
Patrick Gray
And welcome to this special edition of the Seriously Risky Business podcast. My name's Patrick Gray. Now, normally in Seriously Risky Business, you'll hear Tom Uren and I talking about his newsletter. His newsletter, of course, is the Seriously Risky Business newsletter that you can find at Risky Biz. But this week, we're doing something a little different. A couple of weeks ago, during RSA week, I recorded this interview live from in front of an audience from an event being held by Decibel, which is the VC firm that we partner with here at Risky Business Media. And, yeah, we brought together a couple of fantastic guests to have, really, a conversation about offensive cyber and what's happening with US Government intelligence agencies in the age of the Trump White House. So we have with us Rob Joyce, who most recently was the Cybersecurity Director at NSA, but prior to that, he'd run Tailored Access Operations there. He even served in the first Trump administration as the President's advisor on cyber working in the White House. Terr-, you know, terrifically knowledgeable guy. And our other guest for this recording is Andy Boyd. And Andy ran the Center for Cyber Intelligence at CIA. He's out of there now. So they're both formers, but, you know, who better to talk to about all of these topics because, you know, now that they're not in the government anymore, in government jobs anymore, they have a bit more freedom to talk about all of this stuff. So the topics we cover is everything from Volt Typhoon and how the US should respond. You know, where AI fits into the intelligence world and where all of that's going. But I'm going to drop you in here to the conversation where we talk about staffing levels. Oh, before I do, we want to say a big thanks to this week's Seriously Risky Business sponsor, which is Corelight. Corelight make a terrific network security sensor. And yeah, they have the industry standard, terrific technology.
But, yeah, I'll drop you in here, where I started off by talking to Andy and Rob, really about how all of these changes in Washington are affecting things like staffing levels at agencies like NSA and CIA. Enjoy.
Rob Joyce
The thing I'd point out is there is so many big visible moves throughout the government, whether it is Elon with the chainsaw parading around talking about the government cuts down to the removal of the director, NSA and the deputy director of NSA. There are very real things happening now. The good news is it doesn't progress that much farther down into NSA, but sister agency CISA, the best word I can use is eviscerated. Very, very talented people. Big programs cut in major ways, and then people inside the government who are not in those places being forced to vacate, they're looking around and saying, well, maybe I better look and figure out my options before it does happen to me. So I still mentor and talk to a bunch of people, and I'm telling them, the nation needs you, and so keep your head down, do the important work of the government, do your job, and get through this. And hopefully we have a lot of people stay with that. But I know just from friends and colleagues that are announcing their departures, we're losing good, talented people. And that just hurts me kind of in the core of my being.
Patrick Gray
Well, there are a lot of people eyeing the exits. I mean, something I heard recently is, of course, when you want to depart an organization like NSA and you want a resume that you can publish, quite often that will need to be reviewed. And there is a backlog currently for that review process for two reasons. First of all, due to the people who do that work actually no longer being there. And second of all, the number of people who are updating their LinkedIn, basically. Andy, I want to get your perspective on this as well. You know, we've just heard from Rob that the real cuts seem to be at CISA and the intelligence community. It's more a case of maybe some changes around leadership and that causing people to spontaneously kind of eye the exits. Does that vibe with your understanding of what's happening as well?
Andy Boyd
That vibes my understanding of the other agencies. My own, my former agency, CIA, hasn't had any forced departures at the leadership level, but we do have a voluntary early retirement program. And the windows for that open up periodically. And there's going to be another window that opens up this summer. And I know of at least half a dozen senior leaders that I put into place when I was running the Center for Cyber Intelligence. And they're looking to leave to take that voluntary early retirement, because otherwise they'd have to wait several years to get to that place in retirement. And they're really quality people. They're the kind of people that would frankly be qualified to take my former job as director for the Center for Cyber Intelligence in a couple of years. And like Rob, it's very disappointing that that's happening. That being said, John Ratcliffe, the Director of CIA, made it very clear in his testimony, his confirmation testimony in the Senate, that he was, as director, you know, if he was confirmed, he was going to double down on cyber operations. And in general, that is the atmosphere in CIA that people are going to be taking cyber operations quite seriously, that it's an enterprise function across the intel community. What I would caution leaders is you can't start eating your seed corn. These senior leaders that are going to be running entire enterprise apparatus, if that is your actual operational goal.
Patrick Gray
Yeah. And herein lies a bit of a contradiction. Right. Because what we saw in the Trump term one was a president and a White House that was much more comfortable exercising state power through cyber means than the administrations that came before it or the one that came after it. So we've got this situation where the White House is sort of performing actions where they want to, you know, get rid of people, clear the decks. I mean, there's this new sort of DOGE for the intelligence community thing being spun up by Tulsi Gabbard. You know, all in all, it's looking like not as comfortable a workplace as it was, but at the same time, they're going to start asking these agencies to do more. Rob, let's bring you in on that. You know, is it the case that that reputation of Trump being sort of, you know, pro offense, you know, and letting people do fun stuff, is that a reputation that you think is accurate?
Rob Joyce
I do believe there's the intent. Right. As you talk to both the people who have moved into positions already and those who are nominated, there's a common theme of, you know, we have not done enough offensively and there's a desire to enable offensive cyber operations in this administration. It's a clear talking point.
Patrick Gray
I guess we did see what was that. There was that DoD policy, I can't remember the acronym. You'll tell me.
Rob Joyce
NSPM 13.
Andy Boyd
NSPM 13 and then NSPM 21 and all the related ones.
Patrick Gray
Yeah. So for those who are unfamiliar, during Trump's first term, he made changes to, I guess, would you call that the rules of engagement for cyber or the boundaries around what's doable?
Rob Joyce
It was streamlining. You know, before that change, there was a lot of interagency bureaucracy surrounding offensive cyber operations. And, you know, the kind of the feeling was everybody got a veto and so very few things made it all the way up the stack and got out with a yes. And NSPM 13 gave a little bit more mission type orders, meaning you talk about what the end goals were. You define some left and right boundaries that gets pre-coordinated and then the Title 10 actors in CYBERCOM would then be able to do a campaign based around that approval and it was better. It still is not weapons free that I think some would want, and that's what I would expect some of the discussion going on right now is: how do we unencumber and give more commander's intent to the execution arms and then let them, within a certain predefined set of boundaries, be much more agile?
Andy Boyd
I think from a grand strategy perspective, the new administration has been pretty clear what their national security goals are. A significant focus on China, a pivoting of some resources to countering the cartels and the fentanyl drug problem, especially on the southern border. That is an intelligence problem as much as it is a law enforcement problem. Continuing our negotiations with the Iranians, but also having various levers of power to use. What I would say is sometimes there's a translation problem between that grand strategy and how to operationalize intent. And what I do think, and a lot of folks, I think, you know, folks like Rob and I who are retired but still in the community in certain ways, we'll be spending, and frankly, in conversations here at RSA, is sort of explaining how those tools work and what is within the realm of the possible in cyber operations and what is not within the realm of the possible. Cyber operations are not a panacea for a lack of a concrete national security policy. You have to actually apply them like you'd apply any other tool of national power. And I do think the administration hasn't quite decided how they're going to operationalize offensive cyber beyond information collection and intelligence collection.
Patrick Gray
Yeah. I mean, that said, what I find really interesting about the times when Trump is in the White House is it drives home this sort of new way of understanding cyber, which is where it connects to politics and where it connects to state power. Okay. Because you've got the cautious approach and, you know, indeed, before those changes, but before, you know, to NSPM 13, you know, you would have a situation where the State Department would say, no, no, no, no, we're not going to do this. Because, you know, it was very much like, you know, how do we maintain the status quo? How do we balance things? Right. Whereas you come in with a more aggressive political mindset and it sort of changes the, you know, what you're actually trying to achieve, to your point, Andy. Right. And what, what can realistically be expected to be achieved by. But that can also change, Right. So to what degree do you think that the politics here could actually change the reality of what's possible? Because I feel like there's probably a bit more wiggle room there than people quite realise. You know, just look at what North Korea gets up to, for example. Right? That's that's state cyberpower being used to steal vast amounts of cryptocurrency. Now, I'm not expecting that the United States government is going to start behaving by like, like North Korea, but indeed, you look at China, you look at Russia, you look at the sorts of things that they do, and you look at how constrained the United States is by comparison. Surely there is, you know, the spectrum of what's possible here is pretty wide.
Andy Boyd
So I'll list a bunch of things that we certainly will not do. You talk about stealing cryptocurrency to fund WMD programs in North Korea. Yes, we're not going to do that. We're not going to do disinformation operations or hacking in political parties to steal information to inform whatever it is that the Russians tend to do. We're also not going to be stealing intellectual property across every imaginable corner of the defense industrial base like the Chinese do. But what we will do is, I think, again, this is, you know, my educated guess, is take our tools, operationalize them, and no offense to my State Department friends, but put them under the command of the geographic commander, be it INDOPACOM, be it, be it the NATO commander, European Command, or CENTCOM, for whatever the mission may be, and then the execution of that will be by Cyber Command. But again, it'll be considered an operation short of war, but under the command of a military element where the State Department is aware of it. But to your point, Pat, probably won't have a veto.
Patrick Gray
I mean, I'm going to actually push back on you a little bit there. You say you won't steal cryptocurrency to fund WMDs. Would you steal cryptocurrency from cartels to inconvenience their operations? Is that something that could happen? You say you won't steal. Exactly. You say you won't steal intellectual property from the defence industrial base. I would hazard a guess that some of Rob's former colleagues are crawling all over the networks at this very moment of Chinese defense contractors looking for ideas that American R and D teams might have missed. So, you know, we often talk about certain things having Chinese characteristics. Right. That's the euphemism. I mean, it's almost like we could have, you know, similar sorts of operations but with American characteristics. And, you know, what I've just described there is not, you know, really at a conceptual level, outrageous. So is this what we can expect in the future? Maybe we get Rob to chime in on this one.
Rob Joyce
Yeah. I do think that the measuring stick will change. Right. But there are still core American values, and I think that's what Andy was going to, you know. Yes, there is an intent to gather intelligence about the military capabilities of China, Russia, and others. The difference is that those ideas for understanding their capabilities fuel things like the defensive capabilities we're going to build. It doesn't go into the intellectual theft and the productization of new profit centers for companies operating out of the US. There is just that subtle difference. But I do think you're right, Pat, that the rules change and things become freer and you get to be more creative in that operational space. I think that's going to be encouraged.
Andy Boyd
On the cryptocurrency front. Yeah. I mean, there's a whole variety of things, but I wouldn't use the word stealing because that would mean we were trying to profit off of whatever the cryptocurrency. Bitcoin.
Patrick Gray
I know that you would much prefer, because Americans love euphemisms, right? You would love to use a word like appropriating.
Andy Boyd
I think it would just be. I think the appropriate word would be disrupting the cartel's ability to make money, which is, at the end of the day, as a criminal enterprise, what they do. And if we disrupt that, wherever that cryptocurrency goes, and it's not going to go to the US Treasury, is a disruption of that operation.
Rob Joyce
I'd like to see this strategic bitcoin reserve enhanced. Right. And you may see that.
Patrick Gray
Yeah, well, I mean, this is the thing, right? Like, cryptocurrency is used by transnational criminal organizations. I'd hazard a guess that if you added it all up, there's probably a fair bit of bitcoin in that cartel ecosystem.
Rob Joyce
You know, I joke about that, but it happens today. You know, U.S. law enforcement seizes property all the time from criminal activities. What they don't usually do is reach out into other sovereign nations to grab those assets. But in the digital world, when you're talking cryptocurrency and things, that could be an operationally viable idea. We do sanction and seize bank accounts. We freeze bank accounts. So I think in the crypto world, I would very much imagine those kind of things would be, at the very least, talked about in the operational discussions.
Patrick Gray
I mean, the thing that I'm finding hilarious here is there's probably some people at Cyber Command who are reading all of the incident response reports based off what North Korean actors have done, trying to pick up some tricks for how to do this sort of thing. I guess I got a question on the cartel stuff. Right. Which is, you know, this is a, I guess there are some similarities between the cartel networks of people and the technology that allows them to communicate and conduct their, their businesses. There is a little bit of a difference between, a little bit of a similarity, I'm sorry, between the, the cartels and terrorist organizations in that they're not states. Right. They often will have people whose job it is to try to protect them, to try to, you know, stand up something resembling, you know, operational security procedures and ways of doing things. But it doesn't seem to hold up very well. Right. Like, we can, we can say that by looking at how various, you know, terrorism networks were sort of intercepted. You know, there was, there was a lot, very easy collection on them and, you know, a lot of disruption operations as well. I'd imagine that for people inside your former agencies, I hope this doesn't come out sounding wrong, but I'm guessing that this sort of gig would be fun. Right. Like, if you're tasked with going after the cartels, it's like fish in a barrel kind of thing. Would you, would you, you know, would you agree with that? Andy, we'll start with you.
Andy Boyd
I wouldn't consider it fish in a barrel. And I don't know if I'd say they're excited. I mean, you know, this is the way the intelligence community works. The, the president and his administration set the policy and the priorities. It was made clear on January 20 that fighting the cartels would be a priority for law enforcement. And then, ipso facto, the intelligence community had to get in line and support that. And so my former colleagues are supporting that enthusiastically because that is their mission. I would say, at least in communications and certain behavior patterns and how one, and I use this word loosely, we don't have lethal authorities on the cartels, it's a law enforcement issue, but hunting these folks is not dissimilar from the counterterrorism fight. The only major issue, and again, this is where the intel community plays a supporting role and law enforcement is in the lead: a major portion of infrastructure that's associated with the cartels is actually in the United States. And that was very, very different from the fight against Al Qaeda or ISIS or any of the other designated terrorist organizations. Now, the cartels have been designated in certain ways as terrorist organizations, which changes a whole array of things on how we can apply our tools of national security against them, which is a good thing. But I think it's going to at least be in the beginning. It's going to be akin to the beginning of the CT war, post-9/11. And a lot of the same tools will be applied. It will not be fish in a barrel. These guys know what they're doing and they have huge business enterprises and they're sub state actors. They're not, you're right to point out that they're state actors, but they're something more than just a criminal enterprise. I mean, they are substate actors that control entire states in Mexico. And again, that's not unlike the Taliban, ISIS and Al Qaeda at their peak.
Patrick Gray
I'm thinking back to the Snowden leaks of. When was that? 2013. And some of the most interesting stuff that came out. I mean, obviously I, you know, have issues with the way that Ed Snowden framed a lot of the material that he leaked, because I don't think he really truly understood most of it, if I'm honest. But there was a very interesting material in there that showed that DEA actually had a much more developed SIGINT capability and sort of authorities around that stuff than people expected. You know, how much are we expecting the intelligence around these groups to be enhanced by bringing in, say, NSA into the mix? This is probably a good question for you, Rob. I mean, wasn't it the case that, you know, the United States government, through the DEA already had good collection on these organizations? Like, what else are they going to learn?
Rob Joyce
Yeah, I'm going to leave that to Andy.
Andy Boyd
That's great. I love it when Rob lets me comment on NSA. I mean, I'll go back to the comment I made before. I mean, the national intelligence collection agencies, be it CIA, NSA, NGA and other supporting organizations. I mean, if the President of the United States asks us to pivot and reprioritize and have the cartels, the fentanyl smugglers become one of those, those priorities, we are going to pivot resources, whether it's human resources, SIGINT resources, broader cyber collection. And that's just the way it works. And the intel community is a supporting actor in that. Again, this is a law enforcement problem set. But we will bring all the tools and national power in the context of the intelligence community to that problem set because we are directed by the national command authority to do so.
Patrick Gray
I mean, it seems very clear what you're saying is the difference here is going to be scale, priority resources, that sort of thing. And it is very interesting what you said about them having that infrastructure within the borders of the United States, because you might find that by doing, treating them as a high priority, you're going to learn a lot about their activities in the United States that might not already be known, I guess, by authorities. That's the idea, isn't it?
Rob Joyce
Yeah, but therein is the rub for the NSA capabilities. It is a foreign intelligence capability. So I can't, you know, can't see that crossing the border. It's going to inform the overseas elements of them and the activity that starts and originates outside the U.S.
Patrick Gray
Well, I'd imagine a lot of the information that would be actionable would be stored on systems outside of the United States, which would make it fair game, right?
Rob Joyce
Exactly. Yeah.
Patrick Gray
Yeah. Okay, so look, let's have a bit of a chat. I mean, I guess we've kind of touched on this already, but one of the things in our notes that we, that we prepped for this session was to sort of talk about active defense, active offense. You know, what's sort of changing there? I mean, active defense is, I guess, a bit of a euphemism, isn't it? I mean, it's about when you discover, you know, attacker infrastructure targeting, you know, interests in the United States, you go and then disrupt that attacker, that attacker infrastructure. This was something that was, I guess, kind of regarded contra as a controversial thing maybe 10 years ago. It's. I feel like this isn't even a discussion anymore because it's just an accepted. It's just an accepted part of how we do business. I mean, to what degree do you agree with that, Rob?
Rob Joyce
Yeah, I think the concept has matured. People understand it's easy to get a visual. You know, if you are a soccer or football team, you don't let the opposing team kick on your goal over and over and over again. You want to try to drive that ball downfield and shoot on their goal, too. So, you know, the active defense is the idea that we're going to challenge them and put friction into those operations so that they don't just get continual tries to get the goal. I think where the gap is today is there's a huge communication and lexicon gap amongst the community as we talk about more offense. Because beauty is in the eye of the beholder. And even the term active defense means different things to different people. So talking to policymakers, executive branch and people in the operations, there's not clarity about what more offense means. Is it going after the large botnets that are enabling activity into the U.S.? Well, great. You tear those down. How long and how much impact does that have today? Not so much. Those are pretty ephemeral. You can spin them back up. Are you going at the jump server that the data moved to when it came out of your organization? Great. What if that is an open share in a company that's abroad? Are you allowed to burn that all down? How specific do you need to be? You know, there are certainly folks in the political realm who pound on the table and say, I want the lights to go out in Beijing and Moscow so that they feel the same sense of angst and urgency and they're afraid to come at us. And, you know, is that something, you know, you want to take on? Are you willing to cross that Rubicon? And, you know, I think one of the questions I have is it feels a bit like, you know, we're covered in gasoline and starting a match fighting, match throwing fight. And so, you know, where do you want to set these lines for what end and what outcome?
And I think the most important thing as we enter these debates is just to talk through and game out who is the actor that's doing it. Is it private? Is it inherently governmental? Is it a mix? And what are the roles? What are the inbounds and out of bounds at each step as you define defense, the active defense, and then offense, and then what's inbounds and out of bounds as you consider offensive activity? Is it against infrastructure? Is it against the operational servers of an entity? Or is it into the critical infrastructure of another country? And we frankly don't have clarity on what everybody means. And we do talk past each other a lot.
Patrick Gray
It's pretty clear what you're referring to there, at least in part, is stuff like Volt Typhoon. Right. So for those who are unfamiliar in the audience, Volt Typhoon is a campaign being conducted by, you know, someone working at the behest of the, of the Chinese state to pre-position these attackers inside US critical infrastructure and infrastructure that is important to American interests outside of the United States. Indeed, it's, it's a campaign that is targeting critical infrastructure here in Australia or all around Asia Pacific. Now, you know, you said, well, are we, are we dousing ourselves in, in, you know, kerosene or gasoline and then, you know, starting a match fight. I mean, I'd sort of argue that the people pouring the, the flammable liquids here are probably the Chinese, right? So there is this. I think policymakers to a degree are a little bit stuck in how to respond to this.
Rob Joyce
The point I really wanted to make was, are we prepared to do the defense as we ratchet up the offense?
Patrick Gray
Yes, yes. Now this is where it gets very interesting, right? So we recently heard from Mark Warner, Senator Mark Warner, some comments he made recently, which is, well, we should be doing the same thing to China. And you know, we reported on those comments and I had some mail come in from a listener who said, look, I work securing critical infrastructure in the United States and we are not ready. Quite to your point, Rob. We are not ready for this fight, you know, so if we do escalate that way. But then again, I mean, you know, we're already in a situation where attackers are pre-positioning into that infrastructure. So Andy, I'll ask you first and then I of course want to get your opinion on this, Rob, but as a matter of policy, what should the response to something like that be like? Because it doesn't seem like anything that we've tried so far has managed to put a dent in it or slow it down.
Andy Boyd
Yeah, and so, I mean, I would agree with Rob's comments on this. You know, there are conversations happening in Washington and sidebar conversations here in RSA between private sector company leaders, nominees to positions in the federal government, White House officials, DHS officials and whatnot about how we put together a strategy on defense, on active defense, and on the far right of that scale, actually offensive cyber operations. And I think as a community we're going to coalesce around that strategy and probably come to the realization that shutting off the lights in whatever country or doing exactly as Senator Warner made reference, doing exactly what the Chinese have done to us in Volt Typhoon and Salt Typhoon, I think we'll come to the conclusion that that's probably not the best approach. Likewise, some of our private sector friends that are attending RSA currently, you know, they have desire to hack back, so to speak, in the lexicon. What does that hack back mean? I really don't. And they don't have the authorities to do it, you know, overseas, because that's inherently government activity. I don't think we'd ever get to the point where we authorize medium sized large companies to basically take their red teaming tools and start hacking away at Beijing. I just don't think we'll do that. But what we will do, I think is empower companies that have understanding of vulnerability research and what collectively we would call offensive cyber tools to, under the authorities of, be it the intel community, under DOD, under law enforcement, to augment our capabilities on the active defense and offensive cyber side so that we can at least approach the hundreds of thousands of folks that the Chinese apply to these problems. Affiliates of the MSS, affiliates of the People's Liberation Army and whatnot, but I think that's going to take several years. But we first have to coalesce around a strategy and that conversation is happening.
Patrick Gray
So I guess what you're saying is if you fight fire with fire, like basically everybody's just going to get burned to a crisp.
Rob Joyce
Yeah. So, Pat, I do believe offense is part of the answer. My basic belief is we need to be more muscular in all elements of imposing costs and response. I don't think we've had enough freedom in the offensive space. But I also think that, you know, we haven't done a good job on defense. We also haven't really, really leaned in on the diplomatic levers, the tariff levers, some of the sanctions levers, and a whole array of tools that are tools of statecraft. We've done each of them to some extent, but we have not really in a forceful way applied those to the point where other countries kind of take the step back and go, wow, they are really, really serious. We better stop. And I also make the distinction, we're talking Volt Typhoon a bunch here, right? That pre positioning for destructive effect, the strapping of digital explosives to our virtual infrastructure, that's beyond the pale. We've got to convince them that that is not in their interests to undertake those operations. The Salt Typhoon, where they got into our telcos, that's embarrassing to us, right? That's an intelligence success for them and failure for us. But you don't convince these other nations to stop digitally spying. I don't see that going away. But I absolutely think that as we turn the dials on the response for the pre positioning, you know, 1 to 10, we've done twos and threes. We need to get to 9, 10 and 11 across multiple settings and multiple tools so that they get the message that it is not in their benefit to undertake this. It's more cost than value.
Andy Boyd
And Pat, you and I have talked about on a previous show about the tools of coercive diplomacy. I mean, that would be an operation short of war, but it would be coercive diplomacy to change whatever nation state actor we're talking about to change their behavior. And a much more mundane example than Volt Typhoon, the Iranian government hacked water treatment or water transportation, water treatment plants in a number of states last year. I would argue if they did that again, a similar level of a cyber attack against the Iranians in the vein of a, a coercive diplomacy move would make a lot of sense. I think the Volt Typhoon, to Rob's point, turning it up to 11, I mean that we would have to do a lot of operational thinking and how it would nest in with the rest of our relationship with the Chinese before we pulled that trigger.
Patrick Gray
Well, that was something I was thinking as Rob was speaking there, when he brought tariffs into it, which is one of the ways that the United States has been driving with the handbrake on a little bit vis-a-vis its response to all of this is the high level of interdependence between the Chinese and American economies. And with everything that's happening right now, it looks like that interdependence is going through some changes, shall we say? So who knows what sort of opportunities that brings with all of this. But look, let's move on to another topic now. And one thing that we wanted to touch on with you is AI, right. And how AI is sort of, you know, possibly changing the game in the cyber domain from a sort of, I see a military perspective. Rob, before we, you know, during the preparation for this session, I, we, we had a document I put some notes in. I thought, well, I would imagine one thing that would be very useful for, for an organization that does a lot of signals collection is translation. So we know after 9/11, there was this huge push to get Arabic translators into agencies like NSA and FBI because they just didn't have enough of them. They had some. But all of a sudden, tasking priorities change. There's a volume of material coming in that needed to be translated. So I would have thought that would be useful. But as I said to you, NSA probably has already had that capability for a while because it's so important. And indeed, you pointed me to some public resources that said that, yes, this is something that NSA has had for the past 10 years. So the question becomes, where does AI plug in and fit into this whole, you know, cyber domain?
Rob Joyce
Yeah. So our research organization has talked about, you know, AI and some of the history of use inside NSA. And, you know, one of the most powerful use cases was machine translation. Not to the point where it replaced our human analysts, but it curated the workloads, it moved interesting things to the top of their queue so that they would go through it first. And I do see that that is the general philosophy, at least in my history, is those that use AI outperform those who don't. And so you're looking at those accelerants. And yes, in the history of hacking, there's always been script kiddies, people that don't understand but can run somebody else's tool and get an effect. But the really powerful people understand the theory, the execution, and then they have that tool that they can play like a magical instrument and produce beautiful music. And that's where I see AI augmenting people who have a base level of skill and accelerating them. And what you get is speed and quantity combined with the expertise and imagination of the good people who can use it.
Patrick Gray
I mean, I was in Sydney last week just for a week off with my family. I had dinner with a friend down there who does not work in cyber. But it's interesting what you say, because that came up in my conversation with him where he's restarting a business that he found too difficult to run. It involves sort of events and webinars and whatnot. Previously, the workload was just too high, and now he finds that by using AI tools, he can run this business as one person. Right. So this idea that it's this incredible sort of efficiency and productivity tool definitely vibes with my understanding. But, Andy, you know, obviously you've worked in this space for a long time as well. You know, where do you think the opportunities are to plug AI into the sort of. I guess the entire sort of SIGINT intelligence lifecycle or the Cybint Intelligence lifecycle?
Andy Boyd
Yeah, I mean, I'll let Rob talk to the SIGINT part of it, but, I mean, in the agency, I mean, a lot of analysts, not the analysts that worked for me in CCI, but outside of the cyber realm, were afraid they were gonna be replaced by AI bots. And then they got their head around what it meant, and, like, oh, the easy sort of like biographical details on some world leader. And I have to write a redo that report every month as things evolve. If you could take that off an analyst plate and have them focus on much deeper intellectual activities, that is great. So I think AI is sort of a Rorschach test for a lot of people, but what it means for the workforce in a place like CIA is reducing workload and making humans more efficient. Same thing on the defensive cyber side or in doing vulnerability research. I mean, if you can have AI tools execute that. Frankly, as a former field CIA guy, if I could have had an AI tool write up some of my meetings so that I could go do more important things, I would have saved myself, like, maybe a year of my life.
Patrick Gray
It's so funny that you say that, because that's basically the only thing that I use AI to do, is meeting summaries and notes. It's amazing because it writes up perfect notes, then you just go through, correct the spelling of people's names and call it a day.
Andy Boyd
And again, back to CIA field people. Then you have those people with deep expertise in whatever area of the world they're serving in deep language experience that aren't wasting their time writing up things in the office. They're out meeting sources or if they're more senior in their career, meeting leaders of that country and advancing the ball on US national security goals.
Patrick Gray
I imagine too that just having some large language model trained on a bunch of intelligence would be very useful for analysts just to be able to ask it questions as well, like, what do we know about this guy? Who are their associates? And, you know, instead of having to enter in, you know, something in a specially internally developed scripting language, they can just ask things questions. But again, this is, yeah, this is a change in interface, isn't it? It's a productivity change, not a, you know, it's not changing the information you have. It's just really about being more efficient with it. So just one last thing we wanted to talk about is this, I guess, how can startups get involved? How can startups help the IC? Because one of the things that, you know, that's interesting about trying to serve intelligence agencies is their requirements are pretty opaque, right? Like, it's not like you can just say, well, you know, NSA is struggling with this particular technology requirement, so we're going to raise a bunch of money and build this thing. So how can you, how could your former agencies go out to bright young things and get them to build things without sort of giving away too much information? Like, is this a problem for agencies like NSA and CIA?
Rob Joyce
Pat, it is, at least in the NSA ecosystem, a fairly insular and, because it's the government, bureaucratic process. But there is one easy button in the startup world and that is In-Q-Tel. So NSA literally gives In-Q-Tel the list of problems that it's hoping to have solved and they then canvas the venture world and do annual conferences and other venues where they talk about what we're looking for and kind of mine and harvest those needs.
Andy Boyd
Yeah, and obviously as the CIA guy, In-Q-Tel's been a godsend throughout my career, but I didn't really get it until I retired 18 months ago and then got very involved in the VC world. Spent a lot of time with In-Q-Tel, also spent a lot of time with the private equity world. And I'm astounded with the innovation in that entire ecosystem. And you see it at RSA, you see it at various conferences across the country and niche companies that are set up on a shoestring and then you get a viable product and then there becomes a use case in the intel community and then that company takes off and becomes quite profitable. I think it is a very healthy cycle in the United States, and I doubt there's any country in the world that quite has that innovation cycle. So I'm very confident that there's probably someone in this room, definitely someone who's listening to your podcast, Pat, who's going to invent the next amazing thing for the intelligence community. And maybe it will be incubated by Incubel, maybe it will be incubated by one of the venture capital firms represented here, but I'm very confident that whatever that technology is, it's going to be invented in the United States or maybe Australia.
Patrick Gray
There you go. We actually, In-Q-Tel actually do have an office here, funnily enough, so for quite a few years now. But look, I think we're going to wrap it up now and move to questions which will not be part of the recording. Fantastic to see you both again. I'm very sad I can't be there. Rob Joyce, Andy Boyd, thanks a lot for your time.
Andy Boyd
Thank you, Pat.
Rob Joyce
Thanks, Pat.
Detailed Summary of "Srsly Risky Biz: Special guests Rob Joyce and Andy Boyd on offensive cyber"
Podcast Information:
The episode kicks off with host Patrick Gray introducing the special edition of the "Seriously Risky Business" podcast. Unlike the usual format featuring Tom Uren discussing his newsletter, this episode features an in-depth conversation with two high-profile former intelligence officials:
Gray sets the stage by highlighting the shift in focus towards offensive cyber operations, the impact of recent governmental changes on agencies like the NSA and CIA, and the integration of artificial intelligence in intelligence work.
Notable Quote:
"We brought together a couple of fantastic guests to have really a conversation about offensive cyber and what's happening with US Government intelligence agencies in the age of the Trump White House." — Patrick Gray [00:06]
Rob Joyce opens the discussion by addressing significant staffing upheavals within U.S. intelligence agencies. He points out that while some agencies like CISA have faced extensive cuts, other parts of the NSA remain relatively stable. However, the removal of key leadership positions has led to uncertainty and a subsequent loss of talented personnel.
Notable Quote:
"There are very real things happening now. The good news is it doesn't progress that much farther down into NSA, but sister agency CISA. The best word I can use is eviscerated." — Rob Joyce [02:21]
Andy Boyd corroborates Joyce's observations from the CIA's perspective, noting that although there haven't been forced departures at the leadership level, several senior leaders are opting for voluntary early retirement to secure their benefits sooner. This trend is concerning as it leads to the loss of experienced and qualified individuals within the agency.
Notable Quote:
"They're really quality people. They're the kind of people that would frankly be qualified to take my former job as director for the Center for Cyber Intelligence in a couple of years." — Andy Boyd [04:38]
The conversation delves into the Trump administration's approach to offensive cyber operations, specifically referencing National Security Presidential Memorandum (NSPM) 13. Joyce explains that NSPM 13 aimed to streamline the previously cumbersome interagency processes that hindered effective offensive cyber actions. By providing more mission-type orders and defining clear boundaries, NSPM 13 empowered Cyber Command to execute campaigns with greater agility.
Notable Quote:
"NSPM 13 gave a little bit more mission type orders, meaning you talk about what the end goals were. You define some left and right boundaries that gets pre-coordinated and then the Title 10 actors in CYBERCOM would then be able to do a campaign based around that approval and it was better." — Rob Joyce [07:31]
Andy Boyd adds that while the administration has clear national security priorities—such as focusing on China and combating drug cartels—there remains a gap in translating these grand strategies into actionable cyber operations. He emphasizes that cyber tools should complement, not replace, concrete national security policies.
Notable Quote:
"Cyber operations are not a panacea for a lack of a concrete national security policy. You have to actually apply them like you'd apply any other tool of national power." — Andy Boyd [06:05]
Patrick Gray introduces the topic of active defense, which involves disrupting attacker infrastructure targeting U.S. interests. He queries whether active defense has become an accepted norm in cybersecurity practices. Rob Joyce likens active defense to a sports strategy—preventing opponents from scoring while simultaneously creating opportunities to score oneself.
Notable Quote:
"The active defense is the idea that we're going to challenge them and put friction into those operations so that they don't just get continual tries to get the goal." — Rob Joyce [23:37]
However, Joyce points out the significant communication and terminology gaps that exist when discussing offensive measures. The lack of clarity on what constitutes "active defense" versus "offensive cyber" leads to misunderstandings among policymakers and operatives alike.
Andy Boyd concurs, highlighting that varying interpretations of offensive actions can lead to ineffective or counterproductive strategies. He stresses the importance of establishing clear definitions to ensure cohesive and effective cyber operations.
Notable Quote:
"Beauty is in the eye of the beholder. And it even the term active defense means different things to different people." — Rob Joyce [23:37]
The episode examines specific cyber threats like Volt Typhoon—a Chinese state-sponsored campaign targeting U.S. critical infrastructure—and Salt Typhoon in Australia. These operations involve pre-positioning attackers within vital systems to prepare for potential future disruptions.
Patrick Gray challenges the notion that responding to such threats should involve aggressive offensive measures, questioning whether the U.S. is adequately prepared to escalate its response without compromising its own infrastructure.
Notable Quote:
"We are not ready for this fight, you know, so if we do escalate that way." — Patrick Gray [27:38]
Rob Joyce emphasizes the necessity of enhancing both defensive and offensive capabilities to impose significant costs on adversaries. He advocates for a more robust application of diplomatic and economic tools alongside cyber measures to deter hostile actions effectively.
Notable Quote:
"We need to be more muscular in all elements of imposing costs and response." — Rob Joyce [30:40]
Andy Boyd draws parallels between combating cyber threats from cartels and counterterrorism efforts, noting that although the nature of these threats differs, the strategic approach in utilizing intelligence and law enforcement remains crucial.
Notable Quote:
"These guys know what they're doing and they have huge business enterprises and they're sub state actors." — Andy Boyd [20:15]
The discussion shifts to the integration of artificial intelligence (AI) in cyber intelligence operations. Rob Joyce outlines how AI, particularly machine translation, has been instrumental in managing the vast amounts of data collected by intelligence agencies. AI aids in curating workloads, prioritizing critical information, and enhancing the efficiency of human analysts.
Notable Quote:
"AI augmenting people who have a base level of skill and accelerating them." — Rob Joyce [35:16]
Andy Boyd adds that AI serves as a productivity booster, freeing up analysts to engage in more complex and intellectually demanding tasks. He envisions AI handling routine data processing, thereby allowing intelligence personnel to focus on strategic decision-making and operational execution.
Notable Quote:
"If you could take that off an analyst plate and have them focus on much deeper intellectual activities, that is great." — Andy Boyd [38:36]
Patrick Gray echoes these sentiments by sharing an anecdote about how AI tools have enabled individuals to manage increased workloads efficiently, underscoring AI's role as a transformative productivity tool rather than a replacement for human expertise.
Notable Quote:
"It's amazing because it writes up perfect notes, then you just go through, correct the spelling of people's names and call it a day." — Patrick Gray [38:50]
The conversation concludes with a focus on how startups can collaborate with the intelligence community to address technological needs. Rob Joyce highlights In-Q-Tel as a pivotal platform where the NSA communicates its technological challenges to the venture community, fostering partnerships that drive innovation.
Notable Quote:
"NSA literally gives In-Q-Tel the list of problems that it's hoping to have solved and they then canvas the venture world and do annual conferences and other venues where they talk about what we're looking for and kind of mine and harvest those needs." — Rob Joyce [40:29]
Andy Boyd praises the U.S. startup ecosystem's dynamism, expressing confidence that future breakthroughs in intelligence technology will emerge from initiatives like In-Q-Tel. He encourages entrepreneurs and innovators to engage with these platforms to develop solutions that align with national security objectives.
Notable Quote:
"I'm very confident that whatever that technology is, it's going to be invented in the United States or maybe Australia." — Andy Boyd [41:05]
As the episode wraps up, both Joyce and Boyd emphasize the importance of a balanced and strategic approach to cyber operations. They advocate for enhancing both defensive measures and offensive capabilities to effectively deter and respond to cyber threats. Additionally, they underscore the need for clear communication, well-defined operational boundaries, and robust collaboration with the private sector to bolster the nation's cybersecurity posture.
Notable Final Remarks:
"We have not really, we have not really leaned in on the diplomatic levers, the tariff levers, some of the sanctions levers, and a whole array of tools that are tools of statecraft." — Rob Joyce [32:45]
"The intelligence community is a supporting actor in that." — Andy Boyd [21:06]
This episode provides a comprehensive exploration of the current state and future directions of offensive cyber operations within the U.S. intelligence community. Through insightful discussions with former NSA and CIA officials, listeners gain a nuanced understanding of the challenges, strategies, and technological advancements shaping the cybersecurity landscape.