
Jen Easterly
We have to understand that we really don't have a cybersecurity problem. We fundamentally have a software quality problem. And the reason why we have hacks and breaches and data theft and disruption is really because of decades of misaligned economic incentives where technology vendors and software manufacturers have been allowed to develop and deliver essentially flawed, defective, insecure software because they've prioritized, they've been allowed to prioritize speed to market and cool features and driving down cost and convenience all over security.
John Finer
Welcome back to the Long Game. I'm John Finer.
Jake Sullivan
And I'm Jake Sullivan. It's Thursday, May 20th, and we're gonna step back from the crush of day-to-day crises to explore a subject that is vital to the future of national security and geopolitics. And that issue is cyber. Now, we thought this would get us away from the headlines for a bit, but literally, as we record this episode, the President is getting ready to sign an executive order on AI and cybersecurity. So this topic is actually about as timely as it gets. And we have the ideal guest for this conversation, our friend and former colleague, Jen Easterly. Jen is a giant in the world of cyber. She was the Director of the Cybersecurity and Infrastructure Security Agency, CISA, from 2021 to 2025. As a West Point graduate and a U.S. Army officer, she helped create United States Cyber Command. She also commanded the Army's 1st Cyber Battalion. And oh yes, along the way she earned two Bronze Stars. She served twice at the White House, once as Special Assistant to President Obama and Senior Director for Counterterrorism, and once as Senior Policy Advisor to then National Security Advisor Condoleezza Rice. She also has top-level private sector experience, serving as the head of firm resilience for Morgan Stanley, leading that firm's cybersecurity and physical security resilience strategies and establishing the financial sector's first cybersecurity fusion center. And now she is the director of the RSA Conference, the world's premier global cybersecurity convening. Most importantly, she has earned the Jake Sullivan and John Finer award for being the biggest badass in the world. We call it the BBBW Award. So, Jen, welcome to the Long Game.
John Finer
First and only recipient. Congratulations.
Jen Easterly
Wow. Okay. All right. I'm glad to be here. It's great to see you guys.
Jake Sullivan
Good to see you.
John Finer
We obviously face cyber threats as a nation from both state actors and non-state actors. It would be helpful, I think, for our listeners if you could characterize those threats a bit in a concrete way. We sort of speak abstractly about the specter of cyber attacks a lot. But tell us what we have in mind when we worry about this.
Jen Easterly
You know, we talk about the cyber threat landscape, right? And people, you know, sort of glaze over, what does it all mean? But you know, it comes down to essentially nation state actors that we know are very focused on a variety of things to go after our critical infrastructure. Whether that's stealing data, whether that's implanting capabilities to disrupt the ability to operate, or essentially it's cybercriminals. It's the whole range of gangs that are either given safe haven or sponsorship by Russia, China. And much of what they're doing is deploying ransomware, essentially malicious software that can allow them to lock up data, hold it for ransom, and then force many of these owners, operators that we were working with, to pay money to get their data released. That is how typical citizens will look at what is affecting me. Is my data safe? Am I going to get breached? Am I going to get hacked? That is the experience that most people think about when they're concerned about cyber threats out there. But I think it's really important to sort of take a step back and to think about broadly the context of where we're at. Because we talk so much about cyber threats and about the dangers of espionage and disruption. And we can talk about these crazy names which always bother me. Volt Typhoon, Cozy Bear, Fancy Bear, Midnight Blizzard. I think we spend way too much time glorifying the bad actors. But I think fundamentally we have to understand that we really don't have a cybersecurity problem. We fundamentally have a software quality problem.
And the reason why we have hacks and breaches and data theft and disruption is really because of decades of misaligned economic incentives where technology vendors and software manufacturers have been allowed to develop and deliver essentially flawed, defective, insecure software because they've prioritized, they've been allowed to prioritize speed to market and cool features and driving down cost and convenience all over security. So for years and years and years, security has been a bolt-on. That's essentially what created the multi-billion-dollar cybersecurity industry. So when we talk about these hacks and these attacks and all of that, it's not this sort of organic, there's nothing I can do about it, I just live in a world where I'm constantly vulnerable to attacks from Russia or China or these cyber criminals. It really comes down to the fact that, frankly, we've built this rickety mess of infrastructure and there are real things that we can do to fix it. And frankly, that's why I'm excited to have this discussion. I'm excited about the EO on AI and cybersecurity because we are in a moment where I think we can be much more optimistic about long-term reduction of cyber risks so that our citizens can be safer from these very serious threats.
Jake Sullivan
What are the steps we need to take? How do we change that structure so it's no longer rickety, but it's much more robust?
Jen Easterly
We did a lot of work even before these capabilities were released, Mythos and ChatGPT 5.5 Cyber, essentially these frontier AI capabilities that are very, very good at writing code and therefore very, very good at recognizing flawed code. I know we'll talk a little bit more about that, but when I was at CISA, one of the things that the team did that I think made perhaps the biggest impact was this launch of a Secure by Design campaign that again was rooted in changing the incentives for vendors to actually design and develop and test and deliver much more secure software. And so we launched this multifaceted campaign. We worked with hundreds and hundreds and hundreds of technology vendors who voluntarily signed CISA's Secure by Design pledge, essentially committing to taking very material steps across several different pillars to reduce risk to software. We also did things like work with universities to emphasize not just writing code, but actually writing secure code. We worked with lawmakers and legislators, regulators around the world to advance the idea of a software liability regime, one that was rooted in an articulable standard of care, and one that could provide safe havens, essentially provisions for those technology vendors that were responsibly innovating using secure development practices. And then importantly, and this is what I spend a lot of time talking to CEOs and boards of big companies about. You know, we worked hard to turn this Secure by Design, the sort of technical side on the supplier side, into Secure by Demand. Really rooted in the fact that we really need to use our purchasing power. Particularly think about big companies that have choices in terms of the kind of technology that they integrate, complicated supply chain. So the idea is these companies actually should be using that consumer choice, that purchasing power, to demand much, much more of their vendors in terms of what they buy from them.
A great example of this was JP Morgan. Their CISO actually issued an open letter to software providers last year, basically saying that the modern software delivery model was weakening the global financial ecosystem and actually enabling cyber attacks. And they called for vendors to prioritize secure design over rushing features to market. So it was both on the supply side and on the demand side. And that was, I think, one of the really important things we did, and one of the last things we did was work with all of the frontier AI labs as part of our Joint Cyber Defense Collaborative, the JCDC AI, to advance this idea of Secure by Design AI. Because when you think about these capabilities moving much faster, much more powerful, and, oh, by the way, unpredictable, these labs have a real burden they should be bearing to ensure that these capabilities are built with security as the top priority. No longer can we just transfer risk to customers as we've been doing for 40 years.
John Finer
So we'll talk more obviously about the intersection of cyber and AI. But I want to come back to this concept of software vulnerability and purchasing power as a tool to try to incentivize the creation of better software. It's a subset, I think, or the core in some ways, of a larger problem in the cyber landscape, which is that the threat surface, this phrase we use to describe essentially the targets of cyber attacks, is largely held in private hands, held by the private sector, controlled by the private sector, protected to some extent at least by the private sector. And I guess my question is, if all of this critical infrastructure, or the vast quantity of it, banks, the electrical grid, hospitals, pipelines, transportation infrastructure, is in private hands, what can the government do to incentivize or force better practices, given that the national security implications of an attack are felt by all of us?
Jen Easterly
The biggest issue is the government has never addressed the clear market failure that is created by software. Not to get too geeked out from my teaching economics days, but software is essentially a credence good. Customers can't look at a piece of software and say, oh, that's super secure, or oh, I'm going to be massively hacked. So they don't really know what to ask for. And therefore the vendors, the makers of that software, are not incentivized or rewarded to actually focus on security. And so therefore they don't. They focus on speed to market and features and driving down cost and convenience. And so you have a market failure. So what of course happens when you have a market failure, the government steps in with some sort of regulation to try and deal with that market failure. But at the end of the day, we've bought into this myth that software vulnerabilities, the flaws and defects that lead to the hacks and the breaches, software vulnerabilities are this myth of they're just these inevitable things. There's nothing we can do about it. It's like an act of God or a weather event. And so the government has never solved that market failure. So anybody here who is in business, I'm sure a lot of folks listening, go back and look at the contracts that your folks have signed when you buy, acquire, purchase software. And I will bet you that inside that contract language that I'm sure is multiple pages, there's somewhere that says you bear the entire risk of this purchase. I've looked through a lot of contract language and it's pretty surprising that essentially in the making of a lot of these technology products and software, we've seen the greatest transfer of risk in modern history since the dawn of the Internet. The transfer of risk from the makers of these technology products to the consumers of these technology products.
So the market failure was never fixed, either by any sort of technology-focused regulation or what I think could make the most difference, which is some sort of a software liability regime. You have liability for cars that are made badly or for medical devices. Those are the things that could make a difference. But we've never done that. So again, we spend a lot of time glorifying the villains. The Salt Typhoon and the Volt Typhoon and the Midnight Blizzard and the Cozy Bear. I remember, Jake, you and I were talking about this when, you know, in the days of SolarWinds, like what is this Cozy Bear? What are these Fancy Bear things? These glorify and glamorize these villains. We spend time blaming the victims, right? You know, somebody gets breached, oh my God, how could that happen? Why didn't they put the procedures in place? And we don't spend very much time at all holding vendors accountable for creating higher quality products. And so that is, you know, essentially the embodiment of why we're at where we're at. I think there are legislative solutions to this and I hope that we have legislative solutions on the AI side. But there are also things that I think AI can fundamentally do to reduce risk because they can solve the issue on those flaws and defects by writing more secure code and by using capabilities as we've seen released in the last month, whether that's Mythos from Anthropic or ChatGPT 5.5 Cyber released as part of their Trusted Access to Cyber program. These are tools which can actually very, very rapidly find those flaws and defects in the software and then enable us to remediate them. And so that's part of why I'm excited and optimistic about these new tools being able to accelerate us to a world where we have much more secure and resilient software underpinning our critical infrastructure.
John Finer
Let's get to the news of the month, which we've referenced now a bunch of times. It's been in the headlines, cybersecurity, because of the announcement by Anthropic of a new model called Mythos, Jen, which you referred to, which was quickly followed by a similarly capable model from OpenAI called GPT 5.5. What do you make of these models for cyber threats specifically? How big of a game changer is this even just compared to the previous generation of models? And how do you think about how the government is handling the onslaught, the advent, I should say, of these models so far?
Jen Easterly
Yeah, I mean, I think it is a step change. I do not have direct access to these models, but I've spent a lot of time over the last month having conversations with folks who are actually using them and employing them. And everything that I have heard is they are a step change in the ability to find vulnerabilities in infrastructure. And again, going back to sort of the canonical issue that has led to the cybersecurity problem set, all about these flaws and defects which we have normalized to call vulnerabilities in the code. These capabilities, Mythos Preview, which was released, constrained release, as part of Anthropic's what's called Project Glasswing, and then shortly followed by OpenAI's GPT 5.5, released in also a constrained way through their Trusted Access for Cyber. The key thing to know about these is they have an extraordinary ability at speed and scale to find those flaws and defects in code bases. Right now I think the really important thing, and actually like the fascinating thing to me, you guys, is the fact that you had private sector companies, first Anthropic and then OpenAI, voluntarily decide to constrain deployment. I think that is pretty incredible when you think about the history. The history of technology development and deployment is all about rush to market, get that feature out first, get your product out first, competing on driving down costs. So having a private sector company, and there's a big debate out there, was it marketing, was it hype? And they called it this thing, Mythos, and all of that.
Having talked to the technical folks and the security folks, I think at the end of the day they made a very responsible decision to actually limit and constrain the deployment to key technology companies, key cybersecurity companies, and select critical infrastructure owners and operators so they could deploy these tools, so they could find and fix those vulnerabilities, those flaws, those defects in their infrastructure, remediate them, because it's, you know, it's, I don't want to say trivial, but it's much easier to find these flaws and defects than it is to fix them. And so that's why this constrained deployment is so absolutely notable and I think should be welcomed and applauded in some sense, because again, these private sector companies, there's no regulation and their only incentive to constrain that deployment is their belief that it was the right thing to do from a security perspective. So again, you saw that with Anthropic, you saw that with OpenAI, and we should be pretty realistic about this given the speed of how these things are going. You've seen Anthropic, it's about five weeks now, GPT 5.5 pretty recently. But these models, these very powerful, what I call frontier cyber models, they are going to be widely available within nine months to a year. We'll see open weight models available, meaning that they can be essentially used and implemented much more widely than we're seeing now in this constrained deployment. And so at the end of the day, I think the fact that defenders have essentially been given a head start to use these tools to reduce risk to the critical infrastructure that Americans rely on every hour of every day. Again, finance, water, power, communication, transportation, health care. The fact that it is a constrained, limited deployment to allow defenders to get that head start, I think is a very notable and important thing.
And now it looks like the administration is going to put out an executive order that to some extent codifies what the private sector is already doing. They've already been voluntarily providing their models to the Commerce Department, the AI Standards and Security, CAISI, which used to be the AI Safety Institute. They have been allowed access to these models so they can benchmark them and kind of get an understanding of how powerful they are. There's also been given access to the AI Security Institute in the UK, again to be able to analyze how these models can be used, how effective and powerful they are. And now it looks like this EO, I think, and I welcome this as well, is going to essentially say when these models can implicate significant risk. Again, if they get out from just the defenders to potential adversaries who could use these capabilities. We want to know that. And I think the government rightly wants to put some sort of constraints around how these models can be deployed. Because what you don't want to have, and you can do a thought experiment of if China had the compute and if they had gotten to a model like Mythos before the US did, whether it was DeepSeek or any of their companies, I think we would be in a really, really bad place. And so we should be pretty thoughtful about how these models are going to be deployed and really ensuring that defenders have the capability to reduce risk to critical infrastructure. Now, all that being said, these models will get out, our adversaries will have these models. And I do believe, even as we are on a path to what I optimistically believe is a significant reduction in cyber risk and a significant improvement in software quality in the next two to three years, where ransomware will not be a multi-trillion-dollar business, but rather a shocking anomaly, on the way to that path we will likely see some significant disruption.
Jake Sullivan
So Jen, just to put a fine point on it, you think within the next year, I think you used nine months as the timeframe, you think our adversaries will basically have ready access to this type of capability?
Jen Easterly
There's been some writing on this. I think Anthropic published something about how to prevent China in particular, which is, you guys know, the pacing threat when it comes to cyber capabilities. How to delay their ability to get the right compute so that they can compete on the level of Mythos. But I think unless we are pretty purposeful about preventing these models from getting out, really being able to constrain them, I think we're going to see either development or there may be sort of leaks or abuse. Obviously there's the distillation issue, which is essentially having access to a powerful model to train a less capable model. There was something put out by the Office of Science and Technology Policy. I think Director Kratsios has talked about this, specifically our concerns about adversaries distilling. Essentially you can say stealing access to models to create something just as capable. But the big answer to your question is yes, I think within a year our adversaries will have access to these, which is why to some extent these are the most powerful capabilities, cyber capabilities, that we have seen developed. And so in some sense defenders are in a race to be able to use them to find and fix vulnerabilities.
Jake Sullivan
To follow up for a second on this offense-defense balance, because it's always a cat and mouse game. And here the same capability to detect vulnerabilities can be used on the one hand to attack and exploit them, and on the other hand to defend and fix them. As you were just laying out, and you just talked about the head start, so Project Glasswing and the provision of these models to the government and to tech companies and banks and cybersecurity companies and others, the head start that's given to defenders. But as you look out over the next two to three years, during this window where we could see disruption, does offense or defense have a greater advantage in this new age of AI-enabled cyber, as these capabilities continue to develop?
Jen Easterly
I mean, it's always this: AI, the hackers get a little bit better, the defenders get a little bit better. But let me bring you back to something that all of us grappled with. And that was what I thought was the most serious issue when I was the director of CISA. And that was the hackers from the Chinese People's Liberation Army burrowing deep inside our most sensitive, critical infrastructure. As you recall. Water, power, transportation, communication. And it wasn't to steal our data or to spy on us. Rather it was to be able to launch disruptive attacks in the event of a crisis in the Taiwan Strait. So this is a world where a war in Asia would be accompanied by mass disruption. I always talked about it. Everything, everywhere, all at once. You could think about power unavailable, water unavailable, trains derailed, comms severed, all to incite societal chaos and panic and to deter our ability to marshal military might and citizen will. So that was one of the, I would say, the most serious things that we dealt with at CISA. And of course, as you can imagine, we had a full court press effort, my teams working with critical infrastructure owners and operators across the country to help them identify and hunt for and eradicate these PLA hackers from critical infrastructure. But at the end of the day, we thought what we found was just the tip of the iceberg, which again is why resilience is so important. But the thing about that campaign that really illuminated to me this idea of cybersecurity versus software quality is these very sophisticated, very well resourced hackers from the Chinese People's Liberation Army were not using exotic cyber weapons to hack into our critical infrastructure. They were just taking advantage of basic defects, the common flaws that were in things like routers and switches and firewalls. Technology that every one of us uses, whether it's in our home office or whether it's in our business.
And so we have failed to create friction for these threat actors. We've actually made it pretty easy on them to be able to go after our critical infrastructure. And so I think we think of these actors as these hugely powerful and well resourced things. No, at the end of the day, we have made their jobs easy because of the market failures and the lack of liability and real regulation at the software layer that I talked about. So all of which to say, I think if we are able to use these capabilities, both of the things, all of the things we put in place, Secure by Design, but very importantly, these powerful capabilities to fix the fundamental issues in our software that we rely upon, both to create more secure code going forward, but to be able to find and remediate the flaws and the defects in the code that we've been relying on for years and years and years, that all we've done is patch and patch and patch and patch into a big rickety mess. And until now it's been too risky and too expensive to do anything about it. But this is where these capabilities, deployed responsibly by the labs and by the critical infrastructure owners and operators, the big tech companies, the cybersecurity companies, can actually significantly, significantly reduce that cyber risk and improve that software quality. And that is where I am extremely optimistic about a path to, you know, it's no longer clean up on Aisle 9, which is the way it's been for years and years, but a path towards much greater resilience. And so that is why I'm optimistic, Jake, is because it hasn't been exotic cyber weapons against super strong and resilient infrastructure. So this is finally the way to make a much more effective playing field for the defenders.
Jake Sullivan
Can we talk for one more minute about deterrence? Because this is something obviously we all dealt with when we were in government. We have a kind of mental model for how you deter other countries from attacking us physically, from bombing us or firing missiles at us. Basically by saying, if you do that, we will hit you back hard physically, we will bomb you or fire missiles at you. And that form of deterrence is quite legible to us. Deterrence in cyberspace has been more difficult. Part of that is the challenge of deniability. Even if we can attribute it, there's a little bit of muddiness in that. Part of it is the "or else." Yes, you can hit back in cyberspace, but that doesn't necessarily create the same level of deterrence. So if you're sitting there in the White House or at DHS or at Cyber Command or the National Security Agency and you're thinking, how do we get adversaries not to do this in the first place? Not just how do we defend effectively. You just mentioned the use of offensive cyber. To this end, do you have further thinking on how to conceptualize deterrence in light of the nature of this threat?
Jen Easterly
Yeah, I mean, I always go back to Joe Nye, who wrote a great piece in 2017, I think, in International Security Policy, where he sort of talked about deterrence and dissuasion in cyberspace. And the four basic things were defense, offense, norms, and then economic entanglement. And you could argue that norms, at the end of the day, they don't really matter. They're only for the good guys. Our adversaries are not going to pay much attention to norms. You could say, like economic entanglement, but are we really in more like economic coercion right now? At the end of the day, I think you all are going to do a readout on the discussion. I think ensuring that we have some connection with China from an economic perspective, that could have a deterrent impact. So there was a ton of things that we did at CISA to really help us on the defensive side. But we did work very closely with NSA as well as the federal cyber ecosystem and Cyber Command. So that what they were doing, whether it was through hunt operations or understanding how our adversaries were operating on our networks or other networks, really informed what we did defensively. And then what we were doing defensively could help inform that offense-defense flywheel in terms of how they could take certain actions to hold our adversaries at risk. And, you know, I think attribution got, frankly, easier. You know, there was a time maybe 10, 15 years ago where we're sort of, you know, struggling. Is it North Korea? Is it, you know, the Iranians? But I think we're better and better at attribution. It's just that, with respect to the Volt Typhoon issue, I think it really came down to the fact that we believe, from what we found, China was very willing to hold the full range of critical infrastructure at risk, to include civilian critical infrastructure. Right. I think the question is, how do we think about that? Is that something that we want to do? Because we look at it differently.
We make a distinction, as you well know, between civilian and military infrastructure. So in terms of how we hold our adversaries at risk, I think there are a lot of policy decisions that need to be made in terms of how do we actually level the playing field with respect to what we can do to incentivize our adversaries not to take certain steps against our own infrastructure.
John Finer
I do want to stick with this theme of cyber as a weapon of war, because we have some recent experience with it, Jen, in particular, in the context of Russia, Ukraine. You were in the seat, as we were, when Russia launched its brutal invasion, full-scale invasion, of Ukraine. You helped Ukraine actually set up its defenses. I'm wondering what you, we as a country, have learned from that experience, about how cyber has been used by a very, very adept cyber adversary, the Russians in this case, in the course of that conflict. And has there been anything that surprised you as that war has unfolded over the last now several years?
Jen Easterly
Yeah, it's such a fascinating case study when you go back to that. I mean, everything around what you all did from a White House perspective, to get information out so that we could actually use a lot of that information, and some of it was declassified by the intelligence community. We could use that to help critical infrastructure entities prepare for potential Russian retaliatory cyber attacks. Now, they didn't end up manifesting, but by using that information, we were so much better prepared if there were significant attacks. And so I think that was a very good news story in terms of it's all about preparation. It's not about panic. It's the same story with Mythos. Nobody should be screaming like, oh, there's nothing I can do. There's a lot that can be done from a preparatory perspective. Perspective. That was one early lesson that I learned in terms of how do you actually bring the federal government, the ecosystem, cisa, but also FBI, nsa, US Cyber Command, together on one platform with the private sector to be able to provide the information at different levels of classification. Some of the ts, some of the secrets, some of the state and local level, we would talk to them about, here's the information we have and here's how you reduce risk. So, so I felt really good about that shields up campaign. Now, again, we did not see any massive retaliatory attacks against the US And I think that at the end of the day, part of that was because I think Russia just miscalculated in terms of how difficult it was going to be. And a lot of their cyber was very much focused on Ukraine, but then it was overshadowed, certainly by the kinetic attacks. But because of the brutal nature of those kinetic attacks, I think we don't often really focus on how much Ukraine itself, the Ukrainian cyber defenders, have weathered very serious cyber attacks. 
I think the big lesson I learned, frankly, was how important it is to develop systems that are resilient, meaning we use the R word a lot, but what does that actually mean? So it means that you are architecting your systems and your networks so that when the inevitable disruption occurs, you can actually respond very quickly and importantly recover, because you have an alternate way to operate that system and you've exercised it. So if you have to move to another data center, if you have to move to manual controls from automated controls, all of those were things that we were learning in real time as the Ukrainian cyber defenders were dealing with an onslaught of attacks. And I think the thing that perhaps surprised me, but just incredibly impressive, was just watching them deal with very, very powerful and very, very capable early threat actors and being able to maintain their infrastructure to continue to keep going. I was there with Ambassador Nate Fick in February of 2024 as part of their Cyber Resilience Forum. And just seeing resilience, the words that come to mind are like innovation. It's almost like my time in the military. You always loved being with the really junior folks in the Army and the Marines because they were always coming up with incredibly innovative ways to get the mission done. And that's how I looked at the Ukrainian cyber defenders. You know, incredibly smart, incredibly innovative, great partners, and just a model of how to be resilient in the face of an onslaught.
John Finer
We've got two major wars going on right now. One in Europe, obviously, one in the Middle East, which we've talked a little bit about, the war in Iran. And at first glance, to me at least, you may feel differently, it doesn't seem that cyber has played a particularly prominent role in the sort of outcome of either of them. David Sanger has called cyber the perfect weapon. But I just wonder, given how these conflicts are playing out, whether that overstates the case for what cyber can do, or have countries just pulled their punches? Is there more going on below the surface, cyber wise, than people realize? How would you characterize why it feels, at least to me, like cyber has played less of a role in each of these than we might have feared it would before they started?
Jen Easterly
Well, let's talk about Iran specifically, because, you know, at the end of the day, we have seen Iranian actors, obviously the Handala attack against Stryker. We've seen, you know, recently, the attack
John Finer
very early in the war.
Jen Easterly
Yeah, very early on. And then more recently, I think CISA put out an advisory about some sort of an attack against the automated tank gauges. So, you know, it just affected what the gauge readings were, didn't actually affect the tanks themselves. And so there is a bit of this going on. I think what we have to remember about Iran is, you know, the long history of Iranian cyber, which is, I wouldn't put it up there with China and Russia. I would sort of put it second tier with Iran and with North Korea. But look, and we should keep this in mind, not just for cyber. I mean, going back to my old hat as the head of counterterrorism, when I first got to know Jake in the Obama administration, Iran looks at revenge as a dish best served cold. And so I don't think we should assume that we would see massive cyber attacks or massive terrorist attacks or sleeper cell attacks right now. I think we need to be very concerned that these are things that may manifest in the longer term. Right. If you think about those, you know, whatever you want to think about Stuxnet, you know, it was several years later that we actually saw the Al Qassam Cyber Fighters, which of course were the Iranians that went after the banks. That's how I ended up at Morgan Stanley, being asked to build their cyber fusion center, was because of the extensive Iranian distributed denial of service attacks against most of the major banks on Wall Street, which occurred in the 2020 retaliation for an attacking time frame. Yeah, but that was years between that, John, is my point. And so we should just not assume because things. And there may be, to your point, there may be stuff going on that we're just not seeing, but because we're not seeing it now I don't think we should, particularly with respect to Iran.
I don't think we should expect that things are going to be over and we're out of the woods both in terms of terrorist attacks with respect to IRGC or Lebanese Hezbollah or sleeper cells or cyber attacks.
Jake Sullivan
All right, Jen, you've been extremely generous with your time. We're really grateful. We would like to try something now, just out of our deep sense of gratitude, which is a lightning round where we throw out a phrase and you respond to it in one word or a few words, and we'll see how this goes.
Jen Easterly
Wow. Okay.
Jake Sullivan
This is the first time we've done this, so you are the guinea pig. Fantastic. I'll give it a start and then we'll go back and forth between me and John. TikTok.
Jen Easterly
So this is interesting. It's not going to be a word or a phrase, but I was actually looking to see how we could start using TikTok for our social media tools. So becoming more open to using these types of capabilities, particularly given the change in ownership. Deepfakes, lots of concern, particularly given the upcoming midterm elections. Crypto bros, don't really think about them, to be honest.
John Finer
Open source, a phrase you used a bit earlier in this conversation.
Jen Easterly
Yeah, well, let me give you a sentence on this. This is one of the things that I think the government really needs to be focused on for folks that care about open source, which is really the plumbing of the commons of our software ecosystem. Much of the businesses draw upon open source software, open source libraries, as they're called, to build their own applications and to shore up their infrastructure. And we need to help open source software withstand some of these onslaughts used by these Mythos-like tools, so the software commons does not become a tragedy of the commons. This is something government should be focused on. This is something the frontier AI labs should be putting money into, to actually look at: how do we take some of the insecure libraries and make them much more secure?
Jake Sullivan
Ransomware, negotiators, ransomware.
Jen Easterly
I'm going to take it a different way, which is this whole issue of should we be paying a ransom? And I never liked, particularly as you remember, we were on the whole hostage policy. How do we think about paying a ransom given the material support to terrorism? And you remember in the hostage policy we actually, DOJ gave a comfort letter to families in terms of those who were negotiating with terrorists who had taken hostages. So obviously a little different. But you think about hospitals or small businesses that are being held, their data is being held ransom. You know, at the end of the day, it's a very difficult thing. And if they have to work with a negotiator to get their data back so they can continue to operate and provide services, certainly I don't, you know, I have a certain amount of empathy with them. The problem is, you know, we're continuing to feed the ransomware ecosystem, which I will say, once again, the key to success is for us to actually reduce cyber risk by improving the quality of software. And that will lead to a world where ransomware is not a multi trillion dollar business, which it is, but rather a shocking anomaly. That is where tools like Mythos and GPT 5.5 Cyber and these frontier cyber capabilities come in. I hope the conversation that we're having two to three years from now is that, jeez, ransomware has plummeted. That is my hope and my optimism.
John Finer
Maybe the last one for me, Rubik's Cube.
Jen Easterly
Rubik's Cubes are the best. You see my collection over my shoulder. I've got a whole bunch of them. Yeah, I've been doing Rubik's Cubes since I was 10. And the reason, there's a whole bunch of reasons I love them, and I won't go into them. But Erno Rubik, who invented the Rubik's Cube, has this wonderful quote. He said, if you are curious, you will find the puzzles around you. If you are determined, you will solve them. And when I was trying to hire people at CISA who had the right type of talent that we needed to build America's Cyber Defense Agency, to catalyze that collaboration and trust and solve the hardest technical problems, I was looking for people who had that intellectual curiosity, but also that relentless determination to solve the hardest problems to keep Americans safe.
John Finer
I thought you were gonna say you put a Rubik's Cube on the table during the interview.
Jen Easterly
I did some of that.
John Finer
That stressed me out a bit. That stressed me out a bit.
Jen Easterly
I did some of that, too. I'll send one your way, Finer.
Jake Sullivan
I didn't know that Rubik's Cube came from a guy called Rubik. So that was new for me.
Unidentified Narrator
Really?
Jake Sullivan
Yeah.
Jen Easterly
Who did you think it came from?
Jake Sullivan
I don't know. I wouldn't have been able to answer it.
Jen Easterly
Hungarian sculptor and professor of architecture. Yeah, it was 19.
Jake Sullivan
I don't think there's a better note that we can end this interview on than that. So, Jen Easterly, thank you. We would love to have you back on the Long Game as we see all of these developments unfold fast before our eyes.
Jen Easterly
Great to spend time with you all. Thank you.
John Finer
Great to have you, Jen. Thank you.
Unidentified Narrator
Okay, so today we're driving to southern New Jersey and heading to a data center. A couple weeks ago, I read a story in NJ.com and it was all about how there's a data center going up in Cumberland County, the poorest county in New Jersey, that's receiving some community pushback. And this immediately got my attention because data centers are going up all across the country. I feel like we should be hearing politicians talk more about this, but we haven't really heard a consensus. Are data centers really a necessary evil? Let's find out.
Jake Sullivan
This is technology we've never seen before.
Jen Easterly
Right? Experiment. We're going to experiment down here. And we're the guinea pigs. And we're the guinea pigs. Exactly.
John Finer
One thing that happens in this country is there's no plan for the future.
Jen Easterly
Is it benefiting people or is it benefiting the elite and the money that's going into their pockets?
Jake Sullivan
This is not about abstract politics. It's about people's everyday lives.
Unidentified Narrator
That's this week on America Actually.
Matt Buchel
Where exactly do U.S.-China relations stand?
Jake Sullivan
The Chinese side came in feeling as if they had figured out how to work both with and against Trump. He was inclined to try to create moments of crisis, and then if they stood up to him, they were almost uniquely capable of making him back down.
Matt Buchel
I'm Preet Bharara, and this week Evan Osnos of the New Yorker joins me to discuss the Trump-Xi summit, which he reported on from Beijing. The episode is out now. Search and follow Stay Tuned with Preet wherever you get your podcasts.
Jake Sullivan
So, John, every time I hear Jen talk, I think she's even more impressive than her bio, which is saying something because her bio is ridiculously impressive. I was struck in particular by two things she said. One theme she carried throughout is that the reason that we have such extreme difficulties with cybersecurity is because the basic software upon which everything runs is fundamentally not secure because it's not being secured at the front end.
John Finer
And.
Jake Sullivan
And that leads to the second thing that I was struck by, which is she thinks this advent of AI capabilities is actually more a good news story than a problematic story, because it can help solve that problem. So I actually left this conversation, I guess, a little more optimistic than I came into this conversation. And she definitely gave a different spin on the ball with respect to what the implications are of Mythos and GPT 5.5 than we've heard from a lot of the commentary that's out there so far. And so I'll be looking at this
John Finer
differently, way less apocalyptic about the impact of AI on the cyber landscape than I might have expected, and than I read in the commentary. The other thing I kept thinking is, it's come up a few times in the course of our episodes, the kind of advantages and disadvantages of an authoritarian system versus a democratic system. When it comes to cyber vulnerability, it does feel fairly disadvantageous to be a capitalist society, a democracy, where everything is held in private hands and you cajole and you incentivize and you coerce, but it's very hard to actually compel people to behave responsibly when it comes to these vulnerabilities that, again, we pay the price for as a society. And, you know, Jen, in one of her last few answers, referred to the upcoming election. And we will come back at some point to this question of election security during the course of these podcasts. But that's another area where we have this profound vulnerability that other countries have at various points tried to mess with and exploit. And it's just one of the unique challenges of being a society like ours. Wouldn't trade places with those that have a different system, but you've got to be eyes open about the downsides as well.
Jake Sullivan
Yeah, it's interesting when you think about physical geography. The United States has the Atlantic Ocean and the Pacific Ocean. We have Canada and Mexico. So the most secure great power in history, perhaps, physically. But when it comes to cyber geography, we are exposed beyond belief, as you use the phrase. Yeah, exactly, exactly. So we'll keep tracking this issue, we'll bring Jen back at some point, but also other incredible cyber professionals who can share their perspectives on a fast moving landscape. So for now, let's turn back to a crisis of the moment. When it comes to Iran and the ongoing war in Iran, things really do seem to hang in the balance. There are indirect negotiations unfolding as we speak, trying to produce a deal, or at least the concepts of a plan of a deal. And maybe a deal will be imminent. There's also threats from President Trump to escalate and resume military operations if a deal doesn't come to pass. And there's obviously the ever present prospect that, whether a deal is announced or not announced, this whole thing just drags on with compounding impacts on energy and commodity prices and the American people's pocketbook. So we'll watch the news out of the negotiations, see what happens. That may lead us to do a break from our regularly scheduled programming and come to you live if something really does get announced in the next few days. But today, John, I think it's worth us touching on this jaw dropping article from the New York Times on how Israel wanted to install the former hardline president of Iran, Mahmoud Ahmadinejad, as the new leader of Iran after they killed the what did you make of that story?
John Finer
Honestly, had I not read it in the New York Times and then seen that it has not been basically denied by any of the protagonists in that article, at least in a very convincing way, I might not have believed it. This is a guy who, to the extent he's still familiar to Americans, it is as an almost cartoonish villain from the recent past in Iran during his time as president, in which he was known for, among other things, denying the Holocaust. One of the main proponents of this death to Israel, death to America kind of mantra that is at the core of the Islamic Republic's ideology. A guy who advanced the nuclear program considerably, was not at all open to negotiation about curtailing Iran's nuclear program, and someone who I think lacks any meaningful constituency inside Iran that could provide him a base from which to actually govern. So even if they succeeded in installing him, hard to imagine how and why he would have lasted. But yeah, I think this made everybody who follows Iran's head, if not explode, at least start to spin around, and hard to understand where this idea came from. But even more to the point, how decision makers actually settled on this as a viable way forward, which ultimately, obviously, it wasn't. To me, though, the best part of the whole piece, and I want to get your reaction too, is that so they decide that they're going to try to install Ahmadinejad, he's under house arrest, so they gotta get him out of house arrest. So what do they do? They bomb his house and I guess inadvertently wound him in the process, the guy that they wanted to become the new leader of the country. So kind of ham handed all around.
Jake Sullivan
I mean, just crazy stuff, theater of the absurd. But Jon, it did get me to thinking this whole Iran excursion, to borrow the President's phrase, has gone awry. And so this looks especially absurd in that light, though it would have looked absurd up front as well. But if the Venezuela operation had gone awry, let's say a helicopter had gotten shot down and Maduro and his wife came out and said the Yankees tried to get us and they didn't get us, I probably would have said to you on this podcast, get this, John, the administration had this crazy plan. They were going to actually fly into the heart of Caracas, extract Maduro and his wife under fire, somehow get his vice president to become their ally. This person, Delcy Rodríguez, who's denounced the US as a criminal and a colonizer, a vandal, an aggressor, an imperial master, and on and on and on. But they think she's gonna run the country for them and do as they ask. Okay, if that had all gone south, that story would have seemed totally crazy. And the lesson here is not that both of these were smart plans and we just got unlucky in Iran. It's kind of the opposite. It's both are crazy plans. And we got really lucky in Venezuela. And then Donald Trump decided to press his luck and here we are. And I think basically after the Maduro thing, the flights of fancy and imagination of what we could do to engineer other countries, including countries like Iran, just had no limit to them. And so I do think you can kind of draw a direct line between what happened at the beginning of this year and how things unfolded here in Iran. And the chickens have kind of come home to roost and we're all paying the price for it.
John Finer
Yeah, it's interesting. I keep thinking about the Bay of Pigs, the Kennedy administration's totally unsuccessful effort to overthrow the Castro regime with a mix of Cuban dissidents and diaspora coming from the United States, totally upended and thwarted by the Cubans. We've almost had two versions of Bay of Pigs attempts by this administration just in 2026. One in Venezuela, which is a version of operational success; strategically, I'm not sure the import of it. And one in Iran that is going, as you said, awry, I think is charitable. And by the way, this may not be the last one of the year. We'll come back, I'm sure, in a future episode and talk about developments in Cuba itself, not to put too fine a point on the Bay of Pigs, where we are seeing signal and indicator after indicator of potential interest by the administration in a military operation there as well, potentially in the near term. So that is one we'll obviously be following.
Jake Sullivan
I mentioned Cuba at the outset. Things really do seem to be coming to a head there, given a whole bunch of indicators, including Marco Rubio's direct to camera video yesterday, calling on the people of Cuba to seek a new Cuba with the support of the Trump administration, the indictment of Raul Castro for murder, and many other steps. So we will definitely be coming back to that issue, and probably sooner rather than later. And then there's this other major event, which is an outbreak of a strain of Ebola in the Congo that is not actually susceptible to vaccines or treatments, as far as we know. And we have to watch to see how that unfolds as well. Something we'll come back to. But let's use the remaining minutes of this episode, John, just to reflect on the outcome of the US-China summit in Beijing, the meetings between President Xi and President Trump. We had Kurt Campbell on last week teeing all this up. What stood out to you in terms of the outcome of President Trump's visit to Beijing?
John Finer
So on the one hand, it was a summit that was much more about atmosphere and theatrics and pomp and circumstance and vibes than it was about tangible announced accomplishments of any kind. There were some business deals that were announced, some of which were underwhelming even compared to expectations. But this atmospheric vibe stuff can actually be quite important. And if anything, there was a pretty strong signal sent by the United States, in my mind, by the president of the United States, that he was not interested in actually an era he launched of kind of fundamental strategic competition with China, and much more interested in having a good relationship at the state level, but even at the personal level between himself and Xi Jinping, who he praised in quite unusual terms, quite enthusiastic terms, over and over again in front of the cameras. So that was the main, I think, atmospheric takeaway, is just this desire, strong desire, that did not actually seem to be reciprocated by the Chinese, particularly for this positive, effusive relationship between the two leaders. The main substantive development, to my mind, and we previewed some of this, was the conversation about Taiwan, which does seem to have featured prominently in the meetings. And we don't really know what the two leaders discussed or whether anything was agreed. But we do know what the president said after the meeting, which was two things primarily, to my mind. One is he reflected on how difficult it might be for the United States to actually defend Taiwan if push came to shove. Taiwan is only 60 miles off the mainland Chinese coast, and it's 9,500 miles away from the United States. And doesn't that mean they would have this enormous advantage, almost kind of openly expounding on the fact that the United States might actually not be able to do all that much for Taiwan?
He didn't quite put it in those terms, but it's hard not to infer that that's basically what he was indicating. And then saying, and this is really the main development, that the United States was basically holding $14 billion in arms sales to Taiwan, not just the United States, the president himself, as a, quote, unquote, bargaining chip to use with Beijing. One, that has never happened before, a president being explicit about negotiating Taiwan arms sales with the PRC. Two, we have commitments to Taiwan that we will not pre clear or pre negotiate those arms sales with them. And so both the atmospheric part and then this kind of policy change by the president, even if he didn't call it as such, I think was pretty unsettling to leadership in Taiwan, and probably to other allies in the region, as an indication of kind of how committed the president is to deterring military action by the PRC.
Jake Sullivan
Just to pick up on this Taiwan point, the main thing I took away from that is Trump clearly wants to do a deal, a bigger deal with China, and to use, as you said, Taiwan as a bargaining chip in that deal. But China doesn't see Taiwan as a bargaining chip. So any concessions on Taiwan are basically a one way street. And boy, did Trump actually float concessions, as you said. He floated holding back on arms sales to Taiwan. He said our 1982 assurance to Taiwan that we wouldn't discuss arms sales with Beijing might not hold anymore because 1982 was, quote, a long time ago. You made the point that he asked whether it made any sense for U.S. troops to travel 9,500 miles to, quote, fight a war. China's going to hear all of that and see it as positive. Taiwan is going to hear all that and see it as destabilizing. And the most important thing is you can bet that Beijing is now going to ratchet up its pressure and propaganda in Taipei, saying basically, you guys are on your own, the Americans aren't with you. President Trump is essentially talking about pulling the rug out from under you. So resistance is futile and you should capitulate. I don't want to overstate that, because Trump didn't actually commit to anything one way or the other. But I do think there's a real danger here that China will keep extracting concessions from Trump on Taiwan, and this will have the opposite effect that the president intends: that it will actually destabilize the situation in the Strait. So that's worth keeping a close eye on. I just would offer two other things that stood out to me as outcomes. First, I really do believe China achieved what it set out to achieve. China believes, as we discussed with Kurt, that the US is a nation in terminal decline, and that China is ascendant. And so on this premise, their primary interest is in keeping things calm while they surpass us.
And the outcome of this summit, from their point of view, was exactly the kind of relationship they were looking for. In fact, they even gave it a name. I think it was constructive China-US relationship of strategic stability. Basically, that translates to let's keep things stable and constructive and let nature take its course until we become number one. So, to me, from China's perspective, this played out very nicely. And then the other thing I wanted to flag, which I think is more of a positive outcome, is the two sides do seem to be headed towards a dialogue on AI risk. The Chinese Foreign Ministry this week announced that there was agreement to pursue this. What exactly it will cover and not cover is still very much up in the air. And we have to be clear-eyed about that. But this kind of dialogue, I think, is absolutely essential. There is nothing inconsistent in America competing vigorously on AI on the one hand, trying to maintain and expand our lead at the frontier, and then also engaging in diplomacy on the risks of AI with China so that we can work together to prevent harms. And I think this is a topic at some point that we should come back to. We didn't get a chance to talk to Jen about it today, but even as we compete in cyberspace, there are reasons for both the US and China not to want these advanced cyber capabilities falling into the hands of third party threat actors. So those were a couple things that I pulled away from this. And then, of course, Xi Jinping using the phrase Thucydides trap, kind of describing a declining power and a rising power, was a little bit icing on the cake. President Trump tried to ultimately say no, no, he was talking about the US before, not the US now, which I thought was quite striking. But for me, the main takeaway of this summit is that China has been trying to steer this relationship into a place that it thinks serves its longer term strategic purposes.
And I think they walk away from the summit feeling they have things pretty much where they want them. But to the point you made, President Trump seems pretty comfortable with that. So we'll have to see where things go from here.
John Finer
Only thing I'd add is we talked about three big concerns that we had going into the summit with Kurt Campbell last week: a potential announcement about Chinese investment in the United States, an explicit shift in declaratory policy towards Taiwan, and a reduction in US export controls. We did not see any of those things. So that is good news, what passes for good news these days for policy coming out of the administration, but with two big caveats. One is there are several more summits between the two presidents planned during the course of the year, so stay tuned for potential developments on those and other issues. And second, it is sometimes the case that things are discussed and agreed in these conversations, but don't actually trickle out into the public domain as announcements until later. And I would just point to the first meeting between the president and Xi Jinping, a couple of weeks after which he made a major announcement that may or may not have been discussed, we don't exactly know, about reducing U.S. export controls of advanced semiconductors. So there may be more that we learn in the coming days and weeks, and certainly in the subsequent meetings.
Jake Sullivan
I think especially where the semiconductor issue is concerned, China's continuing to kind of pretend it doesn't want them. The US has been reduced to basically asking China to take them, so we'll have to see how that plays out. And then this question of Chinese investment in the US is not going away. As you say, there are more summits to come, potentially more shoes to drop. So I think that does it for us today, and we'll be back next week with a new episode of the Long Game.
John Finer
We love to hear from you. Send us your questions and comments@long gameoxmedia.com
Jake Sullivan
and subscribe to our feed so you never miss an episode. The links are in the show notes.
John Finer
That's it for this episode of the Long Game.
Jake Sullivan
If you like the show, please follow, share with friends and leave a review. It really helps listeners find us. And for
John Finer
more analysis in your inbox, join the community at staytuned.substack.com. The Long Game is
Jake Sullivan
a Vox Media Podcast Network production. Executive Producer: Tamara Sepper. Lead Editorial Producer: Jennifer Indig. Deputy Editor: Celine Rohr. Senior Producer:
John Finer
Matthew Billy. Video Producers: Nat Weiner and
Jake Sullivan
Adam Harris. Supervising Producer: Jake Kaplan. Associate Producer: Claudia Hernandez. Marketing Manager: Leanna Greenway.
John Finer
Music is by Nat Weiner. We're your hosts, John Finer and Jake Sullivan.
Jake Sullivan
Thanks for listening.
Date: May 22, 2026
Hosts: Jake Sullivan & Jon Finer
Guest: Jen Easterly, Former CISA Director, Army Cyber Command Pioneer & RSA Conference Director
In this timely episode, Jake Sullivan and Jon Finer are joined by Jen Easterly—an influential figure in US cybersecurity policy—to dissect America’s present and future cyber vulnerabilities and the critical role of software quality. As President Biden prepares an executive order on AI and cybersecurity, the conversation explores how software flaws, misaligned incentives, and the accelerating power of AI models define the frontlines of national security.
“We really don’t have a cybersecurity problem. We fundamentally have a software quality problem. ...Technology vendors and software manufacturers have been allowed to develop and deliver essentially flawed, defective, insecure software, because they've prioritized speed to market and cool features and driving down cost and convenience—all over security.”
— Jen Easterly [00:01, 02:54]
"We spend way too much time glorifying the bad actors—Volt Typhoon, Cozy Bear, Fancy Bear, Midnight Blizzard. …But fundamentally…[cyber threats] come down to the fact that we've built a rickety mess of infrastructure."
— Jen Easterly [02:54]
“In the making of a lot of these technology products and softwares, we've seen the greatest transfer of risk in modern history since the dawn of the Internet.”
— Jen Easterly [10:42]
"We need to use our purchasing power...to demand much, much more of their vendors."
— Jen Easterly [06:20]
Frontier AI Models for Cybersecurity:
“Everything that I have heard is they are a step change in the ability to find vulnerabilities in infrastructure...extraordinary ability at speed and scale to find those flaws and defects in code bases.”
— Jen Easterly [17:00]
Responsible Constrained Release (17:00):
“The fact that defenders have essentially been given a head start to use these tools...is a very notable and important thing.”
— Jen Easterly [17:00]
But the Window is Closing (23:24):
“Within a year our adversaries will have access to these...defenders are in a race to be able to use them to find and fix vulnerabilities.”
— Jen Easterly [23:24]
Chinese PLA: Not Exotic, Just Exploiting Basic Flaws
Optimism from Capability Leap (29:40):
Russia-Ukraine Cyber Lessons:
In Iran and Israel/Gaza Conflicts:
On software as the root cause:
On ransomware and the future:
On Rubik’s Cubes and hiring for CISA:
The episode is both candid and hopeful. Easterly’s style is direct and jargon-free, urging collective responsibility and concrete industry and policy action, while giving credit to both regulatory and market mechanisms—and ultimately expressing optimism, provided America acts fast and smart.
For more: Listen to "The Long Game" and watch for Jen Easterly’s future appearances as these fast-moving developments unfold.