Risky Bulletin: "Between Two Nerds: How the US can win the cyber war"

September 22, 2025
Host: Tommy Wren
Guest: The Gruk

Overview of the Episode

This episode features Tommy Wren and The Gruk discussing a recent report from the Center for Strategic and International Studies (CSIS): a comprehensive seven-chapter playbook on how the United States can "win" the cyber war. The discussion critically examines the report's conclusions, its framing of global cyber operations, and the practical challenges of implementing its recommendations. The hosts bring a skeptical, sometimes wry perspective to the idea of "winning" in cyberspace, questioning many underlying assumptions and highlighting the disconnect between policy papers and real-world politics.

Key Discussion Points & Insights

1. CSIS Report Framing and Structure

• The CSIS playbook includes chapters on Russia, Iran, China, and US cyber strategies, as well as several case studies and final recommendations for US policy ([00:11]).
• Tommy highlights a core framing from the report: “Cyber operations are already a central feature of global competition.”
  • The Gruk challenges this, noting that while cyber is important, it's not universally central—it's asymmetric, much more so for Russia and China than the US ([02:04], [02:20]).

2. Asymmetry in Cyber Strategy

• The US has been "losing a war it did not know it was fighting.":

  “Russia and China have fully integrated cyber tools into their larger foreign policy toolkits, and Iran is a growing cyber powerhouse. Meanwhile, the US has built a powerful offence, but has dangerously neglected defence.” ([02:58])

• The Gruk pushes back:

  “I would say that they're not ignoring defence. I just think defence is an incredibly hard problem... If that's defence, then give me weakness. Like, we don't want that in a free society.” ([03:48])

  • He further contends that Russia and China’s defensive postures (heavy surveillance, censorship) come with massive own vulnerabilities and leaks ([04:23], [04:36], [04:40]).
• The effect of attacks: Russian ransomware pushes the US to improve, but US offensive operations haven’t forced Russia or China to do the same ([04:58]).

3. Targeting Weaknesses, Not Strengths

• The report argues, “China and Russia figured out how to bring down a superpower... They operate where [the US] is complacent, forgetful, and weak.” ([05:29])
• The Gruk responds with skepticism:

  "...Rather than attack its strengths... they attack its weaknesses. Like, what did you expect?" ([05:50])

  • He compares this to the US not handicapping itself in war just to fight on its enemy's strongest terms ([06:17]).

4. Cyber's Real Impact on Geopolitics

• Both hosts agree: Cyber incidents are often overhyped compared to more tangible instruments of power like trade, military capability, and economic relations ([07:16], [07:45]).
• Tommy imagines pushing for drastic government action on IP theft and concludes that politicians consistently prioritize larger strategic or economic concerns ([07:57]-[09:20]).
• The Gruk notes, “it's not as important as $30 billion worth of soybeans every year or consumer goods stuff.” ([09:09])

5. Proportionality and US Response

• The CSIS report suggests the US should move away from one-to-one “proportional” responses and instead respond to campaigns, not individual incidents:

  "...allowing these attacks to continue with little or no response destroys any semblance of deterrence...the US needs to shift its thinking on proportionality, to consider the entire pattern of behaviour..." ([10:29]-[11:38])

• Both hosts agree in principle but see profound real-world obstacles, especially the lack of political will to escalate beyond what is tolerable to US consumers, businesses, or policymakers ([11:44]-[13:16]).
• The Gruk emphasizes:

  "Cyber needs to be viewed not as a standalone, individual, separate thing, but that it's part of the tools of state power.... It's just, you have to view it not from the point of view of like, oh, if someone hits me with cyber, then I need to hit them back with cyber." ([13:16])

6. "Octopus" Analogy for Offensive Operations

• CSIS: Offense should “think like an octopus”—camouflage, flexibility, decentralized intelligence ([17:41]-[19:21]).
• Both hosts find the analogy weak and overly “bubble-insider”; the need for lengthy explanation makes it a poor metaphor ([18:11]-[21:03]).

7. Decision-Making and Realism in Policy Response

• The report’s scenario planning for policymakers (three case studies with different levels of casualties and attribution) is seen as insightful for understanding how Americans think, but not how adversaries operate ([23:01] onward).
• The Gruk:

  "The interesting thing is how does China think about cyber war? What do they want to do? ... when someone doesn't capture that. Exactly, that's what I'm going to hone in on." ([24:50])

• Both agree: US responses to major cyber events are mostly limited (e.g., minor sanctions, indictments, symbolic gestures like seizing Russian diplomatic properties), and thus, the report's recommendations are unlikely to be implemented ([25:13]-[28:30]).

8. Fundamental Constraints: Political Will and Prioritization

• The Gruk introduces “Martin’s Law”: fixing big problems requires (1) political will, (2) resources, (3) technicalities last ([29:08]).
• Final conclusion: While the CSIS report has good technical advice, it “starts at step three,” ignoring that the US lacks the political will to make cyber security a top priority ([29:52]-[30:43]).

Notable Quotes & Memorable Moments

• On asymmetric interest in cyber:

  "Cyber is important and it can make a difference, but I don't know that it rises to the level of, like, geopolitical balance shifting." — The Gruk ([07:45])

• On the real costs of IP theft:

  "It's not as important as $30 billion worth of soybeans every year or consumer goods stuff." — The Gruk ([09:09])

• On US policymakers’ incentives:

  "I want cheap Chinese goods. And so there was never a time where it would make sense to have a big grand response to IP theft." — Tommy ([10:22])

• On cyber as just another tool:

  "You need to see cyber within the context of state power." — The Gruk ([13:16])

• Wry skepticism toward analogies:

  "The octopus bubble, which in this case the octopus means people who know about cyber." — The Gruk ([20:29])

• On the limits of analytic frameworks:

  "You're at step three without even doing step one." — The Gruk ([30:43])

Timestamps for Key Segments

• 00:11-02:20 – Introduction to the CSIS playbook and its framing
• 02:58-05:29 – Asymmetric rivalry: Russia/China vs. USA in cyber
• 05:29-07:16 – On adversaries targeting weaknesses; analogy to military conflicts
• 07:16-09:20 – Limitations of cyber as a lever of state power
• 10:22-13:16 – Proportionality, deterrence, and political realities
• 13:16-16:11 – Cyber as part of broader toolkit, not a domain for deterrence
• 17:41-21:03 – The “octopus” analogy: strengths and weaknesses
• 23:01-25:13 – Case studies: scenario exercises for US policymakers
• 29:08-30:43 – Martin’s Law: the politics of cybersecurity

Tone and Takeaways

The episode is analytical, skeptical, and wry, critiquing the tendency of both policy papers and the cybersecurity community to overstate the standalone importance of cyber operations. Both hosts appreciate the work in the CSIS report but highlight that absent political motivation and public will, US strategy will remain reactive and incremental, regardless of technical playbooks. The discussion is rich with practical insight, plain language, and a touch of black humor—a guide for understanding both what’s possible (and what’s merely theoretical) in cyber statecraft.