A (4:55)

Right? Yeah, yeah. So Itel's got some. A nice graph chart down at the bottom where it's got different axes, you know, persistence, sourcing and networking. And so you get this kind of triangle features inside. And the bigger the triangle, the kind of better an agency is. And that seemed to me to be a good way of comparing the technical capabilities of agencies, if you could get accurate measurements on whatever dimensions you chose. But it doesn't necessarily tell you how well they're applied or what they achieve for the state themselves.

B (5:38)

Right. I think that those are in descending order of importance, like, what does it achieve for the state? How well can you apply the capabilities that you have and then how good are the capabilities that you have? Right. And so a measure of like, capability, that's a useful thing, but it's very, very low down on the ladder in terms of understanding how powerful cyber has made the state or how powerful cyber is. For the state.

A (6:09)

So I'm thinking of a sporting analogy where you can have very, very highly skilled teams that are just in certain sports. Size and speed really matters. So being technically skilled allows you to get beaten to a pulp less badly.

B (6:25)

Right. So you could be an amazingly skilled rugby player, but unless you're 6 foot 6 and 250 kilos of solid muscle, it's not really going to do you very much good when the All Blacks come running. You know, like there's just.

A (6:44)

Yeah, yeah. So I think that to me is like an analogy that kind of works. The technical is part of the answer, but it's not the whole answer. So we had a podcast a while ago where we talked about whether cyber power could be strategic and in the sense that could influence the fate of nations. So that was BTN117 actually earlier this. That's right. Our conclusion at that time was that, yes, it can, but it's not the same sort of power as, like military power and that it tends to be incremental and occur over a long period of time. And I guess one example we spoke about a bit was the Chinese theft of intellectual property. And over a long time, decades, I think that that's had quite a significant effect on the Chinese economy and its manufacturing prowess.

B (7:39)

Right. But I. I think it would. It would also be a mistake to chalk everything up to only that. Right. Like, it's not just that they stole things, it's that they sort of operationalized what they stole and then built on it, that they were able to use it and make it work for their national power base. Like the things that they wanted to do as a state, it helped them. The US could steal far more intellectual property than China could, just in terms of volume. Right. And they could probably do it without getting caught, but so what? Like, it. Like it wouldn't help them. Like, it's just. It's not a useful thing for them to do. And even if it was a useful thing for them to do, I think we've discussed this, that they would have a lot of difficulty actually integrating it into their economy in a way. Like, they wouldn't be able to convert what they've stolen into state power directly. Whereas I think obviously China has. So they've. In a way, you could say that they've integrated cyber better into their state power matrix.

A (8:45)

Yeah. So that was BTN120. Should u. S. Spies steal Chinese commercial secrets? What I was going to say, this is.

B (8:55)

This is. This is our recap episode.

A (8:58)

What I was going to say is that the stealing of intellectual property was just one part of a broader strategy. So they had a lot of different things that were aligned. Trade policy, industrial policy.

B (9:13)

Internal economic policy, where they. I saw a discussion with a China expert who was speaking about how does China succeed so well, how do they produce these giant companies? And part of the thing is that they're very willing to accept a lot of corruption and privacy problems at the early stage. So if you show up and you say, I want to be an electronic vehicle manufacturer, they will fund you, even if it's like you're the nephew of the mayor and your big plan is to, you know, take out a million dollars and then put a sign up of your garage saying, you know, EV research department and do nothing but spend the money. Like they'll accept that because there'll be enough people who really do it that you'll end up with an ecosystem where they have to compete against each other in this sort of very vicious race to the bottom on prices, but also race to the top on quality. And what you have left is sort of like these gladiator companies that have defeated all of their rivals. And then not only that, because all of their rivals have lost out. After investing in factories, after investing in infrastructure, these winner companies can then gobble up that infrastructure and make themselves even bigger. It's a lot like actually how Silicon Valley approaches things where you fund a lot of startups and some of them win and a lot of them don't. And that's sort of the approach that China has, but at a state level to things that it cares about.

A (10:41)

Right? Yeah, yeah. So I think what's interesting there is that they're bringing all those different mechanisms or tools together in a single purpose. And for me, it seems like the US has not really done that using cyber, except for intelligence gathering. And so it makes it very hard to say the US has won in the cyber domain because it collected the most, it did the best collection intelligence.

B (11:13)

It got caught the fewest number of times per gigabyte of data stolen.

A (11:21)

And I think collecting intelligence is very important. It makes a difference. It makes a difference to the decisions that you make. But it's very hard to see how it's made a difference after 20 years. And so, yeah, when it comes to measuring the success of cyberpower, I'd have to put China ahead of the US with the caveat that I've got no idea.

B (11:47)

Right. I mean, we don't know about the successes that have never been publicized. But, you know, I think I'd go A little bit further than that as well, actually, that we could measure. Like, how powerful has cyber been? Not just is this a cyber power, but how powerful has cyber been for this state? And I think China is going to far and away the leader, but I think a close second is going to be Russia. If you include the information domain, which I do, I would say that that's part of it. I'd say that they have achieved their state goals far more frequently with the use of cyber than any other state that I'm aware of. And I would then say North Korea, with Lazarus, again, is an exceptional cyberpower, even though they're financially motivated and they're only stealing crypto. Right, right. That's what they want to do.

A (12:50)

Yeah, yeah. So what is interesting to me about that list is that the more what the weaker a country is in terms of traditional, I guess I call them instruments of power. So there's that definition where you break down the state instruments of power to diplomatic, informational, military, and economic. And over the last 30 years, you'd have to say that for the vast majority of the time, most of the time, the US Would be ahead on most of those.

B (13:20)

Right. That's probably why they like that metric.

A (13:24)

Yeah. But the weaker a state is, the more that it's relied on cyber. So it's like North Korea probably. Probably you'd rank them the bottom on that. Those for the diametric.

B (13:37)

Yeah. Not a huge power in any of those other metrics, but yeah.

A (13:41)

And so it's relied on cyber the most. It. And. And because it's an asymmetric. And then it's kind of in reverse order. So Russia next, because, yeah, they're pretty.

B (13:55)

Good, but they're a middling power on all of the other levels.

A (14:00)

Yeah. And I also, like you say that they've been very successful. They've been successful kind of narrowly, but it hasn't really helped their economy or their military in Ukraine.

B (14:12)

I think they haven't been able to take advantage of the success. Right. Maybe, like. So I think they've achieved their goals in terms of what the operations were supposed to do, generally speaking, but then I don't know that they've been able to capitalize on that. China, on the other hand, is obviously very tightly integrated, and they've managed, at least most of the time to capitalize on their successes. So I think that in terms of the number of operations that they've done that have been successful, it might be a comparable number, but China has exploited a far greater percentage of those operations than Russia. Has. So Russia has done things that have worked and then sort of fumbled it. Right.

A (14:55)

And so when you say things that have worked, you mean like interfering with the presidential election, sowing discord in the.

B (15:04)

Sort of poisoning the. Well in terms of political discourse, which they played some role in in the us Obviously not the only role, but they. They were certainly successful in their goal was to make greater animosity and more fractures. And that happened, and they were trying to achieve that. Now, whether that would have happened without them is possible, maybe even probable, but we don't know because we can't run it a second time. Like, we can't redo those years. So I'm going to chalk that up to. As a success. But they haven't really benefited from that massively. Like they haven't been able to exploit that. On the other hand, I think that they. They played a big role in getting Brexit to happen, which wasn't with cyber. It was a lot more with money. Like they invested into the. The leave campaigns. And I think that that was successful for them. They got what they wanted, but I'm not sure that they were able to exploit that either.

A (16:08)

Yeah, it feels like they've been successful at being a spoiler for other people, but they haven't. Like they've stopped other people scoring goals or. But. But haven't actually scored goals of their own.

B (16:21)

Yeah, I'm sort of. I'm getting this feeling like that it's a little bit like they're biting off more than they can chew. Like they can actually do the bite. Like they can. They can certainly do this big grand vision thing that they have, like the first parts of it, but then once they've done that, it sort of falls apart because they're not powerful enough to actually exploit these sort of conditions that they create.

A (16:50)

Yeah. So I'm not convinced how much difference they've actually made in terms of, I.

B (16:56)

Think, advancing the state.

A (16:58)

Yeah, I think they're advancing what is going on. Well, they're pushing in the same direction as what is going on anyway, so it's like they're pushing on an open door. How much difference does that make? I'm not sure, but I agree that they're pushing in the same direction as things have turned out. So they haven't hurt it, certainly.

B (17:20)

Yeah. Like I. In my view, they've been more successful in some regions than in others in terms of information operations. They've been pushing in the US at least on this. You know, we need to stop helping Ukraine. This is defeat, is Inevitable and all of that. That's been very successful. It hasn't immediately, like, it has stopped help for Ukraine a few terms and it's.

A (17:44)

It's become part of the debate.

B (17:46)

Absolutely.

A (17:47)

The narratives that they push.

B (17:48)

Yes. So that's been very successful and I think it's worked for them, and I think it's generally working for them. But I think that the problem is that the invasion of Ukraine has created conditions that are so unfavorable to Russia that information narratives are not sufficient to change the field in any way. You can convince the US not to help Ukraine with money or whatever, but Europe being so close to the actual conflict, has existential fears that are coming up, which you can't argue away as you can with someone who's a continent and an ocean away. It's much more visually present for them, so they are unlikely to be swayed by narratives, whereas someone much further away is more open to be swayed by narratives. I don't think that the information stuff can work for them in the conditions that they've created. Like, they've actually, they've used their military to work against their cyber. And I think the military is stronger in this case. Right.

A (19:06)

So I guess this is coming up to the. The. What are the limits of cyberpower? And so to me, the very question, how do we measure cyberpower? In some dimensions, the US Is probably the best. Like, technically, they probably have the best techniques or whatever.

B (19:26)

The number of people working on it or the amount of money invested, or the square footage of parking lots devoted for people who are employed exclusively in cyber. You know, any. Like, there's a large, There's a large number of metrics you could come up with that the US is far and away the winner. I don't think one of those metrics is how far has cyber advanced the interests of the state. I think that that's an area where whatever it's doing for them, it's not public and it's in the realms of informing decisions rather than affecting the world, you know, shaping the environment.

A (20:10)

Yeah, yeah. So this is a dilemma, I guess. The more powerful the state, the less useful cyber is. Is that. Is that what we're saying?

B (20:20)

I think that might be the paradox in a way. Like, the more you can invest in cyber, the less you need it, maybe. Or like, the less it can do for you.

A (20:32)

I guess the less of a game changer it is maybe. Like, because know, if the US had the will, it could change the game with military power, it could do anything.

B (20:42)

It. Well, it could do it with just leaning economic pressure on people. Like, it could use any of the instruments of national power from, from dime, the diplomatic, informational, military, economic, any of those. It's so like, it's so overpowered that cyber sort of doesn't, doesn't even enter into it as, as a thing that they need to consider.

A (21:07)

Yeah. So at this point, it seems that China is becoming more of a peer adversary, is close to if, if, if it's not already.

B (21:18)

Right.

A (21:18)

And so that would imply that cyber becomes less and less useful for the prc because it's got other.

B (21:27)

Believe that. Yeah.

A (21:28)

Because it's got other tools that would be more effective.

B (21:33)

And also I think that the way that they've been using the information they've stolen, all that IP has been to bootstrap their own economy and their own industries. But then they're not resting on their laurels and just saying, well, any advances that happen, we'll just steal those as well. They are investing now. Like, I think Huawei has a $30 billion R&D budget or something insane like that. I think if there's a Bell Labs producing the new technology of the future, it's more likely to be in China than in the US These days. There's more money flowing into things and there's probably more intellectual freedom to work on long shots that are aligned with goals, even if there's less political freedom to disagree with what those goals are or whatever. But you certainly, you have the space to work within the system and go very, very far because it supports you so much. And I think that maybe that's what counts. Right. Like maybe if you want to be a powerful state, maybe you don't actually need political freedoms, you just need to be able to integrate all those tools and use them. All of which is to say that because China has sort of bootstrapped itself so far with so much already, I think that there's diminishing returns to keep stealing more information. I think that the lead that the US has is getting shorter and shorter and I think China is probably advancing perhaps beyond them in some areas. So it's less useful now to have cyber to augment yourself because there's just less that it can do for you.

A (23:15)

I guess there's. In the last couple of years, there's been the Salt Typhoon Group, which is focused on compromising US and other telecommunications.

B (23:26)

If you look at it, they're switching more towards an NSA style operation like intelligence gathering. Right. But they're turning away from economic focus to a more political intelligence focus.

A (23:42)

Yeah, it's always hard to tell if it's a shift when it's public reporting. Like it's hard to get right, right picture of the whole landscape. But yeah, that's where I was going with that as well by mentioning Saltai. That would be consistent with our hypothesis.

B (23:57)

Yeah. And although, although, just, just to push back on what I've, I've just said and what we both agree, Dan, is, is Salt Typhoon happening now because they're more interested in doing intelligence collection or because they now have the capability to do that? I would argue that they had the capability before, right? Like it's hacking telcos is not like it's not flying to Mars. So I don't think that they've suddenly leveled up to the point that now they can do telco hacking. You know, they've been doing telco hacking for a long time. I think they've leveled up to the point where telco hacking is something that's more useful than, I don't know, like Boston Robotics hacking.

A (24:44)

So in, in this big picture world where China and the US are close to peers, our prediction is that cyber becomes less and less relevant because they've got other options that are, that are more useful. And so in the future we'll see Russia still being a spoiler, causing countries to kick own goals despite never kicking a goal itself. North Korea I guess will continue to be a cyber power until they launch.

B (25:13)

Their own blockchain, at which point.

A (25:18)

And I guess in a way they're also experimenting with different forms of money raising. I suppose, I guess they too are bumping up against the limits of cyber power because they're just, there's only so.

B (25:31)

Much people can steal.

A (25:34)

Getting people to apply for jobs not particularly cybery.

B (25:39)

It's, it's probably not, it's probably not as lucrative as draining an exchange of their, you know, cash reserves. There's like, we haven't mentioned Iran, right. And so Iran has some cyber capabilities. But then I wonder how useful for Iran can those capabilities be given how weak they are in the other dimensions, but also how limited cyber is for what they're trying to achieve. Right. Like can, can cyber stop other countries from invading or attacking them? No. Like, can cyber get them nuclear capabilities? No. Like, can cyber jumpstart their economy? Like, no, because they're sanctioned to hell. Given out a thing of like, you know, the more, the more powerful you are, the less useful cyber is. I think there might also be a bottom floor of, you know, if you are below this level of economic integration into the global economy, cyber can't help you either.

A (26:47)

I actually think of it as the other way around where Iran is actually a lot bigger and more integrated than North Korea. And so it's got options in terms of selling oil.

B (26:57)

Right.

A (26:58)

Maybe they're not great options, but they're better than.

B (27:02)

Yeah, North Korea's. Yeah, whatever they have.

A (27:06)

Yeah, yeah. Like North Korea steals billions, which is significant for North Korea. I think if Iran stole billions, it would be not that significant because it's a bigger country.

B (27:15)

Cover two days of government spending or something or whatever it is, but it's, it wouldn't be a double digit part of their gdp.

A (27:26)

Yeah, yeah. It's not a game changer. And I guess it's the, I mean, I suppose it's the same dynamic as for the US where cyber is not a game changer.

B (27:35)

Maybe it's Iran's aspirations don't align with cyber's strong points. Points. I mean, similarly, I think you could say that the Netherlands has been very successful when they've applied themselves to cyber. Like they punch way above their weight in terms of skills and capability. But they're the Netherlands. Right. Like just how, how much advantage could they get given that contextually they can't, they can't steal everything and then pour it all into their industrial base and build up as an industrial power. Right. That they, they can't steal billions of crypto and have it massively boost their budgets. You know, they, they can't influence, let's say British political narratives and have it somehow help them in a way. Are the things that cyber has been proven good at useful for, like France or Germany or the Netherlands? Like, are those, are those dimensions where cyberpower helps for these states? I think that's, I think that's probably where the US lands as well in that it's, there's a lot of diminishing returns, but also there's not a lot of space to take advantage of those power dynamics.

A (28:52)

I was just thinking about the amount of money that states tend to spend on intelligence collection and it's like significant, but in terms of an overall national budget, it's like a drop in the bucket. And compared to defense, like it's a fraction of the defense budget and cyber.

B (29:10)

Is a fraction of the intelligence budget. So you're.

A (29:13)

Yep, yep. And I think that puts it in perspective and we're. Yeah, cyber people always wanting it to be the thing that'll change the planet.

B (29:24)

Clearly all of these states are just very misguided. There's. If, if they were to invest as much in cyber as they invest in the military. Yes. You know, cyber people think that cyber is special, that cyber has this outsized role to play and I agree with that. But I, I think in terms of, like, proportion overall, yeah, it's very small. Like, I think it can do more than it's actually doing. Like, I think there's, there's room, there's room to improve how you use cyber and how you can exploit it and so on, but I don't think that that's sort of like, oh, if you had a, like, if you had 10 nuclear attack submarines, that's a huge deal, right? Like having, having a bigger cyber force. I don't think that's a huge deal. I don't, I don't think it changes the dynamics as much as having, you.

A (30:18)

Know, an aircraft carrier, which is so it's. The cyber is really the underutilized 0.01% of the national budget just going there to waste. Thanks, Crush.

B (30:37)

Thanks, Tom.