On with Kara Swisher - Is America Ready for a Full-Blown Cyberwar? with Nicole Perlroth, Michael Schmidt & Lt. Col. Vindman
Episode Date: March 20, 2025

Everything, everywhere, all at once — but not the movie. This is how cybersecurity experts describe a scenario where a foreign adversary shuts off critical infrastructure, like oil pipelines, water networks, ports, and electric grids, all over the country. The terrifying truth is that China has already hacked into our critical infrastructure. They’re “living off the land” and could conceivably attack whenever is most convenient. What’s worse? Our political leaders are defunding America’s cybersecurity efforts. In order to dig in deeper, Kara talks to Nicole Perlroth, Michael Schmidt, and Lt. Col. Alexander Vindman (Ret.).

Nicole Perlroth spent a decade as the lead cybersecurity reporter at The New York Times, before going inside the tent and joining the advisory board of the Cybersecurity and Infrastructure Security Agency and the Council on Foreign Relations’ Cyber Task Force. She is a founding partner at Silverbuckshot Ventures and the host and producer of To Catch a Thief, a new podcast on China’s rise to cyber dominance.

Michael Schmidt is a Pulitzer Prize-winning investigative reporter for The New York Times and the author of the best-selling book Donald Trump v. The United States. He’s also the executive producer and co-creator of the Netflix series Zero Day, a political thriller about a devastating cyberattack on the U.S.

Lt. Col. Alexander Vindman is the former director of European Affairs for the National Security Council. Vindman was a key witness during President Trump’s first impeachment and testified about Trump’s infamous phone call with President Zelensky of Ukraine. He is a senior fellow at the Johns Hopkins Foreign Policy Institute and the author of The Folly of Realism: How the West Deceived Itself About Russia and Betrayed Ukraine.

Questions? Comments? Email us at on@voxmedia.com or find us on Instagram, TikTok and Bluesky @onwithkaraswisher.
Transcript
Hi everyone from New York Magazine and the Vox Media Podcast Network.
This is On with Kara Swisher and I'm Kara Swisher.
Today I'm talking about cybersecurity, cyber attacks, and the potential for a full blown
cyber war with Nicole Perlroth,
Michael Schmidt, and Lieutenant Colonel Alexander Vindman.
Nicole Perlroth spent a decade as the lead cyber security reporter at the New York Times
before going inside the tent and joining the advisory board of the Cybersecurity and Infrastructure
Security Agency and the Council on Foreign Relations Cyber Task Force.
She's a founding partner at Silver Buckshot Ventures and a producer and host of To Catch
a Thief, a new podcast about China's rise to cyber dominance.
Michael Schmidt is a Pulitzer Prize winning investigative reporter for the New York Times
and the author of the bestselling book, Donald Trump v. the United States.
He's also the executive producer and co-creator of the Netflix show Zero Day, a political thriller about a devastating cyber attack on the U.S.
Lieutenant Colonel Alexander Vindman is a former director of European affairs for the National
Security Council. Vindman was a key witness during President Trump's first impeachment
and testified about Trump's infamous phone call with President Zelensky of Ukraine.
He is a senior fellow at the Johns
Hopkins Foreign Policy Institute and the author of The Folly of Realism, How the West Deceived
Itself About Russia and Betrayed Ukraine. So stick around. It's a panel of real experts here and on
an important topic to me.
It is on.
Nicole, Michael, and Alexander, thank you for coming on on.
Thanks for having me.
Thanks for having us.
Thanks for having us.
So I'm excited to have a panel with three smart people from different but related fields.
So let's start by setting the table.
I'd love each of you right now to say, there's so many of them, but what's America's most
worrisome cybersecurity vulnerability
right now? If there's a serious cyber attack or a series of attacks against the US in the
next three years, what will it look like? Nicole, why don't you start and then Michael
and then Alexander.
I think we got a glimpse of it with Colonial
Pipeline. But if you remember, that was a ransomware attack by sort of this bumbling
group of cyber criminals. And since then, what we've seen is China infiltrating
pipeline networks, water networks,
transportation networks, ports, grid.
And they're doing it in a way where all they're doing
is getting in and just making sure that they can stay in
for the event of some sort of geopolitical tensions.
And so what we're really worried about right now
is what we call the everything everywhere,
all at once cyber scenario,
where you wouldn't just have one colonial pipeline,
but you would maybe have five or 10 simultaneously,
not just on gas, but on water networks.
So that's called the long game, essentially.
The long game of being there,
just in case they need to do that.
Michael?
I mean, the whole thing that I have about cyber attacks and sort of attacks in general is like,
how would the country actually respond if something really horrific happened? If there was
something catastrophic that really shut down communications or stuff like water or electricity,
what would the response from the country look like? We all lived through the aftermath of 9-11. We
saw how the country responded to a horrific catastrophic attack. It's hard to believe the
country would be united simply just on fact of what happened, let alone on response.
And I'm a believer that if the society
doesn't have an understanding of what's going on around it,
it's less likely to make the right decision.
So not a technical answer, but I think a larger thing
about the threat that a threat really poses to this country.
That's an excellent answer.
Alex?
I think about it from the perspective of our adversaries.
They think about it in terms of information confrontation with cyber being a component
of that bigger confrontation.
And in the environment where an attack may be, the chances of an attack may be increasing,
we're disarming. And we are adding
chaos to a potential response. I think in line with what Michael said, we don't have a predictable,
reliable response from the federal government. Potentially it's fractured and localized with
different narratives about who the aggressive actor is. I mean, there's a reason to believe that if it was Russia, Trump would
potentially downplay Russia as the threat actor and look for other different excuses. Elon Musk
was talking about Twitter coming down because of Ukraine and that was a false flag. So I think
that's a part of what I see unfolding, disarmament in the midst of increasing threat environment.
Right. So essentially, long game, chaos, and we're not ready at the same time, or we're even worse
than not ready, which is purposely incompetent, essentially. So for the American public, the
chances of cyber warfare actually affecting them can seem remote right now. Narrative fiction,
in fact, is possibly the most effective way to make people wake up to the threat. So let's
play a clip from Michael's Zero Day, which starts with a Wolf Blitzer cameo.
We've received reports not only of widespread outages impacting multiple regional power
grids, but of computer systems that control transportation, communications, and other infrastructure completely
hijacked with safety warnings somehow overridden, early estimates suggest a significant but
unknown number of casualties.
Subway cars and commuter trains filled with passengers found themselves switched onto
the same track, resulting in head-on collisions and mass injury.
So Michael, this show was number one
in English language TV and Netflix earlier this month.
Talk about reactions you've gotten from the viewers.
Did this switch on a light bulb for people?
Or they see it more as a Robert De Niro,
it's going out with Connie Britton sci-fi thriller?
My hope is the former,
but I'm probably gonna say the latter.
Yeah.
I think the thing that that clip tries to show
is something that, as journalists,
we really struggle with.
And Nicole and I both covered cyber stuff together
at the Times about this.
And when I started covering this stuff,
I went to the Department of Homeland Security
and I said, what would a cyber attack look like?
This is like 10 years ago, 12 years ago.
What would it be?
Like, help me tell this story.
You had all these national security officials
going up to Capitol Hill and saying,
there's gonna be a cyber Pearl Harbor, cyber 9-11.
But so I went to them and they had this,
like something that looked like it came from the
1950s, and it had different light bulbs.
They were like, well, if this switch happens, this light bulb goes off.
I remember thinking at the time, man, this is a really hard story to tell people.
You have people really sounding alarms about it, but even in text, I don't know how to bring this to life.
And what the show allowed me and the other creators to do
was to show you what this looks like
in a way that no testimony from someone
on Capitol Hill could give you.
And sure, it's Hollywood, it's dramatized,
but what it is is that it shows people, hey, this is
what this could look like.
And it does it in a way that's accessible on a platform that millions and millions of
people watch and in a forum where they can easily digest it.
And for me, that was really exciting.
So, Nicole, you have a new documentary podcast called To Catch a Thief.
It tells the story of how China used cyber attacks to steal our IP and also hack our
critical infrastructure.
Now, the former has been going on for a very long time, as you know, but the critical infrastructure
is a whole new part of it.
We've referenced this a bit already, but does the cyber threat get enough attention in DC?
President Trump created the Cybersecurity and Infrastructure Security Agency in his first
term, but its funding and staffing are getting cut, it's getting decimated.
And you obviously fired the head of it famously because he said the elections were fine.
So who are the lawmakers and people in power right now who are making it a priority?
Because they seem busy with every other distraction known to man.
Yeah, and I'm just going to back up and say, I did this podcast because I feel like,
and really to Mike's point,
we have failed at every institutional level
to convey just how serious this threat is.
And as we failed to convey it in media,
at the New York Times, I always said,
we need 12 people covering cybersecurity.
I am one person. Mike was covering
DHS, but there was a lot that goes on at DHS beyond cyber. We need one person just covering
what Russia is doing in our infrastructure every single day. We need someone that's covering what
China is doing with the IP theft and now critical infrastructure attacks. And we never did that.
And so it was really hard to tell this story. And I think there are some people in government who get it.
And thank God, cybersecurity is still a bipartisan issue. We are losing support for this on the right
because of exactly what you just said, because it became a political issue with the 2020 elections
and Chris Krebs getting out there and calling it the most secure election in history and Trump never forgave him for that.
Well, he fired him.
Right.
So I think really where a lot of the back channel lobbying going on right now is in
making sure that this administration gets it.
Sean Plankey was just named as the new CISA director by all accounts.
He's a great guy and he gets it.
Inside NSA so far, a lot of the leadership is still there.
And they have a very-
This is a national security agency, just for people who-
That's right, the National Security Agency.
Of course, people on the Intelligence Committee
still see this, Mark Warner is doing a lot on this topic.
But there's no longer someone I could say,
this person in the Republican Party
is being very loud and clear on cyber espionage.
Because?
Well, because everything is changing every 20 minutes. I would have said Marco Rubio really
understands the threat of Russia on cyber and definitely China on cyber.
But watching what happened in the White House in the Oval Office a few weeks ago, I don't
know who is holding the line on this anymore.
Alex, your new book, The Folly of Realism, shows how the US has spent decades misunderstanding
and mismanaging the Russia threat.
In case anyone missed it, the running theme here is that all three of you are trying to
alert policymakers and the public to risks that haven't gotten enough attention, which
is why I wanted to do this.
First to read how the US has responded to Russia's developing cyber program in the last
decade and what is happening now, I would say.
Obviously the Russia-Ukraine war is the first major conflict to involve large scale cyber
operations.
Now more than three years after the full invasion of Ukraine,
what have we learned about the role it's gonna play?
And if there's nobody there, as Nicole says,
on the Republican side and they're running the table,
what happens?
The book makes the point that we keep repeating
the same mistakes of the past.
We make the mistakes of catering to Russia's exceptionalism
and buying into the hopes that we could do more with Russia or succumbing to fears that if we do too much
with regards to Russia, that the relationship could break
or spiral in a dangerous direction.
And we've done this repeatedly across six different
administrations is the point I'm making.
Same thing with regards to
cyber, although we only really started paying attention to cyber over the last 25 years. We
are now in an era in which we are the most transactional. We don't understand any of the
lessons of the past. It's only what's immediately in front of us. So, and he's been in power, he had four years in office.
This is now really like month 60 or something like that of his, of his
presidential tenure, but nothing beyond like last week or the week before, except for some key themes, Russia, good, Ukraine, bad continue on.
Everything else is highly transactional immediately.
What's in front of them.
So, you know, we're looking at a reset here coming between a conversation between Russia and the
United States, Putin and Trump, in which, you know,
we could pivot further down the road of accommodating
Russia, throwing out the playbook on the fact that
we need to be hardening ourselves against Russian
cyber attacks.
We've already kind of unilaterally disarmed on
offensive cyber.
Or it's hard to believe, you know, Trump is going to learn his lesson anytime soon.
But eventually we get to the point where Trump is provoked and is made to look weak and might respond aggressively.
So those cyber threats to Ukraine have increased.
Obviously that's how they began softening up the country, right? That was their first move.
Sure. And I think the fact is that nobody really knows the Russians better than the
Ukrainians. And the Ukrainians are looking and are constantly playing in the Russians backyard
very, very in a sophisticated manner. They might not have all the tools we have,
but they certainly understand the Russians. And the Russians have been attempting to exploit
vulnerabilities, not entirely successfully with regards to Ukraine. Actually, Ukraine has been
very effective at parrying a lot of these attacks on Ukrainian critical infrastructure. That's why
you see hard power, you see missile strikes to do the work that they thought that they might be able
to achieve. It could be through cyber.
Yeah. So, but there are, that's, Ukraine is a bit of a hard target. There are soft targets all around
Ukraine for the Russians to exploit either with hard power or in the cyber domain that the Russians
are aware of and are becoming increasingly comfortable with attacking.
So let's talk about where the cyber threats are coming from domestic groups a little bit.
I'm not going to give away your whole plot, Michael, but there's also domestic threats throughout your series.
What domestic threats concern you most and America's politics become more and more fraught because that's a topic here.
You know, I defer to Nicole on the specifics on who has what capabilities and such, but what we're trying to show and raise in the show is the idea that these tools can be stolen.
They don't have to be created outside of the government.
They can be stolen from the government and whether that is a state actor
or that is someone sitting in their basement, not to simplify it, but that the threat of this
is everywhere and it's not just Russia. It's not just state-sponsored folks. Nicole understands it
better than I do, but what we're trying to say is that this is something that can rear its head from anyone in any different ways.
And in a time in which things are so fraught and so divisive, what does that mean for people
that can get their hands on things like this?
So, Nicole, your whole book was about this, obviously using US government created technology
and then spread all around the
world by lots of people.
So talk a little bit about what's happening because AI is another element here.
It can lower the barrier to entry for hackers.
AI enabled military systems are vulnerable in the way traditional systems aren't.
AI powered cybersecurity tools can also be very powerful.
In the end, talk about that impact and non-state actors in exploiting all this technology.
Well, you know, it really is the perfect weapon, which is the name of another of our colleagues'
book, David Sanger's book, because all of these tools can be developed, reverse engineered,
fired back on their maker. Yes, the US bears some responsibility for launching
probably the most sophisticated cyber weapon of them all,
Stuxnet with Israel on Iran's nuclear facility
way back when.
And that has opened Pandora's box.
And right now we are seeing a whole well-oiled economy
of ransomware in particular,
where anyone can pick up these tools.
They don't even need to have any technical savvy,
they can pick up these tools,
rent them and fire them on anyone.
And we've seen American teenagers,
Canadian teenagers arrested in some of these hacks.
And the barrier to entry only gets lower every day
because we've all somewhat come to realize
what a Chinese phishing email would look like.
But now with AI, it's really hard.
But let me just say something on Ukraine. Ukraine's defense is really the deterrence on Taiwan.
China has been watching very carefully how Vladimir Putin's invasion has gone. And they've
watched what we've done with our support, with sanctions, with funding,
with weapons. And now they're watching what we're doing on dithering on that support,
on trying to make a deal on minerals, et cetera. And they're taking the lessons to heart. One
thing I just want to say on what we've been witnessing with China creeping into our water
networks and our pipelines is that this is, to Alex and Mike's
earlier point, really, I think about it as a psychological weapon. We have incredible appetite
in both parties still, maybe it's waning, to support Taiwan in the event of some larger
military conflict. But what appetite will Americans have to support an island
7,000 miles away if we can't get gas for more than three days, or we can't get clean water,
or our water is contaminated? And really the goal with some of these weapons is to basically
win a war without firing a single bullet. Right. And one of the things that makes cyber this perfect weapon is we wouldn't immediately
know whether this is a Chinese cyber attack
or a Russian cyber attack or a ransomware attack.
There are a whole host of possibilities
for false flags, which we saw last week with Elon Musk
accusing Ukraine of hacking Twitter.
And I haven't followed that to its logical conclusion.
But if it's coming directly from Ukrainian IP addresses, then you probably can be 100% sure that it's not Ukraine.
Yeah, right. So we'll come back to Taiwan, but first let's get to the foreign hacking gangs,
which is I think probably did something like this. For example, the Russian-speaking cyber gang
called, I think it's ALPHV BlackCat, hacked Change Healthcare, the subsidiary
of United Healthcare that processed 40% of all healthcare claims and caused chaos for
providers and patients.
A lot of this stuff is not as well known because they try to keep it quiet, obviously.
A few weeks ago, North Korean hackers known as the Lazarus Group stole $1.5 billion in
crypto.
Alex, talk about the relationship between criminal gangs and foreign adversaries like
Russia, North Korea, Iran, and China.
Generally speaking, they do have the tacit permission of these governments to hit American
targets.
It's more than tacit.
In a lot of ways, they're extensions.
It's well documented that the Russians have used Russian organized crime to do some of
their dirty work, whether that's to channel hard currency or just muck around,
mischief make. Think about it from this way. When the Russians want their detained,
lawfully detained folks back, there have been a number of folks that have been cyber actors
that were acting on behalf of the Ukrainian or the Russian government. It wasn't because
they were benign looking to repatriate their folks, it's because these were actors that were serving the Russian Federation.
Like vendors.
Yeah, exactly. So they're on a string, they have some latitude to engage in their own criminal
activity just to enrich themselves, but they are also oftentimes employed as part of the
government apparatus, same thing in Ukraine.
We'll be back in a minute.
So Nicole, in your podcast To Catch a Thief, you quote Rob Joyce, the NSA's former director
of cybersecurity.
He says Russia is like a hurricane, but China is like climate change, right?
Can you talk a little bit about that? What is our offensive against them?
And walk us through their long-term cyber strategy
and defense for their end game.
Yeah, I would say with China,
they've been coming at us for a long time.
They've been coming for our intellectual property.
In some cases, we're only just beginning to see
how that has manifested.
We don't talk about Nortel anymore, but it disappeared long ago and Huawei stole all
of its business.
They've replicated that model across many different industries, solar panels, now electric
vehicles, electric vehicle batteries, genetically modified seeds, over and over again wherever
you look now.
There is a hacking story that no one ever connected the
dots back to this company's bankruptcy, but that is what's happening. And then they've added this
critical infrastructure piece. And what's gnawing at me and why I did this whole podcast is that
this is a very different actor from the one that I was covering at the New York Times 15 years ago.
You know, when China was hacking the New York Times,
they phished us, it was, we didn't update our software,
they took advantage of that.
They weren't a very sophisticated actor.
But these days, there's no doubt in my mind
that they have reached apex predator status.
They are on par with what the US capabilities are.
They have found a way to really utilize their authoritarianism
to their advantage. If you are a hacker in China and you are an elite hacker, you have been
identified very early on in your student life. You are on a track. Maybe you work at a private
company. Maybe you work at Tencent. Maybe you are a founder. Whatever you are, if you have these skills, you are now a gunslinger
for the CCP.
They can tap you on the shoulder at any time and bring you into these operations.
And some of their best people do not work inside the PLA anymore or even inside the
Ministry of State Security.
They work through this loose satellite network of contractors, which makes attribution that
much more difficult.
And what have they done with this entire apparatus that they have built?
They've infiltrated our telecommunication networks, the threat we call Salt Typhoon.
They are inside our biggest telecommunication companies.
We have not been able to get them out and frankly, we probably never will.
And now they are in our water and transport and pipeline and grid networks as well.
So it's not a good situation. And now in terms of what our capabilities are, I do think we've
entered this new era of mutually assured digital destruction. And I was actually very concerned
when Putin invaded Ukraine, when we started escalating how much we were willing to support Ukraine with weapons and funding,
that Russia didn't do more here, right?
That they didn't actually utilize the access
that they already have in too many cases
to our pipeline networks and other critical infrastructure.
And you would have to be a fly on Vladimir Putin's wall
to understand why they didn't take advantage of that access.
But I think it probably comes down to the fact that they know we are in their systems
too.
This idea that we're in their grid, we're in their pipeline networks as well.
Now one point that often gets overlooked when we talk about this is that actually Cyber
Command, which does these operations and NSA, et cetera, is limited by law from hacking certain civilian systems
that could lead to mass casualties.
So we actually have laws that prevent how much we can infiltrate our adversary's infrastructure.
There are no laws like that in Russia and China.
So it's not necessarily an even playing field.
So I saw you smile, Alex, about Russia's a hurricane. Can you talk a little bit about
that? And also, we've talked about Russian cyber operations in Ukraine. You mentioned
Ukraine is successful repelling many attacks, which means they're not as good, right? If
they're having trouble with Ukraine, they'll definitely have trouble with the US. So does
it give the US any lessons in how to fight back?
Cause I suspect we're pretty good at fighting off Russia at this point, or
maybe not, but talk about this idea of Russia as a hurricane.
And I think the
fact is, is it's a microcosm of the bigger deterrence that we've achieved
with regards to Russia.
They understand, um, that they do not want to provoke a direct confrontation.
Now they'll dance around it.
They'll, you know, issue threats, nuclear threats.
They've got this doctrine called reflexive control
that they've really tested over decades.
They understand, you know, what happens when they threaten
a nuclear escalation or an exercise.
We go to the, you know, the darkest place.
We go to the consequence, the nuclear war, without
understanding the probability.
But with regards to lower threats, they believe
that there might be an escalation, a direct
confrontation that could start us on an escalatory
spiral.
They have no interest in doing that.
They're concerned about a direct confrontation with
the West.
They do believe that we're in a lot of ways schizophrenic, but we're 10 feet tall,
and we have lots of capabilities that we can employ, conventional, cyber. And I think they
just are generally deterred by happy to make noise, but directly attacking the United States.
That's a different kind of bar. Different kind of bar, yeah.
Yeah.
So at the end of the day, it just, I think
focus should be on China, as you all pointed out.
It seems like the Chinese attempt though,
reunification with Taiwan is one of the most likely
events that could kick off a full-fledged,
not just cyber war, but other wars.
What are the, what each of you, what are the
chances that China invades Taiwan in the next five
years? And, and if it does, we'll be able to defend against accompanying Chinese cyberattacks that will
come probably before.
Let's hear from each of you, Nicole first, then Michael, then Alex.
I don't think it's inevitable, but why are they hacking into our water networks?
Why are they hacking into these targets that have no espionage value whatsoever?
The only reason you would go there is if you were looking to shut them down one day. And the thinking is that this is all prepositioning
for an eventual invasion of Taiwan. Now, Xi Jinping has basically made this part of his strategy,
and he's talked a lot about reunification being inevitable. And I think he will see his success, his legacy resting on whether Taiwan is quote unquote
reunified, right?
Right.
So the thinking is that in the next decade, we might see China take action on this.
Do I think it's going to happen in the next two to three years?
No.
We've seen people like Milley come out and say that they think China would be ready
to launch their attack by 2027. I don't think that means that they're going to actually launch
that attack in 2027. I think five years, you know, maybe in the next decade likely, I think the
thinking is that they think this is somehow going to happen automatically, that Taiwan will just
sort of acquiesce and stop being what they see as this renegade province. But we know that that is not how Taiwan sees things. And I do
think cyber is going to be a big determinant of what happens here. When you look at just TSMC,
right? They're not going to bomb Taiwan's semiconductor. The thinking there is that
to take it, they would hold it hostage with some
kind of cyber attacks until they would basically hand over the keys. Michael? Look, I don't know
how to, it's hard to predict the future. I guess what I would say is that the thing that concerns
me the most is that we seem to be in increasingly sort of fragile position where any sort of signal or any sort of
miscommunication can set something off and the more and more that, you know, um, uh,
Trump increases the pressure on our foreign adversaries, whether that's through something as simple as tariffs, um, or through his rhetoric.
I just think that you're in
a situation where something is more likely to be misconstrued.
There's a ton of rhetoric, for example, going on right now between the administration and
Canada, right?
Mm-hmm.
Yes.
Trump is saying all these things about Canada that are outside the norms of what politicians
have said about Canada for decades, if not longer.
In that type of situation, you wonder if there is some sort of issue at the border,
or if there is some sort of miscommunication, what will the response be?
Right. Alex, obviously Russia has paved the way for this with Ukraine, although some people say
the situation in Ukraine has been a deterrent for China to move in there, even if they may engage in cyber attacks.
Is that something they're looking at, what's happened in Ukraine, from your perspective?
They're carefully looking at it, and I think there was a significant level of deterrence
based on the consolidated response of the democratic world, imposing costs, Russia failing to achieve its
military objectives that looks like it's eroding,
um, you know, three years on under the Trump
administration.
I think what Xi might be considering here is
two different things.
I think there was a lot of rhetoric about the
decadence and decline of the West, but the
reality is that, you know, the economy in China
was slowing down and maybe there was a closing window of opportunity
where China felt strong enough to take action. That 2027 mark could have been important in that
regard. But things have changed in a significant, look like there might change in a significant way
in that the Trump administration is breaking our alliances and that's not just in Europe with NATO.
Frankly, we're unreliable to our Indo-Pacific allies.
The Japanese and South Koreans are thinking
that they need to be much more working much
more tightly together.
Same thing with Australians.
And in that kind of environment, you know,
watching things unfold over the next several
years, as they build up capabilities,
there's a decision point somewhere in that last year,
whether the window is closing or it's likely to
expand over the course of the subsequent decade or
so. So I don't think we're, you know, in the next
year or two, we're there. I think in the waning days
of the Trump administration, if there's a deal to
be had, that might be an opportunity, a narrow opportunity for the Chinese, or it could be in the aftermath.
So it's, I'd say short to medium term might be okay, but in the medium to long term,
things could get dangerous for Taiwan in particular. And the noise coming out of
the administration,
I'm not sure how many people caught
Albert Colby's testimony.
He's an uber China hawk for undersecretary defense.
He basically said, the game is not about securing
Taiwan, it's about preventing Chinese dominance
in the Indo-Pacific, which is a huge turn for him.
And that, you know, that is an interesting signal, aligning closer
with the Trump administration and not putting all our eggs on securing Taiwan.
Right.
Yeah, that's interesting.
So I want to shift gears then to talk about how Trump and DOGE are affecting
America's ability to defend itself from cyber attacks. The National
Security Agency houses the US cyber command.
And this month, Elon Musk met with the head of NSA for a conversation that was reportedly centered on staff reductions and operations.
DOGE already spearheaded cuts at CISA.
Nicole, talk us through these cuts and any future reductions in staffing affect overall
preparedness even if the leadership of those agencies get it as you said earlier.
Just for people to understand, it's not just cuts at CISA.
There are cybersecurity agencies across the federal government that work on securing specific
agency systems.
And so when their jobs get cut, it further degrades cyber capabilities, although the
White House recently emailed agencies telling them to avoid laying off cybersecurity staffers.
So they seem to have some understanding that it's a problem.
And then Michael, I have a follow-up question for you on this.
But talk about these DOGE cuts, because you wrote me right away when they started going,
oh, no.
Yeah.
I mean, we have a crazy cyber workforce shortage in this country.
Already.
Already.
And where that becomes most critical is on cyber defense inside government. And so I've
spent a lot of effort over the past four years trying to figure out what would it take to get
our best and brightest at some of these private security firms, people who work in security at
Google, Microsoft, et cetera, to do a tour of duty inside government. And it's really difficult,
right? They all have stock, they don't wanna give up,
they don't wanna go work in a bureaucracy,
they're getting paid really well to work at these companies
and they see the most interesting threat data
because in many cases, China comes first for Microsoft
as they did in 2023 or Google.
So it takes a lot to get these people inside government.
And what's really disturbing is to see how viciously
we've been firing them.
We need those people at CISA.
We've never needed them more desperately inside government
in these roles.
And so it's become a real national security threat,
some of these DOGE cuts.
And yes, there have been these sort of memos
and out saying, refrain from cutting cyber people.
Well, it's too late.
You know, these people who've been fired, they're not going to come crawling back.
No, to take these jobs.
They have many other options.
And so that's a big problem.
Now, you know, on some of this reporting that cyber command has been told to stand
down on some of its offensive planning operations around Russia, when I first read
that, to be honest with you,
I almost went and threw up.
You know, this is, like I said,
we are in a mutually assured digital destruction.
We have to keep up the pressure.
We have to keep up what they call active defense
or forward defense, otherwise we're really screwed here.
Now, I have heard in talking to people who are in the know
that actually this isn't what it sounds like,
that actually, you know,
as part of any negotiation with a foreign actor, it is a standard practice to basically stand down
on some of these operations as we are trying to come up with a deal on Ukraine. And so this might
be more standard operating procedure than it is Trump telling the people to basically stand down on any kind of
offensive cyber planning or operations. And let's hope that's all it is.
And let's hope we'll see. We'll be back in a minute.
So, aside from cuts, DOGE itself is gaining access to government databases with extremely sensitive information.
They seem to be violating protocols and regulations while they're doing it.
Michael, talk about that risk that it poses, because this is, I mean, they seem to do one
every day, largely, probably out of ignorance,
who knows what they're taking.
Some of these people have sketchy backgrounds themselves and love a good secret.
You know, I know these types.
Talk a little bit about the worries you have here.
I think it's an interesting political calculation by Trump, and I'm not saying that that much
thought went into it.
But I understand that part of his desire is to, so, and Musk's desire, at least
what they say is to like remake the federal government, but in the process,
it certainly looks like they're destroying parts of it.
And, and maybe in the end that results in better government.
I'm open minded to that.
But in the short term, I think that's a big political risk because it
looks like they're doing it in a haphazard way and it doesn't look like
the Republicans on Capitol Hill have any interest in trying to understand that
or to hold them accountable for that.
Um, and, and that's, I think another thing in the whole thing is that they're
going about it in a way that looks haphazard.
And, um, if, if something were to go wrong,
tying the lines directly back to them
by the media or the Democrats would do,
looks like it would be pretty easy.
So I do think that is a big political risk,
but look, I mean, Trump often proves us wrong.
Yeah, let me just jump in real quick.
Sure, please.
I think actually the security blogger, Brian Krebs,
has done a great job covering some of this. And he's called it the great national hack.
And that is really what it is. I mean, you have to think back to there was a Chinese hack
on the Office of Personnel Management, OPM, right, about 10 years ago. And it was a huge
counterintelligence win for China. They basically got into the system. They could see everyone who
ever applied for a security clearance. And then they've baked in machine learning and AI so that they can
do these pairings. So anytime there is an American person who once applied for a security clearance,
traveling repeatedly to the same place as a Chinese citizen, well, now that Chinese citizen is
put on a list of suspected CIA informants and you start to see how you
could break down our entire intelligence apparatus that way in China and that's what they've
been doing.
And so now what you have is you have DOGE sending in 19 year olds, 21 year olds with
their own little, you know, Rube Goldberg server, plugging it in and basically like doing whatever
they want at these agencies.
There is no way that these people have not been identified and compromised on some level
and that foreign actors and sophisticated nation states are taking advantage of this.
And we have to look at it in that way.
And I'm surprised that there are not people inside this administration who aren't sounding
alarms over this.
It really is a very real security risk.
How many big balls jokes do we have to tell before we realize this guy's a creepy, creepy?
You know he's making copies of everything.
I'm like sitting there like he's, and it's on a hard drive that he hands to his mother
or something.
Anyway, I know, right?
Right.
Now you know how sloppy, one of the great lies of Silicon Valley is how precise they
are.
They're not precise in any way.
They're actually quite sloppy and then they're venal at the same time.
So Alex, I have to ask about Elon's attacks against you.
He has posted, exit, you're a traitor, a puppet, a puppeteer, you've committed treason.
Now I've been attacked by Elon for a long time now and it's pretty vicious.
He said my heart is seething with hate, which it isn't.
But I'd like you to talk about that just briefly.
And as Nicole already mentioned, we're not sure if Pete Hegseth has halted
Pentagon cyber operations against Russia earlier this month,
which was denied by the DOD.
Is that Elon too, or what is happening there?
Sure.
So I think it's a little bit of smoke and mirrors kind of this, this idea
that we're going to halt offensive cyber
operations. It sounds good that you know we're in the midst of sensitive negotiations. That's
actually not necessarily the way it plays out. We are just much more, this is a knee-jerk reaction
from an administration that is filled not with the practitioners that had the first go-around,
that would be a little bit more surgical and methodical, probably be, uh, continue operations and maybe do some sort of reviews, maybe an
extra layer of, um, caution around things that could, that could derail the, um, the
kinds of negotiating students that they're undertaking.
But I think that's an afterthought because there were those blowback on this, on this
idea of halting defense. It just doesn't ring
true. We conduct all sorts of different operations against adversaries. This is one in which there
is constant attacks against our allies, against Datome, and to halt all operations, that's not
the way it works. The other thing is, I don't understand how Elon is a successful businessman.
I just don't.
I don't understand that what he's doing with DOGE is I see it as just completely disruptive.
There's no element of efficiency unless you're just literally working on chipping away at the bottom line to return dollars to the federal budget. Cause it's usually, you know, largely starts with
probationary employees across the board, regardless
of what kind of sensitive the jobs that they're
doing at NNSA or CISA or any other place.
So it is not in any way, bringing around efficiency.
I don't understand taking down the Wilson Center
and Kennan Institute that studies Russia, how
that works, Voice of America, our ability to compete in the
information domain, you know, around the world,
how that's helping.
These are not steps towards efficiency.
This is potentially taking a hatchet to the way
that the U.S.
employs both hard power and soft power.
With regards to me specifically, you know, I
guess I, my wife says I tend to piss people off. Right. So, you know, I don't think I'm at the top
of that list.
You know, you might be more, you could be higher
on that list than I am, Kara.
I don't care.
But if they want to pick this fight,
I've got nothing to hide.
I would make it ugly for them.
I mean, just think about the congressional testimony.
They came at me on my area of expertise that really
in a lot of ways I'm kind of untouchable on.
If they want to pick this fight, it's probably going to get ugly.
So last two quick questions.
The Trump administration is reportedly looking into a deal to let Oracle run TikTok.
Obviously, this is something I thought they would go with because they already were with Oracle and Project Texas.
JD Vance and Mike Waltz are leading Texas Project 2, I guess, what they're trying to
figure out.
But there's virtually no way to ensure the Chinese government doesn't have backdoor access
to American user data on TikTok unless they completely don't bring the algorithm over.
Nicole, you said you'd never download the app in deserved urgency with which it was
treated.
Obviously, Congress voted to ban it. So that's what they wanted to do,
whether you agree with that or not.
I'd love you to talk about, very briefly, about TikTok.
And do you think it's as big a deal?
And what do you imagine is gonna happen to it?
Yeah, it turns out they're China hawks
who happen to love TikTok.
I wish that the White House, and this is across administrations, would declassify
the security risks that they have seen around TikTok. It is not effective to go out there and
say Huawei is a national security threat if you use Huawei when it's so much cheaper than the
competition or to say the same about TikTok when honestly, it's more fun than any of the
other social apps I've used. I finally downloaded it and then I quickly undownloaded it.
On your phone?
On my phone, yeah. I was going into the election. I know, I know.
You need the fake phone like Kara Swisher.
It's not on there anymore.
I told you this five years ago, Nicole.
But let me just say this. I have heard stories, too many stories now, about people who are in sensitive positions
inside government whose wives and kids have been hacked potentially through their access
to TikTok.
Okay?
So it is a very real security risk.
Now, will it be less of a security risk if it is owned and operated by a US company?
Yes, potentially. But what I really worried about with TikTok was more on the misinformation front
that they would tweak the algorithm. So yeah, one day, China invades Taiwan and oh, there are
college protests supporting it and we have no idea how that happened. And there had just been a subtle tweak of the algorithm to basically serve up, you know,
pro PRC content.
But I also worry about the backdoor issue and I don't know, it's a big question mark.
I think a lot about my old college buddy, Mike Gallagher, who headed up the China committee
and is now outside of government.
He's probably crying inside.
Yeah, he, you know, he spent so much effort on TikTok and now to sort of watch people in his own party
say never mind, we're actually okay with this and we're going to save it, probably has to
hurt a little bit.
It does.
I don't know.
I can tell you it does.
I can tell you it does.
Also, that JD Vance, the world's most unsuccessful tech venture capitalist is running
the process really makes me feel good. I'm sure we'll get a great deal. Anyway, last
question. Zero Day raises the question of national security versus civil liberties in
the face of a cyber attack. But what would happen to US civil liberties if there's a
serious cyber attack while Trump is president, all three of you.
I think that if there were to be an attack, that the response of the country as a single
people would be incredibly unpredictable and what Trump would do would be unpredictable.
And it seems like a lot of classical issues in the post 9-11 world, like civil liberties,
sort of got lost in the Trump era. That was a big debate during the war on terror.
Like, you know, what do civil liberties mean and such?
But when Trump, you know, rose to power,
and then even when he was out of power and back,
those classical arguments sort of went by the wayside.
So in the sense of the show, it was a way of raising that issue
and saying, okay, what about the good old question of civil
liberties and what would that mean?
And if there was an attack, would the government seize power?
And I think if we've seen anything based on Trump, Trump is basically willing to do anything
here in the second term and the people who would say no to him are no longer in the room.
Right.
So worse, worse than was already portrayed fictionally.
Nicole?
So, and I apologize because this is a little bit
of a technical answer, but it's as technical as I'll go.
You know, how is China infiltrating our infrastructure?
They are using our civil liberty protections against us.
They've actually hacked a lot of these systems
by hacking home routers and home office routers
that have stopped getting patches and we call that legacy software, right?
And then they hack into these systems through someone's house in Indianapolis so that when
you're the water operator, water treatment plant operator, you see this little traffic coming from
some house down the street in Indianapolis, you don't think twice about it. You would never suspect it's a Chinese state sponsored hacker, right? And so we are
really not set up well to be resilient against these threats because our adversaries have
figured out that our Fourth Amendment protections are actually very exploitable. And so if there
were to be some kind of full-scale conflict
where we would see this everything everywhere,
all at once cyber attack scenario play out,
it's an interesting question.
Like how do we defend ourselves when so much of this
is coming in through American homes where the NSA
and other agencies just don't have this ability?
We really are handcuffed when it comes to cyber defense.
And I don't know how those would play out,
but you know, the fourth amendment
is still the fourth amendment.
And you know, for now it's still holding.
And so that is actually why it is really disturbing
that we are seeing these reports of cyber command
and other agencies being told to stand down on our own pre-operational
planning because all we really have in the United States when we're blind to our own
domestic traffic is the ability to hack these systems back overseas and to basically create
pain for any adversary that would choose to create pain here.
Alex, why don't you finish up?
I think for me, it's pretty simple.
I see autocrats seeing opportunity in crisis and chaos.
So I think that that's just an opportunity for a power grab.
I've started watching Zero Day and basically very quickly you see the legislative branch ceding authorities.
I'm not sure what other authorities can be ceded to this president.
I mean, he already has immunity for all official acts, but I think there's just an
enormous opportunity, depending on where it lands in the timeline, that could mean delayed
elections if it happens to land in 2026. It could mean, you know, if there is chaos and looting,
that's the-
That's actually the perfect time to do a cyber attack,
would be right before the election.
So no ideas, sorry, I shouldn't have said that.
But I think in a moment where you're seeing civil unrest
as a result of, you know, services collapsing,
you could see, you know, martial law and suspension of posse comitatus or
something of that nature. So a lot of dangers in that kind of crisis.
Okay. Well, just watch Zero Day because it gets better and the legislative,
you'll see what they do. You'll see what happens. They've got a little more fire than you think
they do, but not maybe in a good way. We'll see.
You should all watch it.
And everybody, please watch and read all these people.
As I said, Alex's new book is called The Folly of Realism and Nicole's new documentary podcast
is called To Catch a Thief.
I recommend all of them and I really appreciate you all even though the topic is dire.
Thank you.
On with Kara Swisher is produced by Christian
Castro Roussel, Kateri Yocum, Dave Shaw, Megan Burney, Megan Cunane, and Kaylin Lynch. Nishat
Kurwa is Vox Media's executive producer of audio. Special thanks to Maura Fox. Our engineers
are Rick Kwan and Fernando Arruda, and our theme music is by Trackademics. If you're
already following the show, you have reached apex predator status. If not, watch out for your teenager as a security
risk. Go wherever you listen to podcasts, search for On with Kara Swisher and hit follow.
Thanks for listening to On with Kara Swisher from New York Magazine, the Vox Media Podcast
Network and us. We'll be back on Monday with more.