School of War - Ep 178: Mark Montgomery on Cyber War
Episode Date: February 18, 2025
Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at FDD and retired U.S. Navy rear admiral, joins the show to discuss how prepared (or ill-prepared) the U.S. is for cyber warfare.
Times
• 03:24 Introduction
• 04:20 America: A Target Rich Environment
• 05:59 Cyber and mobilization
• 08:35 What actually happens?
• 11:36 Automation
• 16:18 Salt and volt typhoon
• 22:04 Continuity of the economy
• 28:33 Offense
• 35:05 Cyber responses
• 38:43 Public opinion
• 41:43 Defense of the homeland
• 49:30 A new kind of leader
Follow along on Instagram, X @schoolofwarpod, and YouTube @SchoolofWarPodcast
Find a transcript of today’s episode on our School of War Substack
Transcript
A couple of weeks ago, a guest of mine said that while everyone is worried about a cyber
Pearl Harbor, he was worried about, as he put it, a Pearl Harbor, Pearl Harbor. Fair enough.
But we haven't done an overview on School of War about the cyber threat to the homeland yet.
And so today we're fixing that problem with the always thoughtful and fun Mark Montgomery,
who can talk cyber Pearl Harbors, missile Pearl Harbors, and plenty of other things to keep us all up at night.
The invasion of Hawaii.
December 7, 1941, a date which will live in history.
The bloody experience of Vietnam is to end in a state.
We continue to face the great situation in the ground.
We shall fight on the beaches.
We shall fight on the landing ground.
We shall fight in the fields and in the streets.
We shall never surrender.
For more, follow School of War on YouTube, Instagram, Substack, and Twitter,
and feel free to follow me on Twitter at Aaron B. McLean.
Hi, I'm Aaron McLean. Thanks for joining School of War.
Before we get to Mark Montgomery today, I'd like to remind listeners that the deadline to apply
for the Hertog Security Studies Program is approaching fast.
The deadline is Monday, February 24th.
So next week.
This is a fantastic program that I teach in, Hertog Security Studies, and help run for
undergraduates and young professionals. It's in Washington, D.C., and it runs this summer from
June the 15th to July the 11th. It's focused on grand strategy, military and diplomatic history
and policy, and this summer is composed of four separate week-long courses taught by some amazing faculty,
former Congressman Mike Gallagher, Dan Blumenthal, Frank McKenzie, all these folks have been on the show,
Vance Serchuk, who we really need to have on the show, and yours truly. They'll teach about
military history, grand strategy, China policy, Russia policy, the Middle East, and military political
relations. You can apply to do the full four-week program and be a Hertog Grand Strategy
Fellow, or you can apply for individual weeks or just multiple weeks selected amongst the offerings.
Again, this program is for undergraduates and young professionals, so say rising college juniors
through people who are just a handful of years into their career. For successful applicants,
the program is offered at no charge, it really is an incredible opportunity. Check out the details
at hertogfoundation.org. That's H-E-R-T-O-G foundation.org, forward-slash programs,
forward-slash security-studies. I've been teaching in this program for several years now,
and if you fit the qualifications, and you like this show, you're going to get a ton from this
program. I really do recommend it. I am delighted to welcome back to the show today
Mark Montgomery, Senior Fellow at the Foundation for Defense of Democracies, Senior Director of its Center on Cyber and Technology Innovation.
Mark was in the Navy for 32 years. He retired as a rear admiral. He was on the National Security Council early in his career.
He later was the policy director on the Senate Armed Services Committee. He's been on the show before.
He's a wealth of knowledge. Mark, thank you so much for coming back.
Aaron, thank you very much for having me.
You testified before Congress recently on cyber threats to the homeland, and that's where I would like to start today.
And I was thinking about how to best help the audience sort of visualize this, because I think anyone who has half an interest in national security thinks about cyber, hears about cyber, knows it's an issue.
But unless you've actually worked on it, it's a little hard to picture because none of us have really, unless you've been unlucky to, you know, been spearphished or something, none of us
have really lived through state-level cyber action that is part of a broader military campaign.
And so I was going to ask you this. Imagine yourself a Chinese offensive cyber planner slash
commander looking at the United States and considering what you might do on, say, for example,
D-Day of an operation with Taiwan or the lead-up to an operation with Taiwan. What does America look
like to you and what are your objectives?
Well, first, I'd say America looks like a target
rich environment. I mean, it looks like a place where I'm going to have the opportunity to impact
the operational and strategic flow of a crisis between myself as a Chinese planner and the United
States. So target rich environment. What I mean by that, of course, is that our national critical
infrastructures, the things that allow us to mobilize the military, rail systems, aviation systems,
maritime ports, the things allow us to produce economic power, financial services, energy production,
electricity grid, and even the things that provide public health and safety so the American people
feel safe, water, health care, even education, along with energy, you know, fits a car, all of those
are insanely vulnerable to malicious cyber activity, whether it's by China, Russia, or even
criminal actors, but in this case, China particularly.
So one of the things that I thought was really interesting about your testimony was its focus on the way in which cyber attacks could focus, maybe likely will focus on America's warmaking potential in the event of a crisis and how mobilization is kind of an obvious target.
Can you can you say more about that if something terror?
It's not just China.
Obviously, it could be a crisis in the Baltics with Russia, you know, say what you want.
But there's something bad happening in Eurasia and America is going to
respond. What does that actually mean for people who have never worked on mobilization or thought about
mobilization and how does cyber intersect with that issue?
Yeah, thanks. And you know, truthfully,
I think there are people in the military who understood this. I don't believe there are people
outside the military in the national security complex. So at the National Security Council and the
other non-DoD security agencies or even in Congress, the degree to which we are insanely vulnerable to this
Chinese capability and really growing Chinese capability. So what's this mean? In Avey, you know,
when the military is going to move, you know, from its current position in forts and ports
to a fighting position, say in Asia or in Europe, all the supplies, the equipment, and the
personnel flow, they start on a military base. But they very quickly leave that base. And those bases,
by the way, are beautiful. They're beautiful critical infrastructure things. As President Trump would say,
They're big and beautiful and the best ever.
You know, they have two power supplies, although one of them may be a Chinese CATL battery,
so be careful.
They have two telecommunications networks.
They have two water supplies.
But let's say that tank is loaded on a flat car on a train leaving Fort Cavazos, the former Fort Hood,
to go to a civilian airfield to be flown out.
And so it's beautiful, Noah's Ark of cybersecurity as they leave the base.
And then they enter Mad Max Thunderdome.
And that's Norfolk Southern's rail line
as they head to the Columbus Airport.
And, of course, Columbus Airport, the Air Operating Authority there, again,
you know, completely unprotected, you know, run by a civilian airport authority
that doesn't have two wood nickels drive together.
So what's happened is we rely Transcom, U.S. Transportation Command,
and that's the military element that moves weapons.
And then U.S. Maritime Administration, that's the Department of Transportation that supports them.
They rely on 69 civilian strategic airfields that support the military airfields.
They rely on 18 strategic civilian-controlled strategic sea lift ports to support the six military ports.
And they rely on 40,000 miles.
That's one-third of the rail system.
It's called STRACNET, you know, the important ones to us.
All those systems owned and operated by the private sector, but relied on heavily by the Department of Defense
to get to the war so that we can fight and win it.
So let's maybe take those piece by piece.
So what would it actually look like?
Like what would, you can pick your, pick your poison,
railroads, ports, aviation.
What actually happens?
You know, the 101st Airborne Division is going to go to the West Coast
so it can move on in some fashion to Guam.
What happens?
So great question.
And I'll go one step further and say,
sadly the Chinese don't even have to pick their poison.
They can pick all the poisons at
once because it was literally a low bandwidth event. What they're going to do is they're going to
study the systems ahead of time. Good news. Transcom is pretty much unclassified. You know,
my 21-year-old son or brand new ensign in the Navy could pretty much figure out the war plan,
the movement war plan across our country. You and I could sit down here and do it in an afternoon.
It's not hard. It's using existing systems. So you know where to attack if you're China.
Then you do surveillance and reconnaissance of the battlefield, so they go around, look at these systems,
determine what software is running on them.
Invariably, they have.
They don't even have to use zero days.
In other words, never previously used exploits.
They can use existing exploits against systems that aren't properly patched and gain access.
They then gain access to those systems, whether it's the control network for the railroad
to remove the 101st airborne's equipment, or whether it's the control, you know, it's the airport
operating authorities network that allows it to manage air flight control, or maybe you attack the FAA
system just slightly upstream of that so that there's no air traffic control in that region of
Columbus Airport, wherever it is. And then you, if you're the Chinese side point, you don't attack,
you stay silent on these systems, and then you determine what's the best way to permanently place
this network at risk. Most likely it's installing a piece of malicious software malware that can be
and a hook into it so that you can alert it at a later date. Okay, I now want you to take these actions
to either disrupt or damage the network on which you're operating so that it will not function
as an IT network at a later date when the U.S. military is trying to move. So that's a long way of saying
ISR, access, and then installation, and I call it operational preparation of the battlefield,
installation of the malware, and then sit back and wait.
And I guess, you know, the growth or growing potency of the methods by which you would do
this stuff tracks perfectly with the extent to which all these civilian systems that you
describe, maybe some of the military ones too.
I don't know.
I don't want to be too complacent about the military systems, but certainly the civilian
systems have gotten increasingly digitized and like totally dependent on that digitization.
If you, you know, I'm hopeful that just to use kind of a crude analogy that if I took the GPS
device away from the average from any marine infantry officer or if I took, if I took away
from a naval surface warfare officer, they could navigate according to other means, maybe not
as efficiently, maybe not quite as quickly, but they could navigate according to other means.
if you pull the digital rug out from the civilian aviation system or the rail system or whatever,
it just doesn't work, right?
Like, we're done for a while.
So I do not think your point is we've reached this level of automation from which we can't go back to a manual control.
And I think that's generally true.
If you want to be really nervous, I think it's really true in our electrical power grids,
where we've automated the transformer operations to such a degree that getting things in phase,
I mean, as a nuclear engineer in the Navy,
he's a little bit understanding of this.
That is a, if you go manual,
it's a manpower-intensive effort.
And the manpower, that savings was pocketed 20 years ago
when they went automated.
Same with pipelines, rail systems.
The degree to which they've gone automated now,
the linemen that walk the pipelines or the rail lines
that could manually operate it are long gone.
Savings captured,
probably not invested in cybersecurity as they want to automate.
That's why we sit where we are now.
So I think it's going to be very hard.
And if it can be done, it will be significantly slower.
And the one area where I think about this is ports,
where the move to automated cranes and automated gantries
that move the Sea-Land containers around, that's all automated.
For union rules, there tend to still be a lot of stevedores around.
But I believe the pace at which they would go would be in the 10 to 25% of the planned flow.
And so these are significant reductions.
And each coast is different in the union deal they have.
So I'm not even sure one of the coast could do this, but very slowed down to non-existent.
So, yes, we're at risk.
Yeah.
And I mean, in a way, it's almost what you say is reassuring compared to how I was conceiving of it.
Where you're saying that there are systems that can be, you know, there are older fashion ways of doing things that could come online.
It would just slow everything down pretty massively.
I was more thinking about, maybe I'm just conflating things
here, but I was thinking about, you know, even where there still is human intervention.
I'm thinking about an air traffic controller in his, in his, you know, at his seat,
looking at his monitors and everything, or, you know, whoever it is who is supervising the
automated systems for rail traffic, et cetera, they're reliant on information that comes to them,
for the most part, I assume, this is all assumption.
I don't really work in this world, but I assume through digital means.
And if you take that info away, even the humans who are there are now helpless.
You know, they just can't, how do you, how do you control the planes if, I don't know, maybe,
maybe there are like still physical radars that are plugged in by a hard cable to a radar screen,
and so you can still work the air traffic control because actually it's, you're looking at some sort
of direct feed from a real life radar.
I assume, though, that there's all kinds of digital computer stuff.
You can tell I'm an infantry officer, digital computer stuff intervening between the collection
of the radar signal and the human who's looking at it.
And then he has to communicate, which is a whole other layer
of digital systems.
Yeah, I think your assumptions are generally right.
And I would say you picked on one of the ones where there probably may not be a good
work around was air traffic control.
I mean, how I would handle air traffic control if I was, you know, Secretary of Defense
and this started is I would go to the Secretary of Transportation and say, we're going to have
to shut down all non-essential air traffic airflow.
And then the lower flow, I think you could manage it regionally, not have the interconnectivity
between networks and manage it regionally.
My guess is we could eventually get around that, but in a very suboptimal way, which, by the way, begins to tank our economy.
Because while only 5% of our stuff, we like to say 95% of our maritime flow in commerce is rail or ports or inland waterways, or 5% is aviation.
That 5% tends to be pretty important.
So if you know, it's the just in time stuff.
So if that goes away, there's going to be a real problem.
So bottom line is there's no good outcomes in this
if the Chinese are able to disrupt or destroy the critical infrastructure of our military mobility systems,
therefore, we have to wind the tape back and actually figure out how to defend these systems,
or at least make them resilient, so that the takedowns for minutes or maybe even a day, not weeks or a month.
So we have these Chinese operations that we're aware of and have, I guess, to an extent, rolled up,
though I don't know to what extent.
So most recently there was, what, there's Salt Typhoon, which was this essentially, it seems to, from what I read in the press, a surveillance operation where they gained access to, you know, our phones essentially, listen to our calls, read our texts, et cetera.
And then before that, there was Volt Typhoon, which was more infrastructure oriented.
And again, I'm sort of using these terms crudely because I genuinely at some level don't understand.
I don't understand what I'm talking about here.
But what did you learn, Mark, from the details you've
seen of how these operations actually unfolded?
So what I learned was 2024 was a good year for the bad guys, right?
I mean, and look, Volt Typhoon started before 2024.
Salt Typhoon might have as well, but for sure, Volt Typhoon was more of the, of what we
would perceive as operational preparation of the battlefield.
It wasn't about espionage.
It wasn't about intellectual property theft.
It wasn't about denial of service.
It was about inserting malware into infrastructure systems
for use at a later time. That is, by the way, borderline war-making activity by the Chinese.
And I'll give you an example. If in the same infrastructures, they brought 100 satchels of TNT in and
strapped it to each one, and then we found 100 satchels of TNT around port systems, rail, system,
aviation, I think we might, you know, even in the most like ridiculously consensual approaches to China,
there would have been some very direct action, you know, to hold them accountable.
But it's cyber, and I'll just tell you in general in cyber, I've experienced this for seven or eight years now.
Well, we accepted it.
But that was operational preparation of the battlefield.
I love that you brought up Salt Typhoon.
That was espionage, pure and simple espionage.
And it was about penetrated scores of like small telecommunications companies, but really are nine big telecoms and ISP, the Internet service
providers, penetrated them. And within that, it's reported penetrated systems that were involved
with the legal wiretapping and listening that the government does to suspected criminals or spies,
things like that. That's just a big deal. Salt Typhoon, and Salt Typhoon worried me, even as much as
Volt Typhoon, because of who it penetrated. There was a sense among a lot of us mistaken that
the telecommunications industry was on the upper end of the critical infrastructure,
like, you know, akin to banking, you know, financial services, more protected.
I still think financial services more protected, mostly because that's where money is.
And if they weren't protected, thieves would steal the money.
But it turns out telecommunications weren't that way.
And I think it's because telecommunications companies themselves have good cybersecurity
around their corporate networks, but around their core network that runs the comms
and internet service provision of the United States and the world, the operators want
nothing to do with the cybersecurity guys. They're like, we're all about speed, you know,
efficiency, and effectiveness. And your cybersecurity looks to me like it's going to slow one of
those down. So we learned that that core network that our phone, our non-encrypted communications
were on. So if you don't use an encrypted communication system before learning about Salt Typhoon,
shame on you. But if you don't after, you know, that's a big deal. I mean, you're putting
yourself at risk and your company.
Yeah. And I wasn't really able to tell from what I read about
Salt Typhoon and maybe you don't know, maybe you know, but you won't be able to say. But it wasn't
clear to me the penetration into the systems, whether that meant that they could see and maybe even
monitor what we were collecting through wiretaps, which is obviously bad. That's pretty bad
right there because from a counterintelligence perspective, right there they see everyone we're
surveilling. That's no good. But it wasn't entirely clear to me if that then further meant that
they could tap whoever they wanted. That was sort of the implication of some of the reporting.
I think the first part of your story, which is bad enough, you know, that they could see what
we were doing legally. I think that's probably true. I don't know about the second part. I'm not in a
position to assess that. Yeah. I'm not happy.
it's just the first part. Yeah, yeah. It's still, I mean, presumably through those legal means,
we are conducting counter espionage, counterintelligence operations that would be of interest to the
Chinese. Pretty bad. I would hope that information is well encrypted and protected within that,
and all they saw were ones and zeros and not useful information. There, I'm not able to shed any light,
but I worry about this. I worry that in cyber, when I hear about something, my
mind goes to a worst case, which is what all like general officer, flag officers, minds do,
whatever they hear a story.
Historically, when I was in the Navy, the worst case didn't happen.
In cyber, it almost always has happened.
It's like, oh, no, no, your first report, I mean, I had a boss that was like, I don't hear,
believe any reports like at the fifth report.
And the fifth report of these is usually pretty bad compared to the first report.
So, yes, I think this is a really bad incident.
It strikes me that in terms of the policy response and the American public's investment in this,
that we're all just sort of suffering from the fact that nobody nobody can really picture at scale
what this would look like in America.
I mean, if you're looking into it professionally and you're sort of obsessed with it, you can,
but the man on the street has no experience of this.
And America has really had no experience of this at scale.
Like we obviously, you know, crooks shut down hospitals and ransom them back their records.
And if you've personally been involved in that kind of thing, and I know some people who have
been, yes, that left a mark on you.
But as a country, we just don't really have an awareness of how bad
things could get. And we haven't even really, we've, I've been driving the train kind of in the,
as it were, the counterforce applications of cyber and how like they could really directly mess
with American military movements. We haven't really talked about the other kinds of targets
that are available to the Chinese. You have you, there's a at the end of your testimony,
you're talking about solutions. I'm kind of skipping ahead here, but you have a line in there
where you call for a return to continuity of the economy planning, which is a very sort of anodyne
phrase. If you actually think for a second about what you're referring to there, it's pretty
terrifying.
I agree. And so look, first, I'm glad you mentioned that there's more than just the
China and nation state thing. There is this constant criminal. I would say, you know, 85 or 90 percent
of the malicious cyber actions that are successful in the United States every day are criminal
actions taken by criminal actors. Another percentage is criminal actions taken by four nation states,
you know, because I'll just say in general, North Korea is a cyber criminal gang, masquerading
as a nation state. And I think the general belief is 50% of the Western capital that they can
use to work their nuclear power, their nuclear weapon programs and ballistic missile programs.
50% of that cash comes from illicit cyber activity. So that's a, they are no kidding, a cyber
criminal state. And then the last little 5% is that kind of operational preparation of the battlefield
by China. So there's a lot of criminal activity going there. And I want to pick up on one
thing you mentioned, like you mentioned the healthcare ones and the ransomware. You know, we are now
able to pin morbidity rates, you know, the likelihood, there are higher deaths happening because
of ransomware. Like when a hospital has a ransomware incident, particularly like a rural one or a
underserved community one, when they have this incident of ransomware, they're down for a week
or so for the ransomware and then two or three weeks for recovery. People die and not just the obvious one,
the dude in ambulance who now has to go 50 minutes instead of 30 minutes and sorry, Charles.
Charlie, you are, you know, you died. But also like old Uncle Fred, you know, his stomach hurts.
The local hospital shut down. It's not 30 minutes. It's now 60 minutes. He decides to go to bed
and doesn't wake up in the morning, right? So there are these morbidity rates and there's even
higher morbidity rates in the hospitals themselves where we look at it, studied afterwards,
and one or two people that were on the respirators passed away more after every respirator.
So I just say, when people say, well, there's no deaths in here, there are already deaths in here.
I like to kind of capture that, and I'm glad you mentioned it.
So there is that.
You also mentioned economy, and I, you know, it's myself and Samantha Ravich,
one of the commissioners from the Solarium Commission,
and Tom Fanning, another commissioner, chairman of Southern Company.
The three of us have been really pushing this issue hard
because it's about your ability to recover.
We are going to get beat on occasion.
And the mark of a resilient national critical infrastructure,
is that after the enemy hits you and you go down to a knee, you rapidly get back up and operate.
And we have such a durable economy that if we can get the networks back up, we'll continue to crank money,
we'll continue to have that power that we have through all that economic power that even outweighs our military power and our ability to influence world events.
We've got to get everything back up and running rapidly.
The critical exchanges, the SWIFT system, all those tools we have.
You've got to get them back operating.
And to do that, you need continuity of economy.
That means you have to have a plan.
And the plan should not say FEMA's going to figure this out.
FEMA figures out continuity of survivability.
Like they make sure after Katrina hits or after the wildfires in California that people can get food, water, and a tarp, right, or housing somewhere.
God love them.
You know, I want us, the government to have that capability.
I do not want FEMA solving my cybersecurity problem.
I want something else doing it.
And so we've been arguing, we passed a law.
The Biden administration really punted on this, three and a half years of studying it.
And they finally said, you know, we think we're okay.
That was the, no one had that on their bingo card.
You know, we think we're okay, right?
The question of how you fix it is complex.
But it's like alcohol, first you got to admit you have a problem.
And the Biden administration wouldn't admit they had this problem.
I think now with the Trump administration, I'm hoping they acknowledge we have a problem.
and then we go tackle it with good continuity of economy planning.
Some of the people I think are going in the administration and they'll be able to do that.
Yeah, I mean, it's one of these spaces where there's a real intersection.
It's kind of hard to draw the line between, again, thinking of it from the point of view of a Chinese offensive actor,
like your counterforce options and your counter value options, like an attack on American banking in a way
is very straightforward sort of counter value targeting.
You're going after the civilian population.
You're going after American society more than you are military targets.
Sort of on the other hand if it's happening simultaneously to a mobilization effort well you know private
so-and-so you know you know petty officer so-and-so is showing up to his base to the point meanwhile
his wife is calling him or her husband is calling her and saying I can't buy groceries I can't
I can't get any cash out of the machine I can't access our bank accounts my actually I did access my bank
account it says we don't have any money says there's zero dollars in our account you know and
that's happening at scale across the nation and the military
The military has to use money to pay bills.
Like the U.S. military runs on money.
So, you know, it's not as crisp.
And I'll go one further and say, an actual element of power of the United States is our control of these financial services systems.
And, you know, a number of the major commodity exchanges run out of the United States.
We use that to have.
Swift runs, you know, largely out of here.
Our banks control, we as a government, through our banking system, really can influence and pressure other
countries to either stop taking actions or start taking actions in support of wherever we're fighting
or have a crisis. So it's really, it is really important. And it is frustrating for me. It is a bipartisan
issue. There are people on both sides who've got it right, who've got it wrong. But we really missed an
opportunity the last three and a half years. When you have a congressional law that says,
we direct you to go on a bipartisan level, we direct you to study this. And it comes back,
and no one thinks nothing's wrong, but it was hard. And I would say gently
that sometimes administrations pass on hard assignments.
We've been talking almost exclusively so far about essentially defense and the need for it,
and you have some specific recommendations that we can get into those as well,
about how we need to go about improving our defenses.
But can we talk about offense for a second?
I mean, part of part of this is not just deterrence by denial, as it were, but deterrence by punishment.
They can tie sacks of cyber TNT around our critical stuff.
Well, we can tie sacks of TNT around their critical stuff, too.
make life harder for the PLA or life harder for the CCP elite or, you know,
however we want to, however we want to structure it.
How confident are you that that kind of thinking is proceeding healthfully on our side of the ocean?
Not yet.
So I'm not comfortable.
I was glad to see National Security Advisor Waltz back when it was representative Waltz say,
as I look at this China problem, I think we need to be more offensive.
But what that really means is challenging.
So when I think about being more offensive,
there's two or three ways.
First of all, when I think about deterrence,
I understand the deterrence by denial,
which means I'm going to prevent you from causing pain to me.
I'm going to drive up the cost of you causing pain to me,
and hopefully you'll stop.
That seldom is enough, right?
It's not enough in the Red Sea when we're dealing with the Houthis
to just shoot down all their missiles.
We actually need to, at some point,
go strike Iran for providing those missiles.
Separate issue.
But that gets at the second part of deterrence.
Deterrence by cost imposition
or punishment. And that's the idea of if you do something I told you not to do, I will punish
you, hold you accountable, and I'll continue to do that on an escalatory basis until you stop.
And when you put those two deterrents together, I mean, that's like chocolate and peanut butter.
I got myself a Reese's cup of deterrence. I want those two things. And in cyberspace, that's what you
need. There's other types of deterrence called like entanglement and norms. And I generally think
they're bullshit when you apply them to authoritarian regimes, you know, to work with them. And I'll say in
cyberspace, they have not been effective. So let's keep ourselves to denial and punishment.
Denial, you and I have just talked about for 26 minutes. How do we defend ourselves? How do we get
this better? Why, you know, make these real systems, do continuity and the counterpoint, got it.
Punishment is holding them accountable. And I have to tell you that whatever the line is for
the use of force in cyberspace, it's pretty damn high and it moves around according to adversary actions.
In other words, whatever they do, you're like, yeah, that's okay. So in the, in the, the,
case of North Korea taking down Sony. So clearly, North Korea said, if you release that movie,
The Interview, a very enjoyable movie, I'd watch it. We're going to do something. They released the
movie. Sony got hammered, right? And I think caused, you know, between damage to systems and damage
to ability to release things, you know, $100 million with the damage. The response from us was,
like, four to five months later, after barely identifying North Korea as the culprit, we indicted three
North Korean military officers who I think very shortly after got their medals from Kim Jong-un,
and you can imagine the extradition is not coming any moment now from being. So that's not
punishment. Sometimes punishment cannot be, you know, this kind of punishment can't be
legal law enforcement or even sanctions. Sometimes punishment needs to be, I'm going to impose
damage on your cyber systems that were used to hit me. And I think that's what Waltz was talking about.
that, hey, it's about time for us to go out and using our kinetic tools. And of course,
our office operator is like, oh, geez, Mark, what are you saying that? You're going to compromise
a tool. You're going to compromise an access we have. And my answer is, well, then you better
have a lot more freaking tools and accesses if you don't want me to ever use them, right? You know what I mean?
I need, maybe by tools as a cyber tool to impose cost, you know, damage a network, damage
a system. And an access is the penetration point that I got in through it. So I think what
Waltz is saying we've got to be more aggressive in doing this and use our tools or our
accesses to hold the bad guy accountable. And I give you one last thought. Senator King, the chairman of
the Cyberspace Solarium Commission, would say, final step, brag on it. Say, hey guys, that was us.
Those sons of bitches did this. We did that. Next guy up gets a little more. You know,
come, you know, if you want some more, come to us. You know, that's how you handle. That's how I think
you do deterrence by cost imposition. You don't have to do that with missiles. It kind of says like
Tomahawk made in the USA's and impacts, right? Whereas, you know, with this other stuff,
you know, with cyber, I think we actually need to brag on it. So to me, that's what offense looks
like. I'm not sure I'm familiar with any moment in our history where we've done that. I mean,
I know things that have happened in Iran and to the Iranian axis where the Israelis play a
leading role. Maybe we had some role in some of this stuff. You know, I'm trying to remember the big
centrifuge attack in our role in that.
And any, go ahead.
Stuxnet.
And, you know, we still are like allegedly, you know what I mean?
So I didn't leave it allegedly.
So you're right.
We don't.
We do not take credit's the wrong word.
We do not take responsibility and accountability.
And that's what it is.
Hey, something bad happened to you.
I released a weapon on you of some form or another,
just like a kinetic weapon.
I'm responsible for it.
I'm accountable for it.
And I'll escalate on that if I need to.
And I think it's absolutely fine for us to do this.
But we treat it like,
Did you know you just release polio into the wild?
I'm like, no, that's not what I did.
I used a cyber tool to hold someone accountable.
Well, let me ask you like a really big picture policy question that this discussion suggests
because the implication of what you've been saying for the last couple of minutes is
we are too hesitant to respond with cyber means to cyber aggression.
And it seems in some cases like the attack on Sony that there has to be some sort of
proportionate economic target that we could have hit through cyber means that would have
been fair and potentially increased a deterrence for the future, which seems very common-sensical
to me. I don't think you'll, in this listenership, I don't think you'll get a lot of pushback.
But, you know, the more lethal the attack, the more, I think, complicated it gets. And I'm curious
to know your thoughts on what our doctrine ought to be and whether or not we should be communicating
this doctrine to our adversaries in terms of what we're willing to do. For example, in an attack
that is purely cyber in nature, in its mechanism, but causes some deaths.
I mean, you were talking about hospital wait times earlier, you know, an attack on our,
you know, whatever, a state level attack on our hospital system that then causes patients
to die.
Maybe not in massive, let's make it ambiguous.
It's not massive numbers of deaths, and it's a little hard to point out, like,
draw the direct lines of connection between the attack and the deaths, but there were definitely
deaths.
There were definitely people who died because of this state's attack.
What do we, you know, where does the line between cyber response and kinetic response actually get drawn here?
What your point right now, which is well taken is, well, right now, it's totally, there's, there's hardly any cyber response.
So what are we even talking about here?
But in a healthy world with a healthy doctrine, like how would you think about as we go up the ladder of escalation here where the lines are where we would actually consider even non-cyber responses to cyber attacks?
This is the exact discussion we need to have.
On the Solarium Commission, we had it internally with the right people.
We had like four congressmen, four deputy secretary-level people inside the government,
and six or eight of us that were other professionals.
And we had this discussion, and it's a fruitful discussion.
My concern is that it gets lost out when you get into the NSC world.
So the answer to your question is we should establish, we should have,
I hate to use the word red lines, but we should have a threat,
a level of damage that you caused us that we're going to respond. And we should do it every time
so that over time you go, well, I better not go to that level. I'm going to keep it below that.
And then maybe we move the level down a little bit and then we drive you down. You know,
right now, for what I can tell, it just slightly goes up. You do something. We say,
well, there's a new level. We don't respond, which effectively puts the marker above that
level. And your response, we are pretty good about saying, if you strike us in cyberspace,
we reserve the right to strike back in cyberspace or use a kinetic tool. I'm okay with that.
The response so far has been neither, and I will tell you, it's unlikely that if a nuclear-armed adversary uses a cyber tool to cause damage in our country, we're going to be like, well, here comes seven Tomahawks.
You know, because I just think that could get real very fast, right?
I mean, you know, as Will Ferrell would say, that got out of control.
That's right.
That got out of hand, quickly.
Yeah.
So I think, though, we need to respond more aggressively.
I mean, Senator King had this crazy idea.
I got to tell you, I used to, not make fun of it, but say, sir, that's not going to happen.
He's like, we'll build an electrical power grid in Saipan, invite them to watch us attack it
so they can see what we can do.
I'm past that point.
I think he is, too.
We're not building some electrical grid somewhere so we get that.
We're going to attack you on your systems that came at us.
And if you continue to hit our critical infrastructure systems, we'll hit your critical
infrastructure systems in cyberspace.
And believe me, even though I have a lot of problems with our cyber force generation,
and I think that we don't have the cyber forces we need,
we can still kick a little ass in cyberspace.
And so do not get in an escalatory cyber contest with the U.S. Cyber Command.
It would be good advice to any foreign country.
So we should be, but the advice has to be followed up.
You know, deterrence only works if you have a capability
and the adversary believes you're willing to use it.
I think step two of that is, you know, is evaporated.
Yeah.
just not to be too obvious, but just to reinforce what you're saying about the need to have
this conversation now.
I mean, it seems to me we need to have this policy or doctrinal clarity now and communicate
it now because otherwise what's likely to happen is there will be some sort of crisis
and there will be some sort of offensive cyber action.
Let's say it's a blockade scenario in Taiwan and there's some sort of attack on some part
of the American power grid that's somehow connected to that.
And a plane crashes, an American plane crashes somehow as a consequence.
And it comes out that that was a direct consequence somehow of the cyber attack.
I could see public opinion turning on a dime rapidly because that's what happens in America.
In America, everyone wants to stay out of foreign troubles.
Everyone wants to stay out of foreign entanglements.
Their war, not our war, et cetera, et cetera, et cetera.
And all of a sudden, Americans start dying and the world feels like it's falling apart.
And Americans get real hawkish real quick.
And what do we do then?
And you know what, you know, as you're quoting Ron Burgundy, like how quickly do things escalate?
Alternatively, we could know exactly what we're going to do then.
And we could even tell them ahead of time what we're going to do that in general terms in an effort to stave it off.
And it has to be believed, which means you actually have to do it during the, I don't want to say phase zero, phase one, because that's kind of out of style right now in the motor.
But in the time before the actual war, in that crisis build up in that constant competition, you've got to use
your cyber tools in a way that demonstrates to the adversary that you will be willing to use
them in wartime so that you limit that. And believe me, by the way, if there's any of these,
I do want to say we did something called Targeting Taiwan, a paper, here about six months ago. Craig
Singleton and I, Craig, our China director, and then Ben Jensen from over at the CSIS. And what it was
was a study of how China will use cyber enabled economic warfare to grab Taiwan and not have to
invade, not have to do two conferences, I think, because they're constantly raising the pressure
on Taiwan, you know, just turning that rheostat a little bit more across all the different
finance, energy, comms with cyberattacks. And it's just below the level of the United States giving
a damn. So it even applies when you push it forward onto an ally or partner. And, you know,
eventually you break societal resilience in Taiwan before you've, they've had to be. They've
had to attack. It's not inconceivable. So we have to work to figure out how to do this in all
the countries whose infrastructure is critical to us for our own economic growth, a place like
Taiwan or economic success, but also a place like Japan or Korea where we rely on the infrastructure
to fight through. And so we have this problem both domestically and there. And there is, I think
our adversaries have, if you don't think we'll do anything about us, then you definitely
We don't think we'd do anything about Taiwan or Japan and cyberspace.
So we've got to change the dynamic on that.
And part of that's taking action now in time short of war.
I want to shift gears for our last few minutes here and ask you about missile defense
and the president's executive order on an Iron Dome for America and that whole network of issues.
We had Tom Karako from CSIS on the show recently, right, right after the order came out,
just to kind of walk through what it involved.
And it was a really interesting conversation.
And you were also expert on missile defense issues. And Karako made a point, I sort of chuckled at it, you know, people,
people talk about a cyber Pearl Harbor, this Pearl Harbor, or that Pearl Harbor, and he,
Tom, is worried about a Pearl Harbor, Pearl Harbor. That is to say, the possibility of a strike
and that the missile defense conversation needs to happen with an eye firmly on conventional missile
threats, the kinds that we see used regularly in the Middle East now, being deployed against American
assets and potentially the American homeland, whether in places like Hawaii, the West Coast,
maybe even the East Coast. You just don't know. And I just, I wanted to get your take on
investing a lot of money in enhancing missile defense in the continental United States, but,
but obviously you've been beating the drum about places like Guam for some time. So just,
it's a very broad question. Let me just solicit your broad thoughts and we can go from there.
Thanks. So Tom's a good friend. I agree with, I listened to him on your show, I agree with what he
said. I would say, I actually think that this is an integrated thing.
is defense of the homeland. And we have, for the last since 9-11, kind of conceptually defense
of the homeland as a physical counterterrorism or terrorist strike. And we should still worry about
that. And having an open or loose border definitely contributes to you worrying more about it.
But the real, to me, the growth industry for adversaries has been in cyber and missile offense.
And we've talked about cyber itself. I say, missile offense. I like, I don't, the terminology
the Iron Dome, and I know Tom talked to this,
this is not about a thousand or
500 Israeli
counter-mortar and rocket systems
being put around our country. The president was
talking to a philosophical thought of
how do I keep things out.
One of the interesting things is, Iron Dome
is the system, I've studied
all, pretty much everybody's
cruise and ballistic missile defense systems over the years.
It's one of the few systems that very
aggressively doesn't target missile
of things. In other words, it allows lots
of rocket and mortars from Hamas and
as well, to land, because it assesses them as not striking anything too important, which is really
important when your enemy has tons of things and you don't have many. We're going to have to feel
the same way about our Iron Dome. There is not an Iron Dome to defend all of America right now
against a cruise missile attack or a hypersonic missile attack. And what I'll say about that is today,
I'm sitting here, you know, in DuPont Circle. I'm protected from a cruise missile attack.
I'm part of the point 0.001% of America that's protected.
It's between basically Capitol Hill and the Pentagon.
It's protected from cruise missile attack by NASAMS, which is an air defense system that's
at old RFK and Carter Rock defending this area post-9/11.
The other 99.99% of America are not defended from cruise missiles.
Hypersonic missiles nowhere's defended because we have not developed hypersonic defense.
And our adversaries are building hypersonic defense like drunken sailors.
We're the third drunken sailor with the Chinese and Russians.
And we're trying to catch up. And we will. Our hypersonic offense, we're spending $4 to $5 billion a
year. We'll catch them. Our hypersonic defense, we have consistently spent $200 to $400 a year. So 5% to 10%
on defense that we do on offense. No one's winning the Super Bowl, spending 5% to 10%
on defense. And no one's going to win the missile defense game spending 5% to 10%.
All right. So we're not defended against that. So when I see this executive order, I'm like,
Fantastic. First things, understand what you need to defend in America against cruise missile attack.
It's not, and unfortunately, it's not much. It's not your home. It's not my home in Arlington.
It's not my, you know, parents place up in New Hampshire. It's going to be countervalue targets around the United States that have to be protected.
And then against hypersonics, you've got to build a system. You've got to get out there and invest to get your hypersonic defense going.
So there's small programs, relatively speaking, defense budget that could be done there. So first of all, the president should take
the early wins on this. Systems where they're cost-effective and you can do it. A third thing I would
do, and this is the coolest thing, it isn't in the iron. It's not in his, but it's in Senator Sullivan's
Iron Dome Act, which has strengths and weaknesses. But one of the strengths is it refers to dirigibles.
I'm a big fan of dirigibles. So a dirigible, you put it between like 20 and 60,000 feet.
I put a traditional air defense radar in there like the THAAD's radar, you know, the TPY-2. These are
military radars we use right now for defense. But now they're up at 20,000 feet.
That makes them what are term known as kick-ass radars.
They can see thousands of miles and provide, or you know, a thousand miles and see,
and they can provide what's called a firing quality track solution to missile defense systems
all over that thousand miles underneath them and allow consummated intercepts.
So with one, two, three, four of these radars up, blimps up around America, you can provide
lots of protection.
You can certainly detect a Chinese balloon drifting, but you, for sure, you'll get this kind of
picture out there. Of course, you're going to need your good ally Canada who you're not
terrifying to death, you know, to support you in this. And by the way, as we were
terrifying Canada, I want to mention that Canadian F-18s were protecting America that night.
You know, just a little thought for the president on occasion. And the final thing is space.
And, you know, I'm not talking about brilliant pebbles and Reagan, but Reagan's guys were on to
something. If I want to intercept a missile up in ballistic defense missile right now from ground,
I got to strap like three rockets, booster rockets, to the rocket to get it up.
And all these missiles cost between $20 million each.
But if I had weapons in space, it is actually less expensive over time
because I'm basically using God's great gift of gravity to drive down that weapon,
you know, from several hundred thousand feet up to hit the target.
So dirigible, getting cruise missile defense systems where you need them,
and starting to think about space as a pay.
It's a place you fight in and through with non-nuclear weapons, right?
Nuclear weapons would be illegal by the Space Treaty.
If we make those three investments as part of Iron Dome, we're going to be cost-effectively.
We're going to be cost-effectively more secure and survivable in a missile defense environment.
You know, one thought that occurs to me both as a consequence of our cyber conversation
and of your riff on missile defense right there is that I have a great deal of sympathy
for American leaders who have to think about what war is going to be like for them,
you know, in 2025 or the years to come.
And I mean something specific by that.
Let me attempt to articulate it.
I'm kind of making this up as I go.
So feel free to tell me that you don't follow because it's the first time I've said something
like this.
But some time ago, generations past, an American president or secretary of defense or key advisors
who were thinking about war and making strategic decisions, say in World War II, say in Vietnam,
their decisions were at a very high level and operated on very long timelines.
Like, we're going to defeat the Nazis before the Japanese, and we are going to stand up 90 divisions
and not 70 and not 150.
And, you know, I'm going to sign off on this invasion plan for this broad timeline.
You know, and these long time horizon, big muscle movement decisions would be made in Washington
in consultation with allies and everything else.
And then as you got closer and closer to the battlefield,
the time cycle tightened and there were highly stressful, highly kinetic,
not the strategic stuff is not stressful, but you take my point.
Tactical stuff happening in tactical places,
places like the beaches of France or whatever or the, you know, dengue.
And then in the Cold War, you get this question of a nuclear exchange.
And so we have this concept that actually the president is going to be like kind of a tactical commander
in this doomsday scenario.
but the doomsday scenario is so awful that actually everyone's plan A is we're never actually
going to do it.
Like we're prepared to put the commander in chief in that position and have him fight a nuclear war,
but like nobody actually wants to do it because it's insane.
And now sitting here in 2025, what seems clear to me, and, you know, one, any future major
power war seems highly unlikely to me to spare the homeland.
So one, there's instantly a homeland kinetic dimension, or at least a loss of life dimension,
into all of this. Two, the strategic level stuff will move so quickly and be so integrated into
the tactical level stuff that Washington becomes like it's going to have to operate with real
strategic balance and know-how on a very fast timeline and the senior most decision makers to include
the civilians, to include the president, are going to have to be military commanders.
Does that make sense? Does that sound? I just made that up. So tell me if it sounds disconnected
from reality to you.
I do want to say right up front, I'm not for the president being a military commander,
but I do.
I take your point broadly, which is to say the attack on the homeland is inevitable in this.
It's just, and I also say, I think our adversaries think our public is weak so that it even invites
it in a way, you know what I mean?
Like it would, they would have to make a proactive decision not to attack our homeland.
I believe it's in the war plans for them.
And we're vulnerable in physical, cyber, and missile defense ways.
You know, we're definitely vulnerable in all three.
And I love your discussion at strategic level.
You know, we've dealt with this before.
In the Cold War, we actually would have fought the Russians with the joint staff as the
combatant commander, not EUCOM.
It was not publicly discussed that much, but that was who was the actual commander.
And that makes sense.
It was Washington.
But what it wasn't was the White House.
What's different now is, you know, the kind of like LBJ reviewing, you know, the strike
plan for the Vietnam War.
The dinner table.
You're going to have that, but with so many other decisions, there's going to be this overwhelming
nature.
And then the proliferation of social media.
I mean, my son's on a ship right now out at sea off of Japan.
He's calling me from his ship on a cell phone.
He didn't quite get time zones.
It's like 3:30 in the morning.
But, you know, it's insane to me that we're at that point now where you literally have that
kind of connectivity.
Why does that matter?
The feedback loop into the American public and the American government system.
you know, General Field Marshal Montgomery, General Patton, General Eisenhower would have never
survived their two, three, four years in command in Europe with social media generating crappy
stories about it, right? You know what I mean? You can just imagine the feedback loops there that
would have just been unbelievable. So from my perspective, so much has changed. I don't know that
we're ready for what you're talking about. And you're absolutely right. The president is truly
commander-in-chief in a way. This isn't about saluting the Marine at, you know, Marine One. This is like,
no kidding, we are making, you know, operational decisions at this, you know, at the speed of data,
every two, three, 10, 15 minutes to execute this war. I've always felt that the PACOM commander
in a war, the INDOPACOM commander in Hawaii, actually would spend 100 percent of his or her time, the
four-star, facing Washington, talking to Washington, and the war would have to be executed
by other people. You know, he'd have to give his commander's intent and then just never look
because he would have 100% data pull, pulling him into D.C. So very good insights by you.
I agree with all of them. And I do worry slightly, though, because I don't think we elect our
presidents based on their ability to make tactical, not tactical, but operational war fighting
decisions at the speed of data. Yeah. Yeah. Yeah.
It's, you know, on some level, what I'm trying to do with the show here is I do think that
there's the president as a special and critical case, but just amongst the public more broadly,
not an appreciation for how important understanding more might be to all of us in the years ahead.
I hope it's yours in that months.
Mark Montgomery, it's always a pleasure.
Please come back anytime.
Great conversation.
Thank you for having me, Aaron.
It's been a real pleasure.
