The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations

Aug 12, 2025, 21 min

Episode description

This episode explores the concept of the security dilemma within the context of nation-state cyber operations. It examines how states, in their pursuit of self-preservation through cybersecurity measures, can inadvertently escalate tensions and foster mistrust with other nations, mirroring historical military standoffs like the Cold War. The discussion covers various aspects of cyber conflict, including intrusion techniques, defensive strategies, intelligence gathering, and the challenges of attribution, using real-world examples such as the Stuxnet attack on Iran. Ultimately, it suggests that transparency, communication, and trust-building mechanisms are crucial to mitigating this inherent dilemma in the digital realm.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Cybersecurity-Dilemma-Hacking-Between-Nations/dp/0190665017?&linkCode=ll1&tag=cvthunderx-20&linkId=9c5b45151cc2109f4cd61933ec97db9b&language=en_US&ref_=as_li_ss_tl


Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to the deep dive. We're here to, well, navigate the complicated stuff and pull out the key insights from today's source. And today we're really digging into Ben Buchanan's book, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations. Our mission, really, is to cut through the complexity, you know,

where cybersecurity bumps up against international relations. We want to extract the core ideas about how nations actually operate, how they build trust, or maybe more often how they don't, and how they handle this, well, this digital battlefield, exactly.

Speaker 2

And Buchanan puts this concept, the cybersecurity dilemma, right at the center. It's the lens for looking at these modern conflicts. The basic idea is, when a country tries to make itself safer online, those very actions can end up looking threatening to others, and that can, you know, unintentionally ratchet up tensions. It's this constant, high stakes balancing act.

Speaker 1

Yeah, and to make it real, Buchanan starts with a pretty chilling example. Remember the reported twenty fifteen Russian hack, the one that hit the White House communication system? I mean, this wasn't just like stealing some files. It showed the dilemma perfectly. They reportedly got into President Obama's emails, sensitive stuff, legislative things, scheduling, you name it. A senior official even called it one of the most sophisticated intrusions

we've ever seen. That's pretty stark. And it wasn't just the White House. There were breaches at the Pentagon, the Joint Chiefs, the State Department. So this isn't just theory. Buchanan uses these real world examples and even draws on things like the Snowden revelations, not really for the whole civil liberties debate, but more to show the mechanics, the how and why of these cyber ops. Okay, so let's unpack this core idea, the security dilemma. Buchanan traces it way back, right

to classical international relations. For listeners maybe not so familiar, where does this actually come from? And how does he connect that ancient idea to, well, today's digital world?

Speaker 2

It's fascinating, actually. The roots go way, way back to Thucydides, you know, the ancient Greek historian, in his History of the Peloponnesian War. He talks about that famous standoff between Athens and Melos, and the Athenians basically say, look, the strong do what they can and the weak suffer what they must. It's brutal, and that captures this idea of anarchy in the international system. There's no world government, right. It's not like inside a country where you have laws and police.

Between nations, it's more like Hobbes' state of nature, solitary, poor, nasty, brutish and short, not Locke's idea of ordered government. So political scientists like John Herz and the historian Herbert Butterfield, they formalized this. They said, look, when one state tries to get more power just to feel secure, it automatically makes other states feel less secure, and those other states react. They build up their own power, and you get these

dangerous arms races. It just feeds on itself. Mistrust everywhere.

Speaker 1

Right, and that maps directly onto intelligence gathering, doesn't it? Buchanan brings in Michael Herman, a British signals intelligence guy. Herman pointed out that even if you're just collecting intel defensively, the country you're spying on sees it as threatening. So why is intelligence so crucial? I mean, obviously states need it, but how does that need feed the dilemma?

Speaker 2

It's absolutely vital. Intel is about foresight, about knowing what's coming. Think about Pearl Harbor or nine eleven. Those disasters show exactly why states need good intelligence, to prevent surprises, to protect people. But, and this is the core paradox, states collecting that intel usually see their own actions as, you know, necessary, even benign, defensive. But the state being spied on, they see it as provocative, as potentially hostile.

Buchanan uses the Cold War, like in nineteen eighty three, as an example. Reagan and his team were apparently genuinely baffled that the Soviets thought the US might attack. George Shultz, Secretary of State then, called Soviet fears incredible. He just couldn't believe it. But then years later, Gorbachev admitted he hadn't really grasped how much fear his side's actions were causing in the US. So each side thinks they're the good guys, just defending themselves, and the other side is

the aggressor. It's the cycle of misperception.

Speaker 1

Okay. So if that's the backdrop, this constant suspicion, what does it mean for offensive cyber operations? Buchanan calls this the intruder's view. Okay, some of the big examples he uses to show why states feel they need to go on the attack in cyberspace?

Speaker 2

Well, he kicks off with Stuxnet. That was a real game changer. It was this incredibly sophisticated bit of malware aimed at Iran's Natanz nuclear facility back in twenty ten. And it didn't just steal data, it physically damaged things. It subtly broke about one thousand centrifuges over time. It was so stealthy, so effective, that the Iranians actually arrested some of their own people, thinking they were spies sabotaging

the plant. So yeah, it showed you could get real world physical, or kinetic as they say, effects from a purely digital attack.

Speaker 1

That was huge. And Stuxnet, even though it was devastating, was maybe just scratching the surface of what was being planned. Buchanan talks about Nitro Zeus. Can you tell us more about that? The scale sounds enormous.

Speaker 2

Oh, absolutely. Nitro Zeus was basically a massive US contingency plan. The idea was, if needed, to use cyber capabilities to take down huge swathes of Iranian infrastructure. We're talking power grids, transportation systems, air defenses, the works. The scale was just immense. Thousands of people involved, tens of millions of dollars spent just getting the access, embedding tools deep inside Iranian networks. They were apparently checking this access sometimes nightly, just to

make sure it was still there, ready to go. Now, the plan itself was never actually activated because the Iran nuclear deal happened in twenty fifteen, but the existence of Nitro Zeus shows you the level of planning, the ambition, and the strategic thinking behind these offensive cyber preparations.

Speaker 1

So if you can run operations like Stuxnet or prepare something like Nitro Zeus, you need the right tools. I was really struck by what Buchanan says about zero days. These sound like the ultimate cyber weapon. What are they exactly?

Speaker 2

Yeah, they really are kind of the secret sauce in the cyber arsenal. A zero day is basically a vulnerability, a flaw in software that nobody knows about yet, or crucially, the vendor, the company that made the software, doesn't know about it. So there's no patch, no fix available. This makes them incredibly valuable for an attacker because it gives you a way into a system that, well, nobody's guarding against.

It's a secret door, if you will. Buchanan points out the NSA reportedly paid over twenty five million dollars in just one year to one French company just for the zero days that company found. That kind of money tells you just how critical these things are operationally.

Speaker 1

And it's not just about getting in, is it? Buchanan talks about achieving persistence. That sounds clingy and pretty ominous. What does that actually involve, and why is it such a big deal?

Speaker 2

Persistence is about sticking around. It means burrowing really, really deep into a target system, not just installing some malware on the hard drive, but getting into the system's firmware or even the BIOS, the basic input output system that starts the computer up. When you're in at that level, it's, as Buchanan quotes, virtually impossible to get them out. You could wipe the hard drive, reinstall everything, the operating system, all the software, and the implant, the malicious code, could

still be there waiting. Security folks call it the race to the bare metal, getting as low level as possible. Buchanan cites research from Kaspersky Lab suggesting the US developed ways to do this against hard drives from pretty much all the major manufacturers. Researchers called it an ultimate persistence mechanism, next level, you've never seen before. It's about having that permanent, hidden foothold.

Speaker 1

Right. So they're basically moving into the digital foundations of the house, not just breaking a window. Yeah, that's a defender's nightmare. Which leads to why they do this. What are the operational incentives Buchanan points to? Why build these deep persistent footholds?

Speaker 2

It comes down to preparation. States want to do detailed reconnaissance before any potential conflict. It's officially called cyber operations in preparation of the environment, or COPE, a fancy term, but it means mapping the territory. Buchanan mentions DARPA's Plan X program. This was about building this constantly updated digital map of potential targets, figuring out vulnerabilities, placing tools, so you could launch cyber operations really quickly if needed. The goal, quite explicitly,

was to dominate the cyber battlespace. It's about having everything lined up, ready to go at a moment's notice.

Speaker 1

And what's really tricky here, Buchanan points out, is this dual-use problem. The access you need for spying often looks exactly like the access you need for an attack. Can you give us examples? And why does he say these ops are often opaque, sort of hard to grasp for traditional military folks?

Speaker 2

Yeah, this dual-use thing is absolutely central to the whole dilemma. The tools and access for espionage often are the same tools and access needed for attack. He uses the hacks on Saudi Aramco, the oil giant, and Sony Pictures. In both cases data was destroyed, hard drives wiped at Aramco, massive data deletion at Sony, but data was also stolen: embarrassing emails, employee data, movie scripts from Sony.

Same access, different goals, or maybe even both goals at once. And they're opaque to traditional military planners because, well, cyber isn't like tanks and planes. You can't easily count cyber weapons or see troops massing on a border. It's invisible, hard to quantify, hard to fit into established military doctrines. This makes it really difficult to integrate cyber into broader strategic planning and to assess the true threat level.

Speaker 1

Okay, let's flip the coin now. Let's talk about the defender's view. Protecting networks against all this sounds like a monumental task. Buchanan calls it a massive and largely secret effort. What kind of fight has the NSA, for example, been waging just to keep networks secure?

Speaker 2

It's a constant, uphill battle. You take the NSA, they've been in this long running fight against Chinese cyber intrusions, which they code-named Byzantine Hades. Buchanan says there were over five hundred major cases attributed to this one actor group. It just shows the sheer persistence and sophistication attackers bring. Even the most capable agencies are constantly playing defense, trying to patch holes and detect breaches.

Speaker 1

And sometimes the best defense is offense. Buchanan mentions this tactic of hacking the hackers. That sounds pretty bold. How did the NSA apparently use this against Chinese operations?

Speaker 2

Yeah, it's a fascinating turnabout. So in response to one specific Chinese intrusion campaign code-named Byzantine Candor, the NSA's Threat Operations Center, their cyber hunters, actually managed to break into five computers that the Chinese hackers were using to launch their attacks from. This gave the NSA, as Buchanan puts it, excellent sources of data on what

the attackers were doing, their tools, their targets. They could basically watch them in action, which is invaluable for figuring out how to stop them and protect US networks.

Speaker 1

So how do defenders spot these intruders, especially the really sophisticated ones? Buchanan goes through different detection methods. Let's start with pattern matching.

Speaker 2

Right. Pattern matching is a common technique. It relies on finding known indicators of compromise, or IOCs. These can be simple things like atomic indicators, specific IP addresses or domain names known to be used by attackers, or they can be computed indicators like cryptographic hashes, basically digital fingerprints

of known malicious files. And then there are behavioral indicators, which are more about the patterns of activity, how an intruder moves through a network, the sequence of commands they use. It's like recognizing a burglar's typical methods.

Speaker 1

Okay, but what if the attackers are using brand new tools, like those zero days we talked about? Pattern matching might miss that, right? What about things like network security monitoring or memory analysis?

Speaker 2

Exactly. That's where those more advanced techniques come in. Network security monitoring is about watching all the traffic going in and out of a network. You collect it, analyze it, looking for anything unusual, any anomalies that don't fit the normal patterns, even if you don't know exactly what the attack looks like yet. And memory analysis is really powerful too. Instead of just looking at files stored on the hard drive, you examine what's currently running in the computer's RAM, its

active memory. This can catch malware that tries to hide itself, or exploits like zero days that might not leave many traces on the disk. It sees what the computer's doing right now.

Speaker 1

The NSA also has this concept of foreign intelligence in support of dynamic defense. Sounds like using spy data to directly improve security. Can you give an example of how that actually works in practice?

Speaker 2

Yeah, it's exactly that, connecting the dots between intelligence gathering and network protection. It's a direct feedback loop. Buchanan mentions that by twenty eleven, the NSA's defensive systems, armed with this intelligence, could block something like twenty eight different categories of threats automatically. And there was this one specific case where they stopped a Byzantine Hades attack targeting four very senior US military leaders, including the Chairman of the Joint

Chiefs of Staff. So that's intelligence directly preventing a potentially serious breach at the highest levels. It shows the operational value.

Speaker 1

Then there's this really interesting, almost cloak and dagger concept, fourth party collection, piggybacking on other countries' hacking operations. How does that work, and what does it do to trust, maybe even between allies?

Speaker 2

It gets pretty murky, yeah. The example Buchanan uses involves the Five Eyes alliance, you know, the US, UK, Canada, Australia, and New Zealand. They apparently targeted South Korea's signals intelligence operations. They weren't just trying to learn what South Korea knew about North Korea from their spying. They were sometimes even hijacking the tools, the exploits, that South Korea was using against North Korea and repurposing them for Five Eyes' own use.

As you can imagine, this kind of thing, knowing that even your partners might be intercepting your operations, can breed a lot of paranoia, as Buchanan puts it, within intelligence circles. It really complicates trust.

Speaker 1

Which brings us back to a fundamental debate. Is cyberspace inherently offense-dominant? We hear that a lot. President Obama said offense is moving faster than defense. Michael Hayden, former NSA director, was even stronger: there's almost nothing inherent in the domain that plays to the defense. Is that the whole story, though? What's the counter argument?

Speaker 2

It's definitely a common view that the attacker always has the edge, and there's some truth to it. But defenders and experts push back a bit. Richard Bejtlich, a defense pioneer, pointed out that attackers often have a huge advantage in focus.

They study one target system deeply. Defenders have to protect everything, and Bruce Schneier, another top expert, famously said a sufficiently funded, skilled, motivated adversary will get in, which sounds bleak, but the nuance is important. While perfect defense might be impossible, good defense, good preparation, good information sharing, smart strategies can make the attacker's job much harder, much more expensive, and much riskier.

So it's not that defense is futile, but it is incredibly challenging.

Speaker 1

Okay, So pulling this all together, what does this cybersecurity dilemma mean for overall stability between nations? How is it different from the old Cold War security dilemma with nukes and tanks.

Speaker 2

Well, a key difference Buchanan highlights is the lack of physical geography in cyberspace. You don't have oceans or mountains acting as natural buffers or borders. It's inherently global and interconnected. And maybe more importantly, cyber capabilities are just fundamentally ambiguous. It's incredibly hard to look at a cyber tool or an intrusion and know for sure if the intent is purely defensive, like mapping networks to protect them better, or

offensive, like preparing for an attack. That ambiguity is a huge source of tension.

Speaker 1

That ambiguity must make it incredibly difficult to dial things down. How does Buchanan suggest that just having good basic security baseline defenses can help? And what about all the noise he mentions like those ten million attacks?

Speaker 2

Right. He argues that strong baseline defenses are actually crucial for managing the dilemma. If your own networks are reasonably secure, you can filter out a lot of the background noise you mentioned. He cites the former director of OPM, the US personnel office that got massively hacked, talking about ten million attacks a month. But most of that is just automated scanning, background radiation of the Internet, not serious state

level threats. Good defenses help you separate the signal from that noise, so you can focus your resources on the genuinely sophisticated, potentially dangerous intrusions. It simplifies the picture.

Speaker 1

Okay, so defense helps, but that ambiguity is still there. Trust seems essential. Buchanan looks back at the Cold War again, specifically the hot line. How does that serve as a model for cyber diplomacy.

Speaker 2

The hotline between Washington and Moscow, set up after the Cuban missile crisis, was vital. It was used during the nineteen sixty seven Arab-Israeli War and other crises. It provided that direct, immediate communication channel. It allowed leaders to quickly clarify intentions, ask questions, and hopefully avoid misunderstandings escalating into something catastrophic. There was even a lower level warm line for

operational folks to talk. It showed that even bitter rivals saw the need for communication to manage risk.

Speaker 1

And we've seen attempts to apply that lesson to cyber, right? What about efforts between, say, the US and China?

Speaker 2

Yeah, despite all the friction, there have been ongoing efforts high level talks, joint working groups focusing specifically on cyber issues. The results have been let's say mixed. China walked away from talks for a while after the US indicted some PLA officers for hacking, but then they eventually came back. But the existence of these channels is important. They provide a place to air grievances, discuss norms, and try to build at least a minimal level of understanding. Even if trust is scarce.

Speaker 1

Beyond just talking, Buchanan brings up costly signals. These are actions a state takes that clearly show it's trustworthy, because the action involves some kind of sacrifice. What are some historical examples he uses?

Speaker 2

He points to things like Khrushchev unilaterally pulling Soviet troops out of Austria in the fifties. That wasn't just talk, it was a tangible reduction in military presence. Or think about Gorbachev making big concessions in arms control treaties like

the INF Treaty, or pulling out of Afghanistan. These were actions that cost the Soviets something, either strategically or politically, but they signaled a genuine shift in policy. And Buchanan notes how these actions gradually changed Reagan's perception of the Soviet Union, away from the evil empire rhetoric. They demonstrated trustworthiness through sacrifice.

Speaker 1

And this idea of costly signals applies directly to cyber specifically with those zero day vulnerabilities. How can handling a zero day demonstrate trustworthiness?

Speaker 2

It's a really clear example. So a government finds a zero day flaw. What does it do? Option one, keep it secret, use it for spying or potential attacks. That's the offensive advantage. Option two, maybe sell it on the black market. Option three, tell the software vendor so they can fix it, patching the hole for everyone. Choosing option three means giving up your secret weapon. You sacrifice that operational advantage for the sake of broader cybersecurity, for collective defense.

That's a costly signal. Buchanan mentions the US has a formal process, the Vulnerabilities Equities Process, trying to weigh these offensive versus defensive equities. And he quotes the Dutch government's clear stance: encryption good, backdoors bad. It's about signaling commitment to overall security, even at a cost.

Speaker 1

Okay. Lastly, attribution and response. Knowing who did it is crucial. The Sony Pictures hack is the big case study here. How is the US so sure it was North Korea? And what does this tell us about the role of private companies?

Speaker 2

Now, attribution is notoriously hard in cyber, but in the Sony case the US government expressed very high confidence it was North Korea. Buchanan suggests this confidence came largely from pre-existing access the US likely had inside North Korean networks, giving them visibility into the operation as it happened or shortly after. Intelligence was key. But the Sony case also highlighted the growing role of the private

cybersecurity industry in attribution. These companies have global sensor networks, deep technical expertise. They often publish their own detailed analyses of major attacks. This sometimes forces governments' hands, making previously secret operations public, and adds another layer to figuring out who's behind a major incident.

Speaker 1

And when a state does attribute an attack, the response doesn't have to be another cyber attack, right What other tools were in the toolbox.

Speaker 2

Absolutely. Buchanan stresses that responses don't need to be in kind. You don't have to hack back just because you're hacked. States can use other instruments of national power. Economic sanctions are a big one. The US used them against North Korea after Sony. Or diplomatic actions, like indicting foreign military officers, as the US did with Chinese PLA members.

These are political signals. They show resolve, impose costs, and demonstrate that cyber actions have consequences, without necessarily escalating things in the cyber domain itself.

Speaker 1

So wrapping this up, Buchanan really leaves us wrestling with this core tension, this cybersecurity dilemma. In this hyper connected world, states are constantly trying to secure themselves, but those very actions almost inevitably look like potential threats to others. It's this fragile, ongoing struggle.

Speaker 2

It really is. And it leaves you, the listener, with a pretty fundamental question, doesn't it? Given how ambiguous cyber tools are, how hard it is to tell defense from offense, can things like costly signals and talking shops truly build lasting stability, or are we just stuck in this cycle? And what does this constant simmering tension between nations online mean for your daily life, for the security of the data you rely on, the services you use, the very infrastructure

that underpins our digital world. It kind of forces you to think about how these high level state games filter down and affect us all, and whether genuine trust is even possible in this domain.
