B
And welcome to Seriously Risky Business, the podcast we do here at Risky Business Media with Tom Uren, which is all about cyber policy and intelligence. My name is Patrick Gray. This edition of Seriously Risky Business is brought to you by Mastercard, which does a whole bunch of stuff in cyber threat intelligence these days. They even acquired Recorded Future recently. And yeah, big cyber shop in addition to being, you know, a massive card brand. So there we go. Tom, thank you for joining me. And of course, what we're going to do now is talk through your newsletter this week, and the first thing that you've written about in the Seriously Risky Business newsletter, which of course people should subscribe to by going to Risky Biz. The first thing that you have written about this week is a paper from a German think tank which has tried to kind of define what the norms in cyber operations should be. But of course, just because a bunch of Germans write these things down on a piece of paper doesn't mean necessarily that states are going to suddenly click their heels and do what the Germans want. But why don't you walk us through the paper and give us the gist of what they think the norms should be?
A
Yeah, yeah. So it was an interesting piece of work, and I know the author consulted with a whole lot of people from all around the world. So even though it's German based, it reflects the views of a lot of US people, for example. So there's basically red flags, which the author says, you know, these are things that you should consider as crossing a line and basically respond more robustly to. And the idea is that by defining them, it allows people who are victims to know, to think more clearly about what has actually gone on and is it important? And it also hopefully allows aggressors to go, oh, we should think a bit more carefully about doing this because it might cross a line now.
B
So have they developed a "how mad should you be" matrix, basically? Is it that sort of thing?
A
I think that is one actually reasonable way to think about it. And I think that the idea is that a lot of operations just go on and they happen and people sort of scratch their heads thinking, shh, how bad is this? Like, what's, what's the, how angry should we be? I don't know. And so it starts off with causing death, bodily harm, killing people, basically. And this seems to be something that states, by practice, agree on. You don't see cyber operations that result in people's deaths in general. And so that, that, that's okay. We're off to a good start. That's non contentious.
B
Well, hang on, hang on. I mean, if you are in a state of war, killing people with the cybers in a, you know, within the framework of an international armed conflict, you know, it could be entirely justifiable. But I mean that's, that's stretching, because what's the scenario going to be where you are, you know, doing a lethal cyber strike in wartime?
A
Like, it's ridiculous.
B
I guess I just wanted to be the, the final boss of pedants there and say.
A
But actually, no, you're actually correct. The paper's aimed at what happens during peacetime. So it's like if you're in war, it's, that's, you know, you're in a different state. So all the examples it talks about. So it has these red flags that the author, Sven Herpig, has come up with, and he gives case studies, well, not case studies, examples of when they've been crossed or you might consider them crossed, or they're getting close to the red line.
So for that first example of causing people to die, there are no examples that you can come up with.
Now I thought the most interesting one was maintaining control of what you're doing, basically. And it actually, the paper splits that into technical control and organizational control. So when you think of technical control, it's your malware gets out of hand. And so the examples that the paper lists there are NotPetya, WannaCry and even Stuxnet, because Stuxnet propagated beyond where it was meant to.
Now those first two, NotPetya and WannaCry, I think it's pretty clear that they caused huge collateral damage, and no state wants that to happen by accident. And so there's a strong reason, a logic to having, encouraging states to maintain control of what they're doing. Now the second example is actually organizational control. And basically the paper refers to the very loose system, particularly of Chinese hackers, contract hackers, where they seem to be very loosely controlled. It cites the i-Soon hackers, a technology company that is doing some hacking for the Chinese state. And it talks about the mass compromise of Microsoft Exchange servers. And the point there is that no state really wants hacking to get out of control for whatever reason, whether it's because you don't control your hackers or because you don't control your malware. And I think that was very interesting as a place where maybe policymakers could get to some agreement. You need to control your hackers, maybe.
B
You know what I mean?
A
Maybe.
B
I don't know. I don't know how much the Chinese actually care about the mayhem. But, you know, as you point out, like this paper says, that one of these red flags is, you know, if you're going to do cyber operations, you can't let them get out of control. I think the NotPetya example of that, 2017, is a fantastic example of where, you know, someone in Russia cooked this up thinking it was going to be a, you know, loltastic adventure of destroying computers in Ukraine. And to say it got out of hand is. Is a bit of an understatement. I think lumping Stuxnet in there, I don't know that it really belongs there, because Stuxnet, although it spread, was very clearly designed not to activate or cause damage to any computers that weren't its intended target. So I don't know that that feels like a red flag, necessarily. That feels a little bit. I don't know, it feels like they're trying to point the finger at at least one operation that's kind of like western adjacent so that they can say, look, we're not. We. We don't have double standards.
A
Yeah, yeah. In an adversary agnostic way.
B
Yes, exactly. Right. Yeah. No, no, like what you say. What you say really is interesting because they're saying, like, you know, it is a red flag when a cyber operation where they either lose technical control, control of malware or whatever, or they lose control of the operators because they've got an ecosystem where people get a bit excited and do dumb stuff. And we see that with the Chinese all the time.
A
Yeah, yeah. So I thought that was. That was the best part of the paper. That was the highlight for me. And so then there's a whole lot of other red flags that I think it would be hard to find universal agreement on. And some of them, for example, are causing physical destruction. And that takes place. I wouldn't say it happens. It's rare, but it happens relatively often. So it's rare in that not many states do it, but the states that do do it do it relatively frequently. So the examples here are destruction of things in Iran, the destruction of a German steel mill, and disruption of Ukraine's electricity network before 2022. And these are incidents that happen when big states just feel they can get away with it, and they're basically punching down on relatively weak states. And so when there's a power imbalance, like states just exert power.
B
I don't know that Germany is like a minnow, really.
A
No, I think that that is. I don't know a lot about it, Anderson. It feels to me, like it was just a bizarre. I'm not even sure that that was state backed. So that's perhaps not the best example in the report. Yeah, but when you've got that imbalance, it's not a universal interest to say this is off limits. So I think from a US perspective or from a European Union perspective, that's something that you should try and deter because you're like one of the bigger power blocks. And in a way, I think this paper is probably most useful for the European Union because you're trying to get like 27 different member states on the same page. And I think it's quite clarifying the thinking in it. Now, another example of a red flag that I think probably everyone agrees with is interference with domestic political processes. Now this is problematic, I think, because people do it relatively frequently. It's happened in the US election, the French election, Ukrainian elections, and you see examples again of larger states trying to influence smaller states all the time. Like this is not uncommon at all. And so it's very difficult to. The logic of saying that it's a red flag is very clear because if you're not in control of your own domestic politics, like what is the point of being a state, yet at the same time, just the frequency and how often it occurs, I think undermines the ability to get any sort of agreement about putting it off limits. And at least in some cases you can see that there's a domestic constituency that benefits from the interference or doesn't want to acknowledge it. And so we've seen that in the states and so it's very hard to mount a robust response.
B
Yeah, because it turns into a domestic bun fight, basically. And you know, we've seen Romania is another example of where there was, you know, a lot of interference and. Yeah, So I mean, I think the. I think you're right in that tackling this turns into a domestic political problem, which is why probably a lot of the time people are just going to move on from it. Right.
A
Yeah. So. I like the idea of lawmakers agreeing to some framework well before an election occurs where they kind of tie themselves to the. Is it tying themselves to the mast, agreeing to a set of standards? Because you never know which side that interference is going to benefit. It doesn't really happen like. But I'm, you know, a naive optimist.
B
Yeah. And there's other red flags here too, which are interesting, which are like, you know, you shouldn't pre-position for civilian disruption à la Volt Typhoon, which is what the Chinese are doing, and, you know, prepare the military battleground. You know, you shouldn't do these pre-positioning sort of attacks. Eh? I don't know. I mean, I think people are going to continue to do them and it's unrealistic to think that they won't. Just as an aside though, the Chinese put out something recently. Where is it?
A
That's right.
B
The Chinese government released a white paper on arms control and their cyber section. They were talking about how China opposes attempts to own the domain from a position of strength and carry out large scale systemic and indiscriminate theft and cyber attacks around the globe. I mean, gee, who could they be talking about? It condemns a certain country's wanton targeting of other nations' critical infrastructure and cyber attacks, which places global critical infrastructure at grave risk. It's like, it is like they literally wrote a paper getting mad at themselves for what they do. Like, it's just so bizarre. And you have a little write up of that in this week's show notes, and I was very proud to come up with the headline for that one, which is China, the World's Most Innocent and Fluffy Cyber Bunnies. They are the baby dears of cyber operations. Little poor baby dears. You've got a couple other pieces in here we'll just touch on real quickly. The Iranian government, you know, AWS released a report looking at a couple of cyber operations conducted by the Iranians. I think one thing that was interesting here is that they were using cyber means to gather, you know, to do targeting. Two examples they cited, one was breaking into IP security cameras in Israel and using that to do more accurate targeting of missile strikes and also post battle damage assessments. We've seen the Russians do this in Ukraine as well and probably vice versa. This, this seems like a pretty standard thing these days. But also it looked like the Iranians broke into some computers on ships so that they could access, like, local AIS information, identify ships for targeting by the Houthis, which are essentially an Iranian proxy. That's kind of interesting that the Iranians have the wherewithal to actually, you know, be able to do real time sort of intelligence on ship locations and actually get that information across to a proxy for targeting.
A
Yeah, yeah. I think doing that in a real time way is actually surprisingly hard. Like if, if you naively think about it, it's just, well, I don't know, don't you just get on the phone and tell someone? But to do it as a process, you actually need some organizational structures and the good kind of bureaucracy. So I think it is like an interesting nugget of information there.
B
Yeah, yeah. And of course, you've got a very short write up here about how Anthropic, the CEO of Anthropic, has been called to testify before Congress. You know, you make the point that, you know, and similar point when talking about this on the, on the main weekly show, where there's going to be forces within these companies that are going to want to stop the sort of reports coming out that led to them being called before Congress. Of course, Anthropic released a report a couple of weeks ago looking at how the Chinese Ministry of State Security was using Claude to automate parts of its cyber campaigns. You know, I mean, I'm. You seem more worried about that than I am. I can imagine that the people who are pro releasing this sort of information are going to win the argument, which is if we sweep this under the rug, it could blow up in our faces and we'll look like we've been concealing stuff and that will be much worse.
A
I mean, I think the thing is that dynamic exists in companies all the time, and many times they do sweep things under the carpet and it blows up in their face. And so it's the short term, long...
B
Term point there, guy. Yeah, solid counterpoint.
A
So I think that it's an opportunity for Congress to say these reports are excellent, we need to keep them coming. We want you to devote time and effort to doing that. And I think just setting an expectation would be great.
B
Yeah, I mean, I think the biggest shocker of the year actually was the meta thing recently where it turned out something like 20% of their ad revenue came from fraud and they knew it and didn't actually want to tackle it so much because it would hurt the bottom line.
A
Yeah, yeah, that was a kind of shocking report. And so I think that that dynamic goes on all the time in companies and it's a battle to get to a place that the public should be happy with.
B
Yeah, I might be a little different in that. Well, I mean, if they got half a brain, they will not try to conceal this sort of stuff because it is a sector that so many people want to see regulated and heavily. Right. So. But you're right. I mean, there's dumbasses everywhere. Right. And they might try to do the wrong thing here and then it'll blow up in their faces and then we'll be talking about it in a podcast in like a year or two from now. So that'll be fun. Yeah. All right, Tom. Tom, you're in that is it for this edition of Seriously Risky Business. Thank you so much for your wonderful work on this week's newsletter and for discussing it with me. Cheers.
A
Thanks, Peter. Sam.
Podcast: Seriously Risky Business (Risky Business Media)
Host: Patrick Gray (B) with Tom Uren (A)
Date: December 4, 2025
Episode Theme:
Exploring the limits of acceptable behavior in state-sponsored cyber operations, with a deep dive into proposed “red lines” for offensive cyber campaigns and current real-world trends in state cyber activity.
In this episode, Patrick Gray and Tom Uren discuss the concept of "red lines" in nation-state cyber operations, prompted by a recent paper from a German think tank. They explore the feasibility of establishing global norms around cyber behavior, the challenges of governance, and recent cases illustrating the ongoing evolution of cyber warfare tactics. The episode blends policy discussion with real-world cyber incidents and state-level maneuvers, offering both analysis and wry commentary.
(00:50 – 08:16)
Paper Overview:
Tom outlines a German think tank's effort to define behavioral norms for state cyber operations, emphasizing practical “red flags” that would warrant robust responses.
‘How Mad Should You Be Matrix’:
Patrick quips that the paper acts as a decision framework for outrage—“So have they developed a how mad should you be Matrix, basically?” (B, 02:00). Tom agrees that this captures the practical value.
Death and Bodily Harm as a Red Line:
The paper (and states in practice) widely agree that cyber operations causing death are beyond the pale—though this mostly applies in peacetime.
Accidental Collateral Damage & Losing Control:
The most thought-provoking red flag: states losing control technically (malware spreading like NotPetya, WannaCry, Stuxnet) or organizationally (e.g., contracted Chinese hackers acting independently).
(07:04 – 11:27)
Physical Destruction as a Red Flag:
Cyber-caused physical destruction is rare but not unheard of (Iran’s facilities, German steel mill, Ukraine’s power grid). It often occurs during “power imbalance” scenarios where larger states act against smaller ones.
Political Interference:
Interfering in domestic political processes is a clear red flag in theory but difficult to govern in practice due to frequency, power imbalances, and domestic incentives or denial.
Pre-Positioning for Disruption:
Discussion of practices like China’s “Volt Typhoon” campaigns, where adversaries pre-position within civilian critical infrastructure in peacetime. Both hosts are skeptical such norms will be observed regardless.
(11:28 – 13:41)
China’s Arms Control White Paper:
Patrick notes a Chinese government white paper on arms control whose cyber section condemns attempts to “own the domain from a position of strength” and “large scale systemic and indiscriminate theft and cyber attacks,” rhetoric both hosts read as describing China’s own conduct.
Iranian Cyber-Enabled Targeting:
An AWS report describes Iranian operators compromising IP security cameras in Israel to refine missile targeting and battle damage assessment, and compromising shipboard computers to pull AIS data for Houthi targeting. Tom notes that passing such intelligence to a proxy in near real time takes real organizational structure.
(13:41 – 15:28)
Anthropic CEO Testifying Before Congress:
Tom notes that reports on misuse of AI (e.g., Chinese Ministry of State Security using Claude) create internal tension at vendors between transparency and self-protection.
Meta’s Ad Fraud Example:
Patrick’s “shocker of the year” is a report that Meta knew 20% of its ad revenue was fraud but did little to fix it—showing the recurring challenge of aligning corporate incentives with the public good.
On Red Flag Fatigue:
“It’s a red flag when a cyber operation where they either lose technical control…or they lose control of the operators because…people get a bit excited and do dumb stuff. And we see that with the Chinese all the time.” (B, 06:43)
China’s ‘Fluffy Bunnies’ Rhetoric:
“China the World’s most innocent and Fluffy Cyber Bunnies. They are the baby dears of cyber operations.” (B, 11:28)
On Political Interference:
“I like the idea of lawmakers agreeing to some framework well before an election occurs…because you never know which side that interference is going to benefit.” (A, 10:41)
This episode delivers a nuanced, skeptical look at the global conversation on cyber warfare “red lines.” Patrick and Tom blend policy analysis with expert commentary on current events, showing how difficult (and often political) it can be for states and tech companies to draw, recognize, and respond to boundaries in cyber activities.