A
Hello, everyone, this is Tom Uren. I'm here with The Grugq for another Between Two Nerds discussion. G'day, Grugq, how are you?
B
G'day, Tom. Fine, and yourself?
A
I'm very well. This week's edition is brought to you by Sublime Security. They make a next-gen, super-powered email security solution. You can find them at Sublime Security. So this week, Grugq, one of the things I wrote about was that Sean Cairncross, who is the National Cyber Director in the US, gave a speech. He talked about, well, the main thing I'm going to pull out is that he said that the US had not been very effective in sending a message to China that much of its cyber activity was unacceptable. And he particularly talked about the hacking of US critical infrastructure. So I wrote an article about that. I spoke about the Cyber Solarium Commission. They had said that basically there's been a whole lot of... they didn't use these words, but a whole lot of gutting of the US cybersecurity apparatus and cyber diplomacy. Funding had been cut, personnel had been cut, and the vast majority of the recommendations were just like, putting things back the way they used to be. You know, restore this, restore that. But the top recommendation was we need to empower the Office of the National Cyber Director. So there needs to be this central...
B
Body. Who commissioned this, again? Because it sounds a little bit...
A
To me, it felt like a very realistic report in that if we're not going to get all these people and funding back, we may as well have a strong single leader. Like, this is the right... you know, what else are we going to do? Now, I didn't write about it, but my thinking was, well, what is Cairncross going to do? Because some of the things we've talked about is that if you want to deter or shape behavior, you really need a big stick. Because when it comes to China, over a long period of time, they've gained, in my view, massive benefits by hacking for intellectual property.
B
Right.
A
And so you need a massive stick or a massive carrot, I guess, to counter that. Right. And one of the things that I didn't realize at the time, but the first Trump administration imposed tariffs, and part of the motivation of those tariffs was to like, punish essentially the theft of intellectual property and unfair technology transfer practices. And part of that was also cyber espionage for intellectual property theft. So it seems like that had around the margins a little bit of an effect on certain practices, but then those tariffs just became background noise and they stayed forever. And now in this administration, there's like, you can't do anything with tariffs.
B
Right.
A
Because that economic.
B
That's not a cyber exclusive lever.
A
Yeah, yeah. Well, it's gone from like zero and, I guess back in 2018, I think it was, it went to two, and now it's set at 100. And you know, anything cyber related, you're just playing, you're fiddling, fiddling while Rome burns. Yeah, yeah. And so it's not as if Cairncross can go to President Trump and say we need to increase tariffs to get this cyber espionage under control, or what is it, not Salt Typhoon, Volt Typhoon is the critical infrastructure one. Salt Typhoon is the telecoms infrastructure one. And so what's left?
B
I think there's a huge amount to unpack there. One of the things being, I can't imagine that the US isn't completely up in China's telcos as well.
A
Right? Yeah, yeah.
B
I don't think that they're like, wait a minute, you can hack telcos? We never even thought of that. Let's get some people on that. That sounds useful. I think if anything, China was probably viewing this as reciprocity. You want to do it, we can do it too. I think you'd be hard pressed to say telcos are out of scope, so you'd have to go with Volt, I think, because just Salt is... it might upset people. But I don't think it's like, it's not out of bounds, it's not beyond the pale.
A
Right, right. So you're saying if the US wants to send a message, it should focus it on critical infrastructure, which is Volt Typhoon, like electricity, and that it's kind of pointless, or maybe pointless is the wrong word, but not as vital to send it for the telco hacking.
B
Well, if you want to say that this sort of hacking is unacceptable, I don't think that that applies to telcos. I think hacking telcos is acceptable. Like, you might not like it, you're not happy about it, but you're going to do it yourself. Like it's not a thing that you would deny yourself. During peacetime, you could say hacking critical infrastructure during war, okay, sure. But during peacetime you want to hack telcos anyway. So I don't think that it's something you would prevent yourself from doing just so that your enemy can't do it.
A
Yeah, right.
B
So, yeah, it's acceptable, I think. But if you want to say critical infrastructure is not, I think you dilute your message by saying critical infrastructure and.
A
Telcos are unacceptable because they are also critical infrastructure. Right.
B
So I think it doesn't help your case. Like, you're better off just focusing on the thing that actually matters. But then how would you. I mean, the next step is, okay, like, if you laser in on the one thing that's actually unacceptable, how do you message that? How do you communicate that?
A
There was a report that Volt Typhoon had been successfully rebuffed as well. So it seems a month or two ago. So it seems like there's a bit of conflicting messages there that, you know, we haven't sent a strong enough message yet, but we've successfully dealt with it.
B
Yeah, we've mitigated the issue.
A
That's right. Yeah. So. So either you need to send a message because it's still ongoing, or like, there's no need to send a message.
B
It's not an issue anymore. Like, given how little of CISA is left, like, could you reliably say that it's been mitigated, or is it just we are no longer able to detect it? Does that. Does that mean that it's gone? Or that your detection capability has been degraded so much that you no longer know what's going on?
A
Let me just have a quick look.
B
Because it'd be an important point.
A
NSA: Volt Typhoon was not successful at persisting in critical infrastructure. This is from July, and it's in the record. "The good news is they really failed. They wanted to persist on domestic networks very quietly for a very long time, so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign."
B
So that's why you need to send a message, because they were unsuccessful.
A
I've now moved into.
B
I just feel a little bit confused.
A
Yeah, yeah. I've now moved into parsing the paragraphs very, very carefully. So this is from Kristina Walter, Director of the NSA Cybersecurity Collaboration Center. "We, with the private sector, with FBI, found them, understood how they were using the operating systems, how they were using legitimate credentials to maintain persistence. And frankly, we equipped the entire private sector and the US Government to hunt for them and detect them."
B
So here's the thing is, when I parsed this, they wanted to persist in domestic networks very quietly for a very long time. They were not successful in that campaign. So if it's no longer quiet and yet they still persist, it's still technically not successful.
A
You're as cynical as I am. Because that's like... so this is from July, and yet last week or this week, we've got Cairncross saying it's a problem that they're in critical infrastructure, we need to send a message. These two things are not consistent.
B
Right. And there's. I mean, there's also been recent. I think last week there was a report that the FBI had disrupted one of their proxy bot networks, and it's been rebuilt.
A
So.
B
Here's the thing. If you are a state security service and you get a directive, hack into the critical infrastructure, and you get kicked out of the critical infrastructure, you don't go to your boss and be like, okay, we did that. We got kicked out. You know, check mark, we're done. Right. Like, we did it, we got kicked out. Next. Right. Like, it's not a to-do list. Right. It's a... like, keep doing this. So when you get kicked out, you have to go back. So I think even if, whenever this was back in July, you could say, all right, we've hunted for them and we've kicked them all out. It's now many months later. Yeah, they're probably back.
A
Yeah. So the overall vibe of the Trump administration has been to cut security functions like, cut CISA, cut people, cut personnel, cut funding, cut the State Department, and try and replace it with at least the idea of being more aggressive in cyberspace and saying, you know, we've got the best...
B
We've got the most lethality cyber thing.
A
Yeah.
B
Because that's exactly the same as being well defended.
A
So I actually think that being more aggressive is probably a good thing. Right.
B
Yeah.
A
And it's been. The balance hasn't been quite right. I don't think restoring the balance, I necessarily thought cutting a whole lot of defense. So that would be like, yeah, maybe more balanced, but that's not necessarily what I would have done.
B
It's going to be like one of those crabs with that really huge, the gigantic pincer on one side and there's, like, tiny one on the other. It's basically switched from being a lefty to a righty. Like, it. It's still unbalanced. Right. Like, you could. You could say, like, yeah, it used to be too weak and now it's super strong, but it's not balanced. Like, you didn't. You didn't resolve that. That core issue.
A
Yeah. So the question really, I think, is Cairncross, the National Cyber Director, what can the US do to actually send that message? And if you've taken away being better at defense and you've slashed your cyber diplomacy people, like, you know, you're left with more offensive operations. But what...
B
Right.
A
Are they even practically good at sending a message? What can you actually do there?
B
Right. So, I mean, I think this comes down to whether you believe empirical data or whether you believe the academic literature. Because the academic literature is full of discussions about using cyber to send messages. I don't think it's very good at how people will receive messages from cyber, which is, I think, the big problem. So, for example, I think as an academic writing about this, you're going to go, like, if I hack your computer and I make your mouse move arbitrarily, what I'm doing is I'm letting you know that I have this position of power. Don't make me use it. I want you to stop. Like, don't build that fence in the backyard. That's going to cut off my view to the ocean. Right. And you, as the person who's been hacked, is going to look at your computer and be like, oh, the mouse is moving weird. Must be the computer acting up. I'll get another one. Or you might go, I've been hacked. It's hackers. But what you are absolutely not going to do is go, the computer is acting weird. I wonder who's trying to send me a message. And what are they trying to say? Like, what's. What's behind this? You're not going to sort of like, bring up a Ouija board and have the mouse sort of like.
A
Yeah, one of the.
B
Moving slowly towards the. Yes. Yeah.
A
One of the stories around the Snowden Leaks was. I think it was some Guardian reporters had the material on a laptop and were maybe writing an email or something, and then the email started to backspace and delete itself. GCHQ is hacking us. And I was like, oh, man, you've just got a broken backspace key.
B
Right, right, exactly. I remember that. And it was like, yeah, like, if GCHQ hacks you, they're not going to just hit, you know, backspace. Like, they're going to. They're going to put up a thing that says, you know, get out. Stop what you're doing. Right. Like, they would communicate what they're doing. They wouldn't.
A
Yeah, well, I mean, it was anyways.
B
But anyway, they're not going to appear as, like, a buggy computer. That's not how you send a message. But I think that that's what a lot of this using cyber to send a message boils down to. Right. Is sort of hoping that, like, all of these contextual clues will be interpreted in the correct way. And, like, there's an entire academic discipline on how to use signals to convey meaning, like semiotics and, like, what does something mean? And so, like, there's the story that Genghis Khan sent a bird, a bottle of water and a fistful of dirt to a king. And the message that was being sent was, you need to surrender to me, like the air, the water and the land. But if you're just like some random king and a smelly Mongol walks in and gives you a dead bird, a handful of dirt and a bottle of water, you're not going to go, huh, I should probably surrender. It's very poorly communicated, even though contextually to the person sending it. Makes sense.
A
But isn't that message symbolic, and the actual import is conveyed by the tens of thousands or hundreds of thousands of people that the Mongols...
B
Massed at the border. It's in the subtle hints around it. Like, when the Mongols who have been cutting a swath across Asia show up, they're probably not saying, hi, we're just passing through, you know, have a free dead bird.
A
Yeah, yeah. So in that analogy, it would be not the symbolic, it's not message, but it would be the effects that you've achieved in cyber that would make the Chinese government go, whoa.
B
Right. But I mean in order to do that you'd have to, for example, hack into their. Like you couldn't, you couldn't do a one to one of like, we have achieved access to your critical national infrastructure, we have achieved persistence and we're being stealthy or even we're being overt so you can see us. Because they're just gonna go like, oh, we knew you were doing this anyway and now we have proof.
A
Yeah, yeah.
B
So if they're attacking the US because they know that the US is doing it, even if the US isn't, any message you try and send on that is just gonna confirm what they already believe.
A
Right. So a while back, Mark Warner, Senator Mark Warner in the States, suggested that the US respond in kind to Salt Typhoon. So Salt is the one that was hacking US telcos. And I'm not sure if this is what he meant, but I interpreted that as hack Chinese telcos in an overt and in-your-face, get caught doing it...
B
Basically.
A
Yeah, yeah. And now part of the motivation for Warner saying that is that I think he'd been given a brief on how much it would cost to remediate US infrastructure. And so obviously there's a lot of it, a lot of it's quite old. It was going to be like, I think the figures were huge and it would take a long time, like maybe a decade or something, so just threaten them.
B
So that they don't do it again.
A
Rather than yeah, well I think that was the logic, intent and my reading was, well, if you do it in a overt way, you maybe have a bargaining chip.
B
Yeah. But you lose signals intelligence that you're getting otherwise.
A
Yeah, but I guess you would also have the sneaky way that you don't.
B
You'd have to do both and just hope that when they, when they evict one, they don't detect and evict the other. Yes, I mean that sounds totally worth it rather than defending yourself because once you threaten the Chinese, then no one else is ever going to do it again. Right. Like you've, you've established. So like that's another thing where I think it doesn't work is if the point of doing it is because remediating is going to be too expensive. So you just want to deter. You can't deter by reciprocity against China because North Korea for example doesn't have telephone infrastructure that you could, that you can interfere with and it would disrupt them. Right. You know, a non state actor wouldn't have, have that exposure either. So it like, it, it doesn't seem like a useful approach to me just from that. I've got one more thing. I'm messaging from systemics. He's got this, this very good example of like communication. Right. So we can't not communicate. Physics can tell you what happens when you kick a rock, but physics has nothing to say about what happens when you kick a dog.
A
Right? Yeah.
B
Right. Because obviously what happens is entirely up to the dog. And that's sort of how messaging works. Like you can do the thing that makes sense to you, but how it's received and responded to is out of your hands. And this again is why I think that like the idea of messaging in cyber works so poorly because you're expecting Americans to get into the mind of a foreign person in a foreign country and understand the world from their point of view and then the Americans will craft an operation that can be interpreted from that perspective in the way that the Americans want it to be interpreted. Like that seems like a lot of steps that just won't ever happen.
A
Yeah. So I guess the original premise of this discussion was that Sean Cairncross has a problem. How does he get this message across? When it comes to Salt Typhoon, it seems like, first of all, that's not the major problem. Like, having US telcos hacked isn't the biggest deal. And also, even if you respond in...
B
Use Signal, use Tor, and it's no longer an issue.
A
And even if you respond in kind, the Chinese would go, okay, well we knew we were hacked anyway, so let's move on. Or they would go, I don't know, what is the alternative?
B
I think they just go, we knew you were hacked anyway. I mean, I think that that's the assumption.
A
And so there's no bargaining chip. Because there's.
B
Right.
A
It's, it's just a confirmation of what they suspected because the US is the empire of hackers anyway.
B
Right. It's when you're the 800-pound gorilla, you can't sort of threaten people with like, and I will reveal that I am a large gorilla. Like, yeah, people kind of know that already. It doesn't get you... like, they assume that you're doing that as is, and if you aren't doing it, they'll be very surprised. Right. Like, if China's telcos were not compromised, it would be a surprising result. I think the Volt Typhoon, the sort of critical national infrastructure, that you have a little bit more leverage with because it's something that, I mean, you'd have to communicate diplomatically, you know, like, we will be sending a message, you know, at noon Thursday on whatever, we will flick the lights in Shanghai to indicate that we can do it, we won't do it again as long as you stay out of our electrical grid. That's the sort of thing, like, if you explain what's going on and then you demonstrate that you can do something, that's a message that makes sense. If, on the other hand, they simply flick the lights for Shanghai, all that would happen would be some people at the electrical companies would go, oh, we've been hacked, we better fix this. And everyone else would be like, I thought we were past the days of, like, blackouts, wonky electricity, and they would move on. Like, it wouldn't... there's probably a strong incentive not to reveal that you've been hacked. And that's why it went... oh, went badly.
A
Right.
B
You know, it's like, I just, I don't know, it's obviously a lack of imagination on my part, but I just cannot see how you're going to make cyber messaging work as a standalone thing without having all the other tools of statecraft available. Sort of, I think within, you know, that sort of DIME: diplomacy, information, military, economic. Within that, you can use it to augment some stuff, but I don't think you can use it standalone. And that's sort of where we're at, because everything else has been taken away now.
A
Right, right. Those tools are already being used for bigger issues, I guess.
B
Right.
A
And so there's no capacity to use them for cyber related problems because they're relatively inconsequential.
B
I mean, which is obviously the wrong interpretation. Clearly cyber is probably the most important of all national security issues. Of all issues anyway, if you think about it.
A
So where do we go from here? Volt Typhoon is clearly the most pressing issue. That's the one that Cairncross called out. But it's not the only cyber irritant in the relationship.
B
And I mean maybe how do you even get more aggressive and doesn't get you anything.
A
Where I thought, and why I like the idea of being more aggressive, is particularly when it comes to groups that are important. So whether that's important because they cause a lot of damage. So whether that's cyber espionage groups or ransomware groups or organized crime or cartels or whatever, whatever it is that's causing a lot of harm, I think it makes sense to have a prioritized list of those. And for some of them, some sort of disruptive cyber operation will make sense. And I think that makes sense because you pick something where it is causing an outsized amount of pain, and if you can disrupt that with a cyber operation where you haven't had success before, I think that's a good deal. Like, it's a bang-for-the-buck thing, if the only thing stopping you from doing that has been your own sort of procedures or reluctance or risk appetite or whatever. Right now it's not clear to me exactly what those operations are, and I don't... but I think they're value for money because you've prioritized them based on the harm they cause. Value for money is maybe not the right word; worth doing, perhaps.
B
I can agree with that. But I, I think I'm. I'm gonna, I'm gonna have to double down on your. I'm not sure what those operations would be because like I, I think like the theory to me sounds sound like it makes a lot of sense.
A
It's a perfect theory.
B
Yeah. But then I think it's like all that you need is something that has an outsized effect, has not been disrupted otherwise can't be more effectively disrupted by any other mechanism and can be very effectively disrupted via cyber. But hasn't been up till now like.
A
So I think there have been a series of. And they seem to be getting faster operations that disrupt things like botnets that facilitate espionage.
B
Right.
A
And so KV Botnet, Cyclops Blink, VPNFilter. I think some of those are Russian, some are Chinese, and that seemed to be an accelerating trend. So now you're not solving the problem, you're not making it end...
B
Friction for the opposition.
A
Yeah, that's right. And I think that seems like worthwhile and so doing more of those and maybe like finding different avenues to do those, like devoting more time and effort on doing those so that they're more rapid and perhaps more effective, that would be good.
B
So I think sort of what you're talking about is like this, adding friction to operations. And I was just reading a paper recently on sabotage, basically the theory behind sabotage. And I think it's very applicable because it gives a way of thinking about that type of operation and how you can actually do it in a way that gets you some value, sort of. Rather than just doing it for the sake of doing it, but doing it to some objective. And so this is Sand in the Gears: Sabotage and World Politics by Joshua Rovner. And so basically he puts forward this idea that there are like three elements of sabotage, which is: sabotage is the weaponization of friction to degrade the performance of a target system from within. Sabotage has a strategic logic distinct from related concepts of covert operation, which hinges on non-acknowledgment or plausible deniability, and subversion, which hinges on manipulating behavior. The idea is that its logic hinges on turning friction into advantage. Third, given this logic, sabotage is limited as a standalone tool, but rather works to enhance and enable other policy instruments. That's very much a cyber thing. You can use it to add friction and it can create an advantage that you could then take advantage of in some other capacity. But I think where this is going to fall down is we've already said that all those other avenues, all those other policy options, have been taken away because they're occupied doing something else.
A
All you're left with is the friction.
B
All you've got is friction, which.
A
Well, it's better than nothing, but it's also not sending a message. It's just being a pain.
B
It's being very annoying. It's unlikely that someone's going to look at friction and be like, well, we better just stop, this is too annoying. I mean that, that might work for individual hackers who are looking at the. This is no longer fun. I'm not going to do it. But that's not going to be the case for like a military or an intelligence agency or, you know, a contract or anything like that where they, they don't make like their personal pain in doing something is not relevant to the decision of doing it.
A
Yeah, I think Salt Typhoon is contractors? I don't know that I've heard what Volt Typhoon is. I was just thinking that maybe adding friction just changes the contract. Makes it more expensive.
B
Yeah. Like, it seems to me that, like, adding friction, like, adding friction is inherently good, but if it creates advantage, is there any way of taking advantage of it? And I think that there isn't. So what's left? Like you, you can make it very annoying. You can raise the rates that the contractors charge because they find it an unpleasant task. So I think the thing is, when you're doing this messaging, what you're trying to do is you're trying to get to the policymaker and make them change their behavior. And I don't know if you can do that. By making it like this is a principal agent thing, you're making life difficult for the agent and hoping that the principal will change their behavior based on that. I don't think it works that way.
A
So I guess this is the. This will be BTN 143. The depressing episode.
B
You can't get there from here.
A
That's right. Thanks, Scott.
B
Thanks a lot, Tom.
In this episode of the Risky Bulletin's "Between Two Nerds" segment, host Tom Uren and guest The Grugq dive deep into America's cyber strategy toward China, prompted by a recent speech from Sean Cairncross, the US National Cyber Director. They analyze whether the US has been effective in sending deterrence messages to China, the shifting balance of cyber offense and defense, and the practical limits of "sending messages" through cyber means. The conversation spotlights challenges in detection, communication, and policy during an era of reduced funding and diplomatic capacity.
On the Messaging Challenge:
[11:04] "The academic literature is full of discussions about using cyber to send messages. I don't think it's very good at how people will receive messages from cyber, which is, I think, the big problem." – The Grugq
On Mutual Hacking:
[03:47] "I can't imagine that the US isn't completely up in China's telcos." – The Grugq
On Retaliatory Hacking:
[15:55] "So a while back, Mark Warner...suggested that the US respond in kind to Salt Typhoon...hack Chinese telcos in an overt and in-your-face, get caught doing it." – Tom Uren
On Cyber's Limits:
[26:38] "All you've got is friction." – The Grugq; "It's better than nothing, but it's also not sending a message. It's just being a pain." – Tom Uren
Episode Sums Up:
[28:19] "You can't get there from here." – The Grugq
Tom Uren and The Grugq lament the shrinking US cyber defense and diplomatic toolkit, focusing on the futility of trying to "send messages" to adversaries strictly through cyber means. They argue that real deterrence or behavioral change requires more than just hacking back or imposing friction. Ultimately, without the integration of restored diplomatic, defensive, and economic tools, offensive cyber operations alone are unlikely to materially influence adversaries' actions, leaving US strategy "lost in transmission."