Tom Uren
Hello everyone, this is Tom Uren and I'm here with a special edition of Between Two Nerds. The Grugq and I were invited to speak at the NATO CyCon conference in Tallinn. Before I drop you into that live podcast, I'd just like to thank our sponsor, SpecterOps, creator of the BloodHound attack path analysis tool. Find them at specterops.io. Now here's our live podcast in Estonia. So this event, we're clearly at a conference on cyber conflict and the theme is securing tomorrow. So I happen to have this eight-year-old paper that I thought we should discuss, securing yesterday. So this is a paper I co-wrote back in 2018 and it's "Australia's offensive cyber capability". And as a background, Australia had recently declared that it had an offensive cyber capability. To make sure we're all on the same page, people here have called it cyber effects. A sort of pithy way of describing it is deny, degrade, destroy. What's the other one?
The Grugq
Deceive, discombobulate, discombobulate, defenestrate.
Tom Uren
And they were at the time, the Australian Defence Department was planning to spend some percentage of GDP on this capability. So like even a small amount of a country's GDP is a lot of money. And they commissioned us to write this paper and it really reflects what the Australian Defence Force was thinking at the time about offensive cyber. And a lot of it, I think, was to reassure regional neighbours. We're going to spend a lot of money on this, like really a lot of money, but it's going to be okay because we'll use it responsibly. And it has actually a really nice section that we'll step through which has the strengths that they thought of offensive cyber at the time and it also has the weaknesses. And so this paper was released in 2018 and since then we've really learned a lot about how militaries are actually using offensive cyber capabilities. So we'll kind of in a way grade my paper and also see if it tells us what we can learn about the future. So this, like the ADF, the Australians, we're part of the Five Eyes, we think we're pretty good at cyber. So the internal perception would be this is a sophisticated view of what the capabilities were back in 2018. So what I'll do is I'll kick off, I'm not going to read the whole paper, don't worry. Once upon a time, by reading the first strength: for military tasks, these can be integrated with ADF operations, adding a new capability and creating a force multiplier.
The Grugq
Oh yeah, sounds reasonable. Next. I think that was probably very optimistic, particularly at the time.
Tom Uren
Now the thing I think of this is that yes, it can be so. For example, we've got the taking down of Viasat at the beginning of the invasion of Ukraine. The Russians took down an ISP at the same time.
The Grugq
Yeah, I mean they did huge numbers of wiper attacks against government ministries and they interfered with the ability of the government to operate as a normal government.
Tom Uren
But that seems like a force multiplier.
The Grugq
Yeah, but they're under wartime conditions, not a normal government. It could be a force multiplier. But the, the problem is that there's so much civilian infrastructure that can be repurposed as like civil infrastructure. Right. So for example, when Zelenskyy starts using Facebook to send messages to the people, like yeah, his email might be wiped, but that's not necessarily giving you, like you are not achieving decapitation by interfering with his official email address.
Tom Uren
Okay. So in recent months we've had the story is that intelligence from Tehran's traffic cameras and mobile phone towers was used to target the Supreme Leader and actually
The Grugq
probably achieved their war winning and strategic effects.
Tom Uren
But surely that is also a force multiplier. Right. They achieved a particular tactical goal which was to eliminate the Supreme Leader based on the intelligence. And they also, the story is they took down a mobile phone tower so
The Grugq
that the warnings couldn't get out.
Tom Uren
Warnings couldn't get out.
The Grugq
Yeah. Look, there's a lot of ways that particularly during the start of a, so like before a war actually gets going, when you've had time to pre-position and you've had time to sort of plan out and say here's what we're going to do at this particular time to achieve this effect. There's no friction at that point. There's no difficulties necessarily in achieving that. But once you're beyond that point, once you've gotten beyond being able to pre-position and pre-plan and everything, when it's actually like an organic war with both sides involved and friction and all of these issues, I question how much of a force multiplier it can be simply because there aren't that many computers in a trench. And if you're a cyber commander and you go to your general and you say, look, we can assist you with your operations. Give us two to six months notice and a three week window after that, we can tell you that we'll be able to maybe do something for either 15 minutes or possibly six hours. We can't quite tell. However
Tom Uren
One of the weaknesses, in fact the first weakness, is that capabilities need to be highly tailored to be effective, such as the Stuxnet worm that targeted Iranian nuclear centrifuges, meaning that they can be expensive to develop and lack flexibility. So that actually hits on exactly the point.
The Grugq
Except that's wrong.
Tom Uren
How's it wrong?
The Grugq
Okay, so I think one of the things that we've seen is that that sort of high-end capability does need to be highly tailored, but what people are using are not that sort of high-end capability. Like a wiper isn't that sophisticated.
Tom Uren
Right, okay, but like going back to the Viasat thing, right, that seems a bit more like this, like tailored to a particular network, to a particular time to achieve an effect. Ukraine and a few other countries.
The Grugq
Yeah, like it wasn't tailored enough, I would say. Right. But like, okay, but all they did was they downloaded bad firmware. Like that's not months and months of development, it's not millions of dollars of research. So like it's tailored, but in the sense of like giving something to a hacker for a weekend to work on.
Tom Uren
So there's a couple of other examples I can give. One is in Venezuela there's reports that when the US nabbed what's his name, Maduro, President Maduro, they flicked the lights and that under cover of darkness they were able to perform the operation more safely. So that seems like a multiplier, but a very small multiplier. Right?
The Grugq
Yeah, because you know, the US was really under threat from Venezuela and if they hadn't turned out the lights, they would have lost an aircraft carrier. Like, I mean it's a force multiplier when it's already like an elephant versus a gnat.
Tom Uren
To be fair, I think it's a useful capability to have. Right. If you turn it off. It is better to turn it off with a cyber operation than it is
The Grugq
to blow up, make cyber, not war.
Tom Uren
Right?
The Grugq
Yes.
Tom Uren
So one of the other things that I think you've already touched upon is that for operations short of cyber attacks, and this is another weakness, the effects can be relatively short lasting and limited. So the paper is a bit, to be honest, confused, because it says that for... They're talking about cyber attacks that degrade, destroy, deny, discombobulate. But in fact those tend to be relatively short lived as well.
The Grugq
And one of the things that doesn't come up here is that those like the 5D sort of capabilities, ignoring deceive for a minute, those are actually heavily dependent on psychological effects as well, which gets overlooked. So if you, if you have ever been hacked, then you know that the first time it happens, it's very distressing. And then the second time, it's not distressing, but it's very annoying. And, like, the third time, it's just kind of annoying. Right. Like, it goes from like, this is the worst thing that's ever happened, to it's a Tuesday.
Tom Uren
Wow, you really do get hacked a lot more.
The Grugq
So the thing is, if you're destroying someone's infrastructure and it's the first time that's ever happened to them, they feel violated. They've never had to go through the process of rebuilding. They're not sure where to start, who's in charge, what they should do first, and then they learn all of that. And so the next time you do it, they go, oh, what did we do last time? And they go through the playbook, and then if you do it again after that.
Tom Uren
So you're saying that it's not only temporary, but it also decays over time. So even if you can do the same thing a different way or they haven't patched or whatever, it's just less effective over time.
The Grugq
Absolutely.
Tom Uren
So, okay, the second strength, because we've talked a lot about weaknesses: they can engage targets that can't be reached with conventional capabilities without causing unacceptable collateral damage or overt acknowledgment. So that seems like it's true.
The Grugq
Yeah, well, I think you can. Actually, it's a little bit more interesting than that because you have to take... Well, maybe this buries the lede. There are entities that exist which cannot be hit kinetically. So if you take a telco, it's made up of physical infrastructure and people and equipment and all that, but it's also just a cyber entity that's made up of databases and computers and so on.
Tom Uren
So you can take out a tower, but you can't take out... Right.
The Grugq
You could wipe a data center, you could wipe a headquarters. Sorry, yeah, you could blow these things up without taking out the telco. But on the other hand, you can take out the telco with wipers and ransomware. However, as we've seen, there's a limited duration. You do hit these diminishing returns of like.
Tom Uren
Right. So you're talking, I guess, in particular about Kyivstar, which was wiped a couple of years ago now.
The Grugq
Yeah. December of '23, I believe. Yep.
Tom Uren
And you think that the actual impact of that was what, people had to
The Grugq
cross the road and buy a SIM card for another network.
Tom Uren
So my take at the time was that that was a counterproductive operation, because if you're in a telco, there's just so many opportunities for intelligence collection that.
The Grugq
So I agree, but I think that.
Tom Uren
And I guess the point was that the first strength was creating a force multiplier, and in that case it seemed like there wasn't any force to multiply. Right.
The Grugq
So that gets back to the thing of, like, when cyber creates an effect that's only useful if you can exploit it, otherwise it's an effect that sort of comes and goes and to what end? Nothing. Right. So unless it's exploited, it's basically a waste. Unless there's something that you're getting out of it, you're just wasting capability. But as we've said, it decays over time. So you're not just wasting capability, you're making it less effective the next time. But back to what I was saying earlier, you cannot actually exploit that effect because friction will interfere with the timing.
Tom Uren
Right. So one hypothesis there is they would have liked to have wiped Kyivstar at a different time, to combine it with a conventional military operation and they just weren't lined up or.
The Grugq
Well, no, I mean, for everyone who's not Russia, you would like to be able to do an effect and then exploit it. But I think in, in the case of Kyivstar, the directive wasn't so much a strategic decision as a political decision. I'm not sure if anyone's aware of this, but a lot of the time organizations do not necessarily make decisions with pure strategy and the national interest. There's occasions where there might be internal politics or someone's a bit tired and makes the wrong decision and then doubles down because they don't want to look dumb. And any number of things can happen, but it turns out that probably happens with the enemy as well. And in this case, my suspicion is that the need to appear to be participating in the counter-value campaign was stronger than the need to deliver usable intelligence. And so they made a poor strategic decision for very rational political reasons.
Tom Uren
Right.
The Grugq
Which obviously would never happen outside of Russia.
Tom Uren
There's another interesting example. Just recently in Operation Midnight Hammer, which was the US, they either successfully or unsuccessfully blew up Iran's nuclear program about a year ago. We can only presume unsuccessfully because we're in another war about it. The claim is that they disrupted some router, what sounds like a router, and that enabled air defences to go down.
The Grugq
Right.
Tom Uren
So that seems like a force multiplier finally.
The Grugq
Yes, I guess. I mean, but given that cost, would they have been better off doing drones like the Israelis did.
Tom Uren
But I mean, the particular case was like, I think it was, was it B-2 bombers, something like that. So very specific bombers with specific types of bunker buster munitions hitting a small hole somewhere in the ground.
The Grugq
I mean, like, so it seems like
Tom Uren
switching off air defense would be very nice.
The Grugq
Right. So I'm not going to say that cyber is never useful because I don't believe that. But I think every time that it gets pushed into a situation where it's a substitute for kinetics, that's not playing to cyber strengths. Like, cyber strengths are not like, it's like a missile but invisible, that's not what it's particularly good at. So whenever these operations come up where they're like, we will use it to do missile-like things, but at the click of a button, that's not where the value is. And it's like square peg in a round hole sort of thing.
Tom Uren
Yep. So the example the Australians have talked about, the actual action took place a couple of years before this paper was written. And they only spoke about it, I think, in 2023. But they talked about how in Iraq they were supporting a military movement and, was it Iraq, ISIS? Daesh. People had mobile phones and they wanted to disrupt the mobile phone communications. And so they had something to just disconnect it from the Internet. So that seems like, that's if you're going to spend an extra percent, not a percent, but an extra huge amount. It's like, well, we're going to turn people's phones off. And the effect was so temporary that if the terrorists rebooted their phone, they would work again.
The Grugq
Right.
Tom Uren
And then they came up with another capability that would just brick the phone. So that was the quick response capability.
The Grugq
Right.
Tom Uren
So that seems like. Yeah, that's kind of useful. Is it a force multiplier? I think you would achieve the same, exact same operation without turning people's phones off.
The Grugq
Is it decisive? No. No. Is it fun? Yeah.
Tom Uren
So it seems to me that there's incentives to be on those phones in those terrorist networks for intelligence gathering purposes. Right, sure. And so if you can go, okay, turning them off at the exact right time, that would be nice. It seems like the marginal cost of doing that is actually like, the opportunity cost is the biggest cost.
The Grugq
Right.
Tom Uren
It's not the, let's spend an extra.
The Grugq
Well, it's not like you're going to get a lot of ongoing information from a suicide bomber. Like at some point you'll run out of, like the opportunity cost is quite limited because their future sort of.
Tom Uren
Well, and I mean also in the original conception, they would just reboot their phone anyway. So a win-win. So they provide global reach. That to me, it seems fair enough. Like you can hack anywhere on the planet, but then I think about the number of militaries that want to.
The Grugq
Right, right.
Tom Uren
Have global reach. Right, yeah.
The Grugq
It's like just because you can hack anywhere in the world, it doesn't. Unless you have force projection that allows you to go anywhere in the world to take advantage of that, what's the point? I mean, sorry, I strongly endorse doing that because cyber is very cool and all, but it's hard to see why that would be a big selling point if you can't send a lot of people to Iceland to do something. Being able to hack Iceland isn't necessarily a great capability.
Tom Uren
Yeah. So it feels like there's a small number of countries, the US, China, other countries with aspirations, like Australia, one of the great global powers. Yeah. They provide an asymmetric advantage against an adversary for a relatively modest cost.
The Grugq
I thought they had to be highly tailored and expensive.
Tom Uren
So, yeah, to be honest, there are different parts that say different things. So for example, in the paper, for relatively modest cost, and I think in this part of the paper, they're talking about compared to, say, buying $50 billion worth of submarines from the west, which is a thing that Australia is doing.
The Grugq
Yeah. It's cheaper than shooting down drones with Bugattis or whatever it is, like Lamborghinis.
Tom Uren
Right.
The Grugq
But here's. Here's one of the examples I have in my dissertation, which is, in my opinion, the Industroyer 2 attacks by Russia in October. So in October of 2022, there was two sets of attacks by the Russians that managed to turn off the grid in Ukraine for a few hours each. And in my opinion, that was an absolute disaster for the agency that did that, because beforehand you could say, yes, we have this capability. We could turn off the grid. We're invisible masters. We can come and we can do all this ninja stuff.
Tom Uren
Like when you don't show the monster in the horror movie.
The Grugq
Right, right. And then you get a chance to do it, and it turns out you can turn off the lights for four hours. After two months of work with however many people, and you turn off the lights for four hours. That is an absolute disaster. If they hadn't succeeded, it would have been so much better. They could have gone, ah, you know, if only we'd gotten through, then you would have seen something. But instead it turns out that they're less effective than, you know, a kilo of dynamite.
Tom Uren
Right, right, right, yeah. So that hits upon a couple of things I mentioned before, that it's, you need to be highly tailored, relatively short lasting and limited. I think there's another weakness here, that capability can't be showcased as a deterrent in the same way that conventional capability can, because revealing specific capability renders it redundant as defenses are repaired. So I guess that hits upon the... They're more likely to be resilient as you continue to hit them. I guess this is the use it or lose it, or use it and lose it.
The Grugq
So I would say that what you should probably do is you should have a parade and then you could have goose-stepping hackers.
Tom Uren
So one of the final strengths is they can be overt or clandestine depending upon the intended effect. My impression is that there's a number of countries that do relatively a lot of actual operations and we hear about a small number that are made public. So until maybe the last year or two, the US, they've spoken about... Well, have they spoken about it? I've heard about them disrupting ransomware groups. Like not the public parts, but the secret spooky parts. They've talked about the Iranian decapitation strike.
The Grugq
Yep.
Tom Uren
And when I say they, I mean that people have leaked it to the press, and then also the nuclear strike. So it seems like they're becoming... There's this steady drip, drip, drip. The UK, I've heard of a couple of stories. And Australia then a couple of stories, the one I mentioned before, and another case where they said there was a big data leak in Australia. The hackers got into medical records and they did like really nasty things, like releasing lists of people who'd had psychological problems or really sensitive medical issues. And so Australia went and wiped the bulletproof hosting service. And then the way the Australian Signals Directorate does it is they'll just talk to a reporter and say, yeah, we waited until they were out drinking, they're in this town in Russia, they go out drinking, we wipe their hosting server. And so it's got all the elements of a little bit of personal intrigue and they sort of wrap it up in a nice bow. But it seems like each country has got a different approach to whether they want it to be clandestine or overt.
The Grugq
Yeah. So I think this is one of the things of like, cyber is very, very different depending on the political context. And so to a degree this is why I've always thought the discussion of like, is cyber escalatory, that's not a useful discussion to have, because it's not the technology that determines if it's escalatory. It's the use of that technology given the political context. So things like, it's useful to be clandestine and not to be attributed, that is true at some points in time, but if you're, for example, in a shooting war, it no longer matters. So all of that framework of how to reason about cyber is bound up in the political context of peacetime, below-threshold capability. And once you cross that, so much shifts and changes that those frameworks cease to be useful. They're just irrelevant.
Tom Uren
Yeah, so one of the things here, weakness: achieving the appropriate specificity and proportionality requires investment of time and effort. And there's basically a statement in here that like, you know, Australia would never do something as terrible as WannaCry or NotPetya, because we're the good guys, basically. But that seems to be a concern of the time. Right. Like no one ever talks about, we are using cyber proportionately and responsibly. The US has talked about normalizing it, and all the operations you see, as they have appeared in the press at least, I would say, are perfectly fine. They're proportionate and targeted.
The Grugq
Yeah, but could you do something disproportionate in cyber, for example?
Tom Uren
Well, WannaCry, NotPetya.
The Grugq
Probably a bunch of mistakes, though, both of them. They weren't intentional.
Tom Uren
Yeah, but you can do disproportionate.
The Grugq
I mean, even Stuxnet escaped. Right. Those were not state policy, to quote Dr. Strangelove. Right. Like that was not an intended effect. And it is entirely possible for anyone to write malware that misbehaves. So certainly it's more likely that one of the bad actors who doesn't put that much effort into making sure it's all done right and doing testing and whatever, it's more likely they would get it wrong than, you know, NSA. But again, it's not state policy, so I still wonder if it's, could you do something that terrible?
Tom Uren
So overall, I think the paper, I'm proud to say, I think it actually holds up pretty well. I guess the question is, almost eight years ago, this was sophisticated thinking. Now the things that I think have really changed, the rise of AI very recently and also like the rise of drones. So those are two things that people in ASD were never going to think about. Like they're totally out of the blue. It's impossible to know back then that they would happen. Right, right.
The Grugq
So if you were to go back to 2018 and you said, all right, imagine the year 2026, which of these two scenarios is more likely: (1) memory corruption exploits are dead, or (2) Pwn2Own has so many entrants they have to turn people away, leading to a flood of people dropping 0-days in public. It has blindsided people, coming out of nowhere. But then again, I guess the question with AI is how big is the change going to be when it settles down? Is it going to... Are we going to be having this endless stream of 0-days forever, or is it going to burn itself out and then we'll be in a bare space with fewer things?
Tom Uren
My gut feeling is that it will burn out.
The Grugq
Yeah.
Tom Uren
Because I'm a forest fire kind of a guy. But I just can't believe that there's infinite bugs in a piece of software because it's not infinitely.
The Grugq
You are not a developer.
Tom Uren
Yeah. So to be honest, this is just my total personal belief system. I also don't believe that AI will be infinitely smart. But you talk to AI people who work for Anthropic and they go, yeah, you're screwed, you're obsolete. So those are, I guess in terms of predicting the future, I have absolutely no basis to believe what I believe. Except for me.
The Grugq
Yeah. On predicting the future. Right. So would you say that if we were to take however many predictions or the things that you put down eight years ago, if you were to do that same exercise today and then we come back in another eight years and you were to look at them, would you say, oh, wow, I could see how at the time these were important, but obviously we were missing whatever big things. Or would you say, oh, we had really, like in that initial eight year period we'd learned a lot, so the next step was much tighter and much closer.
Tom Uren
Right, right, right. I think like thinking about the paper, I think it got a lot of conceptual things right. I think in practice what has happened is that the clever, intricate Rube Goldberg operations occur right at the beginning of conflicts. And that means that I think the number of countries that are going to launch surprise attacks on other countries and have the capacity to do that kind of planning and development is like pretty small.
The Grugq
Right. And I'd say that making that even smaller is that a lot of the countries that would be doing that are developing nations on other developing nations.
Tom Uren
Right.
The Grugq
Until you get to like China and Taiwan or I guess Brussels and Luxembourg.
Tom Uren
So China, Taiwan, I think there is a thing to be worried about. Right. But in terms of the actual... So we're looking at it in the sort of cyber domain, offensive cyber. And right now if you said to me, what I would predict would happen is that people will gradually know that offensive cyber in particular has got strengths and weaknesses. Obviously, it seems like we have been going through this. There was that whole cyber Pearl Harbor, I think a British general said that, you know, we won't need tanks, we'll just have cyber.
The Grugq
Yeah.
Tom Uren
And I think people have gotten over that, but it still hasn't settled down. Right.
The Grugq
So, like, there's the... Everyone was very excited. Then there was Russia's invasion of Ukraine, where the cyber war that was predicted didn't show up. And everyone got very depressed because it turns out that cyber is not decisive and war winning, that was one of
Tom Uren
the weaknesses that we didn't get to.
The Grugq
Right. And then the Americans start using cyber in these sort of overwhelming operations and people get excited again, like, see, we told you. And it seems, it does seem to be oscillating between extremes. And it's like they're both wrong. Cyber is weaker than its proponents think it is, but stronger than its detractors claim.
Tom Uren
Right, well, that's time. So thanks very much, everyone. I just wanted to have the last word and say that before you enter warfare, I think that cyber espionage is actually tremendously important and powerful, and that adding offensive cyber to that capability seems like a no-brainer because you can do different things for not very much extra money. I think it probably doesn't make sense to spend billions of dollars on active cyber.
The Grugq
I'm going to push back a little bit. I strongly recommend hiring outside consultants for billions of dollars, particularly podcast hosts with a broad vision of... thanks very much, everyone. Thanks a lot.
Live from NATO CyCon, Tallinn, Estonia
In this special live edition from the NATO CyCon conference, host Tom Uren and co-host The Grugq reflect on the evolution of offensive cyber capabilities, using an eight-year-old paper co-authored by Tom for the Australian Defence Force (ADF) as a touchstone. Their discussion moves from the theoretical strengths and weaknesses outlined in 2018 to how real-world incidents—especially the Russian invasion of Ukraine—have tested and sometimes upended those predictions. The duo provide candid, often humorous insight into whether offensive cyber warfare is living up to expectations, drawing on fresh case studies and trends like the impact of AI and drones.
“…it really reflects what the Australian Defence Force was thinking at the time about offensive cyber…to reassure regional neighbours…” (Tom Uren, 01:16)
“What people are using are not that sort of high-end capability…like a wiper isn’t that sophisticated.” (The Grugq, 06:10)
“If you’re destroying someone’s infrastructure and it’s the first time…they feel violated…then they learn…next time you do it…they go through the playbook…” (The Grugq, 08:58)
“You cannot actually exploit that effect because friction will interfere with the timing.” (The Grugq, 12:07)
“Is it decisive? No. Is it fun? Yeah.” (The Grugq, 16:14)
“Unless you have force projection…what’s the point?…Being able to hack Iceland isn’t necessarily a great capability.” (The Grugq, 17:15)
“Capability can’t be showcased as a deterrent in the same way that conventional capability can…” (Tom Uren, 19:44)
“It’s not the technology that determines if [cyber] is escalatory. It’s the use of that technology given the political context.” (The Grugq, 22:14)
“…it is entirely possible for anyone to write malware that misbehaves…” (The Grugq, 24:13)
“You are not a developer.” (The Grugq, 26:28)
[26:56-29:00] Tom wonders if future retrospectives will see today’s cyber experts as insightful or missing the next big shift.
Key Quote Summing Up the Dual Nature of Cyber:
“Cyber is weaker than its proponents think it is, but stronger than its detractors claim.” (The Grugq, 29:15)
Humor, Self-Reflection and Guarded Optimism:
The conversation is lively, self-deprecating, and grounded in both practical security experience and dry humor. Both hosts are skeptical of the extremes (“cyber will replace tanks!” vs. “cyber is useless!”) and advocate for a realistic, nuanced understanding of offensive cyber power in statecraft.
This summary captures the episode’s essential arguments and memorable moments, making it accessible whether or not you attended NATO CyCon or have read the 2018 ADF paper.