B (3:12)

Yeah. I mean, I'll buy it. I.

A (3:15)

Yes, go on.

B (3:17)

Like, I'm just, I'm not sure how transferable it is and how. How complete it is. Right. So like if you do this against Armenia, Armenia is probably willing to shut down their Internet. But if you were Germany.

A (3:32)

Yep.

B (3:33)

I'm not sure that they would be. And if you were like the uk again, I don't even know if they've got the infrastructure for that, which I guess would be another thing is that the Iranians have practice doing exactly this so that they will have plans and procedures and people to call and it's a thing they can do.

A (3:54)

Now, one thing that occurred to me, another country that might be in a similar situation because it's in what George Bush famously called the axis of evil, is North Korea right there. And I'm kind of in two minds. Like it seems like they probably would have the ability to shut off the Internet, but there's not much of an Internet to begin with. So, you know.

B (4:17)

Yeah. It wouldn't even impact their cyber capabilities because that's all run out of China.

A (4:22)

Yeah.

B (4:23)

Right.

A (4:23)

Or Malaysia.

B (4:25)

Yeah. Indonesia. Yep.

A (4:28)

Everywhere else. Now I still think the idea that the victim country can take drastic measures make sense and that they probably would do something they. A long time ago we spoke about how companies are actually the terrain. But in fact, countries also have a

B (4:50)

lot of control over the meta terrain of the terrain.

A (4:54)

Yeah. They can go to telcos and say switch this on or switch this off or.

B (4:59)

Or whatever. Yeah. Well, I assume actually that to a degree, if you're unprepared for a massive change in the landscape. So as an attacker, if you're like, we're using SSH because SSH is a safe default. Right. If the country just goes, you know what, that's it. The only port that anyone's allowed is 443. All right, we're done. Ingress and egress. If it's not 443, it's not happening. Unless you had prepared for that. That could catch you completely off guard and suddenly all of your access gets lost because you hadn't thought to set up like an email based back end that can be batched or something that connects back over 443 or whatever other contingency stuff.

A (5:44)

Yeah.

B (5:45)

And I could see that happening, at least for some tiers of operators, like, they might not have enough redundancy.

A (5:53)

So I think the key thing I picked up on there is if you're not prepared. And so now, now I'm going to pick holes in my own argument in that. I think when it comes to Iran, at least capable cyber actors would be thinking, yeah, they're probably going to switch off the Internet. So what's, what's our plan B?

B (6:14)

Well, I would say that if they didn't think that they haven't been operating for longer than like, three weeks, because just a month ago.

A (6:23)

Yeah, that's right.

B (6:24)

That literally happened. Right. So, like, as a cyber operator in an offensive role, Iran is probably the best case for an Internet shut off, not impacting you in that you would have had several opportunities to experience it, put things in place, test whether the stuff that you put in place works now.

A (6:47)

Yeah.

B (6:47)

And you could probably iterate, you know, one or two times before this time comes around. And so you would have had, you know, you would have just had opportunities to make sure that it doesn't catch you off guard and that you would be prepared.

A (7:00)

Yeah. So back in the 50s, or maybe it was the 60s, quite a long time ago, the US embassy in Moscow, they were gifted an art piece and it turns out that, yeah, art piece was a microphone and it was entirely passive. And. And if I recall correctly, the way it worked is that the Soviets would irradiate it with, I think it was microwave radio frequencies anyway, and when it was being lit up, it would reflect and the reflection would get modulated by the sound of people in whatever room it was held in.

B (7:42)

They called it the surface. Yeah, it was the thing. Yeah.

A (7:47)

So I guess the point of this story is that even without the Internet, there's ways of getting information out of places by being clever that are hard to detect. And that was partly hard to detect because it was entirely passive.

B (8:00)

So. So, yeah, like there's loads of ways of no Internet, but still some means of gaining access to intelligence.

A (8:11)

Yeah. So I think when it comes to this particular scenario, Iran, Israel, the us there would have been plans for. What do we do when the Internet goes down?

B (8:21)

Plans on plans. That's right. Like it's contingencies for contingencies. Like it would have been.

A (8:29)

Yeah, yeah. And I think at one level it might be something like, ah, we've got access to the Supreme Leader's communications. We want that all the time, regardless of. And in fact, especially when there's domestic unrest.

B (8:43)

Right.

A (8:43)

And so you can imagine that there's these very high level potential operations against senior people that would be, they would have redundancy or in fact alternate ways that don't rely on the Internet. And it kind of depends, I guess, like what sort of priority it is, how far that goes. Do you want to be able to do everything that you normally do without the Internet? Like that's a lot of work, but maybe you could figure that out.

B (9:06)

Yeah, well you could. I mean you would prioritize. Like if you've got the Internet, it's possible to do like, you know, the secretary's mother's emails can get scraped just in case she mentioned something that's useful. Right. So that might get dropped as a collection target, whereas the bodyguards fitness tracker is still going to be highly useful, for example, that sort of thing. So I think that you could, yeah, I'm pretty sure that you could have a list of like, if everything goes wrong, we need to have at least this. And if we can do this and one other thing. Here's that one other thing. And if we can do only 10 things. Here are those 10 things in order. I feel that if you don't do that and you've got a $20 billion black budget, whatever, you know, like it's just, you don't deserve that money. Right. Like if you're not able to, to deal with contingency planning, what are you even doing?

A (10:13)

Yeah. So I think the Venn diagram here is that Iran is a high priority target, certainly for the Israelis, also for the US Maybe not the highest, but certainly high.

B (10:24)

Right.

A (10:24)

Internet shutdowns, I mean it's no Venezuela, let's be fair. Internet shutdowns are standard practice. And so you've got the combination of priority and it's likely to occur.

B (10:39)

Right.

A (10:39)

So you want a contingency for that.

B (10:41)

It has occurred in the past. So if you weren't, if you weren't prepared the first time, the second time and the third time, maybe this fourth time,

A (10:52)

and it seems like the U.S. at least the U.S. has had plans on the shelves at least to invade Iran for 20 years or something like that.

B (11:03)

Yeah. So I think you're just to bounce back. Your initial point was that if you have an adversary that relies heavily on cyber and you can't really get the same value from cyber, you're going to look at drastic measures. And I think that that's true, but I think that cyber is just such a useful thing in terms of reducing friction internally and making things more efficient, that the drastic measures are going to be mediated by just how much pain you want to inflict on yourself as well.

A (11:42)

Right.

B (11:43)

And I think because of that, people are going to try to find a way to keep as much benefit for themselves as they can while limiting, while shutting off the Internet as much as they can as well. Sort of doing both because they, they cannot actually shut it down for themselves. I think that that creates the opportunity for someone who does prepare and does put in. Yeah, yeah.

A (12:12)

So I thought a more realistic scenario was something like US, China conflict, where God forbid I could imagine the great Firewall people, whoever they are, really adapting or ramping up what the Great firewall is doing if, if a conflict did happen. And so it's not an Internet shutdown because I just can't imagine that they would do that. But.

B (12:36)

Right.

A (12:38)

Because it's so useful for their own population and for their own economy. Like how would you do anything? I don't know.

B (12:44)

I mean you probably couldn't even listen to between two nerd that could crash your entire economy right there. So.

A (12:55)

Yeah, so I don't know what that would actually in practice, I'm not sure that it would even make much difference like to the two countries. But whatever it is that the Chinese Great Firewall were doing would be doing more of.

B (13:11)

You could take out, if you're China, you could just take out US East 1 and then the US will be cut off from the Internet and you know, you can continue to do your own thing. So like I, I think China is actually, it's, it's one of the few countries that is really like there's always this idea of like the sovereign Internet, like if, if, you know, Russia wants to, they can pull the plug and they'll be entirely self contained and they can't really do that, but I think China could. Right. Like they've got their own everything, right. They've got their own messaging apps, their own search engines, their own social media, their own video. Like they have all of their, like

A (13:54)

they have their own Internet, they've got their own TikTok.

B (14:01)

Right, right. So like basically in theory, China could actually turn off the Internet, like completely isolate themselves. I, I don't know if they would want to do that, but I think they're one of the very, very few countries that could and could still operate internally pretty much the same. Right. They wouldn't suffer degradation of their own services necessarily.

A (14:26)

Yeah. So it's interesting, they've had Salt Typhoon which has gone around compromising a whole lot of international telcos. They've had Vault Typhoon which is quite compromised critical infrastructure for the purpose of sabotage. People think in, in the event of a conflict over Taiwan. So they're particularly vault, it seems like, yeah, we're planning to be able to do this. Whether they're planning to actually do it, I don't know. But that, that would make you think that if you're going to compromise critical infrastructure, you should also be thinking about what are we going to do with the great firewall on that, on that day? What's, what's the switch that we flick,

B (15:08)

to coin a phrase. If you go in with a plan, you should probably have a plan for what happens when you get punched in the face. Right? Yeah. So, yeah, I could see that they're probably expecting some way to respond to that sort of threat. But again, I do feel that the China target would be important enough that the US is going to put several million dollars into making sure that there's like carrier pigeon based backdoors if necessary. Right. That there's going to be some means of lighting signal fires across the Himalayas to send signals if they have to. You know.

A (15:55)

Now to me it seems that all these sorts of things would be more espionage based rather than like effects or disruption based, like.

B (16:03)

Right, well, yes, I'd say like there's probably, there's probably a Maslow's hierarchy of needs for states and it's at the top you've got effects, but at the very bottom you've got like knowledge of what other people are doing. Right. Like you probably have your, there's, there's effects at one end and at the bottom end it's like just intelligence is so much more valuable. Right. Like once you've got loads of intelligence, you could start building up and doing other things because it's just like having an effect would be interesting, but if you can't do effects, you're going to try and fall back to at least knowing what's going on.

A (16:41)

Right, right. I like framing it as if you can't see what's going on, you've got no idea where to what, what to actually do. Like you need to remove the fog of war as much of you as you can before you can try and disrupt anything.

B (16:54)

Yeah, absolutely. I think that's a good way of framing it. So I think that the issue is that if you're a top tier player, you've seen that the Internet gets shut off, you've realized this is actually a threat to what you're trying to do and you're going to put in some sort of contingency ahead of time. So I believe that this is true for Iran because it's happened several times. You've had, like, you've had ample warning by this point. You shouldn't be caught off guard anymore. And I think that with China, they must have just been so concerned that there'd be a redundancy. That said, China is the place where they were using incredibly bad cofcom. Like, are people.

A (17:40)

Oh, that's right, the CIA.

B (17:43)

Right.

A (17:44)

Well, I mean. Okay, so just to step back for people who weren't aware, there've been a couple of stories where I think the Iranians first found out that the CIA was running assets with like, just tremendously stupid covert websites. And the problem was that the websites were built off, not exactly a template, but they were. They were similar enough.

B (18:11)

Similar. Yeah.

A (18:12)

That you could. Perhaps it was a template, actually thinking about it, where you could just Google for particular strings and it would bring up all the other websites. And I think the assets were somehow logging on. And so they then told the Iranians, then told the Chinese. The Chinese rounded up a whole lot of CIA assets and executed a whole lot of them. So it was a massive setback for.

B (18:40)

We did an entire episode on this, actually.

A (18:42)

Yeah, I remember you talking about it being a translation from a human way of doing things to the cyber realm. And it just wasn't appropriate.

B (18:52)

Yeah, as I recall, it was basically, it appears like a dead drop conceptually. And so if you are a human type person and you go, here is an online dead drop, perfect. That's as safe as we can get. Whereas it's simply not because things don't translate.

A (19:13)

Now, I think that's slightly different because it is CIA rather than.

B (19:18)

So I think it would be fair that NSA probably has invested more into alternatives and ways of making sure that there's contingencies for their cyber stuff to keep working, given that it's so much of their mission. Yeah, yeah.

A (19:34)

I think in the case of Iran, it would almost be ludicrous to think the head of NSA turning up and saying, oh, yeah, we've got nothing. They turned off the Internet, so they

B (19:42)

flicked the switch that turned off the router. And we had never considered that, you know, they did it four times already. Who thought that they would have done it a fifth time? You know, that just came out of nowhere. Bolt from the blue. I think that let's say you're France. I'm not sure France was ready for this. Or you're Germany or Spain or whatever. If you're a top 10 tier, top 20, probably in the top 250 really of countries.

A (20:15)

Right. So you think that the ability to have non Internet reliant cyber espionage capability is very, very thin. Like there's a couple of countries that

B (20:27)

would be maybe a few more than a couple, but yeah, not very many because I think that the like so many. And here I think it's just a matter of resources. Right. Like, I'm not saying it's just a matter of like intelligence or.

A (20:41)

Right. They could do it if they really wanted to.

B (20:43)

Right. If they had the money that they invested in doing it, they would be able to do it. But because they've got all these other priorities going on and they've got so much budget and it's just going to be like, yeah, we could do the belts and braces, very expensive, you know, deluxe option or we could do the one that we can actually afford and some of them are going to be caught out. And you know, I expect that if you are Iran, like if you're sitting there and you're going like, oh well, we can't keep the NSA out so we may as well not bother. Right. Like I'm not sure that that's the logical approach that they would take. I think that they're going to go, we are going to keep everyone out. Maybe not nsa, but everyone else. So it's worth it.

A (21:29)

I mean I think all targets think that they can keep people out. Like it's Right. And I think maybe either they think they can keep people out or they think they don't have any choice but to continue on. Do you know what I mean? Where?

B (21:46)

Right, right.

A (21:47)

We're running an Islamic revolution. We're going to keep things secure.

B (21:50)

What are we going to give up because someone can read our emails?

A (21:52)

Exactly.

B (21:53)

Yes.

A (21:54)

Yeah. And unless it's proven that they're reading your emails, which most of the time it's invisible to you. Right.

B (22:03)

Until you get a JDAM for a wake up call.

A (22:06)

Yeah. And then, well, it's kind of too late. Right. And so I think that dynamic applies for a lot of countries that are target countries and.

B (22:16)

Right.

A (22:16)

And also a lot of the time they're right. You can't get into everything all the time and so.

B (22:22)

And you can't even monitor everything all the time that you could get into.

A (22:25)

Yeah, yeah, yeah. So I think for most people most of the time it's a fair assumption that you're not being surveilled. It's a big call. No, no, I think that's true. Most people most of the time, yeah.

B (22:41)

Well, we're probably gonna have to do a BTN episode on this because part of that is based on cost and I think that that's going down.

A (22:49)

I mean, we could get a bit philosophical about that. What does it really mean to be monitored if the computer.

B (22:56)

Right. Like if, if the computer is run by NSA rather than by Google, does it change what being monitored actually means?

A (23:03)

Yes. Yeah, exactly.

B (23:06)

So, you know, speaking of contingencies on contingencies, just a few Weeks ago the US sent something like 8,000 Starlink terminals into Iran.

A (23:17)

Right, Right. I think that was off the back of the first shutdown. Like, was it three months ago? Was it that long ago?

B (23:26)

How many decades has it been since three months ago?

A (23:29)

Don't know.

B (23:32)

Yeah. So like, I mean if, if I'm the US and I'm sending a bunch of Starlink terminals into Iran. Yeah, I'm probably.

A (23:41)

And the story was this was the US government as well. This wasn't just, it wasn't a philanthropist, NGOs or.

B (23:48)

Yeah, yeah. If that was me and I'm the government, I'm probably sending the special firmware pack with, you know, Like, why wouldn't you. You know, it's just.

A (24:02)

Yeah. I did think about Starlinks as egress or an alternate and my first thought was that it's tricky because they have a WI FI component which is easy to see. But I like, now that you mention it, it's sort of like, well, if they're funded by the US government, wouldn't it make sense to put something else in there? I don't know.

B (24:29)

Yeah, like an extra daughter board or you know, just something like. I.

A (24:35)

It's in the realm of possibility for sure.

B (24:37)

Right. It's. The Venn diagram is pretty close to a circle. Like it seems to me that, that unless Iran goes full shutdown and kills even their own internal access, which would count as an effect, if you're the US and you can't collect because the other side has completely shut down all Internet networking based computing everywhere, that's a win. You've sent them back to the 1950s. That's great. There's just no way that they can do command and control anywhere near efficiently enough to respond to anything. Like, I don't think you could achieve that effect with regular cyber that'd be so comprehensive that it wouldn't be realistic. Just because you'd have like, you wouldn't be able to order everything and you wouldn't be able to guarantee everything would go down. But they do it to themselves. It's perfect. Anyway, that's the way I would spin it if I was a Dodger Fantasy. This is a good thing. Thanks a lot, tom.

A (25:55)

Thanks, crazy.