
Winona Bernson
So if you don't know a government customer, you'll probably want to find a middleman, which is where things get a little bit more sketchy, because you don't necessarily know who will end up using your zero day, especially when middlemen sell to other middlemen. And so you get this weird, murky industry where there's markups and bugs that are going for crazy prices, and then you have this lack of trust on the consumer side.
Justin Sherman
It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Winona Bernson, nonresident fellow at the Atlantic Council's Cyber Statecraft Initiative and author of the just released report Crash (Exploit) and Burn: Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace.
Winona Bernson
It's statistically more likely that China will have more people in the offensive security space, and in a highly manual field like vulnerability research, where even though you're producing software, this software does not necessarily scale, having more bodies and people and headcount to throw at offensive cyber should cause policymakers some concern.
Justin Sherman
Today we're talking about the offensive cyber industry, the private sector and individual players, the US versus Chinese procurement pipelines, and what it all means for the future of competition and cybersecurity. Why don't you start by telling us about yourself? I always ask this of every guest: how did you get started in cybersecurity, and what are some of the things you are up to currently?
Winona Bernson
Sure. I worked in cyber threat intelligence for five years before heading to law school, first tracking Chinese nation-state threats at Recorded Future, then at Google. Currently I'm the founder and head of Washington, DC's newest hacker conference, DistrictCon. And I also work, of course, for the Atlantic Council, who published this wonderful paper that you're having me on for.
Justin Sherman
I'm glad you mentioned DistrictCon. I was going to plug that. Oh, with that we can just jump right in. So as you noted, you're the author, as we heard in the intro, of an excellent new report, which I encourage folks to check out and we will link, as we always do, in the show notes, titled Crash (Exploit) and Burn: Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace. And again, we'll link it. You can find this on the Atlantic Council website. Broadly speaking, just to get us started here, what is the overall premise of this paper?
Winona Bernson
Sure. And honestly, Justin, congrats on saying the entire title of the piece. I know it's kind of a mouthful, but the premise of the paper largely relates to this renewed call out of D.C., whether it's the White House or Congress, about cyber offense, particularly this concept of hacking back the Chinese or CCP hackers. Right. My approach to this concept is a little bit deeper than that, which is that if the US actually does want to bolster its cyber offense and increasingly use offensive cyber operations internationally, do we have the capabilities in our supply chain to do that? Particularly if the adversary we're trying to go up against is China. And so what I try to do in this paper is illustrate, either via open source research or interviews, how the U.S. supplies and acquires offensive cyber capabilities, focusing in this case on zero days, versus how China supplies and acquires those tools. And when you compare the two systems up against each other, the answer to that question, do we have the supply chain to really measure up to China in offensive cyber, is probably actually that we don't, at least not to the same scale, or just not the way that our processes are currently set up.
Justin Sherman
Interesting. And you mentioned a few things I certainly want to circle back to. Let's zoom in a little bit more. So in the subtitle and throughout the report, you talk, as you just referenced, about this concept of an offensive cyber supply chain. So break this down for us a little bit. What is that offensive cyber supply chain and what are some of its core components?
Winona Bernson
Yeah, sure. So there's a couple of different components that go into any cyber operation. When you're thinking about how to hack someone, you have to figure out what infrastructure you're conducting your operation from. Is it a server in the United States that you're using to stage all of this, or is it somewhere else? Are you using malware, or are you living off the land? That's a concept where you're just using stuff that's on the victim machine rather than making a user download malware. And do you have someone actually trained to conduct the operation or to hack into things? All of those parts are components of a cyber operation. But as I said earlier, the focus of my paper is on zero day vulnerabilities and exploits. For listeners of this podcast, and especially your episodes, Justin, I'm sure many of these folks are not strangers to what a zero day is, but for newer listeners, zero day vulnerabilities are issues or bugs in software or hardware that are previously unknown to the vendor of that software or hardware. That is, the vendor has had zero days to fix the issue. And so if you can write code to take advantage of that vulnerability, this results in a zero day exploit. And so zero day exploits are used. Famously, Stuxnet had a large number of zero days back in the day. Plenty of cyber operations nowadays use zero days, especially those conducted by nation states. It's important to note that you can break into plenty of systems without one, especially if people don't install the latest software update. And also there's always phishing. But a zero day allows an attacker to break into modern, up to date systems, which are kind of the ones with strategic value to great powers like the US or China.
Justin Sherman
I'm glad you're digging a bit into the zero day definition and some of the surrounding concepts. I mean, you mentioned phishing and still the simple ways that some folks are able to first get into systems. But I want to zoom in on the zero day thing, because a lot of policy discourse and media discourse and, you know, innumerable terrible Hollywood cyber doomsday things on Netflix and such that I don't watch make people think of zero day exploits as these sort of cyber super weapons. I'm not sure what the right phrase is, but essentially that you can set off with a click and it's impossible to stop. But as you're noting, at the same time there is something to be said there. And then the second piece I think folks often think of is that zero days are built by government hackers. But something that you explore in this study is that there's, in reality, a very complex market in the private sector for the development and sale of these zero days and related capabilities, including to be sold to governments. So talk to us about what that industry looks like globally for offensive cyber capabilities, and who are some of the major players? Maybe some that folks might be familiar with and others that they are likely unfamiliar with?
Winona Bernson
Yeah, for sure. Thanks, Justin. I think. Oh man, where to start? I think the biggest thing that people need to understand, and it's super easy, kind of like you said, to imagine a zero day vulnerability or zero day exploit as like the closest thing to a cyber weapon that exists. But ultimately the zero day market is a billion dollar industry that sells software. That's ultimately what a zero day exploit is, it's code. And this code just happens to take advantage of mistakes in commonly used products. And that's the way that I kind of think about it. Because it's not going to be a perfect weapon. Potentially there's mistakes in that software too. Or that software isn't entirely reliable. It's not going to be 100% accurate because it's all made by, like all other software, engineers and hackers. And going back to your point about this industry not really being in government, just like in regular software industries, engineers and hackers don't necessarily really vibe with that culture. They don't necessarily want to work in a secure environment or have to put on a military uniform, especially if they could get paid double, triple out in the private sector. So of course there is a huge difference between the engineer writing zero day exploits and an engineer writing regular software. But the industry is quite commercialized. You have this enormous system of state-linked contractors and private firms. Think large prime contractors here in the US defense industrial base. You also have these spyware firms that are, you know, either producing zero days in house or purchasing them to then sell on. Think NSO Group, Paragon, QuaDream, all of these Israeli firms that I feel like have been in the news for the last five years. And then you also have these huge brokers and marketplaces, so firms that act as middlemen to go get a zero day and then sell it onward to either another middleman or a government.
And then underpinning all of this are smaller subcontractors, startups and individual hackers. It's a really robust ecosystem.
Justin Sherman
What does it take for a business to succeed in this area and to effectively create and then sell one of these zero day exploits you're talking about?
Winona Bernson
Ooh, that's a great question. So I'll say creating and selling a zero day are two almost entirely separate verticals. Fundamentally, when you're creating a zero day, what that requires is talent. You have to be able to find a vulnerability in a widely used technology, product or system. And how you do that is by looking through the code. And if you think about how much code is in the newest iPhone or in a Google Pixel or an iMac, that's millions and millions of lines that somebody is just poring through and trying to find where somebody else may have made a mistake. And after, maybe, you found some sort of bug, you have to figure out, like, can that bug be exploited in the first place? Can it be exploited reliably, or would it alert the target that something is wrong? Does that exploit only work on this version of the iPhone, or every iPhone all the way back to 2014? And so that process in itself of creating a zero day, or a 0-day, as some people call it, can take, at least nowadays in modern software, between six to 18 months to go from nothing to something marketable. Now, selling is actually where it gets even more complicated. Now that you have a 0-day, you need to know a customer or get in touch with one. And it's not like you can kind of waltz up to the NSA and go, hi, I have this fun bug. Would you like to buy it? And so if you don't know a government customer, you'll probably want to find a middleman, which is where things get a little bit more sketchy, because you don't necessarily know who will end up using your zero day, especially when middlemen sell to other middlemen. And so you get this weird, murky industry where there's markups and bugs that are going for crazy prices, and then you have this lack of trust on the consumer side.
Justin Sherman
To deviate for just a second, Winona, now that you mention it, you highlighted some, I found this fascinating in the report, specific numbers on what that markup can look like, from the original developer of a zero day exploit to the middleman reseller to the end buyer. Can you just tell us what those numbers are and a little bit of the context there?
Winona Bernson
Sure. So with the caveat that this industry is super murky, and what I've reported on is really only likely a sliver of what the global market looks like. I've had interviews where people have said it's anywhere from double to triple to 10x the markup. The quote that I've put into the report specifically is by a former US government official, who states that an individual researcher who isn't informed on what bugs are selling for might sell a good bug for $100,000, but by the time it makes it to a customer, that individual bug could go for $750,000 to even a million dollars.
Justin Sherman
I just found that fascinating. And I think, as we're saying, if we think of these as highly valuable, as you mentioned, the idea that governments are paying so much, not necessarily or inherently because it's valuable and difficult to procure per se, but because of a markup, is really, really interesting. You mentioned up top the differences between the procurement ecosystems in the US and China. So I want to get into this. We'll go in order. So what does the US offensive cyber acquisition pipeline look like? How much of it is centralized, decentralized, top down? Are sellers being responsive to specific government requests? Is it very entrepreneurial, where people are pitching things proactively? How does this ecosystem operate in the United States?
Winona Bernson
So in all of my interviews it was pretty difficult for me to talk to individuals about their specific contracts, for good reason. Many of these contracts are classified. But I'll break down my answers in terms of supply first and then acquisition. On the supply side, multiple Five Eyes vulnerability research companies, that is, the companies that create and sell zero days, have said that they hire talent not just in other Five Eyes countries, but also from Europe and South America. And so much of this talent is decentralized in smaller firms. Some are in the bigger prime government contractors, but many can be in tiny companies comprising as few as three people. From that perspective, it's really interesting to see how diverse and international and small-business-forward a lot of these communities are. Then when you look at the acquisition, it's kind of taking that and turning it completely on its head. US acquisition is neither top down nor bottom up, but it's largely people trying to work around a system that is DoD acquisition. It was built for tangible things like bombs or bullets or trucks, and not software. And so the contracting ecosystem, because it's hyper compliant and requires all of these different audits, does inherently favor the large prime contractors. And it treats zero days as this product to be purchased on a schedule. And that creates these feast or famine contracts, where you're getting a windfall if you get the bug purchased. But that entire time that you're developing the bug, say for six to 18 months, you may not see any money, because they're treating this product as a one and done piece of code. I'll also say that it's pretty frustrating to these smaller businesses because they don't necessarily have that direct line to the government.
And I think the most frustrating part of this is that sometimes government customers won't even let a seller know what type of bug they want, which means all the work that a vulnerability research firm might put into researching and productizing a bug may turn out to be for nothing. And this is a point that I really want to hammer home, because I get asked the question like, oh, who cares? Particularly from people who don't necessarily want governments to acquire zero days. And I get that. But this particular inefficiency, where the government does not tell people who are producing cyber weapons for the government what they want, should bother everybody, regardless of whether they're pro national security or pro software security. Because if you're pro national security, this is a waste of government resources. You have someone with talent working on something that the government doesn't want. But if you're pro software security, this is alarming, because the government is not telling the seller that they don't want that bug either. So the seller might just sit on the bug and not tell anybody about it.
Justin Sherman
All these market dynamics are instructive. In that vein, you write in the report that going through layers of middlemen to sell to a government may be a uniquely "Western" phenomenon. China analysts posit that the Chinese government has deliberately created avenues for foreigners to offer bugs to the Chinese government in a relatively frictionless way. So how does the offensive procurement ecosystem, if there is that idea that it's frictionless, how does it work in China? And what is, if any, the different approach that the government takes?
Winona Bernson
I would say that fundamentally everything is a lot more decentralized in China, which is kind of ironic, considering that they are the country with, of the two, the more centralized, quote unquote, planning. But I would argue, and I do argue in the paper, that China's acquisition processes use decentralized contracting methods and then also decentralized operations. On the decentralized contracting methods: over a year ago, I came on the podcast to talk about the I-Soon leaks, which was this contracting company that got all of their internal documents leaked online. And in those leaks, you could actually see that they weren't getting contracts from a particular centralized organization like the Ministry of State Security, like headquarters or whatnot. They were actually getting them from state, local and municipal government branches, suggesting that, you know, the equivalent of an FBI field office out in Pittsburgh could be doing the contracting requirements for getting zero days. The other aspect of this is that these companies weren't just providing the zero days, they were using them. They were actively conducting operations on behalf of the Chinese state. And that provides a company with a ton of freedom to be able to get access to systems however they want, use cyber capabilities however they want, in a way that doesn't have the same restrictions and, you know, abiding by international law and norms, that the US might have. And that doesn't even mention all of the different regulations that make multinational corporations or other domestic firms unwilling or reluctant vulnerability providers to the CCP.
Podcast Host
Right now the headlines are chock full of data breaches and regulatory rollbacks, making us all vulnerable. But you can do something about it. Deleteme is here to make it easy, quick and safe to remove your personal data online. We all want an easier way to deal with data breaches. And and I'm telling you you should get Deleteme. The fact is we're all at risk. How many times have you gotten an email or a letter saying your data has been stolen? It's unsettling. But the good news is Delete me can help. It's not just a one time service. You give them the information you want to remove from the public Internet. And Deleteme is always working for you, constantly monitoring and removing the personal information you don't want out there. I am somebody with an active public presence. I antagonize people, I bother people. But privacy is important to me. I don't want people knowing things about my private life, about my family, about all sorts of things where they can kind of mess with me. And I keep hearing about these data breaches in the news. A recent Coinbase data breach, for example. A hacker obtained names, addresses, phone numbers and the last four digits of users Social Security numbers plus masked bank account numbers. They vacuum it up, they create a searchable profile and they sell it to whoever wants it. Thankfully, Deleteme can help you preserve it from those sites and keep your information from falling into the wrong hands. So take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners. Get 20% off your Delete Me plan when you go to JoinDeleteMe.com Lawfare20 and use the promo code Lawfare20 at checkout. The only way to get 20% off is to go to JoinDeleteMe.com lawfare20 and enter the promo code Lawfare20 at Checkout. That's JoinDeleteMe.com Lawfare 20 code Lawfare20.
Winona Bernson
Oh.
Advertisement Voice
I'm not switching my team to some fancy work platform that somehow knows exactly how we work, and its AI features are literally saving us hours every day. We're big fans, and just like that, teams all around the world are falling for Monday.com with intuitive design, seamless AI capabilities, and custom workflows, it's the work platform your team will instantly click with. Head to Monday.com, the first work platform you'll love to use.
You know how we all have that one friend we go to with all our financial questions? Well, meet Experian, your bff, as in Big Financial Friend. I'm telling you, Experian is going to be your go to app when it comes to taking control of your finances. Experian not only has a bunch of ways to help you save, but lets you check your FICO score, match you with credit cards, and a bunch more things you'd expect from a big financial friend. Just download the Experian app and get started for free. Trust me, you'll be up to speed with this BFF in no time. Based on FICO Score 8 model offers an approval not guaranteed Terms apply Offers not available in all states. See experian.com for details. I can't tell you how often I hear oh, I'm a little ocd. I like things neat. That's not ocd. I'm Howie Mandel and I know this because I have ocd. Actual OCD causes relentless unwanted thoughts. What if I did something terrible and forgot? What if I'm a bad person? Why am I thinking this terrible thing? It makes you question absolutely everything and you'll do anything to feel better. OCD is debilitating, but it's also highly treatable with the right kind of therapy. Regular talk therapy doesn't cut it. OCD needs specialized therapy. That's why I want to tell you about NO cd. NOCD is the world's largest virtual therapy provider for ocd. Their licensed therapists provide specialized therapy virtually and it's covered by insurance for over 155 million Americans. If you think you might be struggling with OCD, visit nocd.com to schedule a free 15 minute call and learn more. That's nocd.com.
Justin Sherman
That's a great segue, because many people in the West, especially these days, tend to talk about China (I mean, I have this similar complaint about Russia discourse) in a way that characterizes the country writ large as very top down. Sometimes, or maybe not, that specific firms could be coerced by the state, but that they're constantly working for the state. So how would you characterize the relationships between different white hat hackers in China and the government, different private sector cyber companies in China and the government? How integrated, if at all, are those relationships when it comes to vulnerability discovery and exploit development? And are there places where folks might be surprised to hear that there is or is not state interaction and influence?
Winona Bernson
That's a great question, Justin, and I hesitate to give a good answer to it only because if you flipped that on its head and said, oh well, Winona, can you describe how hackers interact with the government from the Five Eyes, there's never going to be an answer that really encapsulates the entire community. Right? So I hesitate to use such a broad brush. But what I'll say is that, going back to the original question that you had asked me previously, this frictionless manner has less to do with the relationship between the hacker and the state writ large and more about the number of avenues that the Chinese state has for a hacker who, you know, excited or reluctant or otherwise, is providing these services or products to the Chinese government. It's definitely easier and more resourced to do and get into offensive security in China in a lot of ways. There's a lot of state sponsored capture the flag teams or live hacking events or offensive security programs in universities and grad schools. There's also a lot of funding of vulnerability research teams under big state sponsored or state owned enterprises and large Chinese tech firms. So the resourcing is there, the avenues are there. What I'll say about the international hacker community and the Chinese hacker community, at least based off of the limited interactions that I've personally had at hacker cons and otherwise, is that hackers are far more similar than they are different. And I say this in the report, there's three large reasons why people would want to stay in vulnerability research. One is profit. Like we talked about, the profit margins for some of these bugs and exploits are quite large, even if you're potentially in a feast or famine contract cycle. The second is patriotism, motivation, mission. Obviously there will be hackers in the Five Eyes or hackers in the Chinese government who truly do care about serving their country.
And then the last one, which I think is pretty universal, is this act of really considering vulnerability research and exploitation as this art, where it's a complex thing that's really cool to be able to have the power to do. And there are plenty of vulnerability researchers internationally that will appreciate the work of another researcher in a different country, while knowing that the two of them may never meet or be able to work together because of geopolitics. It's a field that, like other sciences, appreciates the work despite the inconvenient truth of geostrategic relations.
Justin Sherman
And I appreciate even the context on the way I framed it, which as you said in part, sort of notes that there's no one model. So if we look then, now that we have a picture of what the ecosystem looks like in the US and China respectively, if we compare the two, including with the acquisition process, are there major differences in how the two governments balance stealth and speed and flexibility in offensive cyber procurement?
Winona Bernson
Oh, for sure. And the reason for that, I think, is because these models showcase the underlying values and priorities of the respective nations. Right. So the US is definitely more focused on defense and prioritizes high levels of trust and stealth. So if you think about the US's cybersecurity talent pipeline, a lot of it is geared towards defensive jobs. You see the ONCD cyber talent report that came out in the Biden administration, you see this huge bug bounty community, having better cybersecurity budgets out of CISA, DHS, all of that tailoring to defense. We also, when we do offense, have this Vulnerabilities Equities Process, which, while imperfect, is more than what certain other countries have. Right. For those who aren't aware, anytime the US acquires or creates a vulnerability, there's an interagency process that determines whether or not they're going to disclose it or use it, which has agencies from both the defensive and offensive sides of the table come together. There's also long procurement timelines from the US and high quality assurance requirements, because they're treating these offensive tools as bespoke, high sensitivity items. They don't want to get caught when they're doing these cyber operations. Right. And ultimately I would say that a huge thing about the US is that these policy priorities show that the US has a lot to lose from an economic perspective if they're caught breaking into their own US tech firms and products. And this is pretty obvious in the mobile market, where Android, I think, is on 71% of all mobile phones globally and iOS is on 28% of all phones globally. Which means that 99% of the global mobile market is made by US tech firms. So the US government inherently does not really want to be caught breaking into their own tech companies, and they also don't want that to have an economic detriment on the global markets. So that's the US side. But when you think about China, China does not have those same market caps.
If you think about the global market caps, Huawei, I think, only makes up 4% of the global smartphone market, at least based off of data from a couple years back. And their policy priorities clearly showcase a desire for offense. You see the decentralized procurement allowing a wide array of researchers and contractors to do this, sort of the regulations that pull Chinese companies towards forced disclosure or partnership of vulnerabilities, and then the offensive operations being broader and faster, sometimes at the expense of deniability. The Chinese government doesn't necessarily care about getting caught. And so you see these two separate models that inherently showcase why we're valuing certain things in cyberspace.
Justin Sherman
In your mind, what are the biggest national security or cybersecurity or policy broadly issues that China's offensive cyber pipeline raises for the United States?
Winona Bernson
I think, and this is kind of a common theme throughout this discussion, that the issue is really scale. I really like this fact a lot. China produces every year more STEM grads than the United States produces college grads. Fundamentally, from a population perspective, it's statistically more likely that China will have more people in the offensive security space, and in a highly manual field like vulnerability research, where even though you're producing software, this software does not necessarily scale, having more bodies and people and headcount to throw at offensive cyber should cause policymakers some concerns. On top of that, I write in the report that China is already working to integrate artificial intelligence into its exploit discovery and offensive operations. Which means that they might have at some point, very soon down the line, a breakthrough where they can create offensive operations that do scale, create zero day exploits that do scale. And finally, even with this enormous pipeline of supply, they're continuing to reach out of their domestic sphere of influence more into East Asia and the Middle East to not only get more researchers, but to show other countries that this model of prioritizing national security and cyber operations in their wider ecosystem works. And I think that this type of scale and showcasing to the international community is quite concerning, especially as we're trying to put forward more responsible cyber stakeholdership, not just through the United States, but also within the Five Eyes, the EU, and reaching out into East Asia ourselves.
Justin Sherman
Let's end with some of your recommendations. You highlight that the U.S. procurement pipeline is more or less dominated, you mentioned this earlier, by large prime contractors, and that it can, as in other areas, be difficult sometimes for a small business or an individual to compete. How might we fix this contracting system, both in an ideal world and then in terms of what you think can be practically done in the short term?
Winona Bernson
Justin, are you asking me to fix the DoD contracting system?
Justin Sherman
Pretty much in one to two sentences would be good. Thank you.
Advertisement Voice
Yeah, sure.
Winona Bernson
Great. Cool, cool, cool, cool. So I think the overarching recommendation that I really do have is that while it's pretty much impossible to overhaul our U.S. government contracting system, there are ways to fix this pipeline that adhere to our values. And I think that's the common theme here, because we don't necessarily want to change the way that we prioritize economic security and international norms and making our allies know that we care about them. We can do things that don't tie our hands in the offensive security space while still adhering to the things that we hold dear. So I list quite a few recommendations in the report, but I think the three big things would be, first, creating accelerator programs for vulnerability research. Accelerator programs exist for software. We have the model. DIU does this all the time. So does SCO. Taking a model for more enterprise software and moving it towards vulnerability research is something that would provide these smaller firms the resources to continue to be in this space. The second would be protecting and supporting security research in general, especially when these bespoke cyber capabilities are created by a finite pool of international talent. We don't necessarily want them to be worried about lawsuits or the threat of being arrested, especially if they're being contacted by foreign intelligence, for example, which has happened not just by China, but also, I think, very famously, North Korea has been reaching out to a lot of U.S. vulnerability researchers and trying to steal their wares. And then the last thing would be just being more open and transparent as a government about how or what vulnerabilities should be acquired or sold. The fact that this inefficiency comes from all of this cloak and dagger around vulnerability research and around this industry is kind of needless to some extent. Obviously there are some security requirements and people want to know that they are working with trusted parties. That makes sense.
But human rights organizations have been pushing for more transparency for years, and no one has really talked about the amount of money we're wasting by keeping this concept a secret.
Justin Sherman
And when it comes to vulnerability research and the changes that you recommend in the paper for the US approach, are there risks if we focus on China as the competitor in intentionally or unintentionally adopting any tendencies that could actually be detrimental to the US cybersecurity and ethical independent hacker ecosystem?
Winona Bernson
Oh, yeah, for sure. And I think this goes back to abiding by our values while finding ways to make this more efficient, right? I think ultimately the act of vulnerability research is a necessary good, and I know that there are people who will disagree with me. And also the fact that the U.S. has a defensive-focused funnel is also good. We want people to trust U.S. products in the international market, right? I think there is this temptation here to start thinking about, okay, can we mandate bugs, or can we create backdoor laws, or, you know, prevent technology firms from fixing their products? I think that's definitely not the route that we should go down. Instead, talking about how the U.S. and Five Eyes are doing offensive hacking and using sunlight as a disinfectant is the antithesis to the rigid regulatory mandate approach that China is using.
Justin Sherman
You also mentioned the counterintelligence issues associated with foreign governments trying to recruit really bright independent hackers and technologists, both witting and unwitting. How can the U.S. government, but maybe also the hacker community, I'm not sure, how can we better support those hackers who might independently decide that they do want maybe some guidance or some tips or something like that to mitigate the risk that, you know, someone comes up to them at an overseas CTF, capture the flag, competition?
Winona Bernson
Yeah, that's such a great question. I'll say, for all of the hackers listening in on this call: if somebody approaches you and says that they work for X government and they want to buy your bug, especially if it's the U.S. government, ask to meet them in the embassy. I feel like that's a pretty calm way of either shutting down the situation, because they're not actually who they say they are, or then you know for sure that they are who they say they are, right? But from a U.S. government side, vulnerability researchers in the private sector actually already use companies or funds like the Security Research Legal Defense Fund to defend themselves from lawsuits that seek to chill their research. And the basis of that actually comes from a DOJ guidance or policy opinion where the DOJ said, hey, if it's good faith security research, we're not going to prosecute, or you could use it as a solid defense. And I think there are moves, at least in the private sector, to try and get some of that exception codified in the CFAA, which is the U.S.'s Computer Fraud and Abuse Act, the primary anti-hacking law. I'll say that there is already a national security exception in the CFAA, little-known section 1030(f), that has not yet been tested in the courts or in any sort of public document that I've been able to find. And potentially having the DOJ issue certain guidance around what is protected national security research, are you a company that provides these services to the United States government, is a possible avenue to explore. But that doesn't necessarily solve the foreign intelligence issue, right? That's only if you accidentally get caught up within U.S. law or get sued by a U.S. company. On the counterintelligence issue, I think it's really important for the FBI or CISA to be able to have some sort of hotline to provide resources.
I think the fact that Google was one of the first companies to come out and say, hey, the North Koreans are targeting security researchers, and then to have the government pretty silent on it was pretty chilling to the wider security research community, where ultimately the U.S. government at the time effectively signaled, sure, you can provide these services that are crucial to our national security, but we're not going to help you if even the Hermit Kingdom decides to go after you. I think that that's something that the U.S. government should change, especially if they want to support this sort of research.
Justin Sherman
Certainly. And I incidentally was watching some communique earlier built for businesses generally just to be aware of nation state issues. And so those are all helpful recommendations. One of the last things you mentioned is recommendations to limit China's access to some of these offensive cyber capabilities while ensuring the United States has continued access to the right talent. I'm wondering if you could explain to us how you think the United States government and country generally can make that happen.
Winona Bernson
Saving the spiciest question for last, Justin. I'll say that in 2017, the CEO at the time of Qihoo 360, which is currently on our U.S. government entity list, stated that vulnerabilities are now a national strategic resource. And I think that the U.S. government is only really now, in the year 2025, catching up and realizing that that is the case. And so we are at a little bit of a disadvantage just from a temporal perspective. We're eight years behind. And so at this point, Chinese firms, Chinese vulnerability researchers, Chinese offensive security conferences are already reaching out to the international community and saying, hey, come work with us, come work with us. Which is kind of interesting when you think about the fact that there are only a couple of thousand people who are really in this game and in this industry seriously, and only probably in the low hundreds of people who can do this job really well. And so the U.S. government should be cooperating with allies to work with some of the best minds in East Asia, in South America, in Europe. I mean, if we're thinking about China's backyard, South Korea, Singapore, Thailand, all of these countries have phenomenal CTF players, researchers, bug bounty contributors, and shielding those up-and-coming talents from the regulatory pipeline of the Chinese intelligence apparatus I think will be crucial to maintaining a long-term competitive advantage. And this doesn't have to be on the U.S., right? We are in a Five Eyes alliance. We are going through the Pall Mall process with the UK and France. Creating diplomatic programs, potentially through any of these avenues or with these other countries, focusing on technical talent exchange and industry-wide collaboration would also be an avenue, and I would be remiss to not talk about how AI security research is also going to need to be under this umbrella, particularly as AI-enabled offense becomes more prevalent.
I'll also add this one last tidbit which I found interesting from the i-Soon leaks and then also from interviews with China analysts, and that is that the Chinese government deliberately depresses payment for vulnerabilities, unlike the U.S. model, which by contrast has huge, huge margins. So at least, you know, for hackers who may be listening to the Lawfare podcast out in Asia: we'll pay you better. That's probably my rallying cry, though, to the government: to treat these hackers like the strategic resources that we are and to appreciate the work, because this is the work that underpins what a cyber power can do.
Justin Sherman
That's all the time we have. Winona, thank you for coming on.
Winona Bernson
Thank you so much for having me.
Justin Sherman
The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patia, and our audio engineer this episode was Kara Schillen of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
The Lawfare Podcast: The Offensive Cyber Industry and U.S.-China Relations with Winona Bernson
Release Date: July 7, 2025
In the episode titled "Lawfare Daily: The Offensive Cyber Industry and U.S.-China Relations with Winona Bernson," hosted by Justin Sherman of The Lawfare Institute, expert Winona Bernson delves deep into the intricate world of offensive cyber operations, especially focusing on the competitive dynamics between the United States and China. This comprehensive discussion sheds light on the complexities of the cyber weapons market, procurement pipelines, and the broader national security implications stemming from these activities.
Justin Sherman (02:11):
"Welcome to the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Winona Bernson, non-resident Fellow at the Atlantic Council's Cyber Statecraft Initiative and author of the report Crash, Exploit and Burn: Securing the Offensive Cyber Supply Chain to Counter China and Cyberspace."
Winona Bernson (03:24):
Shares her background, highlighting her five years in cyber threat intelligence at Recorded Future and Google, founding DistrictCon, Washington DC's newest hacker conference, and her current role at the Atlantic Council.
Justin Sherman (04:26):
Introduces the premise of Bernson's report, questioning whether the U.S. possesses a robust offensive cyber supply chain capable of countering Chinese cyber operations.
Winona Bernson (04:26):
Explains that the report analyzes how the U.S. supplies and acquires offensive cyber capabilities, particularly zero-day vulnerabilities, and compares it with China's approach. She concludes that the U.S. may lack the scale and efficiency of China's cyber supply chain.
Justin Sherman (05:43):
Asks Bernson to elaborate on the "offensive cyber supply chain," seeking clarity on its components.
Winona Bernson (06:06):
Describes the components of cyber operations:
She emphasizes the focus on zero-day vulnerabilities—previously unknown security flaws exploited before vendors can address them.
Notable Quote (06:30):
"Zero-day exploits are used... especially those conducted by nation-states. They allow attackers to break into modern, up-to-date systems which have strategic value to great powers like the U.S. or China."
Justin Sherman (07:48):
Highlights the perception of zero-day exploits as cyber superweapons and probes into the reality of the market dynamics.
Winona Bernson (09:05):
Clarifies that zero-day exploits are essentially sophisticated software designed to exploit vulnerabilities. She outlines the commercial nature of the industry, involving:
Notable Quote (11:16):
"The zero-day market is a billion-dollar industry selling code that exploits flaws in widely used products."
Justin Sherman (11:16):
Inquires about the requirements for businesses to succeed in developing and selling zero-day exploits.
Winona Bernson (11:26):
Distinguishes between creating and selling zero-days:
Notable Quote (13:15):
"An individual researcher might sell a good bug for $100,000, but by the time it reaches the customer, it could be priced at $750,000 to a million dollars."
Justin Sherman (14:20):
Asks about the differences between the U.S. and Chinese offensive cyber acquisition systems.
Winona Bernson (15:12):
Explains that the U.S. system is fragmented and traditionally designed for tangible defense assets, favoring large prime contractors and creating inefficiencies. In contrast, China employs decentralized contracting methods, allowing state and local branches to procure cyber capabilities more fluidly. This decentralization in China facilitates broader and faster offensive operations without stringent international norms.
Notable Quote (15:12):
"Chinese acquisition processes use decentralized contracting methods and decentralized operations, allowing for broader and faster offensive cyber activities."
Justin Sherman (32:36):
Probes into the national security concerns the U.S. should have regarding China's offensive cyber capabilities.
Winona Bernson (32:48):
Highlights the scale of China's efforts:
Notable Quote (34:38):
"Having more bodies and people and headcount to throw at offensive cyber should cause policymakers some concerns."
Justin Sherman (35:07):
Requests Bernson’s recommendations on improving the U.S. cyber procurement system.
Winona Bernson (35:13):
Proposes several strategies:
Notable Quote (35:13):
"Creating accelerator programs for vulnerability research... protecting and supporting security research in general... and being more open and transparent as a government about how or what vulnerabilities should be acquired or sold."
Justin Sherman (39:08):
Asks how the U.S. can better protect hackers from foreign intelligence attempts.
Winona Bernson (39:47):
Offers practical advice for hackers:
Notable Quote (39:47):
"If somebody approaches you and says that they work for the US government, ask to meet them in the embassy."
Justin Sherman (42:20):
Queries strategies to limit China's access to offensive cyber capabilities while nurturing U.S. talent.
Winona Bernson (42:57):
Recommends:
Notable Quote (42:57):
"The US Government should be cooperating with allies to work with some of the best minds in East Asia, in South America, in Europe."
The episode concludes with Bernson emphasizing the necessity for the U.S. to revamp its offensive cyber procurement processes to better compete with China. By fostering innovation, protecting researchers, and ensuring transparent government interactions, the U.S. can strengthen its cyber capabilities while upholding its national security and ethical standards.
Winona Bernson (45:48):
"Thank you so much for having me."
Justin Sherman (45:52):
Encourages listeners to support Lawfare and explore related content.
Key Takeaways:
Notable Quotes:
This episode provides a critical examination of the offensive cyber landscape, underlining the urgent need for the U.S. to adapt its strategies to maintain cybersecurity dominance in an increasingly hostile digital environment.