B (4:03)

Great, thank you. And thank you for sharing with us sort of what your work in definition of institutions was here. So you draw on cases ranging from the Bletchley park code breaking in World War II to Israel's weaponization of pagers in 2024. That's a lot of time of ground that you're covering. Can you walk us through one of these examples that really shows how this paradox of cooperation leading to conflict or making conflict possible, how this paradox plays out in practice?

A (4:42)

Yeah, absolutely. One of the reasons I wanted to have such a broad span of cases. Right. I mean, the ones you just mentioned are almost 80 years, is because the book is cybersecurity as secret statecraft. Right. So it's not cybersecurity as a new technological form of warfare. It's cybersecurity as something that's always been around, but we're doing it with different tools. So that's why I kind of had this broad scope. I think the case that will be fun to talk about is one that I treat in depth in the book, and this is the Stuxnet operation. And Stuxnet has been studied a lot, and it's often held up as the paragon example of cyber war. I call this the most famous example of cyber war. And it's not a case of war at all. In fact, it's a case of COVID action and secret diplomacy. So understanding why that works is really interesting. Now, the Stuxnet operation is this very famous incident that was publicly disclosed in late 2010. And it was slowly revealed, eventually through reporting in the New York Times, that this was a joint project between the United States and Israel to sabotage the centrifuges in Iran's nuclear program. So. So they used a computer malware to infiltrate into this factory system and caused the centrifuges to slow down and speed up, and some of them broke. So it was the first time in a real world setting where you saw that mere software could actually cause physical damage. And we saw an actor, in this case, a pair of actors, that was willing to do this in a real political context. So it caused a lot of excitement, you know, in kind of the early days of debate about cyber war and cyber warfare, because now we actually had an example. So that was 2010. We're now, you know, 15 years later, and a lot more information has come out. And it's come out through private industry that is looking at related operations. It's coming out through journalists, it's coming out through other places. And we now know, and this is what my case study tries to show, is that this isn't just an incident that happens in a year or two. It's this 15 year saga of multiple operations, using multiple toolkits, recycling some components. There were operations before Stuxnet in parallel with it, things that happened afterwards. And it makes a lot more sense to look at this as a network of covert operations rather than one particular operation.

B (7:27)

So I want to make sure I understand what you're saying here is that we think of Stuxnet as this one episode that happened in the late 2000s, but actually it was, I don't want to say, maybe 15 years in the making or should be connected with what came before for in the past 15 years. Is that. Is that fair?

A (7:45)

Yeah, yeah, absolutely. So, you know, one of the interesting things about cyber operations is that when you get a piece of malware, you have the ability to reverse engineer it and start to look at, you know, the different components that go into it. A piece of malware, you can think of it as lights, like a Lego toy, and it's got all these different little pieces, and so each of those pieces might have been made quite earlier. So there are components in Stuxnet that were made in 2001, 2000. There are suggestions that some might even come from the late 90s. And a lot of those were used as espionage and reconnaissance tools. And that makes sense. Right? And you can imagine that the US Would be very interested in just doing intelligence reconnaissance of the Iranian facility. But, you know, around 2007, the US starts experimenting with not just taking information and data out of Iran, but pushing instructions in to start messing with the controllers in the centrifuge as well. So stuxnet was this one component which is very, very famous, but there's a whole suite of other tools. And one thing that's really interesting is that once you start kind of digging into the forensics, and this is how all the different components of these different tools are connected together, you start to see that it's not just one organization, it's at least two Two organizations using four different toolkits, like sets of Legos, that are combining on, creating all of these different things. So to go back to your original question, which was how does cooperation enabled conflict work in this case, I would say it works in two really interesting ways. And the first is what makes secret statecraft different than war, which is requiring a degree of, what, willing but unwitting collusion between the target and the attacker. So in a very real way, I mean, I, I hate to blame the victim, right, But I mean, like, the target decides to use these technologies. These technologies are designed to connect, right? And these technologies provide the connectivity which opens the door for spies to come in. Right? And that's what makes spies different than soldiers. Soldiers will break down doors and they will destroy things and they will impose facts on the ground, whereas spies are going to go in through the back door, they're going to persuade somebody to open the door. They're going to use trickery and deception. Okay? So the fact that Iran is using technology built by the German company Siemens, they're using Microsoft software and the US NSA and Israeli, you know, 81, you know, 8100, which is their cyber organization, they are finding vulnerabilities in the software that enable them to get in. So, so that's really, really interesting. The second kind of cooperation is between the US And Israel. And this is really important and I think was less appreciated in the early days of thinking about stuxnet merely as a form of sabotage and cyber warfare. And when we look at that, we can say, well, it was neat in principle, but it had very little effect on Iranian enrichment. If you look at the trends of low enriched uranium production, it increases steadily the entire time that Stuxnet is, is operating. And once Stuxnet is disclosed, the Iranians improve their security. They build better centrifuges. So this is not a successful sabotage operation. It does not stop the Iranian nuclear program. But you also don't have, during this time, you don't have Israel starting or dragging the United States into a preventative war with Iran. And I think this is really important, right, because I think there are, you know, there's. There's evidence that the United States was interested in this third way. Not doing nothing, not allowing the nuclear program to go forward, but not starting a preventative war because the US Is already in Iraq and Afghanistan. So there's this third way where you can go to Israel and say, let's work together. We're already doing all this espionage operations. We can take the next step. And this will perhaps help us to interfere with this program, and it kind of helps to dissuade the Israelis from launching a war against Iran. So. So. So the first one, there's sort of this inadvertent cooperation from the target to the attacker, and then there is this secret cooperation between the two people in the Olympic Games coalition. And. And the first one is ultimately not successful, and the second one is very successful.

B (12:27)

Thank you. That sort of exemplifies how cooperation leads to conflict.

A (12:32)

Yeah, absolutely. And it helps them avoid a war rather than making war more risky. Right. Another one of these kind of interesting paradoxes when you start thinking about cyber conflict.

B (12:41)

And in fact, you started by saying, for many people, Stuxnet is an example of a cyber war, but that's not really the best way to.

A (12:49)

No, no, no. It's. It's this third category. And the logic of deception is just fundamentally different from the logic of war.

B (12:56)

Yes. So we're going to delve deeper into why all of this matters and how you got your research and your evidence. But if our listeners could take away just one core idea from Age of Deception, what would it be?

A (13:13)

So I just mentioned this idea that the logic of deception is different from. From the logic of war or the logic of deterrence. And I think that's really what it is, is that deception is an interestingly distinct class of strategy that we really need to pay attention to. It's not a new category. Right. Sunza, 2500 years ago in ancient China, right, Said war is the way of deception, but what he actually meant is you use deception, you don't even have to fight the war. Right. The acme of greatness is to take the state without fighting. Right? You're using deception, you're getting the other side to do the work. Okay, so war needs no cooperation. You need cooperation within the armies, but you don't need cooperation across the armies. It's hyper competitive, and you're trying to actively break down and destroy the other side. Now, deterrence is interesting, and this was a big deal in the 20th century. Deterrence was not new, but nuclear weapons fought forced us to pay attention to deterrence, which was using the means of war to achieve something like the ends of peace. We were going to use threats of ending the world in order to create stability and peace. And that's paradoxical and weird, and, you know, that's what the currents theory is about. But deterrence is fundamentally different from war. And I argue that deter. Deception. Excuse me, Deception is fundamentally different from either of those. And a pithy way of thinking about that is that if deterrence takes the means of war and applies them to the ends of peace, then deception takes the means of peace and apply them to the ends of war. Because you're going to take cooperative systems and you're going to subvert them to compete, but you're not going to compete out in the open like you do in war or deterrence. You're going to pretend to cooperate while you are taking benefits on the side.

B (15:02)

That's, that's a great, that's a great distinction. I love that paragraph in the book where, where you talk about how, just like we needed back then, after the nugget revolution, we needed a theory of deterrence, now need a theory of deception, which are different. Thank you for clarifying that. Why does this all matter to our listeners? Like, why should they care about this?

A (15:24)

Okay, well, I mean, we've got many different kinds of listeners. So people that are doing strategy or thinking about strategic behavior, you really want to be careful of not taking metaphors about war and conflict and putting them in the cyber domain, right? Talking about, you know, cyberspace as a war fighting domain or talking about strategies of deterrence. This is really a category mistake when we're talking about deception and counter deception, which has a slightly different logic. So that's important for all other listeners, right? We live in a densely human built world. We are reliant on technological systems. We are now, you know, increasingly reliant on AI and automated systems. And I think realizing that technology is social practice, right? It is built by humans, it is maintained by humans, it is adapted and repaired by humans. And these systems are big and they require a lot of cooperation in their very constitution. Right? So we're, we're recording this podcast right now, and that's reliant on literally thousands of cooperative miracles in order to have the technology in place to open up the connections, to make sure that we're on the same standards, to provide that ongoing bandwidth. Of course, we're speaking the same language. So all of these cooperative pieces of groundwork have been laid in order to enable this interactions. And I think that's both exciting and terrifying because you can start thinking about technology not just as this thing that smart guys in Silicon Valley build, but, but it is something that you, as a political actor, are actively participating in and, you know, for, for better and for worse. So, you know, we're not just using tools, but we're participating in an ecosystem of trust.

B (17:16)

Technology as a social practice. You just said that's gonna stuck with Me for a long time. Can you tell us, as you were sort of tackling this topic, as you were theorizing this topic, were there any surprises that changed the way you thought about something or any sort of, like, moments in which your evidence pushed you in an unexpected direction?

A (17:37)

Yeah, so there are lots of places. But one of the ones maybe that's most interesting to talk about would be the chapter on the 2016 election. And this is, of course, the infamous election where the Russians intervene and they've got hacking and leaking, and they're paying trolls on Facebook. They've got the overt rt. And of course, this is very dramatic and spawns several investigations. And much of the discourse around cybersecurity was focusing on technical threats. Suddenly, this happens, and there's this realization in the technical community that you can have systems that work just fine and yet can still be exploited and subverted by threat actors. Okay, so Facebook and Twitter worked just fine, but Russian trolls were using them and putting a lot of fraudulent content on there. So it was broadening the idea of what we think about as cybersecurity. And then there's this real puzzle in the 2016 case, okay? If you believe that disinformation and information operations are fundamentally about manipulating minds and changing opinion and doing sneaky online, you're basically making an argument that this is a form of deception and you're going to trick people into believing things. And if that's true, then how do you explain that once the Russian hand is revealed, the operation doesn't stop, it goes into overdrive and people keep forwarding things through. In fact, the volume gets even louder. And this is strange if you think that that disinformation is deception, because once deception is revealed, people don't want to be deceived. They should reject it, but they didn't reject it. Right. We had at least half of the US Electorate that embraced it and amplified the signal. So I had to look at this and say, I don't think this is deception at all. This is something else. Cooperation still matters, but it's a much more overt form of cooperation, in fact, and we now understand this very well, right, eight years later, that a lot of political speech is fundamentally performative. And you're not interested in getting to the truth of whether the 2020 election was real or stolen. Right. What you're interested in is. Is speaking in ways that people that are in your, you know, fellow traveling group are speaking and rejecting things that the other side is saying. And so the Russian operation ends up being really really useful because people on one side of the political spectrum are going to repeat these things and the other side are going to fact check and reject. Boosts the signal and makes it really easy for people to tell who's on each side. So this was a fun case because there are aspects that started off as deception, but it moves into what I would say normal political communication now. Dysfunctional and fractious and polarized, but I mean. But normal, right? We were no longer in the world of secret statecraft. So, you know, I think I put together a theoretical framework that was big enough to encompass that, but this, this case really pushed me to do that.

B (20:53)

I really like, as I said, we should talk, we should stick with the empirics. I really like the sort of the, all the cases that you covered and how you were able to sort of explain what is similar and what is different across cases. Can you tell us how, can you tell us more about how you approached gathering and analyzing evidence across such different technological and historical contexts? What does the process look like for you?

A (21:20)

Yeah, you know, I mean, anybody in the intelligence studies field. Right. Is inherently a frustrated scholar because they are, they're studying self hiding phenomena, right? You're studying things that don't want to be studied. They're actively hiding their tracks. Right. I mean, even, even if there's an open archive, like you're not going to find everything in that archive because, you know, actors have, you know, gone out of their way to push it around. And experts of deception don't just deceive foreign actors, they deceive their own bureaucracy. Right? So, so yeah, this is, this is just a fundamental problem in all of intelligence studies. And oh, by the way, I mean, like one of the cool things that the book does, like one of its contributions is trying to bring together the world of intelligence studies and secrecy studies in politics with the kind of new literature on cybersecurity that have kind of been separate. And I think the insights that come from the more historical archival work in intel studies or are really relevant. But with cyber. Right. One thing that's interesting, as I mentioned before with Stuxnet, when this stuff gets out in the wild, you find a piece of malware, right? You can start looking at it and you can find that it's communicating to various servers and it's taking particular kinds of data. It's like you found a spy ring out in the open and you don't have to be in the FBI to look at it, right? There are commercial organizations, there are NGOs that can start getting into this. So as the volume of spycraft increases and it goes digital, we actually are generating a lot more information about how this works. So I think there's a lot that can be done to bring these two together. Okay, so what, what I did is, you know, I, I conceived this book as an effort to build theory and understanding, and I wanted to pick representative cases or kind of in, know, nerdy social science language. These are critical cases. So Bletchley park is a critical case because every intel scholar in the world will say, this is a successful case. Well, I've got a theory of intelligence success. Like, I better find my conditions in this case. And Bletchley park is the most, you know, studied case in the world. And it's got really, really rich archival information. So you can, you can go inside of the organization in a way that you can't in these other ones. So that's why I wanted to start there. That's a wonderful case. I could talk forever on that. I mean, I call it the first cyber campaign because it's got civilian hackers, it's got digital machines, it's got all this cool stuff, and it's a very, very successful case. Stuxnet. Right? Stuxnet. It's the great case of cyber war. We talked about why it's not. Stuxnet's also this wonderful case because if you buy my interpretation that it's a 15 year long thing, you know, this is 2000 to 2015, which is a critical time in the evolution of cyber conflict as a new normal in international politics. So in telling the story of this case, you're also kind of telling the story of this broader evolution. 2016, the most well documented cyber operation of all time, because of all the controversy and in the investigations. So that's kind of how I proceeded. I picked these three critical cases that were fairly well documented, but were very, very, you know, like every political science book. I had this two by two theory which we could talk about. But I mean, I picked cases that kind of were representative of these different boxes, had the data so that I could go through and, and then work through what was going on in each case.

B (24:53)

Can I ask you a question? What, what percentage of cases do you think actually observe?

A (25:00)

Yeah, that's a, that's a great question. And you know, this is known as the problem of missingness, which is a big deal all over the place, but again, huge. There are all these efforts to come up with these quantitative data sets in cyber, and we know that they're missing Right. Especially the best ones. I mean, there are very few Stuxnet kind of things that we can attribute to the US nsa. And look at this. It's Stuxnet, it's Snowden, it's shadow brokers. Those are the three things that we know about the nsa and we know nothing else. Does that mean the NSA is doing nothing else? Of course not. Right. It's a hyperactive agency. It's all over the place doing all kinds of things, but it's very, very good at staying hidden. So we just don't ever find that out. Okay. Now, in the debate that I'm intervening, which is, is cyber a form of war or is it a form of secret statecraft missing? This actually really works in my favor because the stuff that's missing is secret statecraft. Right. You're not going to see it if I don't see it. That's great. If you, if it was war, if it was highly disruptive, if it was bringing. Turning off the lights and breaking the water supply and bringing airplanes out of the sky, you would see that stuff. So we don't see that. Right. So the fact that what's missing is actually at the low end of the complex spectrum, I think is really, really useful for the argument that I'm trying to make.

B (26:20)

I agree, once you put it that way. Yeah, I see your point. Let's talk about the practical side of what you are writing. You argue that success in secret statecraft depends less on sophisticated technology than on political context. So how should policymakers or cybersecurity practitioners use these insights? Perhaps if you should, you could define secret statecraft for us and explain to us how policymakers and cybersecurity practitioners can use this insight.

A (26:54)

Yeah, absolutely. So, you know, the. The quick answer to that is this framework highlights several systematic trade offs that exist in this space. And that's going to be frustrating to policymakers because nobody likes trade offs, because trade offs ultimately are about making value judgments. Okay. For example, right. As I mentioned, there's this two by two. So there's this idea that you need to have an environment that is permissive. So there needs to be a set of collective institutions that provide connectivity, but they've got flaws in their monitoring and enforcement capabilities. That just creates the possibility for deception. If you want to operationalize that, you need to have a clandestine organization that is good at staying quiet, which has the capability to be flexible. Okay, great. So if that's what enables intelligence performance, then it makes sense that if you're interested in improving cybersecurity you need to start weakening those things. Okay, well, you could weaken connectivity. You could create barriers. Well, the whole point of having it in the first place is to create connectivity. Okay? And we know what this looks like. We have all these onerous security procedures because, you know, we now live in a world where cybersecurity matters and it's really, really hard to log onto our websites. A result. Okay, so, you know, do you want connectivity or do you want security? That's going to be a fundamental trade off. Monitoring, enforcement. Okay, great, let's, let's improve monitoring, enforcement. Well, I've just basically said let's improve intrusive surveillance and police authorities to intervene throughout the technology stack in order to do things. Is that the kind of world that we want to live in, as you know, a democratic community? Right, that's, that's a debate you have to have over on the other side. Okay, well, how could you go about weakening organizations? Okay, do you want to be attacking them? Do you want to be attacking them proactively? Well, if you're going to do this, as I mentioned, because we're in the world of deception, not in the world of warfare. We're going to use counterintelligence, which means we're deceiving the deceiver, which means now we are reliant on subverting collective institutions. And here's where you get into these problems of it was Stuxnet, right? This was the US NSA subverting Microsoft, a US company. Like, isn't that weird, right? I mean, that's very, very strange, right? I mean, this is US infrastructure. NSA to some extent, is protecting the Americans that make that company. They make a lot of money. Once they get subverted, they're trusted last.

B (29:36)

Right?

A (29:37)

So, I mean, there's all kinds of strange incentives that go on here. So once you start understanding that this is an intelligence contest, you participate in an intelligence contest by counterintelligence, then you start to have all of these really, really wicked trade offs. Because improving defense means you're also having to improve offense. Improving security means you're degrading the usability of these systems. So, you know, in the last chapter, kind of goes through some of these systematic trade offs.

B (30:02)

That's great. That's great. Thank you. As you mentioned at the beginning of this interview, you've written another book, Information Technology and Military Power. It came out in 2020, and this is your second book. Looking back on the research and writing process for this book, which is Age of Deception, what was the most intellectually rewarding aspect of creating this work.

A (30:30)

Yeah. Okay. So actually, it might help to go into the Wayback Machine a little bit. So Information in Military Power was my dissertation book, but I didn't publish it right away. So, I mean, I. I got my PhD in 2011. My first job was a postdoc at UC San Diego at the Institute on Global Conflict and Cooperation. And I'd written a dissertation that used British and American cases. And I was really interested in looking at China because China was modernizing and was very interested in using information technology for fighting. But then in 2012 and 2013, this is when China really started to hit the news. And there were lots of big stories about Chinese espionage all over the world, hitting governments and IGOs and NGOs and corporations. And people kept saying, like, John, you do technology and politics, and this is a China place. What do you think about this? So I kind of switched into cybersecurity from kind of military power, and that's where I ended up publishing for the first 10 years of my career. And so I was best known as a cybersecurity scholar. So when this information technology and military power book finally came out, right. Ten years after having finished my PhD, people were like, where's the cyber? Here's the cyber guy. There's a cyber in this book. So, yeah, when I was writing that first book, I recently had a cyber chapter in it, and I pulled it out because it was clearly too much as a military power book. This was too much. And that that chapter became this 2017 article that I wrote called Restrained by Design. And, like, it's kind of chapter three in the book, although it's really evolved a whole lot. So I'd written that. I'd written several other things. I thought I understood cybersecurity really well, and I tell the story in the acknowledgments, right? I was joking with my wife, like, hey, I'm going to rip the cyber out of this book. I'm just going to write this other book. It'll be really quick. I'll staple it together, write the transitions. And, like, that was not true at all. I mean, like, the process really, really helped me to refine what I thought about this. And to get. And this is getting to the answer to your question, right? So, like, the thing that I got to was being able to take this incredibly complex domain with these, like, intrinsically complex operations and get it down to the two factors that I thought were really, really doing the work. Okay? The vulnerable institutions and the clandestine organization. And each of those, you can Unpack them. And they're very, very complex. But I kind of thought like, okay, this is the thing that really, really matters. So, so it was a long process and, and getting to a simple place often takes a really, really long time.

B (33:11)

Yes, but as I was saying offline, like, the book is very engaging. The way it's written is uniquely engaging. And you know, the topic is fascinating, but you know, still, it's, it's, it's, it's noticeable. So I want to thank you. It was a lovely time reading your book, but we took enough of your time. So I'll just ask one final question. What are you working on now or next?

A (33:37)

Yeah, great question. Well, so you know, this book, there was another book in between these two. It was on Deterrence that just came out. So I'm taking a little bit of a breath right now. But it's, it is hard not to be thinking about kind of the AI moment that we're in. So I'm actually thinking about this in two ways. Right. I'm really interested in kind of the long historical context of technology and I'm interested in kind of the, the fundamental logic of deception. And this has brought me, of all places, to the archetypal deceiver. And this is Odysseus in Homer's Odyssey. Right. I mean, the guy invented the Trojan horse and we now use that as a metaphor for this. And so I've been thinking a lot about kind of these old classic archetypes and how they continue to inform the way that we think about and talk about technology and automation in particular. And the reason I'm really interested in kind of these ancient pieces is that when you think about AI, we can automate data gathering, we can automate statistics, we can automate action with drones and robotics, but we cannot automate is figuring out what we want to do, values, our goals, the judgments. Like that is a uniquely human operation and that comes from a part of the human mind that has not been upgraded in thousands of years. So we're in this weird situation where I think we have Homeric minds in a 21st century technological environment. And I don't think that we've done enough thinking about kind of the effect of sort of these archaic archetypes and how they may still be structuring technology today. So.

B (35:16)

So it's different tastic topic. You must come back when the. And tell us all about it. Okay, good. I see you're nodding. I take that as a problem.

A (35:27)

Yes. Okay, nodding.

B (35:30)

John, Lindsay, thank you so much for taking the time to talk with us today. My guest today has been Professor John Lindsay, an associate professor at the School of Cybersecurity and Privacy at the Sam Nam School of International affairs at Georgia Tech. His research examines how technology interacts with statecraft. His new book, age of Deception, was just published in 2025 by Cornell University Press, and it appears in their Cornell Studies and Security affairs series. I am your host, Eleonora Matiacci.

A (36:08)

Sam.