A
Hello everyone, this is Tommy Wren. I'm here with the Gruk for another Between Two Nerds discussion. G'day, Gruk. How are you?
B
Fine, Tom. Yourself?
A
I'm well. This week's edition is brought to you by SpecterOps. SpecterOps make BloodHound, which is a way of searching through your Active Directory and finding all the different ways that malicious actors can navigate their way through it. Check them out at specterops.io. So Gruk, the Center for Strategic and International Studies, CSIS, it's an American nonpartisan think tank. They published at the beginning of this month a seven-chapter playbook for winning the cyber war. There's a lot I like in it, but of course, just saying that I like a lot of things, it's not a very interesting podcast. So we're going to nitpick our way through some of this report and I thought we'd start by just reading out a couple of the framing sentences. Before I do that, I should say it's got a chapter on Russia's cyber strategy, Iran's cyber strategy, China's cyber strategy, the US's cyber strategy. It's got an examination of different case studies they did. And then they have, I guess, a recommendation chapter, what the US should do, "A Playbook for Winning the Cyber War". So it's quite comprehensive, a lot of work went into it. So I'll start by just reading a couple of sentences that appear right at the beginning of different, I guess, introductory pages to the report. So very first sentence: "Cyber operations are already a central feature of global competition." This is where you start to get your face if you're, if you're listening and not watching on YouTube.
B
I don't know about central. I would say that they are a feature of global competition.
A
I think there seems like they're central for some players, but not in a symmetric way. Like maybe for Russia and China, they're central for the way that they compete with the US. But the opposite is not true.
B
Right. Well, it's just like the US does not compete with China for exports of iPhones.
A
Yeah, yeah. So it doesn't seem like it's symmetric. And I guess this follows on from our discussion last week where it seems that the US has other instruments of national power, like other tools that it thinks it will win the game. So off to a good start. Very first sentence issues. So another sentence just going to say.
B
Like four hours later. And on page three, if you go to.
A
So I'll read these two out together. So this is from the executive summary. "The United States has been losing a war it did not know it was fighting, and it has been losing for the last 20 years. Russia and China have fully integrated cyber tools into their larger foreign policy toolkits, and Iran is a growing cyber powerhouse. Meanwhile, the US has built a powerful offence, but has dangerously neglected defence." So, so to me, this is basically similar to what we were saying just a minute ago, that it's an asymmetric benefit, and so Russia and China have been taking advantage of it. But I don't see how the US probably could have done better on defense for sure.
B
Right? Well, I would say that they're not ignoring defense. I just think defense is an incredibly hard problem. I mean, they say later that one of the ways that Russia and China have implemented defense is with heavy Internet surveillance, censorship and strict monitoring and things like that. And I think that if that's defense, then give me weakness. Like it's, it seems like we don't want that in a free society. Like I, I would very much not like to live in a place where that is the norm.
A
Yeah. My impression is also that a lot of Russian and Chinese firms are very vulnerable as well, and that if you look at the Chinese Internet and the Russian Internet, it's just rife with leaks.
B
Oh yeah, yeah.
A
And so I don't know that they're doing any better.
B
I think they're doing much worse, to be fair. Like, I think that the US gets pummeled so much that they're sort of forced to, to have a level of cybersecurity. I don't know if it's adequate or decent or good, but it is better than the people attacking them.
A
Right, right. So Russian ransomware has driven the US to be better.
B
Yes.
A
US ransomware has not done the same for Russia or China.
B
Right. And China stealing intellectual property has actually driven a lot of companies to have better cybersecurity, typically after they've been hacked and had their stuff stolen, but still it is happening. Whereas I think if you want to go and steal intellectual property from China, you can do it with 20 year old tools and have no problem.
A
Now, third sentence. So this is from part seven, which is actually how the US a playbook for how the US could win. China and Russia figured out how to bring down a superpower more than a decade ago. Rather than attack the superpower's strengths, they operate where it is complacent, forgetful and weak.
B
Right. So I have several comments. One of them is a decade ago. Like what they're like? No, like I think they've known about how to bring down superpowers for a lot longer. And second of all, I'm gonna say, rather than attack its strengths, which would be an incredibly dumb idea, they attract, they attack its weaknesses. Like, what did you expect?
A
Yeah. Yep.
B
So when, when the US fought the Taliban, they didn't say, sorry, using air power gives us an unfair advantage because you're weak in that area. Let's do this. IED to IED, right? We're going to do this, you know, one on one. You send your best fighter, we'll send our best fighter, and we'll shoot it out.
A
This makes me think that the US, at least in the medium to long term or short to medium term, is just destined to be the 800 pound cyber weakling because it's got tremendous technical capabilities. But that's just never how it's going to win in geopolitics.
B
Yeah, it's not the weak man of Asia, but sort of the sleeping giant of cyber, right? Yeah, yeah. Like China's going around kicking sand into the US, the US's face, and the US is like, yeah, I own the beach. What are you going to do?
A
Well, I mean, I think this is the danger of being a cyber specialist. Right. And I think this is the exact same trap our podcast falls into in that our premise, the premise of what we talk about is that cyber is important and makes a difference, which is obviously true.
B
However, when we're looking at these things, we can point out that they make the mistake of thinking that cyber is important and makes a difference. That's right.
A
They've fallen into the same trap we have.
B
Ha. I think that cyber is important and it can make a difference, but I don't know that it rises to the level of, like, geopolitical balance shifting. Right.
A
Yeah. So I was thinking about this and I imagined myself in the White House, and I can imagine that in every presidency since, I don't know, the late 90s or something, I could go up to the president and say, Mr. President, the Chinese theft of intellectual property is so important that we need to do something really drastic about it. 100% tariffs, start a trade war or threaten a trade war. And every single president, until Shanghai night.
B
Just to send a message, Right.
A
And every single president would respond, and I think, correctly, that you're crazy. This makes no sense. Who the hell are you?
B
How did you get in here? Get out. They would probably start with, that's insane. I think the thing is, intellectual property theft is very bad and it's a strategic problem, but it is so low down in order of magnitude of impact compared to the other things that are going on. Right. Like, not to dismiss it completely, but to say that, like, compared to all of the other things that exist in.
A
The broader relationship between the two countries.
B
Yeah, yeah. It's just. It's not as important as $30 billion worth of soybeans every year or consumer goods stuff. Right. Like getting stuff.
A
I think you. You sort of slice it into different levels and for every company involved, they're like, we don't want to lose access to the Chinese market. And so they would put up with basically unfair terms of, for trade and intellectual property transfer. And a lot of these were seen as a cost of doing business. So I think for individual businesses, that was true. They wouldn't want the US government to start some big argy-bargy to stop IP theft. And then for industry as a whole, that's also true. We've got more to gain than we do to lose from trade with China. And then for the American average consumer, it's like, I want cheap Chinese goods. And so there was never a time where it would make sense to have a big grand response to IP theft. Now I think President Trump would do it, except, like, his issues that he really cares about.
B
Probably not. I don't think that's a major motivator for him. I think, yeah, he'll just. He'll do whatever he wants to do.
A
Yeah, yeah. So there's this section here which I quite like, which is about redefined proportionality. Like, I'll read a few lines. "The old model of retaliating against cyber attacks, largely for cyber attacks, is outmoded and a guaranteed losing strategy for the US. Any single cyber attack is unlikely to cause enough damage to merit strong economic or even kinetic response. For example, the US should not respond to a ransomware demand with a cruise missile. However, pinpricks add up to an intolerable chorus of pain for US business and government entities. And allowing these attacks to continue with little or no response destroys any semblance of deterrence. As a result, the US needs to shift its thinking on proportionality, to consider the entire pattern of behaviour and draw on a wider toolkit, such as a combination of sanctions, regional diplomacy, cyber retaliation, and, in extreme circumstances, kinetic action." So it's basically arguing that, essentially what I just said, that you need to respond to the campaign rather than any individual instance.
B
Right.
A
But the problem is the strategic implications.
B
Not the individual tactical issues. Yeah, yeah, yeah.
A
And I'm sure that I've said that before, but the problem is that you run into that dynamic I just spoke about where the President would say, are you crazy?
B
Right.
A
Because there's so much else at stake.
B
Here's the thing. There are very, very few companies that went to China and saw the rules of operating in China, which is, you know, like, you need to have a partnership factory. It needs to do technology transfer, and in three years, the Chinese need to be able to stand up their own and, you know, copy it. If companies are willing to do that, right, because they think that the value of being in China is so great, that that is an acceptable cost, then it's an acceptable cost overall for the U.S., right. They can make the same decision. And you could say, like, this is completely. It adds up and these are terrible ideas and you're selling out your future. Anything you want to say, that's fine. But at the time, that's the decision that all of these people are making, all of these companies and individuals, and the state follows through on that. I think.
A
Yeah. So I think to me, this part seems right. People have said to me that this kind of deterrence hasn't worked. And my response is, well, you haven't really tried because you haven't really tried to deter the campaign. Like, you've tried to deter incidents, which is, like, pointless. But I think the dynamic is that there is no way you can try and deter the campaign. Like, it's just unreasonable.
B
I think that there's actually some very good points there that will be maybe missed because I think the emphasis is a bit wrong. What stands out to me is that cyber needs to be viewed not as a standalone, individual, separate thing, but that it's part of the tools of state power and it's part of the strengths of a state as a. As a nation state. Like, it's just. You have to view it not from the point of view of like, oh, if someone hits me with cyber, then I need to hit them back with cyber. You need to view it as if a state does something to me, I need to evaluate what that thing is and then respond proportionally in some way that will impact that state. Right. So if they hit me with cyber, I hit them with sanctions. Because if I hit them with cyber, they're not going to feel it, but if I hit them with sanctions, it will impact the people involved in a way that will make them feel pain. You need to see cyber within the context of state power.
A
Yeah. So maybe trying to navigate that somewhat proportionally is if they were stealing, let's say, solar cell technology, maybe sanctions against their Solar industry would be, and then.
B
Throw tariffs on it to make it even, even though it's stolen, you can't cyber them back. Right. You can't go and steal your intellectual property back. Cyber is just, it's, it's no longer a domain that is relevant to the offense that has been caused. Right. And I think it's worth understanding that because I, I think that this comes up with cyber during wartime as well, where people want to say, like, cyber as a part of war, cyber does this, cyber does that. And I think it's like, whenever there's talk of like, is cyber escalatory? I think that that misunderstands cyber because what you're talking about is, is a political action by a state escalatory. And that's entirely context dependent. It's got nothing to do with the medium that they use, except in the context that it's interpreted. Right. So if you hack Russia, that's not necessarily escalatory, but if you're in a high stake, very tense standoff and you hack them, it is escalatory because of the context. Right. It's got nothing to do with the medium. So the medium is not the message is what I'm getting at.
A
Right, right, right. Yeah. So the whole proportionality discussion in the paper I quite like, I agree with that. I think it's good. I don't know that it's a soluble problem. So whether the people have the political will to actually implement or even if the US people want that kind of response, it's not clear to me that that is true.
B
I want to push back just a little bit because I, I think that it's mostly very, very correct. I think that linking all of this to deterrence is a mistake because I think deterrence is the wrong framework to understand this as. So I don't think that deterrence as a sort of feature of cyber makes sense. I will say that the way that they've contextualized it is like cyber is part of a complete breakfast.
A
Right.
B
Like the whole breakdown system. Right. Cyber is a sometimes food. It's. If deterrence is everything that you do, cyber is part of that. Correct. But cyber on its own is not going to achieve that. Right. Like, it's just, it's part of this big package that you have and you select the parts that achieve what you're trying to achieve. And I, I question whether cyber will ever be the instrument for that for the U.S., right. I think, generally speaking, at least for now, there's very few cases where cyber is the best proportional response to something that happens from the US against another state.
A
Right.
B
Yeah.
A
I don't think that they're arguing that. I think that they're on your side. That it's part of the packages.
B
Yeah, no, that I completely agree with. And I. So I'm not pushing back. I'm pushing with them.
A
So one thing that I thought was not incorrect, but I just thought was a bit funny was one of the recommendations they have is that offensive operations should think like an octopus.
B
Ah, okay, so that's. That's because an octopus has got copper for blood. So it's blue. So it's the blue team. So we need to. Blue team offense.
A
Is that correct? So the problem I have with this is that, like, the reason you use an analogy is that you try and make something a bit alien more understandable by relating it to something that you relate with, like analog and analogizing it.
B
Right. So something that you intuitively understand is then mapped to something that you're not familiar with.
A
Yeah. So, yeah.
B
For example, you would pick state power politics, and you would map it to an alien creature that has absolutely nothing to do with humanity and that no one has any practical experience with that also does cyber.
A
Yeah. So after they explain, makes sense. You know, an octopus camouflages itself perfectly, uses its tentacles to explore nooks and crannies and squeezes into impossibly small corners to wait for its prey. It solves problems, learns, and strikes decisively. Further, each tentacle acts independently, but also as part of a whole. The central nervous system guides the effort, but a brain in each tentacle manages the search. So after I read that, I went, okay, right, I see where they're going. I just think it's a terribly poor analogy to choose.
B
Well, I mean, those are the first things that come to mind when anyone says octopus. Right. Like, it just. You immediately go, oh, right. You know, it looks in nooks and crannies, it can squeeze through a hole. It perfectly camouflages itself. It's got brains in every tentacle. You know, these are just common facts that.
A
Yeah, so the. The big things I took away were kind of decentralized, yet also working for a common goal. So, yeah, I think I'm nitpicking here, and I think it's a funny example.
B
In that it might capture some of the. I guess the big problem I do have with this paper, and I think it might be. That might be a microcosm of it, which is that it's so inside this bubble where if you talk to people who know about Octopus octopi. So if you talk to people that know about octopuses and you're all discussing this and it just seems obvious to you, then you would put this down because everyone you know understands what you're talking about. But I think once you go outside the bubble of cyber.
A
The octopus bubble.
B
The octopus bubble, which in this case the octopus means people who know about cyber. Yes, that's the analogy I'm using.
A
Right, okay, yes, I'm with you.
B
Now you see why it's a good analogy? Of course, Yeah. I think once you go outside that bubble of people who are familiar with this topic, it just, it's completely alien and it makes no sense. Right. Or it's. They have a vague sense that it exists and they go, oh yeah, that's interesting, but it doesn't viscerally mean anything to them. They don't.
A
My problem with it was it was an analogy that I couldn't grok until I had read the explanation, which to me makes it a not very good analogy. Now, I couldn't think of a better one. So there's that.
B
Right. So it seems to me like what they're talking about is commander's intent for at least part of it, which is the. It's supposed to be the way that the US military works. But that actually follows that is an open debate. But the idea is that the higher up you are, the more general your plans are, and the lower down you go, the more specific they are because you have better situational awareness of the specific details. And the idea is as long as you know the general plan, like what the commander is trying to do, then you can make it fit within the context. And it's sort of, it goes all the way back to. A Prussian commander was sent with his like regiment or whatever to go and defend, like the left flank or something. And the army that was being attacked ended up retreating and they went parallel to like across, you know, down the road that this guy was on. But because he had been given the order to defend and here was an army not attacking, he just let them go. And so the prince who was in charge sacked him because he was like, I don't need idiots in charge of my things. Like, you should know that, like you're supposed to defend in case they attack, but if they're retreating, you're supposed to stop them. You shouldn't be blindly following something that no longer makes sense.
A
The letter of the law, rather than what I want.
B
Yeah, yeah, right, yeah, do what I say, not what I said.
A
Do what I meant, not what I told you to do.
B
Yeah. So we're coming off a bit negative, but I do want to say that there was a lot that I did like about this paper.
A
There's a chapter in the report where they took different policymakers through three different case studies to see how US people would react given different scenarios with different levels of uncertainty and different levels of casualties. I guess.
B
Yeah. So I think they divided it into low casualty, low attribution confidence, like medium casualty, low attribution, and then high casualty, high confidence attribution. And that certainly makes sense for how to parcel things up and then explore those different options. But I think that when you look at the way that these other countries use cyber, they don't necessarily look at how can we cause a high casualty event with a low attribution probability. They're not looking at those things. They're saying, how can we change the social dynamics and the psychology of, of this country to have weaker moral cohesion internally? That's the sort of thing that they will look at. They will look at how can we impact the way that these people operate overall?
A
I mean, I have a bit of sympathy for them here in that what they're trying to pull out is US policymakers, like what they're thinking, how they respond, I guess the gaps or the, the weaknesses in their thinking. And so even though I think it's.
B
Very valid for all of those things, I don't think it's valid for understanding how they would be attacked. Right, right, right.
A
Yeah. But I skimmed through that part, so I kind of accepted that they're going for something that is about. Focused on how US policymakers think rather than Right.
B
So I'm. This is probably my misreading of them or my misreading of their intent. Because for me, the interesting thing is how does China think about cyber war? What do they want to do? How does Russia. So, like, that's what interests me. So when that, when someone doesn't capture that. Exactly, that's what I'm going to hone in on.
A
My problem with making it realistic is we already know what US policymakers would do, which is mostly just nothing. So, you know, that's not a very, it's not a very illuminating question. I guess it's a, you know, maybe it's.
B
Imagine that Russia breaks into a major software vendor and installs a backdoor that gives them access to 18 specific targets, most of which are in the US government. Go, you know, like, we know exactly what happens. Nothing.
A
There was some sanctions. Yeah.
B
I think someone was indicted or something. It was.
A
And they took away a building that the, that the Russians owned in New York State or something like that.
B
Yeah.
A
So there was a building involved kind of.
B
That's kind of a big deal because that's where they would go to vacation, like, because they're only allowed in a certain number of areas.
A
And I think it was a safe house or something.
B
So they, they have a dacha, basically, from their understanding. And what's funny is it's like if you work at an embassy and you have top secret cipher equipment that you use for communications, when you get a replacement, upgraded new cipher thing, you have to decommission the old one. But you can't just like throw it in the trash because it's a top secret cipher machine. So you have to send it back to the home country via diplomatic pouch so it can be disposed of appropriately or you need to destroy and dispose of it to, like a certain thing. And there's only, you know, there's strict requirements and all of that. Now the thing is, you are only given so much space in a diplomatic pouch per year. Right. Because it has to be flown on, you know, your Aeroflots, whatever. And so cipher machines are not like the, they're not small, like, it's not an iPod. Right. Like, these are big heavy things. And if you send that back, it means you can't send other stuff back or you can't use it to get a new kit that you want imported. So what the Russians ended up doing was they had a basement that they filled up with cipher kit until they had like 70 tons of cipher equipment that they couldn't get rid of because they couldn't, they couldn't throw it away and they couldn't ship it. So they arranged to have a boat purchased for like a nice boat, not a yacht, but like a boat purchased for this like, dacha thing so that they could take visiting dignitaries out on the river. And then what they did was they smashed all of the cipher kit into small pieces. And at night they took the boat out and threw the pieces in the river. So taking that away means that they. I was just saying, like, there could be this knock on impact of like, now they have to ship their cipher equipment back in the diplomatic pouch, which is then going to impact the amount of spy equipment they could bring into the country. So there could be this compound knock on effect. Yeah.
A
Yep, yep. And the CIA divers no longer have to fish around in the river trying.
B
To dig up the little pieces, dredging up little pieces of Trying to stick.
A
Them back together, the consequences, they just keep on rolling on the ramifications. So the proportion. This whole discussion makes me think that the US is just destined to never compete very well in this domain because it's got other options. And so, in a way, this paper is laying out and, like, for the majority of it, I like and agree with. Like I said, we're nitpicking. The. The paper is laying out a solution that will never be implemented.
B
Yeah. So I'm going to bring up Martin's Law, which I learned about a while ago, which basically says that the way that you solve a problem is politics first, money second, and technicalities last. Meaning essentially, that you need the political will, you have to want to solve it or do whatever, otherwise it doesn't matter. And then if you want to do it, you need the resources available so that you can actually do it. And then whatever specific implementation details can be worked out once you have the will and the resources to actually do it.
A
Yeah, this is the Manhattan Project, where it starts with the President going, I think we need an atom bomb.
B
Exactly. And then it's like, move heaven and earth to make it happen. Right. And I think the problem here is that those first two elements are missing. Like that there's no political will. Like, there's money that gets made available, not right now, but, like, there's certainly a lot of money in cybersecurity, but it doesn't necessarily matter because there's no political will to solve the issue, because it's not perceived to be a big problem. And so where this paper comes up and says, when we get to the technicalities, here's how we should approach it. We can agree with 80, 90% of what they say, but it's sort of fundamentally, we're still missing the political will. You're at step three without even doing step one.
A
And, yeah, it's like this podcast, an entertaining way to spend a little bit of time.
B
Thanks a lot, Tom. Thanks, guy.
September 22, 2025
Host: Tommy Wren
Guest: The Gruk
This episode features Tommy Wren and The Gruk discussing a recent report from the Center for Strategic and International Studies (CSIS): a comprehensive seven-chapter playbook on how the United States can "win" the cyber war. The discussion critically examines the report's conclusions, its framing of global cyber operations, and the practical challenges of implementing its recommendations. The hosts bring a skeptical, sometimes wry perspective to the idea of "winning" in cyberspace, questioning many underlying assumptions and highlighting the disconnect between policy papers and real-world politics.
“Russia and China have fully integrated cyber tools into their larger foreign policy toolkits, and Iran is a growing cyber powerhouse. Meanwhile, the US has built a powerful offence, but has dangerously neglected defence.” ([02:58])
“I would say that they're not ignoring defence. I just think defence is an incredibly hard problem... If that's defence, then give me weakness. Like, we don't want that in a free society.” ([03:48])
"...Rather than attack its strengths... they attack its weaknesses. Like, what did you expect?" ([05:50])
"...allowing these attacks to continue with little or no response destroys any semblance of deterrence...the US needs to shift its thinking on proportionality, to consider the entire pattern of behaviour..." ([10:29]-[11:38])
"Cyber needs to be viewed not as a standalone, individual, separate thing, but that it's part of the tools of state power.... It's just, you have to view it not from the point of view of like, oh, if someone hits me with cyber, then I need to hit them back with cyber." ([13:16])
"The interesting thing is how does China think about cyber war? What do they want to do? ... when someone doesn't capture that. Exactly, that's what I'm going to hone in on." ([24:50])
On asymmetric interest in cyber:
"Cyber is important and it can make a difference, but I don't know that it rises to the level of, like, geopolitical balance shifting." — The Gruk ([07:45])
On the real costs of IP theft:
"It's not as important as $30 billion worth of soybeans every year or consumer goods stuff." — The Gruk ([09:09])
On US policymakers’ incentives:
"I want cheap Chinese goods. And so there was never a time where it would make sense to have a big grand response to IP theft." — Tommy ([10:22])
On cyber as just another tool:
"You need to see cyber within the context of state power." — The Gruk ([13:16])
Wry skepticism toward analogies:
"The octopus bubble, which in this case the octopus means people who know about cyber." — The Gruk ([20:29])
On the limits of analytic frameworks:
"You're at step three without even doing step one." — The Gruk ([30:43])
The episode is analytical, skeptical, and wry, critiquing the tendency of both policy papers and the cybersecurity community to overstate the standalone importance of cyber operations. Both hosts appreciate the work in the CSIS report but highlight that absent political motivation and public will, US strategy will remain reactive and incremental, regardless of technical playbooks. The discussion is rich with practical insight, plain language, and a touch of black humor—a guide for understanding both what’s possible (and what’s merely theoretical) in cyber statecraft.