CyberWire Daily - CyberWire Daily at 10: The evolution of geopolitics and warfare. [Special Edition]
Episode Date: May 10, 2026
In this special edition of CyberWire Daily’s 10th anniversary series, N2K CyberWire's Maria Varmazis and Dave Bittner discuss cybersecurity geopolitics and warfare that have been in the news over the past 10 years. We begin our conversation around the supply chain malware from the destructive NotPetya campaign out of Russia, then Maria and Dave highlight: Olympic Destroyer disrupting the Pyeongchang Games, Cozy Bear's SolarWinds espionage campaign, the Colonial Pipeline ransomware disruption, Russia’s full invasion of Ukraine paired with Viasat hack, Iranian hackers attacking ICS devices at water treatment plants in Israel, and China's Volt Typhoon and Salt Typhoon intrusions in critical sectors. Join us as we reflect on the escalation from election interference and disruption, to espionage and ransomware as national security crises, to integration in kinetic war, and now expansion into space, with AI-driven defenses and NATO codifying cyber as a collective defense domain.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, Maria Varmazis here, and thank you for joining me today.
The party's still going strong for our celebration of 10 years of the CyberWire Daily.
So in today's N2K CyberWire special edition episode, as we look back at 10 years of the CyberWire,
I am, of course, chatting with Dave Bittner, host of the CyberWire Daily.
And in this chat, we are talking about the complexities of geopolitics and warfare as we look back on the last 10 years of cybersecurity headlines.
Well, it is my distinct honor yet again to bring back Dave Bittner, host of The CyberWire.
Hi, Dave.
Hello. Good to be back.
Yes, imagine. We're talking to you today of all days about your show.
It's Maria, right?
Yeah, nice to meet you.
Nice to meet you.
I appreciate that, Dave.
And the occasion that brings us together is, as we've been covering for quite a little bit now,
the 10-year anniversary of the CyberWire Daily and all of the incredible stories that the show and you have been covering over the last decade.
And for our chat today, we're going to take a focused look at geopolitics in the last decade as it relates to cybersecurity and the many, many stories in that realm that you have taken a look at in that time.
So, gosh, to start to cover geopolitics, I think a few things have changed in the last decade.
One or two.
Just a few.
I mean, 2015, 2016 was a millennia ago.
I know.
Not literally, but kind of.
Yeah.
Well, I'm still battling the reality that post-COVID time has no meaning.
But I really enjoyed looking back as I was prepping for our conversation today.
There were a lot of things that I hadn't really considered in a while.
And when you kind of lay them all out in front of yourself,
you see that, yeah, there has been a lot of change over the past decade
when it comes to a lot of this geopolitical stuff.
It's a feedback loop, isn't it?
It is. It is.
I think one of the things that strikes me is just that it's become constant.
Like, it used to be that you'd have something like the OPM breach,
which was more episodic.
Ooh, something happened
and oh, there was a breach
or oh, the data got stolen
or, oh, there was some ransomware.
And it's just, it's everywhere now.
It's daily, thank goodness for us.
Yeah, there's a low-level drone
of this stuff that is all the time now.
And so that's the new reality.
That's where we are.
Yeah, was there anything,
a leading question,
but anything that contributed to that,
that shift, because that is quite a change from what the landscape looked like, at least for
the civilian side of things, that, you know, now, as you said, that drone of continuous threats,
especially on that international scale, it is quite a shift. What do you feel has contributed to that?
I think geopolitically, it's the reality and the recognition from nation states that
cyber is a domain without the usual borders and also you get a huge return on your investment
if you in you don't have to build an aircraft carrier to force your influence around the rest of
the world and we've seen that with things like influence operations from the Russians
and uh Chinese stealing um uh information from our organization our companies our organizations
supply chain issues, all those kinds of things.
Again, they're a day-to-day thing now, and they weren't always.
That's for sure.
Yeah, I think as we start thinking about specific incidents and threats,
the one that definitely, I'm sure for most of our listeners would come to mind as we look back the 10 years, NotPetya,
and how seismic Petya and then NotPetya
truly were, and everything that has come after that.
Can you talk us through that one a little bit?
Because that was such a huge, huge thing when it landed.
Well, I think it was the one that sort of opened everybody's eyes
and thought it can happen to us, right?
You have a global disruption of the supply chain,
you know, major supplier gets hit
and everybody starts worrying that,
maybe our global economy is a little more fragile than we thought it was.
So it certainly got everybody's attention, made everybody feel like it was real.
And, you know, it's in everybody's consciousness ever since.
That's very true. That's very true.
And another thing, as we look back on the last 10 years,
2022 was the start of the war in Ukraine.
And it's still ongoing.
the fallout from that is certainly global,
especially when we're talking within the cyber realm.
What are the geopolitical shifts within the conflict
that you think have fed into the cybersecurity realm, as it were,
like the nature of the threat?
Yeah, I mean, there's this whole idea
that the war in Ukraine has been a bit of a laboratory
for cyber war, for modern cyber war,
the integration of cyber and kinetic battle
using cyber alongside your battlefield operations.
Again, information operations, which is top of mind for the Russians.
It's always been something they've had up their sleeve,
but it feels like cyber has been an accelerant for that,
for them to be able to do the things they do.
And then also, I sort of related to, I think it started in Ukraine,
but related to what we're seeing now in Iran
is seeing inexpensive technology being used in warfare,
little consumer drones, consumer electronics,
routers, Starlink, all these things that are not mil-spec, you know.
Such as it is.
Right, whatever that means.
Yeah.
But they're off-the-shelf tools that,
hook themselves up to the cyber and have allowed folks to have an unfair advantage or at least
maybe not as much of an outsized disadvantage against a larger, more capable adversary.
Speaking of adversaries, and again, we're based in the United States, so this is our very
U.S.-centric point of view, so just owning up to that. But when we think about, in case that
wasn't obvious. When we think about, you know, the adversarial nation states, often Russia,
China, North Korea, those are the names that commonly come to mind. Iran, of course, as part of that
as well, has been. But things have shifted in that arena as well in terms of nation state strategies
against other nation states and also against private enterprise. It's all in the mix. Over the last 10
years, again, big shifts. Anything notable that you want to highlight on that front? Well, let's look at
China, who famously, I think they play the long game, and we're in the middle of that long game.
Who knows how long it is? We might be in just the beginning of it. But we've seen that they
have positioned themselves in our infrastructure. They have access to supply chain. So many things
get manufactured in China that it's, and the manufacturers are obligated
to do what the Chinese government wants them to do.
So I think there's a legitimate concern from nations like ours
to think about what might be in the firmware,
what might be in our supply chain.
We certainly found them in our telecommunications infrastructure
with the various Typhoons, Volt Typhoon,
Salt Typhoon, and those sorts of things.
So they're more looking for
long-term economic influence and advantage rather than turning the lights off, which I think is the fear
that we have from, say, Russia or Iran of messing with our critical infrastructure. It seems like
China's really interested in gathering information, knowing what we're up to so they can leverage
that knowledge to their own advantage. And it leaves defenders in a really,
a bit of a bind, truly, when you're thinking about potential supply chain attacks or just
issues from within the supply chain. And specifically, if we're talking about devices from China,
in many cases, they're the only source for some of these things, many things that are made.
There is no domestic supplier for not just some, many of the things that a lot of modern IT
infrastructure relies on. So it leaves defenders in a quite difficult position.
And I'm wondering, what is the advice that we, that defenders should be
applying in their day to day?
Or what can we tell them?
What should they be doing in light of all that?
Well, I think ultimately, I mean, it's defense in depth, right?
So you can't rely on only one thing to protect yourself.
So you do your due diligence to check to make sure your supply chain is as secure as it can be,
but then have defenses in place on the chance that it's not because it might not be.
And so, look, we're seeing again, to the present day, who thought we would see the rest of the world being so interested in digital sovereignty because of the actions of the United States, the major players, the Microsoft, Google, Amazon, we're seeing other nations building their own infrastructure because they're not sure they can depend on us as good partners in a way that they had assumed that they could in
prior years. So I don't know the degree to which people saw that coming. I certainly didn't. I don't
know about you. That was a blind side for a lot of us. Yeah, I did not. I am still reeling from it
personally, honestly. And given the conversations that you've had, especially in the last few years,
I'm wondering if the nature of what you're hearing from people that you've interviewed,
when geopolitics, but maybe also specifically supply chain issues,
has the nature of that conversation changed?
I mean, are there new worries, anxieties?
What are you hearing that is trend-wise that has changed?
Yeah, I mean, I think it's top of mind for a lot of people.
They understand that the threat is real.
They understand that there's only so far down the supply chain ladder that you can go
to trust but verify.
And like you said,
so many things come out of other nations
who are potentially adversarial.
I mean, look at how many of us
are carrying iPhones around, right?
Who makes the iPhones?
Where do they come?
Now, so who are we trusting?
We're trusting Apple to do their due diligence.
But, right?
The thing, so at some point,
you have to trust someone.
I want to let that marinate for a second
because it's an important point
but it's also
makes me kind of recoil
I don't know why
just viscerally it makes me go yeah but
and yet
what is probably the most
popular thing that we've seen
or one of the
let's say top five things
that's come to the fore
in terms of strategies
is zero trust architecture
so you don't want to trust anybody
right?
Where does it leave us, truly?
Right.
Well, you have to strike that balance.
And, you know, I guess it's the old Reagan saying, trust but verify, only trust so far and do your due diligence.
And zero trust is a way to be constantly challenging the trust to make sure that people are only getting access to what they need to when they need it.
And I think that's wise.
So the rise of zero trust and its adoption by governments, you know, the feds really jumping in with both feet with zero trust, I think shows that that's probably where we're headed going forward.
When I think on the last 10 years, I think we talked about this in our last chat, the rise of ransomware and its efficacy and also where we're seeing it, the systems that it's taking out, I think if you would ask me 10 years ago, where,
where it would be most effective.
I'm not sure I would have said,
oh, definitely, you know,
on a large scale nation state level,
would we be seeing ransomware being a serious threat?
I would have thought maybe enterprise only.
And yet these lines have become so blurred.
I don't know if that's maybe a theme of the last 10 years,
but truly critical infrastructure's in the crosshairs
with things that we might have thought of
as sort of business level nuisances.
Where do we go with that?
What do we do with that?
Just thinking about the lines being blurred between
things that are critical
military or government level
infrastructure and the commercial world
I don't know
I have this mentality of these two worlds
being more bifurcated but that is a very
outdated model clearly
yeah I've wondered for
several years now and I remember this
being a question that I was asking
early on with you know folks who
know way more about this than I do
was why don't we
see brighter lines drawn in the sand
when it comes to a lot of these things
And the answer seems to be that governments don't want those lines to be there.
They want to have the flexibility to do, I'm putting air quotes, what needs to be done
when they decide something needs to be done.
So if your ransomware operators are to your advantage to have them around when you need
them, then we're going to let them operate.
We, I'm just saying us, the U.S., I'm going to put them,
us in the good guys category here.
I know people will take,
people will perhaps justifiably take me to task for that,
but for the sake of this particular argument,
let's accept that,
that we don't want to draw sharp lines ourselves
because we want to have the flexibility
to use whatever tools we think we need to use
against our own adversaries.
So there are things that I continue to scratch my head over,
like why aren't hospitals off limits?
There seems to me like there are some basic rules of humanity that we should be able to all agree with.
And if there was a way, for example, you know, the Russians are famously forgiving and tolerant of their ransomware operators.
Well, if the Russians said, okay, we're tolerant, but no hospitals, right?
I think we could all agree on it.
I don't see the controversy there.
is a basic law of warfare, right?
You don't bomb hospitals.
And yet here we are.
And yet here we are, yeah.
Right.
So I think there are frustrations because I think there are,
there's low-hanging fruit that people could agree on.
Perhaps if we wanted to start with some international treaties over cyber things
that ransomware not going after hospitals would probably be a great
first step. Nice place to start. Yeah.
Yeah, but we're still resisting that.
And on the one hand, I get why, but on the other hand, I sure would love it if we could do better.
Yeah, amen to that. When I think about geopolitics last 10 years as we are right now,
attribution is another word that comes up for me as something that has really changed.
Again, this is just my recollection from before the last 10 years, but I remember people being
a lot more cagey about attributing anything, especially to a nation state. And that seems to have gone
completely out the window. At this point, it's almost like there's a rush to attribute.
That feels like a big change to me. I'm curious your thoughts on that.
Yeah, I think that's right on. And I think we have all these named threat groups now,
whether they're one of the Fancy Bear or one of the UNCs or, you know, depending on who's naming
them, they have all kinds of different names. And that's another point of frustration.
Sometimes many at once. I wish, yes, I wish we could settle on it.
and I have my own thoughts about giving bad guys cool names
that sound like they're out of Marvel movies,
but we'll set that aside for the moment.
Yeah, I think you're right.
People are less cagey.
There's a greater expectation.
We know what sort of tradecraft comes out of different places,
so we know what to expect,
and I think it's easier to put a label on things.
There's still organizations out there
who are intentional about
not signaling attribution.
So there are people who still think it doesn't matter.
Yeah.
I don't know that I agree with that.
I think it's helpful to know where something's coming from
so that you can use that context to help inform you
and help you defend yourself and so on.
But I think you're absolutely right that attribution has become much more routine
and just a part of the daily back and forth.
It is interesting to me how, however, again, being in the U.S. and being U.S. centric and everything that we do pretty much flowing through our own news organizations, how unusual it is for the U.S. to be tagged as.
I was just thinking that.
I was just, I was like, do I say something?
I'm going, when's the last time I've heard, oh, this was a U.S.-based attack.
I'm going, I can't really.
I mean, it's happened, but not as much.
It happens. Every now and then, you'll hear somebody allude to it or, you know, a chance.
And a lot of times just when something gets uncovered that's been around for a while,
like we had the thing that just in the past week or so, it was something that predated Stuxnet.
It was.
Yes, I remember. Yeah.
They were sneaking in faulty versions of simulation software that would spit out bad answers.
And clearly that came from us, but there's been a long time since whatever.
that was one out. So I don't know. It's interesting to me that we don't see attribution to
ourselves to the degree that we see the other folks. That makes sense. But I wonder, you know,
I imagine that's going to change. Yeah. And if the Chinese or the Iranian or the Russian version of
the CyberWire Daily, are they every day talking about, you know, Screaming Eagle or something,
some orange Cheeto? I mean, yeah. I mean, some, some American name, right? Something, right, something that's hilarious to them but,
uh, slightly offensive to us. Yeah, no, I, I bet, I bet that's a, that's just a, maybe a language barrier on our side.
But I also have to imagine, uh, given the lag in understanding about Stuxnet, for example, eventually
more is going to be uncovered and we'll update our understanding retroactively. But I think, I think
I've got, if I was going to make a prediction, I imagine that that would be
a big thing that will change, but I'm curious
about your predictions, Dave.
As you look as you look to the next 10,
see what I did there.
Well, obviously, the big thing is AI
and we can't go.
Everybody drink. He said it.
We were so close to getting through this one
without summoning it.
Oh, oh.
And it's a wild card, isn't it?
Because we don't know
how viable it is.
We're throwing all this money.
We're throwing all these resources,
all this electricity,
all this water at AI.
And I think there's general agreement
that it can't go on the way
that it's going on right now.
Right now we're in the land grab part
where everybody's trying to be the dominant force
in this.
I understand that.
But at some point it's going to shake out
and people are actually going to have to make money
so what does that mean for the future of it
who will be able to afford to have these tools
and what does that look like as we go forward
will certain
tiers of AI tools only be available to nation states
maybe maybe not
we've got quantum computing
which is you know we joke about
always 10 years out no matter when you ask
but it feels like
it is closer than we've ever thought it was before.
Who was it?
I think Google pushed up their timeline for being quantum safe on some things.
So they're getting some signals that, hey, folks, this is probably real.
So we'll see.
So Q-Day sometime in the next 10 years.
That's a prediction you heard it here first.
Yeah.
But what is it right?
Right.
But I'm not sure we all know exactly what that means.
You know, some of the folks I've talked to have said, be careful.
at how much you place on Q-Day, because while quantum computers are very, very good at certain things,
there's a lot of other things that we rely on computers to do that it's not particularly good at.
So it's, you know, it's not going to be a huge game changer to many of the areas of computing that we rely on day-to-day.
Just turns out it's really good at cryptography, so, which is important.
Oh, it's a good thing we don't use cryptography for literally anything.
Right.
So, you know, it'll be seismic for sure, I'm sure, on an international basis for statecraft and all that kind of thing.
And I mean, that would be my prediction.
But for the average folk, they may not see any change at all.
So who knows?
Right. Will we have a Sputnik moment where all of a sudden there's a beacon that everybody else can't ignore?
Just beeping.
Right.
And do you end, you know, I mean, Sputnik led us to putting men on the moon.
So if we have a Sputnik moment with quantum computing, do we find ourselves in some kind of new arms race or Cold War or who knows?
Hard to tell is what Yoda said.
Always fuzzy the future, always unclear.
Well, any other wit or wisdom, Dave, that we should add before we close out.
I look, I am, I really appreciate this episode because, as I said at the outset, looking back on this stuff was really interesting and a lot of fun.
You lose perspective, I think, as you're doing this day to day and you're looking to the immediate future, which is what we all tend to do in the news business.
So to take a 10-year look back and really see some of the big arcs that we've seen has really been interesting.
Gives me good perspective. And hey, I'll talk to you again in 10 years. Maybe a little bit before then.
But yeah, I hope so. Same. Well, Dave, thanks as always. Uh, yet another fascinating conversation. Thank you
for letting me pick your brain yet again. Uh, and thank you for everything you've done for the CyberWire
over the last 10 years, and long may it continue. No, it's my pleasure. Thanks to our listeners
for making it possible. Uh, it's been great fun. Talk to you soon. Thank you for joining us today.
See you back here next time.
