
Is America Ready for a Full-Blown Cyberwar? with Nicole Perlroth, Michael Schmidt & Lt. Col. Vindman
Full Transcript
Hi, everyone. From New York Magazine and the Vox Media Podcast Network, this is On with Kara Swisher, and I'm Kara Swisher.
Today, I'm talking about cybersecurity, cyberattacks, and the potential for a full-blown cyberwar with Nicole Perlroth, Michael Schmidt, and Lieutenant Colonel Alexander Vindman. Nicole Perlroth spent a decade as the lead cybersecurity reporter at the New York Times before going inside the tent and joining the advisory board of the Cybersecurity and Infrastructure Security Agency and the Council on Foreign Relations Cyber Task Force.
She's a founding partner at Silver Buckshot Ventures and a producer and host of To Catch a Thief, a new podcast about China's rise to cyber dominance. Michael Schmidt is a Pulitzer Prize-winning investigative reporter for The New York Times and the author of the best-selling book Donald Trump v. The United States. He's also the executive producer and co-creator of the Netflix show Zero Day, a political thriller about a devastating cyber attack on the U.S.
Lieutenant Colonel Alexander Vindman is the former director of European affairs for the National Security Council. Vindman was a key witness during President Trump's first impeachment and testified about Trump's infamous phone call with President Zelensky of Ukraine.
He is a senior fellow at the Johns Hopkins Foreign Policy Institute and the author of The Folly of Realism: How the West Deceived Itself About Russia and Betrayed Ukraine.
So stick around. It's a panel of real experts here and on an important topic to me.
Nicole, Michael, and Alexander, thank you for coming on on.
Thanks for having me.
Thanks for having us.
Thanks for having us.
So I'm excited to have a panel with three smart people from different but related fields.
So let's start by setting the table.
I'd love each of you right now to say there's so many of them, but what's America's most worrisome cybersecurity vulnerability right now?
If there's a serious cyber attack or a series of attacks against the U.S. in the next three years, what will it look like? Nicole, why don't you start, and then Michael, then Alexander.
I think we got a glimpse of it with Colonial Pipeline, but if you remember, that was a ransomware attack by sort of this bumbling group of cyber criminals. And since then, what we've seen is China infiltrating pipeline networks, water networks, transportation networks, ports, grid.
And they're doing it in a way where all they're doing is getting in and just making sure that they can stay in for the event of some sort of geopolitical tensions. And so what we're really worried about right now is what we call the everything, everywhere, all at once cyber scenario, where you wouldn't just have one colonial pipeline, but you would maybe have five or 10 simultaneously, not just on gas, but on water networks.
So that's called the long game, essentially, the long game of being there just in case they need to do that. Michael?
I mean, the whole thing that I have about cyber attacks and sort of attacks in general is like, how would the country actually respond if something really horrific happened? If there was something catastrophic that really shut down communications or stuff like water or electricity, what would the response from the country look like? We all lived through the aftermath of 9-11.
We saw how the country responded to a horrific, catastrophic attack. It's hard to believe the country would be united simply just on fact of what happened, let alone on response.
And I'm a believer that if society doesn't have an understanding of what's going on around it, it's less likely to make the right decisions. So not a technical answer, but I think a larger thing about the threat that a threat really poses to this country.
That's an excellent answer. Alex?
Yeah, I think about it from the perspective of our adversaries.
They think about it in terms of information confrontation with cyber being a component of that bigger confrontation. And in the environment where the chances of an attack may be increasing, we're disarming.
And we are adding chaos to a potential response. I think in line with what Michael said, we don't have a predictable, reliable response from the federal government.
Potentially it's fractured and localized with different narratives about who the aggressive actor is. I mean, there's a reason to believe that if it was Russia, Trump would potentially downplay Russia as the threat actor and look for other different excuses.
Elon Musk was talking about, you know, Twitter coming down because of Ukraine, and that was a false flag. So I think that's part of what I see unfolding, disarmament in the midst of increasing threat environment.
Right. So essentially, long game, chaos, and we're not ready at the same time.
Or we're even worse than not ready, which is purposely incompetent, essentially.
So for the American public, the chances of cyber warfare actually affecting them can seem remote right now.
Narrative fiction, in fact, is possibly the most effective way to make people wake up to the threat.
So let's play a clip from Michael's Zero Day, which starts with a Wolf Blitzer cameo.
We've received reports not only of widespread outages impacting multiple regional power grids, but of computer systems that control transportation, communications, and other infrastructure completely hijacked, with safety warnings somehow overridden.
Early estimates suggest a significant but unknown number of casualties. As subway cars and commuter trains filled with passengers found themselves switched onto the same track, resulting in head-on collisions and mass injury.
So, Michael, this show was number one in English-language TV on Netflix earlier this month. Talk about reactions you've gotten from the viewers.
Did this switch on a light bulb for people? They see it more as a Robert De Niro going out with Connie Britton sci-fi thriller.
My hope is the former, but I'm probably going to say the latter.
I think the thing that that clip tries to show is something that as journalists, we really struggle with. And Nicole and I both covered cyber stuff together at the Times about this.
And when I started covering this stuff, I went to the Department of Homeland Security and I said, what would a cyber attack look like? This is like 10 years ago, 12 years ago. What would it be? Like, help me tell this story.
You had all these national security officials going up to Capitol Hill and saying there's going to be a cyber Pearl Harbor, cyber 9-11. But so I went to them and they had this like something that looked like it came from the 1950s and it had different light bulbs.
And they were, well, if this switch happens, this light bulb goes off, and if this... And I remember thinking at the time, man, um, this is a really hard story to tell people. You have people really sounding alarms about it, but even in text, I don't know how to bring this to life. And what the show allowed me and the other creators to do was to show you what this looks like in a way that no testimony from someone on Capitol Hill could give you. And sure, it's Hollywood, it's dramatized, but what it is is that it shows people, hey, this is what this could look like.
And it does it in a way that's accessible on a platform that millions and millions of people watch and in a forum where they can easily digest it. And for me, that was really exciting.
So, Nicole, you have a new documentary podcast called To Catch a Thief. It tells the story of how China used cyber attacks to steal our IP and also hack our critical infrastructure.
Now, the former has been going on for a very long time, as you know, but the critical infrastructure is a whole new part of it. We've referenced this a bit already, but does the cyber threat get enough attention in D.C.? President Trump created the Cybersecurity and Infrastructure Security Agency in his first term, but its funding and staffing are getting cut.
It's getting decimated. And you obviously fired the head of it, famously, because he said the elections were fine.
So who are the lawmakers and people in power right now who are making it as a priority? Because they seem busy with every other distraction known to man.
Yeah.
And I'm just going to back up and say, I did this podcast because I feel like, and really to Mike's point, we have failed at every institutional level to convey just how serious this threat is. And as we failed to convey it in media, you know, at the New York Times, I always said, we need 12 people covering cybersecurity.
I am one person. Mike was covering DHS, but there's a lot that goes on at DHS beyond cyber.
We need one person just covering what Russia is doing in our infrastructure every single day. We need someone that's covering what China is doing with the IP theft and now critical infrastructure attacks.
And we never did that. And so it was really hard to tell this story.
And I think there are some people in government who get it. And thank God cybersecurity is still a bipartisan issue.
We are losing support for this on the right because of exactly what you just said, because it became a political issue with the 2020 elections and Chris Krebs getting out there and calling it the most secure election in history, and Trump never forgave him for that.
Well, he fired him.
Right. So I think really where a lot of the back-channel lobbying going on right now is in making sure that this administration gets it.
Sean Plankey was just named as the new CISA director. By all accounts, he's a great guy and he gets it.
Inside NSA so far, a lot of the leadership is still there and they have a very...
This is a national security agency, just for people to...
That's right. The National Security Agency.
You know, of course, people on the Intelligence Committee still see this. Mark Warner is doing a lot on this topic.
But there's no longer someone I could say, this person in the Republican Party is being very loud and clear on cyber espionage.
And because? Because Trump?
Well, because everything is changing every 20 minutes.
You know, I would have said Marco Rubio really understands the threat of Russia on cyber and definitely China on cyber. But watching what happened in the White House, in the Oval Office a few weeks ago, I don't know who is holding the line on this anymore.
Alex, your new book, The Folly of Realism, shows how the U.S. has spent decades misunderstanding and mismanaging the Russia threat.
In case anyone missed it, the running theme here is that all three of you are trying to alert policymakers and the public to risks that haven't gotten enough attention, which is why I wanted to do this. First, read how the U.S. has responded to Russia's developing cyber program in the last decade, and what is happening now, I would say. And obviously, the Russia-Ukraine war is the first major conflict to involve large-scale cyber operations.
Now, more than three years after the full invasion of Ukraine, what have we learned about the role it's going to play? And, you know, if there's nobody there, as Nicole says, on the Republican side, and they're running the table, what happens?
You know, the book makes the point that we keep repeating the same mistakes of the past. We make the mistakes of catering to Russia's exceptionalism and buying into the hopes that we could do more with Russia or succumbing to fears that if we do too much with regards to Russia, that the relationship could break or spiral in a dangerous direction.
And we've done this repeatedly across six different administrations is the point I'm making. Same thing with regards to cyber, although we only really started paying attention to cyber over the last 25 years.
We are now in an era in which we are the most transactional. We don't understand any of the lessons of the past.
It's only what's immediately in front of us. So Trump, he's been in power.
He had four years in office. This is now really like month 60 or something like that of his presidential tenure.
But nothing beyond like last week or the week before, except for some key themes, Russia good, Ukraine bad, continue on. Everything else is highly transactional, immediately what's in front of him.
So we're looking at a reset here coming between a conversation between Russia and the United States, Putin and Trump, in which, you know, we could pivot further down the road of accommodating Russia, throwing out the playbook on the fact that we need to be hardening ourselves against Russian cyber attacks. We've already kind of unilaterally disarmed on offensive cyber, or it's hard to believe, you know, Trump is going to learn his lesson anytime soon, but eventually we get to the point where Trump is provoked and is made to look weak and might respond aggressively.
So those cyber threats to Ukraine have increased. Obviously, that's how they began softening up the country, right? That was their first move.
Sure. And I think the fact is that nobody really knows the Russians better than the Ukrainians, and the Ukrainians are looking and constantly playing in the Russians' backyard in a very, very sophisticated manner. They may not have all the tools we have, but they certainly understand the Russians.
And the Russians have been attempting to exploit vulnerabilities, not entirely successfully with regards to Ukraine. Actually, Ukraine has been very effective at parrying a lot of these attacks on Ukrainian critical infrastructure.
That's why you see hard power. You see, you know, missile strikes to do the work that they thought that they might be able to achieve.
It could do through cyber. Yeah.
So, but there are, that's, Ukraine is a bit of a hard target. There are soft targets all around Ukraine for the Russians to exploit, either with hard power or in the cyber domain, that the Russians are aware of and are becoming increasingly comfortable with attacking.
So let's talk about where the cyber threats are coming from domestic groups a little bit. I'm not going to give away your whole plot, Michael, but there's also domestic threats throughout your series.
What domestic threats concern you most as America's politics become more and more fraught? Because that's a topic here.
You know, I defer to Nicole on like the specifics on sort of like who has what capabilities and such.
But what we're trying to sort of show and raise in the show is the idea that these tools can be stolen, even they don't have to be created outside of the government, they can be stolen from the government. And whether that is a state actor, or that is, you know, someone sitting in their basement, you know, not to simplify it, but that the threat of this is everywhere. And it's not just Russia.
It's not just state-sponsored folks. And, you know, Nicole understands it better than I do.
But what we're trying to say is that this is something that can rear its head from anyone in any different ways. And in a time in which things are so fraught and so divisive, you know, what does that mean for people that can get their hands on things like this?
So, Nicole, your whole book was about this, obviously, using U.S. government-created technology and then spread all around the world by lots of people. So, talk a little bit about what's happening, because AI is another element here.
It can lower the barrier to entry for hackers. AI-enabled military systems are vulnerable in the way traditional systems aren't.
AI-powered cybersecurity tools can also be very powerful in the end. Talk about that impact and non-state actors in exploiting all this technology.
Well, you know, it really is the perfect weapon, which is the name of another of our colleagues' book, David Sanger's book, because all of these tools can be developed, reverse engineered, fired back on their maker. Yes, the U.S. bears some responsibility for launching probably the most sophisticated cyber weapon of them all, Stuxnet, with Israel on Iran's nuclear facility way back when. And that has opened Pandora's box.
And right now, we are seeing a whole well-oiled economy of ransomware in particular, where anyone can pick up these tools. They don't even need to have any technical savvy.
They can pick up these tools, rent them, and fire them on anyone. And we've seen American teenagers, Canadian teenagers arrested in some of these hacks.
And the barrier to entry only gets lower every day because we've all somewhat come to realize what a Chinese phishing email would look like. But now with AI, it's really hard.
But let me just say something, you know, on Ukraine. Ukraine's defense is really the deterrence on Taiwan.
You know, China has been watching very carefully how Vladimir Putin's invasion has gone. And they've watched what we've done with our support, with sanctions, with funding, with weapons.
And now they're watching what we're doing on dithering on that support, on trying to make a deal on minerals, et cetera. And they're taking the lessons to heart.
One thing I just want to say on what we've been witnessing with China creeping into our water networks and our pipelines is that this is, to Alex and Mike's earlier point, really, I think about it as a psychological weapon.
You know, we have incredible appetite in both parties still, maybe it's waning, to support Taiwan in the event of some larger military conflict. But what appetite will Americans have to support an island 7,000 miles away if we can't get gas for more than three days, or we can't get clean water, or our water is contaminated? And really, the goal with some of these weapons is to basically win a war without firing a single bullet.
And one of the things that makes cyber this perfect weapon is we wouldn't immediately know whether this is a Chinese cyber attack or a Russian cyber attack or a ransomware attack. There are a whole host of possibilities for false flags, which we saw last week with Elon Musk accusing Ukraine of hacking Twitter.
And I haven't followed that to its logical conclusion. But if it's coming directly from Ukrainian IP addresses, then you probably can be 100% sure that it's not Ukraine.
Yeah, right. So we'll come back to Taiwan, but first let's get to the foreign hacking gangs, which I think probably did something like this.
For example, the Russian-speaking cyber gang called, I think it's ALPHV BlackCat, hacked Change Healthcare, the subsidiary of UnitedHealthcare that processed 40% of all healthcare claims and caused chaos for providers and patients.
A lot of this stuff is not as well known because they try to keep it quiet, obviously. A few weeks ago, North Korean hackers known as the Lazarus Group stole $1.5 billion in crypto.
Alex, talk about the relation between criminal gangs and foreign adversaries like Russia, North Korea, Iran, and China. Generally speaking, they do have the tacit permission of these governments to hit American targets.
It's more than tacit.
In a lot of ways, they're extensions. It's well documented that the Russians have used Russian organized crime to do some of their dirty work, whether that's to channel hard currency or just muck around, mischief make.
Think about it from this way. When the Russians want their lawfully detained folks back, there have been a number of folks that have been cyber actors that were acting on behalf of the Russian government.
It wasn't because they were benign looking to repatriate their folks. It's because these were actors that were serving the Russian Federation.
Yeah, exactly.
So they're on a string. They have some latitude to engage in their own criminal activity just to enrich themselves. But they are also oftentimes employed as part of the government apparatus.
Same thing in Ukraine.
We'll be back in a minute.
So, Nicole, in your podcast, To Catch a Thief, you quote Rob Joyce, the NSA's former director of cybersecurity. He says, Russia is like a hurricane, but China is like climate change, right? Can you talk a little bit about that? What is our offensive against them? And walk us through their long-term cyber strategy and defense for their endgame.
Yeah, I would say, you know, with China, they've been coming at us for a long time. They've been coming for our intellectual property.
In some cases, we're only just beginning to see how that has manifested. You know, we don't talk about Nortel anymore, but it disappeared long ago and Huawei stole all of its business.
And they've replicated that model across many different industries, solar panels, now electric vehicles, electric vehicle batteries, genetically modified seeds, over and over again, wherever you look now. There is a hacking story that no one ever connected the dots back to this company's bankruptcy, but that is what's happening.
And then they've added this critical infrastructure piece. And what's gnawing at me and why I did this whole podcast is that this is a very different actor from the one that I was covering at the New York Times 15 years ago.
You know, when China was hacking the New York Times, they phished us. We didn't update our software.
They took advantage of that. They weren't a very sophisticated actor.
But these days, there's no doubt in my mind that they have reached apex predator status. They are on par with what the US capabilities are.
They have found a way to really utilize their authoritarianism to their advantage. You know, if you are a hacker in China, and you are an elite hacker, you have been identified very early on in your student life, you are on a track.
Maybe you work at a private company. Maybe you work at Tencent.
Maybe you are a founder. Whatever you are, if you have these skills, you are now a gunslinger for the CCP.
They can tap you on the shoulder at any time and bring you into these operations. And some of their best people do not work inside the PLA anymore, or even inside the Ministry of State Security.
They work through this loose satellite network of contractors, which makes attribution that much more difficult. And what have they done with this entire apparatus that they have built? They've infiltrated our telecommunication networks, the threat we call Salt Typhoon.
They are inside our biggest telecommunication companies. We have not been able to get them out.
And frankly, we probably never will. And now they are in our water and transport and pipeline and grid networks as well.
So it's not a good situation. And now in terms of what our capabilities are, I do think we've entered this new era of mutually assured digital destruction.
And I was actually very concerned when Putin invaded Ukraine, when we started escalating how much we were willing to support Ukraine with weapons and funding, that Russia didn't do more here, right? That they didn't actually utilize the access they already have in too many cases to our pipeline networks and other critical infrastructure. And you would have to be a fly on Vladimir Putin's wall to understand why they didn't take advantage of that access.
But I think it probably comes down to the fact that they know we are in their systems too. This idea that we're in their grid, we're in their pipeline networks as well.
Now, one point that often gets overlooked when we talk about this is that actually Cyber Command, which does these operations and NSA, et cetera, is limited by law from hacking certain civilian systems that could lead to mass casualties. So we actually have laws that prevent how much we can infiltrate our adversary's infrastructure.
There are no laws like that in Russia and China. So it's not necessarily an even playing field.
So I saw you smile, Alex, about Russia's a hurricane. Can you talk a little bit about that? And also, we've talked about Russian cyber operations in Ukraine.
You mentioned Ukraine is successful repelling many attacks, which means they're not as good, right? If they're having trouble with Ukraine, they'll definitely have trouble with the U.S. So does it give the U.S. any lessons in how to fight back? Because I suspect we're pretty good at fighting off Russia at this point, or maybe not. But talk about this idea of Russia as a hurricane.
I think the fact is that it's a microcosm of the bigger deterrence that we've achieved with regards to Russia. They understand that they do not want to provoke a direct confrontation.
Now, they'll dance around it. They'll issue threats, nuclear threats.
They've got this doctrine called reflexive control that they've really tested over decades. They understand what happens when they threaten a nuclear escalation or an exercise.
We go to the darkest place. We go to the consequence, a nuclear war, without understanding the probability.
But with regards to lower threats, they believe that there might be an escalation, a direct confrontation that could start us on an escalatory spiral. They have no interest in doing that.
They're concerned about a direct confrontation with the West. They do believe that we're in a lot of ways schizophrenic, but we're 10 feet tall and we have lots of capabilities that we can employ, conventional, cyber, and... And I think they just are generally deterred by happy to make noise, but directly attacking the United States.
That's a different kind of bar.
Different kind of bar, yeah.
Yeah. So at the end of the day, I think focus should be on China, as you all pointed out.
It seems like the Chinese attempt, though, at reunification with Taiwan is one of the most likely events that could kick off a full-fledged not just cyber war, but other wars. What are the, each of you, what are the chances that China invades Taiwan in the next five years? And if it does, we'll be able to defend against accompanying Chinese cyber attacks that will come probably before.
Let's hear from each of you, Nicole first, then Michael, then Alex.
I don't think it's inevitable, but why are they hacking into our water networks? Why are they hacking into these targets that have no espionage value whatsoever? The only reason you would go there is if you were looking to shut them down one day.
And the thinking is that this is all pre-positioning for an eventual invasion of Taiwan. Now, Xi Jinping has basically made this part of his strategy, and he's talked a lot about reunification being inevitable.
And I think he will see his success, his legacy, resting on whether Taiwan is quote unquote reunified, right? So the thinking is that in the next decade, we might see China take action on this. Do I think it's going to happen in the next two to three years? No.
We've seen people like Milley come out and say that they think China would be ready to launch their attack by 2027. I don't think that means that they're going to actually launch that attack in 2027.
I think five years, maybe in the decade, likely, I think the thinking is that they think this is somehow going to happen automatically, that Taiwan will just sort of acquiesce and stop being what they see as this renegade province. But we know that that is not how Taiwan sees things.
And I do think cyber is going to be a big determinant of what happens here.
You know, when you look at just TSMC, right, they're not going to bomb Taiwan Semiconductor. The thinking there is that to take it, they would hold it hostage with some kind of cyber attacks until they would basically hand over the keys.
Michael?
Look, I don't know how to, it's hard to predict the future. I guess what I would say is that the thing that concerns me the most is that we seem to be in an increasingly sort of fragile position where any sort of signal or any sort of miscommunication can set something off.
And the more and more that, you know, Trump increases the pressure on our foreign adversaries, whether that's through something as simple as tariffs or through his rhetoric. I just think that you're in a situation where something is more likely to be misconstrued.
There's a ton of rhetoric, for example, going on right now between the administration and Canada, right? Trump is saying all these things about Canada that are outside the norms of what politicians have said about Canada for decades, if not longer. And in that type of situation, you wonder if there is some sort of issue at the border or if there is some sort of miscommunication, what will the response be? Right.
So Alex, obviously Russia has paved the way for this with Ukraine, although some people say the situation in Ukraine has been a deterrent for China to move in there, even if they may engage in cyber attacks. Is that something they're looking at, what's happened in Ukraine, from your perspective? They're carefully looking at it.
And I think there was a significant level of deterrence based on the consolidated response of the democratic world, imposing costs, Russia failing to achieve its military objectives that looks like it's eroding, you know, three years on under the Trump administration. I think what Xi might be considering here is two different things.
I think there was a lot of rhetoric about the decadence and decline of the West, but the reality is that the economy in China was slowing down and maybe there was a diminished closing window of opportunity where China felt strong enough to take action. That 2027 mark could have been important in that regard.
But things have changed in a significant, look like they might change in a significant way in that the Trump administration is breaking our alliances. And that's not just in Europe with NATO.
Frankly, we're unreliable to our Indo-Pacific allies. The Japanese and the South Koreans are thinking that they need to be much more working, much more tightly together.
Same thing with Australians.
And in that kind of environment, you know, watching things unfold over the next several years as they build up capabilities, there's a decision point somewhere in that last year, whether the window is closing or it's likely to expand over the course of the subsequent decade or so.
So I don't think we're, you know, in the next year or two, we're there. I think in the waning days of the Trump administration, if there's a deal to be had, that might be an opportunity, a narrow opportunity for the Chinese, or it could be in the aftermath.
So it's, I'd say short to medium term might be okay. But in the medium to long term, things could get dangerous for Taiwan in particular.
And the noise coming out of the administration, I'm not sure how many people caught Albert Colby's testimony. He's an uber China hawk for undersecretary defense.
He basically said, the game is not about securing Taiwan. It's about preventing Chinese dominance in the Indo-Pacific, which is a huge turn for him.
And that, you know, that is an interesting signal aligning closer with the Trump administration and not putting all our eggs on securing Taiwan. Right.
Yeah, that's interesting. So I want to shift gears then to talk about how Trump and Doge are affecting America's ability to defend itself from cyber attacks.
The National Security Agency houses the U.S. Cyber Command, and this month Elon Musk met with the head of NSA for a conversation that was reportedly centered on staff reductions and operations.
Doge already spearheaded cuts at CISA. Nicole, talk us through these cuts and any future reductions in staffing affect overall preparedness, even if the leadership of those agencies get it, as you said earlier.
Just for people who don't understand, it's not just cuts at CISA. There are cybersecurity agencies across the federal government that work on securing specific agency systems.
And so when their jobs get cut, it further degrades cyber capabilities, although the White House recently emailed agencies telling to avoid laying off cybersecurity staffers. So they seem to have some understanding that it's a problem.
And then Michael, I'll have a follow-up question for you on this. But talk about these Doge cuts, because you wrote me right away when they started, like, oh, no.
Yeah. I mean, we have a crazy cyber workforce shortage in this country.
Already. And where that becomes most critical is on cyber defense inside government.
And so I have spent a lot of effort over the past four years trying to figure out what would it take to get our best and brightest at some of these private security firms, people who work in security at Google, Microsoft, etc., to do a tour of duty inside government. And it's really difficult, right? They all have stock.
They don't want to give up. They don't want to go work in a bureaucracy.
They're getting paid really well to work at these companies. And they see the most interesting threat data because in many cases, China comes first for Microsoft, as they did in 2023 or Google.
So it takes a lot to get these people inside government. And what's really disturbing is to see how viciously we've been firing them.
We need those people at CISA. We've never needed them more desperately inside government in these roles.
And so it's become a real national security threat, some of these Doge cuts. And yes, there have been these sort of memos sent out saying, you know, refrain from cutting cyber people.
Well, it's too late. You know, these people who've been fired, they're not going to come crawling back to take these jobs.
They have many other options. And so that's a big problem.
Now, you know, on some of this reporting that Cyber Command has been told to stand down on some of its offensive planning operations around Russia, when I first read that, to be honest with you, I almost went and threw up. You know, this is, like I said, we are in a mutually assured digital destruction.
We have to keep up the pressure. We have to keep up what they call active defense or forward defense.
Otherwise, we're really screwed here. Now, I have heard in talking to people who are in the know that actually this isn't what it sounds like, that actually, you know, as part of any negotiation with a foreign actor, it is standard practice to basically stand down on some of these operations as we are trying to come up with a deal on Ukraine. And so this might be more standard operating procedure than it is Trump telling the people to basically stand down on any kind of offensive cyber planning or operations.
And let's hope that's all it is. Let's hope.
Well, we'll see.
We'll be back in a minute. So aside from cuts, Doge itself is gaining access to government databases with extremely sensitive information.
They seem to be violating protocols and regulations while they're doing it. Michael, talk about that risk that it poses.
Because this is, I mean, they seem to do one every day, largely probably out of ignorance. Who knows what they're taking? Some of these people have sketchy backgrounds themselves and love a good secret.
You know, I know these types. Talk a little bit about the worries you have here.
I think it's an interesting political calculation by Trump, and I'm not saying that that much thought went into it, but I understand that part of his desire is to, and Musk's desire, at least what they say, is to remake the federal government. But in the process, it certainly looks like they're destroying parts of it.
And maybe in the end, that results in better government. I'm open-minded to that.
But in the short term, I think that's a big political risk because it looks like they're doing it in a haphazard way. And it doesn't look like the Republicans on Capitol Hill have any interest in trying to understand that or to hold them accountable for that.
And that's, I think, another thing in the whole thing is that they're going about it in a way that looks haphazard. And if something were to go wrong, tying the lines directly back to them that the media or the Democrats would do looks like it would be pretty easy.
So I do think that is a big political risk. But look, I mean, Trump often proves us wrong.
Yeah, let me just jump in real quick. Yeah, you know, I think actually, the security blogger, Brian Krebs has done a great job covering some of this.
And he's called it, you know, the great national hack. And that is really what it is.
I mean, you have to think back to there was a Chinese hack on the Office of Personnel Management, OPM, right, about 10 years ago.
And it was a huge counterintelligence win for China. They basically got into the system.
They could see everyone who ever applied for a security clearance. And then they baked in machine learning and AI so that they can do these pairings.
So anytime there is an American person who once applied for a security clearance traveling repeatedly to the same place as a Chinese citizen, well, now that Chinese citizen is put on a list of suspected CIA informants, and you start to see how you could break down our entire intelligence apparatus that way in China, and that's what they've been doing. And so now what you have is you have Doge sending in 19-year-olds, 21-year-olds with their own little, you know, Rube Goldberg server, plugging it in and basically like doing whatever they want at these agencies.
There is no way that these people have not been identified and compromised on some level and that foreign actors and sophisticated nation states are taking advantage of this. And we have to look at it in that way.
And I'm surprised that there are not people inside this administration who aren't sounding alarms over this. It really is a very real security risk.
How many big balls jokes do we have to tell before we realize this guy's a creepy, creepy? You know he's making copies of everything. I'm like sitting there like he's amazed.
And it's on a hard drive that he hands to his mother or something. Anyway, I know, right? Right.
Now, you know how sloppy. One of the great lies in Silicon Valley is how precise they are.
They're not precise in any way. They're actually quite sloppy, and then they're venal at the same time.
So, Alex, I have to ask about Elon's attacks against you. He has posted on X that you're a traitor, a puppet, a puppeteer.
You've committed treason. Now, I've been attacked by Elon for a long time now, and it's pretty vicious.
He said, my heart is seething with hate, which it isn't. But I'd like you to talk about that just briefly.
And as Nicole already mentioned, we're not sure if Pete Hegseth has halted Pentagon cyber operations against Russia earlier this month, which was denied by the DOD. Is that Elon too, or what is happening there? Sure.
So I think it's a little bit of smoke and mirrors, kind of this idea that we're going to halt offensive cyber operations. It sounds good that we're in the midst of sensitive negotiations.
That's actually not necessarily the way it plays out. We are just much more, this is a knee-jerk reaction from an administration that is filled not with the practitioners that had the first go around, that would be a little bit more surgical and methodical, probably be continue operations, maybe do some sort of reviews, maybe an extra layer of caution around things that could derail the kinds of negotiations that they're undertaking.
But I think that's an afterthought because there was blowback on this idea of halting defense. It just doesn't ring true.
We conduct all sorts of different operations against adversaries. This is one in which there is constant attacks against our allies, against NATO, and to halt all operations.
That's not the way it works.
The other thing is, I don't understand how Elon is a successful businessman. I just don't.
I don't understand. What he's doing with Doge is, I see it as just completely destructive.
There's no element of efficiency unless you're just literally working on chipping away at the bottom line to return dollars to the federal budget. Because it's usually, you know, largely starts with probationary employees across the board, regardless of what kind of sensitive jobs that they're doing at NNSA or CIS or any other place.
So it is not in any way bringing around efficiency. I don't understand taking down the Wilson Center and the Kennan Institute that studies Russia, how that works, Voice of America, our ability to compete in the information domain around the world, how that's helping. These are not steps towards efficiency. This is potentially taking a hatchet to the way that the U.S. employs both hard power and soft power.
With regards to me specifically, you know, I guess I, my wife says I tend to piss people off, right? So, you know, I guess I pissed off the most powerful man in the world and the richest man in the world at various points. I don't really take these folks all that seriously at the moment.
There are obviously lots of nefarious actors that have been brought into this administration. I'm mindful, and I don't think I'm at the top of that list.
You might be more, you could be higher on that list than I am, Kara. I don't care.
If they want to pick this fight, I've got nothing to hide, I would make it ugly for them. I mean, just think about the congressional testimony.
They came at me on my area of expertise that really, in a lot of ways, I'm kind of untouchable on. If they want to pick this fight, it's probably going to get ugly.
So last two quick questions. Trump administration is reportedly looking into a deal to let Oracle run TikTok.
Obviously, this is something I thought they would go with because they already were with Oracle and Project Texas. J.D.
Vance and Mike Waltz are leading Texas Project 2, I guess, what they're trying to figure out. But there's virtually no way to ensure the Chinese government doesn't have backdoor access to American user data on TikTok unless they completely don't bring the algorithm over.
Nicole, you said you would never download the app and deserved urgency with which it was treated. Obviously, Congress voted to ban it.
So that's what they wanted to do, whether you agree with that or not. I'd love you to talk about, very briefly, about TikTok.
And do you think it's as big a deal? And what do you imagine is going to happen to it? Yeah, it turns out they're China hawks who happen to love TikTok. You know, I wish that the White House, and this is across administrations, would declassify the security risks that they have seen around TikTok.
It is not effective to go out there and say Huawei is a national security threat if you use Huawei when it's so much cheaper than the competition, or to say the same about TikTok, when honestly, it's more fun than any of the other social apps I've used. I finally downloaded it, and then I quickly undownloaded it.
On your phone? On my phone, yeah. I'm going into the election.
I know, I know. You need the fake phone like Kara Swisher.
It's not on there anymore. I told you this five years ago, Nicole.
But let me just say this. You know, I have heard stories, too many stories now, about people who are in sensitive positions inside government whose wives and kids have been hacked potentially through their access to TikTok.
Okay, so it is a very real security risk.
Now, will it be less of a security risk if it is owned and operated by a U.S. company? Yes, potentially. But, you know, what I really worried about with TikTok was more on the misinformation front that they would tweak the algorithm.
So, yeah, one day, you know, China invades Taiwan and oh, there are college protests supporting it. And we have no idea how that happened.
And there had just been a subtle tweak of the algorithm to basically serve up, you know, pro PRC content. But I also worry about the backdoor issue.
And I don't know, it's a big question mark. I think a lot about my old college buddy, Mike Gallagher, who headed up the China Committee and is now outside of government.
He's probably crying inside. Yeah.
He spent so much effort on TikTok. And now to sort of watch people in his own party say, never mind, we're actually okay with this and we're going to save it, probably has to hurt a little bit.
It does. I don't know.
I can tell you it does. I can tell you it does.
Also, that J.D. Vance, the world's most unsuccessful tech venture capitalist, is running the process really makes me feel good.
I'm sure we'll get a great deal. Anyway, last question.
Zero Day raises the question of national security versus civil liberties in the face of a cyber attack. But what would happen to U.S.
civil liberties if there's a serious cyber attack while Trump is president? All three of you.
But I think that if there were to be an attack, that the response of the country as a saying would be incredibly unpredictable and what Trump would do would be unpredictable.
And it seems like a lot of classical issues in the post-9-11 world, like civil liberties, sort of got lost in the Trump era. That was a big debate during the war on terror, like, you know, what does civil liberties mean and such.
But when Trump, you know, rose to power, and then even when he was out of power and back, those classical arguments sort of went by the wayside. So in the sense of the show, it was a way of raising that issue and saying, OK, what about the good old question of civil liberties and what would that mean? And if there was an attack, would the government seize power? And I think if we've seen anything based on Trump, Trump's basically willing to do anything here in this second term.
And the people who would say no to him are no longer in the room. Right.
So worse, worse than was already portrayed fictionally. Nicole? So, and I apologize, because this is a little bit of a technical answer, but it's as technical as I'll go.
You know, how is China infiltrating our infrastructure? They are using our civil liberty protections against us. They've actually hacked a lot of these systems by hacking home routers and home office routers that have stopped getting patches and we call that legacy software, right? And then they hack into these systems through like someone's house in Indianapolis, so that when you're the water operator, water treatment plant operator, you see this little traffic coming from some house down the street in Indianapolis, you don't think twice about it.
You would never suspect it's a Chinese state-sponsored hacker. And so we are really not set up well to be resilient against these threats because our adversaries have figured out that our Fourth Amendment protections are actually very exploitable.
And so if there were to be some kind of full-scale conflict where we would see this everything everywhere all at once cyber attack scenario play out, it's an interesting question. How do we defend ourselves when so much of this is coming in through American homes where the NSA and other agencies just don't have visibility? You know, we really are handcuffed when it comes to cyber defense.
And I don't know how those would play out, but, you know, the Fourth Amendment is still the Fourth Amendment. And, you know, for now, it's still holding.
And so that is actually why it is really disturbing that we are seeing these reports of Cyber Command and other agencies being told to stand down on our own preoperational planning. Because all we really have in the United States when we're blind to our own domestic traffic is the ability to hack these systems back overseas and to basically create pain for any adversary that would choose to create pain here.
Alex, why don't you finish up? I think for me, it's pretty simple. I see autocrats seeing opportunity in crisis and chaos.
So I think that that's just an opportunity for power grab. I started watching Zero Day and basically very quickly you see the legislative branch ceding authorities. I'm not sure what other authorities can be ceded to this president. I mean, he already has immunity for all official acts. But I think there's just enormous, enormous opportunity depending on where it lands in the timeline.
That could mean delayed elections if it happens to land in 2026. It could mean, you know, if there is chaos and looting, that's an opportunity.
That's actually the perfect time to do a cyber attack would be right before the election. So no ideas.
Sorry, I shouldn't have said that. But I think in a moment where you're seeing civil unrest as a result of services collapsing, you could see martial law and suspension of posse comitatus or something of that nature.
So a lot of dangers in that kind of crisis. Okay.
Well, just watch Zero Days because it gets better in the legislative. You'll see what they do.
You'll see, right, what happens. They're a little, they've got a little more fire than you think they do, but not maybe in a good way.
We'll see. You should all watch it.
And everybody, please watch and read all these people. As I said, Alex's new book is called The Folly of Realism, and Nicole's new documentary podcast is called To Catch a Thief.
I recommend all of them, and I really appreciate you all, even though the topic is dire. Thank you.
On with Kara Swisher is produced by Christian Castro-Russell, Kateri Yoakum, Dave Shaw, Megan Burney, Megan Kunane, and Kaylin Lynch. Nishat Kerwa is Vox Media's executive producer of audio.
Special thanks to Maura Fox. Our engineers are Rick Kwan and Fernando Arruda, and our theme music is by Trackademics.
If you're already following the show, you have reached apex predator status. If not, watch out for your teenager as a security risk.
Go wherever you listen to podcasts, search for On With Kara Swisher, and hit follow. Thanks for listening to On With Kara Swisher from New York Magazine, the Vox Media Podcast Network, and us.
We'll be back on Monday with more.