Caveat 8.14.25
Ep 273 | 8.14.25

Governments go on the offensive

Transcript

[ Music ]

Dave Bittner: Hello everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland's Center for Cyber Health and Hazard Strategies. Hey there, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: And our N2K CyberWire colleague and author of the "Caveat" newsletter, Ethan Cook. Hey, Ethan.

Ethan Cook: Hey, guys.

Dave Bittner: On today's show, Ethan takes us through his in-depth research on cyber operations and the roles offensive and defensive efforts play. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Ethan, let's jump right in here. You have put together a deep-dive document all about cyber operations. Can we start off with just some definitions here? What exactly is encompassed when we say cyber operations?

Ethan Cook: Yeah, so, you know, kind of a vague, often kind of when you think about it, like, okay, consider a lot of things. But the way I looked at it, the way it seems that most people define it, is anything that the government is doing that is related to both offensive or defensive efforts in cyberspace. So that could be efforts such as protecting critical infrastructure, to all the way on the flip side of it is disrupting hostile networks. So it's a pretty wide scope when we talk about operations and cyber operations. But I would say it's, you know, government motivated, things that we're doing to typically impact the space for the betterment of whichever country is doing it, whether that be the EU or the US or UK or Canada, whoever it may be, trying to secure themselves or take down a network or an adversary's network that they feel could -- maybe it's a ransomware network that they're trying to disrupt.

Dave Bittner: Well, let's dig into some of the specifics again, staying, just sort of laying out the framework here. Can you describe for us what we're talking about when we say offensive versus defensive efforts?

Ethan Cook: Yeah, so I would say that when we think defensive, this is kind of the staple that we've had for the better part of over two decades, where governments, and, you know, think about when we talk about cyber and if you think about how governments have approached it, a lot of the conversation has revolved around this, we need to protect critical infrastructure. We need to recover from attacks faster. We need to secure ourselves or secure vulnerable systems or manage vulnerabilities or engage in better intelligence sharing when it comes to defensive efforts. A lot of the conversation on the defensive side of it, which has dominated a lot of the conversation up until this point, has revolved around how do we secure ourselves and prevent a malicious actor, whether they be another nation state, whether they be a hacktivist, whether they be a crime syndicate who's just trying to make money. How do we protect our organizations and our critical infrastructure from any downtime, anyone that could, you know, disrupt services for the American people or, you know, another country, et cetera.

Dave Bittner: So off -- or I'm sorry. So defensive is kind of the castle gate, the moat around the castle.

Ethan Cook: Exactly.

Dave Bittner: Yeah. Yeah.

Ben Yelin: And now we're storming the castle. The other guy's castle.

Ethan Cook: Exactly. And now we have that other side of the coin, which is that offensive side. And I would say offensive for traditional, you know, US approach and many of its traditional allies does not mean let's target some random person and, you know, steal their information. That's not really what that entails, which is when we think of offensive cyber, you know, people think, oh, phishing, scams, all that kind of stuff. Not talking about that. We're talking about very targeted attacks to disrupt a hostile actor. So for example, the best thing that a lot of people would think of would be like Stuxnet in Iran when -- you know, a lot of classified information about that. But a lot of the -- for those who don't know, a worm was deployed and was able to infiltrate its way in and disrupt centrifuges. And it was a very, very sophisticated, very targeted attack to disrupt nuclear enrichment. And that is the kind of more offensive talks that we have traditionally thought of, which is we are going to deploy very sophisticated, very specialized malware or disruption efforts that are targeted against a very specific person, not broad sweeping, not like a widespread ransomware attack like we saw with WannaCry, which just didn't care who it hit. It hit everyone. That is more the offensive talks that we're thinking of.

Dave Bittner: So targeted and preemptive.

Ethan Cook: Yes.

Ben Yelin: Yeah, so there are a couple of interesting things going on here. One is the rise of AI-powered offensive capabilities. I think that's interesting because it makes the work of offensive cyber operations much more efficient and requires fewer or less human involvement, which I think is economically more feasible, particularly for nation states. So you have things like automated offensive agents, AI-driven simulations, that sort of thing. And then the other thing is allocation of resources. So what's been kind of striking over the past several years is to see not just in the United States but around the world, digging into the numbers, as you did in your deep dive, a greater percentage of money spent on cybersecurity is now being spent on offensive cyber operations. So you mentioned the UK launching a one-billion-pound cyber-EM command by the end of this calendar year. The United States has invested a significant amount of money in offensive operations while at the same time cutting money. At least there are proposed cuts and some cuts during the DOGE process from CISA, which is for all intents and purposes a defensive agency. So those are kind of the two aspects of this that I think are particularly interesting.

Dave Bittner: Where do we stand right now, Ethan, in terms of the priorities here in the US, specifically with the Trump administration?

Ethan Cook: Yeah, so within the US, you know, Ben alluded to it, but I would say, you know, while many other nations across the world are pivoting to this more offensive mindset and the US is following suit with that, the Trump administration is also taking the approach of it's not just about increasing offensive efforts, it's also about actively pulling resources from defensive ones. Now, on that offensive side, I think the mentality that they're employing is, one, defense is not working. We're still having breaches. We're still having issues. Hostile actors feel emboldened and that they can still come in here and disrupt our ports, our critical infrastructure, et cetera. So just pouring more money into defense is not really solving the problem. And I think that the mindset that they're employing is if hostile actors know that we have credible proof that we will target you. We will, I think the one quote was, we can put bombs, you know, cyber bombs into your port infrastructure as well. Right? Or something along those lines. That they will feel, okay, you know, we don't want to do this race to the bottom. Let's see who can, you know, disrupt each other more. It's going to be kind of like a Cold War detente on the cyber operation front.

Ben Yelin: That's a good way of putting it. I mean, it really is the equivalent of the buildup of nuclear weapons during the Cold War era. And there's a lot of literature out there that that is the foremost reason why deaths from armed conflict have decreased so significantly over the past 80 years is this mutually assured destruction that if you have credible offensive weapons that would cause such significant damage, that is a massive disincentive for any other entity to commit an attack. And I wonder if we can get to that place with cyber operations. I don't think we're there yet. I think we'd almost have to see the equivalent of the Hiroshima of offensive cyber operations to understand like, okay, what's the most catastrophic effect of this type of operation? The one that shows us how dangerous these tools are, that will prevent us, that will provide the proper disincentive from engaging in cyberattacks on other countries. I think -- we haven't had -- despite the massive amounts of cyberattacks on this country and on our critical infrastructure, we haven't had that type of massive scale interrupts everyday life for the entire country style event yet.

Dave Bittner: Yeah, I mean, it's funny, you mentioned Hiroshima. I was thinking of just nuclear weapons tests, demonstrations, right? Here is the power that we possess without actually using it against anyone. But you're right. I mean, that's a possibility as well. I wonder what is the cyber equivalent of a nuclear weapons test of showing off what we could do without actually causing harm?

Ben Yelin: The pictures of mushroom clouds in New Mexico or whatever.

Dave Bittner: Right, exactly.

Ethan Cook: Yeah, I think it's one of those things that it's really hard to test it without really impacting really negative consequences, because I think, you know, when we talk about these massive breaches that have happened or incidents that have happened, you know, whether it be like a WannaCry, an Equifax, a -- you know, we had UnitedHealthcare was down from ransomware earlier this year, et cetera. All these instances, while they certainly impacted people, they were either short lived or they didn't impact everyone or they weren't targeting a very specific country or something along those lines. They cost millions of dollars and definitely disruptive, but it wasn't like, oh, my life, I can't get to work today or I can't get -- you know, the grocery store is closed because whatever. Like, you know, it's one of those things where it would have to be like, oh, the entire Eastern Seaboard went offline. Right? Where that would be a -- or, you know, a whole city went down. Like that's kind of the level that I think would need to happen for people to actually understand what these vulnerabilities can be exploited to like, you know, enact.

Ben Yelin: I think the closest we've had in recent history locally here in Maryland was the pipeline, the Colonial Pipeline incident, just because that was a significant shock to oil supply on the Eastern Seaboard. So people were waiting in gas lines. And that's something that we haven't done before. I mean, we had this incident yesterday as we're recording where, I don't know about you guys, I got an alert from our gas and electric company saying we might need to have massive power outages, widespread power outages.

Dave Bittner: Right, rolling blackouts.

Ben Yelin: Rolling blackouts because one of our power stations has gone offline. Now they were able to fix the glitch and overnight we were told that we no longer needed to conserve energy. So that's good. But like if that had been seen to fruition and that had been a cyber incident and the scale was large enough that everybody felt it, then maybe that's the type of catalyzing event where we realize like we need to invest more in this and create a greater deterrence for our adversaries.

Dave Bittner: Yeah, and, you know, we see this stuff with, for example, Salt Typhoon, you know, Chinese being in our telecommunications networks. I wonder how much are we in the cat and mouse of this, the spy versus spy, right? How much are we in our adversaries' networks and how much do you let them know that you're in their networks or that you have the capability of being in their networks at a time and place of your own choosing [laughs] right? You know, that sort of thing, because we don't really hear much about that. We don't hear much about our own efforts for those sorts of things, and yet I think all of us assume that we're certainly up to those kinds of things. Right?

Ethan Cook: Yeah. I mean, you know, I think part of it is for the past two decades, the conversation has always leaned towards we are going to defend ourselves. You know, whenever a major breach happened, it was never about, okay, let's retaliate and go after those hackers like, right, or whoever was funding them. The conversation was, how do we prevent this from happening again? It was never about going after and punishing the bad guy. It was -- because, you know, they're in another country. It's really hard to go after someone and get -- you know, they're never going to get extradited to us. So how do we secure ourselves? And the conversation kind of always kept coming back to let's just, you know, get better infrastructure security, get better vulnerability management, et cetera. I think what we ignore, you know, that -- because that dominated the conversation so much, you know, I think we would all be foolish to assume that the US was never or any of our allied nations weren't doing the same or didn't have credible intelligence in other networks. And I think, you know, the obvious example that I come back to is Stuxnet, where if you -- there's a whole documentary on it. They have very high-profile, you know military commanders in there, and every single one of them is I can't talk about that, that's classified. I can't talk about that. Right? So I think when we think about offensive operations traditionally on, I guess, for, you know, lack of a better word for like westernized nations, the conversation has always been, you know, let's use it very sparingly. And if it goes public, we deny all accountability and instead we will just pretend like we don't do that. When we obviously do. Whereas I think on the flip side with, you know, whether it be Chinese hackers, North Korean hackers, Russian hackers, et cetera, the conversations would be, you know, they're kind of more throw it at the wall and if it works, it works kind of thing. And they, you know, will obviously publicly always say, oh, we don't do that. We never do that. But everyone, you know, you can go online, look at the APT tracker and it shows you all their tracking efforts. Right? Like it's not like they're secretive here, really.

Dave Bittner: We will be right back after this message from our sponsor. [ Music ] Ben, I'm curious for your take on where we stand when it comes to international norms for these sorts of things. Right? I mean, we have rules of armed conflict. Right? There are rule -- we know what a war crime is. It seems to me, and correct me if I'm wrong, that the norms are a lot fuzzier in this realm, in the cyber realm.

Ben Yelin: Yeah, I think they are. I mean, at the very least, they are underdeveloped. There isn't any international treaty that governs cyber operations. I mean, you can take principles from other international law agreements if you're willing to take international law seriously, which a lot of people aren't.

Ethan Cook: I wonder why that is [laughter].

Ben Yelin: Yeah, I mean, there are a lot of people who like so and so should be in the Hague. And it's like, yeah, if international law actually existed. But, you know, you have things like principles in the UN Charter, non-intervention principles. You've had the Tallinn Manual, something from, you know, maybe five or six years ago, which was a, was it NATO who did the Tallinn Manual interpreting how international law might apply to cyber operations.

Dave Bittner: I think that's right, yeah.

Ben Yelin: You have some bilateral agreements. I think we came up with agreements, like small-scale agreements with China.

Ethan Cook: A couple of with China. Yeah. For IP theft.

Ben Yelin: Right. And that was a while ago, if my memory serves me well. But we don't have like the Geneva Convention for cyber actions. So there is certainly a vacuum there. But it would be nice if we could get together and come up with standard rules of engagement that, you know, democracies would follow and totalitarian countries would ignore. And we'd be back where we were in normal offensive operations.

Ethan Cook: Well, I think part of that comes from this, how fast everything is changing. Right? It's really hard to get -- I mean, let's think about any other, you know, subject matter. By getting bilateral or multinat- multilateral or international agreements is already an incredibly difficult process. And, you know, half of them are non-binding and don't really result in too much. But it takes a tremendous amount of diplomatic effort and it takes years sometimes to form these treaties and efforts. And by that point, everything has already changed in cyber. Right? You know, we've already -- I'll throw the buzzword AI out there. But it's changing so fast. How do you create an agreement regarding safeguarding AI because the terminology on AI is going to change, the capability on AI is going to change in a year. So how do we successfully predict that and control that? And I think part of this hesitancy for offensive efforts earlier felt always to me that it was we don't want to bind ourselves into what could happen or into anything because we don't know what tech is going to be. And I still think there's that hesitancy where it's like we don't really know where tech is going to be in a couple of years so I don't want to sign anything that's going to curb our own power or put us in a position where we can't use tools that someone else has not signed onto this agreement for, you know, handicap themselves on. So instead of doing that, I think the Trump administration is taking the approach, and not just the Trump but a large portion of the world is now taking this approach of, okay, if we're not going to come together as a community, as a group of nations and self-regulate on this, fine. I'm going to make sure that everyone understands that I'm increasing my own capabilities here, and if you try something, I'll throw it right back at you.

Ben Yelin: Right. It's saying to our adversaries, like, we are not going to unilaterally disarm by, you know, coming up with a NATO agreement, for example, on cyber operations, because that implies that the rest of the countries of the world don't have to follow it. And then we've put ourselves at a competitive disadvantage. So I think there's a lot to that. It's maintaining the credibility that not only are we willing to engage in these offensive cyber operations, but now because of our budgetary decisions, we have the resources to do it. And it's much easier in an era of artificial intelligence tools.

Dave Bittner: Ethan, to what degree do you think that these offensive cyber capabilities actually act as a deterrent?

Ethan Cook: Yeah, I'm of the mindset personally that it's not going to be a huge deterrent for two reasons. I think first, we've already touched upon this one, but we don't really know the scale or impact of these efforts. Right? It's really hard to deter someone when I -- like we can look at nuclear weapons and go, ah, yes, even in non-nuclear cases. Right? Let's take a non- or a non-nuclear bomb case. Let's take, you know, Chernobyl. Right? We can understand the -- I mean, the impacts of that set nuclear energy back decades. We're just starting to like maybe come around to it again. But the whole -- that whole incident was it was such a setback for nuclear because we saw the dramatic impacts that could happen not just to people but to entire ecosystems if nuclear energy was not controlled properly and not supervised properly. I don't think we have that. So it's really hard to conceptualize, not just on a -- I'm sure politicians and advanced cyber people can conceptualize. But the average American, the average person is not really going to sit there and go, ah, yeah, if I, you know, if they use this vulnerability, it can result in this, this, this, and this because they don't get it. So I don't think there's that inherent fear. And that's coupled also with a desensitization of cyber efforts. I think the other aspect of it is, and I said this earlier, but it's really hard to hold people accountable. Like we can say we think that this was a China -- affiliated to a Chinese state, a state sponsored hacker or, you know, North Korean. But how are we going to -- we're never going to bring these people to justice. They're never going to extradite them to us. So if we want to launch a bunch of operations into us, sure, but I don't really see it as -- at least I don't think that in my personal opinion that it would be a hit like to those nations, to hostile nations. I don't think they're going to look at that and go, wow, that's such a negative because North Korea uses their hacking efforts to gain money. Right? They're not using it to disrupt the West. You know, they're using ransomware and things like that to siphon funds off and things along those lines. And for let's say China, if they're trying to disrupt efforts, they're trying to disrupt Microsoft because there's a valuable play in terms of disrupting a Western infrastructure and that gives them a credible advantage maybe to execute on a mission-oriented thing. So I don't think a race to the bottom is really going to be a credible deterrence in this instance.

Dave Bittner: I guess one of the things that leaves me scratching my head is that there really hasn't been much effort to even go after the low-hanging fruit when it comes to norms with this sort of thing. For example, we will not go after hospitals. Right? Like it seems to me like in the course of diplomacy, the United States should be able to go to even our adversaries, let's say Russia, and say, hey, you got to tell your people to knock it off. You know, like, okay, we understand ransomware. Okay, great. But no, you don't hit hospitals. Right? You don't hit -- you don't take lives. Take money, but don't take lives. That is a step too far. And yet we don't even -- we can't accomplish that.

Ben Yelin: That's just a norm right now.

Ethan Cook: Yeah, we've accepted that as a reality.

Dave Bittner: Right.

Ben Yelin: Right. I guess my point is that might not always be the case, depending on the actions of our adversaries and the willingness of our governments to take risks to establish this massive deterrent. You know, I actually don't think it's in the character of Trump's foreign policy to do something like that.

Dave Bittner: No, but I mean, this goes way back. I think this is beyond certainly President Trump. [ Multiple Speakers ] Yeah, I mean -- yeah, exactly, Ethan, this goes back decades, and presidents before and after and in between President Trump have had the opportunity to go after this sort of thing. And for whatever reason, no one has chosen to or been successful in even setting these sort of baseline norms for cyber conflict, let's call it. I'll put that in air quotes. Right?

Ethan Cook: Yeah. I think part of it is, again, this -- I don't think nations really want to self-regulate on this. Right? I don't think anyone wants to sit there and handicap their own power. Right? You know, I'm a big believer in that no matter who's in charge of the White House, whether it's a Democrat or Republican, the State Department is always going to be conservative. Because they're never going to want to give away US power. Right? Why would we want to do that as a country, as a leadership from a leadership perspective? And I think that's part of it. There's just no interest in saying, okay, sure. Like it sounds really great on paper, and it would obviously go over great with people to say, let's not hit hospital. Let's not do that. And I think everyone would conceptually agree to that. But then I think you get into this kind of conversation of, okay, well, what happens if some country doesn't want to abide by that rule? How do we hit them back? Right? What is the response effort? And then you get into this kind of weird gray zone where it's like, well, they're doing it to us. We should be allowed to do it to them. And then it just kind of spirals in there and you kind of just ignore the conversation because you move on to other conversations.

Dave Bittner: Yeah, I guess, you know, I could come at this from two directions. One, we agree to not use chemical weapons. Right? And seems to me we pretty much stick to that. We agree not to torture people. Eh --

Ben Yelin: [Laughter] yeah, yeah, yeah. Right? So -- As Barack Obama said, we tortured some folks.

Ethan Cook: You know, we're just going to ignore that little prison we have off the coast of America.

Dave Bittner: So, you know, there are degrees to which we can agree to do things diplomatically and then abide by them or not. I don't know. It's just frustrating to me that -- to your point, Ethan, that the complete resistance to establishing any of these norms, I think out of selfish or for selfish reasons, is frustrating that we can't accomplish just basic -- things that would respect basic human rights. And that's where we are. And what will it take?

Ben Yelin: I mean, I also think like you have to look at the historical analog here and the international agreements that established the world order of the 1980s and the 1990s. It took a lot of time and a lot of panic hiding under our desks, Cuban missile crises, et cetera, before we realized like, all right, this game is getting really dangerous. I know both of us don't want to unilaterally disarm. But now that like we have enough nuclear weapons that we could achieve global annihilation of both of our countries, like now is a good time to talk about maybe cutting down on our medium-range weapon supply or whatever. So like maybe we have to get to a point where the threats are so credible and so acute and we at least have gotten a taste of what it would be like to see them deployed, that maybe that's when countries are more driven to engage in these types of international agreements. But again, that's just one historical example, but it's the most prominent one.

Ethan Cook: Well, I think, you know, it is a very prominent one. I think the SALT treaties were massive. Right? You know, I think that the disarmament that came with those are really important, and I think it is a relatively good comparison. I think one wrinkle that gets thrown into this is the diversity of powers at play here. Right? Like when we're talking about the disarmaments, it was really US and USSR. Right? There were obviously other people there, but it wasn't -- there were two big dogs at the table. Right? This is not the case anymore. You have -- the UK has incredible offensive cyber operations that they've been building for four years now, five years now. Right? The US obviously, USSR, China, the EU as a whole --

Ben Yelin: Israel.

Ethan Cook: Israel, et cetera. You have Iran, Saudi Arabia. Like all of these countries now have very real, very credible offensive cyber capabilities. And, you know, how do you get -- it was hard enough to get the US and the USSR to come to the table and say, okay, let's agree not to nuke ourselves. How do we get 20 plus, 30 plus countries together when we already have a forum through the UN, which does not work, and get them to come to the table and say, how do we do this? Whether it's by regional blocks. Whether we say, okay, let's get all the, you know, the East Asian countries and Southeast Asian countries together, let's get all the Mediterranean countries together, whatever it may be, or European countries, et cetera. But how do you get one? And it's just, I think that's where, you know, I kind of sit there. I'm curious to see how it plays out in the next several years because I don't know how we get so many diverse opinions in countries that have fundamentally different views on cyber to come together and agree to this standpoint.

Dave Bittner: I think we all when imagining this, well, for me anyway, the first thing that comes to mind is usually just turning out the lights, right, the power grid. And in my mind and for the people that I've talked to and interviewed about this, there are kind of two stages available for that. There's the turning out the lights, which is basically flicking the switches, right? Take down someone's grid, turn the lights off, but then they can go through the process of turning them back on, you know, and that may take a day. It may take a week, but it's mostly a nuisance. Then there's taking down the grid. Which is remotely damaging the equipment, and my understanding is that sort of thing could lead to power being out for months because we don't have -- the equipment that would be damaged we don't just have sitting on a shelf, right? You can't just bring one in on a truck and put in a new transformer and off you go. Like some of these things are one-offs. They're -- you know, they're big, they're hard to move, they're hard to make and so --

Ethan Cook: Expensive.

Dave Bittner: Expensive. Right. So there's kind of two different things there, right? And I don't think we've -- we've seen the lights being turned off, which happened to Ukraine before the war.

Ben Yelin: In 2022, yeah.

Dave Bittner: Right. But I don't think we've seen the damage that is threatened. And I wonder what the response would be, even if someone did a test run of something like that. It seems to me like that would make everybody sit up in their seats.

Ethan Cook: Yeah, and I think Ben talked about this in one of our previous deep dives where we talked about, I think, Ben, you talked about Maryland's budget being very stretched on a state perspective and what would happen if that, you know, the lights went not just off, but went down. And how would we recover from that? And, you know, that's kind of the backdrop of that conversation was while we're engaging in more offensive mindsets, we're actively now pulling support from the defensive side. And what does that leave us open and vulnerable to?

Dave Bittner: Yeah, that -- I mean, that's an interesting component, too, which is that it's not -- particularly with this administration, we're not just adding to our offensive capabilities. We're shifting funds away from our defensive capabilities, the millions that are being cut from CISA, the many people who are being let go or simply leaving, going to the private sector because the uncertainty in the federal sector is untenable for them right now.

Ethan Cook: We've always talked over the past two decades how we need more defense, we're still vulnerable, the US's critical infrastructure security is so far behind, et cetera. That feels like a common theme that has just been emerging more and more over recent years. And while we still have had attacks and breaches throughout that entire time, I think of prevailing feelings for me has always been, you know, man, that was a really bad incident, but it was only one this year or two this year or a couple this year when it could have been way worse or it could have been way higher scope or scale.

Ben Yelin: Right. Or it only affected this one sector. Like even if it was awful for the healthcare ecosystem, it was just the healthcare ecosystem.

Ethan Cook: Exactly.

Ben Yelin: Yeah.

Ethan Cook: And I think that my fear now with this pulling, and this isn't just like, oh, my personal feeling like this is coming from -- you know, the discourse that I've seen from people in CISA, people in security groups, et cetera, that it's, okay, if we're going to start pulling all this defensive support from the federal government and, you know, imply that states should be the ones handling this, what does that leave us vulnerable to now? Especially as we're seeming to starting to kick the hornet's nest a little bit and say, okay, yeah, we'll start throwing some stuff into your networks if you're going to throw stuff into our networks. But the difference is at least what I'm not seeing in Europe is they're not cutting support for defensive efforts. They're simply adding support for offensive efforts. Maybe I'm missing something, but that's just what I saw. But unlike that, in the US, there is an active push to remove defensive support. And I think that's a huge concern that I have.

 

Ben Yelin: Yeah. You know, I also don't know, like, how much of this is intentional to cut funding for CISA and how much of it is just like if you're doing broad-based federal spending cuts, which they have done, and you don't like CISA because the former head of CISA in 2020 said some things about the 2020 election that you didn't like. Like maybe those are the reasons CISA is getting cut and it's not an intentional let's cut down on our cyber defensive capabilities. So, like, I think at least we have to consider the fact that maybe it's just kind of incidental. Now the effect is the same. But, like, would I be that surprised next year if CISA funding was fully restored to pre-2025 levels? No. Like I don't think this is like a key presidential initiative or anything.

 

Dave Bittner: Ben, I'm curious, you know, I know you do a lot of work at the state level. What are the conversations that legislators are having at that level in terms of being concerned about these things?

 

Ben Yelin: Well, I mean, there's a limit just resource-wise on what states can do offensively. And basically echoing what Ethan said, like, states are kind of doing what the federal government had done for the past 20 years is trying to protect our critical infrastructure kind of sector by sector. So we saw bills enacted in Maryland for the Public Services Commission, which controls our utilities. We have cybersecurity regulations and bills for state and local agencies. That's passed. There were proposed bills dealing with the water system, another with the healthcare ecosystem. So it is sort of this sector-by-sector approach, not attacking the last problem necessarily. I don't think it's entirely reactive. I think in some ways it's admirably proactive, but it's not like, how are we as the state of Maryland going to fire back against North Korean hackers? I just don't think they're in the position to do something like that.

 

Dave Bittner: Yeah, so they're counting on the support of the -- the superior firepower of the federal agencies to provide a certain level of protection.

 

Ben Yelin: Right, and I think constitutionally that is the proper role for the federal government is, you know, provide for the common defense. When we think about military affairs, that clearly includes offensive operations.

 

Dave Bittner: Yeah. Let's wrap it up here. Where do we think we're headed here with these things? Ethan, based on what you've seen in your research, what's the future hold here?

 

Ethan Cook: Yeah, I think from a global perspective, I think we're going to see a lot more uncertainty, I guess the right word is for it, or maybe nervousness regarding cyber. I think this new approach that's kind of been developing but is really starting to form now that countries are starting to throw a lot of money behind it to pivot to more offensive mindsets is going to result in a very unpredictable future for the next decade, I'd say. As countries put more money into it, the effects start to materialize, operational goals are starting to achieve, and that may result in the ideal world that we talk about where, you know, everyone is kind of on this [inaudible 00:37:20] where it's just like, oh, we're not going to, we're all cool, we're just -- you know, everyone is holding the classic Western standoff, but no one is pulling the trigger.

 

Ben Yelin: Put my hands on the red button.

 

Ethan Cook: Exactly.

 

Ben Yelin: You know what we should do is just completely reenact the Cold War era. Have like a Cuban Missile Crisis and then, you know --

 

Ethan Cook: Let's hit DEFCON 1.

 

Ben Yelin: Nixon in China, like we can just, we can really run through all of the big hits.

 

Dave Bittner: How about the movie WarGames? Let's just do that.

 

Ethan Cook: Exactly [laughter].

 

Ben Yelin: I like that idea.

 

Ethan Cook: That seems like a good -- that seems good for my blood pressure. And so I think that that's going to be the global feel until we actually just start seeing what countries' actual tolerance is to throw this out. And that's going to be something that I think is going to vary region by region and country by country and not just with country to country, but within a country as new administrations across the world take over, new people come into power, et cetera. Within the US, I think that the pulling back of defensive support and as quickly as it is being proposed, if it goes through the way it is being proposed, will result in a generally more unsafe US. I don't think that deterrence while actively saying and publicly saying we are going to pull support for defense is a good idea. And I don't think states by and large are going to be able to have the time to pivot that they need to actually support their defensive efforts.

 

Dave Bittner: Ben, what do you think?

 

Ben Yelin: Yeah, you know, I agree with what Ethan said. I think this is a dangerous time to be cutting funding for our defensive efforts, although like I said, I'm not sure how permanent it is. But I also think the future is very unpredictable here. I'm kind of hesitant to prognosticate until we saw some type of catalyzing event where countries on a large scale are retaliating against one another in a way that has effects beyond just an individual sector or a county or a state. And I think until we get to that point, we're just kind of playing a dangerous game of chicken. But the moral of the story for a game of chicken is not that you should abandon your car. It's that, you know, you just need to be careful and understand the concept of mutually assured destruction.

 

Dave Bittner: Yeah. All right. Well, Ethan, thank you for your efforts in putting together this information for us. Definitely interesting stuff. Reminder that Ethan is the author of the "Caveat" newsletter, which you should absolutely check out. You can learn more about that on our website. And of course we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@N2K.com. [ Music ] And that is "Caveat" brought to you by N2K CyberWire. We would love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: I'm Ben Yelin.

 

Ethan Cook: And I'm Ethan Cook.

 

Dave Bittner: Thanks for listening. [ Music ]