B (3:48)

Right? Well, I would say that they're not ignoring defense. I just think defense is an incredibly hard problem. I mean, they say later that one of the ways that Russia and China have implemented defense is with heavy Internet surveillance, censorship and strict monitoring and things like that. And I think that if that's defense, then give me weakness. Like it's, it seems like we don't want that in a free society. Like I, I would very much not like to live in a place where that is the norm.

A (4:23)

Yeah. My impression is also that a lot of Russian and Chinese firms are very vulnerable as well, and that if you look at the Chinese Internet and the Russian Internet, it's just rife with leaks.

B (4:36)

Oh yeah, yeah.

A (4:37)

And so I don't know that they're doing any better.

B (4:40)

I think they're doing much worse, to be fair. Like, I think that the US gets pummeled so much that they're sort of forced to, to have a level of cybersecurity. I don't know if it's adequate or decent or good, but it is better than the people attacking them.

A (4:58)

Right, right. So Russian ransomware has driven the US to be better.

B (5:02)

Yes.

A (5:03)

US ransomware has not done the same for Russia or China.

B (5:07)

Right. And China stealing intellectual property has actually driven a lot of companies to have better cybersecurity, typically after they've been hacked and had their stuff stolen, but still it is happening. Whereas I think if you want to go and steal intellectual property from China, you can do it with 20 year old tools and have no problem.

A (5:29)

Now, third sentence. So this is from part seven, which is actually how the US a playbook for how the US could win. China and Russia figured out how to bring down a superpower more than a decade ago. Rather than attack the superpower's strengths, they operate where it is complacent, forgetful and weak.

B (5:50)

Right. So I have several comments. One of them is a decade ago. Like what they're like? No, like I think they've known about how to bring down superpowers for a lot longer. And second of all, I'm gonna say, rather than attack its strengths, which would be an incredibly dumb idea, they attract, they attack its weaknesses. Like, what did you expect?

A (6:16)

Yeah. Yep.

B (6:17)

So when, when the US fought the Taliban, they didn't say, sorry, using air power gives us an unfair advantage because you're weak in that area. Let's do this. IED to ied, right? We're going to do this, you know, one on one. You send your best fighter, we'll send our best fighter, and we'll shoot it out.

A (6:34)

This makes me think that the us, at least in the medium to long term or short to medium term, is just destined to be the 800 pound cyber weakling because it's got tremendous technical capabilities. But that's just never how it's going to win in geopolitics.

B (6:56)

Yeah, it's not the weak man of Asia, but sort of the sleeping giant of cyber, right? Yeah, yeah. Like China's going around kicking sand into the US, the US's face, and the US is like, yeah, I own the beach. What are you going to do?

A (7:16)

Well, I mean, I think this is the danger of being a cyber specialist. Right. And I think this is the exact same trap our podcast falls into in that our premise, the premise of what we talk about is that cyber is important and makes a difference, which is obviously true.

B (7:33)

However, when we're looking at these things, we can point out that they make the mistake of thinking that cyber is important and makes a difference. That's right.

A (7:42)

They've fallen into the same trap we have.

B (7:45)

Ha. I think that cyber is important and it can make a difference, but I don't know that it rises to the level of, like, geopolitical balance shifting. Right.

A (7:57)

Yeah. So I was thinking about this and I imagined myself in the White House, and I can imagine that in every presidency since, I don't know, the late 90s or something, I could go up to the president and say, Mr. President, the Chinese theft of intellectual property is so important that we need to do something really drastic about it. 100% tariffs, start a trade war or threaten a trade war. And every single president, until Shanghai night.

B (8:29)

Just to send a message, Right.

A (8:32)

And every single president would respond, and I think, correctly, that you're crazy. This makes no sense. Who the hell are you?

B (8:38)

How did you get in here? Get out. They would probably start with, that's insane. I think the thing is, intellectual property theft is very bad and it's a strategic problem, but it is soloed down in order of magnitude of impact compared to the other things that are going on. Right. Like, not to dismiss it completely, but to say that, like, compared to all of the other things that exist in.

A (9:07)

The broader relationship between the two countries.

B (9:09)

Yeah, yeah. It's just. It's not as important as $30 billion worth of soybeans every year or consumer goods stuff. Right. Like getting stuff.

A (9:20)

I think you. You sort of slice it into different levels and for every company involved, they're like, we don't want to lose access to the Chinese market. And so they would put up with basically unfair terms of. For trade and intellectual property transfer. And a lot of these were seen as a cost of doing business. So I think for individual businesses, that was true. They wouldn't want the US government to start some big argy bargie to stop IP theft. And then for industry as a whole, that's also true. We've got more to gain than we do to lose from trade with China. And then for the American average consumer, it's like, I want cheap Chinese goods. And so there was never a time where it would make sense to have a big grand response to IP theft. Now I think President Trump would do it, except, like, his issues that he really cares about.

B (10:22)

Probably not. I don't think that's a major motivator for him. I think, yeah, he'll just. He'll do whatever he wants to do.

A (10:29)

Yeah, yeah. So there's this section here which I quite like, which is about redefined proportionality. Like, I'll read a few lines. The old model of retaliating against cyber attacks, largely for cyber attacks, is outmoded and a guaranteed losing strategy. For the us, any single cyber attack is unlikely to cause enough damage to merit strong economic or even kinetic response. For example, the US should not respond to a ransomware demand with a cruise missile. However, pinpricks add up to an intolerable chorus of pain for US business and government entities. And allowing these attacks to continue with little or no response destroys any semblance of deterrence. As a result, the US needs to shift its thinking on proportionality, to consider the entire pattern of behaviour and draw on a wider toolkit, such as a combination of sanctions, regional diplomacy, cyber retaliation, and, in extreme circumstances, kinetic action. So it's basically arguing that, essentially what I just said, that you need to respond to the campaign rather than any individual instance.

B (11:38)

Right.

A (11:38)

But the problem is the strategic implications.

B (11:41)

Not the individual tactical issues. Yeah, yeah, yeah.

A (11:44)

And I'm sure that I've said that before, but the problem is that you run into that dynamic I just spoke about where the President would say, are you crazy?

B (11:54)

Right.

A (11:54)

Because there's so much else at stake.

B (11:57)

Here's the thing. There are very, very few companies that went to China and saw the rules of operating in China, which is, you know, like, you need to have a partnership factory. It needs to do technology transfer, and in three years, the Chinese need to be able to stand up their own and, you know, copy it. If companies are willing to do that. Right. Because they think that the value of being in China is so great, that that is an acceptable cost, then it's an acceptable cost Overall for the U.S. right. They can make the same decision. And you could say, like, this is completely. It adds up and these are terrible ideas and you're selling out your future. Anything you want to say, that's fine. But at the time, that's the decision that all of these people are making, all of these companies and individuals, and the state follows through on that. I think.

A (12:54)

Yeah. So I think to me, this part seems right. People have said to me that this kind of deterrence hasn't worked. And my response is, well, you haven't really tried because you haven't really tried to deter the campaign. Like, you've tried to deter incidents, which is, like, pointless. But I think the dynamic is that there is no way you can try and deter the campaign. Like, it's just unreasonable.

B (13:16)

I think that there's actually some very good points there that will be maybe missed because I think the emphasis is a bit wrong. What stands out to me is that cyber needs to be viewed not as a standalone, individual, separate thing, but that it's part of the tools of state power and it's part of the strengths of a state as a. As a nation state. Like, it's just. You have to view it not from the point of view of like, oh, if someone hits me with cyber, then I need to hit them back with cyber. You need to view it as if a state does something to me, I need to evaluate what that thing is and then respond proportionally in some way that will impact that state. Right. So if they hit me with cyber, I hit them with sanctions. Because if I hit them with cyber, they're not going to feel it, but if I hit them with sanctions, it will impact the people involved in a way that will make them feel pain. You need to see cyber within the context of state power.

A (14:22)

Yeah. So maybe trying to navigate that somewhat proportionally is if they were stealing, let's say, solar cell technology, maybe sanctions against their Solar industry would be, and then.

B (14:36)

Throw tariffs on it to make it even, even though it's stolen, you can't cyber them back. Right. You can't go and steal your intellectual property back. Cyber is just, it's, it's no longer a domain that is relevant to the offense that has been caused. Right. And I think it's worth understanding that because I, I think that this comes up with cyber during wartime as well, where people want to say, like, cyber as a part of war, cyber does this, cyber does that. And I think it's like, whenever there's talk of like, is cyber escalatory? I think that that misunderstands cyber because what you're talking about is, is a political action by a state escalatory. And that's entirely context dependent. It's got nothing to do with the medium that they use, except in the context that it's interpreted. Right. So if you hack Russia, that's not necessarily escalatory, but if you're in a high stake, very tense standoff and you hack them, it is escalatory because of the context. Right. It's got nothing to do with the medium. So the medium is not the message is what I'm getting at.

A (15:45)

Right, right, right. Yeah. So the whole proportionality discussion in the paper I quite like, I agree with that. I think it's good. I don't know that it's a soluble problem. So whether the people have the political will to actually implement or even if the US people want that kind of response, it's not clear to me that that is true.

B (16:11)

I want to push back just a little bit because I, I think that it's mostly very, very correct. I think that linking all of this to deterrence is a mistake because I think deterrence is the wrong framework to understand this as. So I don't think that deterrence as a sort of feature of cyber makes sense. I will say that the way that they've contextualized it is like cyber is part of a complete breakfast.

A (16:40)

Right.

B (16:40)

Like the whole breakdown system. Right. Cyber is a sometimes food. It's. If deterrence is everything that you do, cyber is part of that. Correct. But cyber on its own is not going to achieve that. Right. Like, it's just, it's part of this big package that you have and you select the parts that achieve what you're trying to achieve. And I, I question whether cyber will ever be the instrument for that for the U.S. right. I think, generally speaking, at least for now, there's very few cases where cyber is the best Proportional response to something that happens from the US against another state.

A (17:25)

Right.

B (17:26)

Yeah.

A (17:26)

I don't think that they're arguing that. I think that they're on your side. That it's part of the packages.

B (17:33)

Yeah, no, that I completely agree with. And I. So I'm not pushing back. I'm pushing with them.

A (17:41)

So one thing that I thought was not incorrect, but I just thought was a bit funny was one of the recommendations they have is that offensive operations should think like an octopus.

B (17:57)

Ah, okay, so that's. That's because an octopus has got copper for blood. So it's blue. So it's the blue team. So we need to. Blue team offense.

A (18:11)

Is that correct? So the problem I have with this is that, like, the reason you use an analogy is that you try and make something a bit alien more understandable by relating it to something that you relate with, like analog and analogizing it.

B (18:25)

Right. So something that you intuitively understand is then mapped to something that you're not familiar with.

A (18:31)

Yeah. So, yeah.

B (18:32)

For example, you would pick state power politics, and you would map it to an alien creature that has absolutely nothing to do with humanity and that no one has any practical experience with that also does cyber.

A (18:49)

Yeah. So after they explain, makes sense. You know, an octopus camouflages itself perfectly, uses its tentacles to explore nooks and crannies and squeezes into impossibly small corners to wait for its prey. It solves problems, learns, and strikes decisively. Further, each tentacle acts independently, but also as part of a whole. The central nervous system guides the effort, but a brain in each tentacle manages the search. So after I read that, I went, okay, right, I see where they're going. I just think it's a terribly poor analogy to choose.

B (19:21)

Well, I mean, those are the first things that come to mind when anyone says octopus. Right. Like, it just. You immediately go, oh, right. You know, it looks in nooks and crannies, it can squeeze through a hole. It perfectly camouflages itself. It's got brains in every tentacle. You know, these are just common facts that.

A (19:40)

Yeah, so the. The big things I took away were kind of decentralized, yet also working for a common goal. So, yeah, I think I'm nitpicking here, and I think it's a funny example.

B (19:53)

In that it might capture some of the. I guess the big problem I do have with this paper, and I think it might be. That might be a microcosm of it, which is that it's so inside this bubble where if you talk to people who know about Octopus octopi. So if you talk to people that know about octopuses and you're all discussing this and it just seems obvious to you, then you would put this down because everyone you know understands what you're talking about. But I think once you go outside the bubble of cyber.

A (20:28)

The octopus bubble.

B (20:29)

The octopus bubble, which in this case the octopus means people who know about cyber. Yes, that's the analogy I'm using.

A (20:37)

Right, okay, yes, I'm with you.

B (20:39)

Now you see why it's a good analogy? Of course, Yeah. I think once you go outside that bubble of people who are familiar with this topic, it just, it's completely alien and it makes no sense. Right. Or it's. They have a vague sense that it exists and they go, oh yeah, that's interesting, but it doesn't viscerally mean anything to them. They don't.

A (21:03)

My problem with it was it was an analogy that I couldn't grok until I had read the explanation, which to me makes it a not very good analogy. Now, I couldn't think of a better one. So there's that.

B (21:14)

Right. So it seems to me like what they're talking about is commander's intent for at least part of it, which is the. It's supposed to be the way that the US military works. But that actually follows that is an open debate. But the idea is that the higher up you are, the more general your plans are, and the lower down you go, the more specific they are because you have better situational awareness of the specific details. And the idea is as long as you know the general plan, like what the commander is trying to do, then you can make it fit within the context. And it's sort of, it goes all the way back to. A Prussian commander was sent with his like regiment or whatever to go and defend, like the left flank or something. And the army that was being attacked ended up retreating and they went parallel to like across, you know, down the road that this guy was on. But because he had been given the order to defend and here was an army not attacking, he just let them go. And so the prince who was in charge sacked him because he was like, I don't need idiots in charge of my things. Like, you should know that, like you're supposed to defend in case they attack, but if they're retreating, you're supposed to stop them. You shouldn't be blindly following something that no longer makes sense.

A (22:38)

The letter of the law, rather than what I want.

B (22:40)

Yeah, yeah, right, yeah, do what I say, not what I said.

A (22:49)

Do what I Meant not what I told you to do.

B (22:54)

Yeah. So we're coming off a bit negative, but I do want to say that there was a lot that I did like about this paper.

A (23:01)

There's a chapter in the report where they took different policymakers through three different case studies to see how US People would react given different scenarios with different levels of uncertainty and different levels of casualties. I guess.

B (23:20)

Yeah. So I think they divided it into low casualty, low attribution confidence, like medium casualty, low attribution, and then high casualty, high confidence attribution. And that certainly makes sense for how to parcel things up and then explore those different options. But I think that when you look at the way that these other countries use cyber, they don't necessarily look at how can we cause a high casualty event with a low attribution probability. They're not looking at those things. They're saying, how can we change the social dynamics and the psychology of, of this country to have weaker moral cohesion internally? That's the sort of thing that they will look at. They will look at how can we impact the way that these people operate overall?

A (24:14)

I mean, I have a bit of sympathy for them here in that what they're trying to pull out is US Policymakers like what they're thinking, how they respond, I guess the gaps or the, the weaknesses in their thinking. And so even though I think it's.

B (24:30)

Very valid for all of those things, I don't think it's valid for understanding how they would be attacked. Right, right, right.

A (24:37)

Yeah. But I skimmed through that part, so I kind of accepted that they're going for something that is about. Focused on how US Policymakers think rather than Right.

B (24:50)

So I'm. This is probably my misreading of them or my misreading of their intent. Because for me, the interesting thing is how does China think about cyber war? What do they want to do? How does Russia. So, like, that's what interests me. So when that, when someone doesn't capture that. Exactly, that's what I'm going to hone in on.

A (25:13)

My problem with making it realistic is we already know what US Policymakers would do, which is mostly just nothing. So, you know, that's not a very, it's not a very illuminating question. I guess it's a, you know, maybe it's.

B (25:27)

Imagine that Russia breaks into a major software vendor and installs a backdoor that gives them access to 18 specific targets, most of which are in the US government. Go, you know, like, we know exactly what happens. Nothing.

A (25:51)

There was some sanctions. Yeah.

B (25:53)

I think someone Was indicted or something. It was.

A (25:56)

And they took away a building that the, that the Russians owned in New York State or something like that.

B (26:02)

Yeah.

A (26:03)

So there was a building involved kind of.

B (26:04)

That's kind of a big deal because that's where they would go to vacation, like, because they're only allowed in a certain number of areas.

A (26:10)

And I think it was a safe house or something.

B (26:12)

So they, they have a dasha, basically, from their understanding. And what's funny is it's like if you work at an embassy and you have top secret cipher equipment that you use for communications, when you get a replacement, upgraded new cipher thing, you have to decommission the old one. But you can't just like throw it in the trash because it's a top secret cipher machine. So you have to send it back to the home country via diplomatic pouch so it can be disposed of appropriately or you need to destroy and dispose of it to, like a certain thing. And there's only, you know, there's strict requirements and all of that. Now the thing is, you are only given so much space in a diplomatic pouch per year. Right. Because it has to be flown on, you know, your Aeroflots, whatever. And so cipher machines are not like the, they're not small, like, it's not an ipod. Right. Like, these are big heavy things. And if you send that back, it means you can't send other stuff back or you can't use it to get a new kit that you want imported. So what the Russians ended up doing was they had a basement that they filled up with cipher kit until they had like 70 tons of cipher equipment that they couldn't get rid of because they couldn't, they couldn't throw it away and they couldn't ship it. So they arranged to have a boat purchased for like a nice boat, not a yacht, but like a boat purchased for this like, dasha thing so that they could take visiting dignitaries out on the river. And then what they did was they smashed all of the cipher kit into small pieces. And at night they took the boat out and threw the pieces in the river. So taking that away means that they. I was just saying, like, there could be this knock on impact of like, now they have to ship their cipher equipment back in the diplomatic pouch, which is then going to impact the amount of spy equipment they could bring into the country. So there could be this compound knock on effect. Yeah.

A (28:21)

Yep, yep. And the CIA divers no longer have to fish around in the river trying.

B (28:26)

To dig up the little pieces, dredging up little pieces of Trying to stick.

A (28:30)

Them back together, the consequences, they just keep on rolling on the ramifications. So the proportion. This whole discussion makes me think that the US Is just destined to never compete very well in this domain because it's got other options. And so, in a way, this paper is laying out and, like, for the majority of it, I like and agree with. Like I said, we're nitpicking. The. The paper is laying out a solution that will never be implemented.

B (29:08)

Yeah. So I'm going to bring up Martin's Law, which I learned about a while ago, which basically says that the way that you solve a problem is politics first, money second, and technicalities last. Meaning essentially, that you need the political will, you have to want to solve it or do whatever, otherwise it doesn't matter. And then if you want to do it, you need the resources available so that you can actually do it. And then whatever specific implementation details can be worked out once you have the will and the resources to actually do it.

A (29:46)

Yeah, this is the Manhattan Project, where it starts with the President going, I think we need an atom bomb.

B (29:52)

Exactly. And then it's like, move heaven and earth to make it happen. Right. And I think the problem here is that those first two elements are missing. Like that there's no political will. Like, there's money that gets made available, not right now, but, like, there's certainly a lot of money in cybersecurity, but it doesn't necessarily matter because there's no political will to solve the issue, because it's not perceived to be a big problem. And so where this paper comes up and says, when we get to the technicalities, here's how we should approach it. We can agree with 80, 90% of what they say, but it's sort of fundamentally, we're still missing the political will. You're at step three without even doing step one.

A (30:43)

And, yeah, it's like this podcast, an entertaining way to spend a little bit of time.

B (30:51)

Thanks a lot, Tom. Thanks, guy.