A
I'm Dan Kurtz-Phelan, and this is The Foreign Affairs Interview.
B
I actually believe that we can get our cyber defenses to where we have confidence that our most important networks cannot be disrupted by an adversary. And that's really the question we have to ask ourselves. Can we prevent the most critical military power pipeline networks from being disrupted during a crisis or conflict? And I believe that we can.
A
In 2024, the US government discovered that Chinese hackers had penetrated a huge swath of the American telecommunications system and remained there for years. That attack came to be known as Salt Typhoon. And from what we know, China has not just managed to steal the data and surveil the communications of hundreds of millions of Americans, it also embedded itself in the United States' most important infrastructure, giving Beijing a crucial advantage in a conflict. Anne Neuberger was, until recently, the top cybersecurity official on the National Security Council. She was in that position when Salt Typhoon was discovered. And to her, the attack is not just an isolated incident of cyber espionage. Rather, it is evidence of American weakness and Chinese dominance in a central arena of national security. Decades after the widespread adoption of the Internet opened a new realm of geopolitical contestation, she writes in the current issue of Foreign Affairs, the United States has fallen behind, failing to secure a vast digital home front. Neuberger warns that as artificial intelligence grows ever more sophisticated, the threat of a cyber attack that could paralyze the country in a time of crisis has never been higher. Anne, very glad to be having this conversation and to have your important and, frankly, fairly disquieting essay in our latest issue. It's called China Is Winning the Cyber War. That follows a couple of pieces you did for Foreign Affairs during and just after your time serving as the senior official on the National Security Council overseeing cyber and emerging technology issues that ran until early this year, and those four years in the White House followed many more years working on cyber and tech issues at the NSA, the National Security Agency, and the Defense Department. So you bring a ton of experience to these questions.
B
Thanks so much. It's great to be here with you, and it was really great to write about those issues and, frankly, work with the editors at Foreign Affairs on getting them there. These are complex, esoteric topics sometimes, and getting them out there in a way, hopefully, that's digestible and can be a drive for action.
A
I hope that's right. Let's go right to that recent piece because it opens with fairly astonishing, and I think astonishing really is the word for it. Chinese cyber attack on the United States that has unfolded over the last few years and is, in some sense, still unfolding. It's gotten plenty of coverage in recent months, and yet I don't think most people have fully registered just how dramatic and distressing that attack has been. So let's start very simply. What is Salt Typhoon, the name for that cyber attack, and what exactly happened?
B
You're exactly right. You know, many have said afterwards, we didn't quite understand what that was. So Salt Typhoon was China's compromise of a large number of telecommunications companies around the United States. Frankly, it's part of a campaign where China compromised telecoms around the world as well, with the goal of collecting the kind of information that rides on our telecom networks, corporate secrets, private communications, whether political leaders or individuals, and national security secrets, of course, because telecommunications networks really are the gold mine of data, and that's what China was targeting here.
A
And just to be a little bit more concrete about it, you know, you go into some of the details in the piece. I imagine in a classified setting, you'd be able to go into many more details. But you note that China did something, I'm quoting you here, that the United States, the tech powerhouse, could not adequately defend against. They gained and maintained access to major US telecommunications networks, copying conversations and building the ability to track the movements of U.S. intelligence officers and law enforcement agents across the country. And that, of course, goes well beyond just people who work in the intelligence community or in national security positions. It really means they can track movements and listen to conversations of probably most Americans. Is that a fair way of putting it?
B
Yes, it is a fair way of putting it. China essentially turned our telecommunications companies into an espionage vehicle, you know, into a global SIGINT system, a signals intelligence system. The Salt Typhoon attack was really a window into China's espionage campaigns around the world. And what was remarkable was, in some cases, they gained a foothold. It could have been as much as three years ago. The companies didn't detect it, they certainly didn't block it. And that enabled China to get deeper and deeper into the networks, hide their tracks, and frankly, get into some of the most valuable parts of the networks and turn them into a tool of signals intelligence, essentially able to collect, we're concerned, any conversation at will, make a copy of it, whether that's political leadership, whether that's potentially tracking individuals, because from cell towers, you can geographically track individuals in the United States. So China really turned our own telecommunications company into a vehicle of their intelligence.
A
Are we confident that we have a full picture of this, or is there a chance that they're still in some of those networks?
B
Because a number of those telecom companies did not have adequate detection capabilities, we really don't know in many cases when the Chinese campaign first got a foothold or how much they moved across the network.
A
One question that I think people have asked in reading about Salt Typhoon and reading the piece is whether this is any different when you look at this specific example of Chinese cyber activities, whether it's any different from the kind of espionage that's happening constantly at this point, what our NSA is doing to the Chinese and Russians and Iranians and many others as much as possible. The Snowden revelations more than 10 years ago at this point, I think, revealed just how aggressive and skilled the United States is in surveilling others, which suggests this all may just be kind of a part of great power dynamics and competition at this point. Is that too blasé or in some ways kind of not registering the extent of what the Chinese have done?
B
I think it is a bit too blasé because as a country, we want to protect our nation's secrets. We want to protect sensitive conversations from the eyes of a competitor or an adversary. So the fact that as a country, as a technological and innovation leader in the world, we, when I say that our overall system of companies and government could not detect, could not block, and that China was able to maintain this kind of presence and collect this vast scale, and potentially the scale and the particular information that was of interest is something we definitely should not be blasé about. We can be better, and that's what the piece talks about. What are the steps we can take to prevent this kind of Chinese intelligence success in the future?
A
So I want to get to a lot of the elements of prescription, some of the recommendations that you make in the piece, but still want to talk a bit about the larger campaign that Salt Typhoon is just the latest example of. You note in the piece that, I'm quoting you here, China is positioning itself to dominate the digital battle space. The United States has fallen behind, failing to secure a vast digital home front and the physical assets that depend on it. One really striking aspect of that campaign that you described in the piece is the way in which China has put in malware into American energy and water and pipeline and transportation systems, which suggests that China has something else in mind than just kind of traditional espionage. What is that campaign? What are the steps that China has taken, and why do you find that so concerning, especially in a crisis scenario?
B
Your listeners may have heard the term Volt Typhoon, particularly from the former Director of FBI Chris Wray, who talked about how Chinese malware had been found in various sectors in the US from pipelines to ports to water systems. The reason that's concerning is because we're a connected country. Our critical infrastructure is connected to the Internet. And when you think about, for example, the average port or water filtration system, those systems are reachable via the Internet. They can be turned on or off. And our concern is that China, as part of its overall strategic goals, really views cyber and space, for that matter, as a part of its broader competition with the United States. And as such, given that the US military, for example, relies on the power, pipelines and ports of the broader nation, that China could use its position and critical infrastructure to disrupt or disable those components, either to impede military mobilization or to put pressure or coerce a future U.S. leadership from staying out of a conflict or crisis. And there are unique aspects of cyberspace that make it a useful tool to achieve both of those goals.
A
And just to give this a degree of concreteness, the scenario you would worry about would be something like some kind of crisis in the Taiwan Strait and China suddenly threatening to disable American hospital systems or prevent American military bases from mobilizing in the way they might in that moment in order to deter American involvement. Or is it just kind of a sense of how to understand that risk?
B
Pretty close to that, right. Our nation's soldiers and service members deploy from our ports and airports. So you could see China causing issues in the port navigation system or in an air traffic control system in order to disable flights for a period of time that could be a critical period of time, delaying service members' ability to deploy in the event of a crisis or conflict. That's a great example. In parallel to that, because cyberspace is not like a traditional geographic space where there's homeland and battleground, it's all one connected set of systems. So one could see China potentially threatening to disable parts of critical infrastructure and leaving future US leadership having to balance and consider the impact on the homeland if the US gets involved in a particular crisis. So it's either buying time potentially, or as a tool of coercion or information warfare, as part of China achieving its strategic goals in the Indo-Pacific.
A
It was really striking that you note in the piece that Chinese military theorists refer to this as an important part of strategic deterrence.
B
Right.
A
That this is not a kind of marginal part of their national security strategy, but really central to it.
B
It is if one keeps us out of the fight, that could be a key goal of Chinese military planners.
A
I imagine there's some Sun Tzu quote that we could invoke here that would capture it, but we won't strain for that. Instead, I want to go back into some of the history of this. You've, of course, worked on these issues, I think, much longer than most people have who are in this space, and probably longer than most of us who are not kind of steeped in these issues day to day, have been paying close attention to it. And yet you assess that, you know, even after a decade and a half of pretty intensive focus on these risks and these vulnerabilities by the U.S. national security community and state more broadly, that our cyber defense is, quote, unready for battle, that we have not done a great job of addressing vulnerabilities. As you look back at our efforts to address this problem over the last couple of decades, why do we remain so vulnerable? Why are we still so unprepared for the threat?
B
It's a really important question. So I would say first, I've been fortunate to lead both offensive and defensive operations, and as a result, I've seen the continuum across them. Our strategy overall for deterrence in cyberspace needs to reflect both, because if we can't defend our most important critical networks that Americans rely on, that our military relies on, we are, and we can be hesitant to actually use our offensive capabilities because we're concerned about escalation and a potential uncontrolled tit for tat. So that leads me to the first point, to say that we have to look at cyberspace as a continuum across defense and offense. A lot of progress has been made over the last decade, but also, as we saw China's program increasingly move beyond espionage to also building cyber attack capabilities for potential cyber warfare, our model and the asymmetry between the United States as a democracy and China as an authoritarian country truly came to bear in that the United States doesn't monitor private sector networks, and the vast majority of our critical ports, pipelines, and water systems are owned by the private sector. That means that really, until the last administration, not only did the United States not monitor those communications, but there was pretty bipartisan Democratic and Republican resistance, even putting in place minimum cybersecurity requirements to ensure the companies that own those networks were taking the basic steps to defend those networks. And in contrast, China as an authoritarian country deploys a Great Firewall, a system of sensors and controls that, goal number one, censors the conversations, the discussions of its domestic population. But, goal number two, also monitors its networks for attacks, and in many cases, can block and prevent those attacks as well. So that asymmetry between our two systems has meant that China stays a step ahead in the battles in cyberspace.
A
And the key part of that is it's not so much that the United States is less capable of launching offensive cyber operations or these kinds of espionage operations. It's that we are so much more vulnerable at home because we can never hope to get our defenses to the point that China can. Is that the right way of capturing the dilemma?
B
I actually believe that we can get our cyber defenses to where we have confidence that our most important networks cannot be disrupted by an adversary. And that's really the question we have to ask ourselves. Can we prevent the most critical military power pipeline networks from being disrupted during a crisis or conflict? And I believe that we can. It's more challenging in our system because that responsibility is across government and the private sector. But we must.
A
Another area where we've spent a lot of time and a lot of focus in the past several years in the United States, but where you see us as still being quite behind Chinese efforts, is the attempt to develop global telecommunications infrastructure. This was about Huawei's dominance in developing 5G, which probably during Trump's first term became a major issue. But you see us as still not having made up much ground and being kind of set to lose the race not just for 5G, but in the future for 6G infrastructure. Why have we not made more progress there? And what will it take to really offset Chinese advantage in that regard?
B
You know, 5G is so interesting because it's a window into how China focuses on strategic technologies and plays to win. And in fact, it's particularly notable because the United States led in wireless technologies and was a leader all through the 90s. And in the early 2000s, China noted the importance of telecommunications. We talked about everything rides on telecom and started to take strategic steps. And really, the three components of China's policy are a focus. Government investment in areas of strategic technology that it views are a priority. Second, a closed domestic market that's massive, which enables Chinese companies to both refine their product, but also make vast amounts of money that are then used to subsidize and essentially sell below cost their products overseas. I think some would say that in the case of telecom, China also used extensive theft of American and European intellectual property to really drive the first products that Huawei and ZTE produced. But those three components are really a key part of how China built dominance in telecommunications and in other strategic technologies. Now, what's unique about telecom, which is so interesting is China also recognized that once they had subsidized a country's 3G or 4G infrastructure, the replacement cost, the cost of ripping and putting in a system from a non Chinese vendor was really significant. And that's what's become the major barrier. The Trump administration started focusing on this as a real strategic area during the first Trump administration and called on allies and educated allies to have them realize the significant national security risk of having a Chinese company subject to Chinese law that requires them to make data available at any time, deployed in their networks. However, what was missing was a viable economic approach to actually compete with that. 
During the Biden administration, continuing the Trump policy, we broke new ground in actually using EXIM and DFC to finance 5G deals, notably in Costa Rica.
A
That's the Export-Import Bank and the Development Finance Corporation, right?
B
Exactly. So for the first time we noted that you got to bring money to the fight. You had to compete economically. And even though the key vendors were no longer US, US vendors don't remain, we went to bat for Western vendors because we felt this was a battle between essentially democracies and China on the other side. So the United States' EXIM, the Export-Import Bank, provided $300 million in financing to Costa Rica. But the story didn't end there, Dan. And that's what's so interesting. Huawei sued the Costa Rican government in their court to try to block the deal. It took over a year, but eventually the Costa Rican government won. But what it showed was the degree to which Huawei and the Chinese government would be willing to go hand to hand combat to maintain their predominance. We did the same. You know, the President Biden invited the President of Costa Rica to the White House and talked about the importance of this topic. We provided the financing as well, but it just shows what needs to be scaled and where European allies frankly need to join us in order to counter China and telecommunications.
A
I'm sure you've spent plenty of time talking to foreign officials about why having Huawei technology, this less expensive Huawei technology and quite effective in terms of how it functions, as I understand it, Huawei technology in telecoms infrastructure, why was that so important? As you discussed this with foreign officials, how do you make the case to them that they should perhaps pay a bit more for Ericsson or Nokia technology given those risks?
B
Telecommunications networks are so complex, there's millions and millions of lines of code and there's legitimate reasons why the company providing the telecom equipment would maintain remote access to fix a problem, for example, or to help a system recover if it's down. So, as such, it is nearly impossible to secure a Huawei telecommunications system in a country that's of interest to China. And the point we would make was, you know, as you know, the UK for example, tried to pilot efforts where Huawei would deliver its code and GCHQ, the NSA equivalent in the UK, would assess its code first. They found that there were so many vulnerabilities in the Huawei code at the time, it was hard to determine what was intentional, what was just bad programming. But bottom line, they learned from that that the model couldn't work. It was very, very difficult, if not impossible actually, to actually secure Huawei telecommunication systems because of the legitimate rights that they would have for remote access. So that was the first part of our message. The second, particularly with our European allies in the European Union, was a call for partnership to say that we're going all in to ensure Western telecom equipment companies survive, and we're going all in to ensure China can't use standards bodies to maintain its predominance. We need your partnership. We can do this together.
A
But you say pretty clearly in the piece you wrote last spring for Foreign Affairs, that despite all this effort, and I'm quoting you here, we have not resolved the core issue, the absence of alternative technologies that can compete with China's on price. That has not changed.
B
I imagine that hasn't changed. Companies' willingness to really go all in to compete with Huawei, and frankly, government's willingness to ensure that those companies can compete has increased. But we need to scale that. We have the tools that we need to help finance and compete with Chinese subsidies, whether that's Export-Import Bank, whether that's the Development Finance Corporation. In fact, across Europe, those same tools exist. When President Biden visited Finland, for example, we signed an agreement between the US and Finnish financing agencies to partner together on deals, and I think, if I recall correctly, actually financed a major deal of Nokia's deployment in India together. So the bottom line is to say that what we need to connect are our strategic goals, compete with China in the most important technology areas with the tools we have, financing, alliances, intelligence sharing, to highlight where China uses Chinese companies to conduct its cyber warfare and espionage campaigns. We've made a lot of progress, and I think there is an opportunity around the discussions now of deepening economic ties to go further to ensure that we can compete effectively in 6G.
A
A couple elements of past efforts that you're fairly dismissive of in the piece that we're talking about. I mean, the first is diplomacy. You note that both President Obama and President Biden made cyber issues pretty central to US-China bilateral diplomacy. I think in an early Obama-Xi Jinping meeting, there was a kind of headline agreement on cyber and restraining cyber operations. What failed there? I mean, is there any role for diplomacy and potential value to diplomatic commitments and allaying some of these risks and addressing some of this competition?
B
So first, at the time that Obama engaged China, China's campaign, we believe still at the time, was largely focused on espionage. In fact, it was focused espionage, stealing corporate trade secrets, American corporate trade secrets, to benefit Chinese strategic industries. So the purpose of Obama's engagement with Xi was to put in place constraints and controls on that. And indeed they reached agreement to do so. China soon broke that agreement. And indeed, over the ensuing years, we also saw China's program expand from espionage, as I noted, to creating disruptive capabilities and positioning themselves in parts of critical infrastructure where there was limited intelligence value, like a water system. One question: what intelligence value does China seek with a presence on a water system? Which led us, combined with the evolution of Chinese doctrine, to understand that it was indeed pre-positioning more for disruption than for espionage.
A
And as you were watching this over your time, both at the White House and then previously at the NSA, what were the kinds of options that we had for addressing it? As we thought about the response, what was the development of our own thinking about either defense or offense when it came to our own cyber operations?
B
So our first focus was on intelligence sharing, improving the way the US government, the intelligence community, shared information with the companies, largely critical infrastructure owners and operators who were affected. And indeed, you know, the US intelligence community made significant progress in ensuring that when we had insights, we shared those with affected companies and also bringing together sectors to ensure that companies collaborated with each other. And as a result, over the last number of years, you've seen an increase in intelligence, really unclassified products coming out of the US and coming out of the US and its allies, pointing to China's actions and outlining the specific cybersecurity steps that the U.S. government and its peers and allies recommended. However, it wasn't until the last administration that the US government took a second step, which was to say, we're not just recommending companies take these steps, we're requiring them to do so. Because while some companies did indeed follow recommendations and put in place better cybersecurity, some did not. And as a result, in the last administration, the White House used emergency authorities to put in place requirements that water systems, pipelines, airports actually put in place basic cybersecurity steps. So that was one part of cybersecurity. The gap between China's system, monitoring networks directly to be positioned to block attacks, and the US remained. The United States also started building out its offensive cyber capabilities and considering how it could use offensive cyber in a crisis or conflict as well.
The link between defense and offense, the fact that the US, relatively more vulnerable in cyberspace, could hesitate to use offensive cyber capabilities because of the potential that an adversary's response could disable significant parts of critical infrastructure, was a hard part of policy and doctrine that we grappled with across multiple administrations, Republican and Democrat.
A
We'll be back after a short break.
A
And now back to my conversation with Anne Neuberger. Your former boss at the NSA, General Paul Nakasone, used to talk about persistent engagement. He in fact wrote a piece for Foreign Affairs in 2020 laying out some key elements of this doctrine. And one notable piece of it, at least as I read it from the outside, was the need to be much more aggressive in degrading adversary capabilities in cyber. Is the conclusion of that experience that we're less able to do than we might want because of the vulnerability?
B
On the defense side, persistent engagement plays an important role and in fact I co-led while at NSA some of the first joint NSA-Cyber Command offensive cyber operations that really brought together the intelligence community and the military community to engage persistently, to use the intelligence we had about adversaries' infrastructure, their tools, the actors, to try to take them offline, make it harder for them to operate. I think what we learned when it came to the Chinese, and I should say those efforts were successful and did indeed, you know, engage with and disable, take offline some adversary capabilities, expose, in some cases the individual actors, in some cases the companies that were part of China, and I would say also Russia and Iran's campaigns. But I think what it also showed us was that the vast scale of China's capabilities, the number of units, the scale of their units, the number of companies that China uses in conducting its operations, means persistent engagement, to be really effective, needs to be done at significant scale. And that was not the scale we were operating at. B, it also showed us that even if we try to throw sand in the gears of China's cyber operations, we still ran the risk, because of the vulnerabilities of our own systems, of that question I posed at the beginning, which is, do we have confidence that in a crisis or conflict, China couldn't disable or disrupt our military communications or critical parts of our infrastructure in order to delay military mobilization or put pressure on the homeland? And that is a key question that we need a more integrated approach across defense and offense, including persistent engagement, to be able to answer affirmatively.
A
Which means if we go and try to take out some Chinese cyber unit, that we are quite confident that they can't respond in a way that would be equally or more damaging.
B
Agreed. And that brings us to the key question, which is to say, if we are setting clear lines vis-à-vis China, if we are saying that an attack that disrupts critical infrastructure, we will identify, we will attribute, and we will respond, we need to have that visibility across our defensive and offensive capabilities.
A
That sounds a lot like deterrence, what we would traditionally call deterrence. I think there was a time, as I said, read the debate about cyber strategy, that there was a lot of talk of deterrence. And then people became more skeptical that the doctrine really applied in the cyberspace. You see an ability to kind of bring it back. Is that a kind of new development in thinking about deterrence in cyber?
B
You know, the writing on deterrence, a number of the principles, I believe, do carry over into cyberspace. They're very different. For example, attribution is far harder in cyberspace, and it can take a bit of time, which can delay a response. But building the capability to attribute (and in fact, you may have seen over the last number of years, the number of US and ally products have been released, attributing different activities to different actors: Russia, Iran, ransomware actors, China) has been to demonstrate that we have that capability and are continually strengthening to be able to attribute. Because the difficulty of attribution has made cyberspace more of a free-for-all than a traditional kinetic space. So that first, we will attribute; the second, that we are resilient, that if an attack occurs, we will, of course, aim to prevent it, but at the very least, we will recover very quickly; and that we will, and we maintain the capability and the will to, retaliate. Those three parts (I think in deterrence language, it's, for example, deterrence by denial, that we are resilient, that we can recover), I believe, do very much carry over from traditional deterrence theory, albeit with some changes and adaptations, because cyberspace is different from the traditional kinetic space.
A
Where are the other places where it diverges from the traditional view of deterrence?
B
The number of actors and the availability of capability. So in the beginning, people would often compare nuclear deterrence and cyber deterrence. The difference is that there are cyber attack capabilities freely available online. In fact, we see criminal actors have been disrupting numerous American hospitals in the last couple of years, many given haven in Russia, for example. So there's more capabilities and more actors in this space, which does indeed sometimes make attribution harder, and it makes enforcement far harder.
A
But the attribution question has become easier in recent years than we thought it was. I don't know, seven or eight years ago, when this seemed like a kind of insoluble problem.
B
It is. And AI plays a key role in that and in the future as well. AI's ability to make sense of vast amounts of data to, for example, trace the paths from an adversary's network through various covert infrastructure or compromised devices they may stand up to hide their tracks all the way through to the target. AI has been playing a key role in noting the patterns of that and tracing that back as well. AI helps both offense and defense. It is a major help on one of the key problems in defense, which is collapsing the space between red and blue, as we say in military terms, between attack and defense, and to enable us to draw those links and identify who the ultimate attacker is.
A
Which means, just to put a fine point on it, if we say that we think the Chinese government or the North Korean government, or for that matter, the Iranian government or Russian government is behind an attack, we now have more confidence than we might have a few years ago.
B
We now can identify it in many cases. Yes. And can do so faster and can have more confidence in our conclusions.
A
I want to draw you out more on this question of how AI can enhance defense in this space and address some of those vulnerabilities that have been exposed by that Chinese campaign. More broadly, the kind of fundamental asymmetry you focus on in the piece between an autocratic system and a democratic system, where the US Government, at least at this point, does not force companies to put in certain defenses or reveal certain information as aggressively as it might, and certainly as aggressively as the Chinese do. Your answer to that is not to change the American system, but to use AI to kind of creatively work around that. How does AI help us address that asymmetry?
B
Yes, I believe that AI can help us use our own system, our technological and innovation leadership. America is a leader in the world and within our system of democracy, where there is private sector ownership of critical infrastructure to still have visibility and be able to prevent attacks from being successful. One of the hardest questions we have in national cyber defense is the question of where should we spend our cybersecurity dollars, given the vast scale of America's critical infrastructure and given the degree of what the community calls technical debt, old systems. You know, I recall visiting a Louisiana water system with President Biden to view the rebuilding. And it was still, in many cases, a very old system. Some parts of it were manual and analog. In some ways, that's easier. The systems weren't yet connected to the Internet. But that kind of old systems that have been connected to the Internet, while not being secured are across US Industry. They're the reason, for example, we've seen so many hospital disruptions. So where does the private sector and government spend its scarce cybersecurity dollars to really buy down risk? And the challenge we have is that even though in the intelligence community we may often have insights about adversary attack capabilities or planning, there's a limited degree to which we can test those out against live systems. Nobody wants to risk running a Russia or Chinese war plan or cyber attack capabilities that we may uncover against the US Energy grid for risk of actually causing negative impact. So digital twins AI allows us to create virtual replicas in the corporate world. Those have been used for quite some time. You know, Rolls Royce creates a digital replica of its engines in order to test different safety scenarios. You have companies that take manufacturing processes and create digital replicas in order to figure out where do you optimize it without taking those manufacturing processes offline. 
We can do the same with our most critical infrastructure, creating, for example, a virtual replica of a part of our energy grid in order to model different cyber attack capabilities and frankly, model resilience responses to determine which investments we should make and how secure and resilient our grid actually is against real attack. So, to sum up, I would say today too much we have the US Government and intelligence community and cyber and other intelligence experts on one hand, passing information to private sector owners and operators, but they're not working together on the same system. They don't have a copy of an important critical infrastructure system to actually model attacks and resilience and ensure that we can make the right investments.
A
We're having this conversation at a time when the Trump administration is blowing through all kinds of long standing norms about the relationship between the state and the private sector and demanding investment and information and concessions from private companies that would have seemed, I think, fairly shocking not long ago, given perhaps some of these shifting norms. Without suggesting that that's the right approach, do you see more need for a kind of fundamental change in the balance between the private sector and the government? Whether it's, you know, requiring certain investments in cybersecurity that are now kind of a patchwork driven by the bottom line and by financial considerations, as you note, or demanding more information sharing or something else?
B
Absolutely. The risk has only grown. AI helps on offense significantly in terms of finding vulnerabilities and more rapidly building exploits. One of the benefits we've had in cybersecurity is that it's truly been a bipartisan field. You know, Republicans and Democrats come together to say, ensuring that the nation's secrets can be protected digitally, ensuring that people's communications can be protected has really been a bipartisan goal. And in fact, you know, as we've seen, whether it's here or whether it's in 5G policy policies have remained pretty much. President Trump put in place certain 5G policies to start countering Chinese dominance via Huawei. President Biden continued those. President Biden cyber executive orders. President Trump continues those. So I think that bipartisanship is our strength. In the last administration, President Biden overturned decades of bipartisan Democratic and Republican resistance to having minimum cybersecurity requirements. And President Biden put those in place for ports, for pipelines, for airports. I recall, you know, I would have a spreadsheet of every airport in the country, every pipeline in the country provided to me by the regulatory agency that rated them red, yellow or green. And the plan the agency had as a regulator to work with those companies to get them to yellow and to get them to green. And significant progress was made in the last four years. That's foundational. The second step now is, is to take that work, deepen the partnership between America's AI companies, the technological leaders, the companies that own and operate the grid, that own and operate. Other key important sectors are telecoms, going back to our earlier conversation, and government intelligence. Cyber experts bring them together to work together on digital replicas of that critical infrastructure to secure it to the level needed to use our AI expertise for national cyber defense.
A
As you look with the last few years of experience at the ways in which AI enhances offensive capabilities and enhances defense, how do you think it changes the offense defense balance in the space?
B
It's a great question. It changes the equation. If we use AI for cyber defense aggressively to find and close vulnerabilities, AI will help both. As I mentioned earlier, AI helps find vulnerabilities. The second step determines whether one's an attacker or defender. If one finds vulnerabilities in order to exploit them, get a foothold into a network either to collect intelligence or to stay there or hide your tracks for a later period in time to disrupt the operations potentially of that network, then one is an attacker. If one uses AI to find vulnerabilities to then close them, then one is a defender. And in fact, during the last administration, we launched an innovative program with DARPA, which is essentially DoD's R&D agency, to really challenge the AI companies to use AI to find and close vulnerabilities in open source code. And indeed the program was really successful in year one. They found nearly all of the pre-placed vulnerabilities and were also able to identify significant patches in the last year that went even further. So there's massive promise in this space on cyber defense.
A
So I understand the ways in which these AI tools help defenders. But it does seem that there are plenty of ways that offensive capabilities have surely gotten much better in the last few years in ways that should, I think, scare us a bit.
B
Yes, indeed. You know, the purpose of the piece was a call to action, because if we do not move fast, artificial intelligence will only accelerate China's advantages, will only accelerate the advantages for offense. And China's ability to use its great firewall to integrate it with AI to find and block attacks even more effectively. We truly believe the US possesses the technical capabilities, the innovation, and the work across government and private sector to reclaim the advantage in the digital battle space. And this is really a call to action, to say, we can't wait any longer. We need to act now.
A
Your time at the NSC and the National Security Council did not just involve working on cyber issues. It also involved emerging tech more broadly. Emerging tech has, I think, become one of the central arenas, if not the central arena of competition between the U.S. and China and more broadly at this point. So I think it's worth zooming out and looking at the state of that competition more generally, I think, starting with AI. You wrote a piece, I think, in the last week or so of your time in government earlier this year about the ways in which AI is changing intelligence more broadly, not just in the cyberspace. A lot of the focus here has been on the ways in which this has made surveillance much more powerful and ubiquitous. That makes human intelligence much harder. It's harder to be a covert operative when you're being surveilled all the time. And AI enabled facial recognition and gait analysis technologies and everything else enable governments to identify who you are. But as you look at the kind of transformation of intelligence more broadly, how do you see those effects sort of shaking out and what really strikes you about the way this changes the way intelligence works?
B
You know, that piece that I wrote in Foreign Affairs actually started as a classified piece a year before to outline for the intelligence community the promise and the significant peril and risk to intelligence operations from AI. And the reason that is, is that people design intelligence operations. And as such, there's a predictability and a pattern to them, whether they're signals intelligence operations, human intelligence operations, or imagery collection, you know, when satellites move over particular places. And AI's strength in amassing and making sense of vast amounts of information and seeing patterns in them, is a real risk to our intelligence operations. So red teaming with AI, our own operations, is needed to ensure we find those patterns and predictability and fix them first so that it doesn't lead to uncovering operations. On the flip side, AI's abilities similarly can help us deliver faster, better, and more focused intelligence for policymakers and for the nation's security. And there are a number of exciting pilots happening across the intelligence community and changes to incorporate AI into operations.
A
As you look forward three or four or five years, do you think human intelligence, by which we mean the kind of traditional thing we think of as spying with operatives, kind of going to other countries and trying to get information from government officials, trying to steal secrets, do you think that will become all but impossible just given the power of those surveillance technologies?
B
I think I'll need to dramatically change. You know, the rise of deep fakes. You may have seen, for example, a company called ElevenLabs can now take voice and change it. Multiple languages, different genders, different personas easily. So that will make human operations different. So the challenge really for us is to reimagine how we do intelligence in the age of AI. One good example, actually, two good examples, I would say today the intelligence community is very much organized as a collect and collect by different domains, images, signals, human interactions, process, analyze and report. That process has different controls built in to ensure that it's accurate. To ensure, for example, there's multiple sources for particularly sensitive insights. But it is a process with very distinct steps. When you think about where we are today, if one can deploy an AI model into when we're doing satellite collection to identify at that point, you know, based on the shape, based on the behaviors, for example, of ships in the Indo-Pacific or of different platforms in the Indo-Pacific, a threat or an opportunity. We need to ask ourselves, what's the fastest, most effective way to get those insights to the consumer? And perhaps the traditional set of steps and sets of integrity validation need to change. They need to be updated while still feeling confident that the outcome of that is correct. AI is making everything move more quickly. Collapse of decision cycles in the kinetic space in cyberspace. So I think going back to the drawing board to say with the power of AI to make sense of massive amounts of information, to add precision at the point of collection, to translate at scale, how do we ensure that our intelligence community makes the most of that, to protect the nation and inform policymakers rapidly on a broad scale of topics?
A
You noted that a lot of these efforts have seen bipartisan support, have been bipartisan efforts over the last several years. I think to some degree that has changed, at least in certain ways in the last several months since Trump has come back into office. You've seen lots of firings within the intelligence community, including the head of NSA, for reasons that I think are still not entirely clear, what the substance was, other than the fact that Laura Loomer, the right wing activist, had focused on him. And he may have once worked with General Mark Milley, the former chair of the Joint Chiefs, whom Trump hates. And your old boss, Paul Nakasone, is not someone especially popular in Trump circles because of work he did on kind of election integrity. Does that kind of politicization worry you? You've seen pretty stark warnings from senior former intelligence leaders, including Mike Hayden, who was the head of NSA and CIA under George W. Bush. So not a partisan. Exactly. Warning that this could lead to just a degradation in American intelligence capabilities and the risk of a real intelligence failure that we could see in the coming years. How do you, how do you assess those risks?
B
You know, I served in the intelligence community for almost 15 years, coming in at mid level and then rising to be deputy head of our global intelligence operations and standing up our cybersecurity mission. And perhaps in many ways, most importantly for your question, Dan, serving as NSA's first chief risk officer, rebuilding internal controls and operations following the Snowden media leaks of 2013. And from that time inside the halls, I grew to deeply, deeply respect the intelligence community. Intelligence professionals who often work very long hours in unglamorous spaces where their successes are secret and their failures are publicly known. And there very much is a culture of non partisanship. People keep politics out of the workplace because the nation's security is not political. And we feel a commitment in the intelligence community when we take an oath to the Constitution and when that oath is renewed, that that's who we're protecting, America and the American dream. And I would say in fact that one of the most moving ceremonies that I've ever observed is within NSA. They're both military and civilian professionals. About 40% of NSA, I believe, is military. When you walk in to at least the, the old building I worked in for many years, as you walk in, there is a black granite wall and it's engraved with names, some of which still say anonymous. And at the top of the wall it would say they served in silence. And during my time at the agency, a number of names were added to that wall, engraved by hand. And when family members of the individual who fell came, professionals, military and civilian, would line up on the whole so that the family would see the respect everybody had for the individual who had fell in the line of duty. That's who the intelligence community is. And I think full stop. I also recall my own experience serving as Chief Risk Officer Post Snowden. It was a deeply disconcerting time.
And I think what I found so disconcerting was that inside NSA people genuinely felt we're here to protect America. Of course we live by American values and laws. Outside NSA, when I would be talking with broader American public or with American companies, that was severely questioned. And I think the gap really was within the walls of the intelligence community because in a democracy, it's on the intelligence community to, while keeping its operations in the shadow, talk enough about its goals, its values, its people, so that the average American trusts what's going on inside those walls. And I think when we look at our current time, clearly that trust, it doesn't exist across some swaths of America. So some deep reckoning and reflecting on how to rebuild that to ensure our military and the intelligence community particularly continues to play that role in America, is very, very much needed.
A
I mean, I'm struck, though, that you have senior intelligence community officials being removed from their positions because they've given answers to questions that parts of the Trump administration don't like. Surely that has some effect on the quality of analysis that gets to policymakers. It's just hard to imagine that doesn't have some detrimental effect.
B
It is deeply concerning. It's deeply concerning. You know, the intelligence community's policies and processes are meant to ensure that doesn't impact analysis. And I no longer am in the intelligence community, so anything I would say would be a hypothetical. But I would hope and trust that the culture of the community, the sense of its past and its future, would continue to ensure intelligence professionals are doing their work to ensure that what policymakers need to know, they know, and it's unaffected by the processes around them. That's obviously very, very difficult, though. But it's something that I would hope when people reflect on their oath to the Constitution, they reflect that that's who they're doing their work for.
A
I think the other interesting difference between the Trump and Biden administrations on this issue has to do with kind of theory of emerging tech more broadly. I think some of this you can chalk up to idiosyncratic factors and probably some private sector influence and corruption. But there is, I think, also a different underlying theory when it comes to how the US should win AI competition, what AI competition means. You had the Biden administration much more focus on export controls and keeping some of our technology out of Chinese hands, especially the AI diffusion rules. That was fairly restrictive about what kinds of AI tools could be shared with others around the world. I think the Trump view is, you know, we should let American companies make as much money as possible, and that's the best way of staying ahead. How do you understand those differences and how do you assess the kind of state of that competition at this point? As you look at the changes in U.S. policy,
B
export controls, and ensuring that America's edge in chips are not available to, to our adversaries to promote their military and intelligence capabilities? Because AI power is so transformative is a fundamental part of that competition, but it's only a part. The real way you win a competition is by running faster, not by holding a competitor down. So I think, as important as export controls are, what's as important is America's adoption of AI in our economy, in the transformative fields like drug discovery, and in our national security. And all the ways we talked about producing more, faster and better intelligence by adopting AI and streamlining processes to fully take advantage of AI, incorporating AI in our military operations, for example, so that we can detect adversary platforms that may have been covert until now. That's the way that we will truly win across our economy and across our national security, while still doing our best to ensure that our most capable technologies don't fall into the hands of our adversaries. Of course that's important, but we need both components for success.
A
Where, as you look at our attempts to run faster, do you think we're doing well? And where do you think we're not doing enough?
B
We have a lot of exciting pilots. I think what's important is that we scale those and scale those to transform our operations. So, for example, one could see where in the intelligence community there are tens of thousands of intelligence reports that were produced over the last 10 years on various topics. Imagine training a set of specific models across those intelligence reports to enable policymakers and analysts to engage, as we do with ChatGPT, to ensure that we're gaining the benefit of all of that insight and using it rapidly and effectively. Those are places where we can move faster to ensure that we're using the promise of AI both for our economy and our national security.
A
To a degree that I think would have surprised both of us a year ago, the Trump administration has taken aim at some of the pillars of the American innovation ecosystem. As we talk about it, some of the drivers of American success in emerging tech, whether you look at attacks on universities or really making it much harder for both researchers in academic context and at companies to bring in foreign talent and work with foreign talent. Big cuts to research budgets at NASA and other parts of the US Government, obviously all the tumult at the FDA and the CDC and other parts of our kind of health infrastructure. What of those changes worries you? If they're sustained, what would really kind of undermine the ability of the United States to stay ahead in some of these emerging tech races, as you put it?
B
America's a technology and innovation leader globally. That's, of course, due to our dynamic and entrepreneurial private sector. It's also due to government funding of R and D, particularly R and D. That's foundational science and isn't necessarily applied to existing problems. That certainly is a source of our innovation and something that we know that we need to continue. And I think now is really the opportunity to consider what are the fields of R and D that are most changing and where is it most important for programs to focus, particularly given that in the area of AI, so many of the advancements are coming from the private sector. So in many ways government focus in those areas need to complement the advancements that are happening in the private sector today.
A
Anne, that is a good note to end on. Thank you so much for doing this today and thanks for the series of great pieces you've written for Foreign Affairs in the past several months. We will look forward to more in the months ahead.
B
Thank you so much for having me, Dan. And thank you for the role Foreign Affairs serves in talking about difficult issues and a way that people around the world can learn, reflect on and act. So truly appreciate the time with you today.
A
Thank you for listening. You can find the articles that we discussed on today's show at foreignaffairs.com. The Foreign Affairs Interview is produced by Kanish Tharoor, Molly McEnany, Ben Metzner, Caroline Wilcox and Ashley Wood with on audio help from Todd Yeager. Our theme music was written and performed by Robin Hilton. Special thanks as well to Arina Hogan. Make sure you subscribe to the show wherever you listen to podcasts and if you like what you've heard, please take a minute to rate and review it. We release a new show every Thursday. Thanks again for tuning.
Episode: Is America Ready for the Age of Cyber Warfare?
Date: September 18, 2025
Host: Daniel Kurtz-Phelan
Guest: Anne Neuberger, Former Deputy National Security Advisor for Cyber and Emerging Technology
In this episode, Daniel Kurtz-Phelan speaks with Anne Neuberger, former top cybersecurity official at the White House, about the rising threat of cyber warfare, focusing on the U.S.–China competition. The discussion centers on recent Chinese cyber intrusions, especially the Salt Typhoon attack, the vulnerabilities in U.S. critical infrastructure, and the future of cyber defense strategies—particularly the roles of artificial intelligence, public-private partnerships, deterrence, and emerging technology. The conversation also examines the geopolitical ramifications and the evolving state of bipartisan support for technological and security policy in the U.S.
[26:25] Persistent engagement (actively degrading adversary cyber capabilities) has helped—but China’s scale means these operations need to be much larger.
U.S. doctrine remains constrained by “home field vulnerabilities”—the fear that offensive action might provoke unmanageable counter-attacks on critical services.
“We need a more integrated approach across defense and offense, including persistent engagement, to be able to answer affirmatively [that our networks can withstand attacks].”
— Anne Neuberger [28:49]
Deterrence applies in cyber, but with differences:
[31:39] AI now assists both offense and defense:
AI also offers a way for U.S. to play to its strengths (innovation, tech leadership) while preserving the public–private model and democratic values, instead of mimicking China’s centralized approach [33:33].
Biden: More restraint, export controls—keeping AI/chip technologies away from adversaries.
Trump: Let American firms lead globally and profit, with minimal restriction.
Neuberger: Running faster—out-innovating—is ultimately “how you win,” not just holding back competitors.
Worries about cuts to research funding, limits on foreign talent, and undermining the innovation ecosystem.
On U.S. Vulnerability:
“We can be better, and that’s what the piece talks about. What are the steps we can take to prevent this kind of Chinese intelligence success in the future?”
— Anne Neuberger [06:10]
On the Stakes of Infrastructure Intrusions:
“You could see China causing issues in the port navigation system or in an air traffic control system in order to disable flights…delaying service members’ ability to deploy in the event of a crisis or conflict.”
— Anne Neuberger [09:11]
On U.S. Cyber Defenses:
“I actually believe that we can get our cyber defenses to where we have confidence that our most important networks cannot be disrupted by an adversary.”
— Anne Neuberger [13:31]
On AI as a Game-Changer:
“We truly believe the US possesses the technical capabilities, the innovation, and the work across government and private sector to reclaim the advantage in the digital battle space. And this is really a call to action, to say, we can’t wait any longer. We need to act now.”
— Anne Neuberger [40:29]
On Politicization of Intelligence:
“...there very much is a culture of non partisanship. People keep politics out of the workplace because the nation's security is not political... I would hope...that the culture of the community, the sense of its past and its future, would continue...”
— Anne Neuberger [46:44–50:47]
| Timestamp | Topic | Speaker |
|-----------|-------|---------|
| 02:33 | What is Salt Typhoon? | Neuberger |
| 09:11 | Infrastructure disruption scenario | Neuberger |
| 13:31 | Can U.S. build cyber resilience? | Neuberger |
| 19:32 | Why we can’t outcompete Huawei (yet) | Neuberger |
| 22:46 | From voluntary guidance to federal mandates | Neuberger |
| 26:25 | Persistent engagement and its limits | Neuberger |
| 31:47 | How AI changes attribution and defense | Neuberger |
| 33:33 | AI as a solution to the democracy-autocracy asymmetry | Neuberger |
| 43:42 | Future of intelligence in the age of AI | Neuberger |
| 46:44 | Politicization in the intelligence community | Neuberger |
| 51:37 | Competing models: export controls vs innovation | Neuberger |
The conversation is urgent, sobering, and focused on clear-eyed analysis of U.S. vulnerabilities and policy failures, but also pragmatic and frequently optimistic about the potential to address these challenges through innovation, partnership, and bipartisan cooperation.
Daniel Kurtz-Phelan and Anne Neuberger’s discussion provides a comprehensive and candid look at America’s readiness for cyber warfare in an era of escalating U.S.–China technological rivalry. While the threats from Chinese cyber operations are daunting—highlighted by the undetected, invasive scale of the Salt Typhoon campaign—Neuberger points to actionable solutions rooted in American strengths: innovation, partnership, and the intelligent application of AI. The episode closes with a call for urgency, unity, and renewed public-private cooperation to secure America’s digital landscape.