It's challenging that our adversaries are information sharing better and better at the very same time that the United States and its allies are getting worse and worse at our
00:00:00 -
00:00:12
information sharing and coordination.
00:00:12 -
00:00:14
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world.
00:00:16 -
00:00:25
I'm your host, Frank Cilluffo and have the privilege to sit down this week with Peter Singer.
00:00:25 -
00:00:30
Peter is a strategist at New America.
00:00:30 -
00:00:32
He is a professor of practice at Arizona State, and he is the founder of Useful Fiction, which is a fascinating company that uses storytelling to be able to inform organizations,
00:00:32 -
00:00:46
to help with their strategies and the like.
00:00:46 -
00:00:49
He is a bestselling author of numerous books.
00:00:50 -
00:00:53
I still remember to this day when Ghost Fleet came out, it was handed out in every national security conference that I was in, whether in the IC itself or around the
00:00:53 -
00:01:06
perimeter.
00:01:06 -
00:01:06
And bottom line, Peter, thank you so much for joining us today.
00:01:06 -
00:01:11
I appreciate you having me on.
00:01:11 -
00:01:12
You know, you were also a regular columnist in Defense One, writing about China, writing about technology, writing about competitiveness.
00:01:12 -
00:01:23
And I thought we'd start with some of that thinking as well.
00:01:23 -
00:01:28
And maybe to begin with, when you released Ghost Fleet in 2015, you envisioned not only conflict, but a war between the United States and China.
00:01:28 -
00:01:39
And I'd be curious how you think
00:01:39 -
00:01:41
It looks a decade later.
00:01:41 -
00:01:43
gosh.
00:01:44 -
00:01:45
Yeah, so you're bringing together two different parts of my work.
00:01:45 -
00:01:49
So one is the project that we have with Defense One and Blue Path Labs that's called the China Intelligence.
00:01:49 -
00:01:55
And what we do is every few weeks we put out a report using open source intelligence.
00:01:55 -
00:02:03
So sourcing from China, you know, while it is a censorship heavy state, there's still a massive amount of data that's out there.
00:02:03 -
00:02:13
they're waiting to be translated, but translated in two different ways.
00:02:13 -
00:02:17
One, the language translation, but two, there's a need to translate it for the rest of us, so to speak.
00:02:17 -
00:02:25
It's not of great use if it's only going to a 20 page report in the China Watchers community.
00:02:26 -
00:02:33
And so that's what we've been putting out.
00:02:33 -
00:02:35
And yeah, across the years that we've been doing this,
00:02:35 -
00:02:38
As you've hit it, we've seen a massive amount of advancement and advancement in just a wide range of areas.
00:02:38 -
00:02:48
We had a recent report looking at DeepSeq, but not what are Americans saying about DeepSeq, but what is the PLA and China saying about what it means for them to looking at
00:02:49 -
00:03:04
space operations and the like.
00:03:04 -
00:03:06
and sort of circle back to your question, you know, when Ghost Fleet came out, it was about a decade back, I think there was a couple things that have changed.
00:03:06 -
00:03:14
One, we could put this in the good and the bad category.
00:03:15 -
00:03:19
There is greater awareness of that we're in a world of competition and, you know, we don't want to be in a world of conflict, but it's a risk.
00:03:19 -
00:03:28
When we were doing Ghost Fleet, most of the focus back then was on counterterrorism, counterinsurgency,
00:03:29 -
00:03:35
The cyber side of the story was a little too much focused on criminal networks.
00:03:36 -
00:03:43
And so what we wanted to do is say, hey, what would happen if the trends as we see them, which is headed more towards great power competition and conflict, play out?
00:03:44 -
00:03:55
Secondly, what might advance in areas like AI and robotics and the like?
00:03:55 -
00:04:01
there's obviously a lot more attention being paid to these topics now than back then.
00:04:01 -
00:04:05
The bad side of that is the challenges only grown worse.
00:04:05 -
00:04:11
likelihood, the risk of conflict is only higher.
00:04:13 -
00:04:17
And unfortunately, we portrayed a world where there was China catching up to us in technology capability.
00:04:17 -
00:04:30
et cetera, we're not as ahead in the race as we were back then.
00:04:30 -
00:04:36
And so that's not a good news story either.
00:04:36 -
00:04:39
Excellent.
00:04:39 -
00:04:40
No, no, and I'm definitely going to pull that thread.
00:04:42 -
00:04:45
You're a little younger than me, but when you...
00:04:45 -
00:04:48
I grew up reading fibbes.
00:04:48 -
00:04:50
I would get the hard copy every day of what the press was saying around the world.
00:04:50 -
00:04:56
my office was a complete disaster and mess because I had them stacked up as high as you can imagine.
00:04:56 -
00:05:01
And seems like you're fulfilling that mission in this particular space, which is essential.
00:05:01 -
00:05:08
not only mirror imaging what we think, but actually getting a sense of exactly what they are thinking, saying, and doing, whether it's propaganda or whether it's actual policy and
00:05:08 -
00:05:20
strategy, I think that's essential.
00:05:20 -
00:05:22
Hey, let me ask, so given these investments that they are making, and it's across the board, and I do think you're right, it's...
00:05:22 -
00:05:32
probably beyond even a pacing threat in many ways.
00:05:32 -
00:05:36
But what do you think some of these investments and what indicators do you see in terms of how conflict, both physical, cyber, convergence, whatever that may be, how does that look?
00:05:36 -
00:05:48
Yeah, I was at a recent session where we were exploring, okay, there is a risk.
00:05:49 -
00:05:57
one says that it's a net.
00:05:57 -
00:05:59
Sorry, I should put it this way.
00:05:59 -
00:06:00
No one wants it to be inevitable.
00:06:00 -
00:06:03
But it is a it's not a black swan that the United States could go into a conflict with a major state power, be it a Russia, be it a China, or even an Iran.
00:06:03 -
00:06:14
They're planning for it.
00:06:14 -
00:06:15
We have to in turn plan for that kind of scenario.
00:06:15 -
00:06:19
But one of the aspects that's maybe not paid as much attention to is how would that play out not just for the US military, but for the rest of the network, for the corporate
00:06:19 -
00:06:32
world, public sector, you name it.
00:06:32 -
00:06:34
And a number of issues emerge from that and ones that we've actually been exploring too with our Useful Fiction project.
00:06:35 -
00:06:42
So some of the aspects I think that we can...
00:06:42 -
00:06:47
reasonably project, at least based off of what they have revealed about their plans, what we've seen in conflicts like Ukraine, what in turn discourse here is on.
00:06:47 -
00:06:58
So one is the idea that, you know, during the dating of things, how old we are, you know, both of us are very close to the age of the terminology cyber pearl harbor.
00:06:58 -
00:07:15
We've been worrying about, thinking about, talking about a cyber Pearl Harbor for much of your and my life.
00:07:16 -
00:07:23
If there was to be a conflict with a Russia, with the China, it probably would not just be merely that one Pearl Harbor incident.
00:07:24 -
00:07:35
It would be a series of attacks again and again and again, a campaign.
00:07:35 -
00:07:42
We explored this in a project where we talked about how the US network is so disparate.
00:07:43 -
00:07:52
There are so many different entities.
00:07:52 -
00:07:53
There's different types of vulnerabilities.
00:07:53 -
00:07:55
There's different levels of security that it isn't this scenario of everything going down at once or the EMP fantasies and we're all thrown back to the Middle Ages.
00:07:55 -
00:08:06
It's more likely that it would be
00:08:06 -
00:08:09
you know, day after day, a network goes down in Nevada of a water system and air communication network goes down for the Air Force on Guam, it gets built back up, oh, hold
00:08:09 -
00:08:19
it in Washington state, the financial sector is hit or whatever.
00:08:19 -
00:08:23
So you'd have that kind of campaign aspect to it.
00:08:23 -
00:08:26
Another part that I think is reasonable to project is we've seen the internet shift from being primarily about communication to more and more about operation.
00:08:26 -
00:08:37
So we would see targeting of the internet of things, physical change.
00:08:37 -
00:08:42
I think a good indicator of that are the typhoons.
00:08:43 -
00:08:47
Yep, blacks in particular, yeah, yeah.
00:08:47 -
00:08:50
Yeah, know, China didn't enter into, you know, a water system because it wanted the intellectual property of that water system, which, you know, that used to be the challenge
00:08:50 -
00:09:01
from China was theft of IP.
00:09:01 -
00:09:03
No, it was setting up a beachhead in case there was a conflict.
00:09:03 -
00:09:08
think another aspect that we can reasonably predict is the hybridization between traditional, putting in quotation marks, cyber threats.
00:09:08 -
00:09:19
And whatever you want to call them, information operations, disinformation campaigns, cognitive warfare, farm align influence.
00:09:19 -
00:09:29
There's a lot of different terminology for it now.
00:09:29 -
00:09:31
But basically, the idea that we would see trying to hack not just the networks, but the people on the networks.
00:09:31 -
00:09:39
And that might be either a campaign that is running alongside traditional cyber threats.
00:09:39 -
00:09:48
Think about the real world case of colonial pipeline where it wasn't actually the hack that caused most of the disruption.
00:09:49 -
00:09:59
mean, people reacting to it, that's why they're lining up at gas stations.
00:09:59 -
00:10:06
so any threat actor looking at that can go, hmm, that happened without us even trying.
00:10:07 -
00:10:13
Okay, let's do it together.
00:10:13 -
00:10:15
And we've seen examples of that in Ukraine where Russia
00:10:15 -
00:10:18
after its invasion has done a cyber attack simultaneous to an information operation spreading disinformation about it or trying to heighten the effect.
00:10:18 -
00:10:28
Or we could just see cognitive warfare attacks that are just staying on their own.
00:10:29 -
00:10:34
So micro-targeting of corporate leaders, political leaders, military leaders, sending them deep fakes as if they're from family members.
00:10:34 -
00:10:44
mean, we could go on and on, but I think the point is
00:10:44 -
00:10:48
if we were to see such a kind of scenario, the private sector would be touched by it and therefore it needs to start scenario building for it.
00:10:49 -
00:11:01
Again, in the same way that something like a pandemic was not a black swan.
00:11:01 -
00:11:07
We've been warned about it, we've been talked about it, but all of us put our blinders and said, let's not think about what we would do.
00:11:07 -
00:11:14
Same parallel here.
00:11:14 -
00:11:16
And I'll just end by saying,
00:11:16 -
00:11:17
He's us here, Peter, but yes.
00:11:27 -
00:11:30
You know, Peter, you teed up my next question perfectly, and it was looking at you and your colleague have, and is it Graham?
00:11:38 -
00:11:47
I cannot remember who you've been writing with.
00:11:47 -
00:11:49
August Cole.
00:11:49 -
00:11:50
Yeah, yeah.
00:11:50 -
00:11:51
And you talked about sort of the information support force, which...
00:11:51 -
00:11:59
That's one, yeah.
00:11:59 -
00:12:00
That gives a sense of how...
00:12:00 -
00:12:02
Again, the PLA and China more broadly are looking at conflict.
00:12:02 -
00:12:06
Anything you want to add there?
00:12:06 -
00:12:08
And then I do want to ask, what do you think President Xi, what lessons do you think he has learned about what's playing out, unfortunately, in Ukraine?
00:12:08 -
00:12:19
So it's a great way of going at that idea of what makes a capability.
00:12:20 -
00:12:27
It's not just the technology side.
00:12:27 -
00:12:29
It's having the right organization, the right people around it.
00:12:29 -
00:12:33
And that's a lesson for whether it's US military in the IC or you're a corporation or whatever.
00:12:33 -
00:12:40
And so the creation of the Information Support Force,
00:12:41 -
00:12:47
reflects a couple of things.
00:12:48 -
00:12:50
One, it shows a learning and a willingness to change.
00:12:50 -
00:13:00
This comes out of the strategic support force.
00:13:00 -
00:13:03
Essentially, she and the leadership looked at the situation, one of their prior signature reorganizations, and as best as we could see, said, it's not enough.
00:13:04 -
00:13:15
rather than sticking with it, they altered their organizational structures.
00:13:17 -
00:13:24
secondly, so that's a good business and political practice.
00:13:24 -
00:13:29
You don't like to see it your adversary's doing.
00:13:29 -
00:13:33
Secondly, that reorganization reflected their sense that this is a crucial critical area.
00:13:34 -
00:13:43
And in fact,
00:13:43 -
00:13:45
it was, I think, pretty strong indicator.
00:13:45 -
00:13:48
Xi only showed up personally at the founding ceremony.
00:13:48 -
00:13:52
So you had multiple different new organizations created.
00:13:52 -
00:13:56
So space, info support, et cetera.
00:13:56 -
00:13:59
He showed up at the cyber one.
00:13:59 -
00:14:01
And at it, he basically said, your mission is to win the nation's future wars.
00:14:01 -
00:14:08
there's no doubting his personal interest and the value that he places on this space.
00:14:09 -
00:14:15
And there's a lot that remains to be seen on how effective the reorganization will be, how much learning can be done and change can be made and organizations that are still at end
00:14:16 -
00:14:29
of the day authoritarian, so they're not as dynamic as they might be.
00:14:29 -
00:14:34
But yeah, it certainly, I think they feel it's put them in a better position than they were previously.
00:14:34 -
00:14:42
And that goes to your other question.
00:14:42 -
00:14:44
What are the lessons that they're taking from Ukraine?
00:14:44 -
00:14:51
They're looking, I mean, I think there was a little bit of a shock at how poorly their Russian partners performed at the start.
00:14:51 -
00:15:01
There's interestingly, they, in some of the writing, talked about they felt the Russians were insufficient.
00:15:01 -
00:15:10
and the level of their fires, the level of violence that they were inflicting upon Ukraine.
00:15:10 -
00:15:16
Now we're like, well, what do you mean?
00:15:16 -
00:15:18
But what they were getting at is that Russia faced two issues, one in the early stage of the conflict, it thought it was going to take over Ukraine.
00:15:18 -
00:15:28
So it was not striking at every facility, civilian, political, military.
00:15:28 -
00:15:36
Secondly, Russia has limited magazine depth.
00:15:36 -
00:15:39
It doesn't have as many missiles.
00:15:39 -
00:15:41
So the Chinese writers are looking at it and going, why are you using onesies and twosies and missiles?
00:15:41 -
00:15:46
Drop 100 on them.
00:15:47 -
00:15:48
And so that's one lesson they've taken is be with a higher level of intensity.
00:15:48 -
00:15:55
The second, they've taken a lot of lessons about the need for quality, NCOs, et cetera.
00:15:55 -
00:16:04
Most importantly, I think the big keys that matter to us is they've taken away a huge amount of lessons learned related to robotics and AI.
00:16:05 -
00:16:13
You've seen the huge takeoff within drones, and that's been reflected in Chinese military maneuvers that have been publicized to what they're showing off at their military trade
00:16:13 -
00:16:25
shows.
00:16:25 -
00:16:26
They jumped on board this full speed.
00:16:26 -
00:16:29
And then the other is there is clearly a information
00:16:29 -
00:16:34
So it's not just technology, but an information sharing complex between Russia, China, North Korea, and Iran, where they're sharing with each other everything from physical
00:16:34 -
00:16:50
drones to drone designs to cyber tactics.
00:16:50 -
00:16:54
People are literally going back and forth.
00:16:54 -
00:16:58
I think there's a couple takeaways from that.
00:17:00 -
00:17:03
Some of that self-inflicted, right?
00:17:21 -
00:17:23
Yeah.
00:17:23 -
00:17:24
Secondly, anyone who sees Russia as our pal, then ask yourself, why are they doing that?
00:17:25 -
00:17:43
If you are telling yourself that there is not a state of intense cooperation alliance between Russia and China,
00:17:43 -
00:17:54
you are telling yourself fiction.
00:17:54 -
00:17:56
Yeah, yeah.
00:17:56 -
00:17:58
No, and one thing that I have seen as well is that they're actually taking some of these lessons and literally shifting their doctrine and strategy, which is a big deal.
00:17:58 -
00:18:12
It's not as simple as, we got a cool toy and we're going to play with it.
00:18:12 -
00:18:16
It's actually enabling that into their war fighting strategy doctrine and the like.
00:18:16 -
00:18:21
And ultimately that will mean
00:18:21 -
00:18:23
the TTPs, the tactics, techniques, and procedures will be refined.
00:18:23 -
00:18:28
And there's a little hubris, tell me if I'm wrong, I wish I were, but there's a little hubris in the strategy community that they're still imitators.
00:18:28 -
00:18:40
Truth is, is they're innovating now, they're innovators.
00:18:40 -
00:18:43
And in some ways they're outpacing.
00:18:43 -
00:18:47
And that's where I wanna get to at some point, but before we jump there,
00:18:47 -
00:18:53
How does someone at a Belfour Center, how does someone who has all the credentials in a traditional policy making and think tank environment bring storytelling, which I think is
00:18:53 -
00:19:05
so essential to strategy?
00:19:05 -
00:19:11
I think it's sort of making strategy stick is your expression.
00:19:11 -
00:19:15
remember, I think it was Chip Heath making story stick.
00:19:15 -
00:19:18
It's a great, great set of issues.
00:19:18 -
00:19:20
So tell me how you got there.
00:19:20 -
00:19:23
You went against the grain.
00:19:23 -
00:19:25
I'm telling you, in my world, I thought it was pretty cool.
00:19:25 -
00:19:28
No, thank you.
00:19:28 -
00:19:30
There's two different answers, and it's essentially the fusion of the two.
00:19:30 -
00:19:34
So the wonky side, I'm a professor, I work in our national security community, is all the science and research shows that narrative is a more effective means of conveying newer
00:19:35 -
00:19:51
complex information.
00:19:51 -
00:19:53
It comes down to the way the human brain works.
00:19:53 -
00:19:56
If you read a white paper,
00:19:56 -
00:19:57
a threat report, one part of your brain lights up.
00:19:57 -
00:20:00
If you read it as told in a scenario, and it can be a true story, or it can be a fictionalized story, four parts of your brain light up.
00:20:00 -
00:20:10
Another value of narrative is narrative brings in emotion.
00:20:11 -
00:20:16
And while we like to think that all decisions are made by cold logic and facts,
00:20:16 -
00:20:21
That's just not the case.
00:20:22 -
00:20:24
It's not the case in voting behavior.
00:20:24 -
00:20:26
It's not the case in whether you buy a used car.
00:20:26 -
00:20:29
It's not the case in national security decisions.
00:20:29 -
00:20:33
Indeed, when they've pulled transcripts from the cabinet, even decisions on when to use military force or not, emotions weighing in.
00:20:33 -
00:20:43
Another value of narrative is it brings in innovation.
00:20:43 -
00:20:50
It allows you to look at issues from multiple points of view, characters, understand underlying complex causes, plot.
00:20:50 -
00:21:01
Another value of it, and indeed there was a study out of Harvard that found that it had, if I recall it roughly like a 70 % increase in innovation.
00:21:02 -
00:21:11
Another and a big one for those of us working in corporate or government world is narrative is more likely to drive change.
00:21:11 -
00:21:20
about 30 % of change programs succeed.
00:21:20 -
00:21:27
And change programs, know, the leadership says, here's our new strategy.
00:21:27 -
00:21:31
Does it actually, you know, aside from announcing it like six, nine months later, is it actually being implemented?
00:21:31 -
00:21:36
And what usually happens, and they've done studies on this, is that it fails largely because of narrative reasons.
00:21:36 -
00:21:43
One, they've either not made the case,
00:21:43 -
00:21:46
for why we need to change.
00:21:46 -
00:21:49
They've not told that story.
00:21:49 -
00:21:50
Secondly, they've not told the story of where we're headed to.
00:21:51 -
00:21:55
But third, and I think this is so huge in bureaucracies and corporate and government world, often strategies fail because of an internal bureaucratic insurgency.
00:21:55 -
00:22:10
The middle layer basically says, new strategy, sir, yes, sir.
00:22:10 -
00:22:16
and then walks away and is like, yeah, we're not implementing that.
00:22:16 -
00:22:19
And even sometimes sabotages it.
00:22:19 -
00:22:21
And the reason it actually comes down again to story, it's because that layer either doesn't see themselves as a character in the story of change, or worse, they're like,
00:22:21 -
00:22:35
yeah, I'm a character in the story.
00:22:35 -
00:22:37
I'm the victim.
00:22:37 -
00:22:38
And so if you don't change that, they will sabotage it.
00:22:38 -
00:22:42
And so.
00:22:42 -
00:22:42
All that coming together are the wonky reasons for why we've used what we call useful fiction, which is taking nonfiction and wrapping it with a narrative.
00:22:42 -
00:22:52
But the other part of it is the fun side.
00:22:53 -
00:22:55
People are more likely to read a narrative.
00:22:56 -
00:22:59
They're more likely to share it with others.
00:22:59 -
00:23:01
If I say to you, hey, I've got this incredible 75 page white paper.
00:23:01 -
00:23:09
or a 30 page explainer on what quantum technology means for cyber.
00:23:10 -
00:23:15
I'm giving you real world examples.
00:23:15 -
00:23:17
If you are either a leader who's busy or you're a student at Auburn, go, But if I say, hey, here's a story that helps explain cyber and it's a story about a commando mission
00:23:17 -
00:23:35
hunting down a terrorist who's trying to sabotage the World Cup.
00:23:35 -
00:23:39
But like a smoothie, you'll get the vitamins of how quantum works by reading it.
00:23:39 -
00:23:45
Which one are you going to choose?
00:23:45 -
00:23:46
And that's really what we're after with this useful fiction approach.
00:23:46 -
00:23:53
lastly, it's fun to be on the creative side to figure out, it's like a riddle.
00:23:53 -
00:23:59
How do you tell the story of X?
00:24:00 -
00:24:01
What are the best characters to go after that?
00:24:01 -
00:24:03
So we've been doing some of these on cyber, which has just been phenomenal because I think I'll end here by saying,
00:24:03 -
00:24:09
People think of cyber as highly technical and it is, but the importance of story is to find the human side of it.
00:24:09 -
00:24:17
And that also goes back to all the issues that we need to drive organizational change or to understand threats.
00:24:17 -
00:24:23
It keeps coming back to the people.
00:24:23 -
00:24:25
So there is story in cyber.
00:24:25 -
00:24:27
And there is a human behind the clickety clack of the keyboard until it's all automated in AI.
00:24:27 -
00:24:32
But there's even someone behind that initially.
00:24:32 -
00:24:35
So I think that does often get lost in the discussion.
00:24:36 -
00:24:41
And I think most notably, if you want to change and actually have impact, I think it does resonate.
00:24:41 -
00:24:51
And I think it gets to the why in a way that
00:24:51 -
00:24:55
we all tend to skirt over in the policymaking where we're looking at the how, the when, the where's, and not always spending enough time on why it matters.
00:24:55 -
00:25:08
And I think that's very cool.
00:25:08 -
00:25:11
I think you did a great job framing useful fiction.
00:25:12 -
00:25:16
Maybe giving a real world example, I was on the Solarium Commission and you wrote a very powerful foreword to the report that
00:25:16 -
00:25:24
not to pat ourselves on the back, had a lot more impact than most reports in DC.
00:25:25 -
00:25:31
You want to maybe pull that thread a little?
00:25:31 -
00:25:33
Because I think it did help in terms of putting into perspective what some of these recommendations are, and more importantly, promulgating them into law and policy.
00:25:33 -
00:25:46
Yeah, so that's a great example of this idea of a fusion.
00:25:46 -
00:25:52
So on the nonfiction side, the starting point, we had a set of key ideas that the commission wanted to share of both threats, but also the opportunity that if we acted upon
00:25:52 -
00:26:07
them, we could prevent bad things from happening.
00:26:07 -
00:26:12
Secondly,
00:26:13 -
00:26:14
there was a very specific target audience.
00:26:14 -
00:26:18
And we run these workshops with a corporator.
00:26:18 -
00:26:22
And we've even run them with Cyber Command on how to be a better communicator.
00:26:22 -
00:26:26
And one of the key parts of it is that idea of really understand your target audience, not just who it is, but what motivates them, how can you connect to them.
00:26:26 -
00:26:35
And so with the Solarium report, now while it was a public report, its audience was
00:26:35 -
00:26:41
Congress you want legislation, but even within that there's a more specific audience which was hey It's the staffers because they're the ones that write the legislation and you can
00:26:41 -
00:26:52
see that you know even in the slam report like at the end of it it had Sample legislation.
00:26:52 -
00:26:58
I'm gonna make your job easy for you not because it's exciting compelling But you know so is understanding that audience and so what we did
00:26:58 -
00:27:06
is, you know, it was like an introduction, but kind of like an executive summary, but told in scenario form is the scenario that we built for it was written from the point of view
00:27:06 -
00:27:18
of a congressional staffer who's experiencing maybe that most powerful emotion of all, which is regret.
00:27:18 -
00:27:27
And they are writing, they're sitting down to write legislation in the wake of
00:27:28 -
00:27:35
a major cyber attack that's living out all the threats that the Solerian Commission said, these are the things we've got to prepare for.
00:27:36 -
00:27:47
we've got little Easter eggs that a staffer would kind of, it really connects to their experience, like whether they've got a window in their office or not.
00:27:48 -
00:27:58
But the point is, is they're sitting down to write this legislation and regretting that
00:27:58 -
00:28:03
this had not been all done beforehand.
00:28:03 -
00:28:06
And then it closes with the text of the legislation.
00:28:06 -
00:28:12
And again, drawing from the real world, it's the actual text of the legislation issued after 9-11.
00:28:12 -
00:28:20
to flip to the, when we talk to the Slayered folks, your fear was we're going to be like all those commissions that write
00:28:20 -
00:28:33
a report and then no one listens to us like what happened to all the commissions related to terrorism pre-911.
00:28:33 -
00:28:41
This idea of the staffer, sort of say, don't want to be like those staffers who ignored past commissions and then had to write legislation when it was too late.
00:28:41 -
00:28:52
And so that was the scenario that was built.
00:28:52 -
00:28:55
And yeah, it resonated really well.
00:28:55 -
00:28:57
It's a great, I think, example of the lessons learned of...
00:28:57 -
00:29:01
You can share facts, but you can also target an audience, bring in emotion.
00:29:02 -
00:29:06
And there was an actual story arc, as you said.
00:29:07 -
00:29:10
So it starts with the story, and then there are the bits and pieces to get to a conclusion that I think you're right.
00:29:10 -
00:29:16
It is about regret.
00:29:16 -
00:29:18
And many of us, I think that's what drove us.
00:29:18 -
00:29:22
So very well said there.
00:29:22 -
00:29:24
One thing before we sort of jump on what's coming over the horizon from a tech perspective, I would like to, when you look at useful fiction,
00:29:24 -
00:29:35
often the Hollywood version is worst case scenarios and it's not that bad day, it's that really gosh darn bad day and that could cause paralysis, it could cause, if it's not
00:29:35 -
00:29:51
likely, people could undermine its credibility and say, we don't have to worry about that.
00:29:51 -
00:29:56
What are your thoughts on that from a useful fiction perspective?
00:29:56 -
00:30:00
Yeah, I mean, well, it's also from a policy side.
00:30:00 -
00:30:02
think our cybersecurity community has suffered from this.
00:30:02 -
00:30:08
Those Pearl Harbors,
00:30:08 -
00:30:10
It's the one like Pearl Harbor, Pearl Harbor, and then we have this sort of broader phenomena of, know, fear, uncertainty, doubt.
00:30:10 -
00:30:17
And we kept just trying to get people's attention.
00:30:17 -
00:30:19
And at a certain point, that loses its effect.
00:30:20 -
00:30:24
And, you know, we can see that within businesses.
00:30:25 -
00:30:27
Like we've had supporting like, you know, CISOs who are, you the board is like, you came in here last year, scared me about stuff.
00:30:27 -
00:30:37
We gave you what you wanted.
00:30:37 -
00:30:39
Why are you back a year later telling me bad things will happen?
00:30:39 -
00:30:43
We gave you what you wanted.
00:30:43 -
00:30:44
This is challenging.
00:30:44 -
00:30:47
It's different than regular IT.
00:30:47 -
00:30:49
There's a, just as we were talking about earlier, there's a threat actor who's learning and always changing and reorganizing.
00:30:49 -
00:30:55
And so if you're going to have an effect on someone, you can't just lay out the numbers, shoot at them bullet points.
00:30:55 -
00:31:05
You have to be able to tell a story of it.
00:31:05 -
00:31:08
And an effective story, like we were talking about before, makes someone feel.
00:31:08 -
00:31:13
And so you have to find the emotional contact point for that target audience.
00:31:13 -
00:31:22
So let's go to that example, the cyber-celerium one.
00:31:22 -
00:31:26
A major cyber attack has happened in the United States, but we're telling it through the personal experience of someone sitting down to write something that they really don't want
00:31:27 -
00:31:35
to do.
00:31:35 -
00:31:36
Right?
00:31:36 -
00:31:37
A different example that we did for that one that I mentioned of the CISO who's got a board that wasn't listening to them.
00:31:37 -
00:31:43
And it was particularly, I mean, the non-sexy topic of, we're doing a cloud migration.
00:31:43 -
00:31:48
We need to invest in the cyber side of it.
00:31:48 -
00:31:51
And they felt they weren't being paid attention to after their briefings.
00:31:51 -
00:31:54
And so what we did is we turned what they wanted the board members to know and the CEO to know, but as told through a story where
00:31:54 -
00:32:04
It's the nightmare scenario of a business leader.
00:32:05 -
00:32:08
They're flying to Washington to have to answer questions in congressional testimony.
00:32:08 -
00:32:17
basically what we were portraying is not, there's a ransomware attack, your stock price is gonna go down.
00:32:17 -
00:32:24
People know that.
00:32:24 -
00:32:25
It's what drove changes.
00:32:25 -
00:32:27
This is what your life is going to be like.
00:32:27 -
00:32:31
And for powerful people,
00:32:31 -
00:32:33
the idea of being on the back foot.
00:32:33 -
00:32:36
React to the demands of the hackers of the ransom react to the press that's calling you shareholders to I've got to go do this meeting and I'm not leading the meeting they're
00:32:38 -
00:32:49
asking me the questions and so even down to I've got to fly to Washington and I can't fly my personal jet because that looks bad I got a flight commercial all that and it was this
00:32:49 -
00:32:59
idea of saying
00:32:59 -
00:33:00
you know, this is why you want to act.
00:33:00 -
00:33:03
And again, so I think that's, you when we're framing our stories, we need to bring in these other aspects of it.
00:33:03 -
00:33:13
And again, we've talked about emotions of regret.
00:33:13 -
00:33:15
There could be, you know, emotions of FOMO.
00:33:15 -
00:33:19
We can portray what success looks like so that someone goes, man, that's incredible.
00:33:19 -
00:33:28
How can we make that happen?
00:33:28 -
00:33:30
We did a project for, it relates to cyber, it was for SOCOM where Special Operations Command is feeling that it's for very good reason.
00:33:30 -
00:33:40
It's got a pivot to these new kind of threats, China that we're talking about, but also that it's no longer just bullets on foreheads.
00:33:40 -
00:33:49
We're bringing in electronic warfare cyber and so that their people need to be skilled in these other areas.
00:33:49 -
00:33:56
And so the way that we accomplished, we took their strategy.
00:33:56 -
00:33:59
the way we shared it out was it was a soldier at their retirement ceremony 20 years from now looking back on their career and all the training that they received to be so
00:33:59 -
00:34:14
successful.
00:34:14 -
00:34:15
the idea is someone reads that and goes, man, they had a great career.
00:34:15 -
00:34:19
I want someone to have a career like that.
00:34:19 -
00:34:22
Huh, what do we have to start doing now?
00:34:22 -
00:34:25
so that someone 20 years from now can have that kind of retirement ceremony.
00:34:25 -
00:34:29
That's awesome.
00:34:29 -
00:34:30
That's very creative.
00:34:30 -
00:34:31
And that's a perfect segue to sort of look at emerging technologies and what's over the horizon.
00:34:31 -
00:34:37
I think, I don't want to put words in your mouth, but you also highlight here that the adversary is not static, but dynamic.
00:34:37 -
00:34:47
And in part, they base their actions on our actions.
00:34:47 -
00:34:50
And we need to keep up with that level of thinking speed and everything else.
00:34:50 -
00:34:55
And I would argue that
00:34:55 -
00:34:57
Behavioral science is very much a part of this as much as the zeros and ones are.
00:34:57 -
00:35:03
So I'd be curious not to lead the witness here, but what are some of the key tech or geopolitical trends you think the US isn't taking seriously enough right now?
00:35:03 -
00:35:14
I think we're taking seriously the central one that, you know, it's not a podcast or a business meeting or a military meeting that we don't talk about AI.
00:35:17 -
00:35:28
am worried that we're forgetting some of the lessons of the Cold War and, know, what led to, you know, before the Cold War, Manhattan Project or the creation of the internet
00:35:29 -
00:35:43
itself.
00:35:43 -
00:35:44
There, you can't rely solely on the private sector to fill the gap.
00:35:44 -
00:35:49
There is value and a role for government and a role for supporting research.
00:35:49 -
00:35:54
More than valuable, I'd say essential, but that's me speaking.
00:35:54 -
00:35:58
but you know, it seems controversial to say some things like that right now.
00:35:58 -
00:36:02
don't know.
00:36:02 -
00:36:03
But and so we are seeing that kind of investment and strategy coming from a China.
00:36:03 -
00:36:10
So but, know, on the AI side, I think, you know, what comes next is a couple of things.
00:36:11 -
00:36:17
One, greater use of AI as a a tool within cybersecurity.
00:36:17 -
00:36:26
You know, we've already seen Chinese cybersecurity companies adopt DeepSeq into their work.
00:36:27 -
00:36:37
Same thing if you work for me.
00:36:37 -
00:36:39
So one, helping to create more effective tools either on the offense or the defense.
00:36:39 -
00:36:47
Secondly, and we see that in coding or finding vulnerabilities or whatever.
00:36:48 -
00:36:53
Secondly, weaving it in
00:36:53 -
00:36:56
with those information operations.
00:36:56 -
00:36:59
So we talked about deep fakes and we've seen everything from already hacking attempts using faked CEO voices to even zoom video to try and persuade people to authorize a
00:36:59 -
00:37:17
This is the real Peter Singer just for our audience.
00:37:17 -
00:37:20
Yeah, who knows.
00:37:21 -
00:37:24
But so we'll see that more and more and on a conflict side.
00:37:25 -
00:37:30
But then you have what I think is interesting is the targeting of AI as we use it more and more in our society.
00:37:30 -
00:37:39
And so that kind of targeting might range from trying to poison the well before the conflict going after
00:37:39 -
00:37:49
the training data, trying to warp that or trying to inject malware into a design or something like that.
00:37:49 -
00:37:55
Then you have targeting it during an attack.
00:37:55 -
00:37:59
So providing inputs that try and trick sensors.
00:37:59 -
00:38:09
So basically if you're using AI for some kind of decision making, it's pulling off of information.
00:38:10 -
00:38:15
So how can I trick it by going after its sources of data?
00:38:15 -
00:38:19
And then finally, and I don't know if we've explored this enough, which is the good side of AI crossed with IoT is that we get these huge efficiencies.
00:38:19 -
00:38:28
We have less people working on our factories or ships or whatever it is.
00:38:28 -
00:38:34
But that also means if I can target a system that's highly automated, it's really difficult to almost impossible for you to recover and get it back going.
00:38:34 -
00:38:45
So one of the scenarios that we built for Cyber Command to help explain this was in shipping.
00:38:45 -
00:38:56
Freighters right now are becoming more more automated.
00:38:56 -
00:39:00
It means they can operate with crews that are like 1 100th the size they used to be.
00:39:01 -
00:39:06
Huge efficiency, but we also know that ships are quite vulnerable.
00:39:06 -
00:39:13
Stuxnet went after SCADA systems, which ships used to.
00:39:15 -
00:39:18
I and that's a data malware.
00:39:18 -
00:39:21
And so can you bring the ship back online if the systems go down?
00:39:21 -
00:39:26
So those are the, and again, we could be having a discussion about a factory, a water system, whatever.
00:39:27 -
00:39:33
And so I think that's that part, these different aspects of how we'll not just use AI as a tool, as a weapon, but how it might be targeted.
00:39:33 -
00:39:44
is something we're going to have to put a lot more thinking into.
00:39:44 -
00:39:46
Very well said and and and I couldn't agree more and and we're doing a little bit of work in that space my penultimate question is sort of and this isn't to make the case for grand
00:39:46 -
00:39:59
strategy, although I would argue we have a lot of tactics masquerading as strategy over the past 10 years and US thinking I have a hard time delineating and differentiating air
00:39:59 -
00:40:14
C, space, cyber, they're all kind of coming together, but we like to look at the world through our boxes and org charts and understandably, how do we get over that hurdle?
00:40:16 -
00:40:28
And if you've got a good answer for that, I'm all ears, because I do think we need to have unique TTPs around all these issues and strategy doctrine and add on top of that.
00:40:28 -
00:40:41
I have a hard time differentiating economic security from national security these days.
00:40:41 -
00:40:45
The battlefield includes all of society.
00:40:45 -
00:40:47
How do we as a country marshal and mobilize our resources to think about this differently?
00:40:48 -
00:40:54
I think you've hit it in a couple of ways.
00:40:55 -
00:40:57
So one is absolutely the silos are breaking down.
00:40:57 -
00:41:02
And if you are a organization that only focuses on one domain or one geography, you're not going to be effective.
00:41:02 -
00:41:15
If you are an individual who only has the ability to operate and have knowledge of that one domain.
00:41:15 -
00:41:21
you could be
00:41:21 -
00:41:22
If you are an Africa specialist, well guess what?
00:41:22 -
00:41:26
You have to have greater awareness of what China and Russia are doing in Africa, too.
00:41:26 -
00:41:31
You have to understand everything from cyber threats to the change in importance of rare earth minerals.
00:41:31 -
00:41:40
I was just an Africa specialist, right?
00:41:40 -
00:41:42
On flip side, if I'm a cyber specialist, well, by the way, I've got to understand its integration with IoT, or I got to know the law or policy.
00:41:42 -
00:41:51
who can't code, shame, shame, shame.
00:42:21 -
00:42:24
And there's the flip side, which is to people like, hold it, it's not about coding, it's about law, it's about policy.
00:42:24 -
00:42:30
Well, by the way, to do effective law and policy, you need to understand the technology.
00:42:30 -
00:42:36
And so I think what we're seeing more and more is the need for people that can operate across multiple silos and organizations too that can operate that way.
00:42:36 -
00:42:47
So the two versions of
00:42:48 -
00:42:50
ways that if that's been dealt with, one, if you are being trained in China's National Defense Academy, you learn about, I wish I could show you the diagram of it, but it
00:42:50 -
00:43:05
basically lays out there's the physical world, there's the information world, and then over everything is the cognitive, our understanding of it.
00:43:05 -
00:43:14
That's how they're being trained.
00:43:14 -
00:43:16
Alternatively, Star Trek.
00:43:16 -
00:43:19
three-dimensional chess.
00:43:20 -
00:43:22
The chessboard moves in lots of different ways.
00:43:22 -
00:43:27
either one, I think, gives us insights for how we should be thinking about the future.
00:43:27 -
00:43:33
Roger that.
00:43:33 -
00:43:33
And maybe in addition to 3D chess go, because I think that has some cultural, many moving parts and outcomes that you can't predict based on one individual's actions, but the
00:43:33 -
00:43:51
engagement.
00:43:51 -
00:43:52
Hey, Peter, what questions didn't I ask that I should have?
00:43:52 -
00:43:55
gosh, well we need to, you as you and I recording this, who's going to win the final four and all that, but...
00:43:56 -
00:44:03
I have my views, they're biased.
00:44:04 -
00:44:07
I know it's a deer there.
00:44:07 -
00:44:11
So for me, I think a question that I wish we could explore a lot more is this idea of not merely the technology or the organization, but how we're thinking about the human talent
00:44:13 -
00:44:31
side of things.
00:44:31 -
00:44:33
To put it quite directly, if we are
00:44:33 -
00:44:37
recruiting the same way, training, educating the same way, assessing people, promoting people the same way.
00:44:37 -
00:44:46
Why would we think we're going to have different outcomes?
00:44:46 -
00:44:50
And what I just said could be applied to the changes in universities, but also professional military education or government education, but it could also be applied to
00:44:50 -
00:45:03
workforce again in the
00:45:03 -
00:45:06
government cyber community or in the corporate cyber community, I think we need to put a lot more attention on that side of things.
00:45:06 -
00:45:14
What are the new requirements?
00:45:14 -
00:45:17
What are the changes that we're gonna make to reflect everything that you and I talked about?
00:45:17 -
00:45:21
How is AI changing not just the organization, but what people need to know within that organization?
00:45:21 -
00:45:29
But there's another part of it, which is how are we gonna bring in this new talent when
00:45:29 -
00:45:36
all of our messaging right now is you're back, get out.
00:45:36 -
00:45:42
And so we're going to have to start to think through not just the next days and weeks of workforce, but the next year, years, decade.
00:45:42 -
00:45:56
And I think an approach to do it is a little bit of how we were talking earlier, which is let's start from our destination.
00:45:56 -
00:46:04
What do we want?
00:46:04 -
00:46:06
that workforce to look like 10, 20 years from now.
00:46:06 -
00:46:12
What needs to be in place to have that kind of human talent, to have talented people want to be in that role, and then say, what are we doing right now to make that happen or to
00:46:12 -
00:46:22
make that not happen?
00:46:22 -
00:46:23
So I'd just love to see a lot more about the workforce side of the discussion.
00:46:23 -
00:46:29
Peter Well said, keep opening people's eyes, keep most importantly getting people to think and act in a way that's needed and really glad you're continuing to fight the good fight.
00:46:29 -
00:46:43
Thank you so much for spending so much time with us today and onward and upward.
00:46:43 -
00:46:47
Thank you, Peter.
00:46:47 -
00:46:48