A

Hello everyone, this is Tom Yu Ren bringing you another between two nerds discussion with the Gruk. G' day Grok, how are you?

B

Good day, Tom. Fine, and yourself?

A

I'm good. This week's edition is brought to you by corelight. I had a chat with James Pope from Corelight, all about what it's like to run and defend the network at Black Hat. That was actually very interesting. That's out on the podcast channel this week. So a little while ago last month, Stuart Baker, who is the former host of the Cyber Law podcast, which I used to quite enjoy, and he was a former NSA general counsel, once upon a time he published this piece in Lawfare. Should American spies steal commercial secrets? And we've talked about the rights and wrongs of IP theft some time ago. So that was looking more generally at is there an ethical or a moral reason that you should or should not do IP theft? So that was BTN44, way back in 2023. So Stuart is arguing in favor of the US engaging in commercial espionage or intellectual property theft, commercial secrets. So I guess to sort of summarize his argument very, very briefly, China has risen to be an economic powerhouse. And part of the reason they've done that is because of state support to their industry that has included a lot of intellectual property theft by state backed actors. Cyber espionage actors, not always cyber espionage. In fact, there's a whole range of different tactics they've used. But that it's time for basically the US to respond in kind. It needs more industrial policy and part of that policy could be or should.

B

Be stealing back the secrets that the Chinese stole the first time.

A

Yeah.

B

So they can. Yeah.

A

I guess the first thing is it presumes that there are secrets that are worth stealing. And Stuart dives into how the difficulties, not exactly how it would work in practice, but the difficulties to get it working well. Yeah. So in our previous discussion we looked at the rights and wrongs of IP theft. And my somewhat cynical view was that the US tried to impose a norm of not stealing IP because it felt it had the advantage when it came to ip. So I guess you could see that in copyright law how it's very vigorous about pursuing trademarks, copyright claims, the lifetime of copyright for Disney, for example. And so it just reflected the US felt it was ahead.

B

Yeah. Particularly now that so much of what the US does is around services and ip. Right. Like licensing IP that the wealth generation comes from, I would say exploiting these laws, but I'd say you could frame it as people respecting these laws. As well.

A

I mean, I don't really have strong moral feelings about it. It just makes sense, the US to do that. And I think that's why I think.

B

The morality is like it basically always is for states. It's whatever is self serving. Right. So yeah, like it's morally correct that you shouldn't steal from me, but it's morally okay that I should appropriate from you.

A

So in terms of stealing from, well, anywhere I'd like Baker's explicitly saying China. I guess the one reason you might shift is if you feel that China is actually ahead, if it's dominating technologies now that you've got a positive incentive to try and steal stuff.

B

Yeah, So I would. There's a number of things that stood out in his article and one of them sort of touches on that specifically where he lists areas that China is ahead of the US and then he lists areas where China has been stealing a lot from the US and there is no overlap. Right. So China is now a global leader in five tech industries. Drones, solar panels, graphene and high speed rail.

A

I mean I thought the US was a high speed rail powerhouse.

B

Hyperloop capital of the world. Yeah.

A

It's so like further down he says Chinese intelligence has not ignored military technology. Chinese espionage has focused even more heavily on civilian industries such as agriculture, biotech, healthcare and robotics.

B

Right. Which are not drones, high speed rail, graphics or solar power. So it's. It seems to me that stealing doesn't work. If you were to use the evidence from his article, it looks like stealing is not a winning strategy to pursue.

A

Now I had thought that in some indictment I'd read there was theft from a solar company at some point, but long ago.

B

Yeah, to bootstrap. I think that because I remember there's a thing where they didn't even file the serial numbers off. Basically the firmware was identical and it was just a binary. They didn't steal the source code, so they just had a binary that they made work.

A

Yeah. So I think high speed rail is an interesting example because clearly they're not stealing from the US to get high speed rail. It's possible they stole from someone else.

B

The thing is, China actually has a very, very innovative high tech culture and they are leading in a lot of ways. But I said culture specifically because it's not built around the same sorts of approach that you have in the US.

A

What I was thinking is that maybe it's a culture and an ecosystem as well, because people who want to manufacture stuff, they go to Shenzhen and they walk around the markets there and they find whatever they need. So I think, is it Bunny Huang? He's got a book or a pamphlet or a guide about how to rock up in. I think it is Shenzhen. And here's all the things you need to think about when you're shopping. And like, part of the reason is they manufacture so many phones, not just iPhones, but all sorts of phones. There's this massive supply chain that provides many, many components that you want to use. So none of that is stolen. That's just. Maybe it was state supported. I don't know how much you can attribute that to state support.

B

You can't replicate that in the U.S. for example, because, like, there's just a lot of regulations and approaches and ways of viewing things that would interfere with that freewheeling environment that produced that ecosystem.

A

Right, right. I mean, it sounds a bit to.

B

Me like Silicon Valley, beyond just IP theft is what I'm saying. It's just there's a lot.

A

Yeah, well, what I was going to say is Silicon Valley is like a similar ecosystem, but for software nowadays. And it's not as if you could steal anything that would then be able to create a Silicon Valley.

B

Right. That's a great example. Because people have tried to create policies to generate their own Silicon Valleys because they've always looked at it and they're like, oh, ok, clearly you need some universities and some investment. And then it just spontaneously generates. And when that doesn't work, they're like, okay, well maybe we need to interfere a little bit more. And then it will spontaneously generate. And it's like, you can't force the network effects.

A

Yeah. So where I was heading when I started was that I think drones are more a symptom or an outgrowth of having that kind of rich ecosystem of hardware that you can whack together stuff quite easily. That's probably more why DJI exists.

B

Yeah. I think that's a better competitive advantage than the fact that they've got some special IP that the US doesn't know about. That would be. Yes, that would be my guess. Yeah.

A

Yep. Now, there is an interesting bit at the end of that paragraph where he says the haul from its commercial espionage is so massive that China has built an elaborate pipeline for stolen intellectual property, providing the tech to two dozen scientific universities that obtain Chinese patents, which are then distributed to Chinese companies. Was that a skeptical sigh I heard?

B

So I think that the problem with that is you're looking at the output end of this sort of espionage pipeline. And there's again, as we were saying, there's this ecosystem. It's the same thing with espionage. You can't just say, all right, let's go and steal IP 007. Go and find us some IP that's going to help the economy. That's simply not going to get you anywhere. You need so much stuff. So you need guidance from your own people in that commercial sector who can.

A

Tell you what's important.

B

Right? What's important, what you need, what you lack, and then who the players are to go after, you know, who's. Who's making the best solar panels that we can steal, and then what are the parts that we need to steal from them? Like, these are the things that we can do indigenously. And it's, you know, it's a straightforward ramp, whereas this is something that we're struggling with. And, you know, having that little extra edge would really help. So you need that. But then you also need, once it's been collected, a way for that to go back to that community, collect feedback and then iterate. You need a lot of stuff. You can't just decide that you're going to do solar, go out and steal a bunch of stuff from solar companies, patent it and then.

A

Yeah, so I guess that would be, in intelligence terms, that would be the SIGINT cycle, where in theory you've got this tasking, collection, analysis, refocusing. I'm sure I'm missing stuff, but it's an iterative thing where you hone in on what you want and you're always learning new stuff. Baker does go into that in his piece. He talks about like, this would be one of the problems. You would have to stand up some process to get commercial people involved.

B

Right. And I think he identifies one of the problems there, which is that there's just going to be favoritism, lobbying, and it's going to.

A

That doesn't sound like anything that would happen in a Western government.

B

Basically, like, as soon as you've got a thing set up to give economic advantage to some companies, then obviously that's going to be a useful thing to try and capture. And I think he admits that there's no way of stopping that. So I think what the Chinese have done, and this is speculative because I don't know the specifics, but I know that what they used to do at least was they had these fusion centers where there would be conferences which would bring together industry, the military, basically, public private partnership, if you will. Yeah. And they could exchange huge things that are important to us. Basically, that's where you could do your tasking to the military and they could feedback saying like that seems super hard. I don't think we can do it. What's a better first step? Or yeah, we've done that one already. What should we do next? And then at the next conference there's a sort of this feedback iterative process that you get where you have the same people meeting again and again and again to see what's working and what isn't. And it allows the customers to drive the intelligence cycle intelligently and that needs to be stood up. But then, you know, the US doesn't have a good way of, for example, sharing secrets with the public, which would be another thing because I think the Chinese are not quite as concerned about sources and methods. Like I think that they're very aware of how to steal the good stuff. Because when they have these low level agents where they're like, you know, make the students do things like, you know, when our business people go abroad, they should be looking for this stuff. You're basically finding the people that know the domain and know what's important and what would be useful and telling them to go and gain access to the secrets that would be useful. That's very different from trying like you're not taking James Bond and teaching him how like graphene works so that he can go and like figure out the important graphene stuff to steal. You're taking a graphene engineer and saying, here's how to put data on a USB and encrypt it and then bring it back to us. It's just a completely different mindset and approach. And I don't think the US could do it because it's not set up to operate in that way. It's just not.

A

Well, okay, let's step back a step. Do you think it would be worthwhile in the first place at all?

B

No.

A

So why wouldn't it work?

B

I don't know what there is to steal that would like. Is the US so desperate for high speed trains that they're going to get ahead?

A

It seems to me that the US economy is the way it is because of the world and not because of Chinese cyber espionage. Yeah. Now another thing that occurs to me is why not just let companies steal their own stuff?

B

So I think that's actually a more.

A

Useful approach because you sidestep all the stuff about giving out secrets. You sidestep the tasking, they can figure it out themselves. You sidestep the loss of capability because it's, well, they'll find some commercial person who's Willing to do this. There's lots of people who can do like non cooperative penetration testing and.

B

Surprise remote system administration.

A

That's right.

B

No, I think that's a good point. And I think that there's already a lot of dodgy business intelligence companies that do this already just sort of under a different, you know.

A

Well, I guess there's all the Indian hacker for hire companies.

B

Well, yeah. And you know who was hiring them was Western firms via lawyers. Right.

A

You know, in this case, I guess the argument here would be an America first argument. We should have American hackers doing this kind of work rather than why are we outsourcing.

B

Yeah, Fishing to India when phishing was invented. Over here, that is an American technology. We should bring that home.

A

I mean now, other than the fact that we think that that kind of stuff is illegal, it seems like, I.

B

Mean, what is illegal anyway? If you think about it really, I think that that's probably the way to go. But it would be very difficult to get the word out. So I don't think that the US can come out and say publicly if you commit like a CFAA violation against a foreign entity, that doesn't count.

A

Yeah, yeah. I mean lots of countries have signed up to, what is it, the Budapest convention, like an international cybercrime convention, basically. And it seems like a bad idea to be encouraging cybercrime globally because your population gets hurt. Right. So I guess that's an argument for more control than just carte blanche. There was that argument a while back. It was often abbreviated as hack back, which is that companies should be allowed.

B

To hack back and steal their data back.

A

Like it's just something like that, which.

B

I don't think it was developed beyond. I've been punched and I want to punch him back.

A

Right? Yeah.

B

Like it seemed like a very emotional thing. Like I don't like that I've been ripped off. I want to retaliate in some way. Like I need an eye for an eye, tooth for a tooth sort of approach. When that analogy just doesn't apply in cyber. Like if someone has copied your thing, if you copy it back, there's just three copies now.

A

And so I guess in this case, if it was narrowly scoped to intellectual property, the blind eye. If you steal intellectual property, well, you know, no harm here, I guess you seem to think that it may be beneficial for American industry. Question mark.

B

It at least has the potential to be beneficial, whereas I think if it's state led, it won't be. I think that the barriers and like all the stuff that has to be put in place. Like, it would take a lot of time, it would take a lot of ironing out, and there'd be so many iterations of political leadership that it's bound to get dropped before it finishes.

A

It also seems that this is, I call it a strategic target in the sense that if you steal even a very important secret tomorrow, it's not going to pay off for probably five years, just based on the timelines of industry. And there's many, many intelligence requirements that will pay off tomorrow or the next day, where lives literally can be on the line. So I'm kind of skeptical that it would get the prior that it needs as well, because it's always hard to prioritise something that pays off after you've retired or are out of office.

B

I mean, if you look at the places where that sort of intelligence work has taken place, like the Soviets had a line which used to do technical intelligence or economic intelligence, where they would steal things that were beneficial. And I think that the officers working on that had a sense of, we are the underdog, we're behind, we're better in every way, but we need to ramp up our technical capabilities by stealing from the enemy. So that is a thing that I'm willing to devote myself to. It was a career path that went somewhere, like you were contributing to the greater superiority of the motherland sort of thing. Whereas I think if you're a CIA officer and you're tasked with stealing the secret to the Pepsi formula, you're not going to feel like this is a sort of great use of your years of dedication and training and skills. Like, that might be the thing that you do in retirement, where you want to keep your finger in the game and you'll take commercial clients and that's what they want. But if your boss is saying, you know, let's go after some random company so that Lockheed Martin can shave a few percentage points of their bottom line.

A

Right? Yep.

B

Not only does it seem like it wouldn't be rewarding, it seems like it wouldn't be rewarded. Right.

A

I think this speaks to the separation between state and private industry. One of the quotes Baker has, he's quoting former CIA Director Robert Gates. One of our clandestine service officers overseas said to me, you know, I'm prepared to give my life for my country, but not for a company.

B

Exactly. Right. I mean, just like, there's that quote of, like, how do you ask someone to be the last person to die for a mistake, which was about the Vietnam War? It's, how do you Ask someone to be the first person to die for Coca Cola or Barbie or, you know, it just. It doesn't make sense.

A

I guess one of the reasons that the US has not done this kind of espionage in the past is that they think that there is a separation between state and industry. And so when you're benefiting a private.

B

Company, it's like, well, right, and I think this is a good point because one of the things that Baker is complaining about is that there are companies that are state backed. And that's actually a critical part of being able to have the state steal secrets. Like they know which company they're giving it to. It's their own company, it's vertically integrated. It makes sense. You're not going out and being like, okay, who do I bless out of all of the competitors in this field who should get this right? Because that just leads to corruption and all sorts of problems.

A

One of the interesting paragraphs in here, Baker talks about, he speculates that this dynamic that you're talking about, the relationship between industry and government workers, is ripe for corruption. And he speculates that that's perhaps why the pla, the People's Liberation army, used to be a really prolific intellectual property theft outfit. And then that all went away and it's since been shifted to the mss. Now his theory is that Xi Jinping took that role away from the PLA because he realized that it was right for corruption, because you develop those relationships. I'm not sure that I'd buy it, but I thought it was interesting.

B

I think it's a reasonable theory. I don't know if it's true.

A

Yeah. And don't you have the same problem if you then take it from the PLA to the mss, you've just sort of shifted the corruption around to a different place. And maybe the MSS is better.

B

Well, I mean, you've gone from one state security service to another state security service, and I don't know, it seems like much of a muchness, like six of one, half a dozen of the other. I don't think that you. It seems more likely to me at least, that he had a problem with the power that was accruing to these corrupt generals who were making a lot of money and a lot of connections and stuff. So this was a way of reducing their power and kicking the can down the road by then moving to an agency that didn't have that already in place. And then he'll figure out what to do once they start getting corrupt and rich.

A

When we had Alex Joske on who's written a book about the mss. He said the MSS that they select people for ideological purity. So that's, that's a very strong selection criteria. Whereas the pla. I remember hearing stories that there was.

B

A bribery culture and the ability to actually do their job as opposed to.

A

Well, no, it was that they would buy a job and then they would use the bribes they got to pay back the people who had lent them the money.

B

Okay, and so you'd sort of purchased your commission.

A

Yeah, yeah. The CIA was the funder for many people. And so, I mean, in that context, maybe this makes sense to shift that kind of work to the mss. I don't know.

B

Well, in that case, wasn't the CIA already involved in stealing secrets from commercial vendors? I mean, if they were funding the PLA and the PLA was then stealing the secrets, sure. Maybe they've got more experience in this than we thought. Speaking of theories that may or may not be true, I'm not sure I buy all of the assertions that he makes. For example, where he suggests that the five eyes are the only people who don't steal from each other. And that's not even true because the British have a clause, the economic security of the state is within the remit of the security forces. And to me, that doesn't read like they're allowed to steal secrets to help their own industry. It reads like protecting strategic industries and stuff.

A

Okay, yeah. So the actual part there is he says no country other than the US has sworn off commercial espionage. So I think somewhere in the piece he talks about an Obama.

B

The listeners who don't have the video, this is the sound of me rolling my eyes so hard.

A

Not even American allies France and Israel are routinely accused of spying for their companies. Even the British have adopted a law expressly treating the economic well being of the UK as a legitimate objective for intelligence operations. So Australia also has a similar thing where one of the roles of ASD is similar words, economic well being. And the way I kind of thought about that is that there's a spectrum. Whereas if, if you're spying against another, and we've talked about this somewhere, if you're spying against another country in trade negotiation, that's kind of fine, that's kosher, even though that ultimately benefits your companies.

B

Right. This is a thing I know we've talked about because I find that this sort of distinction is very, very self serving with the US is like we don't do economic espionage outside of spying for trade agreements. It's very much, you know, except for the areas where it benefits us and it doesn't benefit anyone else.

A

We don't do it aside from trade agreements where we want to get our copyright laws imposed on those trade agreements. So that benefits Disney and media conglomerates and Hollywood.

B

But we're not out there stealing, you know, the Indonesian Mickey Mouse, if you will. Like that's.

A

Yeah, yeah. So you were taking. Not offense, but you were objecting to some of that framing.

B

Yeah. So I think that. I'm not sure that that's fair because, yeah, he brings up France and Israel, but what about the Dutch, the Germans, you know, the Spanish, the Italians? Like, I just, I don't think that it's fair to paint that broader brush. I think there are many countries who do not engage in economic espionage. One, because it's actually quite hard to do, as he notes, and we've highlighted. But two, because it's just like they don't think that that's a good way to spend their espionage resources.

A

I guess that goes to a couple of things we've spoken about. Many countries have this idea that state and private industry or private enterprise are different and also that of priorities, like there's important stuff, the important secrets that we want to know, and your commercial stuff is not that important to us as a government.

B

Yeah. So I'd also say that I think if you're looking at policies that will help strategically to maintain dominance or to not lose ground, stealing secrets is probably the least effective way of pursuing that.

A

Commercial secrets.

B

Right, sorry. Stealing commercial secrets is the least effective way of doing that. Whereas not allowing Nortel or Lucent to go under so that you no longer have a telco equipment manufacturer. It strikes me that letting the free market determine which of your strategic industries survives is a bad idea. When you need those strategic industries, you probably want to step in and cheat a little bit and be like, okay, well, tell you what, Nortel, we're going to buy 50,000 routers to put in a warehouse, or we're going to invest $10 million in cash and tax credits for R and D so that you make it through this quarter and then we figure out what to do afterwards. I think that that sort of thing makes a lot more sense and would be better overall, like identifying the industries that are strategic and are important and then investing in them, as the Chinese have done. They're not just stealing, they're also fun.

A

Okay, I guess to paraphrase your argument is stealing secrets is not going to help if your companies go broke and I guess because of the time frame, stealing a secret is not going to turn around going broke necessarily overnight. Right. So I guess your argument is just, well, fix the problem with your industry with plain old industrial policy rather than trying to steal things to try and fix it. I mean, it's probably not an either or situation.

B

Yeah. I think that if you're going to be spending policy, sweat on, like, if you're going to spend political capital getting something done, you're better off doing it on something that's going to be high reward. If they both have the same amount of effort, the one that's going to generate a better reward should be the one that you do. And I think that preserving strategic industries via just industrial and economic policy is a better idea than trying to set up a way of stealing secrets that you could feed to industry at some point in the future that they could maybe exploit at some time in the future.

A

Yeah. So despite there being many, many factors, you still think it is a more attractive idea to let companies just try and find their own way into stealing commercial. Why is that? Is it because they just know what they want?

B

Yeah. No, like it seems to me that if, if you're the number two in an industry, you probably know what you can steal from number one to make you more competitive. Right. But if you're just looking at the number one and the number two and you're trying to figure out what you should steal from the number one to give to the the second.

A

Like, I guess your argument is then that the reason you wouldn't get a state agency to do it is because firstly, they don't care. There's this cultural issue of dismissing commercial interests. There's other priorities to get done. And plus you'd need some process to extract that from the company. And because it would be secret, it would be difficult to both extract it from the company, like what you need, and it would also be difficult to give it back.

B

Right. And then you'd have to iterate on that process, which means that the difficulty doesn't go away. It just keeps happening again and again.

A

And again and all those difficulties go away.

B

If you just say, have at it.

A

Yep.

B

But so I think the other thing is that if you say to a company, we're going to invest a lot of money in doing a difficult thing and you get the proceeds for free, they'll say, oh, yeah, great, sure. Well, in that case, here's a huge list of stuff that we would like to have. Right. Whereas if they have to pay for it, they're going to be like, okay, well, let's actually prioritize and figure out.

A

What makes sure it's. Yeah, yeah, it's justified on a return on investment basis.

B

And I think it makes sense to let the companies figure that out on their own. Let them decide where to invest, how it's going to benefit them.

A

So there we go. There's the answer, Stuart. States shouldn't do it, but every bloody company should.

B

Thanks a lot, Tom.

A

Thanks, Crock.