's consciousness ever since.

A

That's very true. That's very true. And another thing, as we look back on the last 10 years, 2022 was the start of the war in Ukraine and it's still ongoing. The fallout from that is certainly global, especially when we're talking within the cyber realm. What are the geopolitical shifts within the conflict that you think have fed into the cybersecurity realm, as it were? Like the nature of the threat?

B

Yeah, I mean, there's this whole idea that the war in Ukraine has been a bit of a laboratory for cyber war, for modern cyber war. The integration of cyber and kinetic battle using cyber alongside your battlefield operations. Again, information operations, which is top of mind for the Russians. It's always been something they've had up their sleeve. But it feels like cyber has been an accelerant for that, for them to be able to do the things they do. And then also sort of related to, I think it started in Ukraine, but related to what we're seeing now in Iran is seeing inexpensive technology being used in warfare. Little consumer drones, consumer electronics, routers, Starlink, all these things that are not mil spec, you know, such as it is. Right, whatever that means. But they're off the shelf tools that hose themselves up to the cyber and have allowed folks to be to have an unfair advantage, or at least maybe not as much of a outsized disadvantage against a larger, more capable adversary.

A

Speaking of adversaries, and again, we're based in the United States, so this is our very US centric point of view. So just owning up to that. But when we think about, in case that wasn't obvious, when we think about, you know, the adversarial nation states, often Russia, China, North Korea, those are the, the names that commonly come to mind. Iran, of course, is part of that as well, has been. But things have shifted in that arena as well in terms of nation state strategies against other nation states and also against private enterprise. It's all in the mix over the last 10 years. Again, big shifts. Anything notable that you want to highlight on that front?

B

Well, let's look at China who famously, I think they play the long game and we're in the middle of that long game. Who knows how long it is. We might be in just the beginning of it, but we've seen that they have position themselves in our infrastructure. They have access to the supply chain. So many things get manufactured in China that it's. And the manufacturers are obligated to do what the Chinese government wants them to do. So I think there's a legitimate concern from nations like ours to think about what might be in the firmware, what might be in our supply chain. We certainly found them in our telecommunications infrastructure with the various typhoons of old, typhoon salt typhoon and those sorts of things. So they're more looking for long term economic influence and advantage rather than turning the lights off, which I think is the fear that we have from say Russia or Iran of messing with our critical infrastructure. It seems like China's really interested in gathering information, knowing what we're up to so they can leverage that knowledge to their own advantage.

A

And it leaves defenders in a, really in a bit of a bind, truly when you're thinking about potential supply chain attacks or just issues from within the supply chain and specifically if we're talking about devices from China, in many cases, they're the only source for some of these things. Many things that are made. There is no domestic supplier for some, for not just some, many of the things that a lot of modern IT infrastructure relies on. So it leaves defenders in quite a difficult position. And I'm wondering what is the advice that defenders should be applying in their day to day or what can we tell them, what should they be doing in light of all that?

B

Well, I think ultimately, I mean, it's defense in depth, right. So you can't rely on only one thing to protect yourself. So you do your due diligence to check to make sure your supply chain is as secure as it can be, but then have defenses in place on the chance that it's not, because it might not be. And so look, we're seeing again to the present day, who thought we would see the rest of the world being so interested in digital sovereignty because of the actions of the United States, the major players, Microsoft, Google, Amazon. We're seeing other nations building their own infrastructure because they're not sure they can depend on us as good partners in a way that they had assumed that they could in prior years. So I don't know the degree to which people saw that coming. I certainly didn't. I don't know about you.

A

That was a blindside for a lot of us. Yeah, I did not. Am still reeling from it personally, honestly. And given the conversations that you've had, especially in the last few years, I'm wondering if the nature of what you're hearing from people that you've interviewed when geopolitics, but maybe also specifically supply chain issues, has the nature of that conversation changed? I mean, are there new worries, anxieties? What are you hearing that is trend wise that has changed?

B

Yeah, I mean, I think it's top of mind for a lot of people. They understand that the threat is real. They understand that there's only so far down the supply chain ladder that you can go to trust but verify. And like you said, so many things come out of other nations who are potentially adversarial. I mean, look at how many of us are carrying iPhones around, right? Who makes the iPhones? Where do they come now? So who are we trusting? We're trusting Apple to do their due diligence. But right, the thing. So at some point you have to trust someone.

A

I want to let that marinate for a second because it's an important point, but it also makes me kind of recoil. I don't know why. Just viscerally, it Makes me go, yeah, but.

B

And yet what is probably the most popular thing that we've seen or one of the, let's say, top five things that's come to the fore in terms of strategies is zero trust architecture. So you don't want to trust anybody. Right.

A

Where does it leave us, truly?

B

Right. Well, you have to strike that balance. And, you know, I guess it's the old Reagan saying, trust but verify only, trust so far and do your due diligence. And zero trust is a way to be constantly challenging the trust to make sure that people are only getting access to what they need to when they need it. And I think that's wise. So the rise of zero trust and its adoption by governments, the feds really jumping in with both feet with zero trust, I think shows that that's probably where we're headed going forward.

A

When I think on the last 10 years, I think we talked about this in our last chat, the rise of ransomware and its efficacy and also where we're seeing it, the systems that it's taking out. I think if you had asked me 10 years ago where it would be most effective, I'm not sure I would have said, oh, definitely on a large scale, nation state level, would we be seeing ransomware being a serious threat? I would have thought maybe enterprise only. And yet these lines have become so blurred. I don't know if that's maybe a theme of the last 10 years, but truly critical infrastructure is in the crosshairs with things that we might have thought of as sort of business level nuisances. Where do we go with that? What do we do with that? Just thinking about the lines being blurred between things that are critical, military or government level infrastructure and the commercial world. I don't know, I have this mentality of these two worlds being more bifurcated, but that is a very outdated model, clearly.

B

Yeah. I've wondered for several years now, and I remember this being a question that I was asking early on with, you know, folks who know way more about this than I do, was why don't we see brighter lines drawn in the sand when it comes to a lot of these things? And the answer seems to be that governments don't want those lines to be there. They want to have the flexibility to do putting air quotes what needs to be done when they decide something needs to be done. So if your ransomware operators are to your advantage to have them around when you need them, then we're going to let them operate. I'm just saying us, the US I'm Going to put us in the good guys category here. I know people will take. People perhaps justifiably take me to task for that. But for the sake of this particular argument, let's accept that. That we don't want to draw sharp lines ourselves because we want to have the flexibility to use whatever tools we think we need to use against our own adversaries. So there are things that I continue to scratch my head over, like why aren't hospitals off limits? There seems to me like there are some basic rules of humanity that we should be able to all agree with. And if there was a way, for example, you know, the Russians are famously forgiving and tolerant of their ransomware operators, which. Well, if the Russians said, okay, we're tolerant, but no hospitals.

A

Right.

B

I think we could all agree on. I don't see the controversy there. This is a basic law of warfare. Right. You don't bomb hospitals. And yet here we are.

A

And yet here we are. Yeah, right.

B

So I think there are frustrations. Cause I think there's low hanging fruit that people could agree on. Perhaps if we wanted to start with some international treaties over cyber things, that ransomware not going after hospitals would probably be a great first step.

A

Nice place to start. Yeah, yeah.

B

But I agree with that. We're still resisting that. And on the one hand I get why, but on the other hand, I sure would love it if we could do better.

A

Yeah, amen to that. When I think about geopolitics last 10 years as we are right now, attribution is another word that comes up for me as something that has really changed. Again, this is just my recollection from before the last 10 years, but I remember people being a lot more cagey about attributing anything, especially to a nation state. And that seems to have gone completely out the window at this point. It's almost like there's a rush to attribute. That feels like a big change to me. I'm curious your thoughts on that.

B

Yeah, I think that's right on. And I think we have all these named threat groups now, whether they're one of Fancy Bear or one of the UNCs or, you know, depending on who's naming them, they have all kinds of different names. And that's another point of frustration, sometimes many at once. I wish, Yes, I wish we could settle on it. And I have my own thoughts about giving bad guys cool names that sound like they're out of Marvel movies, but we'll set that aside for the moment. Yeah, I think you're right. People are less Cagey. There's a greater expectation. We know what sort of tradecraft comes out of different places, so we know what to expect. And I think it's easier to put a label on things. There are still organizations out there who are intentional about not signaling attribution. There are people who still think it doesn't matter. Yeah, I don't know that I agree with that. I think it's helpful to know where something's coming from so that you can use that context to help inform you and help you defend yourself and so on. But I think you're absolutely right that attribution has become much more routine and just a part of the daily back and forth. It is interesting to me how, however, again, being in the US and being US centric and everything that we do pretty much flowing through our own news organizations, how unusual it is for the US to be tagged as I was

A

just thinking that, I was like, do I say something? I'm going, when's the last time I've heard, oh, this was a US Based attack? I'm going, I can't really. I mean, it's happened, but not as much happened.

B

Every now and then you'll hear somebody allude to it or, you know, a chance. And a lot of times, just when something gets uncovered that's been around for a while. Like we had the thing that just in the past week or so, it was something that predated stuxnet.

A

It was, Yes, I remember. Yeah.

B

They were sneaking in faulty versions of simulation software that would spit out bad answers, and clearly that came from us. But it's been a long time since whatever that was went out. So I don't know. It's interesting to me that we don't see, See attribution to ourselves to the degree that we see the other folks. That makes sense. But I wonder, I imagine that's gonna change. Yeah. If the Chinese or the Iranian or the Russian version of the Cyberwire Daily, are they every day talking about Screaming Eagle or something?

A

Orange Cheeto?

B

I mean, some American name. Right? Something. Right. Something that's hilarious to them but slightly offensive to us.

A

Yeah, no, I bet that's just maybe a language barrier on our side. But I also have to imagine, given the lag in understanding about stuxnet, for example, eventually more is gonna be uncovered and we'll update our understanding retroactively. But I think if I was gonna make a prediction, I imagine that that would be a big thing that will change. But I'm curious about your predictions. Dave. You look as you look to the next 10. See what I did there?

B

Well, obviously the big thing is AI and we can't everybody drink.

A

He said it.

B

We were so close to getting through this one without summoning it. And it's a wild card, isn't it? Because we don't know how viable it is. We're throwing all this money, we're throwing all these resources, all this electricity, all this water at AI And I think there's general agreement that it can't go on the way that it's going on right now. In this, Right now we're in the land grab part where everybody's trying to be the dominant force in this. I understand that, but at some point it's gonna shake out and people are actually going to have to make money. So what does that mean for the future of it? Who will be able to afford to have these tools and what does that look like as we go forward? Will certain tiers of AI tools only be available to nation states? Maybe, maybe not. We've got quantum computing, which is, we joke about always 10 years out, no matter when you ask, but it feels like it is closer than we've ever thought it was before. Who was it? I think Google pushed up their timeline for being quantum safe on some things. So they're getting some signals that, hey, folks, this is probably real. So we'll see.

A

So Q day sometime in the next 10 years. That's a prediction. You heard it here first. Yeah, right.

B

But I'm not sure we all know exactly what that means. Some of the folks I've talked to have said be careful at how much you place on Q day, because while quantum computers are very, very good at certain things, there's a lot of other things that we rely on computers to do that it's not particularly good at. So in other words, it's not going to be a huge game changer to many of the areas of computing that we rely on day to day. Just turns out it's really good at cryptography, so. Which is important.

A

I was gonna say, good thing we don't use cryptography for literally anything. So, you know.

B

Right.

A

Yeah, it'll. It'll be seismic for sure. I'm sure on a international basis for, for a statecraft and all that kind of thing. And I mean, that would be my prediction. But for the, for the average folk, they may not see any change at all. So who knows?

B

Will we have a Sputnik moment where all of a sudden there's a beacon that everybody else can't ignore?

A

Just beeping Right.

B

And do you? And you know, I mean, Sputnik led us to putting men on the moon. So if we have a Sputnik moment with quantum computing, do we find ourselves in some kind of new arms race or cold war or who knows? Hard to tell is what Yoda said. Always fuzzy. The future. Always uncle.

A

Any other wit or wisdom, Dave, that we should add before we close out?

B

Look, I really appreciate this episode because as I said at the outset, looking back on this stuff was really interesting and a lot of fun. You lose perspective, I think, as you're doing this day to day and you're looking to the immediate future, which I think is what we all tend to do in the news business. So to take a 10 year look back and really see some of the big arcs that we've seen has really been interesting. Gives me good perspective. And hey, I'll talk to you again in 10 years.

A

Maybe a little bit before then, but yeah, I hope so. Same. Well, Dave, thanks as always. Yet another fascinating conversation. Thank you for letting me pick your brain yet again and thank you for everything you've done for the Cyber Wire over the last 10 years and long may it continue.

B

No, it's my pleasure. Thanks to our listeners for making it possible. It's been great fun. Talk to you soon.

A

Thank you for joining us today. See you back here next time.