Reporter
Tonight we are learning more about a cyberattack forcing the shutdown of one of the main pipelines supplying gas and diesel fuel to the East Coast. You can see hundreds of cars here and this is just one gas station. Drivers here telling me they're waiting up to an hour. That's where the line starts. We can't even see where it ends. The lines for gas getting longer from the Carolinas down to Florida. Panicked drivers overwhelming gas stations.
Analyst
It's May of 2021. Jets are grounded up and down the Eastern Seaboard. Lines at gas stations snake for blocks. Panicked Americans vie to fill up garbage bags with gas.
Expert
I suspected just prices would go way up. I didn't suspect that there wouldn't be any.
Reporter
We put a stop to the can sales today. People were coming in and trying to buy, you know, five and 10 cans worth of gasoline. They're just hoarding it. The partial shutdown of the Colonial pipeline.
Analyst
Is causing panic buying. The US Consumer Product Safety Commission can't believe they had to warn the public.
Reporter
About this, but they did.
Analyst
They warned people about filling plastic bags with gasoline. The warning comes after images surfaced on social media of the trunk of a car holding bags filled with gas and video of a woman pouring gas into a plastic bag. Colonial Pipeline, the 5,500-mile artery that carries America's lifeblood, gas, diesel, jet fuel, from Texas up to New Jersey, had been shut down. A cyber attack took the company's IT systems out of commission, jolting all operations to a sudden halt. People panicked. If someone, say China, wanted to wreak chaos and havoc on the United States, this was how to do it. But this wasn't the work of China or Russia or Iran, for that matter. This was a group of cybercriminals looking for a quick payday. Colonial Pipeline was hit by ransomware, and the attack didn't even hit the pipeline itself. But without any way to bill its customers, and with shaky confidence in the air gap between employees' computers and its pipeline operation, Colonial preemptively shut that down too. The country's largest pipeline was out of commission for five days. And had Colonial Pipeline not paid off its extortionists or had backups they could tap into, the paralysis could have been much, much worse. Back at the Times, we got our hands on a confidential Department of Energy assessment that found that as a country, we could have only afforded three or four more days of downtime before that attack brought the entire US economy to its knees. It wasn't so much the gas or jet fuel, we had the reserves for those; it was the diesel required to run our factories. The attack and the dependencies it revealed caught the nation completely off guard. And China's leaders paid careful attention.
Expert
You would see clear panic, you would see clear chaos. And, you know, just on a very micro level, we saw this with the ransomware attack on Colonial Pipeline that ended up shutting off gas to the Eastern seaboard for a couple days. You saw the panic that that induced. Well, the Chinese saw that as well. The Chinese government is watching very closely what is happening in America and some of the fragility that they see, quite frankly, within our democratic processes.
Analyst
That was Jen Easterly, who led CISA, the nation's cyber defense agency, under Biden. Cut to present day, when China's PLA hackers right now, right this instant, are inside hundreds of Colonial Pipeline equivalents across the country.
Expert
It's not an assessment from the intel community. It is not a hypothetical threat. It is a very real threat that the hunt teams that we have at CISA have identified and we've found them in transportation and water and power and communications. But when you talk about what's the breadth and depth of the targets, the answer is we don't know. We think what we found to date is likely the tip of the iceberg.
Analyst
The tip of the iceberg. So what's lurking beneath the surface? Before I continue, let me say again what I said at the start. We cannot confuse the Chinese government with the Chinese people. Paranoia and xenophobia can and have pushed nations towards authoritarianism, fascism. They risk turning us into our worst enemy. China's grip on our infrastructure has nothing to do with everyday Chinese people, who in too many cases are themselves held hostage by the party's digital dragnets. And this isn't just a moral distinction, it's strategic. Because xenophobia isn't just repulsive, it's reckless. It fuels violence, pulls us further up the escalation ladder and drags us closer to a fight that, frankly, the United States is not ready for. As you'll hear, it's time to pause, prepare, and think hard about where this road leads. I'm Nicole Perlroth, and this is To Catch a Thief. If you ask me, the most underreported issue of the past five years is not what's happening on our physical borders. It is the total collapse of our digital borders and the fact, and it is now fact, that China's hackers are at this very moment lurking inside our water, our power, our ports, our communications, our railway, our aviation networks, sitting idle, waiting, as Andrew Scott put it in the last episode.
Cybersecurity Specialist
And one thing that I really wanted to emphasize here, I've even gotten questions recently of what's fundamentally different now. And the answer really is we've now confirmed they're there. The PRC is inside the house.
Analyst
I repeat, the PRC is inside the house. Through meticulous infiltration of our most critical infrastructure, the PRC has assembled a big red button, one they can press at any moment to trigger nationwide panic and chaos. That's terrifying enough all on its own. But then you take a closer look at China's own military doctrine. In 1999, two senior PLA colonels, Wang Xiangsui and Qiao Liang, wrote a book, a manifesto, really. They called it Unrestricted Warfare. And here is a direct quote. Whether it be the intrusions of hackers, a major explosion at the World Trade Center, or a bombing attack by bin Laden, all of these greatly exceed the frequency bandwidths understood by the American military. Littered throughout their manifesto are haunting references to bin Laden and a bombing at the World Trade Center. And again, this was published in 1999, two years before 9/11. But their real focus was how China could gain the upper hand against the most advanced military in the world. Their answer: unrestricted warfare. Essentially, their premise is that China should widen the battlefield, go beyond direct military confrontation with the United States, and take the fight directly to civilians. By hacking into our civilian infrastructure, and they specifically name the US power grid, our banking systems, transportation and telecommunications systems, the PRC could not only physically incapacitate the US but weaken our will to fight. And they could do all of this without firing a single bullet.
Expert
I think if you go to what the Chinese themselves have said, what is in their doctrine, it's pretty clear that the strategy is about holding US critical infrastructure at risk in order to deter our ability to marshal military might and citizen will. So this is really about inducing societal panic and chaos. And that would be the result of water systems being polluted or inaccessible, human transportation lines being derailed, communication systems being severed, pipelines exploding. You would see clear panic, you would see clear chaos. And this is part of their strategy to enable them to be able to reunite with Taiwan. Something that President Xi has made it clear is a strategic goal. The thing that is so different and so serious is that this particular threat is not just about espionage. This threat is about being able to launch disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits.
Analyst
Taiwan, for listeners coming in blind: what we've been seeing with these cyber attacks has really brought Taiwan to the fore.
Reporter
So the Chinese will be cautious about attacking us. Very cautious. But they may not be so cautious in attacking Taiwan if the Taiwanese forget the request to not declare independence.
Analyst
That was Jim Lewis, who specializes in and has been directly engaged in talks with the CCP on Chinese cyber threats. And like he noted, the CCP has long, shall we say, tolerated Taiwan's de facto autonomy so long as it didn't push for formal independence. But that shifted when Xi Jinping came to power in 2012. He took a much harder line on Taiwan. China's president says unification with Taiwan is inevitable. President Xi Jinping has said reunification with Taiwan must be fulfilled. Mr. Xi added that unification should be achieved peacefully. But he didn't rule out the potential use of force to achieve that goal. Xi said the central government has taken a firm and unwavering stance on national reunification. In his speech, Xi said that compatriots on both sides of the Taiwan Strait.
Expert
Must share in the glory of national rejuvenation.
Reporter
Unification is the hope of all Chinese people. If China can be unified, all Chinese.
Analyst
Will enjoy a happy life.
Reporter
If China can't unify, everyone will suffer.
Analyst
Xi steps up the rhetoric dramatically. He starts calling China's reunification with Taiwan inevitable. Pretty quickly, he makes clear that Taiwan is the final puzzle piece in his grand vision for what the Chinese Communist Party calls the great rejuvenation of the Chinese nation. And that great rejuvenation is not just rhetorical flourish. It has a deadline: 2049. 2049 marks the 100th anniversary of the founding of the People's Republic of China. The CCP sees it as China's comeuppance. If they consider the century leading up to 1949 as their century of humiliation, as they call it, then the party sees the period between 1949 and 2049 as the century that rightly restores China to its place as a global superpower.
Reporter
China's made no secret that it hopes.
Analyst
To be there by 2049.
Reporter
The Centennial Party. They're building up their military at an alarming rate. They want to be the number one economic power of the world and the number one economic military power in the world by 2049.
Analyst
And in Xi's grand vision, anything less than total reunification with Taiwan would render China's great rejuvenation incomplete. It's Xi's version of Manifest Destiny. And it's not just symbolic. It's a strategic imperative. In the party's eyes, Taiwan is more than just a renegade province. It's a US outpost, a threat to China's territorial integrity. Geographically, Taiwan sits at the heart of the first island chain. A natural barrier to China's naval dominance in the Pacific. Taiwan sits at the heart of what we call in the United States the first island chain.
Reporter
The first island chain stretches from Japan through Taiwan and the Philippines to the Malay Peninsula.
Analyst
This line of defense is designed to stop China's military from expanding into the Pacific. If you look at the first island.
Reporter
Chain, these are all formal treaty allies.
Analyst
Of the United States or close partners.
Consultant
In the case of Taiwan, the islands.
Analyst
Form the first major geographic barrier between mainland China and the Pacific. The US and our allies see it as a containment line. China sees it as a strategic chokehold. And at the center, just 100 miles off the coast of mainland China, sits Taiwan, a linchpin geographically, militarily and symbolically. Because lest we forget, China's all consuming five poisons.
Reporter
Well, it's the Uyghurs, it's Tibetans with the Dalai Lama, it's Falun Gong, the democracy movement, and then finally Taiwanese independence.
Analyst
The party worries that the longer it puts off Taiwan's so called reunification, the more Taiwan drifts away and inspires the party's other poisons, the Tibetans, the Uyghurs, the Falun Gong and pro democracy activists to pursue their own autonomy. And from that perspective, Taiwan's independence is more than just a geographic impediment, it's an existential threat. And then there's the not insignificant issue of the chips.
Reporter
Although many Americans may not know it, all of our lives depend on Taiwan.
Analyst
The island has a near monopoly on semiconductors.
Expert
So much of the production of advanced semiconductors especially are in Taiwan. Those chips that we use in our phones, computers, our cars.
Reporter
Taiwan semiconductors are one of the best managed companies and important companies in the world. There's nobody in the chip industry that's in their league, at least in my view.
Analyst
If data is the new oil, then Taiwan is the Saudi Arabia of semiconductors. Taiwan Semiconductor, or TSMC, produces more than 60% of the world's chips. But it has over 90% market share where it counts: the advanced microchips that are mission critical to winning the battle for global economic supremacy, the AI arms race and the next war. Because next generation weapons like drones and other AI enabled precision weapons like smart missiles and autonomous combat vehicles, they require those advanced chips. The tighter the US squeezes China's access to advanced chips through blacklists and export controls, the more critical China's control of Taiwan and TSMC becomes. Here's Jim Lewis at our live panel in March.
Reporter
Every time we've tried to block another country from getting a technology. All it's done is incentivize them, and this is the fourth or fifth time, so you don't win through export controls.
Analyst
But more than anything, experts say Taiwan is personal. For Xi Jinping, it's the great unfinished business of the Chinese Communist Party. Xi seeks to resolve what Mao and every other leader since has left unfinished. But Xi is 71, a spring chicken by US political standards. But if he waits until 2049, the PRC centennial, he'll be 96. The thinking goes, if Xi moves on Taiwan, it won't be decades from now. It will be in the next five to 10 years. What that looks like exactly, we don't know. Here's Dakota Cary, a China consultant at SentinelOne and the Atlantic Council.
Consultant
By 2049, the Taiwan question is meant to have been resolved. How that question is resolved is not part of public communications. It's not an explicit line to say that there will be either a political or military solution to the question, only to say that Xi Jinping has tied reunification with Taiwan to this 2049 goal of the great rejuvenation of the Chinese people. We do know from public statements by US government officials that a diktat has been issued to be prepared to take Taiwan by 2027. And I think it's really important to note that 2027 is the 100 year anniversary of the People's Liberation Army. And when you zoom out and you go, well, at 100 years, what should a military be able to do for China and specifically for Xi Jinping? He thinks that after 100 years of being in service, the military should be able to cross a body of water and take an island that is near to its periphery.
Analyst
But being ready isn't the same thing as pulling the trigger. It is true that China has significantly upped its military budgets and been flexing its military might in a series of drills. As recently as March and April of this year, in what the PLA itself called a stern warning, China has launched large scale military drills in the waters around Taiwan to deter the self governing island from seeking independence. In a show of force, China sent a dozen warships and over 70 military aircraft in drills encircling Taiwan. China also unveiling a deep sea cable.
Reporter
Cutter capable of cutting undersea communications lines up to 4,000 meters deep. That's almost two and a half miles. This could sever Taiwan's undersea Internet and power lines.
Analyst
In a wartime situation. Now, you'd have to be a fly on Xi's wall to know whether these drills are strategic deterrence, saber rattling, or rehearsals for the real thing. For the first time ever this year, Taiwan's annual military drills identified 2027 as the potential timeline for a Chinese invasion.
Reporter
The Taiwanese military is finishing up a week of rapid response exercises aimed at boosting the island's ability to react to threats from China.
Analyst
And this week, Taiwan's defense ministry cited 2027 as a year of a potential.
Consultant
Chinese invasion for the first time.
Analyst
Most analysts consider an invasion by 2027 unlikely. More cite 2029-2032 as a pivotal window to resolve Taiwan. But the reason these timeframes become so important is because it means China would have to start prepping the battlefield right now. And that battlefield preparation, experts say, would look exactly like the cyber attacks we're witnessing on America's critical systems right now. Here's John Hultquist, Mandiant's chief analyst.
One of the strange things about this space is that you are fighting the next cyber war now, regardless of how far along it is to the actual game time.
Right?
You have to do it now because when the big conflict comes, it's too late to root out these adversaries and it's too late for them to get access. The reality is most adversaries want to be in place in advance so that they're prepared where they are, digging in for contingency.
Now, what's clear in hindsight is rarely clear before the fact. But looking back on Russia's twin cyber assaults against the Ukraine grid back in 2015 and 2016 is like reading the tea leaves for Putin's eventual military invasion in 2022. So should we be reading China's incursions into our own infrastructure as tea leaves for a Taiwan invasion? Even saying that out loud risks falling into the creeping determinism trap. The economic and military risks to China of a Taiwan invasion would be massive. But China's cyber assaults on our infrastructure, and by the way we're seeing various similar intrusions in Japan and Taiwan, suggest at the very least that Xi is keeping his options open and ensuring that if he ever does pull the trigger, the battlefield is already tilted in his favor. Here's Andrew Scott again.
Cybersecurity Specialist
I think much of what we may see in a Taiwan environment from the PRC is inside Taiwan, very much an intel gathering, maybe disruption of services to support sort of military activity, along with disinformation and misinformation in all of those avenues. I think the thing that is fundamentally different here that we are most concerned about is the implications for the US homeland.
Analyst
The implications for the US homeland. This brings me to Matt Turpin. Turpin spent his career tracking the PRC's battlefield preparations. His resume spans decades and administrations. As Xi was stepping into power in 2012, Turpin was in Honolulu serving as the chief war planner for the US Pacific Command. In 2013, he moved to the Pentagon, where he served as China Advisor to the Chairman and Vice Chairman of the Joint Chiefs of Staff under Obama. When Trump first came to office, Turpin became China Director to the National Security Council and Commerce Department. These days, he's a senior advisor at Palantir and visiting fellow at Stanford's Hoover Institution. And in his view, we are already locked into a cold war with China. It's just that only one side has admitted this to itself. And I should warn you that when Matt Turpin talks, things get very real very quickly.
Reporter
I think we should be very clear.
Former Official
That Beijing is next to certain that.
Reporter
The United States would intervene militarily if they attack Taiwan.
Analyst
Right.
Former Official
So if you take that as a given.
Reporter
So if Beijing calculates the United States is going to intervene militarily, and I.
Former Official
Think increasingly just kind of over the.
Reporter
Past three, four years, they've increasingly concluded that Japan would also intervene militarily.
Former Official
And we've seen similar sorts of actions.
Reporter
Across Japanese infrastructure, then you need to develop and create the kinds of capabilities.
Former Official
That would make that intervention much more difficult.
Reporter
And that means sort of a whole scale look at the infrastructure that would support any sort of US military mobilization.
Former Official
Now, we may think of this as.
Reporter
Sort of a regionally contained conflict, but.
Former Official
Of course, as soon as the US.
Reporter
And the PRC are involved in direct military conflict, it will become a global affair.
Former Official
So they have looked through our entire.
Reporter
Infrastructure chain to figure out where do they place themselves to ensure that they have optionality to be able to do that. And if they're willing to sink US aircraft carriers, then they're going to be.
Former Official
Willing to turn off U.S. energy supplies.
Reporter
And pipelines and refineries and go after factories. Like, we just should be very clear.
Former Official
That if they've made the decision to.
Reporter
Start killing American service members, it isn't.
Former Official
As if they're going to say themselves, well, we just kind of think the US infrastructure is off the table.
Reporter
So I think we have to be very clear about where this goes. And so all of the folks that run that infrastructure need to be very.
Former Official
Serious about you're a target of a.
Reporter
Nation state actor for destruction and disablement.
Analyst
Which brings me to the crux of our national security predicament, the one few in our country seem willing to accept. And it's this. If you manage any system that Americans depend on, be it a hospital, a water treatment plant, the grid, a port, a pipeline, air traffic control, or any of the technology that those systems rely on, you are right now a prime target for a catastrophic Chinese cyber attack. You are the new front line. And the reason you have to worry about this right now is because in order to destroy or disable any of those systems, you don't just hack them the day you attack, you have to get in there well ahead of time. Here's Dale Peterson. You may remember Dale from the last episode. He specializes in the security of critical systems.
Former Official
You have to pre-position yourself if you want to be able to do this. I actually wrote a paper on this, I think back in 2014, that the leaders of a country can't just go to their cyber arm, their equivalent of whatever their offensive team is, and say, I want you to bring down this power, this manufacturer, every critical infrastructure in this region, and expect it to happen the next day. You have to be pre-positioned, you have to learn their system. You mentioned Stuxnet earlier. You look at all the time involved to create that system. So you have to do the work ahead of time so that you can press the button if you choose to.
Analyst
Stuxnet, if you'll recall, was a surgical US-Israeli cyber strike that sabotaged Iran's nuclear program. But Stuxnet's code was only half the magic. The other half was in the years of preparation, the groundwork, learning the system, sneaking the code in on a USB stick, the pre-positioning. And that is exactly what China is doing with its living off the land attacks. Only this isn't a precision strike. It's a mass infiltration campaign targeting hundreds of critical systems. Power, water. And these systems, they're far easier to infiltrate than Iran's nuclear lab. The bulk of our gas, our water pipelines were built decades ago, when their primary threat was a tree root, not nation-state hackers.
Cybersecurity Specialist
You're talking about networks and environments that for decades have been architected and run in a way that was never intended to take into account these sorts of risks. They were intended to take into account how do we maintain delivery of services in the event that a water pipe breaks or a lightning strike takes out a power generation facility?
Analyst
Volt Typhoon, China's elite infrastructure hackers have radically changed the calculus. For now, they're lurking, lying in wait. The fear is what happens when or if they decide to detonate on the access they already have, the everything, everywhere, all at once cyber attack. To state it plainly, should they so choose, the PRC has the capability to cut off our access to water, power, transportation, gas. And a shutdown might be our best case scenario. The worst case scenario. It's almost too gruesome to spell out, but we've caught flashes.
Reporter
In the summer of 2017, Russian hackers launched a more brazen and potentially much more dangerous attack, this time on Petro Rabigh, a massive oil refinery along the Red Sea in Saudi Arabia. On a Friday night in August, a safety system triggered the whole to shut down. The hackers made a small coding mistake and they ended up shutting down the refinery instead of triggering a deadly explosion.
Analyst
Saudi Arabia, 2017. Russian hackers got into Petro Rabigh, a major petrochemical facility, and were able to shut off the safety locks that prevent an explosion. Hackers have already demonstrated they have the ability to contaminate our drinking water by hacking into the chemical controls at water treatment facilities. Now, none of these scenarios have come to fruition, but what these incidents, and Colonial Pipeline and Stuxnet before them, did show was the art of the possible. With China's strategic embedding in our critical infrastructure, they could do more than cut off access to power, water, gas. They could contaminate the drinking water, trigger explosions at pipelines and chemical factories, send planes colliding or trains careening off track. And in the everything everywhere, all at once cyber scenario, they could do it all simultaneously. We just had a very real glimpse of what happens when air traffic control goes dark over one of the busiest airspaces in the country. And that was just for 90 seconds.
Reporter
A major communications breakdown at Newark Airport. Sources telling ABC News tonight, Air traffic control computer screens went dark for up to 90 seconds. Controllers losing communications with packed passenger planes approaching for landing and planes taking off, unable to see, hear or talk to the pilots of the aircraft. Pilots could be heard learning of the outage over the radio. A number of controllers on duty during that outage so, so shaken, they've now taken medical leave.
Analyst
Now imagine that wasn't an accident. Imagine it was a coordinated cyber assault, one that didn't just hit Newark, but air traffic control nationwide. What political appetite do you really think we'll have to support an island 7,000 miles away when we can't get Internet? We're under a boil order. Flights are grounded or worse. I think we all know the answer, and Beijing does too.
Expert
I say this not as somebody who knows Taiwan well, but as somebody who spent 21 years as an army officer, being an intelligence officer, where you are always trained to think like the adversary, it's the adversarial empathy that I think ultimately makes me a better defender. You want to take out the power, you want to take out the communications, you want to take out the rail lines. You want to affect the basic life services and hold that at risk to, you know, essentially force your adversary to give up for citizens not to have the will to fight.
Analyst
Now, a word of caution here. Just because the CCP can pull the trigger doesn't necessarily mean that they will. It's possible they simply want us to know they can. Here's David Barboza, my former Times colleague, whose reporting put him in the CCP's crosshairs back in 2012.
Reporter
China is, like, incredibly strategic. I don't need to pull the trigger. I can use a lot of different leverage points to scare you or to intimidate you. So I could pull it, and it depends on whether I will pull it. But just you knowing that we're in that infrastructure, they can say we have some leverage into everything and, you know, we may not use it. But just so you know, just so you. When you think twice about doing something, that we also have this.
Analyst
And here's John Hultquist again.
There's some question over whether those are signaling things, right? They want us to know that they can get access, right? And then they sort of hold that access over our heads and maybe change our calculus, or if these are practical targets that they expect to have military effects or essentially potentially slow a military response or change our ability to respond in any conflict. The weird thing about almost all the critical infrastructure stuff I've covered in my career is a lot of it wasn't about practical effects. A lot of it was probably about just undermining the adversary, like, trust in the adversary. Your power goes out for a few hours, power outages happen, whatever. But you recognize now that the foreign power did it, and suddenly you distrust the government's ability to secure you.
Psychological warfare. That's what David and John are getting at. Maybe it's not the everything everywhere scenario. Maybe it's a gun to our head. Just knowing our infrastructure is held hostage to make us think twice about defending Taiwan. Now, again, you'd have to be in Xi's inner sanctum to know the end game. I don't actually believe China's just going to send American passenger jets colliding, at least not until we're in the throes of World War Three. That's precisely the kind of attack that, if recent history is any guide, would push Americans towards a fight, not away from it. More likely, in my view, is a strategic blackout here, a pipeline shutdown there, an outage of air traffic control. Maybe just for a few minutes or hours, maybe a day or two. Just long enough to send a chilling "stand down, or Americans will feel real pain." That's the thinking behind why Russian hackers only cut Ukraine's power for hours, not days, back in 2015 and 2016. It was to shake their confidence, their resolve, and it didn't work there. But here, we're far more digitally dependent than Ukraine ever was. And if there's one takeaway from 2025, it's that our politics can make us an unreliable ally. China sees these cyber attacks as leverage. They watched the panic and chaos that ensued from the Colonial Pipeline ransomware attack. They also watched the US support for Ukraine and its more recent backpedaling. It's not clear Americans have the stomach for a drawn out fight, especially one that hits home on American soil. Here's Jen Easterly and I discussing this point just ahead of the 2024 election, when she was still leading CISA. So we've heard a lot of different theories about these living off the land attacks on our infrastructure. Dmitri Alperovitch has said he thinks it's an effort to delay military mobilization. Others have said that this is a great political lever to pull.
It might make us think twice before we would support Taiwan militarily when we know that China's inside and could shut off our gas or shut off our access to clean water. Others say watching Ukraine and the political debates about continuing funding for Ukraine, perhaps there would be an event where we would support Taiwan. But China could basically use their access to diminish the political appetite of Americans to continue to support Taiwan if, say, they couldn't get gas for more than three days. Some have said this is just the new era of mutually assured digital destruction. We're all in each other's business. We're all sort of holding a gun to each other's heads saying you better think twice before you turn off access, because we could turn around and do the same to you. But you're really in the nexus of this. What in your mind is their end goal?
Expert
Well, I wouldn't choose like A or B or C. There's probably a little bit of all of the above in the scenarios and the rationales that you just painted. The Chinese government is watching very closely what is happening in America and some of the fragility that they see, quite frankly, within our democratic processes. And this is part of their strategy to enable them to be able to reunite with Taiwan, something that President Xi has made it clear is a strategic goal. And to your point on Ukraine, I would just comment that I think we all need to recognize that the defense of Ukraine is the deterrence of China. China is watching very closely whether we end up just giving up on Ukraine because it sends a message to what our political will would be in the event of an invasion or a blockade of Taiwan. And I think it's one reason why it's so important that we continue to be very forward, leaning on the support that we're providing to Ukraine along with our international partners as well as the private sector.
Analyst
As of this recording, President Trump's position on Ukraine has been anything but consistent. He initially cut off military aid and intelligence sharing, only to reverse course a couple of weeks later. More recently, he's been threatening Putin with sanctions if the missile strikes on Ukraine don't stop. But all of this could shift at any moment. Under Trump, the US has revealed itself to be an unpredictable trading partner and military ally. Taiwan might still be able to count on the US coming to its defense. But what appetite will Americans have to support an island halfway around the world when we can't get access to clean water or even just working Wi-Fi?
Expert
So let me just go back to one thing that you said that I think is important. Colonial Pipeline is always the canonical one we go back to. But frankly, think about CrowdStrike, just July of last year when a lot of people couldn't access a lot of things. Now that was for a short period of time, but think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that could be in place and unable to just turn back. Think about that. For weeks and months on end.
Analyst
We've largely shifted the focus to China's attacks on our infrastructure. But lest you think the CCP has let traditional intelligence go by the wayside, let me introduce you to Volt Typhoon's colleagues: Salt Typhoon. In early October 2024, news broke that America's biggest telecoms, AT&T, Verizon, T-Mobile, others we don't even know about yet, had been hacked by a Chinese group that Microsoft calls Salt Typhoon. According to the White House, China's Salt Typhoon hack has now been underway for upwards of two years, hitting at least eight of the major US telecommunications providers. FBI and federal cybersecurity officials say these Chinese government-affiliated hackers managed to steal records, intercept some voice calls, even penetrate the wiretap system used by the Justice Department to investigate people suspected of crimes or spying. Chinese hackers breached US telecom and Internet service providers, accessing the cell phones of top US officials and private citizens. Salt Typhoon is now considered the most significant cyber intrusion we've had on our telecommunications systems to date. And we're still unpacking the damage. We know that they accessed the private calls of President Trump and J.D. Vance, Kamala Harris' staff and Chuck Schumer. We know they got access to metadata, texts and phone calls. And perhaps most damaging of all, we know they got a counterintelligence gold mine.
Consultant
Based on what we know about what Salt Typhoon accessed, it's the type of system that is the coin of the realm in intelligence and counterintelligence games on the street. When you think about the people who are asked to protect US secrets or go identify and collect secrets from foreign governments, it comes down to actual people who are doing that work in and outside of allied and adversarial countries. And their safety is at risk when those people are identified. And some of the information that was accessed through Salt Typhoon allegedly would help those individuals and would help the Chinese state identify known and unknown intelligence officers that are operating in the US. And when you access that type of information, people's safety can be at risk.
Analyst
That was Dakota Cary speaking to China's hacks of our biggest telecom providers. And the worst part is, we don't even know if they're out. In fact, we have to assume they're still inside.
Expert
And now the FBI is warning Android and iPhone users to be careful when texting one another, urging them to stop sending unencrypted text messages. According to officials, the Chinese hackers hacked into the SMS system.
Analyst
Stepping back here, if China can access our most personal data, eavesdrop on our highest level officials and our most private moments, if they can manipulate our supply chains and have the power to disrupt our critical infrastructure at will, then we don't control our own destiny. By any honest definition, we're not a sovereign nation. That is where we are. Now, here's where I'm often asked, aren't we in their systems too? Can't we do the same to them? And aren't we better? It's what I call mutually assured digital destruction. China and Russia are in our infrastructure and we're in theirs. We know less about what the US is doing overseas, but it's no secret that the US is actively exploiting these systems too. Here's Dale Peterson.
Former Official
This is being done now by everyone, including the US, across the world. You can find just as many quotes from Chinese leaders complaining about US hacking into Chinese systems. It's the state of the world right now. What is interesting is there is a line. While there aren't official agreed-upon cyber norms in this theory, there is a line that you can say, I can do up to this and it will be accepted without retaliation.
Analyst
Starting about seven years ago, U.S. officials began publicly acknowledging their own digital forays abroad. It was part of a strategy that then-NSA Director and Cyber Command chief Paul Nakasone called Defend Forward, or persistent engagement.
Reporter
Our strategic approach is persistent engagement. We seize the initiative in this domain. We are not ceding space or time to our adversaries. This approach is shaped through campaigning with our Defend Forward approach and our supporting relationship to the priorities of the Joint Force. This allows us to hone our focus, knowing where to commit ourselves, effectively managing resources and risk while in a constant state of adversary engagement.
Analyst
But if we're really counting on mutually assured digital destruction to hold China back, we need to take a sober look at just how mutual that destruction would be. And the hard truth is that the battlefield may be tilted in China's favor. For one, we live in the glassiest of glass houses. Our digital attack surface is larger by a significant margin. We dove headfirst into cloud computing, smart devices, automation, and now AI. It makes us incredibly efficient, but also deeply vulnerable when it comes to our core infrastructure, our economy, our everyday life. We're simply more reliant on tech than they are. Secondly, most of our technology, routers, phones, chips, even the cranes running our ports, is made overseas, much of it in China. Meanwhile, China controls its supply chains and runs a closed Internet, the Great Firewall, giving it far greater visibility and control. Third, the Chinese Communist Party is quite willing to absorb massive amounts of pain in ways that, frankly, we aren't. Think back to Mao's Great Leap Forward. Millions died from famine, and the Party didn't flinch. That legacy still shapes the Party's tolerance for suffering in pursuit of strategic goals. Here in the U.S., Americans can't stomach a day without TikTok. Even after Congress voted to ban TikTok or force China to divest, the PRC didn't blink. We did. What happens when it's not access to TikTok, but clean water? And finally, when it comes to offensive cyberattacks, as a democracy, we play by different rules. Here's Rob Joyce, NSA's former cybersecurity chief, who previously led hacking teams at NSA.
Reporter
We are a rule of law country. And there is an effort in the law of armed conflict where you need to be differentiating military targets from civilian targets. You need to have proportionality. The things you do must impact the military effects more than the civilian effects. And so when people say we ought to turn the lights off and shut off the water and stop the planes or crash trains, we don't do that, because it's disproportionate on the civilian population. And that's where the differences arise. We would never get through the lawyers the ability to hold them at risk the way they're currently in some of our infrastructure. And that's the differentiator.
Analyst
Here's what most people don't realize. We are locked in a cyber battle where only one side is actually authorized to attack civilian systems. By law, the US can't hack civilian targets like the Chinese power grid or its water systems unless it directly supports some PLA purpose. Here's Dakota Cary on that small but critical point.
Consultant
When we consider what is an appropriate target in cyber operations, one of the key distinctions when we talk about operations against foreign adversaries or foreign militaries is that when considering attacks on critical infrastructure, the US would require that critical infrastructure be supporting a military asset, for example, an electrical grid attached to a military base or the electrical grid on the military base itself. We have very distinct targeting requirements for what would count as acceptable use in both cyber operations, but also in kinetic operations. A lot of the public, shall we say, attention drawing to Volt Typhoon on the part of the US Government, I believe, is because China is pre-positioning on civilian critical infrastructure that does not serve a direct military purpose. And in doing so, our government is trying to, I think at the Track 1 and 2 level, in direct communications with China, has communicated that attacks on civilian infrastructure that do not serve military purposes are unacceptable.
Analyst
Track 1 and Track 2 diplomacy. Track 1 is official government-on-government communications, US officials meeting directly with their CCP counterparts. Track 2 is unofficial communications between non-government actors. Jim Lewis is a regular presence in those Track 2 dialogues. Last year he broached whether the PRC would be open to drawing red lines around civilian targets like water.
Reporter
I don't negotiate for the US government, but I will occasionally ask questions that the US Government has asked me to ask. And the answer was no, we're not interested. Some of these are people I've known for a long time and they had a good point. It's like, look, five years from now, ten years from now, we're going to be much stronger than you. So why should we make a deal with you now because we'll have a better hand to play five years from now.
Analyst
So the answer was no. So long as the US abides by the law of armed conflict, there will be targets that are off limits to us but fair game to the CCP, and they know it. Which starts to make the "mutual" in mutually assured digital destruction ring a little hollow.
Reporter
I used to think that the Chinese had an advantage because when they showed up, they never brought lawyers. We, of course, had thousands or even millions of lawyers with us. It's like, geez, one time I said the worst thing we could do to you people is teach you to do this rule of law stuff.
Analyst
And speaking of red lines, here's Jen Easterly in conversation at our live panel in March.
Expert
Well, first of all, they're not tiptoeing over the line. They're like way over the line, man. They're like. I mean, this was the whole point, right? This is not a theoretical threat. It's a very urgent threat where China is deep into our critical infrastructure. Water, power, transportation, communication, specifically to lay in wait so they can launch disruptive and destructive attacks. I think that is way over the line.
Analyst
So here we are. China has tilted the digital battlefield in its favor. They're not respecting red lines. They've already crossed them. They're inside the house, inside our most critical infrastructure. And as tensions rise with Trump's trade war, the escalating rhetoric, this dangerous game of chicken, the economic entanglement that once acted as a brake is giving way. And that may have been our last real deterrent. A cyber war with China isn't inevitable, but with every breach of American infrastructure, it's clear they're preparing for one. As for us, we're only expanding the attack surface, and we've barely begun to think about new modes of deterrence, not just in cyber, but across government. Here's Rob Joyce on that point at our live panel last March.
Reporter
When I said don't use cyber against cyber, I don't mean use it. It's got to be part of a whole portfolio of things. There's got to be, from the very top, a strategy and aggressive messaging that we won't tolerate this. There's got to be diplomatic, law enforcement. There's got to be some of the naming and shaming, some cyber. We've got to use that whole portfolio and in very aggressive ways. So I'll ask this question, right? When we get annoyed by the actions of another government, what do we often do? We expel their diplomats, right? We expel their spies. I have never seen us expel somebody because of a hack. They're in our infrastructure and there has been no diplomatic repercussion for that. Those are the kind of things that, you know, we've got to turn the knob up and use all of that portfolio.
Analyst
Recently, we've heard various Trump officials talk about the need to pull the gloves off and punch back in cyber. Here's Alexei Bulazel, the highest ranking cyber official on Trump's team and the head of cyber at the National Security Council, speaking at RSA, the security conference, back in April.
Reporter
I think there's a lot we could do to impose costs on these adversaries. Say, if you come do this to us, we'll strike back at you. We'll punch back. I'm very interested in, again, working on offensive cyber and destigmatizing and normalizing the use of offensive cyber as a tool of national power.
Analyst
I don't necessarily disagree with what he's saying. We've absolutely handcuffed ourselves on offense. But if we plan to go full tilt on offense, we sure as hell need to shore up the defenses. Because from what I've seen, cyber is not unlike physics. For every action, there is an equal and opposite reaction. Every cyber attack has a way of boomeranging back. Unlike bombs and traditional weapons, we don't just drop these things and watch them blow. This is code we're talking about. And code can be dissected, reverse engineered, and ultimately turned back on its maker. So if we're going there, then cyber defense absolutely should become our number one national priority. And that defense has to go beyond government targets, because we know the CCP is preparing for unrestricted warfare on civilian systems. And we don't just know it, we're seeing it. We don't know if or when they'll pull the trigger or how far they'll go. But it's long past time we pull our heads up out of the sand. This is happening. Pretending it's not is a losing strategy. It guarantees America loses before the real battle has even begun.
Expert
We don't want to be scaring the hell out of people, because that's not effective. When you scare people, minds just close off and they really don't want to talk about horrible things happening, so they'll just ignore it and go do something else. And you don't want to be seen as the girl that cried wolf. You, as a storyteller, know that. The other thing is we do not talk about this threat without talking about all the things that we're doing and can do about it, and what businesses large and small can do about it. And that's what I think is the important thing.
Analyst
In the 15 years I've been tracking cyber threats, one thing has held true. Human nature tends to ignore the warning signs until it's too late. Even those who are running our most critical infrastructure don't want to believe that they're targets. They want to think that this doesn't apply to them or that they're immune, until they're not. People don't get religion on cyber until they're breached. And only then do they truly understand the stakes, take stock of their dependencies, and do what is necessary to limit the blast radius for the next attack. Everyone else, we're just waiting our turn. And that's where the real danger lies. Because the targets we're seeing Chinese hackers infiltrate aren't paint and beverage companies anymore. Without solid mitigation and recovery plans in place, it's not just going to be disruption. It's game over. There might be nothing left to recover. Here's Dale Peterson. And just a quick definition repeat here. Dale will refer to OT systems. It stands for operational technology. If IT is the business network, OT refers to the computers that control the pipeline, the grid, the actual train switches on the track.
Former Official
A lot of these companies have never suffered a major impact, an outage, a financial loss, equipment damage due to a cyber incident on OT. So there's still this belief that they're immune to the OT security threat. If you even look at the numbers, we're seeing about 75% of the OT outages over the last two years, when there is actually something that happened in cyber that caused a factory or a water utility or anything like that to go down and not be able to do its physical function, that was ransomware on IT. So that's still by far what's causing the most problem. It's almost this barbell issue. You have these common attacks that you have to worry about, and then you have these potentially very serious attacks for a company or a community or a country. And that's the one that really isn't getting the attention. I think that's, you know, when you keep going back to China, that's the one that's a little scary, because we're not up to that challenge today.
Analyst
How we rise to that challenge is the question we all have to reckon with. I wish I could tell you it's as easy as setting up a firewall and updating your antivirus software, but unfortunately, it's a lot harder than that. I've long said that if cybersecurity was purely a technical problem, we would have solved it decades ago. But we didn't solve it. And that's because technology is only part of the solution. This is a whole of society problem. It's an education problem, it's an incentives problem, it's a question of resource allocation, it's a leadership problem, a culture problem. To truly solve our cybersecurity predicament requires a complete rewiring of how we think about our borders. Americans still like to pretend we live on an island protected by two vast oceans. But on the Internet, those oceans no longer exist. Our enemies, they're mere milliseconds away. And in too many cases, they're all.
Cybersecurity Specialist
So I think we have to hope for the best and plan for the worst. And what I mean by that is there's no way to definitively know what you're describing, whether what we're seeing on a network is simply intended as a signal of, here's how bad it could be, then a choice not to employ that capability, or if it might be multiple networks all at once where they're disrupted. Particularly concerning across government is the breadth of the pre-positioning that we see. We see it in the transportation sector, we see it in the water sector, we see it in the communications sector, we see it in the energy sector. And the worst day is an everything everywhere all at once scenario, that all of a sudden some other factor or thing happens in the environment, and all of a sudden we see disruption in multiple sectors simultaneously with services to the American public going out. Now, that may not be what actually happens, and it may be that nothing happens. But with what we see here at CISA, we can't afford to hope that that's not the outcome that we come to. And so that's where we are really taking an approach of saying we have to sort of drive security with industry, so industry helping these customers defend their network. And we have to drive resilience within these networks so that even if they're disrupted, they know and can operate in a degraded environment.
Analyst
That was Andrew Scott, and what he's talking about here is cyber resilience. Now, resilience can come across as just a buzzword, or worse. If you turn your attention to what to do once intruders are inside, it might seem like you're throwing up your hands, throwing open the doors. But shifting our focus to resilience isn't giving up, it's facing the reality of the situation. If we can't deter them from getting in and we can't keep them out, then how do we make sure that the worst day is not the last day? That a breach of you, of your supplier, of your local water department, of the power company, is limited in scope, in duration, in impact.
Cybersecurity Specialist
How do we sort of prepare for and do all the things that we need to in order to ensure that the critical services that Americans rely on every hour of every single day can maintain delivery in a degraded or contested environment? Should the PRC undertake an effort to reunify with Taiwan? Because we think there's real risk. So for us, that confluence of what we at CISA have found through our victim engagement of no, they are on these networks. They have access. They could pivot to operational technology environments if they wanted to. And if directed to. It's a clarion call to action, both for us as well as all of our industry partners to do everything that we can to prevent those goals from becoming a reality.
Analyst
A clarion call to action. Which brings me to you, dear listener. It's incumbent on each of us to think very hard about where we fit in this ecosystem, because it only takes one of us to be an entry point or a roadblock. It is true that security is only as good as its weakest link. And in too many cases, that weak link is us. Hackers aren't breaking in anymore. They're logging in. They're using our recycled passwords. They're exploiting our lack of multi-factor authentication. That's how hackers breached Colonial Pipeline and, more recently, Change Healthcare and the entire health system with it. We need to start taking cyber hygiene dead seriously. But we also need to start gaming out fallback systems that hold even when the lights go out. I'm talking about backups, backup control rooms, backup data rooms at alternate locations, tighter controls, air gaps. So if a hacker does get into the business systems of, say, Colonial Pipeline, they can't de facto shut down our pipeline system too and take the nation down with it. Or if they do get into the pipeline, we have ways to override their commands to limit the scope and hasten the recovery. Back to Dale Peterson.
Former Official
Any company right now has to say, my IT network could be compromised at any time. Any sort of security program I put in place, I can't feel highly confident that this will not happen, so I'm going to assume it happens. What is my response and recovery? And not that there won't be pain, but will the pain be acceptable? And that should be doable for most companies, but it seems like every time it happens, it's a big surprise. And I think that we're really missing the boat when it comes to recovery almost more than we are on the security angle.
Analyst
There's a great untold story in the early days of the Ukraine war. The abbreviated version is that Russia launched an unprecedented cyber assault on Ukraine from all angles. It didn't get much attention at the time. It still doesn't, especially once the bombs started to drop. But in those first days, Russia launched an attack on Viasat, the Internet satellite broadband provider, that cut off Ukraine's access to the Internet. But in came Starlink, which kept Ukraine's connection to the outside world alive and really gave the country a fighting chance. Russia did launch an unprecedented denial of service attack on Ukraine's banks, on government agencies, but in stepped Amazon and Google and Cloudflare, and they were able to mitigate the onslaught. Russia did get into Ukrainian power stations, but security experts in private industry and at Ukraine's cyber defense agency and our own detected the malware before it was time to detonate. And they rooted it out. That is cyber resilience. Here's Heather Adkins, who you may remember from our first episode as a founding member of Google's security team. "You cannot prevent everything, and it will ultimately come down to how quickly you recover. Super inspiring to see what the Ukrainians are doing. They get hacked, they recover, infrastructure keeps going. And I think that that is a lesson for all of us doing defense. You should be 100% focused on prevention and recovery. It's not one or the other. Do both. You'll prevent as much as you can. Eventually something will get through. You should be recovering fast and recovering well." A big part of this is gaming out the worst case scenarios. Resiliency is taking stock of your crown jewels and all of your dependencies. It's asking yourself one simple question. What is my one thing? The one thing that, if it were to be taken or degraded, would be game over for you. And then it's asking, how do I wrap that asset with as much protection and redundancy as possible?
Your answer to this question will vary depending on whether you're answering it as an individual or as a professional. As a mom, my one thing might be photos of my kids as babies, letters from deceased relatives. So I do what I can to prevent those from getting hacked. I use MFA. I use a password manager. But resilience is accepting that they might be stolen or that I get hit with ransomware. So I also back them up on hard drives and keep those offline. I print those photos out. I make copies. These days, it only takes 15 seconds of a voice recording to be used in a deepfaked phone call. So I have individual code words with my kids. If they call me in distress, my first question will be, what's the code word? As a journalist, it was very different. My one thing was my sources. So in the most sensitive cases, I took those conversations completely offline. I met in person. I didn't drive to meetings in my car, which is now a smart device. I didn't take Uber. I didn't even bring devices. I used pen and paper, and I made my notes unintelligible to anyone but me, so that if or when anyone got a hold of them, it wasn't all-out compromise. That same thinking and vigilance should guide companies. There's a line I think about a lot from Andy Grove, the former Intel CEO. Only the paranoid survive. You should absolutely do everything you can to prevent the breach. But perfect security is a pipe dream. So you need to think long and hard about what happens when they do get in, because the odds are they will. So you need to make sure the compromise of one account, one supplier, one pipeline doesn't lead to a whole nation shut down. You have to run tabletop exercises starting from hour zero through however long it takes to get you back up and running. And you need to do this repeatedly until it becomes second nature to you, to your company, to our culture.
Expert
In the military, you always talk about the most probable course of action and the most dangerous course of action. You work through the most serious, dangerous course of action, and you exercise through that so that you're working through, well, what will I do knowing that these systems will come down, and what do I need to do to build them, to have the right workforce, to have the right architecture, so that I can respond rapidly but that I can recover within this certain time. Recovery time objectives. So, you know, I'm not going to be down for two weeks. I can be down for three days. And you work through that very deliberately.
Cybersecurity Specialist
Ultimately, at the end of the day, you know, some of this is a goal of make a cyber attack have the same effect as a lightning strike. Can we live without power for a day, an evening, a couple days, because you're reconstituting the physical infrastructure? Absolutely. It happens all the time. I think the real key is how do we prevent these outcomes from being sustained in duration?
Analyst
I do think it's vital for each of us to be more aware, more vigilant. But I want to be realistic here. Saying that one individual alone can gird themselves against the full might of a major world power is absurd. It's like saying that one person's decision to use a single paper straw is going to resolve climate change. You should absolutely be changing the default password on your home router, using MFA where you can. But that's not going to do any good if router makers keep shipping us devices with gaping holes in them, then refusing to service those devices with patches or other technical support when they reach end of life. That's on them. And because these companies are more beholden to their shareholders than they are to the security of their customers, it's really on government to force it upon them, to mandate that they sell software and hardware that's secure right out of the box. Like automakers. If there is a defect, they should be forced to fix it and bear the cost of the recall. All of this is what's called Secure by Design. And under Jen Easterly this became a major priority at CISA.
Cybersecurity Specialist
You've seen out of CISA and out of the administration, in the Biden administration, very much a focus on, like, shifting the burden of security to those who can bear it, to the manufacturers of hardware and software that quite frankly need to do better with building in security by default into their hardware and software. We can't keep expecting small to medium-sized critical infrastructure owners and operators who have limited bandwidth, limited resources, to bear all the burden of securing their networks and infrastructure. And we think that there's a lot more that industry can do in that space to really build in and bake in security.
Expert
From the beginning, Secure by Design is really focusing on technology vendors doing everything they can to prioritize security and product development so safer, more secure products so that the burden isn't placed on customers and the end users and small businesses or even the big businesses to have to constantly patch vulnerabilities.
Analyst
Secure by Design is perhaps most urgent in one particular burgeoning field: AI. Artificial intelligence is rapidly embedding itself in how we communicate, how we diagnose illness, in surveillance and national defense. It promises incredible advancements and efficiency, freeing us to focus on higher order tasks. But behind the scenes, it's unleashed a Pandora's box of complexity. And complexity is security's greatest enemy. It allows for entirely new points of entry and an entirely new range of dependencies, many we don't and won't understand until someone exploits them. Every time we engage GenAI, we're not just asking a question, we're handing over the keys to our private lives, our medical histories, our business secrets, even our unspoken thoughts. I find the whole exercise to be a quiet, compounding surrender of trust. And soon that trust will be granted to AI agents, not just to answer our questions, but to manage business operations on our behalf. As a society, it appears we're determined to dive head first into AI without a second thought as to how this might one day be used against us. On this, I want to play you an interview that Paul Tudor Jones, the hedge fund manager, recently gave to Andrew Ross Sorkin this May.
Reporter
I went to this tech conference about two weeks ago out west, and I just want to share with you what I learned there. There was a tech panel that had four of the leading modelers of the AI models that we're all using today. The quick three takeaways from that are: one, wow, AI can be such a force for good. And we're going to see it immediately in both health and education, very quickly. That's the good news. Two, the neutral news, these models are increasing in their efficiency and performance. And then thirdly, and the one that disturbed me the most, is that AI clearly poses an imminent security threat, imminent in our lifetimes, to humanity. And kind of about halfway through, someone asked him on AI security, well, what are you doing on AI security? And they said, the competitive dynamic is so intense among the companies, and then geopolitically between Russia and China, that there's no agency, no ability to stop and say, maybe we should think about what actually we're creating and building here. And then he went on to say, I think it's going to take an accident where 50 to 100 million people die to make the world take the threat of this really seriously. Well, that was a freaky dig to me. And no one pushed back on him on that panel.
Analyst
What he just told you is that behind closed doors, the leaders of every major AI model are deeply afraid that the very systems they're building could one day be used to kill off millions. Not necessarily because AI becomes sentient and suddenly takes over everything, but because it could be used to operate and automate what we have discussed here. It could be used to do what hackers currently are doing, manually hacking into our critical systems like food and water, at scale. And yet no one is hitting pause. Why? Because the AI arms race, especially with China and very recently with DeepSeek, is so intense that there is simply no incentive at the national or industry level to pause and do what is necessary to mitigate against these harms in the build. Trump already gutted Biden's AI executive order, which, among other things, required AI developers to test for potential harms before they released these tools into millions of hands. And buried in Trump's new big beautiful bill, the one that just passed the House, lawmakers snuck in a clause that explicitly bans state or local governments from regulating AI on critical systems like our elections. For 10 years. We don't even know what offensive AI is going to look like a year from now, let alone a decade. And we're tying our own hands behind our back. And that, that is truly terrifying because AI is still very much an infant. And like a child's earliest years, these first stages are formative. We have a critical but narrow window to get this right, but that window closes a little faster every day. AI is already outpacing Moore's Law. We're in the midst of a full blown paradigm shift. The question now is, will we repeat the mistakes of our past or will we do what is necessary to get this right? The emergence last January of a little known Chinese AI startup called DeepSeek may be an early stress test.
Reporter
There is a new model that has all of the valley buzzing and it.
Analyst
Does not come from OpenAI or Meta.
Reporter
Or Google or any of those names.
Analyst
It's called DeepSeek. It took Google and OpenAI years and billions and billions of dollars to build the latest AI large language models. But now a Chinese research lab has built a competitive model in just two months with dumbed down GPUs for less than, get this, $6 million, not billion, $6 million. We've got a bit of a tech.
Reporter
Sell off this morning and it's being caused by earth shattering developments in the AI space. And here's why. There's a Chinese startup that has emerged as a real player in the AI arms race.
Analyst
It's called DeepSeek.
Reporter
And DeepSeek's AI model has developed.
Analyst
Technology that can actually be competitive with.
Reporter
OpenAI and Google and xAI and all these more established players. Investor Marc Andreessen calls the new Chinese AI a Sputnik moment. Somebody else called it ChatGPT.
Analyst
When DeepSeek first dropped its AI model last January, it landed like an earthquake. Not just for what it did, but for how it did it. DeepSeek was able to accomplish much of what OpenAI and Google and Anthropic and Meta could do with their AI models at a fraction of the cost and computing power. And then came the kicker. DeepSeek released its model as, quote, unquote, open source. And those quotation marks are very much intended. Here's Igor Jablokov, an AI pioneer who sold the technology to Amazon that would later form the basis of Alexa, and more recently serves as the founder and CEO of Pryon. What does it mean that DeepSeek is quote unquote, open source?
Reporter
Yeah, in some ways it allows experimentation to be built on top of it. So, meaning you can fine tune models because you have open weights and things of that sort. It's a little bit different than the way that most have viewed open source in the past, which means think of it in a code context where you can see all of the lines of code and then compile it for yourself so that you can go ahead and investigate in terms of what influences were put into the actual code.
Analyst
The distinction between open source and what Igor refers to as open weight is a critical one. With a truly open source approach like Wikipedia, you can click in and interrogate where all the information you're reading came from, down to who wrote the words. And when you can see which sources they reference, you can investigate those sources, you can check the work, edit and make improvements. DeepSeek is not actually open source in that sense. DeepSeek is open weight. The pre-trained model weights are available for download and use, but the actual training data, the training code, are still a black box. You can't replicate it, you can only build on top of it. Sticking with the Wikipedia analogy, it'd be like going to a page and reading the content, but the footnotes and author sections are blacked out. You can add to it, you can build on it, but you can't check the work.
Reporter
So in some ways, I have to say, the AI industry has been using the term open source rather loosely because it's fooling people into thinking that you can actually rebuild and recompile this thing for yourself, which you can't because you need the source training data. And that's where a lot of risks could be induced in this style of model.
Analyst
And therein lies the risk.
Reporter
What is it not showing us? We don't know if it has embedded agents or not. From a supply chain perspective, we just don't know. So there's certain things it's not revealing to us. So without knowing what's an ingredient, I mean, you're eating the final product and basically at a cursory level, it's like taking a delivery of an eclair and saying, I can't really affect the creation of the eclair or recreate it, but I can change the icing on it. That's basically how you have to think about these things.
Analyst
So you can build on top of it, but you can't completely understand what's inside. And you can use it at a tiny fraction of the cost of OpenAI's GPT, and we're talking cost savings of 96%. In some sense, it's Huawei in a different form. Its pricing and efficiency all but guarantee that without some intervention, these cheaper Chinese AI models will become the de facto backbone of the next generation of technology. And that presents real risk. Now, how much risk depends on how you use it, right?
Reporter
It depends on how you're using it, whether as a local model or through their iOS app or through the API. So through the iOS app, I mean, that's literally, you know, it made it to the top of the App Store. All these folks are downloading it and potentially compromising client or employee data as a result, not knowing that it's going to a hosted service, and potentially even through contact centers that are monitoring what's flowing through the system.
Analyst
We don't know exactly how these risks will materialize, but DeepSeek is already seeing wide global adoption, predominantly in Asia, but we're also starting to see it adopted here. More than a thousand enterprises, including some in the Fortune 500, have integrated DeepSeek into their operations. The bans are starting. Italy moved quickly to ban it. Taiwan and South Korea have banned DeepSeek from government and critical sectors like energy. Canada and India banned it from government. Here, we've banned it inside the Pentagon, the Navy and other federal agencies like NASA. States like Texas and Tennessee are implementing their own bans. And Microsoft has now banned it for its employees and from their App Store. No doubt others will follow suit. But again, it's still early days. We still have the ability to establish guardrails. We can and should limit how much autonomy we give these tools, and we should start now. But I also want to acknowledge that AI is more than a liability for many of the experts I spoke with. It's also a beacon of hope. Here's Nate Fick, our inaugural Cyber Ambassador who served under Biden.
Reporter
Is AI being used offensively? Yes, undoubtedly. I mean, I think it's intrinsic. We have to recognize that these technologies are always going to be used to generate advantage. But I'm even more excited, actually, about what AI can do on the defensive side. I think about the years that I spent running a company that was doing its best to build safe and secure software and investing an enormous amount of time and energy and money and quality assurance, and yet still, when you're talking about millions and millions of lines of code. It was buggy stuff. And using AI to build better software, to create things that are more truly secure by design, I think is pretty exciting.
Analyst
What Nate's saying is, yes, AI is already being used to hunt for vulnerable systems, to generate zero-days and break in. But the same capabilities that can find flaws can also fix them. All those bugs we introduced in our rush to move fast and break things, AI can do what our puny human minds seemingly cannot: build secure code from inception. And theoretically, it could even be used to go back and refactor faulty code at scale. All those sitting duck routers out there, the ones that reached end of life, the ones Chinese hackers are using right now to burrow into our infrastructure, AI could theoretically be used to hunt them, lock them down, and kick hackers out. Not yet. But that application is not far off. And maybe most exciting of all, right now, AI tools exist that can spot the tiniest blips, the faintest signal. Like a Volt Typhoon hacker pinging a system every 90 days just to check they still have access. AI could help slash those dwell times from years and months down to days, maybe even down to minutes and seconds. Here's John Hultquist.
But I'll tell you what, we did a hackathon, a security AI hackathon, to see how some of the security engineers at Google could use AI. And I think there were 43 teams competing to just show us what cool thing you could do with AI for security. Nicole, if you sat in that room and you're a VC, you could have walked away with 20 new companies. Like, it is massively powerful for what security practitioners do because it's really good at finding anomalies, finding efficiencies. There's just a lot of really cool applications for what we do every day that are really exciting. And I actually think it's going to be ultimately a better tool for us than them, because what we're really lacking against them is efficient means to hunt them and essentially track them. And AI is really good at a lot of those pieces. And, and I, I was blown away. Like, I was shaking my boss's like, arm. Like, I can't believe this. This is incredible. It's a really powerful tool. So I'm excited. I think it's going to be a game changer for defenders. You know, we talk about the defender's dilemma or the adversary advantage, and let me tell you, like, I'm a military history nerd. There was a time when they said the same thing about the cavalry. Dudes on horses would roll through, you know, a formation, and that was it. There was the offensive advantage. And then the machine gun came and the game changed like that. It is completely possible that we could shift the game here, and I'm hoping that this will do it, but we're not there yet. We're very much in the experimental phase of this whole thing. So we'll see how a lot of this shakes out.
Exactly how we let this shake out could determine whether AI revolutionizes our cyber defense or undermines it. In the early days of software creation and the Internet, we never paused to imagine how all this digital connectivity could be used for information, mayhem and mass destruction. Now we don't have to imagine, and.
Expert
We have to keep in mind we had no guardrails around the creation of software. We just let it eat the world and give everybody food poisoning. You know, that's why we have a world where the Internet is full of malware, software is full of vulnerabilities, social media is full of disinformation, and we can't make that mistake with AI. So those guardrails that we put in place are incredibly important for the safety and security of global citizens everywhere.
Analyst
And here's where I believe it's time for us to stop admiring the problem and actually move towards solutions. Because cybersecurity is national security, none of this will be easy. Addressing our cyber vulnerability is complex, arguably too complex to enumerate in a podcast. And if you really want my full thoughts here, I suggest you read the final 25 page chapter of my book, This Is How They Tell Me the World Ends. Solving our digital predicament will involve hard compromises to our economy, to the way we do business, to our way of life. It will involve identifying and defending our weakest links, the so called target rich, cyber poor among us, the local water treatment facility that may not have the money or the people to meet this challenge. Today, we've seen progress. Think back to Nick Lawlor in Littleton, Massachusetts. His attack was detected and rooted out by the very same agency, CISA, that's undergoing massive cuts right now. The worst thing we could do is go backwards. We have levers to pull. We have clear, established ways to shore up our security, our resilience. Doing nothing is leading us down a dangerous path. We can demand our government representatives do more to mandate and support basic security requirements. And we can and should do this in a bipartisan way. It doesn't have to mean red tape and fines. We could offer tax credits to those that meet security standards and show that they're improving their attack surface over time. We can and should mandate that the products we rely on are secure right out of the box and that our suppliers, whether they sell HR software or HVAC systems, meet these standards too. And very soon, if not already, we can deploy AI to do what we humans are too lazy or too overwhelmed to do on our own. We have new tools to pick up and isolate attacks in ways that simply weren't possible as recently as last year.
We should find ways to democratize the use of those tools because at the end of the day, we exist in an ecosystem. You could be a multi-billion dollar enterprise with all the security bells and whistles, but what good is that going to do you when your municipal water supply goes dry or worse? We're all in this together. And while it may feel impossible now, we can and should pursue new levers of diplomacy. We have to climb our way out of this 25 year deterrence hole we're in with China. Here's David Barboza at our live panel back in March.
Reporter
If there are more tariffs on China, if Trump calls out China more, I think you'll see them double down on getting into US infrastructure. You can guarantee that they're going to be more aggressive. If they see that as leverage, then this is what we need to do for the next negotiation. And I think a lot of these things about Taiwan are also about giving them the leverage to say if the US in any way moves on Taiwan or changes the policy enough. Just letting you know we're in everything, we want you to know that we want to show that China is more powerful now. They're probably going to show that they don't have to bend or bow as much or even negotiate in the same way. And this environment is ripe for them to be a bit more aggressive. So I think we should expect more.
Analyst
From China in this period of rising tensions. We should absolutely expect more hacking, more IP theft, more targeting of critical infrastructure from China. But this current approach to China, it's not the solution. In many ways, it's too late. Listen, we let China take some of our most valuable assets, our IP. We looked away as companies went bankrupt, factories shut down, entire towns were hollowed out. I believe that economic devastation helped sow the resentment that is shaping much of our current politics. But what no one ever talks about is the hacking. In an ideal world, my view is we would have exacted tariffs on China 15 years ago, stiff tariffs or even outright bans on any Chinese product that relied on our own stolen IP. And ideally, we would have done this together with our allies to make sure that these Chinese copycats didn't eat up our global market share and wipe out our companies and factories. And then, and again, this is Nicole's ideal world here, we would have all ratcheted up those tariffs and upped the pain each and every time we caught Chinese hackers rifling through our critical infrastructure. Instead, we let them do all of this for free. But what we're doing now, this impulsive trade war we're in, where we carve out exemptions for some but not others, implement one tariff rate one day, another the next, it's not deterrence. Deterrence requires coherent policy and universal enforcement, and we can't do it on our own. We need allies in this fight. And in case you've been living under a rock lately, we're losing our allies left and right. Just this month, May, the Democracy Perception Index released a survey of 96 countries. For the first time ever, the vast majority, nearly 80%, said they held a more favorable view of China than the United States, and that might be the most glaring red warning light of all. Because a country is more than its borders. It's a story.
And once the world stops believing in the story of America, it's not just our alliances we lose. It's our leverage, our legitimacy, and eventually our ability to solve the problems that will define the next era. These are the critical assignments of our time. Many will say that they're impossible, but we've summoned the best of our scientific community, government, industry, and everyday people to overcome existential challenges before. There's no reason why we can't do it again. So my plea to you is this. Identify where you can put your own finger on the scale and press down. It's all too easy to tune this out, to think it couldn't be further from you, that some cyber guy somewhere has it all taken care of. But that couldn't be further from the truth. Solving this takes all of us. Even if your job couldn't feel further from the digital realm, even if you're thinking to yourself, but I'm just a pipeline operator. I run a small town power company. Ready or not, you're on the new front line. Welcome. Welcome to the battle of our lifetime.
Reporter
But if you think these issues are just an intelligence issue or a government.
Former Official
Problem or a nuisance largely just for.
Reporter
Big corporations who can largely take care of themselves, you could not be more wrong. It's the people of the United States who.
Former Official
Who are the victims.
Analyst
To Catch a Thief is produced by Rubric in partnership with Pod People with special thanks to Julia Lee. It was written and produced by me, Nicole Perlroth, and Rebecca Chasson. Additional thanks to Hannah Petterson, Sam Gabauer and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.
Detailed Summary of "To Catch a Thief: China’s Rise to Cyber Supremacy" - Episode 9: The New Frontline
Release Date: May 29, 2025
Introduction
In Episode 9 of "To Catch a Thief: China’s Rise to Cyber Supremacy," host Nicole Perlroth delves deep into the escalating cyber threats posed by Chinese state-sponsored hackers. The episode underscores the sinister evolution of these cyber operatives from "polite, mediocre hackers" to "apex predators" targeting America's critical infrastructure. Through interviews with experts, victims, and cybersecurity specialists, Perlroth explores the motives behind these attacks and the profound implications for national security.
1. The Colonial Pipeline Attack: A Wake-Up Call
The episode opens with a vivid portrayal of the chaos unleashed by the Colonial Pipeline ransomware attack in May 2021. The disruption led to gas shortages across the East Coast, causing panic buying and widespread economic ramifications.
Reporter’s Account [00:01-02:23]: Describes the immediate aftermath of the pipeline shutdown, highlighting long lines at gas stations and the nationwide panic.
Analyst Insights [02:23-03:26]: Explains that the attack targeted Colonial Pipeline’s IT systems rather than the pipeline itself, forcing a shutdown. A confidential Department of Energy assessment revealed that the U.S. could have faced total economic collapse with just a few more days of downtime.
Expert Commentary [03:26-04:01]: "You would see clear panic, you would see clear chaos." This incident was meticulously observed by Chinese leaders as a demonstration of the vulnerabilities within the U.S. infrastructure.
2. China's Strategic Cyber Infiltration
Nicole Perlroth shifts focus to the broader strategy of Chinese hackers infiltrating critical U.S. infrastructure sectors such as transportation, water, power, and communications.
Expert Analysis [04:24-04:59]: "It is a very real threat that the hunt teams that we have at CISA have identified and we've found them in transportation and water and power and communications." Experts believe that the revealed cyber threats are just the "tip of the iceberg."
Analyst Reflection [04:59-07:06]: Emphasizes the distinction between the Chinese government and the Chinese people, warning against xenophobia and its potential to escalate tensions.
3. Taiwan and China's Reunification Goals
A significant portion of the episode examines China's strategic objective to reunify Taiwan with the mainland, viewing it as essential to the "Great Rejuvenation of the Chinese nation" by 2049.
Analyst Insights [07:29-16:32]: Details Xi Jinping's unwavering stance on Taiwan, viewing it not just as a province but as a crucial geostrategic asset essential for China's military dominance in the Pacific. Taiwan's position in the "first island chain" serves as a natural barrier against Chinese naval expansion.
Expert Commentary [12:23-16:13]: "Must share in the glory of national rejuvenation." Highlights the economic and military significance of Taiwan's semiconductor industry, particularly TSMC, which produces over 60% of the world's advanced chips.
4. Cyber Warfare Strategies: Unrestricted Warfare Doctrine
The episode delves into China's "Unrestricted Warfare" doctrine, a 1999 manifesto by PLA colonels that outlines strategies to incapacitate adversaries without direct military confrontation.
Analyst Explanation [08:07-09:41]: Discusses how China's strategy involves targeting civilian infrastructure to induce societal panic and weaken the adversary's will to fight.
Expert Insight [09:41-11:04]: "This threat is about being able to launch disruptive and destructive attacks in the event of a major conflict in the Taiwan Straits."
5. Telecommunications Breaches: The Salt Typhoon Case
Perlroth highlights the Salt Typhoon hack, where Chinese hackers infiltrated major U.S. telecommunications providers, accessing sensitive data from high-level officials and private citizens.
Analyst Overview [42:34-44:32]: Describes the breadth of Salt Typhoon’s infiltration, which affected AT&T, Verizon, T-Mobile, and others, stealing records, intercepting voice calls, and compromising wiretap systems used by the Justice Department.
Consultant Analysis [43:24-44:18]: Emphasizes the severe risks posed by such breaches, including the potential exposure of intelligence agents and national security information.
6. Cyber Resilience and Defense Strategies
The episode underscores the importance of cyber resilience—preparing for and rapidly recovering from cyber attacks to minimize damage.
Expert Advice [57:12-63:44]: Experts advocate for a dual approach of prevention and recovery. Heather Adkins from Google emphasizes the necessity of quickly recovering from breaches to maintain infrastructure functionality.
Consultant Recommendations [62:58-66:03]: Encourages organizations to identify critical assets ("crown jewels") and establish robust backup and recovery systems to ensure continuity during cyber disruptions.
7. AI and Cybersecurity: Double-Edged Sword
Perlroth explores the role of artificial intelligence in both enhancing cybersecurity defenses and posing new threats.
Analyst Discussion [75:03-85:51]: Examines how AI can be leveraged to detect and mitigate cyber threats more efficiently. However, the rapid advancement of AI technologies, exemplified by the emergence of China's DeepSeek, raises concerns about AI being used offensively to automate and scale cyber attacks.
Expert Opinions [88:19-91:54]: Highlights the potential of AI in hunting vulnerabilities and improving defense mechanisms. Conversely, warns against the lack of regulatory guardrails, which could allow AI tools to be exploited maliciously.
8. Recommendations and Call to Action
The episode concludes with urgent recommendations for strengthening cybersecurity across all levels of society.
Analyst's Plea [92:23-100:36]: Advocates for a comprehensive national strategy encompassing secure-by-design principles, mandatory security standards for manufacturers, and bipartisan support for cybersecurity measures. Emphasizes the collective responsibility of individuals, businesses, and government to enhance cyber defenses.
Expert Suggestions [54:16-57:47]: Urges the adoption of secure coding practices, regular security assessments, and investment in advanced cybersecurity technologies to build a resilient infrastructure capable of withstanding sophisticated cyber threats.
Conclusion
Episode 9 of "To Catch a Thief" serves as a stark reminder of the pervasive and evolving cyber threats posed by China’s state-sponsored hackers. Through detailed analysis and expert testimonies, Nicole Perlroth elucidates the strategic intent behind these cyber infiltrations and the urgent need for a unified, resilient response. The episode calls for a paradigm shift in how America perceives and defends its digital borders, emphasizing that cybersecurity is not just a technical issue but a fundamental aspect of national security that requires collective vigilance and action.
Notable Quotes
Expert [03:26]: "You would see clear panic, you would see clear chaos."
Analyst [07:29]: "The PRC is inside the house."
Consultant [15:29]: "The party sees Taiwan's independence as an existential threat."
Reporter [32:26]: "What happens when or if they decide to detonate on the access they already have."
Former Official [25:02]: "Beijing is next to certain that the United States would intervene militarily if they attack Taiwan."
Expert [49:06]: "We are a Rule of law country..."
Reporter [76:46]: "AI clearly poses an imminent security threat, imminent in our lifetimes to humanity."
Expert [53:18]: "This is way over the line."
Analyst [100:36]: "Welcome to the battle of our lifetime."