Risky Bulletin: Srsly Risky Biz – When Cyber Campaigns Cross a Line
Podcast: Risky Bulletin
Host: Patrick Gray (B) with Tom Uren (A)
Date: December 4, 2025
Episode Theme:
Exploring the limits of acceptable behavior in state-sponsored cyber operations, with a deep dive into proposed “red lines” for offensive cyber campaigns and current real-world trends in state cyber activity.
Main Theme and Purpose
In this episode, Patrick Gray and Tom Uren discuss the concept of "red lines" in nation-state cyber operations, prompted by a recent paper from a German think tank. They explore the feasibility of establishing global norms around cyber behavior, the challenges of governance, and recent cases illustrating the ongoing evolution of cyber warfare tactics. The episode blends policy discussion with real-world cyber incidents and state-level maneuvers, offering both analysis and wry commentary.
Key Discussion Points & Insights
1. Defining Cyber Norms: The German Think Tank Paper
(00:50 – 08:16)
- Paper Overview:
  Tom outlines a German think tank's effort to define behavioral norms for state cyber operations, emphasizing practical “red flags” that would warrant robust responses.
  - “There’s basically red flags…the idea is that by defining them, it allows people who are victims to know, to think more clearly about what has actually gone on and is it important?” (A, 01:16)
- ‘How Mad Should You Be Matrix’:
  Patrick quips that the paper acts as a decision framework for outrage: “So have they developed a how mad should you be Matrix, basically?” (B, 02:00). Tom agrees that this captures the practical value.
- Death and Bodily Harm as a Red Line:
  The paper (and states in practice) widely agree that cyber operations causing death are beyond the pale, though this mostly applies in peacetime.
  - “States, by practice, agree…you don't see cyber operations that result in people's deaths in general.” (A, 02:06)
- Accidental Collateral Damage & Losing Control:
  The most thought-provoking red flag: states losing control technically (malware spreading like NotPetya, WannaCry, Stuxnet) or organizationally (e.g., contracted Chinese hackers acting independently).
  - “No state really wants hacking to get out of control for whatever reason—whether it’s because you don’t control your hackers or…malware.” (A, 04:30)
  - Patrick: “Someone in Russia cooked [NotPetya] up thinking it was going to be a, you know, loltastic adventure of destroying computers in Ukraine. And to say it got out of hand is…a bit of an understatement.” (B, 06:00)
  - Stuxnet discussion includes skepticism about it being a red flag since it was designed not to trigger on unintended targets (B, 06:05).
2. Challenges Building Universal Agreement
(07:04 – 11:27)
- Physical Destruction as a Red Flag:
  Cyber-caused physical destruction is rare but not unheard of (Iran’s facilities, German steel mill, Ukraine’s power grid). It often occurs during “power imbalance” scenarios where larger states act against smaller ones.
  - “These are incidents that happen when big states just feel they can get away with it, and they’re basically punching down on relatively weak states.” (A, 07:47)
  - Patrick disputes the example of Germany as a “minnow” (B, 08:16).
- Political Interference:
  Interfering in domestic political processes is a clear red flag in theory but difficult to govern in practice due to frequency, power imbalances, and domestic incentives or denial.
  - Tom: “If you’re not in control of your own domestic politics, what is the point of being a state?” (A, 09:09)
  - “Tackling this turns into a domestic political problem, which is why probably a lot of the time people are just going to move on from it.” (B, 10:32)
- Pre-Positioning for Disruption:
  Discussion of practices like China’s “Volt Typhoon” campaigns, where adversaries pre-position within civilian critical infrastructure in peacetime. Both hosts are skeptical such norms will be observed regardless.
  - “You shouldn’t pre position for civilian disruption a la Volt Typhoon … I mean, I think people are going to continue to do them and it’s unrealistic to think that they won’t.” (B, 11:04)
3. State Cyber Rhetoric and Hypocrisy
(11:28 – 13:09)
- China’s Cyber Arms Control White Paper:
  Patrick pokes fun at Chinese hypocrisy; their official statements denounce exactly the behavior they themselves exhibit.
  - “It is like they literally wrote a paper getting mad at themselves for what they do. Like, it’s just so bizarre… China the World’s most innocent and Fluffy Cyber Bunnies.” (B, 11:27)
4. Emerging Trends in State-Sponsored Cyber Operations
(12:50 – 13:41)
- Iranian Operations and Real-Time Targeting:
  AWS’s new report describes Iranian hacking of Israeli IP cameras for missile targeting and post-strike assessment, and accessing ship location data to aid Houthis in targeting.
  - “That’s kind of interesting that the Iranians have the wherewithal to actually…do real time sort of intelligence on ship locations and actually get that information across to a proxy for targeting.” (B, 13:09)
  - Tom: “Doing that in a real time way is actually surprisingly hard…you actually need some organizational structures and the good kind of bureaucracy.” (A, 13:16)
5. AI, Disclosure, and Industry Incentives
(13:41 – 15:28)
- Anthropic CEO Testifying Before Congress:
  Tom notes that reports on misuse of AI (e.g., Chinese Ministry of State Security using Claude) create internal tension at vendors between transparency and self-protection.
  - Patrick: “If we sweep this under the rug, it could blow up in our faces and we'll look like we've been concealing stuff and that will be much worse.” (B, 14:13)
  - Tom: “That dynamic exists in companies all the time and many times they do sweep things under the carpet and it blows up in their face. And so it's the short term, long-term point there, guy.” (A, 14:34)
- Meta’s Ad Fraud Example:
  Patrick’s “shocker of the year” is a report that Meta knew 20% of its ad revenue was fraud but did little to fix it, showing the recurring challenge of aligning corporate incentives with the public good.
  - “That was a kind of shocking report. And so I think that dynamic goes on all the time in companies and it's a battle to get to a place that the public should be happy with.” (A, 15:16)
Notable Quotes & Memorable Moments
- On Red Flag Fatigue:
  “It’s a red flag when a cyber operation where they either lose technical control…or they lose control of the operators because…people get a bit excited and do dumb stuff. And we see that with the Chinese all the time.” (B, 06:43)
- China’s ‘Fluffy Bunnies’ Rhetoric:
  “China the World’s most innocent and Fluffy Cyber Bunnies. They are the baby dears of cyber operations.” (B, 11:28)
- On Political Interference:
  “I like the idea of lawmakers agreeing to some framework well before an election occurs…because you never know which side that interference is going to benefit.” (A, 10:41)
Important Timestamps for Segments
- [00:50] – Start of cyber norms discussion, overview of German think tank paper
- [02:00] – “How mad should you be” matrix analogy
- [04:30] – Losing technical/organizational control in state hacking ops
- [07:47] – Cyber-caused physical destruction and power imbalances
- [09:09] – Political interference as a red flag, but hard to police
- [11:04] – Volt Typhoon-style pre-positioning debate
- [11:28] – China’s cyber hypocrisy and “Fluffy Cyber Bunnies” commentary
- [13:09] – Iranian real-time cyber targeting and operational sophistication
- [13:41] – Anthropic, AI misuse, and testimony before Congress
- [15:16] – Meta ad fraud scandal as an industry cautionary tale
Conclusion
This episode delivers a nuanced, skeptical look at the global conversation on cyber warfare “red lines.” Patrick and Tom blend policy analysis with expert commentary on current events, showing how difficult (and often political) it can be for states and tech companies to draw, recognize, and respond to boundaries in cyber activities.
