A (3:13)

So the piece talks about different red lines. Some firms will do some of it, some of the negotiations, others will negotiate up until the point where it's time to pay. It really spanned across the map. So I'm wondering, what does that variance tell you about the risk and the ethics here? And did you find that the boundaries that you talked about with some of the subjects of the story, was it driven by morality, liability, or is just business model realities, or is it sort of a mix of all three in there?

C (3:53)

It's probably a mix of all three. I think we'd all like to think that it's morality, but I think often it comes down to just legal liability. I did find it interesting when you think about the largest firms in CyberSecurity, Mandiant and CrowdStrike, they don't get involved in ransomware negotiations. Palo Alto Networks, unit 42, they will, but they won't do the payment part of things. Right. They'll hand that off to a payment processor. So even at the top of the industry, there are different rules that they impose on themselves. And I think that's what's really fascinating here, is that this is. It's kind of up to the eye of the beholder. Everyone can decide how far they're willing to take this and what they feel comfortable with and again, what those legal liabilities might be.

A (4:41)

And look, now that we are dealing with the fallout from this case with these incident responders, you talk to John DiMaggio, who people in the industry will know as a pretty legendary ransomware negotiator, he has called out a lot of these bad actors, and, you know, he was pretty blunt in the story. He was like, look, this, this slice of the world is. There's no certification, there's no peer review. There's no, like, body to hold negotiators accountable. So he categorized it as the Wild West. So I'm wondering, you know, for some of the others that you talk to, and even going beyond what made it into the story, what really, like, bothered them about this area and, and, and their interactions with victims, is it worried about giving bad advice, conflicts of interest, sloppy compliance checks, something else? I mean, there's a lot to worry about. Even when you get out of dealing with the criminals, there's the cleanup that goes on Here. And there's a lot of spokes to that wheel.

C (5:48)

Yeah, I like that. I think there's a really interesting point here in that I think a lot of ransomware negotiators want everyone to think that they are operating above board and doing the best thing possible for victims. But because we rarely get to see what happens in those negotiations, it's difficult to pass any judgment on that. There are, as you said, really no agreed upon rules of engagement, which just makes the practice of ransomware negotiation open to potential exploitation. Some negotiators charge flat fees, others charge hourly rates, and then there are some that charge a percentage of the ransom reduction that they're able to achieve, which obviously just creates more conflicts of interest. So I think ultimately the challenge that they're all struggling with is that either way, these victims that do pay ransoms, they're. They end up paying twice. They're paying to the victims, sorry, the criminals, and then again to the people that, that claim to be helping them.

A (6:47)

So I'm wondering, on the payment side of things, did anyone offer defense of the contingency style pricing that you might have found persuasive? Because I hear that, and I'm like, well, if, if, you know, this can be a, A protracted affair. Obviously we're talking about billable hours. So I'm, I'm wondering whether you found anything persuasive or was there broad agreement that that can be sort of problematic?

C (7:12)

It's pretty broad agreement that it could be problematic. To me, I think a flat rate probably makes the most sense that way. They're not incentivized to drag out negotiations longer than necessary, and especially on a percentage of the ransom, whether it's a reduction in payment or percentage of the amount that's ultimately paid, that just seems impossible to overcome those conflicts of interest. So I do think flat rate makes the most sense. There are many that have been ransomware negotiators for a long time that have ultimately come back around to where they started. They just don't think that this should be a business. They admit that they're. They've made money doing this, but it just feels gross to them and they'd rather not be involved anymore.

A (7:56)

Yeah, speaking of the. I don't know, there is the gross side of it, but especially the like, like what John said with it being the Wild West. There is no, like, legal accountability or, or. Well, there's legal accountability, but there's no, like, organized sort of body that says these are the rules of the road. So I, I know that there were some people in the story that called for frameworks, whether that comes from vetted negotiations or recorded comms that then get, you know, put out for people to study and learn from or you know, anonymized action reviews after the fact. I'm wondering, was there any interesting side conversations that you had where if people had to pick one near term change, what would they do to make sure that they're not compromising victims but also not giving, not giving perpetrators more ammo to go after more companies and make it worse than it already is?

C (8:55)

Right. I mean everybody I spoke with said that open sharing of these ransom negotiations is just not going to happen. They just see it as a non starter. But I do think the one thing that most people agree upon is finding a way to share what happens in these negotiations in an anonymized fashion. Right. So that other potential victims can, can learn from what's worked in the past. They're all just very, they're, they're struggling to, to find what information is worth sharing without giving the attackers some, some ammo, as you put it. Right. It's empowering them with information that they can use to, to leverage to further compromise victims. So there's just, there's this ongoing sort of vacuum in which criminals can thrive because that information's not out there. And many victims make the same that others before them have as well.

A (9:49)

So finally, look, the piece obviously very well reported. I'm wondering what question do you still have regarding the industry Secrecy that is hard to answer and, and, and really like the overall questions that you still have based on the information presented because it is very open ended. Obviously this isn't going away and this is the lay of the land and it is still shrouded in, in you know, opaqueness. So I'm wondering, based on everything and now, you know, we're after the story, what questions still remain for you to dig into?

C (10:23)

Yeah, I think it comes back to just that simplified, you know, pay or not pay and what levers can be pulled to enforce a ban on ransom payments. It's been talked about on and off over the years. It seems very difficult to institute. But it seems like everything just keeps circling back around this. Without that money flowing to criminals hands, this, this wouldn't exist. Right. I think that that gets to sort of the crux of the problem.

A (10:53)

Great. The headline on the story, I'm, I'm going to have to, you know too my own horn here. Love the headline. The thin line between saving a company and funding a crime check out our story on cyberscoop. Matt Kapka always does a great job with this stuff and really appreciate you hopping on board to discuss it further.

C (11:12)

Thank you so much, Greg.

A (11:16)

Joining us now on our interview segment is Lieutenant General Charlie Moore. He is the former Deputy Commander of Cyber Command and he's also working with Vanderbilt University and he was a co author on a very interesting paper that was recently released that was titled Dominating the Digital Space. A Whole of Society Strategy for Securing the United States from Cyber Aggression. And look, if you've been reading cyberscoop and listening to our program, you know about how specifically under the Trump administration, there's been a lot of talk about bringing the private sector in to defend critical infrastructure and defend the nation as a whole. The paper gets into that and I talk to Lieutenant General about what digital dominance looks like, his feelings on what he calls analytic superiority, and specifically his ideas around a national Cyber Operations team, which would integrate government and private sector cyber talent into a single integrated team of teams that would be under the operational control of US Cyber Command. So it is a really interesting time and a really interesting idea that is being put forth here and we get into the nuts and bolts of how this would look and excited to really bring him aboard because of the wealth of expertise that Lieutenant Moore has. So check out our interview. Really interesting conversation. All right, joining us this week we have a really interesting guest, really looking forward to this conversation, Talking to retired Lt. Gen. Charles Tuna is his nickname. Tuna Moore Jr. Former Deputy Commander of U.S. cyber Command and visiting professor at Vanderbilt University. Thanks for joining us on the program.

B (13:09)

Thanks, Greg. Appreciate being here.

A (13:11)

So you're joining us because Vanderbilt, through Vanderbilt, you authored, co authored a paper talking about dominating the digital space, a whole of society strategy for securing the US from cyber aggression. And we can dive into that. But first I have to know, can you give us a little synopsis on why they call you Tuna?

B (13:35)

Well, sure, Greg. So I spent 33 years in the Air Force before I retired a couple years ago. I spent the first two thirds of that time flying F16s, the last third in the cyber environment. But I think as most people know these days in the fighter community, when you become mission ready, combat ready, they give you a call sign and I go by Charlie, although first name is Charles, but huge water sports fan. So I like doing anything in the water. And so Charlie, the Tuna is what I was given and it stuck whether I like it or not.

A (14:07)

Nice. Very nice. I didn't know whether you and your staff members and your peers were Just like big office fans. Because I know Big Tuna was a big, was a big office nickname too. So I just had to ask. Definitely an interesting nickname, but no, really appreciate you hopping on board to get into more serious matters with this report. Wanted to dive in off the top as particularly talking about how, you know, we talk about how this is such a, you know, not just a whole of government but really like a whole of nation issue right now. And the report looks at how we can go beyond what the military does with regards to cybersecurity. But there was an interesting quote early on in the report that characterizes the current situation as a continuous confrontation largely invisible to most of the American public. And I would have to agree with that, especially on the fact that when I'm in idle conversation with people outside of this realm and they're always asking me about cybersecurity, they really are interested because so much of what they think about cybersecurity wise is just like, like I think 90% of it is, am I being, is my social media being hacked or am I being scammed by somebody that's asking me to pay a toll for, you know, a turnpike ticket that I know that I didn't get? So I'm wondering from your perspective, since so much of this is invisible, like I can't tell you how many or how little conversations I have about, you know, just like apt threats among like common people, which is of course they've got other things to worry about. But the invisible nature of the conflict that we're in, you know, how does that build or really limit the ability to drum up like public consensus for a whole of society mobilization that is advocated for in this report.

B (16:12)

I think you put your finger, Greg, on a really important point, which is exactly that, that day to day most Americans don't see the outcomes of the conflict, and I use that term very purposefully, they were in persistently inside this environment. They also don't unfortunately get to see and hear about a lot of the actions that the US Government is taking to combat those adversaries and those malicious cyber actors, except when things become really big and really broad. And then of course, the public and members within the government ask the legitimate questions, what are we doing? How come this is happening? And again, they don't see the actions that we're taking. They do seem to see the effects that happen when adversaries do pull off some type of an operation. So it makes it difficult to really present this case in a meaningful way, which is one of the reasons why we wrote the paper is to really try to highlight the fact that the environment has significantly changed and we are at a very unique period in time here where we have ubiquitous nature of the cyber or digital environment. It underpins everything that we do from our economic prosperity, our social stability and our military power. And as you and I'm sure most of your viewers and listeners know, those capabilities are very dependent and interconnected. At the same time, we're seeing nation state actors and other malicious actors have finally gotten to the point where they have the capabilities, the tradecraft and tactic techniques and procedures, along with the desire and the will, the determination to attack us in that persistent manner. And in some cases, as many have now become aware of, position themselves in things like our critical infrastructure. And the only way we're going to be able to deal with the magnitude of this threat, especially because it cuts across all aspects of society, is through a whole society approach.

A (18:13)

So with that approach, for those that have been thinking about this, the report also talks about cyber deterrence. And we've been covering the conversation, especially with the, this new Trump administration and the conversation around deterrence, about how deterrence, you know, it falls below the threshold of armed conflict. But you argue that it's largely unachievable. And I think that the President has pretty much said as much himself. So I'm wondering, you know, is there any specific evidence that can that convinced you of this limitation and what are the implications for our defensive posture? Like how does the deterrence part fit into this or the changing nature of the way that we view deterrence as a government?

B (19:05)

Yeah, this is such an important question as well, because it comes up a lot in the public discourse. It comes a lot with members of Congress and others. Again, when you see operations like the Volt or Salt typhoon actors that's been well publicized now that they're in our critical infrastructure, what is the United States doing? How come we're not deterring actions like this? We must be failing in our actions. But this discussion is really nuanced, so it's great to have it on a format like, like your show here. We have no proof through our close to a decade now of really starting to get after operations that we can perform functions or take actions that deter adversaries from operations that occur below the level of use of force, or what we would call armed conflict. So things that would potentially be, would typically be considered wartime actions. So the stealing of intellectual property, for instance, going and committing espionage, types of actions that have significant impacts on our nation. We do know and we do see evidence that when we look at our traditional military and our nuclear capabilities that we can deter capabilities that do rise above that level of armed conflict or use of force. The problem is there's a little bit of a gray area or a sweet spot from an adversary's perspective between those two areas, and that is pre positioning themselves inside of our critical infrastructure, but not taking action, not causing an effect that could be considered again, a wartime action or something that arises above the use of force. So they're pre positioning themselves there, but they're not taking the action. And then we look and say, well, how come we're not able to deter this? And it's because all these actions below the level of use of force to include the one I just described in critical infrastructure, they, they're relatively cheap to perform, doesn't mean doesn't need a lot of cyber operators and expertise, but they can take these actions. They're hard to attribute. And then they sit there and they wait until the time that they want to actually cause some type of an effect. That's not something that the U.S. government or really our laws or our policies are set up to address is some type of wartime action. However, when you give the equivalent of that in the physical space and you say, well, the United States would never put up with another nation state putting, for example, explosives underneath bridges throughout the United States, they're not setting off those explosions, but they've pre positioned those explosives to be able to detonate when they want. We would never stand for it. And so we have to take more action for these types of actions that we're seeing from the adversaries so that we can better protect the United States and our interest. And we offer some examples of the types of things that we should do in the paper.

A (22:11)

So one of those examples I think is really interesting. It's from a people aspect. You set up a National Cyber Operations Team which integrates government and private sector cyber talent into more of like the operational control of U.S. cyber Command. The floor is yours. Expound upon that idea because I think that's really interesting and that's really something that jumped out in the report to me.

B (22:40)

Yeah, absolutely. Well, it's really encouraging. I think we're hearing this current administration talk a lot about wanting to get more aggressive against our nation's adversaries inside the cyber domain. And second, we're hearing them talk a lot about wanting to really utilize and take advantage of all that the private sector has to offer in this space. So what we present in the paper is what we call the National Cyber Operations Team. The name's not important. That's just the name that we came up to describe what we thought the United States should do. And you're hearing a lot of talk about things like hack back. Should, should private companies build a hack back or should we issue letters of mark like we did back in the, in the times where we had naval privateers going out and acting on behalf of the U.S. government? I think both of those types of actions are unwise. They'd probably lead to a lot of chaos inside the environment. There wouldn't be unity of action, which is one of the principles of warfare. And we'd probably see escalation when we didn't intend for it to happen. The National Cyber Operations Team is a concept that says let's bring the public and private sector teams together. So bring our Cyber teams inside U.S. cyber Command together with teams that can be stood up inside the private sector. Make them a team of teams where they're working together to help us solve our nation's problems. Like the critical infrastructure issue that we talked about previously. For this to work, they need to be under the direct and persistent oversight and control of Title 10, so US Cybercom uniform wearing members. That's how we maintain unity of action, unity of command and effort inside the domain. And we only go after the types of targets and achieve the types of effects that we want. I truly believe this is the only way we're going to be able to scale our offensive cyber capabilities to that is what is necessary to deal with the likes of China, Russia, North Korea, Iran, and of course all that we're seeing from the malicious cyber criminals and proxy forces that exist in the environment.

A (24:53)

Could you elaborate a little bit more on how that differs from what is going on right now, between the relationship that the military might have with its contracting community or bringing operators in that aren't necessarily employed by like the NSA or in some civilian role that is already active. And just how it differs from the

B (25:18)

state of play right now, certainly. So we use contractors right now at U.S. cyber Command, since that's what we're really focused on right now in this discussion. But we use contractors to give us certain capable standalone capabilities. They might develop a certain specific cyber tool or cyber weapon. It might help us with establishing some type of infrastructure that we're using. We use contractors throughout the command to help us perform all types of individual tasks. This concept is really about tooth to tail, if you will, the full spectrum cyber capability that will be presented by the private sector. So Think of it as a cyber team, just like we see present at cybercom now, but totally made up of private sector individuals. They just happen to be under the direct oversight again, command and control of uniform title 10 wearing members of US Cyber Command. That not only helps us scale very rapidly the type of operations that we can do, which we have to do, there's a lot of other great things that happen when we, when we take this approach. If we give those private sector teams very specific missions and effects that we want them to go after and to accomplish, and they, through their innovative approaches, develop new tools or techniques or capabilities to do that, they can bring them to bear right away. This isn't the same thing and meeting the same limitations in the bureau processes that we unfortunately see when you have to go out and try and acquire new tools or capabilities from the private sector as a standalone function.

A (27:00)

All right, that's really interesting to me because I was always wondering like, is it more of a technical aspect or are you talking about actually like civilian operators on the keyboard? Because I know in order to actually get to that point where you are an operator on the keyboard, like at least from a military aspect, there are a number of tests. I know the CNAB and the network operators test and there's the Forge test as well. Just to make sure that I'm clear, we're not talking about bringing in necessarily people to run through that program and then be sitting next to an operator that has to operate under the title 10 that you're talking about.

B (27:41)

Well, in some cases we're going to have people that are trained exactly the same way as we, we would have cyber operators that, that operate at Cyber Command today. In some cases they're not going to need to necessarily meet that standard. As a general rule, as we put in the paper, yes, you're going to want individuals that meet whatever the certification and training standards that are required by the command for them then to oversee those operations. What do I really mean by that? Look, in some cases what we need these civilian teams to do are very rudimentary basic operations where we would have them stand up infrastructure, conduct some type of operation and then burn that infrastructure down. You know, I call that the Dixie cup type of infrastructure and approach to cyber warfare. Obviously, the training standards and requirements there may not be the exact same as we would if we have people doing the high end missions where we need them to maintain their clandestine cover, where we don't want to be attributed and, or especially if we allow them to touch any aspects of cyber's infrastructure if we're going to be executing those missions. So I think it's both ends of the spectrum and everything in between, which would then affect the level of training that we would see necessary for those individuals.

A (29:02)

So you note in the report, too, that it's not just necessarily, you know, the people aspect of this is we head into 2026, AI is touching everything. And of course, AI is going to be leveraged by the best and brightest at Cyber Command. You know, in the report, it talks about, you know, cyber conflict is fought increasingly at machine speed. So I'm wondering how you look at how AI integration is fundamentally changing the human role in these types of operations.

B (29:33)

Yeah, Greg, as you point out, as we say in the paper, we are moving towards a machine versus a machine environment and world. And so the only question is, as our adversaries understand that and move that direction, are we going to be fighting machine versus human, or are we going to be fighting machine versus machine ourselves? Of course, with oversight by the human warfighter or the teams that we just got finished talking about. One of the ways that you really operationalize that is to bring AI into the mix. AI is going to give us several advantages and capabilities that we don't currently have, but one of them is speed. When you move into a machine versus machine environment, you have to be able to operate at machine speed or you get left behind and you're always in reaction mode. And if you're reacting and war fighting, you're losing. So if we want to be proactive, we have to be able to operate at the speed of relevance, which is machine speed. AI gives us the ability to do that. And of course, underpinning all of that is the use of AI to truly operationalize our ability to perform sections of all the missions, whether they're offense or defense, to sort through all the data and all the information that we're seeing, to look for those very unique behavioral changes as we move away from indications of compromise and get into very specific and hard to detect behavioral aspects of operations to know something that's going on to then help us develop what the response should be, help us take the defensive actions, and then help us go on offense. So, in short, we really have to fully operationalize in offense, defense, and information operations, the use of AI. We've taken good steps in terms of a lot of the administration functions inside the Department of War, but we haven't quite taken all the steps necessary to do what I just mentioned.

A (31:23)

Right. So the report also talks about, and you alluded to it, structural Agility, I believe, is the term in the report and using that to respond to unforeseen challenges. I'm wondering what aspects, in your opinion, what aspects of our current institutional architecture are most resistant to this agility?

B (31:44)

Well, unfortunately, you can start with simply how we go out and acquire new capabilities, whether it's tools and weapons or infrastructure, like I talked about before. I think any, especially any small business or even large business, large defense industrial based customer that works with the United States understands that those processes are quite bureaucratic and they're slow. And I don't say see really many aspects of those current processes being relevant to the speed with which we need to operate in the agility, since that's what you asked about, which, with which we need to be able to change direction or take different approaches. And so I think we're going to have to reimagine what it looks like to do those types of functions inside the Department of War.

A (32:31)

What would you also say about, from an operational standpoint, information sharing? Like I know information sharing, we've been talking about it, I feel like for a decade, but I feel like, especially when it comes to agility, moving beyond voluntary information sharing is definitely something, I mean it's talked about in the report, so I imagine you have opinions on it, but I feel like that's gotta be part of it. Right? Like the, the, the disconnect between what's going on on networks that the military can't oversee, but matching that with the responsibilities, what the military needs to do that, that can cause some problems for that structural agility.

B (33:08)

Yes, you're exactly right. So we, you know, we, we came, if you look back in history, we came from a time period where there was really the government's going to protect government networks, private sector, you need to protect private sector networks. Of course, the fatal flaw in that approach is and was we're all dependent upon so many things that cut across all those sectors of society. So then we moved into the hey, well, we need to be better partners and we need to share more information about what we're seeing in these environments. And it's largely voluntary, as you point out and as we talk about in the paper. And that was great, that was an important step forward. But if we're truly going to get to this level of digital dominance that we talk about and integrated resilience for very key aspects of society, we have to move into involuntary and hopefully it'll be voluntary, but it's not involuntary data sharing and persistent transparency into what's going on inside certain domains so that we can be proactive and not reactive. And I'm specifically talking about aspects of our critical infrastructure. And so everything from some of the laws that we currently have on the books to the approach that we see out of the Department of War or at the Department of Homeland Security and down to the state and local authorities, we have to change this or we're not going to be able to be again, proactive and not reactive.

A (34:29)

So there are just so many aspects to this that, you know, I feel like use another military metaphor, it's like trying to reverse a battleship in mid motion. And yet we are our attackers are moving at real time speed. And it's just, it's such a thorny problem that I think a lot of the things in this paper really get to and really show the efforts that are needed in order to get us to where we need to be when both defending against the adversary and moving upon the adversary when we need to. So General, really appreciate your time. Thanks for hopping aboard and walking us through this paper.

B (35:15)

Thanks Greg. Appreciate you having me.

A (35:17)

Thanks for listening to Safe Mode, a weekly podcast on cyber security and digital privacy, brought to you by cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co workers, your sizzos, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com thanks for listening. Check us out next week.