BONUS: Live Panel with Top China & Cyber Experts at The New York Stock Exchange

1h 8m
Start listening Download the MP3
For this special live recording of To Catch a Thief at The New York Stock Exchange, host and former lead cybersecurity and digital espionage reporter for The New York Times, Nicole Perlroth sits down with those who have been directly targeted by, traced, or directly engaged China’s state-sponsored hackers, diplomatically, or in the cyber domain: Pulitzer Prize winning journalist David Barboza, the National Security Agency’s former Cybersecurity Director Rob Joyce, former Cybersecurity and Infrastructure Security Agency Director Jen Easterly, Jim Lewis, of the Center for Strategic and International Studies and Rubrik CEO Bipul Sinha. They discuss how the Chinese hacking threat has morphed from corporate espionage to insidious attacks on infrastructure, the strategic leverage China hopes to gain with these hacks, how Xi Jinping views Trump 2.0, and what levers the United States can still pull to salvage what’s left of its cyber defense.

Jump to transcript

Press play and read along

Runtime: 1h 8m

Transcript

Speaker 1 I am very honored to introduce our very first chief cyber racingur, Nicole Perlroth. Nicole, take it away.

Speaker 2 Hi, everyone.

Speaker 1 Well, welcome to a special live episode of To Catch a Thief.

Speaker 1 And just to set the stage for the people who are not in this room, we are sitting here at the New York Stock Exchange today, surrounded by an audience of CTOs, CIOs, CISOs.

Speaker 1 These are the people who control the flow of information inside and outside some of our most vibrant American corporations and beyond. And it's an honor to be here with you today.

Speaker 1 And before I get to introducing the very special people I have on stage, just a few words about this podcast. Why did we do this on Chinese cyber espionage?

Speaker 1 This would have been a project that would have been unheard of 15 years ago.

Speaker 1 Back when McAfee was picking up the pieces of some of the big Chinese cyber espionage campaigns like Night Dragon and Shady Rat, they were not even allowed to say the word China as part of their attribution.

Speaker 1 It was a very sensitive thing at the time. Here we are 15 years later, and we have a whole podcast series about Chinese cyber espionage.

Speaker 1 The reason I felt that it was critical we do this on Chinese cyber espionage is because this is the threat that in some ways I lived and breathed at the New York Times, but it's the threat that has been gnawing at me ever since I left the New York Times.

Speaker 1 Because I feel that I failed and that media failed and business failed, in some ways government failed to really connect the dots for the people on this particular threat.

Speaker 1 We never went back to Nortel, for instance, when it went bankrupt.

Speaker 1 And, you know, when they wrote all these bankruptcy stories, no one ever mentioned, well, actually, the company was hacked by China several years ago. Huawei owns all that IP.

Speaker 1 They've been subsidizing it, rolling it into global markets, and now Nortel is gone. And we never did that with solar companies.
We never did it with turbine makers.

Speaker 1 We never did it with electric vehicles now. China is now the biggest manufacturer of electric vehicles.
It's no longer Tesla as of 2023. We never did it with electric vehicle batteries.

Speaker 1 We never did it with home routers. Now it's Chinese companies that own the U.S.
home router market, as Rob actually testified to Congress the other day. These are routers that have been used

Speaker 1 in attacks on American critical infrastructure. In fact, just today I went on Amazon and looked up a TP-Link home router.

Speaker 1 It is Amazon's number one overall pick, and they own something like 60% market share of U.S. home routers.

Speaker 1 And these home routers have been used to funnel attacks into America's critical infrastructure. It's not a hypothetical threat, it's a real threat.

Speaker 1 And all of this has been going on kind of right under our noses, but we've never really connected the dots.

Speaker 1 So really the magic of this episode, of tonight, of where we are, is that sitting next to me are the people who are the dots, and we are about to connect them.

Speaker 1 On my left here is my former colleague, David Barbosa, who will always be a colleague in my heart. David was the Shanghai Bureau Chief for the New York Times.

Speaker 1 He is the reason that we were actually hacked at the New York Times. His coverage was that good.

Speaker 1 It earned him a Pulitzer, but it also earned him the wrath of the CCP.

Speaker 1 And I wrote that story for the New York Times. We actually have our former CTO, Rajiv, in the audience today.
So we remember that very well.

Speaker 1 And I remember when the hack first happened, we thought they were there to maybe shut us down.

Speaker 1 But very quickly, it became clear, nope, they were there for David and more specifically, David's sources.

Speaker 1 These days, David is the co-founder of The Wire China, which is doing some fantastic data journalism and news. journalism, traditional journalism on China.
So it's an honor to have you here today.

Speaker 1 To his left is Rob Joyce. Until very very recently, Rob Joyce was head of cybersecurity at NSA.
He served at the agency for something like 34 years, right?

Speaker 1 And had a very storied career there, including leading the Tailored Access Operations Unit at NSA, which is the agency that conducts hacking on behalf of our foreign intelligence collection programs.

Speaker 1 So he knows better than anyone what the Chinese capabilities are. To his left is Jem Easterly, who who until very recently was the director of CISA, the nation's cyber defense agency.

Speaker 1 And before that, was actually head of global security at Morgan Stanley. And before that, also had a storied career at NSA, which included setting up standing up cyber command.

Speaker 1 And it's an honor to have her here today. To her left was my favorite phone call at the New York Times, Jim Lewis.
I called him every time there was a cybersecurity disaster brewing.

Speaker 1 Jim, until very recently also, was senior vice president at the Center for Strategic and International Studies in Washington, which tells you nothing about Jim.

Speaker 1 What you need to know about Jim is that Jim has been privy to, partaken in, supported almost every back channel negotiation that the U.S. has had with China on the cyber threat.

Speaker 1 And then to his left is Bipol Sinha, the CEO and co-founder of Rubrik, which is leading the charge on cyber resiliency in this country and making sure that our worst day, the day you get hacked, is not your last day.

Speaker 1 So it's an honor to be here with all of you. These are the people who have been targeted by, instrumental in tracking and engaging the Chinese cyber espionage threat.

Speaker 1 So without further ado, let's get started. I'm going to ask the first question to my friend David here, which

Speaker 1 I want to address right away the elephant in the room.

Speaker 1 And I think the elephant in the room is this, you know, covering this threat at the New York Times and doing a whole podcast series about Chinese cyber espionage, you are walking a very tight rope

Speaker 1 because this is a very real threat, but you also don't want to stoke the kinds of disgusting xenophobia that we saw during COVID. And it is a tough rope to walk.

Speaker 1 And I think you have covered these threats, you've been a target of these threats, and now you are basically covering China full-time through the wire. So help explain how do you walk this tightrope?

Speaker 1 And how do you help, you know, for the novices to this subject, help them conceptualize this difference between the Chinese Communist Party and the Chinese people?

Speaker 4 Yes, thank you.

Speaker 4 Great to be here with you, Nicole. I think this is one of the things.
It's a great journalism question. It's also great that your first first episode mentions, like, we need to deal with this issue.

Speaker 4 As a journalist covering China, you know, you've got to write about the Communist Party. You've got to write about the toughest things that China's doing, hacking my own email.

Speaker 4 But also, that's going to affect the readers, that's going to affect politicians, that's going to lead to a little xenophobia.

Speaker 4 As you probably know, there's FBI investigations, there's concerns about Chinese students at universities.

Speaker 4 You may or may not know this, but the three major American chip companies are all Chinese Americans. So China is a source of talent.

Speaker 4 You have just discrimination, human rights, all those things. So I think as a journalist,

Speaker 4 maybe the first years I was in China wasn't a big deal, but every year since then, especially now, you have to think in journalism, but not only in journalism, about what is the story?

Speaker 4 Is it the Chinese actors, the Chinese cyber spies? Could that become easily seen as Chinese? These are suspicions about Chinese students. Or my colleague is Chinese.
My wife is Chinese.

Speaker 4 So I do worry a lot about that. I think every story we write, we need to think about not only is it true what we're saying, but what could be the impact of this story?

Speaker 4 Could it lead to xenophobia in the country? So I think saying that up front and thinking about that,

Speaker 4 there are lots of Chinese Americans, Asian Americans in this country. We know what happened during COVID.

Speaker 4 So I think keeping that top of mind, we're going to say some really tough things about China, but we shouldn't think everyone who's Chinese is a spy, is a hacker, is the threat.

Speaker 1 Speaking of the threat, I'm going to toss this one to you, Rob. You have, I think, what is one of the best quotes on how to conceptualize the threat.

Speaker 1 You just heard it all in the podcast trailer, and it's this. So you said that basically Russia is the hurricane, China is climate change.
Tell us what you mean by that.

Speaker 5 If you look at the operational way that China comes at us, it is scope and scale and now sophistication. In the early days of China hacking,

Speaker 5 the U.S. kind of laughed it off.
They weren't very sophisticated. They were easily detected.
It was blunt force. And now over time, they continue to come and come and come.

Speaker 5 And they have such quantities around their ecosystem that does this hacking, whether it be the military government assets, the intelligence service government assets, and increasingly the commercial assets who support these activities by writing malware, by providing the infrastructure that the governments hack through, but now they even do independent hacking operations themselves where they choose the target, they grab the data, and then they offer it back to CCP government officials

Speaker 5 to see if there's a profit. in that space.

Speaker 5 So they have grown in scope and scale sophistication on a level nobody else has seen and is quite frankly becoming a huge problem for us because of the critical infrastructure threat, because of the pervasive nature they've gotten into things like our telcos and our ISPs.

Speaker 5 The way that they're able to operate at scale is just monumental.

Speaker 1 Jen, talk to us about what you saw or how you saw this threat morphing at CISA.

Speaker 1 You know, you oversaw CISA during a period we saw an unrelenting Chinese assault on our federal cloud systems, on our telecommunication networks, and on our critical infrastructure.

Speaker 3 Yeah,

Speaker 1 so great to be here with everybody.

Speaker 3 I think it's important to understand

Speaker 3 how

Speaker 3 serious, urgent, and different the threat that we're talking about has evolved into.

Speaker 3 You know, as Rob alluded to, for years and years, we really focused on China as a threat of espionage, data theft, intellectual property theft.

Speaker 3 And over the past few years, we actually saw a threat that was different in kind.

Speaker 3 We saw Chinese threat actors that were not looking to steal data, but rather to burrow deeply into U.S.

Speaker 3 critical infrastructure so that they could be prepared to launch disruptive or destructive attacks in the event of a major conflict in Taiwan.

Speaker 3 So, this was really a deliberate effort by the Chinese Communist Party to hold U.S. critical infrastructure at risk.

Speaker 3 So imagine a world where there is a conflict in the Taiwan Straits and at the same time you see mass disruption here in the U.S.

Speaker 3 So you see effects on communications being severed, transportation networks, you see effects on power grids, you see effects on water systems.

Speaker 3 In a way, we used to call it everything, everywhere, all at once. So

Speaker 3 in a

Speaker 3 intent by Chinese doctrine, specifically to incite societal panic and chaos across the U.S. and to deter our ability to marshal military might and citizen will.

Speaker 3 And that was a threat that we started to really get our arms around working with our intelligence community partners, our FBI partners, and industry, and then based on that information, started working with a variety of victims where we would show up, CISA and FBI, let them know that we think that their networks had been penetrated, and then work with them to actually hunt for those actors to attempt to shut down the access points and then to help them harden their infrastructure.

Speaker 3 But we had done this across multiple sectors with multiple entities.

Speaker 3 And I'll tell you, the way that I've always talked about this is we believe what we were able to find when we were at CISA was really just the tip of the iceberg. And it's a full range of targets.

Speaker 3 One actually was just out there publicly for the first time. We obviously don't talk about targets because we protect victims, but one target actually talked about this publicly.

Speaker 3 I think it was in the record. It was a very small water and power facility up in Littleton, Massachusetts.

Speaker 3 I think they serve about 15,000 citizens of Littleton and Boxborough, and they were one of the victims. So think about what China is doing.

Speaker 3 They're doing this opportunistically, looking for vulnerabilities, looking for access points in multiple places across multiple sectors across the U.S., again, to be able to get in, to cause disruption and or destruction in the event of a conflict in Taiwan.

Speaker 1 I think, you know, the only real public glimpse that we have of what this threat could look like that you just outlined is is colonial pipeline.

Speaker 1 You know, and we all sort of remember people inexplicably showing up at gas stations with giant plastic bags to fill up with fuel.

Speaker 1 And one of the things that hit me was there was a DOE assessment at the time that found that as a country, the United States could have only afforded three or four more days of colonial pipeline being down.

Speaker 1 And it wasn't so much the gas or the jet fuel we had, the reserves, it was the diesel required to run our factories. So three more days, and that was one target.

Speaker 1 I hadn't even heard of colonial pipeline until this ransomware attack happened. That was one target by a bumbling group of ransomware criminals.

Speaker 1 And what Jen is describing is think about a coordinated attack on not colonial pipeline, but five or seven colonial pipelines, and then add in water and

Speaker 1 the grid, et cetera. And when you think about it that way, it's not a hypothetical anymore.
That's what hit me in the course of this podcast project.

Speaker 1 It's a very real threat based on where we're seeing this targeting.

Speaker 1 You think about it that way, you think about the psychological deterrent that that would create for the United States to summon the appetite to go support an island's independence 7,000 miles away.

Speaker 1 And then you start to think about how this is really a way to really win a war without firing a single bullet.

Speaker 1 And when you start to look at these attacks like this, you start to see just how powerful these cyber attacks could be. So the one that always hits home for me is water.

Speaker 1 And Jim, you've been in, I think, recent negotiations or conversations with the Chinese on would they agree to draw any red lines around certain targets like water?

Speaker 1 How have those conversations gone?

Speaker 2 So I've been negotiating on and off with the Chinese for about 30 years.

Speaker 2 Starting out as a child, I might add.

Speaker 2 And one thing that's changed, they're much more confident you know and I saw this with the Russians I was at the UN and the Russian ambassador was talking and the Chinese ambassador opened the newspaper I think it was the post it's like I could care less what you have to say and they feel that way about us now right and so they feel like they're winning why would they do anything different and on targets The previous administration had some ideas about perhaps proposing along the lines of what we've been discussing.

Speaker 2 There's some targets that should be off-limits, right? Now, in point of fact, under international law, there are no targets that are off-limits.

Speaker 5 If they're not,

Speaker 2 there are no targets that are off-limits.

Speaker 2 You could debate that. But the Chinese basically said,

Speaker 2 we don't think the way you think.

Speaker 2 We don't think that you're going to have a set water facilities and you'll take them off the table. We look at it in terms of what's the consequence if we do this.
We judge it by consequence.

Speaker 2 If it's a little consequence, like Podunk, Massachusetts, or wherever the hell it was, we don't care. Is it something else?

Speaker 2 So they have a very different way of looking at this and a very different attitude. They're cautious.
They're very cautious, but they feel like they're winning.

Speaker 2 And that seeing them over a couple decades, they've gone from, they started out doing the old, you're the master, we're the student, tell us what to do, to now it's like, you guys, you're the past, we're here.

Speaker 2 We're not that cautious anymore. So I think it's a very different ballgame than it was, say, even 10 years ago.

Speaker 1 So the answer was no, we're not going to draw any red lines.

Speaker 2 I had a specific request to them. Are you willing to engage in a,

Speaker 2 I don't negotiate for the U.S. government, but I will occasionally ask questions that the U.S.
government has asked me to ask. And the answer was no.

Speaker 2 We're not interested. And part of it was in some of these are people I've known for a long time.
And they had a good point.

Speaker 2 It's like, look, five years from now, 10 years from now, we're going to be much stronger than you. So why should we make a deal with you now?

Speaker 2 Because we'll have a better hand to play five years from now.

Speaker 1 Before I get to BIPOL, I want to ask you, Rob, you know, I think there is this

Speaker 1 idea that we have entered into a new era of mutually assured digital destruction where we're all holding guns to each other's heads and saying, you better not hit us because we can just shoot right back at you.

Speaker 1 And I think you'd have to be a fly on Vladimir Putin's wall to find out why he hasn't done more in the way of attacks on our infrastructure because of our support for Ukraine.

Speaker 1 Or maybe our defenses were just that good that

Speaker 1 we were able to deflect them. And I know you can't speak to the U.S.
capabilities, but what do you say about the deterrence of what we think might be this era of mutually assured digital destruction?

Speaker 1 And what are sort of the misunderstandings maybe about what our capabilities are in China?

Speaker 5 Yeah, so the first thing I'd point out, Nicole, is, you know, I am a firm believer that cyber doesn't stop cyber.

Speaker 5 You don't get a bigger cyber bat and hit somebody hard and they just go away.

Speaker 5 We had the salt typhoon intrusions into our telco, pretty heinous intrusions. We've had the pre-positioning in critical infrastructure, pretty heinous strategic advantage for China.

Speaker 5 And we didn't curl up and say, we're going away, we're getting out of of the cyber business, right?

Speaker 5 You now have congressmen and even administration people pounding on the table saying we need more cyber, right? And so I don't see

Speaker 5 the effect that they've brought deterring us. So why do you assume if we bring something, it will deter them?

Speaker 5 I think there is a strong assumption we're doing the same. We certainly have amazing, very capable cyber operators, right? Between Cybercom, NSA, CIA, the defensive capabilities of CISA, the FBI,

Speaker 5 we are well resourced and large, not as large as the Chinese assets, but we have impressive capabilities that hasn't deterred China. It's motivated them

Speaker 5 in some sense, right, to be better and bigger. But the thing that really differentiates us is we are a rule of law country.
And

Speaker 5 there is an effort in

Speaker 5 the the law of armed conflict where you need to be differentiating military targets from civilian targets. You need to have proportionality.

Speaker 5 The things you do must impact the military effects more than the civilian effects. And so when

Speaker 5 people say we ought to turn the lights off and shut off the water

Speaker 5 and stop the planes or crash

Speaker 5 trains,

Speaker 5 We don't do that because it's disproportionate on the civilian population, right? And that's where the differences arise. We would never get through

Speaker 5 the lawyers the ability to hold them at risk the way they're currently in some of our infrastructure. And that's the differentiator.
But

Speaker 5 I say all of that. And now you've got a new administration that is willing to put the dial on 11.

Speaker 5 And if you talk to folks in the administration, you talk to folks on the Hill, there's certainly a strong desire to have more capability in the cyber offensive

Speaker 5 arena unleashed. And so we'll see where that goes.

Speaker 2 I used to think that the Chinese had an advantage because when they showed up, they never brought lawyers. We, of course, had thousands or even millions of lawyers with us.

Speaker 2 It's like, geez, one time I said, the worst thing we could do to you people is teach you to to do this rule of law stuff.

Speaker 4 I think that's the thing also the Chinese love is that they know you can't punch back in certain ways. This is their advantage to use the U.S.

Speaker 4 system, the openness of the U.S., the universities, just an open freedom, rule of law society and say,

Speaker 4 let's take advantage of that. Let's find the holes, and we know they can't strike back in some ways, right?

Speaker 4 So I think it's been, that's the game they've been playing for decades, and now they're getting really good at it.

Speaker 1 One thing that you learn when you talk to these folks is just how creative the Chinese have been at exploiting some of our civil liberties, our Fourth Amendment.

Speaker 1 You know, I think people don't realize, and I got a kind of front row seat to this on Jen's advisory committee at CISA, people don't realize that the U.S.

Speaker 1 is really blinded in some ways on cyber defense because we don't live in domestic traffic. We are not watching in real time what traffic comes in and out of our water treatment facilities.

Speaker 1 We really count on either

Speaker 1 our intelligence agencies or the FBI alerting these entities that they've been compromised or the entity discovering they've been compromised and telling the US government.

Speaker 1 And so in many ways, we're kind of flying blind in a way that some of our adversaries aren't. And prevention, we need to do all of the things that you would need to do to prevent these attacks.

Speaker 1 No one knows that more than the people in this room, right?

Speaker 1 But we also need to start assuming that at some point they're going to get in. And once they're in, how do we make sure?

Speaker 1 that they don't get our crown jewels or they don't shut down the flow of gas and jet fuel and diesel to the eastern seaboard of the United States of America.

Speaker 1 You know, how do we build those cushions of resilience inside the enterprise, inside our infrastructure, is really where the conversation needs to start going, especially based on the targeting that we are learning about.

Speaker 1 So, Bipol, this question is for you. What are those cushions of resilience?

Speaker 6 First of all, thank you so much for this invitation and great to be here.

Speaker 6 What is clear is that almost every company or government institution has been compromised.

Speaker 6 They may not have been attacked, but they have been compromised so that one or more of the threat actors is sitting and figuring out what to do.

Speaker 6 So, in some ways, we need to have defenses and we need to continue to invest on defenses so that things don't get in. But this assumption that you can prevent the unpreventable is not going to work.

Speaker 6 So, you need to really assume that the breaches are inevitable or as might have already been happened

Speaker 6 but then how do you prepare yourself both on understanding the risk and then doing the remediation and what we have been telling organizations both government and private sector is you need to truly understand what are the tier zero set of services we call it minimal viable organization that you need

Speaker 6 to keep your business up and running.

Speaker 6 Whether if you're a bank, then even if you're breached and attacked and something bad has happened, how do you ensure that your counterparty transactions and risks are taken care of?

Speaker 6 If you're hospitals, how do you make sure that you can take care of your patients and while admitting new patients, while you're trying to recover whatever activities you do?

Speaker 6 So understanding of the critical assets, the crown jewel,

Speaker 6 and what is the risk of those assets, assuming that the breach has happened or will happen, and then how do you provide resilience and recovery on this like tier zero minimal viable organizational concept?

Speaker 6 And the issue is that everybody is, and the cyber is such a cat and mouse game that everybody is playing whack-a-mole for the last 20, 30 years.

Speaker 6 And not thinking that how do we protect the unprotected, which is like a small government schools and water plant and local cities,

Speaker 6 because they don't have either talent or technology or even understanding of what is going on. But they open up a whole new door because the kids take the laptop home, log into

Speaker 6 the home systems and all the rest of it remains open. So we are squarely focused on to ensure that people have this awareness of resilience inside out security.

Speaker 6 How do you fundamentally secure yourself assuming all else has been compromised? And that's where the focus has to be because you can't win this war by creating taller walls and wider modes.

Speaker 1 Jen, you know, we talked a lot at CISA about target-rich, cyber-poor environments, that this is really where they're coming for, and that it's the water.

Speaker 1 You know, if you want to elaborate on some of those targets, that would be helpful.

Speaker 1 Right now, and this is probably a difficult question, but right now we're seeing a lot of cuts at the Cybersecurity Infrastructure Security Agency.

Speaker 1 You hired more than 2,000 people to that agency. I am acutely aware of the cyber workforce shortage that we have and how hard it is to hire really good people into cyber defense for government.

Speaker 1 I mean, these are people who have plenty of other options, working in the private sector, getting great stock, working at Rubrik, working at Microsoft, working at Google.

Speaker 1 Talk us through just your thoughts, having just left in January on some of what's happening at CISA and across federal agencies.

Speaker 3 There's a lot there. Yeah, absolutely.
All right.

Speaker 3 So let me just go back to one thing that you said that I think is important. Colonial pipeline is always the canonical one we go back to.
But frankly, think about CrowdStrike just July of last year.

Speaker 3 when a lot of people couldn't access a lot of things.

Speaker 3 Now, that was for a short period of time, but think about that disruption that was not just a technology outage or a bad update, but rather a deliberate disruption that could be in place and unable to just turn back.

Speaker 3 Think about that for weeks and months on end. So I think

Speaker 3 that's a good mindset, actually, to take CEOs and boards and key leaders into the boardroom when you have that very important conversation that Bipple was talking about.

Speaker 3 At the end of the day, given the complexity, the interdependence, the inherent vulnerability of the technology that we rely upon for businesses, large and small, it is increasingly difficult to prevent bad things from happening.

Speaker 3 So you have to architect your systems, your infrastructure, train your people, prepare to be able to understand, prevent, but to respond, recover, and then learn continuously from the various incidents.

Speaker 3 And to your point about the target-rich, cyber-poor entities who didn't really have security teams or much vendors that they were working with, we made a deliberate effort to work with hospitals and water facilities and K through 12 to help them

Speaker 3 understand the steps that they could take in a material way to reduce risk to their infrastructure.

Speaker 3 So most folks are familiar with the NIST cybersecurity framework, great tool, but you know if you're at a big firm like Morgan Stanley, you can use that and you can actually say I'm aligning with the NIST cybersecurity framework.

Speaker 3 If you're a rural hospital, the NIST cybersecurity framework becomes shelfware. You don't have the team to really go through that and understand how to align your security organization.

Speaker 3 So one of the things that we did was do a distillation, kind of an extract of that document to less than 40 things that a hospital or a water facility or a K through 12 school could do.

Speaker 3 And they were characterized by cost, complexity, and impact.

Speaker 3 And so you could do that in a way that could take advantage of your relationships with MSPs or vendors, but also the fact that you didn't have a lot of resources.

Speaker 3 And then some of our field forces at CISA would work with entities and sit down with them and walk them through those cybersecurity performance goals to help them again materially reduce risk.

Speaker 3 Now to your point about what's happening on the inside of CISA, you know, I've been gone for I think it's two months today.

Speaker 3 And from what I've heard and what I've been reading, there have been layoffs, largely the probationary folks. Now, we built CISA from about 2,000 to about 3,500 when I left.

Speaker 3 As you said, we hired over 2,000 amazing, amazing people.

Speaker 3 And I understand that they have let probationary folks off, but now they're rehiring them. Look, at the end of the day, my key message is

Speaker 3 the type of firings that are going on

Speaker 3 are really going to discourage the talent that the federal government needs to be able to defend and protect the American people from joining the federal government, whether it's CISA, whether it's the intelligence community.

Speaker 3 And I know people are sort of dismissive to this idea of joining the federal government. I spent most of my life in the federal government.
What I would say is

Speaker 3 these are not bureaucrats, which has frankly been used as a pretty pejorative term. These are public servants.

Speaker 3 who want to defend their nation, who willingly raise their right hand to support and defend the Constitution of the United States of America against all enemies, foreign and domestic.

Speaker 3 They're doing it because they believe in America, they want to defend the American people and democracy.

Speaker 3 And, you know, my one message to anybody currently in the government is: yes, preserve the capability for us to be able to defend the nation, but also make sure that you are taking care of your workforce and your troops because they are there to take care of America.

Speaker 1 One thing that came up a bunch in these interviews is that Xi, Jinping, was watching very carefully what happened with Putin's invasion to Ukraine. And Jen, you said

Speaker 1 Ukraine's defense is the deterrence on Taiwan. So I'll put this to you first, David, and then maybe you, Jim.

Speaker 1 But first to you, David, since you're the only one who's spent significant time living inside China,

Speaker 1 what do you think Xi

Speaker 1 is thinking? What are his takeaways right now watching this administration's current approach to Ukraine?

Speaker 4 Yeah, I would imagine his takeaways are celebratory,

Speaker 4 right? That he sees a bit of chaos in the U.S.

Speaker 4 if they're laying off at CISA. He's like, wow, this is, we're going to, this advantage is going to come even faster.

Speaker 4 And I think, you know, back to the earlier question that it's not just about Taiwan.

Speaker 4 I think even if Taiwan were not the case, they would still be in the infrastructure. It's about leverage.
It's about the rise of China challenging the US in every realm.

Speaker 4 We're talking a lot about infrastructure, which is important, but they want to challenge the US in everything. The top universities, the top AI, our own semiconductors.

Speaker 4 They want to be self-sufficient. So Xi Jinping, I think, is really looking at what's happening in the US and saying, this is a great opportunity for us.

Speaker 4 The decline may come faster because it seems that they're tearing apart the country and the government is not sure what they're doing.

Speaker 4 So I think it's emboldening actually China right now, which is sad to see. And I spent a lot of time with people who are in government or formerly in government.
And you really want the U.S.

Speaker 4 to have the best capabilities. I can tell you when I wasn't when I wasn't based in China and got death threats, I went to the State Department, I went to our embassy.
You want to have a strong U.S.

Speaker 4 and you want to have that leverage. So when Jim says that they're not negotiating in the same way, I agree with him.

Speaker 4 I think even when I was there, they felt each year we gain a little more economic leverage. We gain leverage by showing how we can get in the infrastructure.
We don't even have to use it.

Speaker 4 We don't have to take advantage of that, but we want you to know we're there.

Speaker 4 And they would do these same sort of games on the journalists. Is your wife Chinese? Hmm.

Speaker 4 Do you want to spend time in China? So we want to build up the leverage that makes it very difficult for you to act. And every little thing is a bit of leverage on U.S.

Speaker 2 companies.

Speaker 4 One reason the companies don't want to talk to you or me about the intrusions is China will punish those companies, right?

Speaker 4 So they want to be quiet. It's very, you know, scary for them to go against maybe their fastest growing market.

Speaker 1 We've talked about this a little bit about

Speaker 1 how successful has this been, has this strategy been? And actually, when you just think of Hollywood, it's actually been pretty successful.

Speaker 1 We saw the nine-dashed line in Barbie.

Speaker 1 I couldn't believe that. I had to go back.
It turns out Barbie is banned in Vietnam because the nine-dashed line is in the background.

Speaker 1 The NBA has faced this. We face this at more than just our infrastructure.
We're facing this at every level.

Speaker 1 It's becoming quite clear that China is operating off of a 100-year plan and they are executing flawlessly with some hiccups. We are operating off of a maybe four-year, two-year election cycle.

Speaker 1 We are fighting with each other over our culture wars every single day.

Speaker 1 You know, it's almost like some days they're making a good case for authoritarianism and we're not making a great case for democracy. Where do we go from here? I know that's a big question.

Speaker 4 I'm not sure I can answer that, but I think to put in context, I mean, think about even the time I went to China in 2004. If you are the rising economic power, they were nowhere with cars.

Speaker 4 And now they're the largest car maker in the world by far, right?

Speaker 4 I was just looking up the other day ports. The top 10 ports, six of them are from China, and their largest port is three times the size of Los Angeles.
So if you think about that context, the U.S.

Speaker 4 should also be very much aware of, okay, the game is changing. China has economic power that's just accelerating.
Even in the decline now with the economy, they just have

Speaker 4 great students, great universities, great companies.

Speaker 4 We need to recognize the challenge that they are, not only in the cyber front, but on every front, and to think about it holistically and not as, oh, if we deal with them in this one way, it's going to change things.

Speaker 4 I think they're the rising power. They know they have strength.
That's why they're telling Jim Lewis, like, we don't have to negotiate anymore. Yes, we made promises.

Speaker 2 Xi Jinping wakes up in the middle of the night screaming, he's dreaming of Gorbachev. So the number one threat to China is their own population.

Speaker 2 which is why they've put such a huge effort into domestic surveillance. They feel like they're winning, but they are always looking over their shoulder and they're really paranoid.

Speaker 2 The leadership, right? Because they know they don't have popular support. And some of that is to extent their Marxists.
We're not, I don't know what we are, but

Speaker 2 capture the informational battle, capture the narrative. And they've put a lot of effort into that.
And we, of course, have this marketplace of ideas. It doesn't work so well anymore.

Speaker 2 But they do have a strategy. And we have a let 100 flowers bloom approach.
Let's see what happens. At the end of the day, I think we'll do better, right?

Speaker 2 But

Speaker 2 don't assume that the Chinese feel comfortable. If anything, that's bad because it means they'll push harder on the accelerator.

Speaker 1 You actually are often quick to remind me of some of their incompetence. And sometimes I think it's important to not make these

Speaker 1 adversaries, I guess you would call them at this point, out to be the boogeymen. You know, we saw what happened with Putin's invasion of Ukraine.

Speaker 1 It turns out that they weren't the big boogeyman that we had worried about. You know, talk to us a little bit about their incompetence on defense.

Speaker 2 Quick, anyone want to guess the last time China won a war? 1949, right? Now, we aren't doing much better, frankly, but their Air Force, their Navy, their Army, not exactly a lot of experience.

Speaker 2 The heads of their Air Force have on average two or three years experience. And part of the problem is she doesn't trust them.

Speaker 2 He gets mad at them or he's suspicious of them and they get thrown into jail right my favorite story which i didn't tell you it's anecdotal so i don't know if it's true but the guy who is the head of china's strategic nuclear forces uh currently resides in the huskau uh because he was caught doing something corrupt there are allegations that that corruption you know what a a silo is a hardened silo for an icbm it's this reinforced concrete so that the pressure waves the blast waves of people trying to blow up your silo won't have an effect.

Speaker 2 And of course, the silo is buried in the ground. So once you build it, no one can expect it, right? Inspect it.

Speaker 2 And there are allegations, perhaps unproven or untrue, but certainly we can see them in other areas that maybe they just shave a little bit on the reinforced concrete to, you know, pocket it. So

Speaker 2 they have a military that is not,

Speaker 2 ignore their propaganda.

Speaker 2 Their military has not won a war and the war they won was against the nationalist Chinese I don't know if I'd take that one to the bank right so they have dilemmas here and weaknesses do you want me you don't want me to tell that incompetent story you want me yes no but that's I won't but the big when I used to want to tease them to annoy them which is easy to do I'd say hey most of the China used in most of the software used in China is pirated right it's copied it's a problem for them they even admit it.

Speaker 2 We don't have a software industry because when somebody comes up with a good idea, it's immediately stolen. So they're working on fixing their IP laws.

Speaker 2 In the interim, though, you can say to them, hey, you know, that pirated software used. You know, you know where it comes from.
It comes from Russia.

Speaker 4 And they...

Speaker 2 And it's true. It's like, hack that, sucker.

Speaker 1 There was one of the opportunities in this podcast was to go back and retell some of these stories that are sort of tossed about as if everyone knows them, but we've never really heard the full story on the IP theft.

Speaker 1 And so we actually interviewed the head of biotech at DuPont, who talked about what it was like to go try to bring a hybrid rice germplasm, plant genetics, DNA, to China in this joint venture.

Speaker 1 And they invested $30 million in this plant, three years worth of training. They brought over their own seedlings, their own DNA.

Speaker 1 you know, like I said, trained everyone up.

Speaker 1 And the plan itself was $30 million, but really what they were bringing was billions of dollars of know-how and proprietary RD from their soy and corn business.

Speaker 1 And everything went swimmingly until the day that they were no longer getting permits to continue their experiments. And they basically had to lock up shop, leave a container fulls of rice

Speaker 1 behind, and abandon the entire asset. And then everyone they had trained had actually set up shop across the street and they thrived.

Speaker 1 And now China is one of the biggest strategic investors in germplasm development. And those stories just came up again and again and again.

Speaker 1 And one of my favorite questions has been, you know, what is your favorite IP theft story? So Jim, I'll ask you, what is your favorite IP theft story?

Speaker 2 Well, I have two because I feel, you know, there's some Chinese guy whose job, you must have irritated his boss, was to sneak out into the cornfields and wheat fields of the Midwest and steal genetically modified seeds in the dark, right?

Speaker 2 So you're some poor guy and your assignment is to crawl around in the dark looking for seeds. But my favorite remains

Speaker 2 house paint that is white. And apparently one American company makes really whippy white house paint.
Can't be duplicated anywhere else. It's shiny, durable, all this good stuff.

Speaker 2 And the Chinese borrowed the recipe for it. And we actually had discussions with them.

Speaker 2 It's called Atrack 1.5, so it was half government, half. And we said to them, look,

Speaker 2 we understand spying. We spy on you, right? But we spy on military targets.
If you want to steal a jet fighter, we get it. But White House paint?

Speaker 2 And the Chinese response was, this was a senior colonel. He said, for us, building our economy is national security.
So it's the same thing.

Speaker 1 It's everything.

Speaker 1 I'm going to come back to the infrastructure attacks and the mechanics of them, because I think it's really important. And you just testified about this to Congress, Rob.
Help people understand

Speaker 1 how the Chinese are hacking our infrastructure.

Speaker 1 I mean, the mechanics of it, and how sort of we Americans in our ignorance of using legacy home routers or maybe Chinese routers might be facilitating some of these attacks.

Speaker 5 Yeah, well, we talked earlier tonight about how China has gotten good at finding the seams and using our strengths, our laws against us.

Speaker 5 You start out with a hacker in China, and they need to connect through the infrastructure, through the internet, all the way over to their target.

Speaker 5 And they're not going to come straight from the China military building, straight at

Speaker 5 a defense facility or a white paint production plant. They are going to find ways to bounce through other places to get better reputation and wind up at that target.

Speaker 5 So what they've evolved to do is to make multiple stops on hacked things across the internet.

Speaker 5 And the last hop is something that is inside the US, often high bandwidth and always connected, and is something that companies would expect to touch their internet perimeter.

Speaker 5 And the thing that is popular today is home Wi-Fi routers and small business Wi-Fi routers because they're always on. They're little computers themselves, so you can run programs on them.

Speaker 5 And

Speaker 5 these companies have work from home, they have customers, they expect people in Verizon and AT ⁇ T and Comcast to be connecting to the outer border of their network.

Speaker 5 So what the Chinese are doing is they're collecting these routers and hacking them at scale and then they put a little bit of malware on them so that they can bounce their signal through your home router and touch their eventual target.

Speaker 5 And what we're seeing now is a lot of the time they're using routers made by TP-Link, who is now 60% of the home Wi-Fi market.

Speaker 5 The company is selling them at unprofitable levels and they're driving out the Western U.S. manufacturers and now they're growing in dominance.

Speaker 5 60%, you know, that's amazing market share, but it was like only a few short years ago they were 9%, right? It's exponential growth.

Speaker 5 And now they have these routers in all of our homes that the software is maintained and updated out of China. Whether

Speaker 5 TP-Link is complicit in these hacks or not today, at any point the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the internet if they want to attack, or makes them even better

Speaker 5 bounces and redirectors for them to do their operations through. It's a huge problem, Nicole.

Speaker 4 I just wanted to add that

Speaker 4 one of the things I covered in China was the city of Shenzhen, which is there like one of the manufacturing capitals of China.

Speaker 4 And when you think about TP-Link or almost any electronic today, everything is made in China.

Speaker 4 So if they have one over every market, and I've been to Huawei's facilities, so if they're involved in every part of the electronics chain, they know how to make them, how to rewire them, how to control them.

Speaker 4 A lot of the surveillance cameras in the US are Chinese-made surveillance cameras, even at for a while military sites, the drones.

Speaker 4 So this is a huge advantage China has, which is we're making everything so we can get in every home.

Speaker 1 It actually reminds me, I wrote it down.

Speaker 1 There's a great quote about this by Ren Zhengfei, the founder of Huawei, who said, a country that doesn't have its own routers and switches is like a country that doesn't have its own military.

Speaker 2 Yes.

Speaker 2 They actually believe it, though. From the first time I started talking to them about cyber stuff until now, they'll say, what are you complaining about? You do it too.
Look up Rivet Joint.

Speaker 2 But when they say that, what they are thinking is

Speaker 2 they really believe it. I had a

Speaker 2 Chinese official in charge of their chip making program who told me, and this was a while ago, he said, look, every Intel chip comes with a back door. I said, now, you got to be kidding.

Speaker 2 He said, no, every Intel chip has a back door. You have controlled the beating heart of China.
That, to their point, is so they feel like what are you complaining about

Speaker 1 tick tock has been the big shiny object and I forgot to issue a PSA to everyone to delete TikTok from their phones immediately before this panel but TikTok has been the big shiny object obviously routers are a huge problem and actually you also added Rob that on their new whatever the next gen Wi-Fi router technology is they actually have 80% market share tp link does so that really drives home this issue like I said I I went on Amazon today and looked up Home Router, the number one overall Amazon pick as a TP-Link home router.

Speaker 1 But you can replicate that across the cranes

Speaker 1 at our seaports. Drones, it's a Chinese company that owns majority market share in drones, including those used by US law enforcement in some cases.
Go ahead, Jen.

Speaker 3 Yeah, I do want to make the point. Yes, obviously it's a huge issue.
Some of these Chinese manufacture router switches and firewalls, but it's not just a China issue.

Speaker 3 Frankly, one of the things that we focused a lot on at CISA was the fact that the technology and the devices and the software that we rely upon for critical infrastructure is frankly inherently insecure because for decades it's been produced for speed to market, for driving down cost, for features, not for security.

Speaker 3 And so these can be clearly taken advantage of by China, but there are all kinds of technologies that are, some are created by U.S.

Speaker 3 companies, other companies around the world that are just inherently insecure, that are unpatched or have default passwords, or essentially make it very, very easy for an actor, whether it's a sophisticated nation state or a cyber criminal, to be able to exploit that infrastructure.

Speaker 3 And so this really comes down to we talk a lot about villains, right?

Speaker 3 We blame victims, but I think we don't talk enough about the vendors because vendors really need to be held accountable to ensure that they are building, designing, testing, and delivering products and software and devices that specifically are meant to be secure.

Speaker 3 And that's the way you could make a real difference in terms of advancing a sustainably secure ecosystem. And it's one of the most important things that I think we need to focus on.

Speaker 2 Pepo?

Speaker 6 So the Biden administration actually came up with this cyber policy where they talked about the skin in the game.

Speaker 6 So as a vendor, when you're selling your technology to a company and particularly for cybersecurity,

Speaker 6 companies are spending $200 billion collectively in this market.

Speaker 6 And in some ways, the cyber has been the most bogus market because you give more medicine to the patient and patients get sicker and sicker every year.

Speaker 6 And so one of the things that we thought about was that how do we provide peace of mind to our customers and to give them like this confidence that on the worst day we'll be there with them.

Speaker 6 And so we came up with this idea of warranty that if we can't recover your system when you have cyber ransomware attack, then we'll pay you $10 million per incidence so that you can do it by other ways.

Speaker 6 And for many organizations, 10 million is is not a big amount.

Speaker 6 But what it does is that for the companies such as Rubrik, it brings the focus of the whole organization of writing secure code, making sure that

Speaker 6 you have all the angles figured out to be able to recover our customers because you're designing for the worst day of the customer's life.

Speaker 6 And so that is the culture that we have to have in the whole industry where we say that we are putting real dollars behind your success. And it has not happened.

Speaker 6 In some ways, cybersecurity industry keeps getting bigger and bigger, selling more and more products, but at the same time failing more and more of the customers.

Speaker 1 I'd love to ask

Speaker 1 you and Rob about the promise of AI and you too, Jen, to finally do these things that we have failed at as humans.

Speaker 1 developing secure code, going back and maybe retroactively, Jen, you mentioned this to to me the other day, refactoring code that is vulnerable.

Speaker 1 Rob, you said the only hopeful thing that I heard at RSA last year was out of your mouth.

Speaker 1 You said using AI tooling, you could bring down the dwell times on these critical infrastructure Chinese hacks from months, years in some cases, down to weeks and days.

Speaker 1 So maybe, you know, in our last four minutes here, we can take the conversation in a more positive direction.

Speaker 1 And I know that the threats are going to be significant from AI and we'll get there, but talk to me about what the potential benefits are of AI. Let's start with you, Jen.

Speaker 3 Yeah, so we should stipulate that there are a lot of risks with respect to this new technology. And some of the work that we did at CISEL was working with the labs to ensure that they were red teaming

Speaker 3 their models, that they were putting in place security to be able to ensure that they were also by design.

Speaker 3 But I have to say, I am increasingly encouraged and excited about the prospects of what powerful AI can mean for cybersecurity and cyber defense in particular.

Speaker 3 I was actually rereading, some of you may have seen Dario Amadez, the CEO of Anthropic, wrote a piece called Machines of Loving Grace, and it focused very much on health and neuroscience and poverty reduction.

Speaker 3 but I actually think there's a lot to be said there about

Speaker 3 how this technology can fundamentally change what we're trying to do to secure infrastructure.

Speaker 3 And I know Rob can talk about this as well, but the thing, the use case that I'm most excited about going back to my tirade on insecure technology, it's a lot of it is because you have insecure code.

Speaker 3 So two-thirds of software vulnerabilities are because of memory safety vulnerabilities, things like SQL injection or cross-site scripting or directory traversal.

Speaker 3 They've been around and, frankly, have been solved for 20 years, but if you're writing in C or C,

Speaker 3 you're going to continue to have these types of vulnerabilities.

Speaker 3 So there's a lot of companies now that are looking to write code prospectively that is much more secure in languages like Rust, which is memory safe.

Speaker 3 But if you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities, that can advance a much more safe technology ecosystem.

Speaker 3 So that's what I think is the most exciting use case of some of the AI capabilities coming down the line.

Speaker 1 Okay, Rob.

Speaker 5 One of the things China is doing in their operation today is a type of hacking called living off the land, where they don't bring malware, they don't bring code into the environment, they use the stuff that's part of the operating system already.

Speaker 5 And that makes it hard because antivirus doesn't work. There's nothing to signature on and alert that there's somebody in your computer.

Speaker 5 How do they do living off the land? One of the ways is they assume an identity of somebody who already has access in that system.

Speaker 5 And with AI, there's the opportunity to look at massive amounts of data and understand, you know, what does David do every day in his cyber persona, and is he now starting to do different things?

Speaker 5 And so AI lets you look at scope, scale, and detail about these trends and flag the things that are unusual anomalies.

Speaker 5 It may be that you block it at that point or you just put extra eyes on so that you can stop it and curtail it and cauterize that intrusion.

Speaker 2 Pepol?

Speaker 6 I very much agree with this point that if you look at the volume, velocity, and variability of cyber attacks, and not to mention the complexity of the infrastructure at many organizations that we are dealing with, it has gone beyond human comprehension.

Speaker 6 We have been doing this patchwork for the last 20 years that we have now cloud, then you can create some tooling for cloud, take the logout

Speaker 6 and put it in Splunk, and then you have some in the endpoints and take the logout, and then somebody is manually figuring out, and then we've gone from SIM to SOR to now XDR.

Speaker 6 But there's no fundamental like shift quantum shift in terms of how do we use the machine comprehension the machine intelligence what rob said ai to truly comprehend what is really happening across the whole landscape in a holistic way because it's humans can't do it and you can't even augment humans to do it it has to be pure machine activity And that's where I believe is the next frontier because as much as I love as a software engineer, past software engineer, people will never write good code.

Speaker 6 And as more and more developers are getting into the field of writing applications and software, the quality will only decrease because it's becoming more ubiquitous.

Speaker 6 And now, with the natural language programming, it will be even next level.

Speaker 6 So, we need to have the effort to have AI write better code, as Jen said, but at the same time, really use AI to assume that all else has already been bad. And how do we protect?

Speaker 1 I'd be remiss in having a panel that mentions AI well on China that mentions AI without asking some of you about DeepSeek.

Speaker 1 So you know DeepSeek, we don't know whether there was any stolen IP. We don't know whether there was an evasion of export controls.

Speaker 1 But they've called it open source. It's not really open source.
It's open weight.

Speaker 1 We're already seeing applications and new businesses built on DeepSeek because of its cost efficiencies and much the same way we saw Huawei spread very quickly because of its cost efficiencies.

Speaker 1 I'll probably throw it to you, Rob. You know, what is the risk of DeepSeek?

Speaker 5 It comes at us in a couple dimensions, right? DeepSeek is

Speaker 5 software that is run in China. They're offering a service, so your data goes to China.

Speaker 5 I think we all understand why that would be a bad thing to have any of the questions or intellectual property you give to the AI be housed in China. There's a second way where they've open-weighted

Speaker 5 the model so that you can move it here to the US and run it on your own infrastructure.

Speaker 5 There's still an inherent bias inside that

Speaker 5 AI and people were famously asking it about Tiananmen Square and other things. So I want to make sure that the AI I'm using isn't biased against free and open society.

Speaker 5 So those are the two big things that worry me.

Speaker 2 But every time we've tried to block another country from getting a technology, all it's done is incentivize them. And this is the fourth or fifth time.
So you don't win through export controls. And

Speaker 2 the Chinese say, I think I said this, the Chinese say all the time, you guys are so entranced with your success in the Cold War that you can't get over it.

Speaker 2 And you keep wanting to apply these Cold War tools today.

Speaker 2 And they don't work.

Speaker 5 Yeah. And how did they create it? They distilled out of the investment of OpenAI, right, and literally trained their model off the US frontier models.

Speaker 5 And so, you know, export control doesn't stop that. It is the American innovation that's going to keep moving ahead of it.

Speaker 6 And deep sequence is also pretty complex because it is also a PR exercise. Because out of all the model companies, they were the first one who came up with the Open Weight model and then also used

Speaker 6 the NVIDIA chips bypassing their software and directly, that gave them the cost advantage. So there was like a lot of

Speaker 6 learning from the US companies, but also a little bit of innovation and a lot more media. So it's a very interesting operation that they ran.

Speaker 6 And it's an interesting case where in the developer community, it actually created goodwill.

Speaker 6 that they had a model which opened weight and now is at a reasonable cost because it was directly going after the hardware.

Speaker 1 It was a little strange to see how much cheerleading there was in Silicon Valley for this from Andreessen Horowitz and others. David, I'm going to leave my last question to you.

Speaker 1 When we look back on when these Volt Typhoon, these so-called Volt Typhoon attacks, I know Jen and I are big fans of these names, but this is essentially the Chinese group responsible for a lot of these infrastructure attacks.

Speaker 1 When you look at really when they started picking up in cadence, it was around 2020 when Trump started calling COVID the China virus.

Speaker 1 And you and I have talked about how much the CCP cares about image control and how so much of their actions and cyber espionage and activities against dissidents, et cetera, is because they are so concerned and to Jim's earlier point, paranoid about image control.

Speaker 1 We are seeing a huge escalation in rhetoric right now.

Speaker 1 what do you think we can expect

Speaker 4 right now going forward in this administration you know I don't think it really changes their strategy but it sort of accelerates it at points right so they're going to do the cyber attacks they're going to do the leverage but I think COVID in in attacking China on COVID the origins of COVID just makes them you know more angry and says like like let's unleash all the hackers in these different places.

Speaker 4 So I do think one is

Speaker 4 they get an extra jolt from that and they will

Speaker 4 push more.

Speaker 4 But also they are thinking in the long term anyway, right? Which is they're going to find the openings to do it. They're going to probably take advantage right now of the situation in the U.S.

Speaker 4 If there are more tariffs on China, if Trump calls out China more, I think you'll see them double down on getting into U.S. infrastructure.

Speaker 4 You can guarantee that they're going to be more aggressive because if they see that as leverage, then this is what we need to do for the next negotiation.

Speaker 4 And I think a lot of these things about Taiwan are also about giving them the leverage to say, if the U.S.

Speaker 4 in any way moves on Taiwan or changes the policy enough, just letting you know we're we're in everything. We want you to know that.
We want to show that. And the other part of your question is about

Speaker 4 them disliking criticism. In your first episode, you talk about the Dalai Lama, the dissidents, the Google hack was really about dissidents.

Speaker 4 It's certainly true and in my own story, they're very worried not only about their own population seeing criticisms, but they don't want the outside world.

Speaker 4 to badmouth China or to diminish China's prospects in other countries. So with Huawei also, they really went aggressively at the US on Huawei and on Canada, right?

Speaker 4 So you can just expect that, as Jim was saying earlier, China is more powerful now. They're probably going to show that they don't have to bend or bow as much or even negotiate in the same way.

Speaker 4 And this environment is ripe for them to be a bit more aggressive. So I think we should expect more from China, especially with export controls.
They hate the export controls, right?

Speaker 4 So they are going to figure out not only ways around it, but what are the other leverage points we need? Chinese export controls, right? We're going to put our own export control regime in place.

Speaker 4 So I think that's what we're going to expect in the next couple of years.

Speaker 2 But to end on a positive note. Yes, please.
There's a saying from 1900 that says that God protects drunkards, lunatics, and the United States of America.

Speaker 2 And I've used that with the Chinese because because I've said, you guys are doubling down on Marxism, the great failure of the 20th century. And you're saying we're having a crisis.

Speaker 2 And I tell we have crises every 30 or 40 years. It's like, ah, you know, we'll come out stronger out of this.
Do you really want to bet against Uncle Sam? And so I think that

Speaker 2 still shapes their thinking. And they see us being a little bit in disarray, but they aren't quite sure that it's permanent.

Speaker 1 And And that is a good place to end. I think we're going to wrap it up and let everyone get some alcohol in them

Speaker 1 discussion. But thank you so much for being here.
Thank you very much to our panelists who've come from long and far. And thank you for having such a far-reaching discussion.

Speaker 1 And just thank you for all that you all do.

Speaker 1 So that's it.

More episodes from To Catch a Thief: China’s Rise to Cyber Supremacy

Ep 9: The New Frontline

Ep 9: The New Frontline

May 29, 2025
Ep 8: Living Off The Land

Ep 8: Living Off The Land

May 05, 2025
Ep 7: Everything Everywhere All At Once

Ep 7: Everything Everywhere All At Once

April 28, 2025
Ep 6: The Gunslingers

Ep 6: The Gunslingers

April 14, 2025
Ep 5: A Cyber Detente

Ep 5: A Cyber Detente

April 07, 2025