Lawfare Daily: Grading the Trump Administration's Cybersecurity Efforts, with Rear Admiral (Ret.) Mark Montgomery - The Lawfare Podcast

Summary6 min read

Podcast Summary

Podcast: The Lawfare Podcast
Episode: Lawfare Daily: Grading the Trump Administration’s Cybersecurity Efforts, with Rear Admiral (Ret.) Mark Montgomery
Date: December 1, 2025
Host: Jonathan Sederbaum, Lawfare’s Book Review Editor
Guest: Rear Admiral (Ret.) Mark Montgomery, Senior Director, Center on Cyber and Technology Innovation, Foundation for the Defense of Democracies

Main Theme

The episode centers on evaluating the Trump administration’s early cybersecurity policy moves, as reflected in the fifth Annual Implementation Report of the Cyberspace Solarium Commission 2.0. Rear Admiral (Ret.) Mark Montgomery, a key member of the original and follow-up commissions, breaks down where U.S. efforts are stalling, what's improved, and what critical issues are emerging for U.S. cybersecurity strategy and policy. The conversation critically assesses the strengths and weaknesses in current federal cyber defense, workforce, funding, regulatory posture, and the future challenges posed by adversaries and technology.

Key Discussion Points & Insights

1. The Solarium Commission: Origins and Purpose

Established in 2018 to devise a strategy for protecting U.S. critical infrastructure in cyberspace ([03:03]).
Found "the government wasn’t properly organized," private sector control over critical infrastructure was a unique challenge, and public-private collaboration was lacking ([03:55]).
Led to dozens of recommendations for legislative and executive action.

2. Layered Cyber Deterrence

The necessity of a multifaceted approach involving all elements of national power—legal, defensive, and offensive measures—to deter adversaries ([06:16]).
- “Deterrence by entanglement”—law enforcement and sanctions
- “Deterrence by denial”—robust defense
- “Deterrence by cost/imposition”—the willingness and capability to retaliate
U.S. is still not deterring adversaries effectively in cyberspace ([06:46]).
- "We are not equipped to deter the adversary in cyberspace... we are not preventing them from taking the actions they want to take." —Montgomery ([06:45])

3. 2025 Annual Implementation Report: Troubling Trends

Main Finding: “Our nation’s ability to protect itself and its allies from cyber threats is stalling and in some cases even slipping.” ([09:08])
- Prior annual reports saw improvement, but current findings reflect backsliding.
- Delays in confirming key officials and turbulence after administration changes have lasted longer than the typical 3–5 months, now stretching over eight months ([09:18]).
Staffing and Budget Cuts ([10:57]):
- CISA: Loss of one-third of the workforce, including probationary (future leaders) and senior talent:
  - "No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
- NIST: Mounting responsibilities without matching funding; subjected to further cuts under the Trump 47 administration ([14:02]).

4. More Concerns: State Department Reorganization

Mishandling of the Bureau for Cyberspace and Digital Diplomacy, violating the Cyber Diplomacy Act ([16:51], [17:01]):
- "They reorganized it in violation of the law... it's... kind of insulting that you reorganize something without reading the law. We are a nation of laws." —Montgomery ([18:10])
Lack of leadership and clarity harming U.S. policy, engagement, and international standard-setting ([19:10]).

5. Positive Steps by the Administration

Recognition that some sectors (e.g., water utilities) require a state and local/regional approach, supporting grant programs and capacity-building ([28:00]).
NSC Cybersecurity Directorate shifting focus to offense and global partnerships; National Cyber Director designated as lead for national cyber defense ([31:10]).
- “They have drawn a line in the right direction… there’s hope, there’s potential… Next year they’ll be good grades.” —Montgomery ([31:56])

6. Looking Forward: Major Challenges and Priorities

Understanding Chinese “Operational Preparation of the Battlefield”:
- China's "Volt Typhoon" campaign: prepositioning for possible future disruption or destruction of U.S. infrastructure ([33:22]).
- Public and policymakers must grasp the gravity of this threat.
- “This operational preparation of the battlefield has gone unremarked.” ([35:29])
Improving Recovery Capabilities:
- With attacks inevitable, rapid recovery is crucial, especially for small and medium enterprises ([35:58]).
- “The real value is speed of recovery. How fast can you be up and running again?” ([36:15])
Cyber Workforce Modernization:
- U.S. cyber operating forces have only grown ~3% since 2012; China’s numbers possibly increased by ~1000% ([37:41]).
- Need for new recruitment, training, and retention models focused on cyber skills ([37:55]).

7. AI and the Future of Cybersecurity

Offense vs Defense: Both sides will benefit from AI, but U.S. investment lags ([39:23]).
- “The conviction rate on cyber crimes is... in the 1 or 2%, if that.”
AI-powered Influence Operations: Enhanced risks of disinformation and manipulation, especially as AI enables highly convincing forgeries ([40:18]).
- “AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])
Concern: Trump administration is dismantling disinformation-fighting initiatives across agencies ([41:36]).
- “That worries me the most. So I guess that's a bad, pessimistic line to end on, Jonathan, but that's where I sit.” —Montgomery ([42:22])

Notable Quotes & Memorable Moments

On organizational missteps:

"This was an absolute own goal." —Montgomery, on State Department's mishandling of cyber diplomacy office ([21:09])
On staffing cuts:

"No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
On differences between sectors:

“I would tell you there’s three sectors that I don’t lose sleep over at night. Financial services, energy, and the defense industrial base... water being one of them [of concern].” —Montgomery ([30:25])
On public indifference to major threats:

“People like me are still spun up about it. 99.9% of America came out of warble a day later, right. And they're fine with it.” —Montgomery, on Volt Typhoon’s ongoing risk ([34:28])
On the need for new cyber force structure:

“The people I need to be a Ranger don't look like the people I need to be cyber. There can be one or two that look the same, but the vast majority I'm okay with. Overweight face, tattoo, a little bit extra weed usage, that's okay, but the Rangers are not.” —Montgomery ([37:55])
On AI-driven influence:

“AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])

Timestamps for Key Segments

[03:03] — Solarium Commission origins and findings
[06:16] — Definition and need for layered cyber deterrence
[09:08] — Top-line findings of 2025 report: "slippage"
[10:57] — CISA and NIST in crisis: budget/staffing cuts
[16:51] — State Department's cyber diplomacy mismanagement
[28:00] — Positive steps: support for state/local cyber capacity, right direction in NSC/NCD roles
[33:22] — Top forward-looking risks: China’s “preparation of the battlefield,” need for resilience, workforce overhaul
[39:23] — AI’s promise and peril: defense/offense balance, influence operations concerns
[42:22] — Closing thoughts and concerns about U.S. cyber posture

Tone and Flow

Rear Admiral (Ret.) Montgomery maintains a frank, occasionally critical but ultimately constructive tone, mixing policy insights, strategic assessments, and a touch of wit. Host Jonathan Sederbaum moderates a mostly technical but accessible discussion, weaving in policy, law, and technical capability questions, and consistently pressing for actionable recommendations and forward-looking views.

Conclusion

This conversation offers a candid, expert-driven review of the Trump administration’s early record on federal cybersecurity efforts. It identifies clear warning signs—especially in workforce and funding slippages—and shines light on both the importance and the fragility of forward momentum in U.S. cyber policy. The discussion bridges criticism with practical ideas for improvement and a sober assessment of adversary and technology trends, making this episode essential listening for anyone interested in national security, policy, and cyber threats.

Loading summary

Transcript39 lines

[00:01]
Host/Announcer
Nearly every News alert in 2025 has raised questions, some old, some new, about the law and national security. And now you get the chance to ask Lawfare directly. It's time for our annual Ask Us Anything Mailbag podcast, an opportunity for you to ask Lawfare this year's most burning questions. You can submit your question by leaving a voicemail at 202-6438-8474, or by sending a recording of yourself asking your question to Ask Us anything lawfair@gmail.com by December 16th.
[00:39]
Paige Desorbo
So good, so good, so good.
[00:41]
Host/Announcer
Just in thousands of winter arrivals at your Nordstrom rack store, save up to 70% on coats, slippers and cashmere from Kate Spade New York, Vince Ugg, Levi's, and more.
[00:54]
Retired Rear Admiral Mark Montgomery
Check out these boots. They've got the best gifts.
[00:57]
Host/Announcer
My holiday shopping hack join the Nordiclobe. Get an extra 5% off every rack purchase with your Nordstrom credit card. Plus buy it online and pick it up in store the same day for free. Big gifts, big perks. That's why you rack who drives the world forward? The one with the answers or the one asking the right questions? At Aramco, we start every day by asking how how can innovation help deliver reliable energy world? How can technology help develop new materials to reshape cities? How can collaboration help us overcome the biggest challenges? To get to the answer, we first need to ask the right question. Search Aramco Powered by How Aramco is an energy and chemicals company with oil and gas production as its primary business.
[01:46]
Retired Rear Admiral Mark Montgomery
Particularly in the workforce, or needs a workforce to execute it. That's where you saw the degradation, the slippage, where we where we changed our assessment of where the government stood.
[01:57]
Jonathan Sederbaum
It's the Lawfare Podcast. I'm Jonathan Sederbaum, Lawfare's book review editor, with retired Rear Admiral Mark Montgomery, who is senior director of the center on Cyber and Technology Innovation at the foundation for Defense of Democracies.
[02:15]
Retired Rear Admiral Mark Montgomery
From my point of view, these things are small but important, and they add up to a very important element of US Foreign policy that is kind of in tatters right now. No one nominated to lead anything. People leaving left and right because there's no you don't know what the final organization is going to be like. You know this. This was an absolute own goal.
[02:37]
Jonathan Sederbaum
Today we're Talking about the 2025 Annual Report on Implementation produced by the Cyberspace Solarium Commission 2.0. Before we get into your recent Annual Implementation Report, I wondered if you could just remind our listeners about the work of The Solarium Commission in its original form and some of its overarching or key conclusions.
[03:04]
Retired Rear Admiral Mark Montgomery
Yeah, thanks. So the Solarium Commission was set up in 2018 in the National Defense Authorization act. That then allowed us to start the commission in March of 2019. There was going to be a three year commission, about $4 million. I'll say right up front, we finished on time and under budget. You don't hear that every day in the government, but mostly because we had Senator Angus King as our chairman and Representative Mike Gallagher as our chairman from the House. He had one Democrat or one Independent with the Democrats, one Republican. We also had a really important member named Jim Langevin from the House who if you study cyber and legislation at all, you know that over the last 25 years, he's responsible for probably 50% of the legislation that's gotten done. He's now retired. He was from Rhode island as a Democrat. Anyway, so with that group and with legislators, US government members like Deputy Secretary of Defense, Deputy Secretary, Homeland Security, Director of FBI. By the way, potentially not a completely legal commission. We could talk about that some other time. And then some private sector personnel as well, former government, private sector, including the CEO of Southern Company, Tom Fanning. So good mix. We went out there, we spent one sharp year studying the, the problem. And the problem was, as Senator McCain kind of articulated when he signed off on the, on the commission, was we need to come up with a strategy to ensure that America's critical infrastructure stays secure in cyberspace, with the implication being that it wasn't at that time. And Senator McCain was correct. Whether you're looking at criminal actors or nation state actors, we were not secure in 2018. I would say we're not secure today. But his idea was, hey, go, come with a strategic approach so we can at least start getting the government aligned. And he had a suspicion that the government didn't have a proper quarterback. A few other that, you know, to use his terminology, we weren't properly organized to lead and win. And you know, over one year we studied this issue, came up with some significant findings that they'll basically, you know, number one was the government wasn't properly organized. Number two was the private sector was responsible for a whole lot of secure, you know, the cyberspace. This is different than say undersea warfare where Russian submarines, the problem of Russian submarines was not a problem for Southern Company, you know, a power company. It was a problem for the US Navy, it was a problem for the government. And so it was fundamentally different than in cyberspace was a different mission Area where the. The battle space, so to speak, was 85% owned and operated by the private sector or state and local governments, not the Department of Defense. And then third, probably that we had not developed the public private collaboration to work through that problem of a tough threat problem not owned by the government, owned by the private sector that wasn't investing enough, and then a government that wasn't helping enough. So that's the point. That was kind of our conclusions from which we drove a whole lot of legislative and executive branch recommendations.
[05:58]
Jonathan Sederbaum
Excellent. Thank you for that overview. I remember that one of the central themes of the commission's report was that we needed in the United States a strategy of, quote, layered cyber deterrence. What did that notion mean, layered cyber deterrence that we had been missing?
[06:17]
Retired Rear Admiral Mark Montgomery
That's a great. It's a good terminology. And we had two really smart cyber strategists, Dr. Erica Lonergan, who's at Columbia now, but at the time was at West Point and was seconded over to the commission of work. And a second was, we hired Dr. Ben Jensen, who is the lead professor at Marine Corps University on cyber and cognitive warfare kind of issues, and in addition, a colonel in the US Army Irregular Warfare program. So, you know, we had two very strong thinkers. They've both written extensively, published extensively on the issue. And. And we collectively came up with the idea of layered cyber deterrence. I have to say, Senator King, he wouldn't like me calling him this, but he's kind of like a broken record in the sense that he's like, we are not deterring in cyberspace. In fact, if you go to a hearing today, five years later, he would invariably say, as I've said for the last five years since I was on the Slayer commission, we are not equipped to deter the adversary in cyberspace. We are not preventing them from taking the actions they want to take, but beneath a certain level of warfare. So the idea of later decided returns was that you actually had. And Joe Nye wrote on this. Joe Nye, a pretty famous soft power strategist at Harvard and in the Department of Defense, who coined the term soft power recently passed away. But he wrote some op EDS on cyber, in fact, that were very consistent with our definition of layered cyber deterrence. And what it really means is that if you're going to deter someone in cyberspace, you have to use all the elements of national power, and you have to engage them in all the different types of deterrence. So deterrence by entanglement, that's where you try to use law enforcement sanctions Legal regimes, international negotiations, deterrence by denial, which is kind of the one we most think about, which is I'll defend myself to such a degree it's not, it's not, it's too expensive or not, you know, not effective for you to strike me. Or the third one, deterrence by cost and position. Sometimes it's called punishment, but in either case it's the idea that I'm going to punch you back in the nose so hard that you determine this is not a, a habit you want to continue and so or an attribute you want to continue. So layered cyberturn says you have to work across all three of these and in order to build the public private collaboration that's necessary to deter an adversary in cyberspace.
[08:46]
Jonathan Sederbaum
Very good. So with that background on the Commission's initial work, let's turn to your most recent implementation report released just a few weeks ago, which I gather was the fifth in a series of these annual reports. For this most recent one, what would you identify as your most important issue? Know two or three findings?
[09:08]
Retired Rear Admiral Mark Montgomery
Well, I think the first and foremost finding is that, and I just read it to make sure I get exactly right. We said right up front our nation's ability to protect itself and its allies from cyber threats is stalling and in some cases even slipping. That's a tough thing to say because for the last four years we've been saying things are getting better. Now I will say, I would always caveat that in an administration change, particularly when you change parties, there's always a three to five month perturbation in policy development. It's unavoidable. I get it. Cabinet member like the SecDef or Secretary of State, they're confirmed in the first week of administration, but there's a lot of ligature, there's a lot of assistant secretaries and undersecretaries and such that don't get, and deputy secretaries that don't get confirmed for months or even a year. And this is party agnostic. No matter who's the presidency, who's got the Senate, there's delays and sometimes the, the underlings to that, the deputy assistant secretaries in the GS15, the Schedule C, which is political point D, GS15s underneath that are sometimes delayed while we, quote, wait for the guy to make his or the man or woman to make their choice. You know, frustrating. So I understand there's three or four months, but we're writing this eight months into it. They're publishing it in, you know, in late September, you know, writing it basically in August, you know, the Final parts of it, and our final assessments are around. I think our cutoff time was August 31st. I'll just say this was beyond the normal three or four months perturbation. There was slippage and there was obvious reasons for the slippage.
[10:47]
Jonathan Sederbaum
Let's take those up a little bit, one by one. So what are some of the important respects in which you and your colleagues concluded that there has been this stalling and slippage?
[10:58]
Retired Rear Admiral Mark Montgomery
You know, I think the first one was cyber workforce. I mean, I'll take one agency, the Cybersecurity Infrastructure Security Agency, our civilian cyber defense agency, developed, you know, before the commission, you know, put into law in like 26:17, at the beginning of the first Trump administration. And Chris Krebs was the first director, and then Jen Easterly was the director for four years of the Biden administration. But heavily supported by our report. You know, our report gave 10 different areas to support it with authorities changes and appropriations changes. And eight of those 10 were done. I mean, we did significant assistance, created organizations within it, put lots of it in law. That just wasn't in law before. It was just in practice. And that's always dangerous to not be in law. And then the appropriations were then raised between 2019 and 2024 from 1.3 billion to almost 3 billion. And by the way, John Catko, a Republican from New York, was on record as saying it's probably a $5 billion organization when done right, and that's in 2022, you know, numbers. So it still hadn't fully grown into itself. And this administration came right in and cut that. And so to me, manpower was one of the most important issues. And then the authorities to operate and exchange information. I this was not on my bingo card of stuff they might accidentally remove. I, I'm still of the opinion it was an accident. And most administrations have trouble admitting a mistake. I get it. This administration, you know, has a PhD in that, you know, characteristic. And so as a result, they're like, no, no, no, no, this is all on purpose. We have a master plan. And, you know, we're eight months into the master plan, and I don't see it. So I saw things like that. So in my mind there was, look, there are some good things as well, but some bad things. But if I could, I just start by saying those are. Was that particularly in the workforce or needs a workforce to execute it. That's where you saw the degradation, the slippage, where we, where we changed our assessment of where the government stood.
[13:01]
Jonathan Sederbaum
Were there examples of that outside of cisa yeah.
[13:06]
Retired Rear Admiral Mark Montgomery
So I ought to say one thing about cisa. It shocks me. There's a temporary leader says, look, the Senate owes the government, the executive branch. The confirmation of Sean Planky, the CISA director. He's being held up over the provision of a. Of a report from the last administration demanded by. Mostly by a Democratic senator. I'm just like, come on, guys, just let it go. I mean, let the guy get. I want to criticize them for not doing the right thing. It's hard to criticize them when they're kind of rudderless without a leader. But the acting leader said something along the lines of this, like, we've lost. We've gone from 3300 to 2200. No appreciable change in our ability to our job. And I'll just say gently that in 35 years of leading a whole lot of military organizations, many of which were bigger than cisa, no leader ever came up to me and said, sir, the key to my success is cutting one third of my workforce randomly. Come on. And especially the way they did it. They took away the probationary employees, the seed corn of your future leadership. And they took away. They accelerated the departure of senior leaders through early retirements and forking the road list. Boy, talk about how I would not remove one third of my personnel. That's the opposite of the right. I mean, I wouldn't really just take it all from the middle, but I take most of it from the middle part of the workforce. Instead, they went to the top and bottom of it. Really poorly done. So I'd say I just need to say that. And look, there's other examples. Nist. Nist, which is the National Institute of Standards and Technology at the Department of Commerce, we assessed that in 2020 as about $120 million organization in terms of workload with an $80 million budget. And neither the Trump 45 nor Biden truly corrected the budget, but they did get it up to about 100 to 110 million on cybersecurity. This is just the cybersecurity part. Unfortunately, every executive order put out at the end of Trump 45 or all of the Biden administration would say, and NIST go do this. And let me tell you how much money is attached to an executive order? Zero. Right. So the reality is they'd become, like $160 million worth of. Of assignments and had about $100 million. So the Trump 47 rolls in on this already, like, stressed and strained organization, one that, by the way, had kind of, like, stuck it to the Biden administration in early 2024 by stopping funding some national vulnerability database work, to say, this is how bad our funding is, we will make it something that's public and embarrassing, which I thought was a pretty, you know, ballsy move by nist. And they got their money from Biden's OMB to fix that. So they're under stress, under duress, and in comes DOGE and, you know, the Department of Commerce, and they just start cutting within that. And, you know, both in the budget appropriations and the personnel. This is so taking an organization that's critical to cybersecurity standards, regulate, not just really regulation, but cybersecurity standards, education. Understanding in the government and in the private sector and kicking it in the backside a few extra times was not a good move. So that's a second one. There's more, but I think that gets the point across.
[16:27]
Jonathan Sederbaum
Very good. Okay, so as you say, I gather one of the central concerns in this most recent report is budget cuts and staffing cuts at a number of the departments or agencies that play an important role in U.S. cybersecurity policy and U.S. cybersecurity defense and resilience. Were there other major concerns beyond the staffing and budget cuts?
[16:52]
Retired Rear Admiral Mark Montgomery
Yeah. So in State Department, we had set up something called the cybersecurity and the.
[16:58]
Jonathan Sederbaum
Ambassador at large for cyberspace and digital diplomacy, I believe.
[17:02]
Retired Rear Admiral Mark Montgomery
Yeah, Cyberspace and digital diplomacy was a bureau there to work, and it was underneath the deputy. Every time you do legislation, you have the perfect legislation and you have the legislation you get. And there's a series of compromises you have to do to get things through. And one of the compromises was, and this was a problem we had with the Biden team. They wanted. They didn't like putting it under the deputy. I felt it needed to hang for some period of time, five or seven years outside of the normal hierarchy. I would say State Department. You know, I've lived in Department of Defense, which has some parochialism to it, but so I've heard the State Department is Olympic gold medal winning, you know, world record setting, parochial, you know, siloed bureaus. And so I was afraid to get. And this administration came in and here's the killer as they're breaking it, reorganizing the State Department because it obviously couldn't be right because it was done by Biden. You know, they're breaking up the State Department. The guys come into the. I know for a fact they came into the cyber digital policy office and started to show what they're going to do. And the per. One of the people they're interviewing said, you know, there's a law about this called the Cyber Diplomacy act, and the person was unaware of it. You know, so they're reorganizing it without even reading basic law, and they reorganized it in violation of the law, by the way, a law that Senator Rubio aggressively supported before he became Secretary of State. And so his own guys came in unaware of the law, and they weren't his guys, in my opinion. They're probably White House guys, but, you know, in State Department, and they did this. And so it's. I mean, it's. It's mildly. I'm not insulted by this easily, or I'd be insulted all the time. But it's kind of insulting that you reorganize something without reading the law. We are a nation of law. I mean, I believe we're a nation of laws. And you probably. And you literally. This wasn't a law. Like, you know, that reorganization from 1862 is a little old. This was a reorganization from 2023. I mean, come on, You. You took the maximum time to implement it. So it was really fully. I mean, the law was 2021 to be implemented by 2023. You know, it had been in effect for two years. Yeah, have a little bit of due diligence and, you know, find that out, but, okay, they didn't. And then Senator Rubio, when confronted by Senator King, who talked to him and said, what's up? You know, basically was, you know, mildly denied. You know, he was aware that he had been part of the law. You know, I mean, this is not helpful. It's not how you run government. And now we're in a position where the administrator, you know, Republicans in the House are trying to, you know, clean up the spill on. On aisle three, you know, by writing legislation that kind of supports what the administration's doing. And, you know, the rest of us are like, well, I would like it to work, but on the other hand, I'd like you to just follow the damn law, which you just passed and you guys supported, and the Secretary of State supported before. He didn't support it. So I'm a little frustrated. That one's bad. Now, here's why that's bad. It's not just, like, someone to talk to for our partners and allies, that's important, but we do need some cyber capacity building. Like, when our forces move with and through a country, we want the cyber to be secure for our military forces. So that matters. Cyber capacity building and Very specific. Even in a make America great thought process, you want our forces to do well. There's standard setting like the State Department kind of leads our participation. International standard side of things like the International Telecommunications Union, the World Intellectual Property Organization. We don't get the right, if China's working very aggressive at those places to get a China centric solution in place. One that doesn't believe in personal rights and responsibilities and privacy. One that's focused purely on sovereignty, which is, you know, coded language for authoritarian, you know, control, you know. So from my point of view, these things are small but important and they add up to a very important element of US foreign policy that is kind of in tatters right now. No one nominated to lead anything. People leaving left and right because there's no. You don't know what the final organization is going to be like. You know, this, this was an absolute own goal.
[21:11]
Lawfare Podcast Host/Advertiser
I'm a last minute holiday shopper. I often don't do it at all until it's too late. You know the feeling everything's gone already. You don't have ideas. But here's an idea for you. If you're like me and that's your situation. Aura frames is the solution with a gift that feels perf personal. I love my aura frame, but more important than that, I love my aura frame is that the people that I buy Aura frames love them. I got two aura frames for the lawfare office. We share them. They're hanging around the office. One of them is just pictures of lawfare people. One of them is the lawfare dependence pets, kids, all the people that we care about. And we upload them to the aura frame and we all share them. We all get a kick out of it. And it's super moving to see both of these frames develop over time. You upload unlimited photos and videos. You individually or a group of people like say the Lawfare community. You just download the Aura app and connect it to wi Fi. You. You preload photos before it even ships and you can just keep adding them from anywhere, anytime. You can personalize the gift, add a message before the frame arrives. You share photos and videos effortlessly straight from your phone all year long. The gift box is included. Every frame comes packaged in a premium gift box with no price tag. You can't wrap the this kind of togetherness, but you can frame it. So for a limited time, save on the perfect gift by visiting auraframes.com to get $35 off Aura's best selling Carver mat frames named number one by Wirecutter by using the promo code Lawfair at checkout. That's a U R A frames.com promo code lawfare. This deal is exclusive to listeners, and frames sell out fast, so order your now to get it in time for the holidays. Support the show by mentioning us at checkout. Terms and conditions apply. Deleteme makes it quick, easy, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable. The New York Times Wirecutter has named Deleteme their top pick for data removal services. And I'll tell you why. Because data brokers make a profit off of your data, which is a commodity. Anyone on the web can buy your private details, and this can lead to identity theft, phishing attempts, and harassment. But Deleteme lets you protect your privacy. I do it with Delete Me and I think you should, too. I have an active online presence. I. I do wacky stuff. I dressed up as a inflatable frog the other day, and, you know, I put myself out there. I threw dead sunflowers in front of the Russian embassy. But my privacy is, at the end of the day, still really important to me. I want a separation between my public activity and my private life. I've been a victim of harassment, identity theft, and that sort of thing. It's not pleasant. And if you haven't, you probably know someone who has to. Delete me can help. So take control of your data and keep your private life private by signing up for Delete Me now at a special discount for Lawfare listeners. Get 20% off your Delete Me plan when you go to JoinDeleteMe.com lawfare20 and and use the promo code lawfare20 at checkout. The only way to get 20% off is to go to JoinDeleteMe.com LawFair20 and enter the promo code Lawfare20 at checkout. That's JoinDeleteMe.com Lawfare20 code Lawfare20.
[25:44]
Host/Announcer
Who drives the world forward? The one with the answers or the one asking the right questions? At Aramco, we start every day by asking how. How can innovation help deliver reliable energy to the world? How can technology help develop new materials to reshape cities? How can collaboration help us overcome the biggest challenges? To get to the answer, we first need to ask the right question. Search Aramco Powered by How Aramco is an energy and chemicals company with oil and gas production as its primary business.
[26:14]
Paige Desorbo
Hi, it's Paige Desorbo from Giggly Squad. You ever stand in front of your closet and just say I have nothing to wear while you're literally surrounded by clothes because same so I started listing pieces. I'm over on Depop and honestly, it's been amazing. You can sell what you're done with and someone out there will love it. And the best part about it is there's no seller fee, so the money you make actually stays in your pocket, which feels very chic. It's also insanely easy. I listed something while watching TV and it sold before the episode even ended. So download the Depop app and list your first item today because your old outfit could be someone else's new favorite. Depop where taste recognizes taste. Payment processing fees boosting fees still apply. For more info, visit depop.com so good, so good, so good.
[27:02]
Host/Announcer
Just in thousands of winter arrivals at your Nordstrom Rockstar, save up to 70% on coats, slippers and cashmere from Kate Spade New York, Vince Ugg, Levi's and more.
[27:15]
Retired Rear Admiral Mark Montgomery
Check out these boots. They've got the best gifts.
[27:18]
Host/Announcer
My holiday shopping hack join the Nordiclobe. Get an extra 5% off every rack purchase with your Nordstrom credit card. Plus buy it online and pick it up in store the same day for free. Big gifts, big perks. That's why you rack.
[27:36]
Retired Rear Admiral Mark Montgomery
We've talked about.
[27:36]
Jonathan Sederbaum
A number of the critical elements in the report, that is Ways in which the report has been critical of the Trump administration's early moves. Does the report identify any initiatives by the new administration that it considers beneficial, perhaps in some cases carrying forward efforts that had already been underway before it came in?
[28:00]
Retired Rear Admiral Mark Montgomery
Yeah, this is a tough yes. So there's a little bit in there. So look, I like the idea in their first executive order they emphasize the importance of state and local governments. Look, I've lost my confidence in top down regulation driven solutions for some industries. Look, Americans like regulation on nuclear power. They prefer something not go really wrong. They're pretty cool on regulation on flight safety. They don't want to fall out of the sky. They're pretty cool about regulation, about their money, so that it stays in their bank account. After that the list gets tougher. So trying to force in like water regulation at the top, that comes down. Especially you know the difference between New York City Water, LA Water and like Fuckwar County Rural Collective Number 7's water utility. There are big differences there. So I get that water probably has to be they'll bottom up or ground up, no pun intended. And to do that you really need state and local empowered to do that. You know, understand, provide them with standards, and then incentivize through grant program support. Now, look, I'm not talking about a grant program for a Fortune 50 company. I'm talking about a grant program for rural collective number seven, you know, in Farquhar County, Right. Which is, you know, doesn't have two wood nickels to rub together for this threat. So if we could help them out with a grant program where they meet, they assess themselves to a government standard, show the gaps, and then use an approved solution that we help fund. To me, that's how you get at this. And it should make Republicans happy, Democrats should be happy with the end result. You know, I think it's a winner. Winner. So he says that, and you're like, oh, good. I like this. Of course, the next thing that happens is the administration does nothing to prevent the state and local cybersecurity grant program from expiring. Now, in the cr, the House Republicans and Senate Republicans. The Senate Republicans did add it in. It's reauthorized through, like, January of 2026. But long term, you're going to have to reauthorize and appropriate to that. In other words, the next step is to have grant programs that incentivize us. Believe it or not, the energy, rural energy, does have some grant programs. There's some areas where you see congressional committees have shown an interest, or maybe the federal agency showed an interest, and we're doing all right. In general, I would tell you there's three sectors that I don't lose sleep over at night. Financial services, energy, and the defense industrial base. There's 17 or eight, depending on, you count them, 17, 18, 19 sectors. So that does leave a lot of Fs, you know, in the. In the programmatics, water being one of them. And so I like the fact that the Trump administration recognized, hey, this is a state and local solution. I also like that they have kind of put the NSC and the N. The National Security Council Cyber Security Directorate focused on offensive operations, on international partnership. And I like that. And then told the National Cyber Director, you're really responsible. You're the lead for the National Cyber Defense, which makes sense from the name of your office. And that was our intent. We'll see how that plays out over the next 40 months. But I would tell you, good intent there. So there's two pretty big areas where I would say the administration's done, you know, stepped off on the right foot. The problem is when you're assessing them, they haven't produced yet. What I'd say is they've drawn a line in the right direction. We'll have to see if they resource and move along that track and then next year they'll be good grades. And, and I would say right now it's equally likely that they have good grades as bad grades next year because this perturbation's over. I think the personnel perturbation is over. I, you know, there's something involved with the coming out of the stand down and the people that were supposedly rift during the stand down coming back. That would be good. But they've got to get in. They're going to get appropriations that well exceed their current manpower. Right. Sizzle will get, you know, probably $2.7 billion. They'll have more than enough money for the people they have and money to hire more. And hopefully a new director will come in and do that. So there's hope, there's potential, but those are two areas where they, I can actually see them pointing themselves in the right direction.
[32:15]
Jonathan Sederbaum
Excellent. So we've been talking about findings in your, you know, most recent report, both critical and potentially positive. I wondered if we might step away from this kind of report card, which, as the report itself notes, is necessarily a backward looking assessment. You know, it takes a look back over the prior year and tries to assess what was good and what was bad. Step back and look forward. Because as the report notes, of course, cybersecurity risks are ever evolving. And to shape cybersecurity policy, one can't only look back to a set of recommendations from the commission from several years ago. However, you know, prescient the commission was. So we've had the benefit of more years of experience now and of course you and others are looking forward as you look out, say, you know, ahead the next two or three years. Are there one or two important trends or developments that you think the United States has to focus on as it tries to improve its cybersecurity posture?
[33:23]
Retired Rear Admiral Mark Montgomery
Yeah, there are, there's a few things and I'll bend them into. And the kind of one of them is a technology thing, one of them is a people thing, and one of them is a kind of a policy processing. So on the policy process side is can we get everyone to understand what Volt Typhoon and similar activities that are operational preparation of the battlefield are really doing. In other words, make it so people understand this is China preparing for a future crisis with us or conflict and putting in either malware or like an access so at a later time they can rapidly conduct a destructive or disruptive attack on that critical infrastructure. You would say, mark, well of course everyone's worried about that. They're not, right? So the FBI director does this, announces this last January. Director Ray says, hey, operate volt typhoon did this. Thousands of penetrations into dozens of infrastructures. But you know, they went right at our military mobility, rail, aviation, ports, right at our economic productivity, financial services, energy, right at our public health and safety, healthcare, water. Right. All the different attack vectors. And I'd say people like me are still spun up about it. 99.9% of America came out of warble a day later, right. And they're fine with it. Now let me give you another version of this. Director Ray comes out and says, hey, there's a thousand attacks, 16 sectors. And what the Chinese did was put a, a backpack with semtex in it on this infrastructure so that a later date they could, you know, initiate it and disrupt or destroy the infrastructure. We would still be talking about that. You know, we, we might have had a war in between. I mean a war might be too far, but we'd have certainly had a collapse in u. S. Chinese relations. This operational preparation of the battlefield has gone unremarked. And so the first development's gonna be the next two or three years. We have to understand the adversary, we're learning the criminal adversary because of ransomware. It's made people understand this is significant, it's real, and I better invest in it now. I still think the vast majority of companies that kind of come to Jesus, so to speak, are the ones who just got attacked. But still if your neighbor just got attacked, you're like, I'm going to come to Jesus. But the others, to me, this nation state, operational preparation of the battlefield, which is a relatively new phenomenon, has needs to be understood. That's number one. Number two is a technology one. We've got to figure out how to have better recovery tools. Here's the bottom line, lesson learned for the last five years is you're going to get hit. If you get hit, you're probably can only mitigate it slightly. And the real value is speed of recovery. How fast can you be up and running again? Is it through redundancy, through resilience, through training? But how fast can you get back up off the, off the canvas? And the most important companies on this are the small medium sized businesses that have four or six weeks float, that is excess cash, because the normal ransomware is one to two weeks till you get the key or go without the key, three to four weeks to get your system fully aligned and integrated. That's five or six weeks. Around that same period, you're laying people off, selling assets, declaring bankruptcy kind of weeks, 4, 5, 6. So the question is, are we going to get technology that helps that recovery faster? To me, that would be if I was making, if I wanted to as a venture capitalist, that's the tools I'd be looking for. And the third one I'll make quick is on personnel. It's on the offensive side. We're not currently generating enough forces, properly trained and ready forces. We have different every service. The Army, Navy, Air Force, Marines, Space Force, all build cyber people and then send them over to Cyber Command. Cyber Command is the force employer. They're doing okay given the quality we're giving them. We're giving them substandard quality. But the fourth generation, I think, requires a single service doing it that focuses on cyber. When we're recruiting kids out of high school, the people I need to be a Ranger don't look like the people I need to be cyber. There can be one or two that look the same, but the vast majority I'm okay with. Overweight face, tattoo, a little bit extra weed usage, that's okay, but the Rangers are not. So we need to get cyber. So that's the first thing you recruit. Then you specifically train them for this mission at a certain high level and then you pay them properly. And there might be a split there of uniform versus non uniform. That's much different than the army and Navy and Air Force. And then you'll end up retaining them properly. So we need to do a big thing on this. And just to show you the math on it, our cyber operating forces have got. We were about 65. 6400 was our target goal in 2012. 6700 is our target goal now, so about a 3% increase. In that same time frame, our estimate is China may have gone from 6,000 to 60,000. I'll just say their thousand percent may not be right, but our 3% is definitely wrong. And so to me, those things, understanding OP operational preparation, battlefield technology through recovery, and then Cyber Force, those are three things I'd be working.
[38:35]
Jonathan Sederbaum
Excellent suggestions. Let me ask you one final question, which every cybersecurity analyst is at least speculating about because it's early days. And that is the implications of the development of ever more sophisticated artificial intelligence systems on cybersecurity, offense and defense. There's more and more writing trying to gauge, you know, who in the offense, defense balance will get greater benefit from artificial intelligence systems. In what ways? How quickly do you have any initial views about that? And if so, what evidence do you think is the most helpful evidence for those of us interested in trying to assess the impact of AI on cybersecurity should be looking to.
[39:24]
Retired Rear Admiral Mark Montgomery
I'm not the right person to decide which one will go better. Here's what I do know, though I do understand well enough that both will benefit from it. And here's the challenge. The challenge is I do think the criminals, people who are exploiting AI will invest enough to have a tool that works. Cybercrime has been a, a, I mean it's not a unicorn, but it's a pretty good startup, right? They've done pretty well. And the criminal, you know, conviction rate on cyber crimes is, you know, avert your eyes bad. You know, it's in the 1 or 2%, if that. And usually that's 1 guy, 40 crimes, not 40 guy, 40 crimes, 40 guys. And it is mostly guys. So they're going to invest what they need. The question is, are we going to invest what we need defensively? So far in cybersecurity, the answer has been no. The problem with AI is it will, it will exponentially grow the risk of your. No. If you don't invest properly in cyber security and whether the tools are traditional or AI based tools, you're exposing yourself to greater and greater risk, I think over time in this environment. So that'd be number one. Number two is there's an element to AI that really worries me and it has to do with influence operations. We study that here at fdd we look for AI misuse and then AI, you know, we look for influence operations being conducted by China, Russia and Iran, particularly North Korea does a lot of bad stuff in cyber, but not these. They're not doing influence operations to try to change how Americans feel about the state of democracy or things like that. But I think these AI tools are going to make influence operations look more and more like a text or an email from your spouse or your daughter or your, or your child, you know, and have a much higher likelihood of success. So these influence operations are going to be more effective over time. And we already are fragile society, we can see that in a lot of ways. And this will amplify. I think AI has the risk of amplifying that greatly if we don't figure out how to take a listen. And one last thing, I'll say another reason they got a bad grade. The Trump administration has kind of consistently across all of government, remove the disinformation efforts, whether it's a justice, FBI State Department of Homeland Security. It was under the guise of they somehow were involved in election security and suppressing conservative thought, which I just don't think they were. You know, maybe I'm, maybe I'm blind, but I didn't see that. What I saw was a lot of bad. What we saw at FDD in studying this election cycle, and we've written three reports on it, was a lot of bad Russian behavior trying to help Trump, some bad Iranian behavior trying to help Harris, and then a lot of Chinese behavior not caring who they helped. All they cared about was undermining Americans faith and belief in the credible execution of democracy. That worries me the most. So I guess that's a bad, pessimistic line to end on, Jonathan, but that's where I sit.
[42:42]
Jonathan Sederbaum
Okay, but we will have to end it there. Admiral Montgomery, thank you so much for taking the time to talk with us today.
[42:48]
Retired Rear Admiral Mark Montgomery
Thank you for having me.
[42:52]
Jonathan Sederbaum
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfairmedia.org support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts as well, including Rational Security, Allies, the Aftermath, and Escalation. Our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work@lawfaremedia.org the podcast is edited by Jen Pachep and our audio engineer. This episode was Hazel Hoffman of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you you for listening.
[44:02]
Paige Desorbo
Hi, it's Paige Desorbo from Giggly Squad. You ever stand in front of your closet and just say I have nothing to wear while you're literally surrounded by clothes? Because same so I started listing pieces. I'm over on Depop and honestly it's been amazing. You can sell what you're done with and someone out there will love it. And the best part about it is there's no seller fee, so the money you make actually stays in your pocket, which feels very chic. It's also insanely easy. I listed something while watching TV and it sold before the episode even ended. So download the Depop app and list your first item today because your old outfit could be someone else's new favorite. Depop where taste recognizes taste. Payment processing fees, boosting fees still apply. For more info, visit depop.com.