Loading summary
A
Hello, everyone, this is Tom Uren. I'm here with the GRUK for another between two nerds. G', day, Grok. How are you?
B
Good day, Tom. I'm fine. And yourself?
A
I'm very well. This week's edition is brought to you by Corelight, who makes and maintains the open NDR network detection and response platform. Find them@corelight.com so you've been thinking about, I guess, how best to organize cyber forces. Is that what you would call them? And you, you very provocatively came to me and said, housing cyber, your cyber people, your cyber forces within a SIGINT organization or a signals intelligence organization. It's just not the right place.
B
Yes.
A
So I guess to just sort of step back. I can think of two countries offhand, the US and the uk, where the US has got nsa, which does signals intelligence and cyber espionage, and it has the Cyber Command, which is responsible for military cyber stuff, including effects. And then the UK has gchq, which does intelligence collection, cyber espionage, and it has the National Cyber Force, which is relatively new, I think maybe three years, something like that, four, maybe. But other countries that I'm familiar with, they tend to keep them together.
B
So the claim I'm making is sort
A
of
B
less of a practical one of, like, this is the wrong organization to deal with this and more of a philosophical one that these sorts of organizations don't necessarily have the right mindset. So I'll lay it out for you and you can tear it apart as we go. So, as you said, the starting point is that SIGINT is the wrong home for cyber. And there's a bunch of reasons for that. One of them is that by being within sigint, you have these sort of legacy things that come with it. So you tend to think about, like, equities. Like, as soon as you think about your cyber stuff, you're going to start thinking in equities of, like, how, like, now that we have access, if we were to use this for an effect, it would have an. Like, it would be an opportunity cost for all the potential intelligence we could collect.
A
Right, right. So you're talking about, I guess I would call it, protection of capability.
B
Right.
A
So the traditional signals intelligence attitude is signals intelligence can be really valuable, but it's also relatively fragile in that if the adversary knows that you're listening in on their conversations, like, it's relatively easy to change their practices. And so secrecy was always fairly, fairly very important.
B
Yeah. Like, it's. This is. This is a sort of. I want to say it's a legacy from World War II, but obviously it goes back further. But I think World War II really brought it home a lot when the, like the, the battle for the Atlantic with the Enigma machines, every time they changed codes or they added like an extra wheel and stuff like that, you just, you'd go dock for a period and the losses would go up and then you'd crack it again and the losses would come back down. So it was a very life, right? It was life and death. You could see it and you could plot it on a graph, like, here's when we could read it and here's when we couldn't. So I think that, like, I'm not saying it's the wrong mentality to have, I'm saying it's the wrong mentality to have for cyber. Right? Like within reason. Like, I think if you haven't, if you have access to like an incredibly hard target, that's different from most of the time where targets are just. They're not that hard.
A
Right, right. So I guess, to paraphrase what I think you're saying is that as a default position, it's not correct for cyber operations. Because, because they're just different from. Well, I guess we'll get into why they might be different, but.
B
Right. So basically I'm, I'm suggesting that the SIGINT mindset subordinates action to collection. Right? You'd say that collection supersedes pretty much everything else. Now, I'm not suggesting that the siking organizations cannot do effects or that they do bad effects or whatever. They absolutely do do actions, but I'm suggesting that they're the wrong place for it because they still have this collection first mentality, which is going to bias them against taking action. To me, the way it looks is that SIGINT agencies come to cyber and they say, great, now we have a new pipe to get information. We've got a pipe to targets and we can collect through this pipe and there's nuances and differences and all that, but it's still very much a, this is a thing that allows us to do our intelligence job that, you know, we've always done. And I think that these days for most societies, by which I mean the very, very small number of highly advanced Western societies. Yeah, but I think that, you know, if you have a digitized society, right, if you've got like, you know, your, your grocery delivery app, your, your ride sharing apps, all of these things, I think that you sort of have to look at cyber as. It's not just a pipe, but it's a substrate in which society is embedded. Like cyber is this much, much broader and more integrated thing. It's not just a simple access point. And what that translates to me is that it means it's somewhere to operate, not something to collect through. And so, like, that's the mindset that I'd say would be different.
A
Okay. Right now this may be a difficult question because it's a hypothetical one, I suppose, but what would that get us, though? Yeah, so I can see that's.
B
That's the question.
A
Yeah, yeah, that's the question.
B
What?
A
Yeah, yeah. Well, I think.
B
No, that's a very fair question.
A
I think, I think from the perspective of, of an intelligence agency, maybe even a government, it would be. Collecting intelligence is good. Right. It seems that for some of the things that adversaries do in, on the Internet cyber operations, they're much more aggressive. But it doesn't seem like many of those, or many of those things, it seems like they're something we would just not do because they don't match our values or there would be. They would undercut our own. Yeah, this is a loaded term. But moral, moral superiority. Right.
B
No, I completely agree. Like, it's sort of. And the other thing you could say is a lot of them are just not that effective. Right, right. Like, the things that tend to be the most effective have been meddling in elections and even that is sort of hit and miss. Right. It's not a, or hit or miss, I guess it's, it's, it's not a guaranteed thing. Like, you don't just show up and be like, okay, we're going to do the, like the Twitter bots and the, the, the paid TikTok influencers, and now we win and our guy gets in charge and he's going to do exactly what we want. That's not, not that the, the west would do that anymore.
A
Because I was just thinking, I read a little while ago, it was about the Iranian revolution in, I think, was it 54, where. Yeah, yeah, the author, I think it was all the Shah's men. And the author spoke to people who'd been involved in the fomenting the revolution. And the CIA in particular spread a lot of money around and like, you know, everything that's happened in Iran is kind of downstream of that. And it struck me, by the way,
B
is one of the things I find particularly amusing when people will say, like, we've been at war with Iran since 1979. And I'll be like, why do you pick that as a date like, why not 1954? Like, if you're going to go all the way back, you may as well
A
go all the way back.
B
Yeah. Like, there's an arbitrary number of points in time that you. Like, ever since Darius the Great tried to invade, you know, we've always been at war with Persia.
A
So what struck me was like, the story itself is really interesting. It's unclear to me how much difference that foreign interference made. Like, you can construct a story of the CIA money went to these places and these people did these things, and you can construct A, A to B to C to D. It's unclear to me whether that would have happened regardless.
B
Anyway. Right.
A
Yeah.
B
Right.
A
And it seems like if you were to interfere with other countries, that that story is a lot more compelling than the. Oh, we went on social media and posted about things.
B
Yeah.
A
In a deceptive way.
B
So. Yeah, well, so this reminds me. So, like, at one point in, like, I think the late 50s, early 60s, or it might have just been in the 50s, the UK was trying to do all these propaganda radio broadcasts into Arab nations, and then they went to the diplomatic arms in all of these places, like all the embassies, and they said, can you give us a report of how well we're doing? Like, is there a lot of uptake? Are you hearing feedback about these things? And a bunch of places just wrote back, like, there are no radios in Oman.
A
So, I mean, the good news is that nowadays, I think everywhere on the planet has at least a mobile phone, Right?
B
Yeah.
A
Whether you can cut through, of course, is a totally different question, because there's probably a lot more competition. So, anyway, I guess we. We've, like, one possibility is you can interfere in elections in a way that's probably less effective than, like, just directing and throwing a lot of money into opposition groups.
B
Right. So here's. Here's where I'd say it's actually useful. You have the entire counterintelligence repertoire available to you, and I think that this is something that's not being taken advantage of enough. So, for example, if you're on the GRU networks and you see that they've compromised at. No, like Australia Electric, whatever it's called. Right. That they've compromised something in their critical infrastructure, because let's just keep it very easy and straightforward. You could then go to that critical infrastructure company and you could arrange for them to organically discover this penetration. Like, you could say, you could show up at their office, speak to CEO and be like, here's what you have to do. You need to hire an outside firm to audit your networks, particularly this network, and, you know, follow up on their findings. And that would be able to be like a. Like a natural way of discovering this penetration that's happened, evicting them. And you don't, like, you're doing sufficient source protection that you're not losing your access, but you are disrupting an enemy operation.
A
Right, but how is that different from what an organization might do today? So my understanding vaguely is that if a counter intelligence agency discovers a compromise in an important organization, they just knock on the door or whatever.
B
Right. So my. My contention is they could be more aggressive. Right, right. That it's sort of like you don't need to be weighing the equities of, like, oh, but it's the water supply. Oh, but we might, like, tip off that we've got our thing. Like, I guess the water supply is really important, but what could they actually do? Well, you know, like, you don't. You wouldn't need to do that. But I think that there's, like, a lot of other things that you can do. Right. Like, it opens a lot of opportunities for sabotage and inserting friction into foreign societies that could be useful.
A
I mean, I kind of think that the GRU example, it would be, we're on the GRU network. Here's a way that we can meddle with their internal operation or maybe their politics or something, I don't know. And from an intelligence point of view, being on that network is great, but from cyber operations point of view, perhaps that disruption is worth it. And so I guess it would be the default signals intelligence position. And again, I said default would be, let's just sit there and will use that access to tip off all the critical infrastructure that happens to get hacked. Whereas a more aggressive approach might be, how can we disrupt it so that we don't have to worry about it for, I don't know, six months or something.
B
Sure. Yeah. So one of the things I was thinking of is the fast 16 malware where they introduced this bug into the specific piece of software that would make the engineers believe that their equations were wrong.
A
Right, right. This was the Iranian nuclear program. It appears that perhaps the US Likely the US Put probably not a very subtle male.
B
Which is my guess.
A
Yep.
B
Yeah. And like, it was. It was subtle. It tweaked just a little bit of one thing to achieve the specific aim. And so, you know, this was maybe a bad example for my case of like, yeah, but that was. That was a signal intelligence. However, I'm suggesting that there should be more of those and there should be
A
more frequent, more common. Right, Yep.
B
Right.
A
And so that in that case it was presumably Iran in those days was a very high priority target, you would think. And so it occurs in the very highest of priorities because you can get your act together to organize it, but it's not a natural thing. That's happening all the time in a signals intelligence organization.
B
Right. So I sort of, if you look at historical examples, there's sort of signals intelligence is a bit of a, like it's been around for a little while. Right. And so it's coming with a lot of legacy stuff that is, it's got these, I mean, I'm going to say legacy mindsets, but that, that's a little bit unfair.
A
Historical. Traditional.
B
There we go. Traditional, right, yeah.
A
Like they're proven by practice, even. Bad, intuitive,
B
Battle hardened.
A
Yes, exactly.
B
Yeah. Okay. So what I was thinking is that the SOE is more what I'm thinking
A
of Special Operations Executive.
B
Right, right. So it's a, a very aggressive organization that's still doing intelligence work. It still does collection, it still views collection as an important part of its role. But it is biased. And I'm not suggesting that you have to be biased, but they are biased towards operations. Right. So the way I sort of phrasing that is that SIGINT is collection terminal and SOE is actions terminal. Meaning that like for a SIGINT organization, the goal is to just collect. And while they might do other things as well, their primary mission remains the this collection. And with soe it would be sort of like, I think it would be a bit more of a 50 50, like not necessarily the historical SOE, but what I'm proposing, they'd be CO equal as opposed to collection, and then underneath collection is action. So they'd be given equal weight. Like you wouldn't discount actions just because it might interfere with collection. You'd look at what are all the things that we would get from this action and then value those equities against what you have. Not necessarily.
A
So one thing, the Special Operations Executive, that was World War II, right? So.
B
Yes, correct.
A
Was it when in World War II was that formed?
B
So it started in, I think 1940. And so Churchill started it because the
A
SIS, which is the Special Intelligence Service, I think. Is it a secret?
B
Yeah, I think special.
A
So they're also known as MI6.
B
Yeah. So the MI6, Military Intelligence 6. And like, basically their bias was very much like, don't rock the boat, we've got collection in place, we don't want to disrupt our networks. We don't want to draw attention to ourselves. We're getting a lot of good intelligence by just sitting here. And Churchill was like, but you've got like someone in that office, so why can't you just blow up the office? Which.
A
Very direct.
B
Yeah, yeah. Like you like. Their directive was to set Europe ablaze.
A
Okay.
B
So was very, they were very aggressive in their stuff. They weren't particularly long lasting. Like as soon as the war was over, they were disbanded in 46. Okay, yeah, 1946.
A
I, I guess I really like that as a historical example. I think it's kind of neat that you would look like that or look back to that and I can see why that is. But two things occur. One is that they were in an existential war. So it seems like maybe get to this.
B
That's great. Yes.
A
The, the stakes maybe not high enough right now that you would want to do that. And then the second thing is being in an office collecting intelligence and blowing up the office. Like they're very extreme differences. And I don't know that cyber operations get you to that, that extreme. Like we talked about, like the GRU and I suggested maybe you could disrupt them for six months, maybe that is probably even optimistic. Right. Or yes, I guess what you would hope is that you could impede them or embargo them like a little bit for a long ongoing period of time.
B
Right. So from my, from my PhD dissertation, I have a thought experiment to try and show why I think effects from like the grand like deny, deceive, destroy, disrupt sort of thing. Like I feel that that military mindset is not a good fit either. And the thought experiment I have is, let's say that you have access to the Russian rail network. Like you are Ukraine and you've got access to the Russian rail network. You could wipe all of their network stuff. And we saw with Belarus what happened right. When the Belarus cyber partisans wiped the Belarus network, that caused an eight hour delay for troop shipments, which is very impressive for a hacker group to do that sort of disruption. But for a state in war, like buying eight hours on a Wednesday and you could like, you could increase that. You could say like it's 24 hours or it's 48 hours. Right. That's just, it's not useful. Like it doesn't get you anything and it loses your access to all of the train movements, which is useful. However, what I'd say is there would still be interesting things you could do. So I don't know if it happened and it probably didn't. But for example, when the Kerch Bridge was blown up, there was a fuel train that was stopped right where the bomb went off.
A
Right, right. This is the bridge between Crimea and Russia.
B
Right.
A
It was kind of.
B
It's symbolic as well as vital artery.
A
Yeah, yeah.
B
So I would say, like, that sort of thing would be interesting if you've got this capability and you could misroute some things in an organic way. So it looks like an honest mistake that I think is an interesting attack and it doesn't necessarily cost you the access. So I would say, like, I would be biased towards subtle things that allow you to achieve other goals as opposed to, like, let's just wipe everything.
A
Right, right. And so I guess in the example or what you're thinking of, an organization that is Cyber Native would go, okay, we've got this access. What are all the other opportunities we can use to enable other things? Right. Whereas a signals intelligence organization would go, we've got this access. Let's make sure that we hold onto it because of the intelligence that will enable other things.
B
Right. So there's that. And if we ignore SOE for a minute, because that's sort of the mental model that I think makes sense historically. But the alternative way to think about it is a hacker army. Right. If you have a hacker army, you can do different things than if you just have a SIGINT organization. A SIGINT organization doesn't think in terms of like, what can we do within the medium that will allow us to do something creative and interesting and useful. You know, it doesn't necessarily have the same default mode of operation. Just like, how can we exploit this in a good way that gives us some advantage directly? They're thinking more like we are getting the advantage from what we collect and our access needs to be preserved so that we can keep collecting to get that advantage on the back end. So the general argument I'd make here, as you said, we're not in an existential war, but I think it would not be fair to say that the Internet is a state of peace.
A
No, I guess what I was thinking, which is maybe a bit broader than that, or less. Less binary, I guess, is that we're in a state where to me, it's not clear what is more important right now, like collecting intelligence to do things with that intelligence or conducting effects, different sorts of effects, operations. And I would agree that we're in a state of continual contest in. In cyberspace. But it's not clear to me that having better effects Operations leaves us in a material, materially better place. Like, so it seems like, I guess maybe, maybe the UK thinks it does, but to me it's. It's not clear at all. Right. And so there's. You've got your cyber personnel, the people who are good at that or all those sorts of things, and there's no perfect way to cut them up to do different things. Right. When you hive off some, pull them
B
out of, you know, asd, and then ASD can figure it out on their own. They can keep listening to satellites and radar and radios as much as they like.
A
I mean, you cut them up or you divide them or you organize them in different bureaucracies based on what you think is most important.
B
Yeah. Which would be great because having two bureaucracies is better than one, particularly for intelligence organizations, because then you've got all the sharing.
A
Yes, exactly. I guess there's other things about. There's a significant crossover. But I guess my broader point was it's not clear to me which is most important right now. So why change? And I think you were going to talk to that.
B
Yes. So, you know, the cyber persistence theory basically says that the way that you, the way that you create strategic advantage from being engaged in cyberspace is that you. It's a domain that is initiative advantaged. So the side that has the initiative has the advantage. And to me, that speaks very much to the. You have to do something to have initiative. Right. Like if you break into a network and you could see something's happening, like they're preparing an attack of some sort against critical national infrastructure, and you go, okay, this is good to know. We'll inform people up the chain and they could see that this is happening. That doesn't necessarily give you an initiative that's squandering this advantage that you've now had because you're not acting on it. Right.
A
I mean, it just strikes me that this is like the, in the U.S. cISA saying you need to patch these devices because they're shields up, because they're being hacked. And so I would concede that if that is fed by secret intelligence as opposed to just threat intelligence, that's not very effective way to use it.
B
Yeah. Right. So like, like, I think you need to be a bit more biased towards action because once you have the initiative, you can do a thing or you can do many things, but it's like being able to do something is the point. And I don't think that simply collecting gets you there.
A
Right.
B
I'm not saying that collecting is bad and that you shouldn't do it. Of course, I tend to think that it's overall more important in a lot of cases. However, I don't think it's more important in all cases, particularly because I think that there's an over reliance on this belief that if you lose access, it's gone forever. And I think that that's true for a very, very small set of extremely hard targets. Whereas for most organizations. Right. It's, it's, it's one of the things that we have, like we have this problem in cyber security or infosec as a profession is that when we think about companies getting broken into, we tend to think about exploits because we like to be at the high end of top tier operators who would use exploits against top tier organizations. But 80% of all incidents start with credential theft or default credentials or phishing or whatever. It's not exploits, it's this very, very low level stuff. And I think that that's going to be, that's going to hold true for the majority of organizations that you would be doing intelligence collection on. There's few of them, like the GRU or FSB might be the exceptions as incredibly hard targets, but like the railroad network or the oil company for Russia or a telco even is probably much weaker. And so I think that it's not necessarily useful to think about this one precious thing that we will never have again.
A
I mean, so a lot of compromises are enabled by the criminal ecosystem, things like info stealers and markets where you can buy credentials. Right. And it seems like to me that intelligence agencies might be reluctant to buy credentials from Russian cyber criminals especially.
B
I don't believe that actually. Right.
A
Well, I don't know. Like this strikes me as a dilemma that maybe they've crossed or maybe they haven't. Right. But at the same time they could be running effects operations against the very same criminal services that they're credentials of.
B
There you go. They wouldn't have to buy the credentials, they could steal them. Yeah, two wrongs make a right. How about that?
A
That actually seems to me to be more plausible than buying them.
B
Right. But I mean, I think we've talked about the. Was it lockbit, asd disrupted lock bit, or was it revolt?
A
I can't remember the name. So asd, they've told a couple of stories. There was a bulletproof hosting service that they wiped and then I don't think they gave the name, but they said that there was some malware that was sp around Covid time and they Basically trashed the reputation of the developer and made his malware not work properly. So they fiddled with the malware. Since you mentioned asd, there's an example of an organization that's doing effects and those operations seem like very reasonable for what they were trying to achieve. And it seemed to me that what's happened there is, it seems to be a political led decision in the sense that here's this person that's having an impact upon the Australian government. What can we do about this person? So it's like, here's a priority that led to an effects operation. So this probably doesn't support the idea that those organizations organically come up with those operations because it felt like there was a political imperative to do something about this person, this malware, rather than, oh, here's all these ideas, which one bubbles up as something that would be worth doing.
B
Right. So I mean, those are the sorts of operations that I would think would be what you'd want to do if, with this sort of, this, this cyber native organization. And you know, I think like the, the UK's Responsible Cyber paper that also puts forward a lot of things that I would expect this sort of organization to do where it's a lot more of like we're going after a small group of people and we're injecting distrust, like we're breaking up their ability to work together smoothly. Yeah.
A
So I was just thinking about the process for coming up with intelligence requirements. So in Australia it is that basically a group of senior people get together and they say, you know, here are the top intelligence requirements. And it might be, you know, we want to learn about the intent of this country and their leadership, yada, yada, yada, yada. And there is no effects requirements process that I'm aware of. And it also, that seems like the sort of thing where we know what we want to know. Like we know that we've got, you know, in Rumsfeld's. What's the word? Known. Unknowns.
B
Yeah.
A
So we want to know some of those unknowns.
B
Yeah, unknowns.
A
Yeah. But from an effects point of view, I think that everyone would be, I don't even know what is possible, like, how can I prioritize the unknowable. And so I think that may be an advantage for having a native organization where maybe the requirement would be we want to disrupt people who are threatening the, I guess in the, for the national cyber force, it would be people who are threatening the interests of the uk. And that's a very broad direct.
B
It's a large enough remit that you can figure out within there and you can start prioritizing as well. Right. You could say like this group out of, I don't know, like Rotania is very annoying, but they've only impacted like a small number of businesses and that's not as bad as this other like backwater Tania.
A
Yeah.
B
Who has a number of cyber groups that have caused massive disruption and actually impacted like the GDP due to their level of attack. We should go after them and make them cease to be effective, however we have to do that.
A
Yeah. So the sort of bringing it back to the Australian example, I'm sure that the requirement to go and disrupt a particular malware developer did not exist before the incident.
B
Right.
A
But in a perfect world you would be disrupting the people who are trying to do you serious damage. And I think, you know, one malware developer is not serious damage, but you, there would be people who you would like to disrupt before they have an effect. Right. And so I guess that's another argument for a separate. Does it need to be a separate organization though?
B
I don't know that it needs to be separate, but there needs to be like there needs to be a change of mentality. Sort of.
A
It needs to be someone's job.
B
Yes. Yeah. Like it needs to be understood that like this is its own thing and it needs to be treated as like a first class citizen along with the other, you know, like along with collection. There needs to be an understanding that like cyber provides all these opportunities and they need to be evaluated on their merits equally against these other opportunities. And that's someone else's problem. I wouldn't know how to do that. But I very much believe that remaining with a SIGINT mentality is sort of holding back things that could be done. And I'm not necessarily suggesting doing like the Russian playbook, which I think is not necessarily the most effective use of cyber. But I am absolutely advocating for things like disrupting a group by creating distrust amongst them or trashing one particular person's malware stream or causing someone to start doing OPSEC leaks and allowing like the police to then organically discover who they are so they can be, you know, dealt with that way.
A
So like, I'm thinking that what you're saying is that it's like, you know, signals intelligence, like we imagine it on a Venn diagram and there's some overlap with military, conventional military.
B
Right.
A
And, but you're saying that cyber is another circle entirely that overlaps with intelligence collection and it overlaps with the military. But if you're sitting in one of those Venn diagrams, if you're operating in an organization that's focused on, like, conventional military warfare or on intelligence collection, you're not really looking in that third circle which overlaps.
B
Exactly, exactly. And I would say that that circle is bigger overall than the second or the military one in its own way. Right. Like, it doesn't necessarily encompass everything, but it's a very large space that's not being explored properly.
A
Right, right. So there's just missed opportunities.
B
Correct, Right. Like, I think that there's, like, There's a lot of opportunities for, like, audacious actions that could be carried out meticulously, To coin a phrase.
A
Well, so, I mean, before we started, we were talking about the ASD values and, like, the joke is, it's not a joke that some of them are meticulous in execution, which talks about being legal, proportionate, ethical, I guess. And then audacious is operating, I think the phrase was operating in the slim area between the difficult and the impossible. So ASD actually has a history of very occasionally talking about these things. I'm actually interested to hear what the NCF has been up to, because it's been around for a couple of years. The responsible power in practice that was
B
in 23, I think, or 24. Like a very good document for years
A
that set out how they intended to do effects. But I've. I've not heard a single story from them. I'm hoping for, you know, it's. It's not the transparent power in practice, but still hoping for something there. Hoping for a good story we can talk about.
B
So all I'm going to say is my friends over there have been calling it the notional cyber force.
A
Oh, well, I guess we'll. We'll be waiting for a while. Yeah, then. Thanks. Crack.
B
Thanks. Tomorrow.
Host: Tom Uren
Guest: The GRUK (The Grok)
Date: June 29, 2026
This episode dives into the organizational philosophy and structure of government cyber forces: Should cyber operations be housed within traditional signals intelligence (SIGINT) agencies, or do they need their own distinct home? Tom and Grok debate the practical and philosophical consequences of legacy mindsets, the nature of cyberspace as a domain of contest, and how action and collection should be weighed. They explore historical analogies, cyber's unique opportunities, and why current approaches may lead to missed chances in defense, disruption, and strategic advantage.
"The SIGINT mindset subordinates action to collection...collection supersedes pretty much everything else."
— Grok (04:21)
"SIGINT agencies come to cyber and they say, great, now we have a new pipe to get information...But, cyber is not just a pipe—it's a substrate in which society is embedded."
— Grok (05:30)
Effectiveness & Constraints:
Disruption Opportunities:
"You could arrange for [a target] to organically discover this penetration...evicting them. You are disrupting an enemy operation."
— Grok (11:23)
SOE (Special Operations Executive) as Historical Model:
Limitations of Military-Style Thinking:
"SIGINT is collection terminal and SOE is actions terminal...SIGINT: the goal is to collect. SOE: actions might be 50/50 [with collection]."
— Grok (16:12)
"Bias towards subtle things that allow you to achieve other goals as opposed to, like, let's just wipe everything."
— Grok (21:44)
Cyber as Distinct Domain:
Missed Opportunities:
"I would say that [the cyber] circle is bigger overall than the intelligence or the military one in its own way...it's a very large space that's not being explored properly."
— Grok (36:57)
Theory of Advantage:
Exploitation Realities:
"The side that has the initiative has the advantage...once you have the initiative, you can do a thing or you can do many things, but being able to do something is the point."
— Grok (25:32)
How Effects Operations Arise:
Requirement Setting:
Practical Bureaucracy:
"So all I'm going to say is my friends over there have been calling it the notional cyber force."
— Grok (38:42)
| Timestamp | Speaker | Quote | |-----------|---------|-------| | 04:21 | Grok | "The SIGINT mindset subordinates action to collection." | | 05:30 | Grok | "Cyber is this much, much broader and more integrated thing. It's not just a simple access point." | | 10:27 | Tom | "The good news is that nowadays, I think everywhere on the planet has at least a mobile phone, Right?" | | 11:23 | Grok | "You could...arrange for them to organically discover this penetration...evicting them. And you don't...lose your access, but you are disrupting an enemy operation." | | 16:12 | Grok | "SIGINT is collection terminal and SOE is actions terminal." | | 21:44 | Grok | "I would be biased towards subtle things that allow you to achieve other goals as opposed to, like, let's just wipe everything." | | 25:32 | Grok | "The way that you create strategic advantage...is that you...have the initiative. So the side that has the initiative has the advantage." | | 29:11 | Grok | "[Worrying about] this one precious thing that we will never have again...is true for a very, very small set of extremely hard targets." | | 36:57 | Grok | "I would say that that [cyber] circle is bigger overall than the second or military one...it's a very large space that's not being explored properly." | | 38:42 | Grok | "My friends over there have been calling it the notional cyber force." |
The conversation is characteristically thoughtful and lightly irreverent, mixing historical detail with cyber policy critique and dry humor. Both Tom and Grok stress that as digital societies mature, legacy intelligence structures—rooted in secrecy, caution, and single-mission focus—may be failing to seize opportunities for resilience, disruption, and initiative in cyberspace. A "cyber-native" mentality is needed, whether it finds a home in a restructured SIGINT organization or a new entity entirely.
Summary prepared for those seeking deep insight into organizational design and philosophy for government cyber operations, with practical, historical, and future-facing perspectives articulated by two leading experts.