Tom Uren
Hello, everyone, this is Tom Uren and I'm here with Gruk. G'day, Gruk, how are you?
Craig
G'day, Tom. Fine and yourself.
Tom Uren
This episode of Between Two Nerds is brought to you by GreyNoise, who have a fleet of Internet sensors to tell you what's going on on that big bad Internet and you can find them at greynoise.io. So for people who aren't hanging on our every episode and come across this later, what's just happened in the last couple of weeks is basically US politicians, President Trump and Vice President Vance are blowing up the transatlantic relationship and Europe is extremely worried about what it's going to do in terms of defence. And so there's, I think just in the last few days, Germany made a big commitment to remove a debt limit so that it could spend more on defence. President Trump has just committed to removing military aid from Ukraine and intelligence, intelligence support. Yeah. So a whole lot of countries are thinking about how are we going to replace the void left by the US retreating? Basically, yeah.
Craig
Basically the US is saying, I'm going out for a pack of smokes and perhaps forever. Right. And it's, it's, it's getting to be week three and we're thinking maybe they're not coming back.
Tom Uren
Yeah. So we're going to discuss the cyber related aspects of European defense. And just broadly, I guess we've broken them down already into a European signals intelligence type function and a European Cyber Command. And so I guess we should first of all define what we think those two things are. So signals intelligence is, is collecting intelligence. I think that's relatively straightforward nowadays. There's always a strong cyber espionage element to that. So basically hacking to collect intelligence and the Cyber Command is using cyber operations to project power, I guess, at the very sort of top level of abstraction.
Craig
Right. I think one, one very, very crude way of looking at it is the intelligence, like the signals intelligence one you use during times of peace and times of war, whereas the cyber commands you use during times of war exclusively.
Tom Uren
Right.
Craig
In theory, that's the like. One of them is sort of for conflict and, you know, very, very aggressive actions, and the other one is for covert stealth monitoring.
Tom Uren
Yeah.
Craig
That's not a strict separation, but that's generally how I would look at it.
Tom Uren
I would quibble, but we'd get bogged down if I quibble for too long.
Craig
These are broad and blurry categories. I wouldn't say that they're, I wouldn't say that they're exclusive or even mutually exclusive, but in general that's what you're looking at? I think.
Tom Uren
So just to set the scene in terms of the US, the US signals intelligence agency is NSA. Just looking at Wikipedia, it claims that there's 30 odd thousand people who work for NSA.
Craig
Yeah. And there's at least 1,000 that work for the, it's no longer called TAO. Basically their hacking team is over a thousand people.
Tom Uren
Right, right. And so those numbers are almost certainly wrong, but they give us an order of magnitude, like a sense of scale.
Craig
It's, it's big.
Tom Uren
Yeah, yeah. So I just had a quick squiz at the UK's equivalent, GCHQ, 7,000, the French equivalent, DGSE, and the German equivalent. I think it's the BND.
Craig
Yeah.
Tom Uren
Both the German and the French do many different things, so they're just not signals intelligence specialists. But they're also roughly around 7,000. And so probably if you added up all, all the different intelligence agencies across Europe, I don't know, maybe you'd get close to 30,000.
Craig
Right. And that's assuming that they're no longer doing any of their own national work, that they're only doing this.
Tom Uren
Yeah, yeah. They just try and put things in, in rough context of how much people are already spending. Now, the U.S., you would also, I think, include some other stuff. So they launch satellites, which isn't part of NSA. There's the National Reconnaissance Office.
Craig
Right. There's 18 different intelligence agencies in the U.S. which like that's a lot.
Tom Uren
Yeah. So first of all, I guess the basic question is does Europe need, I guess it would be a more cohesive signals intelligence apparatus or is it fine to have each country still has their own intelligence agencies and they work independently and they share intelligence. Is there an advantage for them to try and join up and get bigger?
Craig
Okay, so I would argue yes. And I think that there's sort of two clear areas where it makes sense. First of all is information sharing between agencies is always delicate and it's always sort of partial and stuff like that. So you're going to have, you know, if you have to have liaison where the French find something and they share it with the Germans, but it's with a caveat that Hungary can't get access to it. Then the Germans need to share it with Italy because Italy needs to do whatever and they need to share it with Switzerland and like on and on, like it becomes quite difficult to share intelligence in a useful manner in a speedy way. Like it's, it's possible to solve, but it's not going to be quick. So I think if you've got sort of one central agency that process a, you've got one set of regulations, one set of laws, the people have been vetted just to be there, et cetera, et cetera. And so you can have very rapid information sharing inside that agency. It's going to be a lot faster.
Tom Uren
Right. So as you were talking, I was thinking, well, each agency has their own priorities and interests. And so I don't know if this is true but, but like my cynical view as a former intelligence professional would be that the Germans are spying on the French and the British, the British are spying on the French and the Germans. Like that may or may not be true, but it's, it's not, not true. But, but the point still stands. They've got separate interests that only they would necessarily be interested in. And so I guess maybe a more realistic example might be the French would be interested in what's happening in former colonies, for example, in different parts of the world that the Germans would have no interest in.
Craig
And the Germans might be a lot more interested in China's factories than the French are because the French don't have a huge manufacturing base that they're worried.
Tom Uren
About something like that. I'm sure there's real examples. I don't know exactly what they are. So in that case it doesn't make sense for a sort of joined up organization to do those country level priorities. Right. And so like, does it only do stuff like this is the problem, I think. Does it only do stuff that everyone wants to do and all those other intelligence priorities, right.
Craig
Is it getting directors from Brussels? Right. So it's before they can, before they can say what they're interested in, they have to have a committee meeting to set up, you know, a subcommittee to explore options. And then, well like to me, they come back with a repertoire report on what they think they should be looking into.
Tom Uren
Well, that actually doesn't sound different for the intelligence processes that go on in countries.
Craig
Right.
Tom Uren
So like Australia they have, it used to be called the National Intelligence Collection Requirements Committee or something like that. And it's basically like different heads of agencies say we're interested in this, yada yada, and you come up with a prioritized list. And so that doesn't seem to me, that's not probably any different. It would just be at a different.
Craig
A different body of politicians making decisions.
Tom Uren
Yeah, yeah, yeah. And so that doesn't seem problematic to me. What seems problematic is if I'm France, I have these pan European requirements, but I also Have French requirements.
Craig
Right. So the way I would see it working would be not so much to span GCHQ and create.
Tom Uren
No, I think that's a non starter.
Craig
Yeah. Like Euro NSA. It would probably be more along the lines of sort of the way that Cybercom works where you have Cybercom as the command but you'll have like Air Force and Navy and Army and Marines each contribute personnel. Right. So you'd have your spy agency for Europe and GCHQ and DGSE and so on would each put several people. They would sort of hire, vet and control these people and pay them, but put them into this shared environment where they're all working together. That's the way I'd see it working. Because trying to hire and then do security vetting individually for all of your. You're not going to get stood up in the next decade. It would take forever.
Tom Uren
Yeah. So as we're going, I'm kind of thinking more of a European Eyes relationship where there's, I guess in a European context there would be several different centers of gravity, GCHQ, DGSE.
Craig
Right.
Tom Uren
Etc., and they would sort of be the hubs. And then like to me that might work. And I guess what would drive things I think is uniting against a common enemy.
Craig
Yeah, but where would you find one of those? So I said there are sort of two reasons. The second reason I think it's important is a resource issue, which is that sort of bigger is different.
Tom Uren
Right.
Craig
So like the DGSE, GCHQ cannot afford to build like an XKeyscore. Like they can't afford to build at the scale that NSA can build because they just do not have the national budget for it. And then the budget that they have, they have to spend on all these different priorities. If you pool resources and have just a massive fund that you can then use to do things at the proper scale.
Tom Uren
Right, but does that require a joined-up organization or is that just sharing? Here's a list of things we're working on that are obfuscated to some degree where we're happy to share them.
Craig
No, I mean my feeling is that there's infrastructure that needs to be built. Like if you want to do the XKeyscore thing, you need to put servers in a whole bunch of places, collect all the data somewhere and then process it somewhere. And that's not a thing that you could do at the national level unless you're huge. Right. Like I don't think that DGSE could afford to put servers across the entire world, collect all the data, do things like pay so that there's least cost routing to force routes to go through, things that you collect. You're basically subsidizing part of the Internet just so that you can get their traffic. I don't think you can do those things without pooled resources. Like you would need budget at the scale that the US has, budget, like you need to be putting in tens of billions of dollars into just this sort of activity. And my feeling is that if the DGSE had tens of billions of dollars, they wouldn't necessarily be interested in doing that sort of infrastructure for everyone like they might like it to have for themselves. And then they would share out what they felt was pertinent and necessary to someone else as it came along.
Tom Uren
Right.
Craig
You know, like they would be making they decide, you know, what, this might be useful for Germany, but it might not be. Why don't we just wait and see?
Tom Uren
Right. So one of the things that makes the Five Eyes work is that they're in different locations around the world. And so just by virtue of that, you've got different places which are harder or easier to reach. And so you've got Australia, for example, like just geographically in a different location. And so there's different things that we could provide that are difficult for the other partners. Whereas Europe, I mean, and I guess the thing is that some of those countries there were colonial powers. So in terms of having a global presence, perhaps you can stitch together an island here, a former colony there, I don't know.
Craig
Yeah, but I mean, my feeling is that if the Euro eyes group asked Canada, Australia, New Zealand if they wanted to join, I suspect the answer would be yes. You know, I think that you'd be able to integrate that at some level without a big problem. I think you could do it because, I mean, you could do it with Canada now for sure. But Canadians are angry. And my feeling is it's just a matter of time until that gets to everyone. Right.
Tom Uren
So I think to me, this, like these organizations, and I guess we're speaking a bit about the Five Eyes, which is probably not where we want to keep talking about, but they've got a sort of organizational inertia and a long heritage, and so breaking that down will take a long time. I think if that did break down, I would agree that they would be looking for partners. And if they come across someone who seems more trustworthy than the current US that would be like, you'd have to think about it. You'd be a fool not to think about it.
Craig
Right, right.
Tom Uren
But I Think that will not come easily.
Craig
It's not, it's not in the next two months.
Tom Uren
Yes, that's right. Yeah. Yeah.
Craig
No, I think that's, I think that's reasonable. That said, if we're looking at a common enemy that's going to unite Europe, we're looking at someone in Europe and you know, maybe China.
Tom Uren
Yeah.
Craig
So I don't think the reach is as global, you know, like the DGSE focus on Africa for their former colonies. I don't think that that steps on toes with what other people are interested in in Europe. Right. They, they want to, want to spend communal resources on it, but it's not going to be a conflict of interest where other people are looking at the same areas for their own national purposes. So I think that there's absolutely scope to have. You know, this is the, the Russia and China monitoring agency.
Tom Uren
Yeah. But you feel there needs to be a, a kind of pan European organization that deals with the stuff that is of common interest to all the countries.
Craig
Sort of for shorthand, it would be sort of like the NATO level interest, only without.
Tom Uren
But of course. Right, yeah, right.
Craig
But yeah, you know, it's stuff that like the European security overall is something that they need to think about but breaks down badly because for example, Poland is particularly worried, but they don't have the resources of all of Europe and Spain is less worried because they're geographically quite behind Poland.
Tom Uren
I guess there's a sort of gradient of concern.
Craig
Yeah, very much so. And so I think one of the reasons that having a pan European thing would be useful would be that it would provide a way of taxing these people who are less willing to pay voluntarily.
Tom Uren
Right. You mean like people who are further to the west and care less?
Craig
Exactly.
Tom Uren
Right, right. I mean, but that to me is.
Craig
It sort of like equalizes this curve. Right.
Tom Uren
But that to me is also the reason why, why it's difficult, why it wouldn't work. Yeah. You're speaking as a citizen of Europe, which you're not.
Craig
Right.
Tom Uren
But, but sort of putting your European hat on.
Craig
Yeah. Like as a global citizen.
Tom Uren
Yeah.
Craig
Looking at it from this broad point of view, this is what makes sense to me.
Tom Uren
Yeah. Or your cyber hat. But. Right, yeah, right, like, so I'm not convinced that you can't get by with just more cooperation and a kind of divvying up of those top level priorities with an increased investment in those national organizations like you know, Biggie, the intelligence organizations and having some process to say, look, here are the European, pan European intelligence concerns who's going to, who's going to meet them? What are we going to do?
Craig
So I think maybe like the, the happy medium that's achievable would be to have an agency that's responsible for managing group priorities and divvying them up and then pooling the intelligence for sharing just to speed up that whole process so that it can operate at a reasonable speed and with minimal friction. Maybe if they don't actually have an operational arm, but they're sort of just a management and clearinghouse now.
Tom Uren
The other problem that occurs to me.
Craig
Is that man, it's not fun talking to you. You're really good at picking holes at things.
Tom Uren
Well, the other thing that was occurring to me is that these organizations run on trust. Right. And in the Five Eyes situation, what has happened is that NSA has a huge security leak and then they push out very much stricter security vetting requirements to everyone. And it's part of the deal. Like so we're the biggest, we can set the standards. We've had a screw-up. So you're all going to have higher standards right now. To be fair, every, every partner has had leakers at times over, you know, 30, 40, 50 years, whatever. So no one's immune.
Craig
Yeah. Well, I would say for example, it would be very hard to have an international or sort of this, this federal or European wide spy agency without including the Germans. But the Germans counterintelligence seems to be newspaper reporters who uncover KTB spies inside the date various things. So it's, I would feel very uncomfortable incorporating the German spy agencies without some better vetting because I don't feel that they're doing a good job.
Tom Uren
So I guess you've proposed, for lack of a better word, a cyber clearinghouse, prioritization and clearinghouse. And I think that there's many problems with all solutions and I guess it comes down to how much they fear Russia and America's unreliability and how much those are drivers. And there's a model somewhere that if the demand or the need is high enough, people will find one that they can live with if, if, even if it's not the best. And my short term thinking is that you would go, we like having our own intelligence agencies and we're just going to embiggen them and add something on top. So I think that that might be the, the practical short term solution, even if it's not a long term best solution.
Craig
Yeah.
Tom Uren
Or even a good solution.
Craig
This whole thing of like do we really need to send up an entire new Agency with all of this stuff, when in four years this is going to be over and we'll go back to how things used to be. Like, we just need to weather the storm for now until then and we can, you know.
Tom Uren
Oh, yeah, I think there will be a lot of people. Yeah, yeah, I think there will be a lot of people who think that. So final question. Do you think that kind of pan European signals intelligence collaboration is a nice to have, a must have, an absolute imperative. We've got to get it done.
Craig
First thing I'm gonna say, nice to have. Leaning towards must have.
Tom Uren
Okay, so I mean, I'm kind of guessing that the US was giving them some intelligence, but not a whole heap. So is there really a need to bolster what you weren't getting anyway?
Craig
Yeah, my overall feeling is I think that there's collective security concerns that should be addressed collectively in some way and whatever that may be sort of open to interpretation.
Tom Uren
Right, right. And I guess in the context of what's gone on in the last couple of years might be the US saying to Europe, hey, we think that Russia is going to invade Ukraine. That might be that.
Craig
Yeah.
Tom Uren
Like that seems like a single piece of intelligence. That would be absolutely. You'd want to know.
Craig
Right.
Tom Uren
I'm not convinced that the Europeans would have found that out by themselves, but it seems like to me that the US was, they were doing things to try and try and prevent by releasing intelligence.
Craig
And let's not forget that the, the Germans were so unconvinced that the German spymaster got caught in Kiev on the night of the invasion.
Tom Uren
Right.
Craig
Like, he so didn't believe it, that he was like, I'm going to go and visit them and prove that this isn't happening and then had to get bundled out.
Tom Uren
Right, Right. Yeah. So that seems like a concrete example of something that they clearly didn't know and probably would want to replace that on the assumption that, I guess at this point they wouldn't be convinced that the US would ever tell them again.
Craig
Right.
Tom Uren
Like maybe they would, maybe they wouldn't, who knows? But that seems like a huge risk that you'd want to mitigate against. Okay, so let's put that one to bed for now. The secondary question is we think that having a bigger cyber espionage capability or a joined up cyber espionage capability would be good. What about a European cyber command? So just to be clear, what I'm thinking about is that that type of organization has military objectives and it has the scope to do things like the definition I use is like, deny, degrade, destroy, disrupt. And so that can range from the very subtle type of disruption, which is locking someone out of account, making malware not work properly, to something very much more obvious, which the Russians have tried, which is like wipers trying to disrupt electricity networks, etc. Does Europe need one of those? A European Cyber Command? I feel yes, because you're a cyber person.
Craig
Right? Because, you know, they could figure out if they need tanks or not. There's plenty of time. That's not really depressing, you know, but cyber, that's an existential problem. This is. Should be their top priority. In fact, I know someone who could probably advise them if they are. Yeah. So my sense is that, for example, in Ukraine, they don't have a cyber command, but they have a large number of, not necessarily competing, but certainly not cooperating cyber forces. And I think that that's not. That's not been particularly effective. I think it's been okay, but it hasn't been great. Whereas if you look at Russia, they're a lot more centralized, hierarchical and organized, and I think it's been more effective for them. There's a lot of things that they've been able to do with their spy stuff that has been, you know, it's provided a positive impact for their military.
Tom Uren
Right.
Craig
And I think that that demonstrates that you're better off having organization that will prevent duplication of effort, that will allow sharing of resources that will, you know, in cyberware, ideas are super important, being how being able to have a whole bunch of smart people talking to each other is like exponentially better than having a whole bunch of smart people thinking by themselves.
Tom Uren
Right, right, right.
Craig
Like, it's just. It's going to be more productive. So I do think that there is definite benefit to be had from a sort of collective defense or collective offense cyber. But I think there's a lot of problems that come up. So I guess the way I'd look at it is if Europe decides that they need a tank that's going to work for everyone, that's a sort of physical engineering, political, you know, where is the factory going to be? Problem that can be solved, and then when it's done, everyone gets a tank.
Tom Uren
Everyone.
Craig
And you're happy and your tank is useful for the next 20 years or whatever. But cyber isn't quite like that. Right. So cyber equities have much shorter lifespans, and their value in that short lifespan is quite high. So what happens when, you know, you got the Dutch and the French and the Germans and the English and, you know, everyone is working together and they build like an iOS remote capability that'll allow them to spy on iOS devices. And then you've got all of these national interests who also have a finger in the pie and they're suddenly going to go like, this is great. I've got a whole bunch of journalists I've always been wanting to spy on. This is exactly what I need. How do you deal with those conflicting priorities? Particularly because that capability is not going to last more than a year, most likely probably six months or so. So if the, the Greeks, the Italians, the Spanish, you know, if these guys don't get it to abuse it, then it's not going to get used. So why invest all this money anyway? It's just a waste of time.
Tom Uren
I mean, isn't, isn't this also true for sort of cyber espionage capability though, in a sort of pan European context? Sure.
Craig
I think it's the same problem that comes up, right? Like it's the. It's sort of a fundamental issue of sharing secrets.
Tom Uren
Yep, yep. Okay. So we're in a world where Europe seems like it's decided that it needs to spend a lot more on defense, and part of that is for military hardware. And so in the context of trying to catch up and fill the gaping hole left by the departure of the US does it make sense to spend any time at all on a cyber command? Or are you like just a few.
Craig
Million with targeted investment in robust advice and maybe a small committee with a couple of million dollars to investigate, maybe based out of Thailand, for example?
Tom Uren
I actually do think that the resources you need to build more shells or tanks or planes or whatever are not the same resources you need to build a cyber command. So I think, right. If, if they think they need it, they could walk and chew gum at the same time, to use an American expression, I don't know what the European equivalent is. Smoke cigars and eat baguettes at the same time. Yeah, yeah.
Craig
So one of the things I think is worth thinking about is that you don't need to spend that much on the cyber command. Right. The price of a cyber command is less than the price of a diesel submarine, and nations will buy several diesel submarines in a year. So if you've got a sort of collective pooled resource, if there was 1 billion euros, I think that that would be enough to get something happening. And getting a billion euros from everyone collectively, that's pretty straightforward.
Tom Uren
Like you, like you've so kindly offered to advise the EU on setting up a cyber command. What would you tell a European bureaucrat. What are they going to get out of a Cyber Command? Why is it worth investing in it?
Craig
Yeah. So I think some of the things that we've seen is that cyber can compensate for missing capabilities in other areas, that you can use cyber capabilities to get intelligence in denied areas that you can't get otherwise. Or if you don't have spy satellites, you can use IP cameras. There's creative ways of using cyber to compensate for other capabilities that you lack. I think that there's also a lot that can be done with shaping the environment using cyber. Ukraine, I think, was a bad. It was not fertile ground for shaping the environment because it's had so many years of cyber attacks that they're sort of. They're used to. They're acclimated.
Tom Uren
Yeah. They've become a hard target through experience.
Craig
Right. After eight years of continuous attacks, one more attack, it's not a big deal. Like, it's not great, but it certainly lacks the psychological impact of, you know, those first ones.
Tom Uren
Right.
Craig
So I think that there's a lot that could be done in other places that wouldn't work in the war that's currently being fought.
Tom Uren
So, to paraphrase, Ukraine's not a good example in terms of what the Russians achieved with offensive cyber. But. But mind you, I think that the Russians came very close to it actually being tremendously effective. Right at the beginning of the war.
Craig
Absolutely.
Tom Uren
Yeah. Yeah. We've spoken about this before, but they disrupted one military communication satellite network. They tried to disrupt a telco. And, you know, if those had both come off. Yeah, I think that would have been quite a force multiplier. Now, Kim Zetter, so she has a Substack, Zero Day, and she wrote about recent news that Pete Hegseth had told Cyber Command to stand down. And so she actually got a former deputy general counsel at US Cyber Command to tell her why cyber operations were important. Kurt Sanger is his name. So reading his response, Cyber operations are effective because they can have a significant impact on a target without using force. The use of force against a target nation entitles the nation to use force in response. The ability to affect your adversary without using force is an enormously valuable strategic asset. So, in other words, the way I paraphrase that is we can muck around with their stuff and they don't really have a significant recourse, but it's like.
Craig
There's two sides to that. One of them is because it's plausibly deniable, they can't necessarily drum up the support to retaliate. Like, it's harder to do that, but the other side is it allows them an off ramp to save face.
Tom Uren
Right.
Craig
They don't have to. They don't have to be the last person that got punched in the face before calling it quits.
Tom Uren
Yep. So Kim paraphrases what Sanger says. Cyber Command's operations at this level are a powerful military capability that can be effective in changing an adversary's military and political decision making without inviting a violent response. And now she's quoting him again to say that halting operations below the use of force doesn't put national security at risk or have a dramatic impact, reflects a massive misunderstanding of a capability used against U.S. adversaries and enemies every day. So then it goes on about the. The current halt, but like, those couple of paragraphs actually seem like, yeah, I'd like to have that if I'm.
Craig
I want one.
Tom Uren
Yeah, exactly. So, I mean, are you going to incorporate that into your little dossier?
Craig
Oh, yeah, that's going in my pitch deck right now.
Tom Uren
So you, you buy it?
Craig
I. Absolutely. I think that. I think that that captures a lot of it quite well. You know, it's a strategic capability. It's not just tactical and it's. It's not just something that you can roll out during wartime and turn someone's lights off and.
Tom Uren
Yeah. So I was initially thinking that if you're trying to deter an adversary, planes and tanks and shells are the thing that you want to be able to say that you've got a lot of. But this actually seems like a way to deter an enemy without a show of force. Like, it's through manipulation and influence.
Craig
It's harder than soft power and softer than hard power, I think.
Tom Uren
Right.
Craig
So it's not just, you know, hey, we've got blue jeans and Coca Cola, be nice to us, or we've got tanks and we can blow you up. It's sort of in between. It's. We can reach out and touch you, but we don't need to.
Tom Uren
Well, I mean, I don't think it's the threat of that, though. It's the actual practice of doing it and. Yeah, and. Yeah, and shaping their thinking mind control powers.
Craig
And that's why you should be able to smoke and chew onions at the same time.
Tom Uren
Thanks a lot, Craig.
Craig
Thanks a lot, Tom.
Podcast Information:
In the March 10, 2025 episode of Risky Bulletin, hosts Tom Uren and Craig delve into the evolving landscape of cybersecurity and defense within Europe. The discussion is sparked by recent developments where US politicians, specifically President Trump and Vice President Vance, have strained the transatlantic relationship. This shift has led European nations, notably Germany, to reassess and increase their defense spending in response to perceived US disengagement.
Tom Uren [00:10]: "In the last couple of weeks… Germany made a big commitment to remove a debt limit so that it could spend more on defence."
Craig [01:12]: "Basically the US is saying, I'm going out for a pack of smokes and perhaps forever."
The hosts begin by clarifying two crucial components of modern defense: signals intelligence and cyber command. Signals intelligence involves the collection of intelligence data, often through cyber espionage and hacking to gather actionable information. In contrast, a Cyber Command is responsible for executing cyber operations aimed at projecting power, particularly during times of conflict.
Tom Uren [02:14]: "Signals intelligence is collecting intelligence… hacking to collect intelligence."
Craig [02:32]: "Signals intelligence… for times of peace and times of war, whereas the cyber commands you use during times of war exclusively."
Comparing the United States to Europe, Tom highlights the extensive network of US intelligence agencies, with the NSA reportedly employing around 30,000 individuals and a specialized hacking team exceeding 1,000 members. European counterparts like the UK's GCHQ, France's DGSE, and Germany's BND each have approximately 7,000 personnel. When combined, Europe's intelligence workforce approaches that of the US, though fragmented across national boundaries.
Tom Uren [03:06]: "The US signals intelligence agency is NSA… 30 odd thousand people who work for NSA."
A significant portion of the discussion centers on whether Europe would benefit from a unified signals intelligence framework or if maintaining separate national agencies with enhanced cooperation is sufficient. Craig advocates for greater cohesion, arguing that a centralized European agency would facilitate faster and more efficient information sharing, free from the bureaucratic delays inherent in multi-national cooperation.
Craig [05:06]: "If you've got one central agency… the information sharing inside that agency. It's going to be a lot faster."
Tom counters by emphasizing the diverse national interests that may complicate a unified approach, suggesting that while a centralized body could streamline operations, it must also accommodate individual country priorities.
Tom Uren [06:12]: "Each agency has their own priorities and interests… the Germans are spying on the French and the British, the British are spying on the French and the Germans."
Creating a unified European intelligence entity faces several hurdles. Trust issues emerge, particularly concerning the reliability of member nations' counterintelligence efforts. Craig points out specific concerns regarding Germany's counterintelligence, highlighting historical skepticism about their internal security practices.
Craig [18:21]: "It would be very hard to have an international… without including the Germans… I don't feel that they're doing a good job."
Furthermore, the logistical and financial challenges of pooling resources for extensive cyber infrastructure—such as global server networks and data processing centers—are discussed. Craig argues that without significant collective investment, achieving the scale necessary to match US capabilities would be unfeasible.
Craig [10:46]: "You need budget at the scale that the US has… tens of billions of dollars into just this sort of activity."
The conversation shifts towards the necessity of establishing a European Cyber Command. Craig asserts that cyber capabilities are existential and must be prioritized to ensure collective security. He contrasts the decentralized cyber efforts in Ukraine with Russia’s more organized and hierarchical approach, underscoring the superiority of a centralized cyber strategy.
Craig [22:58]: "Cyber, that's an existential problem. This should be their top priority."
Tom echoes this sentiment, emphasizing that cyber operations offer strategic advantages by enabling nations to influence adversaries without resorting to overt military force.
Craig [28:11]: "It's a strategic capability. It can compensate for missing capabilities in other areas… it's a very valuable strategic asset."
The hosts reference the ongoing conflict in Ukraine to illustrate the practical applications and limitations of cyber operations. Russia's attempts to disrupt Ukrainian infrastructure highlight both the potential and the challenges of cyber warfare. Despite significant efforts, the effectiveness was limited due to Ukraine's acclimation to continuous cyber threats, suggesting the need for more robust and proactive cyber defenses.
Tom Uren [21:00]: "The Germans were so unconvinced that the German spymaster got caught in Kiev on the night of the invasion."
In concluding their discussion, Tom and Craig agree on the critical importance of developing a coherent and centralized European cyber strategy. They acknowledge the complexities involved but maintain that the evolving geopolitical landscape necessitates such advancements to ensure European security and resilience against global threats.
Craig [32:23]: "We can reach out and touch you, but we don't need to."
Tom Uren [33:24]: "Yeah, exactly. So you, you buy it?"
The episode underscores the urgent need for Europe to enhance its cybersecurity infrastructure amidst diminishing reliance on US defense support. While acknowledging the significant challenges in creating a unified intelligence framework, the hosts advocate for increased cooperation and investment in cyber capabilities to safeguard European interests in an increasingly digital and adversarial world.
This summary provides a comprehensive overview of the episode’s key discussions on the necessity, challenges, and strategic importance of establishing a European Cyber Command amidst shifting transatlantic defense relations.