Podcast Episode 84 - Ransomware as a Service (RaaS)
Jacob: All right, Matt. Why don't we start in a slightly silly place and then we can back into seriousness from silly because a couple of months ago we had Emily on the podcast and she and I were arguing about the cybersecurity risks associated with TikTok.
I took the position that the Chinese government can find as many of the videos that I sent to my wife and my other friends as they possibly want.
I don't see any cybersecurity risk whatsoever unless you're dumb enough to be in a top secret government installation and you're on a network and you're using TikTok. Are we really that concerned about it?
Since then we've had these mega hearings about TikTok and dragged TikTok executives in front of the house andeverybody's focusing on this thing that, to me, feels completely unimportant. So tell me, what should I give a frack about this? Or is it really just meaningless and we should be looking elsewhere when it comes to the very real issues that there are with China and cybersecurity?
Matt Pines: I think TikTok is a serious issue, but I would not rank it near the top of list when it comes to either, either the bilateral relationship and the sort of structural and strategic challenges they're in. Nor even at the top of the cyber specific sort of subdomain of that strategic challenge.
I think relative to its overall importance, it has gotten much more play than it deserves. But that doesn't mean it's not necessarily important? I view it, more as a symptom of this larger condition that the relationship is suffering from for a whole host of reasons. And so I find it revealing.
More for what it says about those larger, that larger context than about, say, TikTok per se. And in particular, the movement that has, generated as a result of those hearings and kind of the political momentum that has been seized by folks inside the Senate, in particular with things like the Restrict Act and other bills that had been in motion were put to the fore using the sort of media attention that, that hearing gained to then justify what are much more strategic and much more sweeping sets of technology restrictions, capital flow restrictions.
So there's a whole movement to. Impose constraints on the bilateral flow of capital of people, more restrictions on technology exports, national security reviews of those across border investments. So that is really where the action truly is, in my opinion. That's like the most significant development in the past few months.
TikTok is, I think, definitely generating more headlines but it's a symptom of that larger trend.
Jacob: All right. And listeners, you won't experience this because of our seamless editing over here, but apparently China was listening to my little diatribe there, or Matt's answer, I'm not sure which.
And completely short circuited, it looked like your computer to me. Maybe an electromagnetic pulse hit your office, I'm not quite sure, but we're back and I wanted to come back at you. So if you were controlling the house agenda, if you wanted the American people to have one cybersecurity issue with China that was emblazoned on the front pages and that everybody was talking about what do you think that most important issue would be from a US perspective?
Matt Pines: So the thing about cybersecurity is it's more a domestic issue of just like getting our own stuff together then necessarily is a China issue. Certainly there are specific nation state threats to a wide range of industries that China has a strategic interest and objective in targeting specifically for IP theft.
And those companies are the folks that, we engage with, professionally and they have particular interests in mind that they need to bolster the security programs, but for the wider kind of national mass public awareness, it's really just understanding the basics about cybersecurity.
And that's not very sexy.
That's not like China's coming to get you, right? It's just not getting scammed, not getting spearfished not getting your credit card stuff sold, not getting your bank account hacked, like China is not trying to target the median American. Where these things really trip is less in the cybersecurity specific domain and more in the structural relationship between US and China that the median American is not aware of necessarily, but has certainly benefited from the past 23 years of globalization, right?
Like this basic economic arrangement that has been built over many years. redounded to the benefit of say like the median consumer, while it certainly led to the erosion of say the manufacturing base in the country and left the summit strategically challenged when it comes to, mobilizing or defense industrial base.
But that is really where if you were trying to like draw attention. And it's really more this is the fundamental contradiction that we have to resolve as Americans, which is, we have this China-America economic system and production system for global trade that we have, really benefited from.
And yet at the same time, the political momentum on both sides of the Pacific is starting to pull away from that. And the sort of quote unquote decoupling or de-risking momentum is starting to run into inherent tensions between commercial pro prerogatives and objectives that, sustain global commerce and strategic political objectives, military objectives.
I don't know if we've really had an honest conversation with the median American about what are we really willing to do to, punish China, to hold China back, what costs are we willing to bear in order to achieve that, national strategic. And where are those tradeoffs and what are we willing or not willing to do?
And in particular, this gets, really into those, the Taiwan scenario, right? Because the media, American Light's getting the, like the next iPhone, right? What are they willing to go to war to ensure they get the next iPhone, right? These are the implicit trade-offs that, we want to prepare the ground for.
So there isn't this all of a sudden strategic crisis and you've gotta either mobilize national unity to defend Taiwan and some, acute contingency or you don't. And I think that is really where I would focus the conversation. Get a password manager, do the basics.
Don't fall for dumb tricks. Cybersecurity basics, right? If you're a corporation, certainly be much more well attuned to. The widening bullseye of nation state targeting for your IP and just general economic espionage. And then this more strategic conversation about what is this future of our bylaw relationship, what are our trade-offs and be politically honest about those things.
Jacob: Yeah. So we're recording Friday, April 7th. This will come out on Monday. Apparently this three day patrol that China announced in the Taiwan Strait should technically be over by now. They said they were gonna inspect ships in the Taiwan Strait in different parts of it. Doesn't seem to me that they've actually inspected any ships or gone there, but it was new for them to say that.
And as followers of Mule know, I freaked out about that a couple days ago cuz that cuts against a lot of things. But I think you raise an important point, which is what if China had bordered a ship or what if it boards a ship here in the next three days before this podcast drops? Taiwan has said they want to go help defend whatever ship gets boarded.
The US has a carry battle group in the region cuz we were exercising with Japan and South Korea. Is the US actually going to go risk the entire global trade system and everything else? Because China bordered a ship in the Taiwan trade, we're already seeing fatigue about sending money and weapons to Ukraine in a much more sort of black and white conflict between sovereign nations, where we recognize both parties as states, let alone this kind of weird Taiwan thing.
I could talk about the Taiwan issue all day. I don't think Americans at all understand the trade-offs that we're talking about there. Maybe I could ask you to put on how do I wanna ask this question? I want to flip the question on you and say, let's say the Chinese Communist Party approaches you and wants to talk about cybersecurity.
And you're talking about, obviously, you have to don't get spearfished in China. I'm sure there's a way more actors in China that are nefarious trying to hack bank accounts and this, that, or the other thing. But if you were thinking about it from China's point of view, do they have similar concerns?
Are they worried about the United States and corporate espionage on their top trade secrets? Is there any kind of balance there? Or is it really the question I'm trying to ask, I'm trying to see if from their point of view it looks the same or if it's completely different or, so we have all the techs, so they're trying to crack into our intellectual property safe house? Help us understand what this looks like from the Chinese perspective.
Matt Pines: Certainly I think there's a historical analog, which is, a rising economic power and political power, challenging the status quo power, right? That has lots of dimensions, but this particular one is all about, the leading edge of whatever the industrial technologies of the, of that era are. Where the focus of a lot of, state and sort of state adjacent economic espionage takes place. And then we saw this, back in the industrial evolution era and, us essentially copying and stealing a bunch of British technology to, invigorate the, our own domestic economy.
This is just the way things are done, right? If you wanna put the neutral, objective, moral moral hat on. I think from China's perspective, they see this as. Their way to accelerate up to get to the level that they think is historically justified that they were held back artificially by the west.
This is their sort of national storyline and that, all these things are justified essentially to bring themselves back to the rightful place that they think they deserve. I think there is a qualitative, and of course, like we fundamentally, do similar things at the state level to engage in, in espionage.
We don't do, at least as far as I'm aware, this type of like broad scale IP theft and in particular, because most of the IP we hold. And we just don't have the production processes, right? So China dominates most of the production. They're trying to climb the value chain. So structurally they have a mo, they have the most significant interest in acquiring that next piece of the sort of value chain ip and start to do some of the technology transfer activities.
So their whole sort of economic system is really predicated on this to a certain extent. And they have a really sophisticated apparatus. It isn't just purely an intelligence. Organs. It extends throughout their industrial and technology bureaucracies, their science and technology, their academic labs, their state-owned enterprises, the military, it is really a whole of government and strategic objective to to achieve the commanding heights of the of the sort of next generation technologies.
And they have set these strategic plans marking targets for where we're gonna go after certain advanced technologies. And we want to create, domestic national champions that are, global leaders in these key industries. So it is a qualitative difference.
And from the United States perspective, we see it as a strategic threat from, they see this as this is just the 21st century, economic great game played just the game that, all the other great powers played. So we're gonna play it just using 21st century tools. Yeah, that's, that, that's their perspective.
But the sort of the asymmetry in terms of who's targeting who, at what scale. It is clear China. China, by far, order of magnitude from any other peer actor in the system. The global system is just on a different level, right? They have, you can imagine there's. You think there's like a size that they won't go right in terms of a hundred percent company that's like a startup that has some interesting, ip say some aerospace thing.
It might be 50, a hundred person company. You think they wouldn't, target? No. They might have a dedicated p l a unit, like five or 10 guys and their sole job 24 7 just to get on those people's networks, persistence and just see everything they're doing as long as possible and not just hack them and shut them down, but just to monitor their whole progress and then feed everything back into the internal Chinese ecosystem where whoever like an internal marketplace essentially to sell that information.
So it does a very systematic global effort. And it's, yeah it's quite it's become now I think much more important, especially as this sort of decoupling tension has and I think will drive China. More towards that type of more covert activity, whereas before it was much more overt joint ventures, right?
Just doing partnerships with Western firms and just having conditionalities for giving access to that IP as a, as a condition of getting market access. Now that, one, the risk of operating in China's gone up post covid, everything else that's happened in relationship, the opportunities to facilitate down technology transfer through those other, say like more white side mechanisms are gonna be more difficult.
And so this is gonna force them to be much more aggressive on the sort of covert side insider threat economic espionage facilitated by cyber means. It's only gonna grow.
Jacob: Yeah, we had John Minnick on the podcast earlier this year and he's literally getting his PhD in technolo in technology transfer between US companies and Chinese companies.
And some of his research is actually really interesting because it shows that for the real important stuff, for the real high value stuff, It just hasn't worked for China. Like a lot of these US firms didn't want to give them the most important things. And now that you're in this environment I take your point about them wanting to push back.
I have two other questions I wanna draw out from there. The first we'll stick with China cause I don't wanna only talk about China cuz China's not the only actor out there and is probably soaking up too much of the oxygen. But I do want to ask in the context especially Nearshoring, how from a cybersecurity perspective, maybe US companies should be thinking about this.
The example that I always come back to is a country like Mexico. So if the United States is really gonna nearshore, Mexico is the ace in the hole. Mexico is the thing that makes the whole nearshoring process even feasible and realistic. We can talk about the specifics of why, but Mexico, even though it is overwhelmingly dependent on the United States from a trade and economic perspective, it doesn't necessarily like that.
It would love to have some kind of counterbalance at all. And when you start get into who are they using Huawei equipment for their 5G network? Are they going to solicit cooperation from Chinese companies? Things like that. Does it get to the point where if you're a US company and you're active in Mexico and there are Chinese, entities or officials or companies running around Mexico too, is that just a back way to get everything that you want, that your company could be absolutely perfect, trained in, in finding, making sure none of the Nigerian princes hack your mainframe but then you're in Mexico and suddenly the whole thing goes.
How is that a pressing concern? Because in some ways, that seems to me to be the weakest link here for the United States. It's much easier to play offense against one country than it is to play defense in countries everywhere across the world. So much so that it almost seems like a fool's errand.
Matt Pines: Yes. And in general, like the tagline is, as you change geographies, you change your threat vectors. But some say the same and some get re reintroduced, some new things get introduced. So Mexico specifically, there's about technical risks. There's like insider or third party risks, and there's like political and operational risks you would, that you would consider like specific on the technical side.
Much of the Mexican internet runs on PRC made kit, right? So that makes a technical environment for backend collection, like unchanged relative to the prc. So if you were a target of the prc, like moving to Mexico, wouldn't make their job any harder, right? That's like the bottom line.
Doesn't make it any easier per se, but you're not necessarily just because you're outside of say the, like the Chinese internet, their kit is basically running domestic internet. So if they wanted to target you, it would it. Very straightforward. And Mexico remains very reticent politically to jettison that PRC kit specifically specifically Huawei from their network.
So that's more likely gonna remain, an ongoing sort of threat factor. They're also like new risks that get introduced. So like insider third party risks in particular. You decrease the chance of like technology transfer through this sort of joint venture, direct access, et cetera. When you're operating in China though creates new kind of local insider third party risks, not necessarily to China, but to other say, criminal groups in particular in that operate inside Mexico that have maybe a different interest but still pose a threat to compromising your operations, stealing your information, maybe, redirecting supplies, right?
For criminal activities. And it also, if you are a target for whatever reason, PRC can increase like we call close access operations to obtain information that they want to get. Now that's on, that's like probably low on the threat level for most companies. But operating in Mexico is not a denied area for for China.
There's obviously like the operational disruption risks depending on where you operate in Mexico, right? There's like Monterey and the northern area that's kinda the green zone, right? That all the western companies are going into. But most Mexico is you look kinda like the state Department travel advisory.
It's all yellow and a lot of red, right? And depending on where you're setting up makes a big difference and depending, and like everyone is clustering in a handful of areas and the government knows that. And so you're setting yourself up potentially some constraints, right?
Because you've got limited freedom of maneuver. There's lots of, say kidnapping or ran some sorts of risks. On the cyber element, one thing that hasn't been well studied yet inside the cybersecurity community is the cartels movement into cyber crime. Most ransomware activities are dominated by Russia and Eastern Europe.
And mostly Asian criminal groups South America and Mexico. Central America hadn't really gotten too much into the ransomware game. I believe, I think it was Mandy and put out a report, maybe been late last year, earlier this year, identifying a group called FIN 13 which has interest in leveling themselves up in cyber crime and targeting specifically in Mexico, targeting targeting corporations.
Now this is, not necessarily like across the board, but it is a trend that's increasing. One thing that I worry about, and this is just more speculation, right? So this isn't part of the like mandate reporting or anything like that, is that the groups that are currently running most ransomware activities globally are, they that was their first entry into criminal activity.
Like organized crime was basically, and it's become very much like a platform as a service. Like ransomware become like a very low bar like barrier to entry for anyone to get in the game at different scales and become an entrepreneur in ransomware and start with one or two kids and then, grow your operations as you scale and get more sophisticated.
And it's pretty easy to get access to tooling and pretty advanced capabilities. It's very sophisticated to global criminal marketplace there. But that's like their first entry into almost our guy's crime in the cartel world. That is like taking folks that are like right now doing much more violent crimes.
And then moving into cyber crime, I don't think we have much of a good case study of what other sorts of tactics, would accompany ransomware, right? Especially if you're operating locally in an environment where they have like physical access to you and your company's operations.
Like this idea of ransoming, just, I'm gonna brick, your systems could come with other threats that could be credible and that hasn't been necessarily materialized. This is more speculation. But this is something that, I think folks coming into Mexico, like Mexico is not the NAFTA days, right?
It's a very different political environment and China's been particular like cyber threat, isn't necessarily gonna be fully mitigated and there's gonna be some novel threats that you may face locating there. This is to say that like it's a no-go zone or this should stop you from doing this sort of near Shing.
There might be other business reasons why that makes sense, all things considered. But it's a, it's an important risk that I think most C-suites may not have fully internalized. Especially if this sort of mental model of Mexico is, baked from like the late nineties.
Jacob: Yeah. That metaphor, ransomware as a service is and I'm gonna try and make that the title of the podcast. We'll see if my producer goes for it. I have this vision of a version of Shark Tank and these hackers go on and present their ransomware entrepreneur platform to four sharks, and they're like, oh, I really love this.
I'm gonna fight over it. Are there any places that are like what are countries from a Nearshoring perspective? Are safe, that are if you're, if your top concern is, yeah, like security or intellectual property, and it's not Mexico, what's on the dart board, or is it really just, it's probably the cheapest state you can find in the United States.
Matt Pines: It's interesting. So like the nature of the internet is that geography becomes less of a first order function driving your risk, right? Obviously if you're operating in China or operating in countries that are using Chinese kit, and if China is the top of your threat and your threat model, like their top of your list, then you would wanna avoid those countries where, you know, that backend infrastructure is still there, right?
And so you could look at where the public internet is run by you. You can look at co countries that are, members of the Shanghai cooperation organization, which, usually implies there's some backend military intelligence relationships. It means that those ju jurisdictions are likely gonna be very permissive for Chinese intelligence, operations, et cetera.
So there's certainly you can map out certain areas and say, okay, if China has my main threat, then these are countries geographies, maybe I wouldn't wanna, locate like critical critical servers, et cetera. But if you're a target of a nation state actor they're not gonna let that be an obstacle to to, to getting to you.
And so there it's more about, okay, thinking about your own internal security program, how you've structured, your different, measures to protect what you need to protect. And that's more basic cybersecurity stuff, right? And it's geographic agnostic. Where do you put your crown jewels?
How do you have, how do you control access to them? These sorts of things are standard business security, cybersecurity programs. And you have to think about geography, but at a certain point, that becomes less relevant than just specifically what, how do you design those security programs?
How do you test them? How do you ensure that the, they're keeping up to date with the relevant threats that you have to prioritize?
Jacob: Is there...? Going back to the ransomware question for a second, is there a historical analog in human history for what you were talking about, Asian financial groups or, groups and cartels and things like that, who can use ransomware, non-state actors that can really go after both states and corporations with this level of sophistication? Steel things? Are they just modern 21st century data pirates or is there something really qualitatively different about organizations like that? Being able to use the internet and use technology, to your point, to, to make the advantages and constraints of geography disappear?
Matt Pines: It is actually a fundamentally new sort of threat to businesses. And it is one that is, you can just people become numb to the headlines, but there are like billion dollar, or at least several hundred million dollar ransomware attacks on major multinationals like almost weekly.
And these can be, these can have pretty, substantial effects on mo on entire industries, right? There was a semiconductor kind of like niche for, I think it was called mks, that suffered a ransomware attack. It was pretty severe, shut down their operations for like multiple weeks.
And that cascaded through the industry because they manufactured like a critical component. And because their shut operations were shut down, like they weren't able to fulfill orders for a lot of their, a lot of their customers. And those customers then had to make, updated filings and it became, Probably, billion dollar plus incident didn't make like most of the headlines, but that happens a lot.
And a lot of companies are realizing like, this can be an existential risk to their business. And that is a new thing, right? It didn't used to have like this, like zero to one. All of a sudden now there's a new existential threat to my business. Like it usually would take like pretty catastrophic business decisions or you get nationalized in a coup.
Or there's certain things that like, would be really extreme for like your business to just go to zero, right? Ransomware does pose that threat to some companies to an increasing number of companies and. And that is something that a lot of corporate Americas had to grapple with over the last few years.
And you're seeing a lot of movement now happening most on the policy side, the regulatory side, on the national kind of security side. Cuz we're realizing this is now taking on increasing national security dimensions. And it's become such a, such an important significant threat to, ma many multinationals that like, it's starting to shift our overall posture to how we do defend forward cyberspace operations, run by the National Security Agency cyber command, et cetera, to proactively disrupt those oper those criminal gangs.
As like a matter of national security. So like going after criminal groups using like the military cyber capabilities like this has happened before. It's now becoming much more system aat. What's interesting also in the recent national security, the national cyber strategy that was just released is there's a, this is one of the five pillars they identify, which essentially disrupting adversaries including ransomware groups which are considered like, like Russia, China, like these are, like, they put them on the list of like major cyber adversaries. And there's some language in there that essentially Hal Harkens back to you may use like the pirate metaphor like letters of mark almost, right?
That there could be developing essentially this ecosystem of nonprofit defensive organizations with really advanced cyber capabilities that private industry could eventually be, to use, to defend themselves proactively against criminal groups. So this is very much in that sort of, okay like trade is developing and the, the pirates off the Barbery coast are attacking us.
So we need to like, ha have our own, cyber mercenaries essentially to guard our shipments of data as it goes through, the the, the digital seas. So to speak, that's a terrible metaphor. But this is this Darwinian process of evolution where the threat has grown so dramatically, such a threat to to, to major businesses that like, and the government can't, doesn't have resources, defend everyone, right?
And so this is this creating this really complex dynamic at play where the, companies wanna protect themselves legally. It's a lot of gray areas, right? Are you violating, laws by hacking some other system and what are the terms of that? And that's increasingly being tested, the line about what is permissible for, say, private a actors to do, to proactively defend themselves against these sorts of threats is moving.
And we're testing each limit of that line. So yeah, it has become, it's become a major issue. A lot of our clients ransomware is one of the top threats to them, right? And they always wanted, they need to have a plan. They need to have a way to understand it, the C-suite and the board level, increasingly the SCCs putting out new regulations that require that are the, that like for public companies, they had at least one member of the board who's like the cybersecurity, has cybersecurity expertise.
And this is like increasingly drawing attention of most regulators. It's a major issue. Like we've, we have some private equity clients and. They wanted to know, right? What do we do if one of our portfolio companies gets popped by ransomware? And it was really enlightening to do those exercises and walk them through.
And then all the sort of directors, main directors, I have a realization that, oh, this goes from like a, like an annoyance of my otherwise very busy day to being like, existential to my job because uhoh, like my investment in that, like this is my p and l could go to zero, right? Very quickly. And that tends to focus attention.
And so that re realization is happening more and more. Hopefully you had the realization before you face the acute existential crisis. This is lot of what we do is try to help, focus attention on these things before you get in, in, in a bad spot. But yeah, it is a big, it is a big issue.
Jacob: Forgive me if this is a dumb question, but Because it start, I cuz I, you could listen to that and probably listeners who were like me, who were not extremely well versed in cybersecurity will listen to that and throw up their hands and be like, then I'm just screwed. If somebody wants to come after me, if they have enough resources they can come after me.
Is there anything you can do, like from a physical perspective, let's say a small country let's say Guatemala wanted to become the cybersecurity safe haven of the world. Is there some way that they could like, build physical infrastructure that wasn't connected to the rest of the global internet or something like that, that would allow them to like, control everything on that network and protect against hackers?
Am I just in a completely utopian you don't understand how this stuff works kind of situation?
Matt Pines: Yeah. It's, I mean in a global internet, which is functioning like global services trade, right? Most businesses now are internet businesses in the sense that they buy and sell services and some goods along the way.
And that finally means you have to be connected. You have to have suppliers, you have to have clients, you have to have open access. Innovation comes from having scale and having access to, all the key markets. So if you're just like, trading in a, semi AAR zone and you don't need to have global internet scale driving your market, yeah, you could probably set something that up.
But in general, like most corporations fundamentally have to be global networks, right? That's like the business model now. That model of of global operations then really doesn't work with what you call like a fortress mentality. Can I just put big, bigger walls around my operations?
Fundamentally, this is moving what's called zero trust architecture, which is like the cyber security buzzword and doesn't really have a canonical definition. But generally means is like this idea of there being like a solid, periphery that you control the endpoints and then everything inside is trusted, everything outside is untrusted.
It's moving to a lot where you have layered defenses and you have really tightly structured permissions and security controls around certain parts of your network, data, tools, etc that are really delimited and that have, they're tightly structured so that if you get compromised from any particular area, doesn't mean your whole business goes down.
So fundamentally you can protect yourself and you can mitigate these existential risks by doing some kind of common sense things. They take time, they take attention to implement, especially in large, complex organizations, but you can, it's not like you could just avoid the threats coming. It's more how do you prepare to mitigate these tail risks and turn something that would always be an existential event to your business to being just like a bad week, right?
And that, that is really a lot of what, in the cybersecurity world is all about is like, Turning something from being like a catastrophic risk to being a manageable risk. And you can do things that are pretty practical and cost effective. To that end. And that gets more technical.
And it depends on the nature of the business, right? Do they have all on-premise services, or use the cloud? How much of these third party how much third party dependencies do they have? That's where it really gets into the, so the nitty gritty, a lot of what we do.
And that, an increasing risk. A lot of companies are now having to repost for a target that's always changing, right? Cuz the technology landscape is changing a lot. A lot of, companies are becoming more digitally enabled and these dependencies are growing and a lot of companies aren't just like building their own tech stack.
They're bringing in vendors to provide different services for them. So like a company now has to buy a stack of lots of other different products from other companies. And so you inherit the cybersecurity vulnerabilities of those other companies by plugging their products in to your product, to your business value chain.
And sometimes those can be like the most significant sources of compromise, right? So that was the big SolarWinds compromise a few years ago, which was this, no one really had heard of them unless you're like, operating in that space. But, their software was used by all the Fortune 500 and most of the government, right?
And so that became a vector for the Russians to put in essentially backdoor and get into a whole bunch of networks. China has done something similar with other software vendors that are like, in the supply chain that like we call the digital supply. And this is becoming the new battleground in cybersecurity is okay, looking at your third party risk, looking at those dependencies, looking at your upstream and downstream, and it's not just, okay, who's attacking me, but if someone else, is being targeted, right? But we share, right? A, a key piece of software. That vulnerability that might be developed for that of the target makes me vulnerable too. And so there's this growing recognition. There's like essentially collect, like there's essentially collective action problem associated with hyper security, right?
And where does the division of responsibility and liability really lie? If you make a compromise piece of software, And you push it out to everyone as in an update and that, the Compromise Software, leads to, you suffering a billion dollar ransomware attack. Who's liable for that?
Right now it's not clear. There isn't established case law. This new national cybersecurity strategy, associate implementation plan is trying to shift the boundaries of liability more to the software developers, right? To make them have, to ensure and essentially commit to getting their software to be secure.
How that happens in practice and how that gets litigated. That's a big issue. But this is changing the landscape of a lot of those regulatory environments.
Jacob: And that also raises the question for me. I feel like when you're thinking about the future of industry and things like that, it's all artificial intelligence and automation and all these, internet of things.
All of which requires still more data flows over larger networks with more, as you call it, different stacks and different module, all this, all these other things. Is any of that realistic in this environment? Like how, like even artificial intelligence itself, that's a whole subject unto itself and we've only just begun talking about it on this podcast, but like we, we can't even secure the current system we have.
So now like we're gonna figure out some secure way to engage with chat G P T or other artificial intelligence sort of use cases like that just seems totally pie in the sky based on everything you just said.
Matt Pines: It can still happen and it could just create more risk. And you could just get into a world.
More and more things break and more and more business suffer these sorts of major failures. And it is just like a increasing sort of dead weight loss spread across the economy over time. And like we could decide, and it could end up being something we can keep growing in spite of, right? But you could get to a position in time where several percentage points of GDP are lost as a result of cyber crime annually, but you're still growing in 5 to 8% of G D P because AI unleashes massive productivity gains, right?
So you can live in this weird, ER's world where like the costs associated with this sort of increasing dependency and a cat and mouse game between expanding cybersecurity threat capabilities and, leveraging tools like, generative AI essentially, that are also being used on the defensive side to do more improved detection, monitoring, and instant.
response Which is what's happening now, right? Essentially both defenders and offensive actors are using these tools increasingly. And it's like everything else. It's a technologically driven arms race. And it's a raceto bring the latest kick capabilities in before you get targeted.
And this is why, this is gonna continue to grow. I don't think it's gonna, someone's gonna be in a position to, yeah. stand before for history saying stop, right? This is gonna happen. This is gonna be a much messier world. I don't think we're gonna have a lot of good priors to lean on to determine just how it evolves.
I think structurally though what this is gonna mean is gonna be much more state involvement in these sorts of things because as the costs accrue across more and more industries that are increasingly being seen through a national security filter of critical infrastructure Then the requirements to put in place, different measures are growing and those are only gonna be like a one-way ratchet of more state regulation oversight and in the limit like state control to defend, right?
But if the state's gonna defend something and put you inside their regulatory perimeter, then they need to control that perimeter. And so this is where you could see it gradually move towards more, centralization of commerce as, both like nation state threats and the general geopolitical tension drives, but also, The proliferation of more advanced tools to a wider range of threat actors in the global system that any individual company can't defend against in a cost, in a cost effective manner.
And so you need to, you need to pull your security, right? And that's the sort of definition of the state is like you monopolize the security function. Everyone agrees to outsource that security function to a third party and, give up certain controls over their, spear freedom maneuvering and decision-making in order to get that security right.
And this is, it's like a weird medieval kind of like dynamic, right? They're like, these different fiefdoms have to then pull together their sec the, their capabilities and they don't, this is a big tension though, cuz they don't wanna give up all that autonomy to the state.
And that's where you're in this move of like public private partnerships across these different industries and you have infrastructures in place already. They're called information sharing advisory councils for like many critical industries. There's a health isac, a financial services isac, aviation iac, et cetera.
And those are like convening nonprofit organizations where, you know, all the major players in a particular industry can get security briefings from the government. Information can be shared from the law enforcement intelligence community on, on threats and how to, defend and protect against.
them And so that infrastructure's in place, cisa, the cyber security infrastructure security agency. So my boss, was the head of that helps stand that new organization up. That's then their main kind of driving impetus is how to, again, like they can't control everything.
But how do generally uplevel the foundational level of capability in across industry, especially as, the levels of threats are gonna, are continuing to increase. Now AI is a new dimension to that, right? The question is how does that how does the pace of that change, really manifest the next few years?
And I think the lesson that I take away from things like GBT four is that it's gonna be much faster than I think, anyone thought. And I don't think we really have thought through the consequences of that. Not just in the cyber security world, but just in general right across society. And I'm pretty sure that this is be gonna become an increasingly salient political topic in the United States. It's gonna become more increasingly salient geopolitical topic because, AI fundamentally impinges on, hardware as well as like this intellectual property dimension that is increasingly subject to, state competition, if not outright, conflict dynamics.
And so you're gonna see all these things, I think, spin, spin together in a loop. And now they guy have, confident predictions about how it's gonna fall.
Jacob: I think you're giving in some sense, giving governments too much credit because, I go back to the TikTok point We're not talking about all this stuff in hearings.
This is not the stuff that the, that, to your point, that the median American is thinking about. The median American is thinking, oh God, the Chinese are gonna see what embarrassing video I sent to my coworker online. Like the literacy rate is gonna have to go up quite significantly. And I guess that's the other thing is this an ideal.
In the world that you're describing right now, it seems like authoritarian states would have a leg up. Because an authoritarian state can say, fuck the global commons. We're all gonna take control over these access points or whatever we need to because in the name of security of the state, we're gonna do all those things.
Whereas in the United States, or in any liberal democracy, first of all, much harder to convince people that they're not allowed to do things on the internet. I think we've all become accustomed to a certain amount of freedom on the internet. If you wanna get real philosophical about it, maybe that's why people spend so much time on it, cuz you can do things in cyber realms that you can't do in the real world.
So it really is this sort of manifestation of freedom, but also just look at the collective age and cyber experience of the House and the Senate and the White House doesn't give you much hope. That, even if they do have the best advisors in the world, was it a, was it the house where that that Congresswoman said she didn't know what CK was like. That's the level of tech literacy we're dealing with the people who are supposed to be making these really important. Decisions you're talking about in terms of a new regulatory environment for a completely unprecedented technological world.
I don't know, take that. It's not even really a question. It's more like a sigh of exasperation, but give me some hope maybe somewhere.
Matt Pines: Yes. So I think you're seeing a trend globally along a number of dimensions, right? So the macro dimension, you've seen this, the securitization of lots of other types of policy that wasn't previously securitized, right?
And this is most acute in the US China relationship, like the, trade war, increasing financial restrictions, export controls, like that's the most, like on this spectrum of intensifying the securitization of all these bilateral sort of policy dimensions that is like the most acute, but it's versions of that tension at Emrick are playing out globally, even between ERs.
Allies, right? Europe has a data protection law, right? The gdpr, the United States doesn't, and that has created a lot of tension between multinationals and which obligations vene others. And, this is an additional cost imposed on western companies, et cetera. And you have a lot of governments moving to essentially treat domestic data right as a national resource and put in place laws that try to restrict the cross-border flows of those data and and put one in place.
Lots of restrictions also on the use of their citizens data. For things like social media, training, ai, et cetera. You've seen Italy, ban the use of chat G p t. This is gonna become an increasing dimension. You could call it, either the balkanization of the internet, splint internet.
I think it's gonna be very messy. This has the software regulatory policy dimension, but it also has a hard technical dimension of the actual connections in the internet. Like which fiber optic cables are laid by which national, which international consortiums, right? And we're starting to squeeze out the Chinese consortiums and basically try to compete over who's laying, which cables to which populations and effectively who's got, which, intelligence collection on, on, on each other's pipes.
And that is this is gonna be a dimension of state competition, how that plays out in terms of like domestic citizens. Sphere of, what they consider freedom of expression. I think there's gonna be like a few layers down from that. And much more conditional, depending on which political jurisdiction you're in.
I don't think it's gonna be necessarily determined by the nature of the technology. I think, this relates to just where technology's going and does that net empower the individual relative to the state or vice versa? And I could see it going in different directions. It depends on a lot of conditions, like in general, periods of increasing state competition mean that the state tries to pull more resources.
And impose more controls on the private sector in general. And the limit of that is war, right? When you have war, the state is total, is a totalizing force. All resources are and personal, dis decisions are cons, are constrained in the interests of, winning the war, right? And so if we get to a US China war, like that's really bad for individual freedom, right?
In general. That's just how wars go Now up before you get to that limit, right? Though, as you increasingly try to securitize these dimensions of regulations and as a threat, landscape evolves to make, you relying on the state for protection. That also is gonna mean you to have to defer more to state authorities.
Now I also have another view that fundamentally though state capacity is, you pointed out right? Is is limited, right? And you could argue is in a more decaying mode than in a like reinvigorating mode, right? Like most of our institutions were post-war institutions, vertically integrated bureaucratic control structures to fight and win continental scale conflict, immobilize hard resources and fight and win those wars.
And we just were left with those for the past several decades. They were not designed to live in a 21st century, digital environment where these new sorts of technologies and tools are empowering various types of self-organized groups, actors, individuals that have much more capability than.
The state, had previously had the posture for. And so who's gonna win that race? Is the state gonna be able to like get back in the game as a nexus of institutions that actually have capacity to regulate and prosecute these conflicts in which model of governance can more effectively you know, instantiate institutions that can manage, the proliferation of these more widely like accelerating technology capabilities?
I don't know. China's pitch is that they've been able to model a sort of techno governance system that wield AI as a tool for surveillance and control, which is very attractive to many other countries in the world that want to have their cakey needed to want to have the benefits of a technological society without the risks of empowering, the individual to the, to topple their authoritarian government.
So that's their authoritarianism as a service. Being pitched and sold around the world. Things like Huawei, zte, e h, avision, the, their digital currency. All these things are essentially a package deal that they're trying to posture and pitch to, most of the world and say, here's a techno government stack.
You can essentially subscribe to it. You just have to, but now you're in the Chinese technosphere of influence. The US doesn't have a national plan to compete with their own stack. We have a disaggregated set of semi oligopolistic competing interests. We have the core infrastructure that we dominate but we don't necessarily control it.
And that's, that, that's a subtle difference. Yeah, that was a meandering answer to the question that really answer. Who's gonna win? I don't know. I it's hard to say. I hope the individual. I have hope that certain technologies are gonna enable more individual flourishing, more individual autonomy in general.
And I think things like generative AI and other things could do that. But there's other countervailing forces. And in especially if, if we avoid an acute crisis, I think in general the individual will be more empowered. But if we hit a, an acute crisis, especially up to and including war, that's when, hegemons gonna hegemon.
Jacob: Yeah. You didn't make me feel much better there. Before I let you go, Matt I promise that we would talk about aliens a little bit at the end of the podcast here. I did a little bit of research ahead of time cuz you sent me a couple things that I should know about. For instance, the the unidentified aerial phenomena task force which was.
Looks like it issued its first report in June, 2021. It has since become the All Domain anomaly Resolution office, the A R O as of July, 2022, and is putting out reports. Apparently our tax dollars are hard at work, going to these organizations, putting out reports about unidentified flying objects in the United States.
And I read a couple of the reports doesn't seem like they're that that concerning to me, but I know that you've said that I'm a little too flippant about this and that we should actually be thinking about this a lot more seriously. We started the podcast this way, and let's end the podcast this way.
Why am I being too flippant about unidentified flying objects and what that means for us National security?
Matt Pines: Yes. I could go on for hours on this, but I'll stop. I'll give you like the bumper sticker or like mental model to how I think about this. So I think there's three concentric circles because I think when you bring up this topic, people jump to like the most speculative, most fringy, sets of hypotheses. And I would put those in like the third circle, like the outer rim. Or if like you're like, you're in a forest clearing, right? You're like, okay, I see the clearing I'm in and then I can see a little bit into the forest, right? I can see some of those trees and then it's just all darkness.
And this topic, most of the speculation and the attention is like in the dark forest. And there I think there's really lit little perch. Like we don't have much to get a grip on, right? So I wanna start like in the clearing, in the center of the circle, things that are like objectively true, that are like most people haven't paid much attention to.
And so you pointed to those reports, the establishment of the all domain the of the all domain anomaly resolution office. Like in that vein of in that center circle, like hard facts are like the two laws that were passed, right? That were co-sponsored amendments to the National Defense Authorization Act, led by senators Christian Gillibrand and Marco Rubio, a bipartisan amendment.
Reading just the statute language that was put into that authorization is extremely revealing about where and how seriously the US government is taking the, this topic. And in particular, like Senator Gillibrand, Senator, senior Senator from New York, Cincinnati Intelligence Community, she leads actually the emerging technological threat subcommittee on the the Senate slack Command, United Intelligence.

So she's as plugged in as it gets in terms of knowing where the cutting edge in terms of special access programs in the United States government, where we think the Russian and Chinese are in terms of hypersonic technology, et cetera. She is, and she's inserted a lot of language into these things that you are explicitly about.
Not China, not Russia, not us, something other. And she has made a lot of the statements, suggestive statements among other people. MIT Romney has made very suggestive statements. The senior folks from the Pentagon that have Yet we're running some of the Pentagon programs have come out and said explicitly, this is not ours.
It's not Chinese, it's not Russian advanced capabilities. We don't know what they are, et cetera. Increasingly like the rumor mill now is that the Senate is gonna host a another hearing next month on UAPs. This may be public hearing may not be a public hearing. There have been strong rumors that people have been giving in-camera testimony to the new head of Arrow Strong Kirkpatrick, who's a senior US government intelligence official and scientist, PhD physics, who's now charged of leading this office and has to like, owe a whole bunch of these reporting requirements back to the Senate.
And the house on this topic and the testimony, which was part of what was put into place by law as like a whistleblower protection provision, is that if you were involved in any legacy U F O programs, basically for the past, 75 years, literally, they haven't statute that there has to be a report written.
Going back to January 1st, 1945 to investigate any government efforts to manipulate public opinion, obfuscate, lie about u about, this, about UAPs have to make that, have to write that report that's due in about a year. But they also put in the provision for whistleblower protection.
So if you sign an under disclosure agreement, really any special access program either waived, unacknowledged, et cetera, that relates to U aps, you can come to Arrow, give your testimony, and then Arrow has to give your testimony to the Senate. And that has been happening. Number of individuals have already come forward.
And so this is becoming a very serious topic inside, the Pentagon, which has been charged and has been wrapped over the knuckles many times by Gillibrand and a bunch of other senator for not taking this as seriously as they want it to be taken. Now what that means, this is all in the center circle, right?
Like very serious legislation passed, formal bureaucratic maneuvers stood up very suggestive statements made by officials on the record, senior government officials, current serving, et cetera, in the like outer perimeter, right? Is okay, what inferences do you draw from that? That's where you get into more like conditionalities, right?
And this is, I think it, I, this is, could go on in many different dimensions, but like just staying in that center circle and just looking at what people are saying on the record, what laws are being passed, what offices are being stood up what money is being spent, serious money being sent on this.
Actual government officials that were running the u I P task force, they're now working for defense contractors that specialize in doing tipping and queuing LEO Geo satellite space surveillance architecture like this is there people that play at a very serious level in the intelligence community?
People that are that are in the, that are in the gang of eight, that are basically, winking at you and saying, this is something to pay attention to. So that's where it is. Like I have those are like say hard Bay Credences that I can ascribe given the evidentiary record.
And then I have like more decaying creds in inferences. I draw from that, right? But when the person who was running the, you depending on u ffo program for 10 years comes out and says, yeah, just says explicitly, these are not Russians, not Chinese and not ours. And they display advanced propulsion tech technologies that we don't know how they work.
And it is my strong belief, hint, hint, that the US government is in possession of some quote unquote exotic material. This is what he said, right? I don't know is he lying to us? He could be a psychological operation. I have to describe credence to that. But that in itself is a reportable story.
Why is there a senior Pentagon official coming out and essentially trying to imply that aliens exist? Why would that be the case? And so this is where it gets very geopolitical, right? Like, why would this be a story now? Why is this becoming a topic of conversation, right? This is there, there's no clear other exogenous reason why this would become a topic of conversation now, right?
There's no no one's asking for this to be like an issue. We got a lot to deal with. But the US government apparently prioritized it. A lot of people, very senior people in the Senate have prioritized it. In fact, Senator Gillibrand has given, like she's gotten hangry in meetings like at senior Pentagon officials for not taking this, seriously enough and being like, you need to spend more money.
She got 14 other senators to sign a memo. Requesting that the D Nni and the d o d Reigate existing appropriation funds to Arrow because she felt they weren't sufficiently resourcing it the budget for it officially classified, but it's in the tens of millions of dollars most likely. So yeah, this is like a smoke fire service situation.
These are other things that go on in like more speculative mood, but there's more than enough just in the evidentiary record to say, it's wake up and be like, huh, this is something interesting here. Why is this happening? Why do these people keep coming out and giving these statements?
Like what is the movement here? What what's this all going towards? And yeah, like people have literally like senior journalists have come out and said, yeah, I interviewed former military senior science and technology officials. They told me on the record. Yeah, we've been trying to reverse engineer alien aircraft.
So that was like a guy, his name was Nat Covitz. He was a like head for science technology for the Navy. On his deathbed, he talked to this journalist Ross Cohart. And just like after months of him being cultivated as he said, yes I can acknowledge that. And then he died.
I don't know, maybe he's lying. Maybe this whole thing was concocted, but that's I don't know. That's like a, so that's a surprising thing. Did not have that in like my background. I didn't have any basing creeds to that. I had a zero assigned to that. Doesn't mean I go to a one, but it means I go slightly up.
And I look for other things that mean do I push that further down or go further up? And yeah, there's this reason why I think it makes a lot to pull this together into a larger conversation, right? I think we're seeing an acceleration in lots of different. That are hard for our political systems and our institutional systems and our cultural production our systems called production to to manage, right? Like the pace of change, the pace of like complexity that the average citizen has to manage is a lot. And I think this topic is just like adding like a whole nother, dimension of complexity to it, right? How are you supposed to manage the fact that we're having like rapid and explosive AI growth as we're also, confronting a potential, extreme risk of conflict with a great power, right?
Oh, and by the way, the US government's coming out and saying, U oh, UFOs are real, basically. And we're coming right up to the line of acknowledging that they're essentially a non-human related technology. Like that's like a, you have to put that on the table is like a serious thing that could come in the next few years.
And yeah, there's geopolitical, there's financial implications for that. I'm aware of those folks that have been asked, to think through the financial implications of what unquote disclosure would be. Like they're worried about, bank runs and that sort of thing, right?
This is the reason why if you just suspend disbelief for a minute, it's okay, if it were true right then you have to imagine the government would need to think through very hard about what you do when you finally acknowledge that there's a there, right? If that was the case, that's you have to think that, you have to think that through, right?
Because you didn't, that's not something you would do lightly and you don't know, quite know what the second order consequences are. So that could be a situation we're facing the next few years. I don't know...
Jacob: before I let you go we'll just leave that tantalizing and you'll come back on and we'll do some more time on it.
But the only question I have for now, cause I wanna read these reports a little bit more seriously before. Do battle with you on this, but yeah. Is there an equivalent of Senator Gillen brand in China? Is there an equivalent in Europe? Are we only seeing UFOs in the United States? Is this some symptom of psychological trauma or paranoia that we're going through?
Or is this, is is Chile setting up an institution to look at UFOs? And is Aust like d do you have other things outside the United States that
Matt Pines: point in this direction? Again, I'm not like a whole U f o like buff. So I'm not like right up on all of the history. But I do know that like a number of Europe, European countries have taken this very seriously.
I think France and Italy have actually stood up like formal organizational bodies actually for many years. Affiliated with the military, they've had testimonies, et cetera. Written formal government reports, et cetera. On, U UFOs, UAPs, Brazil had a parliamentary commission actually just last year where they had, military officials, and it was all in Portuguese, so didn't get picked up much in the western media.
China stood up their own. Yeah, I think in the Chinese translation, it's basically the equivalent of aerospace anomaly objects and they made a big, like press release about how they're using Chinese, world leading advances in AI to characterize these objects. And it, with the China stuff, it was all, it was always like a double game with we are flying all sorts of drones over China, right?
You were using lots of collection capabilities. And so there's always like a double layer to all this stuff of like sensitive, this is like the freaking balloon thing, right? Of like the geopolitical dimension of objects, inner atmosphere, whether we're characterizing them accurately ha is all, is always the nation state game, right?
And so China has stood up their own thing nominally about, aerospace objects, et cetera. So yeah, that is, that's the thing. There was some documents that came out of this of Russia after this collapse, the Soviet Union where a bunch of, Russian scientists, came out and basically said, yeah, like this, we've had a program for decades looking at these things.
And they shared a bunch of documents and then. The door got shut pretty quickly. So if you look at the history, this has not been, this is not like a new thing, right? Like the US government has had their own programs, go back to Project Blue Book, project Grudge, project sign.
All these things were like, they had big government reports investigating things. It was poo-pooed, FMA decades, but it was like a, this has been the recurring thing in both the formal bureaucracy as well as like in the cultural, milieu for many decades. And it wax and wanes over time.
Again. Is this a psychological production? I'm just, there are, we have a lot of sensors now, very sensitive intelligence collection systems in space, in the atmosphere underwater. And they're all picking up a lot of things that are, very hard to ascribe to a nation or someone that has access to, physics knowledge that we don't have.
And that's as a physics nerd, I'm really fascinated because I think fundamentally like human civilization is downstream of physics. Whatever physics knowledge we have essentially unlocks degrees of freedom technologically that we can exploit and that, up, up levels our entire civilization.
And we've been coasting on 20th century physics for a while, and we just assumed that's all we, that's all we're ever gonna do. Like the lesson in history is that you unlock new physics, you unlock new technology. We did that with a nuke and it was like a new world. We did that with quantum mechanics, we got integrated circuits, right?
So it's like we have a historical proof of concept that like new physics very quickly leads to new technology, change of civilization changes, geopolitics. And I think like macro view is that we're discounting the possibility of a physics surprise, right? Where we have new physics we discover new physics and that unlocks a whole new dimension of degrees of freedom, which states would be acutely interested in because they know those historically are associated with dramatic changes in the geopolitical order, right?
You get, new weapons that can change the balance of power very. So it would be very, it would be a reason to protect any secret that potentially could lead someone in the direction of new physics as like the most important secret that you keep. So it would explain like if UAPs exist, that's one that's like a proof of concept that someone has new physics and therefore any efforts understand how they work, why they work.
What leads you to potentially unlocking a strategic breakthrough in physics, which would be, geopolitically of the highest order of significance. So again, that's the all reason speculation, right? But as someone who like intensely looks at like advanced theories of physics right now and understands like, where are we going?
It's a whole other conversation we could have. Like we're at a moment where like we are, we're trying to find like we're in this dark room and like we're looking for posts sign, physics. We don't know where it's gonna come from, it's like one of those things where you. If you find it, you're in a different world potentially.
And you never know how close you are until someone figures something out.
Jacob: I think that's an excellent place to stop. We'll stop there and we'll have you back soon, Matt. This was fun.
Rethinking wealth
Copyright 2023
Cognitive Investments LLC is a registered investment advisor. Information provided in this report is for informational and/or educational purposes only and is not, in any way, to be considered investment advice nor a recommendation of any investment product. The statements and opinions expressed in this article are those of the author. Cognitive Investments cannot guarantee the accuracy or completeness of any statements or data. For current information on Cognitive Investments, please visit the Investment Advisor Public Disclosure website at www.adviserinfo.sec.gov by searching with Cognitive Investments' CRD# 308306.