A (2:55)

Ago, it would still be espionage and you could have done it 100 years ago, whereas you couldn't hack into, you know.

B (3:01)

Yeah. Trying to get people employed at particular places. So sometimes it's in the government so that you can steal documents, sometimes it's in a media outlet so you can shape reporting and receive. It says early warning of critical stories. Spies convinced a state bureaucrat to log into a database to obtain the names and addresses of individuals considered dissidents by a foreign regime. So that, I mean, I wouldn't call that the combination of the two either, because it's just stealing something from a database.

A (3:37)

I mean, that's where the information was. Right. If it was on index cards or if it was printed in a book, that's what they would have stolen. Instead. It's not.

B (3:46)

Yes. So it's interesting to me that he says it often happens and then he gives no examples whatsoever, like by my criteria, and I think there's probably a reason for that.

A (3:56)

Right. So I was going to say, like, that would be an embarrassing omission unless there was some sort of reason behind. So, yeah, like you wouldn't come out and just say, you know, this happens all the time. For example, here's a case where it didn't happen and here's another case where it didn't happen.

B (4:13)

Yeah. So my thinking was that you could have that kind of combined operation that is in a sense below the noise threshold from a Humint operation point of view. Like, it's not a big flashy Humint operation operation. And by the same token, it's not a very noisy cyber espionage operation. Like together it could be quite powerful, but it may be harder to detect and disrupt. And so perhaps they just don't want to talk about what those examples are, even in those rough general details.

A (4:46)

Yeah, I mean, I could construct an example that would make sense here. So like, maybe you want to steal a database, but it's like 200 gigabytes. Right. It's like if you pulling it out over FTP or via DNS or whatever, it's going to be a lot of data and it's probably going to stick out because that much data shouldn't flow in that direction that quickly. So you want to have an asset inside, but he doesn't have permissions to access that database. So you could perhaps use cyber to compromise, grant him permission, allow him to move it onto a USB stick, remove that, and then he can walk the USB stick out like that.

B (5:30)

I'm just thinking that perhaps the reason they're not in this speech is because they're too boring or technical to make any Sense.

A (5:39)

So he didn't have capabilities for netadmin, which was necessary to sniff the packets as they were going through. Does that make sense to everyone? Anyway.

B (5:53)

This combination, plus the fact that Burgess didn't give any examples, made me think about the structure of Western intelligence agencies where these are separated. Like cyber espionage tends to be separated from security. Intelligence tends to be separated from human satellites, from human.

A (6:13)

From mass ends like measures and specs.

B (6:17)

Yep. And are we missing a trick? Because if the game is at the intersection by having your organization split.

A (6:25)

So like, I think, I think the thing is like, that's what CIA does in a way. Like they're very much. We steal secrets. Like it doesn't matter if we have to hack, if we have to convince someone, if we have to take pictures, wherever they are, we're going to get them. That's our job. So I think CIA squares that circle. But I don't, like, I don't think it's a good idea to have everything be a CIA for the reason that like, these are highly technical fields. Right. Like SIGINT is. It's things like antenna design and how radio waves interact with the atmosphere at different heights and during different weather.

B (7:07)

Skywave, ground wave.

A (7:09)

Yeah, These are things that are like, these are not like just straightforward things that you pick up as you go along. Like you're not learning it on. I mean you can learn on the job, sure. But it's. These are highly technical things that you need specific training for. And then once you know them, it doesn't necessarily transfer to like recruiting people.

B (7:31)

Or sweet talking potential agents.

A (7:35)

Right. Turning friends. Yeah, it's, you know, if you spend five years learning how to do satellite imagery analysis, you can't just switch over and be like, well, you know about satellites, so you're going to be able to help us with intercepting satellite communications. Right, right, right.

B (7:52)

I guess you're strongly saying that there's reasons that these specialist disciplines are separated and it's like a functional reason. It's because of the, the technical requirements. Now that doesn't mean that they have to be in the same agency, I guess.

A (8:09)

Well, it doesn't mean that they have to be in separate agencies. They could be.

B (8:12)

Right, yeah. Yes.

A (8:14)

There could be a combined. The intelligence agency that just does all of it.

B (8:20)

Yes. That's what, 200,000 people or something like that. But that also made me think about the broader cyber threat intelligence industry, which we spend a lot of time talking to and about and thinking about. And it makes sense that that industry is not agglomerated. Into the 100,000 consultant type jobs. Right. And so that industry is very focused.

A (8:52)

Yeah. So I was watching an interview with an author of a book that I'd like to read called Counterintelligence at Its Core. So he brought up something that I've been thinking about, which is, I think it's related to this. So he was talking about how the problem as he sees it with cyber is, first of all, cyber is siloed off from other things. And. And he doesn't believe that it should be. He calls it. It's just espionage with computers. I think he's right. But as we've said, there's functional and technical reasons that you need to silo it off. I also think that cyber is special because.

B (9:29)

Because we're special people.

A (9:31)

Yes. That's probably the best way to put it. Right.

B (9:39)

I mean, to expand on that, I guess it's a relatively new discipline that requires relatively deep technical understanding to know what's going on. And so that is the reason maybe it's different.

A (9:52)

So, yeah, anyway, I think there's important reasons for it to be separate. I also think that cyber is special, that it can do things that other espionage disciplines simply cannot. It can manipulate minds and the way that people interact with things in ways that are much more powerful and interesting than other intelligence disciplines. But one of the other things that he brought up, which is a criticism that I've been making in some of the research I've been writing up for my doctorate stuff, I've been looking at the way that the Russia, Ukraine, cyber war has been covered, and there's this thing where the threat intelligence companies cover the technical details and then they go hands off. Right. So it's like, you know, the Russians used this malware to do these attacks.

B (10:48)

Yep.

A (10:48)

And then it stops. And that's useful information if you're worried about that malware. But that's not relevant to what was actually happening. Right. Like, the important thing was that they were doing the destructive attack against these computers.

B (11:02)

So what's missing seems to be the. Is the actual impact and the strategic import of whatever happened.

A (11:09)

Right. I would go so far as to say the context.

B (11:13)

Right.

A (11:13)

Yeah.

B (11:14)

I guess it's like talking about Notpetcher and saying it wiped out a whole lot of domain controllers.

A (11:19)

Right.

B (11:20)

Without mentioning that it affected the operation of many, many different companies around the world.

A (11:27)

Right, right. I think on the one hand, you need to have that context to understand what was going on and why it was happening. But I can actually see why, as a threat intelligence company. You don't want to touch that with a 10 foot pole. You don't want to show up and be like, hi, here's what China is doing with their grand strategic plan for how they're going to do, how they're going to dominate solar power. And these are the things that they're going after and this is what they're doing and it's part of their intent to do like this, that and the other on the global stage. If you get any of that wrong, which is very likely because you probably don't have sources inside China providing, you know, humans and so on. You can't combine your intelligence. You only have this, these technical. So if you, if you get any of that wrong is going to blow up your entire report.

B (12:25)

Yeah, yeah. So we've spoken a number of times about think tank style reports and there are a couple of security consultancies who have now China specialists like Dakota careys@sentinel1, and I think there's another group, Margin Rhee, that we spoke about with the cyber militias. They've got a couple of people who are China specialists. And I always find those reports very fascinating and really interesting. But I'm also always a bit cautious because they're not government intelligence agencies. They're not sitting behind government intelligence agencies. They're collecting all source intelligence and collating. So they're looking at, is it like a kabuki theater where you've got the shadows on the wall and they're drawing conclusions.

A (13:14)

Kabuki is where it's very stylized. They're looking shadow puppets.

B (13:20)

The shadow puppets. Maybe that's the better analogy. They're looking at the shadow puppets without having whatever deep insight a government intelligence apparatus might have. And so it's the best picture we've got, but it's not a complete picture.

A (13:34)

Right? Yeah. So I mean, part of his criticism was the problem is that you're not combining cyber with traditional intelligence and you.

B (13:43)

Need to do that.

A (13:44)

And then he said like, and that's why CTI gets things wrong. And it's like, dude, CTI doesn't have a human branch that they're just deliberately not including in their reporting. They don't have this line of intel coming in from recruited agents that they're managing through their large network of officers that they've got stationed in embassies around the world or whatever.

B (14:07)

Right. So yeah, there is a lot of back and forth between what I would call the industry and the intelligence community.

A (14:15)

Especially industry and the other industry.

B (14:20)

Yes, especially in the cyber fields. And I Think it shapes people's attitudes and perceptions of what's going on. So that makes me wonder.

A (14:31)

It's shaped the vocabulary that we have in cyber. Right. So there's been quite a lot of that.

B (14:36)

Yeah. So that makes me wonder if as a group of people working in this field, we're all a bit too narrowly focused on the technical at the expense of the. What's it actually mean.

A (14:48)

So I think that there's. There's space for that analysis, but it's not inside of the CTI companies.

B (14:54)

Yes.

A (14:55)

And I think there's a number of reasons for that. You know, as. As we've covered, like, they just don't. They don't have that information. Second of all, if they get it wrong, it's a huge reputational damage. Like it's a lot of harm for them getting it wrong and they don't have the information to make sure they get it right.

B (15:12)

Right. Yeah. It seems to be all risk, no return. What does it get them?

A (15:18)

Right. I think that that's the final part, which is that even if they did have it, it doesn't matter to their customers. Their customers are not looking for geopolitical insights. They just want to know how to protect themselves or how to not get hacked, how to recognize when they have been hacked. And so they are narrowly focused on cyber. That's what their customers want. They have this narrow focus on cyber. Therefore the vendors supplying those customers are going to be focused on the same thing the customers care about.

B (15:47)

Yep. So it totally makes sense for security companies to not care is basically what you're saying. Maybe they care, but like they don't devote any time or effort to it because there's.

A (16:00)

Right.

B (16:00)

They're on a hiding to nothing doing that now it makes sense for intelligence agencies to care very much.

A (16:07)

So. Yeah.

B (16:08)

But I guess, of course we don't see the intelligence agency reports.

A (16:14)

Unless they show up on the War Thunder forum or on Discord.

B (16:17)

Oh, yeah, yeah. So I was wondering whether that tendency, that focus of the industry, which makes sense, actually kind of works its way maybe upstream into intelligence agencies. Because. Because a lot of the people in there start with technical data, the bits and bytes that they can see, the malware they've intercepted, the signals, intelligence, what have you. So that's the pieces of the puzzle that they're working with. There's also the siloed nature of the agencies for signals, cyber, et cetera.

A (16:56)

They sort of have this need to know attitude, just very detrimental to information sharing. Right.

B (17:02)

Yeah. And also, like, once you've done that technical analysis and come up with, I don't know, maybe it's a battle damage assessment or something like that. Half of what you're going to write is unintelligible to someone from a different agency.

A (17:16)

Right, right. And it's. So I think one of the things that's very interesting about CIA is half of the agency is analysts. Right. Like, half is operations, but the entire other half is just people who analyze information that comes in and put it together. And I don't think there's any other agency that sort of has that sort of breakdown of like attempting to just collect things and then process it in a way that can make sense. Obviously, other agencies have their analysts who do stuff, but it's that huge focus inside CIA, I think, is quite interesting.

B (17:55)

So I guess your answer is there's reasons to have functional separation and specialist skills in specialist organizations. For everything else, there's CIA's analytical division, whatever that's called.

A (18:10)

Yeah, well, it used to be the Directorate of Intelligence, which I think is funny. So there's the DI and do the Director of Intelligence, which did the analysis, and the Director of Operations, which did everything else, like, you know, overthrow regimes in Central America, get rid of democratically elected Middle Eastern governments, prop up Chiquita banana in, you know, Honduras and Guatemala. So sort of one of the interesting things is if you take an agency that doesn't have that culture of analysis as its own discipline, the KGB initially, and now the FSB and the SVR as their descendants, have this culture of viewing documents like the thing that you actually get as ground truth. So if I talk to you and say, what is the intent behind this? And you tell me like, oh, this is what they're thinking, and kind of like the vibe is this thing that gets discarded as just complete bull because no one cares. All we want is the document that came out of it, the actual proof, which means that they have a very stilted understanding of things because they take all of these documents at face value and then try and interpret them from what's in them without. They don't have concepts of unreliable narrator. You need people. If that's what you're doing and you want to do document analysis, that's great. But you're going to need humanities majors, people who've been trained at looking at documents and teasing out what the author's intent was behind it and who would understand the organization to be able to say, all right, they always produce the sort of document at this sort of time, and it's generally just to show whatever for their promotion packages that are coming up. It's not relevant to their actual operations, it's just part of their cycle. Like you need that sort of in depth knowledge to be able to understand the artifacts that are being produced. And you have that with CIA because they have people who do that, whether they're actually allowed to do that and whether they're working on that. They'll have someone who's a Central American specialist, but they only have an opening in the Southeast Asia division. So that's where he has to work. And he's just going to have to forget his Spanish and start learning, you know, Burmese or something. But that skill set is its own discipline. And I think that this is reflected again with the CTI thing of like, you don't necessarily have people who are just pure analysts who can deeply understand the broader geopolitical context and the organizational context of what you're looking at and then piece it together. Like you can do that at a technical level. Like, I don't think they employ people doing that. It just, it doesn't seem like something that would be productive for them for all the reasons we listed earlier.

B (21:09)

So you're basically saying the outside the intelligence community cybersecurity industry is just a slice of what goes on in the intelligence world.

A (21:20)

Right.

B (21:20)

And it's a narrowly defined slice based on what people think they can make money off. I guess.

A (21:30)

Yeah. So you have this like, you know, intelligence is always produced for a customer. Right. Even within the intelligence community, that's the way they view it. To produce good intelligence, you need to have a good customer. Right. Like you have to have someone who can ask the right questions or who can understand what's given to them, you know, who wants to know the right things and then who uses it. So if you take that approach and then you think about the customers for CTI companies for like these threat intelligence companies, good customers for them are not going to be asking the penetrating questions about what is China's five year goal in our sector and what can we do to frustrate it and what can we do to beat them at their own game or whatever they want to.

B (22:16)

Know, what should we patch next?

A (22:19)

Yeah, right, yeah. What is China using and how do we detect it? Which just, it's not going to benefit from the other analysis. It was something I was thinking of earlier when we were discussing and one of the things from terrorism studies, like it's the way that organizations at different levels have different types of myopic focus. Right. So if you get down into the trenches and the frontline stuff. They don't see the big plan and they don't understand where their attack over here is actually just part the of. Part of a broader strategy to achieve something. Right. So from a terrorist point of view, violence has to be part of a political context, just broadly speaking, obviously not in every case, etc. Etc. But if you're trying to achieve something with violence, I mean, this works for the military as well. Like the military is trying to achieve a political outcome, Right. And they're using violence to get there. The people who do the violence will think the reason this isn't working yet is we're just not doing enough violence. We need to do more violence. Whereas the politician at the center, like the people making the political decisions about what they're trying to achieve, can see that you need to ramp up political violence at some point, and then you need to ramp it down again because you start achieving your goals and you want to create an environment that allows you to progress closer to your actual political goals. Right. Like, it's not violence for violence sake. And so I think part of the problem we have maybe in cyber, is everyone's in the trenches, right? So there's always this. You know, what we're missing is more cyber. If there was more cyber, this would be more better. And you do need to have people sort of above that who can see where that actually fits into the broader strategy and where it fits into this context of what you're trying to do. I think this shows up, for example, inside companies where you'll have the security division. You know, this is a trope that gets talked about all the time, you know, like the Department of. No. Or.

B (24:21)

Yeah.

A (24:21)

You know, just like you're there to enable the business, and you have to see that there's the strategic vision that the business has, and it needs to use security to achieve that strategy. Like it needs to. To. To achieve that vision. But security is only part of that vision. Like, it needs to make sure that that's possible. But it's not the center of the universe.

B (24:43)

No, there's no organization where security is the top priority.

A (24:47)

Right, right, exactly. Very much so. So it is a very valid criticism to say that CTI is too focused on cyber and technicalities and these technical sort of tactical myopia, and they're just. All they care about is these technical details and who did what when and so on. But that's exactly what you would expect from a frontline group that.

B (25:11)

Yeah, that's what it's for. That's its purpose.

A (25:13)

Yes.

B (25:13)

That's literally obsessed over technical details that no one else cares about.

A (25:20)

Yeah, that's why they're there. Yeah, that's literally the point.

B (25:24)

Well, I was actually just thinking that the entire audience for our podcast is maybe not the entire audience, but I imagine that there's many people who do very technical things day in, day out and just enjoy a little bit of discussion about the broader context once a week.

A (25:43)

A bit of geopolitical context as a treat. Now I would say that there's a deep personal richness and wealth that comes from knowing that stuff. And so you should actively go out and seek out perhaps a podcast that can provide that sort of information because it will make you feel good and sleep better at night.

B (26:03)

I don't usually say this, but yeah, like and subscribe etc, etc, etc. Thanks a lot, Craig.

A (26:13)

Thanks a lot, Tom.