BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange

March 27, 2025 1h 8m
For this special live recording of To Catch a Thief at The New York Stock Exchange, host and former lead cybersecurity and digital espionage reporter for The New York Times, Nicole Perlroth sits down with those who have been directly targeted by, traced, or directly engaged China’s state-sponsored hackers, diplomatically, or in the cyber domain: Pulitzer Prize winning journalist David Barboza, the National Security Agency’s former Cybersecurity Director Rob Joyce, former Cybersecurity and Infrastructure Security Agency Director Jen Easterly, Jim Lewis, of the Center for Strategic and International Studies and Rubrik CEO Bipul Sinha. They discuss how the Chinese hacking threat has morphed from corporate espionage to insidious attacks on infrastructure, the strategic leverage China hopes to gain with these hacks, how Xi Jinping views Trump 2.0, and what levers the United States can still pull to salvage what’s left of its cyber defense.

Full Transcript

I am very honored to introduce our very first Chief Cyber Raconteur, Nicole Perlroth. Nicole, take it away.
Hi, everyone. Well, welcome to a special live episode of To Catch a Thief.
And just to set the stage for the people who are not in this room, we are sitting here at the New York Stock Exchange today, surrounded by an audience of CTOs, CIOs, CISOs. These are the people who control the flow of information inside and outside some of our most vibrant American corporations and beyond.
And it's an honor to be here with you today. And before I get to introducing the very special people I have on stage, just a few words about this podcast.
Why did we do this on Chinese cyber espionage? This would have been a project that would have been unheard of 15 years ago, back when McAfee was picking up the pieces of some of the big Chinese cyber espionage campaigns like Night Dragon and Shady Rat. They were not even allowed to say the word China as part of their attribution.
It was a very sensitive thing at the time. Here we are 15 years later, and we have a whole podcast series about Chinese cyber espionage.
The reason I felt that it was critical we do this on Chinese cyber espionage is because this is the threat that in some ways I lived and breathed at the New York Times, but it's the threat that has been gnawing at me ever since I left the New York Times. Because I feel that I failed and that media failed and business failed and in some ways government failed to really connect the dots for the people on this particular threat.
We never went back to Nortel, for instance, when it went bankrupt. And, you know, when they wrote all these bankruptcy stories, no one ever mentioned, well, actually the company was hacked by China several years ago.
Huawei owns all that IP. They've been subsidizing it, rolling it into global markets, and now Nortel is gone.
And we never did that with solar companies. We never did it with turbine makers.
We never did it with electric vehicles now. China is now the biggest manufacturer of electric vehicles.
It's no longer Tesla as of 2023. We never did it with electric vehicle batteries.
We never did it with home routers. Now it's Chinese companies that own the U.S. home router market, as Rob actually testified to Congress the other day. These are routers that have been used in attacks on American critical infrastructure.
In fact, just today I went on Amazon and looked up a TP-Link home router. It is Amazon's number one overall pick, and they own something like 60% market share of U.S. home routers. And these home routers have been used to funnel attacks into America's critical infrastructure.

It's not a hypothetical threat.

It's a real threat.

And all of this has been going on kind of right under our noses.

But we've never really connected the dots.

So really the magic of this episode, of tonight, of where we are, is that sitting next to me are the people who are the dots, and we are about to connect them.
On my left here is my former colleague, David Barboza, who will always be a colleague in my heart. David was the Shanghai Bureau Chief for the New York Times.
He is the reason that we were actually hacked at the New York Times. His coverage was that good.
It earned him a Pulitzer, but it also earned him the wrath of the CCP. And I wrote that story for the New York Times.
We actually have our former CTO, Rajiv, in the audience today. So we remember that very well.
And I remember when the hack first happened, we thought they were there to maybe shut us down. But very quickly, it became clear, nope, they were there for David, and more specifically, David's sources.
These days, David is the co-founder of The Wire China, which is doing some fantastic data journalism and news journalism, traditional journalism on China. So it's an honor to have you here today.
To his left is Rob Joyce. Until very recently, Rob Joyce was head of cybersecurity at NSA.
He served at the agency for something like 34 years, right? And had a very storied career there, including leading the Tailored Access Operations Unit at NSA, which is the agency that conducts hacking on behalf of our foreign intelligence collection program. So he knows better than anyone what the Chinese capabilities are.
To his left is Jen Easterly, who until very recently was the director of CISA, the nation's cyber defense agency. And before that was actually head of global security at Morgan Stanley.
And before that also had a storied career at NSA, which included setting up, standing up Cyber Command. And it's an honor to have her here today.
To her left was my favorite phone call at the New York Times, Jim Lewis. I called him every time there was a cybersecurity disaster brewing.
Jim, until very recently also, was senior vice president at the Center for Strategic and International Studies in Washington, which tells you nothing about Jim. What you need to know about Jim is that Jim has been privy to, partaken in, supported almost every back-channel negotiation that the U.S. has had with China on the cyber threat.
And then to his left is Bipul Sinha, the CEO and co-founder of Rubrik, which is leading the charge on cyber resiliency in this country and making sure that our worst day, the day you get hacked, is not your last day.
So it's an honor to be here with all of you. These are the people who have been targeted by, instrumental in tracking and engaging the Chinese cyber espionage threat.
So without further ado, let's get started. I'm going to ask the first question to my friend David here, which I want to address right away the elephant in the room.
And I think the elephant in the room is this, you know, covering this threat at the New York Times and doing a whole podcast series about Chinese cyber espionage. You are walking a very tight rope because this is a very real threat, but you also don't want to stoke the kinds of disgusting xenophobia that we saw during COVID.
And it is a tough rope to walk. And I think you have covered these threats, you've been a target of these threats, and now you are basically covering China full-time through The Wire.
So help explain how do you walk this tightrope, and how do you help, you know, for the novices to this subject, help them conceptualize this difference between the Chinese Communist Party and the Chinese people? Yes, thank you. Great to be here with you, Nicole.
I think this is one of the things, it's a great journalism question. It's also great that your first episode mentions, like, we need to deal with this issue.
As a journalist covering China, you know you've got to write about the Communist Party. You've got to write about the toughest things that China's doing.
Hacking my own email. But also, that's going to affect the readers.
That's going to affect politicians. That's going to lead to a little xenophobia.
As you probably know, there's FBI investigations. There's concerns about Chinese students at universities.
You may or may not know this, but the three major American chip companies are all Chinese Americans. So China is a source of talent.
You have just discrimination, human rights, all of those things. So I think as a journalist, maybe the first years I was in China wasn't a big deal.
But every year since then, especially now, you have to think in journalism, but not only in journalism, about what is the story? Is it the Chinese actors, the Chinese cyber spies? Could that become easily seen as Chinese? These are suspicions about Chinese students. Or my colleague is Chinese.
My wife is Chinese. So I do worry a lot about that.
I think every story we write, we need to think about not only is it true what we're saying, but what could be the impact of this story? Could it lead to xenophobia in the country? So I think saying that up front and thinking about that, there are lots of Chinese Americans, Asian Americans in this country. We know what happened during COVID.
So I think keeping that top of mind, we're going to say some really tough things about China, but we shouldn't think everyone who's Chinese is a spy, is a hacker, is the threat. Speaking of the threat, I'm going to toss this one to you, Rob.
You have, I think, what is one of the best quotes on how to conceptualize the threat. You just heard it all in the podcast trailer, and it's this.
So you said that basically Russia is the hurricane, China is climate change. Tell us what you mean by that.
If you look at the operational way that China comes at us, it is scope and scale and now sophistication. In the early days of China hacking, the US kind of laughed it off.
They weren't very sophisticated. They were easily detected.
It was blunt force. And now over time, they continue to come and come and come.
And they have such quantities around their ecosystem that does this hacking, whether it be the military government assets, the intelligence service government assets, and increasingly the commercial assets who support these activities by writing malware, by providing the infrastructure that the governments hack through.

But now they even do independent hacking operations themselves where they choose the target, they grab the data, and then they offer it back to CCP government officials to see if there's a profit in that space. So they have grown in scope and scale, sophistication on a level nobody else has seen and is, quite frankly, becoming a huge problem for us because of the critical infrastructure threat, because of the pervasive nature they've gotten into things like our telcos and our ISPs. The way that they're able to operate at scale is just monumental.
Jen, talk to us about what you saw or how you saw this threat morphing at CISA. You know, you oversaw CISA during a period we saw an unrelenting Chinese assault on our federal cloud systems, on our telecommunication networks, and on our critical infrastructure.
Yeah. So great to be here with everybody.
I think it's important to understand how serious, urgent, and different the threat that we're talking about has evolved into. You know, as Rob alluded to, for years and years, we really focused on China as a threat of espionage, data theft, intellectual property theft.
And over the past few years, we actually saw a threat that was different in kind. We saw Chinese threat actors that were not looking to steal data, but rather to burrow deeply into U.S. critical infrastructure so that they could be prepared to launch disruptive or destructive attacks in the event of a major conflict in Taiwan.
So this was really a deliberate effort by the Chinese Communist Party to hold U.S. critical infrastructure at risk. So imagine a world where there is a conflict in the Taiwan Straits, and at the same time you see mass disruption here in the U.S. So you see effects on communications being severed, transportation networks, you see effects on power grids, you see effects on water systems, in a way we used to call it everything, everywhere, all at once.
So in an intent by Chinese doctrine, specifically to incite societal panic and chaos across the U.S. and to deter our ability to marshal military might and citizen will.
And that was a threat that we started to really get our arms around working with our intelligence community partners, our FBI partners, and industry, and then based on that information started working with a variety of victims where we would show up, CISA and FBI, let them know that we think that their networks had been penetrated, and then work with them to actually hunt for those actors to attempt to shut down the access points and then to help them harden their infrastructure.
But we had done this across multiple sectors with multiple entities. And I'll tell you, the way that I've always talked about this is we believe what we were able to find when we were at CISA was really just the tip of the iceberg.
And it's a full range of targets. One actually was just out there publicly for the first time.
We obviously don't talk about targets because we protect victims, but one target actually talked about this publicly. I think it was in the record.
It was a very small water and power facility up in Littleton, Massachusetts. I think they serve about 15,000 citizens of Littleton and Boxborough, and they were one of the victims.
So think about what China is doing. They're doing this opportunistically, looking for vulnerabilities, looking for access points in multiple places across multiple sectors across the U.S., again, to be able to get in, to cause disruption and or destruction in the event of a conflict in Taiwan.
I think, you know, the only real public glimpse that we have of what this threat could look like that you just outlined is Colonial Pipeline. You know, and we all sort of remember people inexplicably showing up at gas stations with giant plastic bags to fill up with fuel.
And one of the things that hit me was there was a DOE assessment at the time that found that as a country, the United States could have only afforded three or four more days of Colonial Pipeline being down. And it wasn't so much the gas or the jet fuel we had, the reserves.
It was the diesel required to run our factories. So three more days.
And that was one target. I hadn't even heard of Colonial Pipeline until this ransomware attack happened.
That was one target by a bumbling group of ransomware criminals. And what Jen is describing is think about a coordinated attack on not Colonial, but five or seven Colonial Pipelines and then add in water and the grid, et cetera.
And when you think about it that way, it's not a hypothetical anymore. That's what hit me in the course of this podcast project.
It's a very real threat based on where we're seeing this targeting. You think about it that way, you think about the psychological deterrent that that would create for the United States to summon the appetite to go support an island's independence 7,000 miles away. And then you start to think about how this is really a way to really win a war without firing a single bullet.
And when you start to look at these attacks like this, you start to see just how powerful these cyber attacks could be. So the one that always hits home for me is water.
And Jim, you've been in, I think, recent negotiations or conversations with the Chinese on, would they agree to draw any red lines around certain targets like water? How have those conversations gone? So I've been negotiating on and off with the Chinese for about 30 years, starting out as a child, I might add. And one thing that's changed, they're much more confident.
And I saw this with the Russians. I was at the UN, and the Russian ambassador was talking, and the Chinese ambassador opened the newspaper.
I think it was the Post. It's like, I could care less what you have to say.
And they feel that way about us now, right? And so they feel like they're winning. Why would they do anything different? And on targets, the previous administration had some ideas about perhaps proposing along the lines of what we've been discussing.
There's some targets that should be off limits, right? Now, point of fact, under international law, there are no targets that are off limits. If they're not, there are no targets that are off limits, right? We could debate that.
But the Chinese basically said, we don't think the way you think. You know, we don't think that you're going to have a set water facilities and you'll take them off the table.
We look at it in terms of what's the consequence if we do this? We judge it by consequence. If it's a little consequence, like Podunk, Massachusetts, or wherever the hell it was, we don't care.
Is it something else? So they have a very different way of looking at this and a very different attitude. They're cautious.
They're very cautious, but they feel like they're winning. And that seeing them over a couple decades, they've gone from, they started out doing the old, you're the master, we're the student, tell us what to do.
To now it's like, you guys are the past. We're here.
We're not that cautious anymore. So I think it's a very different ballgame than it was, say, even 10 years ago.
So the answer was no. We're not going to draw any red lines.
I had a specific request to them. Are you willing to engage in a...
I don't negotiate for the U.S. government, but I will occasionally ask questions that the U.S. government has asked me to ask. And the answer was no, we're not interested.
And part of it was, and some of these are people I've known for a long time, and they had a good point. It's like, look, five years from now, 10 years from now, we're going to be much stronger than you.
So why should we make a deal with you now? Because we'll have a better hand to play five years from now. Before I get to Bipul, I want to ask you, Rob, you know, I think there is this idea that we have entered into a new era of mutually assured digital destruction where we're all holding guns to each other's heads and saying you better not hit us because we can just shoot right back at you.
And I think you'd have to be a fly on Vladimir Putin's wall to find out why he hasn't done more in the way of attacks on our infrastructure because of our support for Ukraine. Or maybe our defenses were just that good that we were able to deflect them.
And I know you can't speak to the U.S. capabilities, but what do you say about the deterrence of what we think might be this era of mutually assured digital destruction? And what are sort of the misunderstandings maybe about what our capabilities are in China? Yeah, so the first thing I'd point out, Nicole, is, you know, I am a firm believer that cyber doesn't stop cyber, right? You don't get a bigger cyber bat and hit somebody hard and they just go away, right? We had the Salt Typhoon intrusions into our telco, pretty heinous intrusions.
We've had the pre-positioning and critical infrastructure, pretty heinous strategic advantage for China. And we didn't curl up and say, we're going away, we're getting out of the cyber business, right? You now have congressmen and even administration people pounding on the table saying, we need more cyber, right? And so I don't see, you know, the effect that they've brought deterring us.
So why do you assume if we bring something, it will deter them? I think there is a strong assumption we're doing the same. We certainly have amazing, very capable cyber operators.
Between Cybercom, NSA, CIA, the defensive capabilities of CISA, the FBI, we are well-resourced and large, not as large as the Chinese assets, but we have impressive capabilities that hasn't deterred China. It's motivated them in some sense, right, to be better and bigger.
But the thing that really differentiates us is we are a rule of law country. And there is an effort in the law of armed conflict where you need to be differentiating military targets from civilian targets.
You need to have proportionality. The things you do must impact the military effects more than the civilian effects. And so when people say we ought to turn the lights off and shut off the water and stop the planes or crash trains, we don't do that because it's disproportionate on the civilian population.

And that's where the differences arise.

We would never get through the lawyers the ability to hold them at risk the way they're currently in some of our infrastructure.

And that's the differentiator.

But I say all of that, and now you've got a new administration that is willing to put the dial on 11.

And if you talk to folks in the administration, you talk to folks on the Hill, there's certainly a strong desire to have more capability in the cyber offensive arena unleashed. So we'll see where that goes.

I used to think that the Chinese had an advantage because when they showed up, they never brought lawyers.

We, of course, had thousands or even millions of lawyers with us.

It's like, geez.

One time I said, the worst thing we could do to you people is teach you to do this rule of law.

I think that's the thing also that Chinese love is that they know you can't punch back in certain ways. This is their advantage to use the U.S. system, the openness of the U.S., the universities, just an open freedom, rule of law society and say, let's take advantage of that. Let's find the holes. And we know they can't strike back in some ways, right? So I think it's been, that's the game they've been playing for decades.
And now they're getting really good at it. One thing that you learn when you talk to these folks is just how creative the Chinese have been at exploiting some of our civil liberties, our Fourth Amendment.
You know, I think people don't realize, and I got a kind of front row seat to this on Jen's advisory committee at CISA, people don't realize that the U.S. is really blinded in some ways on cyber defense because we don't live in domestic traffic.
You know, we are not watching in real time what traffic comes in and out of our water treatment facilities. We really count on either our intelligence agencies or the FBI alerting these entities that they've been compromised or the entity discovering they've been compromised and telling the U.S. government.
And so in many ways, we're kind of flying blind in a way that some of our adversaries aren't.
And prevention, we need to do all of the things that you would need to do to prevent these attacks. No one knows that more than the people in this room, right? But we also need to start assuming that at some point they're going to get in.
And once they're in, how do we make sure that they don't get our crown jewels or they don't shut down the flow of gas and jet fuel and diesel to the eastern seaboard of the United States of America? You know, how do we build those cushions of resilience inside the enterprise, inside our infrastructure is really where the conversation needs to start going, especially based on the targeting that we are learning about. So Bipul, this question is for you.
What are those cushions of resilience? First of all, thank you so much for this invitation and great to be here. What is clear is that almost every company or government institution have been compromised.
They may not have been attacked, but they have been compromised so that one or more of the threat actor is sitting and figuring out what to do. So in some ways, we need to have defenses and we need to continue to invest on defenses so that things don't get in.
But this assumption that you can prevent the unpreventable is not going to work. So you need to really assume that the breaches are inevitable or might have already been happened.
But then how do you prepare yourself both on understanding the risk and then doing the remediation? And what we have been telling organizations, both government and private sector, is you need to truly understand what are the tier zero set of services, we call it minimal viable organization, that you need to keep your business up and. Whether if you're a bank, then even if you're breached and attacked and something bad has happened, how do you ensure that your counterparty transactions and risks are taken care of? If you're in hospitals, how do you make sure that you can take care of your patients and while admitting new patients, while you're trying to recover whatever activities you do.
So understanding of the critical assets, the crown jewel, and what is the risk of those assets, assuming that the breach has happened or will happen, and then how do you provide resilience and recovery on this tier zero minimal viable organizational concept. And the issue is that everybody is, and the cyber is such a cat and mouse game that everybody is playing whack-a-mole for the last 20, 30 years and not thinking that how do we protect the unprotected, which is like a small government, schools and water plant and local cities, because they don't have either talent or technology or even understanding of what is going on.
But they open up a whole new door because the kids take the laptop home, log into the home systems and all the rest of it remains open. So we are squarely focused on to ensure that people have this awareness of resilience inside-out security.
How do you fundamentally secure yourself, assuming all else has been compromised? And that's where the focus has to be, because you can't win this war by creating taller walls and wider moats. Jen, you know, we talked a lot at CISA about target-rich, cyber-poor environments, that this is really where they're coming for, and it's the water.
If you want to elaborate on some of those targets, that would be helpful. Right now, and this is probably a difficult question, but right now we're seeing a lot of cuts at the Cybersecurity Infrastructure Security Agency.
You hired more than 2,000 people to that agency. I am acutely aware of the cyber workforce shortage that we have and how hard it is to hire really good people into cyber defense for government.
And these are people who have plenty of other options working in the private sector, getting great stock, working at Rubrik, working at Microsoft, working at Google. Talk us through just your thoughts, having just left in January, on some of what's happening at CISA and across federal agencies.
There's a lot there. Yeah, so let me just go back to one thing that you said that I think is important.
Colonial Pipeline is always the canonical one we go back to. But frankly, think about CrowdStrike, just July of last year, when a lot of people couldn't access a lot of things.
Now, that was for a short period of time. But think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that could be in place and unable to just turn back.
Think about that for weeks and months on end. So I think that's a good mindset actually to take CEOs and boards and key leaders into the boardroom when you have that very important conversation that Bipul was talking about.
At the end of the day, given the complexity, the interdependence, the inherent vulnerability of the technology that we rely upon for businesses large and small, it is increasingly difficult to prevent bad things from happening. So you have to architect your systems, your infrastructure, train your people, prepare to be able to understand, prevent, but to respond, recover, and then learn continuously from the various incidents.

And to your point about the target-rich cyber-poor entities who didn't really have security teams or much vendors that they were working with, we made a deliberate effort to work with hospitals and water facilities and K-12 to help them understand the steps that they could take in a material way to reduce risk to their infrastructure. So most folks are familiar with the NIST cybersecurity framework, great tool.
But if you're at a big firm like Morgan Stanley, you can use that and you can actually say, I'm aligning with the NIST cybersecurity framework.
If you're a rural hospital, the NIST cybersecurity framework becomes shelfware. Don't have the team to really go through that and understand how to align your security organization.
So one of the things that we did was do a distillation, kind of an extract of that document to less than 40 things that a hospital or a water facility or a K-12 school could do, and they were characterized by cost, complexity, and impact. And so you could do that in a way that could take advantage of your relationships with MSPs or vendors, but also the fact that you didn't have a lot of resources.
And then some of our field forces at CISA would work with entities and sit down with them and walk them through those cybersecurity performance goals to help them, again, materially reduce risk. Now, to your point about what's happening on the inside of CISA, you know, I've been gone for, I think it's two months today.
And from what I've heard and what I've been reading, there have been layoffs, largely the probationary folks. Now, we built CISA from about 2,000 to about 3,500 when I left.
As you said, we hired over 2,000 amazing, amazing people. And I understand that they have let probationary folks off, but now they're rehiring them.
Look, at the end of the day, my key message is the type of firings that are going on are really going to discourage the talent that the federal government needs to be able to defend and protect the American people from joining the federal government, whether it's CISA, whether it's the intelligence community. And I know people are sort of dismissive to this idea of joining the federal government. I spent most of my life in the federal government. What I would say is these are not bureaucrats, which has frankly been used as a pretty pejorative term.
These are public servants who want to defend their nation, who willingly raise their right hand to support and defend the Constitution of the United States of America against all enemies, foreign and domestic.

They're doing it because they believe in America. They want to defend the American people and democracy.
And, you know, my one message to anybody currently in the government is, yes, preserve the capability for us to be able to defend the nation, but also make sure that you are taking care of your workforce and your troops because they are there to take care of America. One thing that came up a bunch in these interviews is that Xi Jinping was watching very carefully what happened with Putin's invasion to Ukraine.
And Jen, you said Ukraine's defense is the deterrence on Taiwan. So I'll put this to you first, David, and then maybe you, Jim.
But first to you, David, since you're the only one who's spent significant time living inside China, what do you think Xi is thinking? What are his takeaways right now watching this administration's current approach to Ukraine? Yeah, I would imagine his takeaways are celebratory, right? That he sees a bit of chaos in the U.S. If they're laying off at CISA, he's like, wow, this advantage is going to come even faster.
And I think, back know, back to the earlier question that it's not just about Taiwan. I think even if Taiwan were not the case, they would still be in the infrastructure.
It's about leverage. It's about the rise of China, challenging the U.S. in every realm. We're talking a lot about infrastructure, which is important, but they want to challenge the U.S. in everything. The top universities, the top AI, our own semiconductors.
They want to be self-sufficient. So Xi Jinping, I think, is really looking at what's happening in the U.S. and saying, this is a great opportunity for us. The decline may come faster because it seems that they're tearing apart the country.
And the is not sure what they're doing. I think it's emboldening actually China right now, which is sad to see.
I spent a lot of time with people who are in government or formerly in government. You really want the US to have the best capabilities.
I can tell you, when I was based in China and got death threats, I went to the State Department, I went to our embassy. You want to have a strong U.S. and you want to have that leverage. So when Jim says that they're not negotiating in the same way, I agree with him. I think even when I was there, they felt each year we gain a little more economic leverage. We gain leverage by showing how we can get in the infrastructure.
We don't even have to use it. We don't have to take advantage of that, but we want you to know we're there.
They would do these same sort of games on the journalists. Is your wife Chinese? Hmm.
Do you want to spend time in China? So we want to build up the leverage that makes it very difficult for you to act. And every little thing is a bit of leverage on US companies.
One reason the companies don't want to talk to you or me about the intrusions is China will punish those companies. Right? So they want to be quiet.
It's very scary for them to go against maybe their fastest growing market. We've talked about this a little bit about how successful has this been? Has this strategy been? And actually when you just think of Hollywood, it's actually been pretty successful.
We saw the nine-dash line in Barbie. I couldn't believe that.
I had to go back. It turns out Barbie is banned in Vietnam because the nine-dash line is in the background.
The NBA has faced this. We face this at more than just our infrastructure.
We're facing this at every level. It's becoming quite clear that China is operating off of a 100-year plan.
And they are executing flawlessly with some hiccups. We are operating off of a maybe four-year, two-year election cycle.
We are fighting with each other over our culture wars every single day. You know, it's almost like some days they're making a good case for authoritarianism and we're not making a great case for democracy.
Where do we go from here? I know that's a big question.
I'm not sure I can answer that, but I think to put in context, I mean, think about even the time I went to China in 2004. If you are the rising economic power, they were nowhere with cars and now they're the largest carmaker in the world by far. Right.
I was just looking up the other day ports. The top 10 ports, six of them are from China.
And their largest port is three times the size of Los Angeles. So if you think about that context, the U.S. should also be very much aware of, okay, the game is changing. China has economic power that's just accelerated.
Even in the decline now with the economy, they just have great students, great universities, great companies. We need to recognize the challenge that they are, not only in the cyber front, but on every front, and to think about it holistically and not as, oh, if we deal with them in this one way, it's going to change things.
I think they're the rising power. They know they have strength.
That's why they're telling Jim Lewis, like, we don't have to negotiate anymore. Yes, we made promises.
Xi Jinping wakes up in the middle of the night screaming. He's dreaming of Gorbachev.
So the number one threat to China is their own population, which is why they've put such a huge effort into domestic surveillance. They feel like they're winning, but they are always looking over their shoulder, and they're really paranoid.
Their leadership, right? Because they know they don't have popular support. And some of that is to extent, they're Marxists, we're not, I don't know what we are, but capture the informational battle, capture the narrative.
And they've put a lot of effort into that. And we of course have this marketplace of ideas.
doesn't work so well anymore. But they do have a strategy.
And we have a let 100 flowers bloom approach. Let's see what happens.
At the end of the day, I think we'll do better. But don't assume that the Chinese feel comfortable.
If anything, that's bad, because it means they'll push harder on the accelerator. You actually are often quick to remind me of some of their incompetence.
And sometimes I think it's important to not make these adversaries, I guess you would call them at this point, out to be the boogeymen. We saw what happened with Putin's invasion of Ukraine.
It turns out that they weren't the big boogeymen that we had worried about. You know, talk to us a little bit about their incompetence on defense.
Quick, anyone want to guess the last time China won a war? 1949, right? Now, we aren't doing much better, frankly. But their Air Force, their Navy, their Army, not exactly a lot of experience.
The heads of their Air Force have, on average, two or three years' experience. And part of the problem is Xi doesn't trust them.
He gets mad at them, or he's suspicious of them, and they get thrown into jail. My favorite story, which I didn't tell you, it's anecdotal, so I don't know if it's true, but the guy who was the head of China's strategic nuclear forces currently resides in the Husqiao because he was caught doing something corrupt.
There are allegations that that corruption, you know what a silo is, a hardened silo for an ICBM? It's this reinforced concrete so that the pressure waves, the blast waves of people trying to blow up your silo won't have an effect. And, of course, the silo is buried in the ground.
So once you build it, no one can inspect it, right? Inspect it. And there are allegations, perhaps unproven or untrue, but certainly we can see them in other areas that maybe they just shave a little bit on the reinforced concrete to, you know, pocket it.
So they have a military that is not, ignore their propaganda. Their military has not won a war. And the war they won was against the nationalist Chinese. I don't know if I'd take that one to the bank. So they have dilemmas here and weaknesses.

Do you want me, you don't want me to tell that incompetent story?

Guess.

No, but that's, I won't. But the big, when I used to want to tease them to annoy them, which is easy to do, I'd say, hey, most of the China used in, most of the software used in China is pirated, right? It's copied.
It's a problem for them. They even admit it.
Now, we don't have a software industry because when somebody comes up with a good idea, it's immediately stolen. So they're working on fixing their IP laws.
In the interim, though, you can say to them, hey, you know, that pirated software you use, you know, you know where it comes from. It comes from Russia.
And it's true. It's like, hack that sucker.
There was one of the opportunities in this podcast was to go back and retell some of these stories that are sort of tossed about as if everyone knows them, but we've never really heard the full story on the IP theft. And so we actually interviewed the head of biotech at DuPont, who talked about what it was like to go try to bring a hybrid rice germplasm, plant genetics, DNA, to China in this joint venture.
And they invested $30 million in this plant, three years worth of training. They brought over their own seedlings, their own DNA, you know, like I said, trained everyone up.
And the plant itself was $30 million, but really what they were bringing was billions of dollars of know-how and proprietary R&D from their soy and corn business. And everything went swimmingly until the day that they were no longer getting permits to continue their experiments, and they basically had to lock up shop, leave a container full of rice behind, and abandon the entire asset. And then everyone they had trained had actually set up shop across the street and they thrived.
And now China is one of the biggest strategic investors in germplasm development. And those stories just came up again and again and again.
And one of my favorite questions has been, you know, what is your favorite IP theft story? So, Jim, I'll ask you, what is your favorite IP theft story? Well, I have two, because I, you know, there's some Chinese guy whose job, he must have irritated his boss, was sneak out into the cornfields and wheatfields of the Midwest and steal genetically modified seeds in the dark, right? So you're some poor guy, and your assignment is to crawl around in the dark looking for seeds. But my favorite remains house paint that is white.
And apparently one American company makes really whippy white house paint. It can't be duplicated anywhere else.
It's shiny, durable, all this good stuff. And the Chinese borrowed the recipe for it.
And we actually had discussions with them. It's called a track 1.5.
So it was half government, half. And we said to them, look, we understand spying.
We spy on you, right? But we spy on military targets. If you want to steal a jet fighter, we get it.
But white house paint? And the Chinese response was, this was a senior colonel. He said, for us, building our economy is national security.
So it's the same thing. It's everything.
I'm going to come back to the infrastructure attacks and the mechanics of them, because I think it's really important. And you just testified about this to Congress, Rob.
Help people understand how the Chinese are hacking our infrastructure. I mean, the mechanics of it and how sort of we Americans and our ignorance of using legacy home routers or maybe Chinese routers might be facilitating some of these attacks.
Yeah. Well, we talked earlier tonight about how China has gotten good at finding the seams and using our strengths, our laws against us.
You start out with a hacker in China, and they need to connect through the infrastructure, through the internet, all the way over to their target. And they're not going to come straight from the China military building straight at a defense facility or a white paint production plant.
They are going to find ways to bounce through other places to get better reputation and wind up at that target. So what they've evolved to do is to make multiple stops on hacked things across the internet.
And the last hop is something that is inside the US, often high bandwidth and always connected, and is something that companies would expect to touch their internet perimeter. And the thing that is popular today is home Wi-Fi routers and small business Wi-Fi routers, because they're always on.
They're little computers themselves, so you can run programs on them. And these companies have worked from home.
They have customers. They expect people in Verizon and AT&T and Comcast to be connecting to the outer border of their network.
So what the Chinese are doing is they're collecting these routers and hacking them at scale. And then they put a little bit of malware on them so that they can bounce their signal through your home router and touch their eventual target.
What we're seeing now is a lot of the time, they're using routers made by TP-Link, who is now 60 percent of the home Wi-Fi market. The company is selling them at unprofitable levels, and they're driving out the Western and U.S. manufacturers, and now they're growing in dominance. Sixty percent, you know, that's amazing market share, but it was like only a few short years ago they were nine percent, right? It's exponential growth, and now they have these routers in all of our homes that the software is maintained and updated out of China.
Whether TP-Link is complicit in these hacks or not today, at any point, the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the internet if they want to attack, or makes them even better bounces and redirectors for them to do their operations through. It's a huge problem, Nicole.
I just wanted to add that one of the things I covered in China was the city of Shenzhen, which is one of the manufacturing capitals of China. And when you think about TP-Link or almost any electronic today, everything is made in China.
So if they have won over every market, and I've been to Huawei's facilities, so if they're involved in every part of the electronics chain, they know how to make them, how to rewire them, how to control them. A lot of the surveillance cameras in the U.S. are Chinese-made surveillance cameras, even at, for a while, military sites, the drones. So this is a huge advantage China has, which is we're making everything.
So we can get in every home. It actually reminds me, I wrote it down.
There is a great quote about this by Ren Zhengfei, the founder of Huawei, who said, a country that doesn't have its own routers and switches is like a country that doesn't have its own military. They actually believe it, though.
From the first time I started talking to them about cyber stuff until now, they'll say, what are you complaining about? You do it too. Look up Rivet Joint.
But when they say that, what they are thinking is they really believe it. I had a Chinese official in charge of their chip making program who told me, and this was a while ago, he said, look, every Intel chip comes with a backdoor.
I said, no, you've got to be kidding. He said, no, every Intel chip has a backdoor.
You have controlled the beating heart of China. That's their point.
So they feel like, what are you complaining about? TikTok has been the big shiny object. And I forgot to issue a PSA to everyone to delete TikTok from their phones immediately before this panel.
But TikTok has been the big shiny object. Obviously, routers are a huge problem.
And actually, you also added, Rob, that on their new, whatever the next gen Wi-Fi router technology is, they actually have 80% market share, TP-Link does. So that really drives home this issue.
Like I said, I went on Amazon today and looked up home router. The number one overall Amazon pick is a TP-Link home router.
But you can replicate that across the cranes at our seaports. Drones, it's a Chinese company that owns majority market share in drones, including those used by U.S. law enforcement in some cases. Go ahead, Jen.
Yeah, I do want to make the point. Yes, obviously, it's a huge issue, some of these Chinese manufactured routers, switches and firewalls, but it's not just a China issue.
Frankly, one of the things that we focused a lot on at CISA was the fact that the technology and the devices and the software that we rely upon for critical infrastructure is frankly inherently insecure because for decades it's been produced for speed to market, for driving down cost, for features, not for security. And so these can be clearly taken advantage of by China, but there are all kinds of technologies that are, some are created by U.S. companies, other companies around the world that are just inherently insecure, that are unpatched or have default passwords, or essentially make it very, very easy for an actor, whether it's a sophisticated nation state or a cyber criminal, to be able to exploit that infrastructure. And so this really comes down to, we talk a lot about villains, right? We blame victims, but I think we don't talk enough about the vendors because vendors really need to be held accountable to ensure that they are building, designing, testing, and delivering products and software and devices that specifically are meant to be secure.
And that's the way you could make a real difference in terms of advancing a sustainably secure ecosystem. And it's one of the most important things that I think we need to focus on.
Bipul?
So Biden administration actually came up with this cyber policy where they talked about the skin in the game. So as a vendor, when you're selling your technology to a company and particularly for cybersecurity, companies are spending $200 billion collectively in this market.
In some ways, the cyber has been the most bogus market because you give more medicine to the patient and patients get sicker and sicker every year. So one of the things that we thought about was that, how do we provide peace of mind to our customers and to give them like this confidence that on the worst day we'll be there with them.
And so we came up with this idea of warranty that if we can't recover your system when you have cyber ransomware attack, then we'll pay you $10 million per incidence so that you can do it by other ways. And for many organizations, $10 million is not a big amount.
But what it does is that for the company such as Rubrik, it brings the focus of the whole organization of writing secure code, making sure that you have all the angles figured out to be able to recover our customers because you're designing for the worst day of the customer's life. And so that is the culture that we have to have in the whole industry where we say that we are putting real dollars behind your success.
And it has not happened. In some ways, cybersecurity industry keeps getting bigger and bigger, selling more and more products, but at the same time failing more and more of the customers.
I'd love to ask you and Rob about the promise of AI and you too, Jen, to finally do these things that we have failed at as humans. Developing secure code, going back and maybe retroactively, Jen, you mentioned this to me the other day, refactoring code that is vulnerable.
Rob, you said the only hopeful thing that I heard at RSA last year was out of your mouth. You said using AI tooling, you could bring down the dwell times on these critical infrastructure Chinese hacks from months, years in some cases, down to weeks and days.
So maybe, you know, in our last four minutes here, we can take the conversation in a more positive direction. And I know that the threats are going to be significant from AI and we'll get there.

But talk to me about what the potential benefits are of AI. Let's start with you, Jen.
Yeah. So, you know, we should stipulate that there are a lot of risks with respect to this new technology.
And some of the work that we did at CISA was working with the labs to ensure that they were red teaming their models, that they were putting in place security to be able to ensure that they were also by design. But I have to say, I am increasingly encouraged and excited about the prospects of what powerful AI can mean for cybersecurity and cyber defense in particular.
I was actually rereading, some of you may have seen Dario Amodei, the CEO of Anthropic, wrote a piece called Machines of Loving Grace, and it focused very much on health and neuroscience and poverty reduction. But I actually think there's a lot to be said there about how this technology can fundamentally change what we're trying to do to secure infrastructure.
And I know Rob can talk about this as well. But the thing, the use case that I'm most excited about going back to my tirade on insecure technology, it's a lot of it is because you have insecure codes.
So two-thirds of software vulnerabilities are because of memory safety vulnerabilities, things like SQL injection or cross-site scripting or directory traversal. They've been around and frankly have been solved for 20 years.
But if you're writing in C or C++, you're going to continue to have these types of vulnerabilities. So there's a lot of companies now that are looking to write code prospectively that is much more secure in languages like Rust, which is memory safe.
But if you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities, that can advance a much more safe technology ecosystem. So that's what I think is the most exciting use case of some of the AI capabilities coming down the line.
Okay, Rob? One of the things China is doing in their operation today is a type of hacking called living off the land, where they don't bring malware, they don't bring code into the environment, they use the stuff that's part of the operating system already. And that makes it hard because antivirus doesn't work.
There's nothing to signature on and alert that there's somebody in your computer. How do they do living off the land? One of the ways is they assume an identity of somebody who already has access in that system.
And with AI, there's the opportunity to look at massive amounts of data and understand, you know, what does David do every day in his cyber persona? And is he now starting to do different things? So AI lets you look at scope, scale, and detail about these trends and flag the things that are unusual anomalies. It may be that you block it at that point, or you just put extra eyes on so that you can stop it and curtail it and cauterize that intrusion.
Bipul?
I very much agree with this point that if you look at the volume, velocity, and variability of cyber attacks, and not to mention the complexity of the infrastructure at many organizations that we are dealing with, it has gone beyond human comprehension. We have been doing this patchwork for the last 20 years that we have now cloud, then you can create some tooling for cloud, take the log out and put it in Splunk, and then you have some in the endpoints and take the log out, and then somebody's manually figuring out, and then we've gone from SIEM to SOAR to now XDR.
But there's no fundamental quantum shift in terms of how do we use the machine comprehension, the machine intelligence, what Rob said, AI, to truly comprehend what is really happening across the whole landscape in a holistic way. Because humans can't do it.
And you can't even augment human to do it. It has to be pure machine activity.
And that's where I believe is the next frontier because as much as I love as a past software engineer, people will never write good code. And as more and more developers are getting into the field of writing applications and software, the quality will only decrease because it's becoming more ubiquitous.
And now with the natural language programming, it'll be even next level. So we need to have the effort to have AI write better code, as Jen said, but at the same time, really use AI to assume that all else has already been bad.
And how do we protect?
I'd be remiss in having a panel on China that mentions AI without asking some of you about DeepSeek. So, you know, DeepSeek, we don't know whether there was any stolen IP.
We don't know whether there was an evasion of export controls. But they've called it open source.
It's not really open source. It's open weight.
We're already seeing applications and new businesses built on DeepSeek because of its cost efficiencies and much the same way we saw Huawei spread very quickly because of its cost efficiencies. I'll probably throw it to you, Rob.
What is the risk of DeepSeek? It comes at us in a couple dimensions. DeepSeek is software that is run in China.
They're offering a service. So your data goes to China.
I think we all understand why that would be a bad thing to have any of the questions or intellectual property you give to the AI be housed in China. There's a second way where they've open-weighted the model so that you can move it here to the U.S. and run it on your own infrastructure. There's still an inherent bias inside that AI. And people were famously asking it about Tiananmen Square and other things. So I want to make sure that the AI I'm using isn't biased against free and open society. So those are the two big things that worry me.
But every time we've tried to block another country from getting a technology, all it's done is incentivize them. And this is the fourth or fifth time.
So you don't win through export controls. And the Chinese say, I think I said this, the Chinese say all the time, you guys are so entranced with your success in the Cold War that you can't get over it, and you keep wanting to apply these Cold War tools today, and they don't work.
Yeah, and how did they create it? They distilled out of the investment of OpenAI, right? And literally trained their model off the US frontier models.
So export control doesn't stop that. It is the American innovation that's going to keep moving ahead of it.
DeepSeek is also pretty complex because it is also a PR exercise. Because out of all the model companies, they were the first one who came up with the open weight model, and they also used the Nvidia chips, bypassing their software and directly, that gave them the cost advantage.
So there was like a lot of like learning from the US companies but also a little bit of innovation and a lot more media. So it's a very interesting operation that they ran.
And it's an interesting case where in the developer community, it actually created goodwill. That they had a model which is open weight and now is at a reasonable cost because it was directly going after the hardware.
It was a little strange to see how much cheerleading there was in Silicon Valley for this from Andreessen Horowitz and others. David, I'm going to leave my last question to you.
When we look back on when these Volt Typhoon, these so-called Volt Typhoon attacks, I know Jen and I are big fans of these names, but this is essentially the Chinese group responsible for a lot of these infrastructure attacks.
When you look at really when they started picking up in cadence, it was around 2020 when Trump started calling COVID the China virus. Right.
And you and I have talked about how much the CCP cares about image control and how so much of their actions and cyber espionage and activities against dissidents, etc., is because they are so concerned and, to Jim's earlier point, paranoid about image control.
We are seeing a huge escalation in rhetoric right now. What do you think we can expect right now going forward in this administration?

You know, I don't think it really changes their strategy, but it sort of accelerates it at points, right? So they're going to do the cyber attacks. They're going to do the leverage.
But I think COVID and attacking China on COVID, the origins of COVID, just makes them more angry and says, let's unleash all the hackers in these different places. So I do think one is they get an extra jolt from that and they will push more.
But also they are thinking in the long term anyway, which is they're going to find the openings to do it. They're going to probably take advantage right now of the situation in the US if there are more tariffs on China.
If Trump calls out China more, I think you'll see them double down on getting into US infrastructure. You can guarantee that they're going to be more aggressive because if they see that as leverage, then this is what we need to do for the next negotiation.
And I think a lot of these things about Taiwan are also about giving them the leverage to say, if the U.S. in any way moves on Taiwan or changes the policy enough, just letting you know we're in everything.
We want you to know that. We want to show that.
And the other part of your question is about them disliking criticism. In your first episode, you talk about the Dalai Lama, the dissidents.
The Google hack was really about dissidents. It's certainly true, and in my own story, they're very worried not only about their own population seeing criticisms, but they don't want the outside world to badmouth China or to diminish China's prospects in other countries.
So with Huawei also, they really went aggressively at the US on Huawei and on Canada, right? So you can just expect that, as Jim was saying earlier, China is more powerful now. They're probably going to show that they don't have to bend or bow as much or even negotiate in the same way.
And this environment is ripe for them to be a bit more aggressive. So I think we should expect more from China, especially with export controls.
They hate the export controls, right? So they are going to figure out not only ways around it, but what are the other leverage points we need? Chinese export controls, right? We're going to put our own export control regime in place. So I think that's what we're going to expect in the next couple of years.
But to end on a positive note. Yes, please.
There's a saying from 1900 that says that God protects drunkards, lunatics and the United States of America. And I've used that with the Chinese because I've said, you guys are doubling down on Marxism, the great failure of the 20th century.
And you're saying we're having a crisis. And I tell them, we have crises every 30 or 40 years.
It's like, eh, you know, we'll come out stronger out of this. Do you really want to bet against Uncle Sam? And so I think that still shapes their thinking.
I mean, they see us being a little bit in disarray, but they aren't quite sure that it's permanent. And that is a good place to end.
I think we're going to wrap it up and let everyone get some alcohol in the discussion. But thank you so much for being here.
Thank you very much to our panelists who've come from long and far. And thank you for having such a far-reaching discussion. And just thank you for all that you all do.