Cybersecurity, Espionage, and National Defense with Martin Matishak
Show Notes
In this week's episode Frank Cilluffo speaks with Martin Matishak, a seasoned cybersecurity journalist currently with The Record and formerly with Politico and National Journal. They discuss China’s cyber threats, particularly the Volt Typhoon and Salt Typhoon campaigns, and their implications for critical infrastructure security and espionage tactics. Matishak also unpacks supply chain vulnerabilities, U.S. cyber policy challenges, and the evolving debate over Cyber Command 2.0, a U.S. Cyber Force, and the NSA-Cyber Command dual hat structure. The conversation extends to cyber diplomacy, examining U.S. efforts like the FALCON rapid response program and State Department initiatives to counter China’s growing digital influence.
Main Topics Covered
- Volt Typhoon and Salt Typhoon cyber threats—China’s infiltration of telecom and critical infrastructure networks.
- Cyber Command 2.0 and military cyber readiness—Congressional debates on U.S. cyber capabilities and a potential independent Cyber Force.
- NSA-Cyber Command Dual Hat debate—Should the leadership of U.S. Cyber Command and NSA be separated?
- Cyber supply chain vulnerabilities—The FCC’s “Rip and Replace” initiative and the challenge of securing U.S. networks.
- State Department’s cyber diplomacy—The FALCON program’s role in global cybersecurity response and countering China’s digital influence.
Key Quotes:
[China] will do what they want to do when they want to do it. And they are not scared by anything [the U.S. has] done to them so far.—Martin Matishak
A few years ago, [my source said] if the [military] services were at the same readiness levels as the cyber mission force planes would not fly, boats would not sail, soldiers would not march, Marines would not deploy. It was that bad.—Martin Matishak
There are very large swaths of Congress that are just fed up with the lack of readiness of our cyber forces.—Martin Matishak
The 'dual hat' as we know it might be over.—Martin Matishak
At the end of the day, bringing something unique to the table to help others will pay dividends in other diplomatic areas.—Frank Cilluffo
Guest Bio
Martin Matishak is a cybersecurity journalist with The Record, covering national security, cyber threats, and government policy. Previously, he wrote for Politico and National Journal, focusing on cyber warfare, espionage, and defense strategy. His reporting has shaped policy discussions on Chinese cyber operations, U.S. cyber readiness, and emerging cyber defense strategies.
Transcript
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host Frank Cilluffo and this week I have the privilege to sit down with Martin Matishak. Martin has been doing some phenomenal writing, goes after stories that most are not covering, or if they are covering it, he always tends to find an interesting and relevant angle that others haven't necessarily. He's currently with The Record, previously had written for Politico as well as, I was just reminded, the National Journal before that. So really excited to have Martin sit down with us today and really excited about the discussion. Martin, thanks so much for joining us.
Thank you very, very much for having me. Appreciate it. So Martin, we're going to
have some of your stories up on the screen, but I thought we'd start with the. The story that is everyone's story and that's Salt Typhoon as well as, as Volt Typhoon. And I, I don't mean to be cutesy, but each one of these in their own is a really bad storm collectively I think it literally is demonstrates a perfect storm in terms of concerns. But why don't we start with some of your reporting around Salt Typhoon since it's most relevant. Sure. So Salt Typhoon is the,
is the infiltration, if you will, of our telecom networks. There are up to nine telecoms that have been impacted by this we believe, or people I talk to believe number is going to go much, much higher. Not only the telecoms, but also some of the companies supporting the telecoms, connecting the telecoms. They might also be influenced as bad as sounds, trading nine telecom networks. It is traditional espionage in a lot of people's eyes that they were after a certain type of person in a certain type of area, specifically DC where we're sitting in this sort of area. And that's what they wanted to know, where they were, who they were talking to and what they were texting. The universe gets smaller and smaller as you try and, and try and figure that out. So as bad as it is, it really is traditional espionage as we think about pilfering information data. It would however, I would say what changed about Salt Typhoon is it gave the Chinese, it showed them they could collect an even deeper level. We have signals intelligence, we have the National Security Agency. That's what we get our foreign secrets from. This is the way they found that they can do this. Now we can get that granular that we can geolocate someone, we can read their text, we can see who they're talking to. And I think that is a scary part of this. There's a lot of scary parts, but also another scary part is we don't know the full extent of it yet. The government still doesn't know the full extent of it. Now we're in the middle of a transition and it could be we might never know the full extent. And the reality is when you
think of critical infrastructure, not everything's equally critical. But you always thought the telcos were at the very top of the list. So it just makes you think about some of the other critical infrastructure owner operators. It does. And the telcos are unique because
their technology stack is bizarre. Byzantine, I think, is the way someone described it to me once. Yes, yeah, yeah. It's this right there alone. They're building equipment on equipment on equipment for decades now. And they have all sorts of issues, not only about old tech, foreign tech in their systems. Identity management is a big problem. And there's just so many different ways and I think there's going to be a real question about the access that was gained and are they ever truly, the Chinese ever fully truly out of these networks. And you bring up it is traditional espionage, which is
very different than the intent when we're going to talk about Volt Typhoon, which in some ways should be more disconcerting. Volt Typhoon is norm breaking and that's the way
that many Biden administration officials talked about it was that it broke the norms. It went beyond surveillance or IP theft, things like that. This is pre-positioning in our networks. To which has no espionage value, no financial value. Exactly. For and, and for the purpose of catastrophe could be they could set up a catastrophic series of events. And so there's no value in that, like you said. So that should be more concerning. That's another instance where it's are they out or ever know they're out? They were living off the land for potentially months before this. Are they still living off the land? Can they regain their access if we kick them out? Could they regain their access some other way? There's a lot of questions about that. But I would say Volt Typhoon, as bad as Salt Typhoon was, as we've discussed, Volt Typhoon really is. It has people aghast at what could happen here and especially the
intentions. Yes. And I think we've all known that cyber intelligence preparation of the battlefield has occurred for a long time. What we didn't necessarily know is not only do you have a foothold, but you have a beachhead into some of those at the time of their choosing. Exactly. And I think what made Volt a little unique is also some of the targets themselves. Wastewater. Yeah. Guam. Yeah. So clearly indicative of some of their intentions. Some of their intentions and also some of their craft. If you
want looking at edge devices, like going back to your water example, there might be one person in charge of 20 water districts in the state of Kansas and he does it all on their phone because that's all his department can afford is just have him, he can't have 20 people out there. And may have five other jobs
on top of that. Exactly. He might be a part time employee, but he has
this device and if that device is not secure, then all of a sudden, boom. So I think it exposed edge devices in our critical infrastructure and I think that's why you're seeing people like looking at the whole totality, the tech stack, because where are the weak points and edge devices when it comes to Volt Typhoon is a big one and I'm. Glad you brought that up because the intentions here do matter.
Not all hacks are the same. Hackers differ, obviously the tactics, techniques and procedures they engage in differ. And here when you look at how do you think this fits into the broader Communist Party of China's strategic plan. What it says to me is
that in the past few years we've seen a lot of ramp ups from DOJ, FBI saying we've taken down this bot network, we've taken down this, we've taken down this hacking group. You've seen Cyber Command, NSA share essentially TTPs with the public, CISA share TTPs with the public. And what it says to me is. All tactics, techniques
and procedures. Most of our viewers will know that, but in case there are a couple that don't. But what it says to me is that despite all of that,
across all those agencies and all those different kinds, including let's say, let's throw Treasury in, their sanctions, all of that has not been enough to change China's calculus when it comes to cyber. They will do what they want to do, when they want to do it and they are not scared by anything we've done to them so far. And the Volt Typhoon even more than Salt Typhoon, which we talk about as espionage. But Volt Typhoon shows plain as day that sure, you can hit us on the nose with the newspaper, but we're going to still get in your house. And
I know you haven't written a whole bunch about Silk Typhoon, but, but at the end of the day you mentioned sanctions and it just seems to me, surprise, surprise, surprise, that some of the entities that are responsible for promulgating these sanctions might have been hit as well. Yeah, yeah. And I think that. I think one fact. Exactly.
And I think when that comes out, when more is revealed about that, I think that it also show more traditional espionage. They want to know what these people were thinking. It makes me think about Secretary Blinken, our former Secretary Blinken's email being hacked because they want to know what he was thinking, who he was talking to, things like that. That to me is espionage. Now, we could find out that they were trying to do something, do something else, plan something in OFAC systems, things like that, something that could flag if one of their people were about to be on there or something like that. But right now, that also strikes me as espionage. Yeah, I
would agree with that. I think there is a big issue and not one we're going to have a whole lot of time discussing, but the whole question about signaling and what are. Do we have lines in the silicon or red lines or which I do think we do need to differentiate espionage CNE computer network exploit from attack, which would clearly be where Volt Typhoon intentions lie. And I think we do have to get to the point where we at least start defining some of those, not necessarily in Ten Commandments etched in stone, but something that at least does have. Otherwise our adversaries are going to continue to get as close to the line as they can. I agree. And that line keeps moving. If you're in the red zone, you want to punch it through, but if it keeps going on forever, you're never going.
Yeah, yeah, agreed. So what about FCC? You've written a little bit about some of
the potential in terms of regulations there. And I know we've got Chevron deference world and where regulations fit in and all this, but what were some of your findings there? And I think they were specific to, obviously, Salt Typhoon. Yes.
So the FCC is. So let's be clear. Let's start top level. There is no clear government response yet. There's no one silver bullet. Everyone's about to try a lot of things. Senator Mark Warner of Virginia, the top Democrat on Senate Intel, he's trying to get a bipartisan bill that would. And put more regulations on critical infrastructure, including telecom, such kind of both. The SEC voted in some new rules in the last week of the Biden administration with the FCC. What lawmakers did with the FCC is there was a program that is essentially known as Rip and Replace. It started during the first Trump administration and supposed to be about $5 billion to rip out old Chinese tech. It was ideally what the Huawei was in mind when this started. It got 1.9-ish billion to start and then it just sat fallow for a while. So when the tele. When Soul Typhoon or sorry, yes, Salt Typhoon. So many typhoons. Lots
of typhoons. Yeah. So when Salt Typhoon came out, people said this might be one
way to potentially address that tech stack is let's get rid of all this old tech and put in U.S.-made stuff that we trust. And so the last defense bill that was signed into law authorized $3 billion for that, which is what advocates were calling for. They're like for about 3 billion we can. Including me. Yeah, yeah, exactly. We can redress this. So that's in the NDAA and that work was probably going to start this year. Yeah. And I think it does beg a bigger
set of questions around supply chain and whether or not we have visibility into our supply chains and what all that. I mean rip and replace is a last resort. But at the end of the day, if you don't know what's in your system, you don't know what's in your system. I like to look at what's on what I'm eating and I like to know what the ingredients are, but we don't necessarily have that for cyber, do we? And it's. And in terms of the things I
laid out, the Warner effort, the sec, this is like the most easy, tangible, wrap your head around. Oh, that makes sense when you say what it does. And why even redress this according to your food analogy? Like why don't I know what's in my. I should know. We should know what's in. We should know what's in these tech stacks. So if we don't, that should go away. Yeah, yeah, yeah. I do
think you'll see some activity around that, but it's easier said than done. Yeah, I, I did lead an initiative for the government. Just getting visibility is hard. Yeah, yeah.
It's going to put. Especially now that the Republicans have a trifecta here in Congress and on Capitol Hill and in the White House being tough on China but also being anti regulation, which the Republicans traditionally are. So you can talk a big game about we got to drive out our system, things like that. We got to strike back. But let's. Okay, that might include regulation. That might have to be an arrow in the quiver. And I just don't know how many Republicans are there yet on this, despite the seriousness of the typhoon hacks. Yeah, no, well said. And I don't
see them as mutually exclusive, but I do think you, you raise a really good point there. Strategically. Let's jump to. You've also done some great reporting around military issues in cyber. I think there are three big issues that you've written on that are obviously on the tops of a lot of people's minds. And first, being sort of Cyber Command 2.0 and interesting timing at the very bottom of the 9th inning, you're dropping some key findings, but also one that I think we'll be talking about for quite some time and that is looking at whether or not we need a cyber force. And then finally an age-old set of questions and that's dual hat of NSA, CyberCom. But let's start with Cyber 2.0. With Cyber Command 2.0. Sure. So
thanks for teeing up the question because I think I've covered Cyber Command for the part of a decade now, and I think we're about to hit some of the most consequential years of the command's life history in the next year or two. Even so, Cyber Command 2.0 is this umbrella term that the command gave to a lot of homework it got from Congress. Congress was sending them a lot of demands about readiness, about personnel, about acquisitions, about things like that. So there are all these unfulfilled reports. And the former chief of Cyber Command and NSA, Paul Nakasone, was like, why don't we just put under this big term Cyber Command 2.0 and map out the next 10 years of what this command is going to look like? Let's just do that. He wanted to be bold. So that work wrapped this year. It has not been shared publicly yet. It has not been shared, I don't think, even with the Hill just yet. But it's been signed. It was signed off on by Secretary Lloyd Austin. And essentially what it came down to was five recommendations for how Cyber Command could refigure itself to do business for the next decade. And I think one of them was a talent management task force, Cyber Warfare and Innovation Center, another sort of training center, and then something about readiness because these cyber warriors are up 24/7 in cyberspace. Sometimes they're not as ready as they should be. People I talk to who are familiar with these conclusions, which again, those are the conclusions that we've reported out. They might have changed in the interim. We don't think so, but there's always that possibility. These changes, people I talked to say, are just changes in the margin. They are not revolutionary. And yes, their execution could improve things as cyber. But if you're looking to really change the game. Change the game. This isn't the. You missed it. You whiffed. Yep. Cyber 2.8 baseball analogy. You pulled that nice thing. Like it. Yeah. When. When do pictures and pictures.
Like a few more weeks since I'm already not paying attention to the Super Bowl. But, but the. So besides not really being as impactful as people wanted, it was signed off on December 18th by the outgoing SEC. And so like just about a month before Inauguration Day. And if you're looking at how aggressive Trump and now Secretary Hegseth want to be about the military, this might not fly. That something was signed that essentially the 11th hour for four year administration. They might say go back to the drawing board or this isn't bold enough or they might just say good job, put in a drawer somewhere and forget about it. It's really unclear. There's an implementation plan that's being drawn up right now. Secretary Haugh. I said not secretary. Excuse me, General Haugh. General Haugh, the head of Cyber Command, NSA today, he's leading that along with the Assistant Secretary of Defense for cyber, the acting Assistant Secretary, Defense Cyber Policy. They're drawing that up. We'll see that the proof will be in the pudding about what this is actually changing if this lasts beyond this new Trump administration. Because they might say this too little too late, fellows. Like get rid of this. Yeah. And the proof will be in the pudding. And obviously
lots of moving key personnel around different issues. But it does bring up a more revolutionary discussion and that is around cyber force. Yes. And I think it's fair to say there's some momentum around this and you've written about it and Secretary Hegseth has weighed in on some of this and very much so on the NSA Cybercom dual hat issue. We'll discuss in a minute. But what are you hearing? What are you thinking? What are you writing on Cyber Force. Sure. So cyber force, it seems like
they've. So proponents of setting up a separate cyber specific service have tried for two years now to get an independent study conducted to say is this feasible? Can we do this? Should we do this? The first year it was in the Senate defense bill, got taken out in conference, moved on. This past year it was in both the House and Senate bills. But then the final compromise bill, it was massively watered down. Weak tea. Yeah, weak tea. That's a good way of putting. Because it went from looking specifically at a cyber force to cyber forces in the armed branches and there's no deadline. So Therefore, who. No, no offense to the people working at the Pentagon, but if you have. A deadline, like, what's the point? What's the point? But in a few weeks ago, Congressman Morgan Luttrell out of Texas, a Republican, said that they're going to try again this year to add some teeth to that study and, and to accelerate it if they can, because. And try and get some sort of. You give them some sort of deadline, like by the end of the calendar year or something to keep this going. Because Congress, there are very large swaths of Congress that are just fed up with the lack of readiness of our cyber forces. And that's. And those are legitimate arguments. Descriptively, I think there's a lot of there. There
in that. The question is prescriptively, is it the answer? Exactly. Exactly. Someone told me
this is a few years on. I believe the numbers have gotten better. They're classified readiness numbers, so I wouldn't know them. I mean, if I did, I don't know if I'd talk about them. On a podcast a few years ago, someone told me about the Cyber Mission Force, which is about 6,000 personnel who do the offensive and defensive operations for Cyber Command. They said that. This person said that if the. If the services were at the same readiness levels as the CMF, the Cyber Mission Force, planes would not fly, boats would not sail, soldiers would not march, Marines would not deploy. It was that bad. Anemic numbers. And Congress is just tired of the services giving short shrift to cyber, and they're saying that either get your house in order or we're going to look at this and if this comes back positive, we're going to do this. We're going to move ahead and set up a new. A new armed service. Yeah, well said. There'll be much more discussion about that podcast as
well as obviously in the halls of Congress as well as the executive branch. And we're probably going to end up doing issue brief of our own on. On. On some of what that looks like. Not, not to lead the witness or even shape what my own thinking is. But at the end of the day, something does need to change. The question is a change for change sake, or how do you find a way to maximize what it is you're trying to achieve? And I think the services have been laggard, and I don't think you can generalize. Not every service is the same. Navy is not exactly. Air Force. Exactly. Or the Army. The Army does
it. The Army does. Army does it pretty well. Does it pretty well. Yeah. But
businesses because It's a Title 10 mission. They do well. Which tees up our next question. But I would just say there, there is. I see proponents who say a
cyber force. I understand there are people who say no cyber force because we've already been doing this certain way for so long. And to do that now, especially with China, the typhoons, this 2027 day for Taiwan, are we really going to unplug and replug everything in while we're supposed to be focusing on these big issues in the middle of. Yeah, no. Well said. And I think smart minds can disagree on all
of those issues. Anyway, I'm slow to get to that answer yet. Again, not descriptive.
Sure. Just not sure. Prescriptively, it maximizes. Let's go to the other hot one right
now. And there you have Secretary Hegseth weighing in on whether or not the dual hat of U.S. Cyber Command and NSA should be split. I think there's been a lot of discussion around this for a number of years, going back to the first Trump administration on some of these issues. So first, just help us frame the issue and then. And the pros and the cons from your perspective. But maybe before we even do that. Frame. Frame the discussion. Sure, sure. So I would say I'll lead
off by saying this topic proves that time is a flat circle. Screw that. Yeah. When Cyber Command was set up, and I believe it was 2010, if I'm remembering my dates correctly here. So up in 2010, it was, it was decided that the head of the NSA should also be the head of Cyber Command. That if you're going to use electronic means to spy, but you're also going to carry out electronic warfare. Not electronic warfare, cyber. Cyber warfare. It makes sense to have one as the head of that. And it was always envisioned to be temporary, but here we are 15 years later and it's still there. Now. It almost ended under the Obama administration and then it was seemingly put to bed during Trump. But then to the last hour, 11th hour, we're talking about 11th hour with Cyber Command 2.0, December of 20. December 2020, there was this push inside the Pentagon to split the hat and it eventually time ran out. There was enough resistance from General Nakasone and General Mark Milley, who was the head of the Joint Chiefs at the time, and it just went nowhere. Meanwhile, then you go flash Biden administration. And they pick former Joint Chiefs Chairman Joe Dunford to lead a small group to of Cyber Command people. DOJ joint. Only four members on this team, small. Group included a skeptic it did split, right? It did. Yes, it did. And no, the picks were interesting. Those of who have followed the issue and the report, the findings are classified. But as General Nakasone has referred to in, you know, public testimony, they found, quote, unquote, substantial benefits to having one person doing both of these missions, heading both of these organizations. And that's where it's been. Now we're more. Now we're in Trump 2.0. And I reported back in December that advisors who were in the orbit of the transition are proposing to split the dual hat once again. Now, the arguments for and against the arguments for are that having one person do that makes us fast, agile and lethal. 
You can't have someone at NSA say, oh, this is interesting, and then walk down the hallway to Cyber Command and be like, hey, have you seen this? Okay, maybe we should do this. What do you think? I don't know. What do you think? And that sort of thing. But then you have other people who say that the jobs are just too big for one person to do. And there's also, if we're being honest, there are large swaths of the intelligence community who are not comfortable having a uniformed military officer as the head of the biggest U.S. spy agency. Never have been, never will be. There's apparently this sort of push now. Secretary Hegseth in his written questions to Congress said that he would bring a conclusion this debate. There is something in law that you can split the dual hat if there's a certification done by the SecDef and the chairman of the Joint Chiefs of Staff and it's signed off on. The President has to look at, has to look at certain issues. But in terms of how that's done, the process is vague. I mentioned the Dunford review. That's how Biden chose to do it. He got Joe Dunford in because Joe Dunford was well respected and cut through the red tape quickly. But what does it look like in Trump 2.0? No one can really say. So I wouldn't be surprised if in the upcoming defense bills, my, my money would be on the Senate more than the House, that they might layer in some things like these. Certain officials have to look at it, too. There has to be a 180-day review before you turn in a report. You can't just. Someone I talked to for the story in December said Trump could just take out a piece of paper that says Office of the President on it, slide across the desk and have the two guys sign off on it. And that's the review because it's that it can be that vague. And the reason this might appeal to President Trump is with his promise to break up or revamp the Pentagon and the intelligence community. It would allow him to pick an NSA chief.
And while General Haugh would probably take it's not a demotion. He'd probably just be fine shunting off their NSA responsibilities. Trump might turn him and say you're a Biden guy and you're gone too. So he might have his own four star at Cyber Command and his own chief at NSA, a civilian chief at NSA. And that's appealing to someone like President Trump. One of the things I struggle with because if you
had asked me over eight years ago, I actually had this was a theme for my students to debate and it was their final project that they had to do when I was teaching at GW many years ago and and there are strong arguments on both sides. If 10 years ago I think we didn't lean forward. So the guys who and gals who stole secrets for a living never wanted to compromise exquisite means or a technique or a zero day or whatever fun terminology we want to use. The I Got a Secret world was running circles around the Title 10. Yeah. Combat World. I think we're seeing a slight shift in that. And the question I have is do we have the men and women to be able to provide for the intelligence? Here's the bottom line. NSA is a combat support command for all the other COCOMs. Yes. Special Operations Command, Central Command, Africa Command, Europe, etc., Pacific obviously. But do we have the people is the question. It seems like we're struggling. We're all fishing from one pond and. Right. And I'm okay with the intellectual argument almost either way. Yeah, yeah. Smarter people than me can come up with that. Right. What I don't want is to stymie our ability to do things right. And, and if it slows down, if you want a more lethal Pentagon. Yeah. You better have the capability to do that. Exactly. In terms of the workforce. The whole dual hat
debate, especially now that this might happen is this opens Pandora's box for questions. If you were to go to NSA right now and sit at a table like this one with 10 other people from the fort from Fort Meade. If we went like who are you with NSA? Who are you with Cyber Command? Who are you with NSA? How do you start. How do you start separating those people out? How do you start paying for those billets on either side or for those sellers on either side? And it's just, it's Pandora's box. I was talking to members of Congress for the. When I was writing the transition story, and they're like, no one has thought this through. If you do this. Like, no one has thought this through. Now, one argument that has started to fall flat a little bit is Cyber Command saps money and resources and people from NSA. That's getting better. I feel like U.S. Cyber Command has been given budget like authorities or service like authorities. I should say set their own budget so they can. They've. They reimburse NSA for manpower hours and things like that. So that argument's starting to sound a little hollow. But in terms of like, how do you take these two apart? How do you keep the right people in there? How do you attract people? It's all. No one's thought this and ensure you
don't lose capability. Because I, this is Frank Cilluffo's opinion. I'm not putting words in Martin's mouth here, but we've got to defend forward. At the end of the day, yeah, we're not going to defend and firewall our way out of this problem. The question is, where are we going to get that capacity and how long will it take and will it impact our ability to have the outcomes we hope to have, both in the cyber domain and every other domain that cyber touches. Right. That's what
the evaluation is supposed to look at. But again, it's so vague, that Secretary has got to just be like, no, it's fine, everything's fine. But then, okay, so how does this work? No one really knows. And it is interesting for Trump and DOGE, even though it had two heads at first, now it's on the one head. Efficiency, government efficiency. And now you're going to take one person's job and put in a two and you're going to separate all these other people's jobs. And the domino effect, the cascading effect from that is interesting. Never thought about it from that perspective. Did, did
Secretary Hegseth give any indication during his confirmation hearings? I, I didn't track him as closely. I will say sat through that whole hearing and the word cyber was
not uttered once. That was a bummer. But like I said in his written questions, which are available online, if you go to the SASC, he said he would bring it to a conclusion and he would bring it quickly. So whatever you want to read into that, you can read into that. But I would say in his hearing, he didn't really show much. A, A want. Indication. Indication. Indication one another an indication disagree with the President. On certain national security issues. So this is something that President Trump tried to do in his first administration and people are advising you do this administration. It all adds up to again, not to lead the witness, to use your phrase, it leads up to. It might be the dual hat might be over as we know it might be over. And again, I'm agnostic as long as capability is
and I hope that is part of the deliberative. Yeah. And I'm agnostic because I'm
a reporter. So. Yeah, true that. True that. So let's jump to another topic and
you've done some really interesting reporting and I didn't see many others report on this. And it's more looking at the broader role of State Department and former ambassador Nate Fick in terms of and I don't think we have a nominee for the current role but looking at the diplomatic role of cyber and most interestingly, I thought you wrote a, a phenomenal piece on FALCON and rather than steal your thunder, I'll let you talk about that. Sure. FALCON, please don't ask me to spell out that acronym. Not a worry, not a worry. This is the first two but after that I
am lost. So there's the Bureau of Cyberspace and Digital Policy at the State Department. It's only about, it's not even three years old. I think April is its birthday. In the past couple years they have spent since being established doing the pick and spade work of what capabilities can we the State Department bring forward and how can we potentially win hearts influence minds through cyber diplomacy. There, there I had a story. You have it up right now. They had about nine programs back in September. I think that might change in the future. But the premier one that they're talking about is FALCON and what this is cyber incident rapid response and not just by the State Department. They're, they are bringing along the private sector to do this. That's the story I wrote just a couple weeks ago or was it last week but about Costa Rica. Costa Rica, Yes. Costa Rica was the first. So what happened was the day before Thanksgiving the there it is there RECOPE which is the state owned oil refiner for Costa Rica realized they were under ransomware attack. Now we had helped
and Costa Rica paid a big price in the past. Yes, yes. We helped them
out with Conti back in 2022. They were down for months. The whole government was down for. Really down. Really down. Yeah. Like writing. Exactly. Pen and paper operations throughout. So they realize under they're under cyber attack. On Wednesday they call Ambassador Fick saying, we need help. By Thanksgiving night, you have a couple State Department employees and. And people from two private sector companies on their way down to Costa Rica to help.
You're talking like 30, like a Go team. Exactly. It's like 36 hours down to
Costa Rica. They were down there maybe 10, 12 days, then some virtual help after that. There's still some virtual assistance going on. But for all that to get them back online, and by the way, they avoided a catastrophic. This would have been catastrophic if they couldn't get these systems back online. As it was, some tanker trucks were backed up at oil stations, some payments had to be processed. But RECOPE is the only company in the country that can handle airplane fuel, that can handle fuel that's being brought in from the ports, things like that. So it's all just. It could have been terrible. Big deal. It's a big deal. A really bad day. It was a strategic target by the ransomware operators. Absolutely. And does this buy us love? And I
don't mean to be so blatant. Oh, sure, but. But I think at the end of the day, bringing something unique to the table to help others will have. Will pay dividends in other diplomatic areas. Yes, no, absolutely. I think that's the whole point,
is by showing up as a friend, Genuinely, Genuinely as a friend. Because isn't that one of the knocks on China's foreign policy over the years is they always want something in return. Transactional, Exact transactional. So if we're showing up as a friend and helping you out, and by the way, this whole operation costs probably like less than a million dollars. I think that's a good news story. I talked to people down in Costa Rica who were like, this is exactly how programs like this, how cyber diplomacy, cyber foreign assistance should work. And by keeping at it over time on a variety of fronts, not just FALCON, like I said, there are nine programs. FALCON's one of them. We demonstrate the US demonstrates its value on key issues that we might not have in the past. So that China might have traditionally. Awesome. So you brought
up China. How do you think we could look at this strategically to maybe counter the CCP's influence? And I think by and large it is much more transactional. But if you have lots of transactions, that makes for a tough, tough environment to push back on. I think I agree with you there. So I think that maybe there
is a little something not so altruistic about this policy because one of the efforts is about laying undersea cable, something that's become a massive target around the globe. They're being cut all the time in Europe. And now Swedes are getting pretty vocal
on this, right? They are. It's becoming an issue. Some of my colleagues have covered
this very well, for the record, but one of the first uses of the undersea cable was in a little South Pacific nation called Tuvalu. And it's a little specific little island, South Pacific. But they didn't have an undersea cable before. Now they do, thanks to the US now in the US it was a multilateral mission with Australia, New Zealand, Japan and U.S. so now it's not only are. Is the U.S. showing up to your front, but your neighbors are showing up to be your friend. And then another thing that I mentioned in the, in the RECOPE story is another effort is a. Is about training others on malware threats or about other online threats. So they held workshops for members of the Vietnamese government about various North Korean online threats and how to handle them, what to look for, things like that. So sharing that knowledge is also helpful. And, and just to maybe help some of our viewers and
listeners undersea. A lot rides over these cables, right? Can you. And at the end of the day, it's irrelevant whether you do something through cyber means or you use a kinetic, more traditional IED or whatever it may be, or anchor to take out a critical infrastructure. But just for our viewers and listeners, most people don't think of undersea. They see space, they see land, obviously they see cyber. But can you help us? Just. I would say, in addition to those examples you just gave about space
and sea, I, I would say that undersea cables are part of the backbone. They
are the back. They are the backbone for connectivity in the world, especially to small
island nations. And if you're talking about the South Pacific, you're talking about Pacific, you're talking about a lot of nations out there that without these cables are not going to be able to have connectivity, which take away connectivity. We're talking about the conversation here about Volt Typhoon, the catastrophic damage that could have been done if they decided to just flip a switch when all of a sudden you can't. Gas stations don't work or something like that. Imagine that, like not having connectivity. Fill in the blank about how bad that's. Can you send a distress call? Can you defend your country?
Bad situation. Worse. Exactly the potential for that in itself. It's a bad situation. Now there seemed to have been. Maybe we're just paying more attention, maybe we're being a little more vocal about it, but, but I feel like we've seen a lot more incidents of trawlers and potentially allegedly commercial shippers accidentally taking out undersea cables.
It does seem to be on the rise and I think that's one of the reasons why this is now a State Department program to take care of this or Russia and China. Russia and China. Yes. Is the State Department is seeing this rise happen and undersea cables are not cheap like we. We couldn't afford that. I say we said the US alone couldn't afford to start funding undersea cable projects all around the world. But if we can work in strategic areas like the South Pacific or in parts of Europe. Yeah, yeah. With. With other partners, make it multilateral again. That shows the value the US brings and gives an alternative to what a. Country Turning
to China. Yeah. During the turning to China. Yeah. Last question is one that I don't love talking about but norms. You've written some interesting pieces there and here's the truth. At the very least it should be a do no harm. If you've got 100 diplomats from one country and we're bringing one, that's not an even playing field. But what are your thoughts there? I think that there is. They have a
lot of work. I think the department has a lot of work to do. I think that the Bureau is only less than 3 years old. Like I said they have no. Do they have the resources you think? I think they do. I think that because of the 2022 CHIPS Act and then their baseline budget and then Congress has set up the Bureau specifically with a 50 million dollar reservoir of money they have a chance to at least get out the now whether that is sustainable over the next three to five years we'll see. I wrote this weekend that you know the cyber diplomacy funding is basically on hold. As we as I as are a lot of as we found out this morning a lot of things are on hold all of a sudden but that one seems to be clear that Secretary Rubio is doing a 90 day review and if you're looking to counter China, if that's the argument, if that's what the state goal of the administration is to compete and compete against China. These seem like all the instruments you need all the instruments and you need all these programs. But again agnostic. Just a reporter. But if this is your stated go looking at what these programs do. Yeah. We don't know what the
outcome of that is. We do not yet. So Martin, you've covered a lot of amazing territory here. Any other pieces in particular and or questions I should have asked That I didn't. That's funny. It's usually one of the last questions I ask interviews
is like, are you scratching your head about, like, why is he asking me about this yet? But I think that one thing that we're definitely keeping an eye on, I think a lot of people are, is cyber nominees. We have none. We have no CISA chief, we have no Cyber Director, we have no National Cyber Director. We don't know whether Anne Neuberger was the head of cyber for the NSC. NSC is
going to handle how. How it's going out. We just. We still just don't know.
And I was thinking about the other day, about how much guff the Biden administration came under for not naming an NCD. This is back during Colonial Pipeline, not naming NCD for a couple of months and things like that, and not having a CISA director in place. But here we are, we're dealing with these typhoon hacks, we're dealing with all these other things that we've talked about, and we're just not seeing. We're seeing names on the ether, but they've been on the ether for the better part of five, six months now. And there seems to be no hard timeline to get these people in at State, at CISA, at DoD, we'll just see. So I think that's something to really pay attention to and just to double. Down and emphasize cyber
matters. So at the end of the day, if you went through a whole confirmation hearing and couldn't have one drink, when they say cyber, that's a drinking game. That's. That's also shame on. It's a broader set of issues. It is. I was, I
will admit, my secret heart here. I was a little disappointed. Senators King and Rounds, I was like, here come my guys. They're gonna ask the cyber question. And they didn't come around. I was like, oh, so then once that happens, then I don't think we're gonna hear about it. And so turning the questions, and that's where I found the dual hat answer. But yes, cyber matters. I just don't know what the administration's priorities on immigration and, and fiscal policy and whatnot. I just don't know when we're gonna see these people. Martin, continue shining light on big important issues. I hope
we'll have you on again, either on the podcast or in a different format. And thank you for fighting the good fight and making us smarter. So thank you. Thank
you very much for having me. Thanks, Martin. Thank you. Thank you for joining us
for this episode of Cyberfocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.