The Lawfare Podcast: The Offensive Cyber Industry and U.S.-China Relations with Winona Bernson
Release Date: July 7, 2025
In the episode titled "Lawfare Daily: The Offensive Cyber Industry and U.S.-China Relations with Winona Bernson," hosted by Justin Sherman of The Lawfare Institute, expert Winona Bernson delves deep into the intricate world of offensive cyber operations, especially focusing on the competitive dynamics between the United States and China. This comprehensive discussion sheds light on the complexities of the cyber weapons market, procurement pipelines, and the broader national security implications stemming from these activities.
Introduction to Guest and Topic
Justin Sherman (02:11):
"Welcome to the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Winona Bernson, non-resident Fellow at the Atlantic Council's Cyber Statecraft Initiative and author of the report Crash, Exploit and Burn: Securing the Offensive Cyber Supply Chain to Counter China and Cyberspace."
Winona Bernson (03:24):
Shares her background, highlighting her five years in cyber threat intelligence at Recorded Future and Google, founding DistrictCon, Washington DC's newest hacker conference, and her current role at the Atlantic Council.
Understanding the Offensive Cyber Supply Chain
Justin Sherman (04:26):
Introduces the premise of Bernson's report, questioning whether the U.S. possesses a robust offensive cyber supply chain capable of countering Chinese cyber operations.
Winona Bernson (04:26):
Explains that the report analyzes how the U.S. supplies and acquires offensive cyber capabilities, particularly zero-day vulnerabilities, and compares it with China's approach. She concludes that the U.S. may lack the scale and efficiency of China's cyber supply chain.
Breaking Down the Offensive Cyber Supply Chain
Justin Sherman (05:43):
Asks Bernson to elaborate on the "offensive cyber supply chain," seeking clarity on its components.
Winona Bernson (06:06):
Describes the components of cyber operations:
- Infrastructure: Locations and systems used for operations (e.g., servers in the U.S. vs. abroad).
- Techniques: Use of malware or "living off the land" to exploit systems.
- Personnel: Trained individuals conducting operations.
She emphasizes the focus on zero-day vulnerabilities—previously unknown security flaws exploited before vendors can address them.
Notable Quote (06:30):
"Zero-day exploits are used... especially those conducted by nation-states. They allow attackers to break into modern, up-to-date systems which have strategic value to great powers like the U.S. or China."
The Zero-Day Market: A Billion-Dollar Industry
Justin Sherman (07:48):
Highlights the perception of zero-day exploits as cyber superweapons and probes into the reality of the market dynamics.
Winona Bernson (09:05):
Clarifies that zero-day exploits are essentially sophisticated software designed to exploit vulnerabilities. She outlines the commercial nature of the industry, involving:
- State-Like Contractors and Private Firms: Major players include large defense contractors and specialized spyware firms like NSO Group, Paragon, and QuaDream.
- Brokers and Marketplaces: Middlemen facilitate the sale from developers to governments.
- Subcontractors and Individual Hackers: Smaller entities and lone researchers contribute to the ecosystem.
Notable Quote (11:16):
"The zero-day market is a billion-dollar industry selling code that exploits flaws in widely used products."
Challenges in Creating and Selling Zero Days
Justin Sherman (11:16):
Inquires about the requirements for businesses to succeed in developing and selling zero-day exploits.
Winona Bernson (11:26):
Distinguishes between creating and selling zero-days:
- Creation: Requires significant technical expertise to identify and exploit vulnerabilities, a process that can take 6 to 18 months.
- Selling: Involves navigating a murky market with middlemen, resulting in high markups. Developers might sell a zero-day for $100,000, but end buyers may pay up to $1 million due to intermediary markups.
Notable Quote (13:15):
"An individual researcher might sell a good bug for $100,000, but by the time it reaches the customer, it could be priced at $750,000 to a million dollars."
U.S. vs. China: Offensive Cyber Acquisition Pipelines
Justin Sherman (14:20):
Asks about the differences between the U.S. and Chinese offensive cyber acquisition systems.
Winona Bernson (15:12):
Explains that the U.S. system is fragmented and traditionally designed for tangible defense assets, favoring large prime contractors and creating inefficiencies. In contrast, China employs decentralized contracting methods, allowing state and local branches to procure cyber capabilities more fluidly. This decentralization in China facilitates broader and faster offensive operations without stringent international norms.
Notable Quote (15:12):
"Chinese acquisition processes use decentralized contracting methods and decentralized operations, allowing for broader and faster offensive cyber activities."
Implications of China's Offensive Cyber Pipeline
Justin Sherman (32:36):
Probes into the national security concerns the U.S. should have regarding China's offensive cyber capabilities.
Winona Bernson (32:48):
Highlights the scale of China's efforts:
- Human Capital: China produces more STEM graduates annually, feeding a larger workforce into offensive cyber operations.
- Integration of AI: China is advancing AI in exploit discovery, potentially enabling scalable offensive operations.
- Global Outreach: China extends its cyber influence into East Asia and the Middle East, attracting international cyber talent and showcasing its cyber operation model.
Notable Quote (34:38):
"Having more bodies and people and headcount to throw at offensive cyber should cause policymakers some concerns."
Recommendations for the U.S. to Strengthen Its Offensive Cyber Capabilities
Justin Sherman (35:07):
Requests Bernson’s recommendations on improving the U.S. cyber procurement system.
Winona Bernson (35:13):
Proposes several strategies:
- Accelerator Programs for Vulnerability Research: Modeled after successful software accelerators to support smaller firms in the cyber domain.
- Protecting and Supporting Security Research: Ensuring researchers are shielded from legal threats and providing support through entities like the Security Research Legal Defense Fund.
- Greater Transparency: Enhancing communication between the government and vulnerability researchers about desired exploits to reduce inefficiencies and prevent the hoarding of vulnerabilities.
Notable Quote (35:13):
"Creating accelerator programs for vulnerability research... protecting and supporting security research in general... and being more open and transparent as a government about how or what vulnerabilities should be acquired or sold."
Addressing Counterintelligence and Supporting Hackers
Justin Sherman (39:08):
Asks how the U.S. can better protect hackers from foreign intelligence attempts.
Winona Bernson (39:47):
Offers practical advice for hackers:
- Verification: If approached by someone claiming to represent the government, insist on meeting at an embassy to verify legitimacy.
- Legal Protections: Encourage the use of legal defense funds and advocate for clear DOJ guidance to protect good-faith security researchers.
- Government Resources: Suggest that agencies like the FBI or CISA establish hotlines to support researchers against foreign threats.
Notable Quote (39:47):
"If somebody approaches you and says that they work for the US government, ask to meet them in the embassy."
Limiting China's Access While Securing U.S. Talent
Justin Sherman (42:20):
Asks about strategies to limit China's access to offensive cyber capabilities while nurturing U.S. talent.
Winona Bernson (42:57):
Recommends:
- International Collaboration: Work with allies to protect and nurture cyber talent in East Asia, South America, and Europe.
- Talent Exchange Programs: Foster technical exchanges and collaborations to shield U.S. and allied cyber experts from Chinese influence.
- AI Integration: Recognize and prepare for the role of AI in future offensive cyber operations, ensuring that the U.S. remains at the forefront of AI-enabled security research.
- Economic Incentives: Enhance the profitability for U.S. hackers to deter them from seeking opportunities abroad.
Notable Quote (42:57):
"The US Government should be cooperating with allies to work with some of the best minds in East Asia, in South America, in Europe."
Conclusion
The episode concludes with Bernson emphasizing the necessity for the U.S. to revamp its offensive cyber procurement processes to better compete with China. By fostering innovation, protecting researchers, and ensuring transparent government interactions, the U.S. can strengthen its cyber capabilities while upholding its national security and ethical standards.
Winona Bernson (45:48):
"Thank you so much for having me."
Justin Sherman (45:52):
Encourages listeners to support Lawfare and explore related content.
Key Takeaways:
- The offensive cyber supply chain is a complex, commercialized ecosystem involving developers, brokers, and state actors.
- China's decentralized and expansive approach to cyber operations poses significant challenges to U.S. cybersecurity and national security.
- Enhancing the U.S. cyber procurement process through support for smaller firms, legal protections for researchers, and greater transparency is crucial.
- International collaboration and proactive talent nurturing are essential to counterbalance China's growing cyber offensive capabilities.
Notable Quotes:
- "Zero-day exploits are used... especially those conducted by nation-states. They allow attackers to break into modern, up-to-date systems which have strategic value to great powers like the U.S. or China." (06:30)
- "An individual researcher might sell a good bug for $100,000, but by the time it reaches the customer, it could be priced at $750,000 to a million dollars." (13:15)
- "Creating accelerator programs for vulnerability research... protecting and supporting security research in general... and being more open and transparent as a government about how or what vulnerabilities should be acquired or sold." (35:13)
- "If somebody approaches you and says that they work for the US government, ask to meet them in the embassy." (39:47)
- "The US Government should be cooperating with allies to work with some of the best minds in East Asia, in South America, in Europe." (42:57)
This episode provides a critical examination of the offensive cyber landscape, underlining the urgent need for the U.S. to adapt its strategies to maintain cybersecurity dominance in an increasingly hostile digital environment.
