Code Red: Breaking Down China’s Cyber Offensive—Volt, Salt, and Flax Typhoon
Season 2 Episode 43 •Show Notes
What do Volt Typhoon, Salt Typhoon, and Flax Typhoon reveal about China’s cyber playbook? This episode of Cyber Focus breaks down a new McCrary Institute report on China’s advanced persistent threat campaigns—and what they mean for U.S. national security. Frank Cilluffo sits down with Mark Montgomery, Brad Medairy, and Bill Evanina to explain how China is embedding itself in American infrastructure, telecom, and data systems. They warn that Beijing is laying the groundwork for future conflict and that the U.S. response has been dangerously slow. The guests call for stronger deterrence, better public awareness, and a renewed focus on the economic toll of cyber theft.
Main Topics Covered
- China’s long-term cyber threat strategy
- Volt Typhoon and infrastructure targeting
- Salt Typhoon and telecom espionage
- Flax Typhoon and persistent access
- Gaps in U.S. cyber deterrence
- Economic costs of IP theft
Relevant Links and Resources
McCrary Institute Typhoon Report
Booz Allen October 2025 China report
Key Quotes:
“Each year we can say the threat has grown. And I would say the leading driver of that growth in the cyber threat environment in the United States is China.” — Mark Montgomery
“China is using cyberspace to project power. And as a nation, I think that we need to recognize this threat.” — Brad Medairy (~05:50)
“Until people believe that [China’s cyber actions] matters to them, we’re not going to get the kind of actions we need.” — Mark Montgomery
“China[‘s] … offensive cyber tradecraft is going to be AI enabled. They’re going to be able to deliver effects and capabilities at pace that we never imagined. — Brad Medairy
“I think the Chinese want not only us, but they want the world to know that they’re inside… Xi wants… the world to know that he can do this.” — Bill Evanina
“We have to expeditiously get into place where we could harden ourselves so the railroad could work, the ports work, the electricity grids work. We’re not ready. We’re nowhere near ready.” — Bill Evanina
Guest Bios:
RADM Mark Montgomery (Ret.) is Senior Director of the Center on Cyber and Technology Innovation and a Senior Fellow at the Foundation for Defense of Democracies. He also serves as Executive Director of Cybersolarium.org, a nonprofit advancing the recommendations of the Cyberspace Solarium Commission, which he led from 2019 to 2021. Previously, he was Policy Director for the Senate Armed Services Committee under Senator John McCain, following a 32-year career as a nuclear-trained surface warfare officer in the U.S. Navy, retiring as a Rear Admiral in 2017.
Bill Evanina is the Founder and CEO of the Evanina Group, where he advises corporate boards and CEOs on strategic risk, counterintelligence, and national security threats. He served as the first Senate-confirmed Director of the National Counterintelligence and Security Center (NCSC), leading U.S. government efforts to defend against espionage and foreign influence. A 24-year FBI veteran, Evanina held senior roles in both counterintelligence and counterterrorism and previously led the CIA’s Counterespionage Group. He also chairs national and international security boards and is an instructor at the University of Chicago.
Brad Medairy is an Executive Vice President at Booz Allen Hamilton, where he leads the firm’s cybersecurity business and supports national-level clients including the FBI, DHS, DOD, U.S. Cyber Command, and the Intelligence Community. He focuses on protecting critical infrastructure, securing emerging technologies, and defending against advanced cyber threats. Medairy leads multidisciplinary teams that integrate AI, cloud, and cyber operations to deliver full-spectrum solutions. He has been recognized as a Top 50 Cybersecurity Leader and Cyber Executive of the Year, and holds degrees from UMBC and Johns Hopkins University.
Transcript
1
00:00:00,000 –> 00:00:01,000
Bill Evanina [00:00:00]: I think the Chinese want not only us, but they want the world to know that they’re inside. And I think that’s problematic, not only from an actual cyber perspective and the ability to cause disruption, destruction, listening to our telephone conversations or staying our systems and stealing data that they see fit, but they want us to know they’re there.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:20]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week we have the privilege to sit down for a special episode. It’s on a report we are releasing on the various typhoons perpetrated by the People’s Republic of China. And I have with me the four co chairs of that particular task force. First Admiral Mark Montgomery, then Brad Medairy, and then Bill Evanina. All three of whom have served, have actually been on previous podcasts and all three are also senior fellows. So really excited about today’s conversation. Want to be able to take a complex set of issues and bring it to the American people.
3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:01:05]: So, gentlemen, thank you for joining today. So this is our report. It is released today and I think it really drills down into the various typhoons and tries to put it into plain spoken language and answer hopefully the why it matters. But I thought before we jump into the report itself, we’ve seen a whole lot of activity coming out of China. The landscape continues to move. The tactics, techniques and procedures continue to change. But Mark, I thought maybe a little bit of a background on its evolution if you want to kick us off there.
4
00:00:03,000 –> 00:00:04,000
Mark Montgomery [00:01:43]: Thanks. First, it’s an honor to be here with Brad and Bill and you and with the all McCrary team here of senior fellows and director. Listen, this is a great report, but you’re right, you know, you kind of need to understand up front just what a threat China is to us. And you know, we just put out our annual assessment and one of the things you’d hear Senator Angus King would say was one thing that’s been true in all five assessments is each year we can say the threat has grown. And I would say the leading driver of that growth in the cyber threat environment in the United States is China. Second is probably criminals. And then you’d get to the other nation states. So China is a big driver. And I think it’s important for us to understand what an important role cyber malicious activity plays in China’s overall national security strategy.
5
00:00:04,000 –> 00:00:05,000
Mark Montgomery [00:02:30]: I think when, when Chairman Xi thinks about recapturing Taiwan, he, while there may be thoughts about a cross strait invasion, his realistic dreams involve a cyber enabled economic warfare campaign with the emphasis being on the word cyber. You know, he’ll use diplomatic and economic and other tools, but in the end they’ll leverage cyber malicious activity and influence operations that are themselves the product of cyber activity to break the societal resilience of Taiwan. So from my perspective, a study that examines, you know, the Chinese threat and the particulars, the tactical particulars of how it does it is important because it helps reaffirm what we all know to be the operational and strategic nature of the Chinese threat to the United States.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:03:16]: Perfect segue. Bill, I mean, over the span of your career, how have the tactics, techniques and procedures changed? How have you seen the modus operandi change and coming at it from both your time at the FBI and then running the National Counterintelligence Directorate?
7
00:00:06,000 –> 00:00:07,000
Bill Evanina [00:03:34]: I think when you, just to amplify Admiral’s perspective on China and the strategic perspective, I think that’s where it starts with strategy. I think when Xi came in, he decided to make this a strategic intent of one of their main pillars of how they’re going to combat and compete with the United States, both civilian and militarily. I would say over that span, I’m going to say last 15 years, a couple things come to mind. Number one is complexity and the persistence and the complexity, persistence of where they’re going and how they do it is astronomical. Two, the strategic intent of how they do things, why they do things and where they’re targeting is number two. Three, the frequency and scale for which they attack the United States and other entities around the world is really, really impressive. Lastly, I think the most important change I’ve seen in 15 years has been the targets of their attack. It started out, I would say late 09, 10, where they were mostly government targeting.
8
00:00:07,000 –> 00:00:08,000
Bill Evanina [00:04:31]: Then it went, transitioned into defense industrial base because they were the main components of how we facilitated our military operations. And then Xi came in and they changed. They saw the vulnerability of our private sector, our academia, our research institutions, I would say our non title fifties. So the spread and the vastness of how they facilitated their target, not only their surface targets, but the actual entities and private sector allowed them to utilize some of these typhoons specifically to attack, not only from a cyber espionage perspective, but data aggregation, data theft, and also theft of intellectual property and trade secrets to facilitate both their civilian and military capabilities.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:05:11]: And fair to say everyone’s a target, right? Very few sectors that haven’t been targeted.
10
00:00:09,000 –> 00:00:10,000
Bill Evanina [00:05:17]: That’s correct.
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:05:18]: Brad, Booz has put out a number of good reports on China recently. And why are these reports important? Why does it matter?
12
00:00:11,000 –> 00:00:12,000
Brad Medairy [00:05:30]: Yeah, I think to some extent, as a nation, I think we’ve become sort of, cyber attacks are the norm, and every day we’re reading about something new. Just recently, the F5 vulnerability. And so we read about it and then we move on. And Mark talked about it, and I would say that with China, we see continued escalation. And I think it’s important to look at it as an entire body of work. And when you look at that, you see this continued escalatory behavior. China is using cyberspace to project power. And as a nation, I think that we need to recognize this threat.
13
00:00:12,000 –> 00:00:13,000
Brad Medairy [00:06:12]: I remember talking to someone in the administration about the threat, and I’m like, how do we make a dent in this? And the feedback was actually pretty profound. He’s like, look, we need to educate the public. We need to understand what the threat is, who is the threat, and then we can start to build consensus around how to combat it and how to defeat it. I think about myself, a child of the 80s, right? I knew the threat. It was Russia. And I think if you ask the general population today, they’re going to say, well, Russia is still the threat. And the reality is China is the threat of our generation.
14
00:00:13,000 –> 00:00:14,000
Brad Medairy [00:06:46]: And I think that we need to create that awareness and we need to have an integrated strategy to combat that.
15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:06:51]: I would, I would just add, yes, but Russia is still there.
16
00:00:15,000 –> 00:00:16,000
Brad Medairy [00:06:54]: 100%.
17
00:00:16,000 –> 00:00:17,000
Mark Montgomery [00:06:56]: And I would commend to you Booz’s October 2025 report. I think it’s one of the best ones I’ve read recently.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:07:03]: Yeah. And let’s sort of, and in our report, we go into great detail on all of the various typhoons. We’ll pick on the big three for today. Volt Typhoon, Flax Typhoon, Salt Typhoon. We also have Linen. We also have Violet. We also have Nylon.
19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:07:25]: And on and on and on. And probably by the time this episode is aired, we’ll have a new one. But, Mark, I thought we’d start at the very beginning with Volt Typhoon, because I think that was the one that, at least from my perspective, raised all sorts of alarm bells. But you want to give a quick?
20
00:00:19,000 –> 00:00:20,000
Mark Montgomery [00:07:45]: Sure. And leading into that, I’ll just say this report, the goal of this report, slightly different than the Booz report, is to very specifically provide a primer on this one set at Advanced Persistent Threat Access that the typhoons from China. So if you’re, if you’re working on the Hill, if you’re, you know, in the Administration. If you’re in a company, if you’re in a trade association, this is, you know, should be required reading for understanding what is the most significant set of threats coming to the United States. Not, not in any way take away from the Booz report, which really looks at the broad perspective of threats to the United States. So dig into this if you want to understand typhoons. And so first, one, Volt typhoon.
21
00:00:20,000 –> 00:00:21,000
Mark Montgomery [00:08:26]: Look, Volt typhoon, as a military officer, military planner, this is the easiest for me to understand. I call it operational preparation of the battlefield. It is the Chinese examining our critical infrastructures, determining what are the targets most important to impinging on our national security, and I think particularly military mobility, our economic productivity, and our public health and safety. And we’re pretty convenient. We lay out what, what our risk areas are. In other words, if I go to US Transcom, in a very transparent, unclassified way, says here are my 69 strategic airfields. Here are my 17 strategic seaports.
22
00:00:21,000 –> 00:00:22,000
Mark Montgomery [00:09:10]: Here’s my 20,000 miles of strategic rail network. Now, DOD does this. Department of Defense does this for a reason, which is to try to get the Department of Homeland Security, the Coast Guard, and TSA, the Transportation Security Agency, who, if you didn’t know, is responsible for the security of your rail networks, to get them interested in it, to get them engaged on it. Now, the Department of Defense’s real strategy is not to pay for it. And so they identify these things. Well, I get it. Coast Guard and TSA know what’s strategic now. So does China.
23
00:00:22,000 –> 00:00:23,000
Mark Montgomery [00:09:43]: And then if you back up and look at former FBI Director Wray’s very accurate and transparent testimony to the China Select Committee about 18 months ago, he very clearly stated China went after exactly those kind of systems that were critical to military mobility and national security, then the ones that are critical to economic productivity and public health and safety that underpin that. So not just rail, aviation, ports, but also energy, water, and financial services. So, look, China is doing operational preparation of the battlefield is to either disrupt or destruct these critical infrastructure networks during either the buildup to a crisis to signal to us, stay out, America, or during a crisis to kneecap our ability to respond rapidly.
24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:10:30]: So very simply, you have military mobilization, which is anything that could impede the ability to project power, deploy forces, move troops, personnel, and everything else down to other critical infrastructure that could be held hostage at a time of their choosing. Yes, no?
25
00:00:24,000 –> 00:00:25,000
Mark Montgomery [00:10:50]: It is. Let me say one last thing. You remind me. Like, really easily, if I want to get a tank from Fort Hood, Fort Cavazos to Korea, it, it gets on a tank rail car at Fort Hood, Fort Cavazos, and it’s got, that base has got two power systems, two comms systems, two water systems. It’s the Noah’s Ark of critical infrastructure, right?
26
00:00:25,000 –> 00:00:26,000
Mark Montgomery [00:11:10]: It leaves the base and it, and it enters, like, Uncle Rufus’s rural rare collective number 27.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:11:16]: You love Uncle Rufus.
28
00:00:27,000 –> 00:00:28,000
Mark Montgomery [00:11:17]: I do. But Uncle Rufus, he says, my job is to clear that 50 miles of track of, of dead animals, not maintain the cyber security of the network that propels it. The Chinese are like, we, well, we can attack Fort Hood, Fort Cavazos, which might be hard. You know, TSA’s working it. Or I could go after Uncle Rufus. And they go after Uncle Rufus. And we don’t have a system for TSA to even help Uncle Rufus assess his systems. And there’s lots of these rural routes that the rail system is not run by four or five big companies.
29
00:00:28,000 –> 00:00:29,000
Mark Montgomery [00:11:50]: Like there are four or five big car, you know, rail cargo companies, lines. But there’s hundreds of owners of the track. That’s who we have to help. And they’re not going to be regulated into a helpful solution. They’re going to have to be incentivized with grants and other programs, particularly in these rural networks where these are not Fortune 500 companies masquerading as local utilities.
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:12:12]: You know, Mark, this brings me back to when we were first working together early in the Clinton administration, when there was this belief that you had a global information infrastructure, you had a national information infrastructure and a defense information infrastructure. The reality is they’re all blending. Right? Brad, I mean, the next one probably, and still early innings to know exactly the consequences and the impact. More understandable because it’s a large espionage campaign, but Salt Typhoon, you want to paint a picture of that?
31
00:00:30,000 –> 00:00:31,000
Brad Medairy [00:12:46]: Yeah. So Mark described Volt Typhoon as operational prep of the battlefield. If, you know, kind of continuing along those lines, I would say Salt Typhoon is really gaining the strategic high ground for intelligence. And here is where we saw, you know, PRC threat actors embedding in telecom networks globally across 80 nations. And there’s evidence that this started as early as 2019. And it was really a multi year espionage campaign. They were able to embed themselves in the telecom network. They were able to get call data, metadata, information around lawful intercepts, which means they were able to figure out who were being tracked in terms of criminals and spies.
32
00:00:31,000 –> 00:00:32,000
Brad Medairy [00:13:38]: And it’s really kind of the strategic high ground. Right? Because from an espionage perspective, if you’re in the telecom networks, you can actually see…
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:13:47]: And who’s not?
34
00:00:33,000 –> 00:00:34,000
Brad Medairy [00:13:48]: Yeah, yeah. And so really significant campaign went on for a long time. In the U.S. nine telecom companies, Verizon, AT&T, Charter Communications. And we’ve seen, you know, evidence, right, heavily focused in the D.C. area, political figures and really significant campaign that took us years to uncover.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:14:09]: And I think, again, the full damage assessment is very early. But even without having all the information, you know, that’s a pretty darn bad day. Right? I mean to know who we’re interested in clearly is of interest to the adversaries.
36
00:00:35,000 –> 00:00:36,000
Brad Medairy [00:14:27]: Right. I mean if you think about it, you know, if you’re able to get into the telecom networks and look at the lawful intercept data, then you can actually see who the US may be watching from a spy perspective. And that’s a huge national security issue. The other key thing…
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:14:41]: It’s like having the offensive and defensive coordinators playbook, right?
38
00:00:37,000 –> 00:00:38,000
Brad Medairy [00:14:45]: Definitely, definitely. And the other thing is, you know, we use the word APT, advanced persistent threat. Right? Salt Typhoon was uncovered in around October 2024. But that doesn’t mean they’re going to stop. This is going to be a multi year campaign, a game of cat and mouse and we’re going to continue to see attempts to attack and infiltrate US and our allies and global telecommunication networks.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:15:10]: Awesome.
40
00:00:39,000 –> 00:00:40,000
Mark Montgomery [00:15:11]: Frank, add one thing on this too, that’s a great description. I attach myself to everything Brad said. What I’d say also is that Salt Typhoon caused me to, to no longer trust kind of the judgments I’d necessarily draw on critical infrastructures. If you’d asked me a year before it, what are the critical infrastructures in the best condition, I’d have put energy, defense industrial based, financial services, communications somewhat ahead of the other ones. I think what I learned in this, and correct me if I’m wrong, but I think in the communications network, what I misunderstood was the security of the corporate network, the telecommunication system, where they protect important stuff. Our PII, our, our credit card details, things like that, that’s secure. That has a lot of invested in it. They’re trying hard to protect that to keep us as customers.
41
00:00:40,000 –> 00:00:41,000
Mark Montgomery [00:15:57]: What equally, to keep us as customers, when it came to the core network, the guys operating are like, hey, what’s that, that subsecurity change you want to put in here? Is it going to slow me down? Is it going to make me less efficient? Did my, did my competitors at Verizon or AT&T have to put that same thing in? And when I think at some level the ability to impose cybersecurity on the core network lagged the ability, the desire to put security on, cybersecurity on the corporate network. And therefore our telecommunications infrastructure was less secure than any of us would have hoped. And that worries me because that kind of decision making could be happening in other infrastructures and we don’t really understand it.
42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:16:43]: You and me both. And I’m sorry, Brad, but I go back to the 90s where the cartels were buying telecommunications companies. It’s the ultimate, why break in if you can own? In essence, they owned it.
43
00:00:42,000 –> 00:00:43,000
Brad Medairy [00:16:58]: I mean, I think a common pattern between Volt Typhoon and Salt Typhoon is as a nation, we have a tremendous amount of technical debt. And I mean, I think the strategic question is with all of that technical debt, we can’t modernize everything. And so that technical debt leaves some of our most critical infrastructure inherently insecure. And so, you know, how do we win?
44
00:00:43,000 –> 00:00:44,000
Bill Evanina [00:17:22]: If I might just add, like, as a law enforcement and intelligence professional for 25 years, I find Salt Typhoon to be personally insulting because, they’re all insulting, but in my world, back a couple decades, in order to listen to an American’s telephone call, you had to get a FISA application, a title three, you had to have a judge sign off on the ability to listen to a US citizen’s telephone calls. Now we’re in a situation, we have a foreign adversary listening to telephone calls of Americans as they see fit.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:17:52]: That’s scary.
46
00:00:45,000 –> 00:00:46,000
Bill Evanina [00:17:53]: It’s scary.
47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:17:54]: Yeah, it is. And it is insulting. That said, that one is understandable. It’s espionage. And I don’t want to tip a hat, but, but that’s a little different, I think, than Volt. And we’ll get to intentions in a second. But one of the other big typhoons is Flax Typhoon.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:18:15]: Can you walk us through that a little bit, Bill? And anything you want to add on Volt and Salt as well, but start with Flax.
49
00:00:48,000 –> 00:00:49,000
Bill Evanina [00:18:21]: I’m with both of my colleagues here in terms of insulting and aggravating on the Volt Typhoon. I think as Americans, we should all be very clear to not only the, the consequences here about the intentions. Now, Flax, I would say, you know, if you looked at the metaphor of three angry brothers here, one out to disrupt, dismantle and destroy critical infrastructure, one out to not only spy and listen to telecommunications, Flax is a little bit more interested in the long term slash mutual fund consequences of what the Typhoons are doing. Flax Typhoon is an ability for the Chinese ATP groups to live off the land, get into critical infrastructure, whether that be government intelligence organizations, technology organizations, you name the critical infrastructure and get in through legitimate means, have the ability to stay inside the systems, credentialing how they want to float around with the prime intention to identify key data sets, information, intelligence, take what they need when they want to see it, but be there for a long time. Because what they found out in OPM and other breaches is that sometimes when you go in for the bottle of water, there might be a beer in there and there might be wine coming down the road. So I think what they look at is if we can get into a critical infrastructure, we could stay there, be persistent, be quiet, be unfound for a long time. The data sets and the theft from an espionage perspective can be really fruitful, more down the road than they are right now.
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:19:49]: And you bring up a very important point that it’s not only discriminatory information you’re pursuing, very specific information, but it’s the data itself, right?
51
00:00:50,000 –> 00:00:51,000
Bill Evanina [00:20:03]: It’s the data itself. And look back to some of the ATPs and not necessarily, would not be classified as Flax Typhoon. When we look at the Chinese arc of attempts when they were going company by company, but then they realized, well, wait a minute here, if we breach a cloud service provider, we get lots of companies, right? So, so then they were breaking glass and we found them. But now with the Flax Typhoon as part of this, you know, very vicious Typhoon family, their abilities to hide in plain sight, be a credentialed entity inside a company, a critical infrastructure, is not only disturbing, but it’s very, very difficult for CISOs and CIOs around the country to identify them and extricate them from the facility.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:20:42]: And also included a number of IoT and IIoT devices which demonstrate a level of sophistication and also finding the seams in older generational forms of technology that have been knitted together through the cloud and other means, Right?
53
00:00:52,000 –> 00:00:53,000
Bill Evanina [00:21:03]: Absolutely.
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:21:05]: Let’s talk intent now. Not all hacks are the same, not all hackers are the same, not all intentions are the same, not all capabilities are the same. I don’t want to put words in your mouth, but each one of these Typhoons on their own is a significant national security concern. Collectively, it basically shows across the board, military, economic, diplomatic. It’s a strategic, these aren’t one offs, these aren’t one off incidents. Collectively, it tells a pretty damning story. What would you say in terms of intentions if, and pick on the three or any of the other Typhoons we didn’t have time to discuss here?
55
00:00:54,000 –> 00:00:55,000
Bill Evanina [00:21:47]: I think it’s important for the audience to understand that you probably don’t want to pick one of the three. I think you have to look at them in totality. And I think the story is, to your initial comments, Frank, we’re talking about three typhoons right here, but there are many more and many more. And a lot of these typhoons touch multiple parts of our critical infrastructure and our government entities collectively and individually. And I think you have to look at it from a strategic intent. What is Xi and the Communist party trying to achieve with this? From a perspective of what they’re doing, it’s also why. They’re okay with getting caught. So far as we all know, the consequences of getting caught have been minimal at all.
56
00:00:55,000 –> 00:00:56,000
Bill Evanina [00:22:26]: Right? So for me, getting in and making our private sector and our government know they’re there is a problem and then trying to find them. We exhaust resources and capabilities. We’re always trying to patch 0 days. And I think the Chinese want not only us, but they want the world to know that they’re inside. And I think that’s problematic not only from an actual cyber perspective and your ability to cause disruption, destruction, listening to telephone conversations or staying our systems and stealing data that they see fit, but they want us to know they’re there I think there’s a lot of that, hey, when Xi wants to be the global power on all things, some of that is the world to know that he can do this.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:23:07]: Absolutely. Brad, anything to add?
58
00:00:57,000 –> 00:00:58,000
Brad Medairy [00:23:08]: Yeah, I mean I think that we’re seeing, you know, the early days of, you know, the future of warfare, the integration of, you know, in the past we talked a lot about kinetic warfare. The future of warfare is going to be an integrated non kinetic and kinetic fight. Mark talked about prepping the battlefield, you know, through escalatory cyber activity. You know, when, you know, Volt typhoon, when China’s pre staging capabilities for no other effect then to disrupt and dismantle our critical infrastructure. You know, that is projecting power, it’s imposing cost and it’s creating doubt and it’s not going to stop.
59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:23:45]: Mark. And why should Americans care?
60
00:00:59,000 –> 00:01:00,000
Mark Montgomery [00:23:47]: Yeah, that’s great.
61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:23:49]: We all, I care.
62
00:01:01,000 –> 00:01:02,000
Mark Montgomery [00:23:50]: I do. All four of us do. And I think lots of Americans care, but they just don’t know how to care. Yeah, so Bill had an executive, when Bill was talking, I was thinking about our mutual friend Angus King, Senator Angus King from Maine who could not ever get off the idea that we don’t deter attacks in cyberspace.
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:24:06]:We don’t do enough. I’m with Angus on that.
64
00:01:03,000 –> 00:01:04,000
Mark Montgomery [00:24:07]: We don’t do enough. That, the, the, the level of use of force, our, the level of pain we would have to suffer before we did something in cyberspace, before we did something back in cyberspace, or kinetically is so high as to be ineffective. And then when I think about Volt Typhoon, there’s the perfect description.
65
00:01:04,000 –> 00:01:05,000
Mark Montgomery [00:24:27]: You and I have had discussion before. If the Chinese were to take a thousand backpacks of, you know, five pounds each of some of explosive, strap them to the same port, rail, aviation, power grids and the FBI were to discover this, we would be, we would hold them kinetically accountable in some way. And we would probably, I mean we would be, we would have a complete breach in our diplomatic relationship and we would get our, our allies and partners. We would say this is a, you know, a go no go in your relationship with us, that you will join us in this economic pain that we’re about to put on them or this kinetic pain that we’re about to put on them. That would be, you know, an act of war. But in cyberspace it’s perceived as, hey, that was some. I might, somebody might have caught what Director Wray said. The vast majority of Americans don’t care what’s said at congressional commissions, they don’t read those articles.
66
00:01:05,000 –> 00:01:06,000
Mark Montgomery [00:25:21]: And so China’s getting away with a lot of provocative behavior. And, and it’s, they’re setting a bar of what we probably have to accept, you know, in a crisis or contingency because we’ve accepted it prior and we won’t want to be, appear to be escalatory. That’s the, the ugly that the kind of, the most…
67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:25:39]: How can we be more escalatory? What more could they do?
68
00:01:07,000 –> 00:01:08,000
Mark Montgomery [00:25:42]: I think you have, first of all, you have to respond every time. If you don’t, you establish a new bar of acceptable behavior.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:25:47]: And others who are watching.
70
00:01:09,000 –> 00:01:10,000
Mark Montgomery [00:25:49]: That’s right.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:25:49]: How you respond, right?
72
00:01:11,000 –> 00:01:12,000
Mark Montgomery [00:25:50]: Think about Sony, I mean, what North Korea did to us. And then it took us like four months to attribute it. It took us about a year to do something back. And what we did back was we indicted three or four North Korean military officials who I’m confident were immediately invited to Pyongyang for their award ceremony. And no one was extradited and we knew no one would be extradited. So it was almost like theater.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:26:15]: It was Seth Rogen’s movie that triggered it, right?
74
00:01:13,000 –> 00:01:14,000
Bill Evanina [00:26:18]: I would say to amplify the Admiral’s point, I think when we look back the last 15 years, when we attributed the PLA attacks in 2014, it was a big deal in the interagency because no one wanted to attribute to a nation state threat actor that there was this, and on the global scale, Xi was really embarrassed. Embarrassing an emperor was a big deal. So the next four or five years, up to the infamous meeting in the Rose Garden, attributing these things to the Chinese Communist Party and Xi was a big deal for us. It really made a difference. And that was not necessarily deterrent, but it made us feel good. The indictments of people who were never come out of China was just a waste of time. Now because it’s happening so frequently, even the embarrassment on global stage is problematic because Xi and the CCP don’t care anymore. So I think, to Mark’s point, we have to find new ways to push back.
75
00:01:14,000 –> 00:01:15,000
Bill Evanina [00:27:07]: And you look back even to the OPM data breach 20 million Americans have, and then more importantly, Equifax, when every American had all their financial data stolen by the Communist Party of China because they wanted algorithms and business processes. We have to find a way to fight back because as Mark mentioned, that level gets larger. And the last point, I’ll, think about this. As Americans, you’ll think back to 9/11. Our want to retaliate is predicated upon the loss of human life. And until we have lives that are lost because a Volt Typhoon shuts off an energy grid and people die because they freeze to death, I don’t see a policy that comes forward that has enough strength that Angus King would like that we could put some pressure and deterrence on the Communist Party of China.
76
00:01:15,000 –> 00:01:16,000
Mark Montgomery [00:27:52]: That reminds me, I’m glad you brought that up. You know, I used to say, I agree with you that people have to perceive that there’s loss of life. We do have loss of life in cybercrime, in ransomware, on hospitals.
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:28:03]: Absolutely.
78
00:01:17,000 –> 00:01:18,000
Mark Montgomery [00:28:03]: There’s an absolute like 21, 26% morbidity rate change in the hospital over that five weeks. Now, I’m gonna be careful how I say this, we all have elderly relatives, but the people who are dying in hospital are elderly people. And if four 90 year olds died instead of three, it’s very hard to have accountability for that one was the one. Now if you’re in an ambulance, head up to hospital, they just had ransomware errors in the ER and you have to go to another one 10 miles away and you die en route, your family’s got a good lawsuit. But until we have more and more experience of this, I think we all know the companies we talk to, their desire to do cybersecurity work is directly tied to the last incident they had occur to them or a neighbor close enough that they trust their reporting. We need, we have to be able to make a compelling message that what happens in criminal behavior, what happens here with Volt Typhoon matters to you as Americans, whether it’s to you personally or to the critical infrastructure you rely on.
79
00:01:18,000 –> 00:01:19,000
Mark Montgomery [00:28:58]: Until people believe that it matters to them, we’re not going to get the kind of actions we need. And the Senator Kings of the world will be disappointed in the response they get to requests for deterrence, for actions to support deterrence.
80
00:01:19,000 –> 00:01:20,000
Brad Medairy [00:29:12]: I think probably the biggest, you know, I remember back on Colonial Pipeline when they were attacked with ransomware and it shut down almost the entire east coast from a travel perspective for four or five days, it’s really significant. And so I think that that started to condition the public, but that’s long out of sight now. And so there have been some other events like the meatpacking plant. I remember my kids were upset because they couldn’t have Chipotle one day. But the reality is we haven’t really seen the implications of cyber effects on, on our everyday life.
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:29:44]: Or people don’t see how the unintended consequences…
82
00:01:21,000 –> 00:01:22,000
Mark Montgomery [00:29:51]: That’s a great one. On the agriculture, the meatpacking plants. Perfect one. So Colonial happens. We actually got changes to pipeline cybersecurity because enough people were pissed, and there was enough, Repeat, CBS and 60 Minutes. And it went on and on because…
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:30:03]: I think we had a piece in NBC.
84
00:01:23,000 –> 00:01:24,000
Mark Montgomery [00:30:05]: Yeah, United. Yeah. So, but on the food and ag, you know, on the meat processing, because it went away without like a, you know, couple picnics might have gotten ruined, but the reality is it was came and went rapidly. If you look at the Department of Agriculture, they’ve done nothing. Four years later, they’re still spending $250,000 on critical infrastructure support to the private sector, which us government officials know is one full time equivalent, one human being running a website. It’s not how you support tens of thousands of farms, meat, you know, food processing plants, shipping plants. So you’re absolutely right.
85
00:01:24,000 –> 00:01:25,000
Mark Montgomery [00:30:42]: It has to be, unfortunately, what the American public needs to take action is four days of no gas at the pump, flights canceled, people pissed, then you get action. And unfortunately, and even then it does dissipate over time. I would prefer that the government solves issues without getting kicked in the teeth repeatedly.
86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo [00:31:03]: You and me both. It sounds similar to getting the government open. It takes some of these. But Brad, anything you want to add?
87
00:01:26,000 –> 00:01:27,000
Brad Medairy [00:31:10]: Yeah, just, I mean, like this conversation, this last conversation, I mean, I think we all hit on it. Right? The strategic question is what is the red line? And then what happens when you cross it? I Just don’t think we have a good or a consistent answer for that. And I think that’s something nationally we need to address.
88
00:01:27,000 –> 00:01:28,000
Frank Cilluffo [00:31:25]: And we are addressing that in our national security task force.
89
00:01:28,000 –> 00:01:29,000
Bill Evanina [00:31:28]: Just to again double down on Brad’s comment, I think also the government has to be careful that as things happen and occur at a more frequent and more devastating pace, on the Volt Typhoon, Mark’s perspective, what happens if someone does die and we have multiple deaths or hypothetically we have a train derailment and it’s attributed back to China and no one, I don’t want to see US Companies retaliating against the Chinese. Right? And I think at the end of the day, there’ll be enough pressure that someone wants to retaliate independently and the government needs to be able to do that prior to U.S. businesses because they can. We can’t allow that to happen.
90
00:01:29,000 –> 00:01:30,000
Frank Cilluffo [00:32:04]: Good point. That is a big discussion. We’ve covered and want to as well. But I want to turn to this week, President Xi is likely sitting down with President Trump in South Korea and in all likelihood, critical minerals is going to dominate the discussion. A lot of trade discussion. Where should cyber fit into all of this?
91
00:01:30,000 –> 00:01:31,000
Mark Montgomery [00:32:31]: Well, it’s not going to. I mean, that’s the truth. I mean, the truth is it’s not the hot topic. Right now, there are a number of hot topics, critical minerals, tariffs, oil purchases from Russia, support to Taiwan. I do not think you’re going to get through those thicket, those thicket of issues to get to cyber. Should it be on the table? Yes. Will it be on the table? Almost certainly no.
92
00:01:31,000 –> 00:01:32,000
Frank Cilluffo [00:32:54]: Brad, any thoughts on that?
93
00:01:32,000 –> 00:01:33,000
Brad Medairy [00:32:56]: I mean, I think Mark hit it well.
94
00:01:33,000 –> 00:01:34,000
Frank Cilluffo [00:32:57]: Bill?
95
00:01:34,000 –> 00:01:35,000
Bill Evanina [00:32:58]: I just want to amplify, I think when you look at the current ongoing dynamics of discussion that’s going to be predicated by this meeting, cyber’s probably 37th on the list. However, depends on how you bring it up to the president. Right? If you approach the president, hopefully his advisors are talking about Volt Typhoon and using the metaphors that Mark talked about, those backpacks of explosives on critical infrastructure, the way you talk about it matters. And then, you know, the $600 billion a year we’re losing in intellectual property theft, but I think that number will get the president motivated to at least bring it up as a talking point.
96
00:01:35,000 –> 00:01:36,000
Bill Evanina [00:33:33]: I agree. I don’t think it’s going to be. But I think there are ways to get the president of the United States motivated to use these talking points.
97
00:01:36,000 –> 00:01:37,000
Mark Montgomery [00:33:39]: Yeah. If you could monetize the impact of China’s aberrant behavior. That’s probably the, I think that’s the most easy way to get to this President. He does not like getting money taken from him or stolen or the perception that someone got a better deal.
98
00:01:37,000 –> 00:01:38,000
Frank Cilluffo [00:33:58]: But it is having massive economic implications.
99
00:01:38,000 –> 00:01:39,000
Mark Montgomery [00:34:01]: So you got to get that, like Bill said, someone’s got to get that story across to him.
100
00:01:39,000 –> 00:01:40,000
Bill Evanina [00:34:04]: And again, the process is unknown currently how that works, how do the advisors get to the President? How does the intelligence community, how do talking points get there? It’s changed new world. But I think if the President knew that just from the theft of intellectual property and trade secrets is $4,000 per American family after four, I think the President can use that talking point. Right? I think it’s important for him to understand that the monetization of cyber is real.
101
00:01:40,000 –> 00:01:41,000
Brad Medairy [00:34:29]: You know, as a cyber community, we tend to think about the cost that we incur in terms of infrastructure modernization and cyber defense, and then we tend to talk about the risk it poses to our citizens, but we never actually talk in general about the cost it imposes to us from a business perspective, right? If you look at the next gen Chinese strike fighter, right, it looks a lot like the F35. Well, that’s a tremendous amount of cost avoidance that they had through espionage. Right?
102
00:01:41,000 –> 00:01:42,000
Brad Medairy [00:34:57]: If you look at the drug community in terms of all the, the formulas that have been stolen and reproduced in China, you can actually quantify and measure the economic impact there. It’s an interesting conversation.
103
00:01:42,000 –> 00:01:43,000
Mark Montgomery [00:35:08]: That reminds me, and I’m not volunteering you or I for this since we’ve done our commission time, but the Blair commission needs a refresh.
104
00:01:43,000 –> 00:01:44,000
Frank Cilluffo [00:35:15]: Blair did a great job.
105
00:01:44,000 –> 00:01:45,000
Mark Montgomery [00:35:16]: He did. Admiral Blair’s commission on the cost of intellectual property theft writ large, of the kind of cyber enable intellectual property theft writ large was very useful. I do think it’s getting dated. I think the numbers are high.
106
00:01:45,000 –> 00:01:46,000
Frank Cilluffo [00:35:34]: Six years ago, eight years ago.
107
00:01:46,000 –> 00:01:47,000
Mark Montgomery [00:35:36]: It had some updates like ours, but you know, it’s still, it is old now. I think that needs to be, and you know, the beauty of that is that coming out and being put on the President’s desk that, you know, is, as Bill implied, I think that’s how you get it to them. I’m not saying that the intelligence community should do it. I think it’s, that might be. I don’t know if that’d be distracting or not for them, but someone needs to be doing that work and it needs to be, I know they won’t like to hear this, but if we, the government does it, it has to be unclassified.
108
00:01:47,000 –> 00:01:48,000
Mark Montgomery [00:36:03]: It can have a classified annex to show a few nitinoid things. But the broad truth, not just, not just I’ll have some part that’s unclassified. The actual argument has to be unclassified because you have to make it to congressmen who don’t work well.
109
00:01:48,000 –> 00:01:49,000
Frank Cilluffo [00:36:16]: You have to make it to the American people.
110
00:01:49,000 –> 00:01:50,000
Mark Montgomery [00:36:17]: Yeah, you have to make it to the people, the press.
111
00:01:50,000 –> 00:01:51,000
Bill Evanina [00:36:20]: I would profit that the information, I concur wholeheartedly that that message can be brought to like the President by like the Business Roundtable, like, you know, Jamie Dimon and crew. They’re the ones that are victimized by this intellectual property theft. Their banks, their holdings, the private equity and venture capital, people that are investing in technology and AI development who are continuing to be victimized. I think that message is strong enough the president to get motivated by, to be able to use that as an underpinning. And also if you want to get the President motivated by the previous administrations, you know, he could talk about how XI embarrassed Obama in the Rose Garden. Right? And don’t let that happen to you, Mr. President.
112
00:01:51,000 –> 00:01:52,000
Bill Evanina [00:36:55]: I think there are some ways to motivate the President to use cyber with the big C as part of one of these talking points this week.
113
00:01:52,000 –> 00:01:53,000
Brad Medairy [00:37:03]: I also think just in terms of educating the public, right? We’ve been talking for, you know, the cyber community by nature are fear mongers, right? And so we’ve been talking about like a cyber 9/11 or a cyber Pearl Harbor for 15 or 20 years, right? Yet nothing’s happened. And so people are just skeptical. Oh, this cyber thing, everyone keeps saying it’s going to be bad, but I don’t see anything. I can’t touch or feel it. But when you start talking about the economic impact, it’s measurable and it’s a way to actually I think connect with the public. When you say, oh, this is how much money, this is the economic cost to us as a nation, it’s much easier, I think, to rally support and get people’s minds wrapped around it.
114
00:01:53,000 –> 00:01:54,000
Frank Cilluffo [00:37:42]: And it’s jobs and it’s innovation and it’s why people wake up elsewhere in the world wishing they were born in the United States, not Beijing. So I think there’s a lot to that as well. 2027 is around the corner. What should we be thinking? And this is lightning round.
115
00:01:54,000 –> 00:01:55,000
Mark Montgomery [00:38:03]: Well, first of all, as I’ve told you, the actual year is now 2030 because we made investments. But the metaphorical 2027 I would actually make just for our discussions, 2028 is the right year. That’s the re election. The election in Taiwan and the beginning of our own presidential elections. I think that’s prime hunting ground for Xi. So when I think about that time, it’s about we have three, three elements to get better. Industry’s investment in cybersecurity, the government’s investment in being a good partner and the actual execution of that collaboration.
116
00:01:55,000 –> 00:01:56,000
Mark Montgomery [00:38:35]: All three legs of that stool have got to get stronger year over year. You can’t just have the, you know, 10 banks kicking ass. You know, you can’t just have regulation that’s successful in nuclear power and in flight safety. You know, we need to have, we can’t just have incentivization and grant programs in electricity because their congressional committees are more effective at getting it into the appropriations. You got to consistently have all three legs of the stool strong across 16 or 19 or 20 critical infrastructures. However you count them, that’s how you’re successful. And all of that is iterative and boring and the hard work of governing a country that needs an executive branch and a legislative branch working on it.
117
00:01:56,000 –> 00:01:57,000
Frank Cilluffo [00:39:20]: And I might note, Mark, you’re doing some really important work, tabletops and exercises between US and Taiwan. So thank you for that. Brad?
118
00:01:57,000 –> 00:01:58,000
Brad Medairy [00:39:32]: Yeah, as I think about the next couple of years, we’ve talked here consistently about escalation. And in the past cyber was about maintaining stealth and doing things discreetly. I think what we’ve seen through this period of escalation is it’s no longer about stealth. No one worries about attribution. They worry about kind of pre staging and getting effects and outcomes. And so I think we’re going to see increasingly more visible activity. That’s one. The second thing is we’ve talked about escalation. It’s going to hyper accelerate.
119
00:01:58,000 –> 00:01:59,000
Brad Medairy [00:40:08]: The last piece is I think it’s going to be the future is going to be about speed. We are in, you know, if you think about like Chat GPT, Chat GPT is what, like three years old. And so it’s still, you know, we’re still in our infant days of the AI acceleration. But China is heavily investing in AI. Their offensive cyber tradecraft is going to be AI enabled. They’re going to be able to deliver effects and capabilities at pace that we, we never imagined. And you know, as a nation we’re obviously investing heavily in AI and in leading the world in many areas there. But the future is going to be defined by, you know, this AI centric warfare and it’s going to be, it’s going to be a fight.
120
00:01:59,000 –> 00:02:00,000
Frank Cilluffo [00:40:49]: I think you’re right about that. Hypersonic, space, cyber, those are the big three cards we’re looking at. All powered by AI.
121
00:02:00,000 –> 00:02:01,000
Brad Medairy [00:41:01]: And actually just one last point, the other piece is just this whole continued fusion of cyber in the physical world. You mentioned space and hypersonics and everything now is hyperconnected and the future risk is more so not necessarily around enterprise and digital networks, but all of the physical world that is connected.
122
00:02:01,000 –> 00:02:02,000
Frank Cilluffo [00:41:21]: Bill?
123
00:02:02,000 –> 00:02:03,000
Bill Evanina [00:41:22]: I just want to amplify both of the comments of my colleagues here which are spot on. I think from my perspective I want to boil down to just, Mark used three legs of a stool, I’m going to use two bicycle wheels here. As I talk about this in the corporate world with clients in academia, I always use the 12 month rule because we went to 27, 26, 30. I don’t think anybody really knows. So I use a 12 month rule. Let’s pretend it happens in 12 months. I think two things fundamentally have to happen in the US. I’m looking at specifically from a domestic landscape.
124
00:02:03,000 –> 00:02:04,000
Bill Evanina [00:41:55]: Number one, we have to find a way to incentivize US private equity and venture capital banks from not investing in Chinese capabilities and tools to enhance their ability to invade Taiwan. It’s just problematic, right? We have to find a way to disincentivize that investment over there to help them on their civilian military capabilities. That’s number one. Number two is domestic preparedness. Think about what we talked about here the last 40 minutes and talk about, you know, not only Salt Typhoon and mostly Volt Typhoon. We have to get in a position to enhance and maybe influence the corporate world to prepare for what’s going to happen if Taiwan comes in the picture and China makes a decision. As Mark talked about…
125
00:02:04,000 –> 00:02:05,000
Frank Cilluffo [00:42:36]: And you have no chips available or anything else.
126
00:02:05,000 –> 00:02:06,000
Bill Evanina [00:42:39]: If you think that Volt Typhoon doesn’t, isn’t predicated upon this, you’re crazy. Right? The ability to set the place these disruptive capabilities is primarily for when you make a decision to go to Taiwan. So there’s no appetite and bad things happen here. We are not prepared for that. So my admonition is domestically, we, regardless if it’s in 2027 or 2030, we have to expeditiously get into place where we could harden ourselves so that trail, the railroad could work, the ports work, the electricity grids work. We’re not ready. We’re nowhere near ready.
127
00:02:06,000 –> 00:02:07,000
Bill Evanina [00:43:13]: But we have to get there as soon as possible.
128
00:02:07,000 –> 00:02:08,000
Frank Cilluffo [00:43:15]: Well said. That will be the last word. There’s so much more to unpack here. Let me just remind people read our report. Gentlemen, thank you so much. For spending some time with us today, for putting in the blood, sweat and tears into our research here. And thank you. Thank you for your leadership.
129
00:02:08,000 –> 00:02:09,000
Mark Montgomery [00:43:35]: Thank you, man.
130
00:02:09,000 –> 00:02:10,000
Bill Evanina [00:43:36]: Humbled to be here.
131
00:02:10,000 –> 00:02:11,000
Brad Medairy [00:43:37]: Thanks.
132
00:02:11,000 –> 00:02:12,000
Frank Cilluffo [00:43:38]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.