Dmitri Alperovitch
Co-Founder, CrowdStrike

Inside Cyber Minds S2E1 — Dmitri Alperovitch: Cyber War & Global Security

🎥 Jun 10, 2026 📺 LufSec Cyber Security ⏱ 52m 👁 341 views
The Season 2 premiere of Inside Cyber Minds features a conversation with Dmitri Alperovitch — co-founder and former CTO of CrowdStrike, co-founder and chairman of Silverado Policy Accelerator, founder of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins SAIS, and author of World on the Brink: How America Can Beat China in the Race for the 21st Century. In this episode, Dmitri goes beyond traditional cybersecurity conversations to explore how cyber conflict now fits into a much larger global picture: nation-state competition, geopolitical power, deterrence, intelligence, Chi...

About Dmitri Alperovitch

Dmitri Alperovitch has been active in public discussions about U.S.-China competition, artificial intelligence, and cybersecurity. In a June 2026 episode of his podcast "Inside Cyber Minds," he argued that selling advanced chips to China is "akin to selling rockets to the Soviet Union to win the moon race," stating that it makes "zero sense" to give China any advantage. He also said that the "1-10-60 rule" for cyber defense — detecting an attack in one minute, investigating in ten, and responding in an hour — has become obsolete with AI, and that more investment in automation and AI-centric security is needed. In a May 2026 TEDx talk, Alperovitch described the current U.S.-China dynamic as a "new Cold War" and said he believes a future conflict with China over Taiwan is possible, calling Taiwan an "unsinkable aircraft carrier" that keeps China "bottled up." He also referenced a Chinese hacking group, Volt Typhoon, which he said has been infiltrating U.S. critical infrastructure and waiting for further instructions. In April 2026, Alperovitch testified before the U.S. House Select Committee on China, stating that "the single most important input to winning" the AI race is compute power, not talent, data, or cash. He recommended holding the line on export controls, closing loopholes, and establishing "know your customer" rules for cloud companies to prevent Chinese models from being trained on chips outside China. In multiple podcast appearances, he described the AI race as a "zero sum game" and said that every chip sent to China is a chip that does not go to U.S. hyperscalers. He also expressed concern about the state of the U.S. military industrial base, calling it "pathetic" and noting that munition stockpiles have been "hugely depleted" due to conflicts in Ukraine and Iran.

Source: AI-verified profile updated from Dmitri Alperovitch's recent appearances.

Transcript (43 segments)
✨ AI-enhanced transcript with speaker attribution
Dmitri Alperovitch 0:00
And selling chips to China is akin to selling rockets to the Soviet Union to win the moon race. Like why would you ever do that? Even if it's second best rockets, even if it's not the very best, why would you give them any advantage? It makes zero sense. And it's not like we have to sell these chips because these poor companies like Nvidia would go out of business if they weren't selling to China, right? Nvidia, one of the world's most valuable companies, printing money.
Host 0:27
Welcome back to Inside Cyber Minds, the podcast where we explore the people, ideas, and decisions shaping the future of cyber security. Today's guest is Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, co-founder and chairman at Silverado Policy Accelerator, founder of the Alperovitch Institute for Cyber Security Studies at Johns Hopkins SAIS, host of Geopolitics, and author of World on the Brink: How America Can Beat China in the Race for the 21st Century. Dmitri has spent his career at the intersection of cyber, intelligence, and geopolitics, from Operations Aurora and Shady RAT to building one of the most consequential security companies of the last decade, to now helping shape how the US thinks about its long competition with China. So in this conversation we go beyond the headlines and talk about how cyber became inseparable from statecraft, what the war in Ukraine actually taught us about cyber, why Taiwan and semiconductors are at the center of the next decade, and what future security leaders need to understand about a world where geopolitics, AI, and industrial policy are all converging. Dmitri, welcome to Inside Cyber Minds.
Dmitri Alperovitch 1:54
It's great to be with you. Thanks for having me.
Host 1:57
Awesome. All right. So the format of the program is always the same. I talk about the past and then the present and move to the future. So let's start way back. What do you remember most vividly about leaving Moscow in the mid-90s and starting over in North America?
Dmitri Alperovitch 2:17
Well, I grew up there in the 1980s and obviously the Soviet Union was in the process of atrophying and eventually falling apart. But it was actually a pretty sheltered and calm childhood. I didn't have a computer growing up. I only got one when my dad, who was a nuclear physicist, was able to spend some time in the US working on nuclear reactor safety issues post-Chernobyl for about a year, and he brought a computer back with him. But I had actually learned how to program and was interested in computers long before I put my hands on one, because my dad, having an applied mathematics and physics background, was literally developing simulators for nuclear power plants and coding. So he taught me how to code on a piece of paper, which is a great way to actually learn algorithms. These days it's so easy to just type something up in an editor and hit compile and see if it works, or you can just ask AI to do it. But in those days you had to trace through the algorithm on a piece of paper, and it gives you a great way to think through the problem. I think it actually helped me quite a bit down the road once I actually got computers and started coding myself, having that background and not just defaulting to 'let me run it and see if it works.'
Host 3:52
No, that's awesome. And you started an encryption-related business while you were still young, right? So what did building something that early teach you that formal education could not?
Dmitri Alperovitch 4:07
Yeah. So once we immigrated to the US and I was in high school, my dad got really interested in the then-emerging field of public key cryptography, particularly elliptic curve cryptography, which was just coming on the scene in the mid-90s. And we started a company together, which was a great way to get an introduction to business while still in high school. It was a software business that had a consumer component and a licensing component. I was kind of the business brain behind it. My dad was doing a lot of the algorithmic coding, and I was doing a lot of the consumer application development using the encryption libraries we were developing, and doing sales. It was a great experience because you learn it's all about sales. It doesn't matter how good your technology is unless you can market it and sell it. That's what's really important. It also got me interested in what was then called information security, not even cybersecurity, that emerging field. And the appreciation I got from the encryption experience was that encryption was important, but it wasn't going to solve the problem because the main weakness of encryption software, of course, was keys. Even if you're using public key cryptography, you still have a private key that needs to be protected. If someone steals it, it's game over, no matter how good your algorithms are. And there was something very appealing to me about the cat and mouse game of intrusion detection, of stopping hackers, knowing that you were never done. It felt a lot like chess, which I really love to play. So that's how I got the bug in this industry.
Host 6:05
That's really interesting. And you earned one of the earliest graduate degrees in information security at Georgia Tech, right? You were the first graduate there. What did the field feel like when it was still immature and not a mainstream discipline yet?
Dmitri Alperovitch 6:25
Yeah. So it was interesting because they had just started that degree. In fact, that's the main reason I went to graduate school at the same place where I got my bachelor's degree in computer science, Georgia Tech, because they were starting this degree. I thought, 'Might as well give it a try.' I wanted to get a master's degree and I was already passionate about cyber for a long time, so I wanted to go deep into it. And because it was a completely new program, the curriculum was a little up in the air. They had some courses, some cryptography courses, database security, a bunch of other stuff, but they didn't have the curriculum really settled yet. So I went to the head of the program and said, 'Hey, do you mind if I take all these other courses I was interested in that actually had nothing to do with cybersecurity? Like international affairs courses. This was the post-9/11 world, and geopolitics was front and center. I wanted to take counterterrorism courses, nonproliferation courses, missile defense, other things.' And he was very gracious. He said, 'Yeah, whatever you want. Just create your own curriculum, come to me, and we'll review it and make it work.' So I was able to pursue my passion in geopolitics as well as in cyber, which I thought was just a fun thing to do in college that would never be applicable to me in the real world. And then lo and behold, about a decade later, less than a decade later, the two worlds collided.
Host 7:55
Well, when you were leading threat research at McAfee, when did it become impossible to ignore that nation-state activity was becoming a defining security story?
Dmitri Alperovitch 8:11
Yeah. So the event that really changed my life in many ways, and I think changed the industry as well, was what I eventually named Operation Aurora, which was a hack into Google and a number of other victims. I ended up leading that investigation for McAfee and naming that operation. It was the first time that you had an appreciation that nation states were major actors in this domain and that they were going after private companies. No one before that was really deep into it. One of the things that was really interesting to witness, which came back later many times over, was the skepticism of the community. I remember how some actors like Eugene Kaspersky and others were like, 'This is not nation state. This is too simple to be nation state.' Unless you're at a Stuxnet level of zero days and infiltration to OT systems, they were like, 'This can't possibly be nation state. It's just a botnet.' A lot of industry people at the time were making those claims, saying there's nothing novel here. They didn't really appreciate that you're now dealing with a fundamentally different actor. The then-emerging word 'APT' was basically a way to talk about China without saying China. But the interesting part of that acronym was the word 'persistent,' not the 'advanced' part that everyone focused on. You had an actor that was going to keep coming at you again and again because there's something they really want inside your network. No criminal ever acted that way because for criminals, time is money. You're looking for where you can get the best ROI. If this target is too hard, you just move on and hit someone else because you don't care where you steal money or credit cards. That was very different from nation states, and it presented a huge challenge for most companies. So I did Aurora, and then I had this natural question: was that really interesting and fascinating, but is it a one-off? 
At McAfee, we had a lot of data, a lot of customers, and a lot of incident response engagements. As I started digging into it, I realized this was happening all over the place. That's when I started publishing reports like Night Dragon, Shady RAT, and others. It became very clear to me that this was not only not a one-off, it was happening everywhere, and most companies weren't even aware of it. In particular, when I did Shady RAT, I had an opportunity to get access to a Chinese C2 command and control server that they left unguarded. On that server, there were logs of every single victim they had hit from that server. What was shocking was the breadth of the campaign. That was just one campaign and one server, and it went back to 2006, a six-year campaign from that one server. It hit virtually every industry: not just technology, defense, and governments, but manufacturing, agriculture, insurance, chemical, everything you can think of. That's when I sat back, looking at Shady RAT and everything else I had seen over the course of about a year and a half. In the Shady RAT report, I even said, 'There are two types of companies: those that know they've been hacked and those that don't yet know.' It's a phrase that's now been often repeated by many others, but I was actually the first to coin it. And I said that what has taken place is the greatest transfer of wealth in history. A lot of people took both of these as hyperbole. Again, I was attacked, and Eugene Kaspersky and others came out and said I was overhyping it, that this was not nation-state activity, just botnets, and it couldn't possibly be that bad. I think over time I was proven right. Actually, that investigation was APT1. Years later, Mandiant put out a great report that did the attribution of APT1 to a PLA unit in China. My report was actually the first one highlighting the extensive activities they were engaged in.
Host 12:59
Yeah, that's really cool. And when you co-founded CrowdStrike, what was the original bet about how the security industry needed to change?
Dmitri Alperovitch 13:11
So the first appreciation was that we were going through a paradigm shift where not only do you have to deal with cybercrime and hacktivists—Anonymous was emerging at the time doing hack-and-leak campaigns—but you also had these very persistent actors hitting almost everyone, and most companies weren't even aware of it. When I was doing these reports at McAfee, part of the process was visiting all the McAfee customers, particularly those impacted, and briefing them on these operations. In so many cases, I got the response, 'Thank you, Dmitri, for telling us, but it would have been great to learn about this five years ago when we first got hit. We didn't even know. At best, maybe years or months into it, we discovered a piece of malware in a system, cleaned it up, and thought we were done, when in reality the adversary had credentials, had deployed other malware, and was continuing to remain in our network exfiltrating data non-stop.' We even had the tagline at CrowdStrike in the early days: 'You don't have a malware problem; you have an adversary problem.' That's how you should be thinking about it. Before that, it was like, 'Oh, I found a problem on this machine. Let me clean it up, even wipe the machine. I'm done.' No, you had an intrusion. You just found one artifact. It's like a robber drops a knife in the house, you take the knife, throw it away, and think you're safe. Problem solved. But the robber may still be in the house. They may have cloned the keys, gotten into the safe. You have to do the full investigation. What happened? You just found one artifact. So that was the appreciation that this was a massive problem, and the existing companies, which I was part of at McAfee, really weren't prepared for this paradigm shift. They weren't thinking about it that way. I even tried to shift the company, to convince our team that we needed to do things differently, but it was too hard. The classic innovator's dilemma. 
The other thing emerging at the time was the cloud. AWS had started a few years earlier and was still very nascent. There was an appreciation that if you're building an endpoint solution, you could do it very differently. You don't have to have all this heavyweight processing and analytics on the endpoint; you can offload to the cloud, use the cloud to do correlation, use machine learning—before it was called AI—to identify threats. I had done an early version of that at a prior company that started around email security. I was working there out of college. Jay Chaudhry was actually the founder of that company, who is now famously the founder of Zscaler. That was a remarkable experience, getting started in cyber right out of college. I remember interviewing with Jay, the CEO, and he had this email security company. Email security at the time was really about encryption and policies for email. This was early 2000s. Spam was just beginning to emerge as a little bit of a nuisance in email, nothing like what it is today, and that was before phishing and all the other threats that came through email-borne vectors. I was being hired because of my encryption background, and that's what the company was focused on. I was going to be the first member of the research team. I asked Jay about his vision and roadmap for the future of the company, and he said, 'Well, we're going to spend a couple of quarters solving the spam problem. I know that's a detour from encryption, but we can get back to it. Don't worry. Once we solve spam, we'll get back to it.' So, 15 years later, spam is not solved, despite all my best efforts and many others in the industry. Needless to say, my job on day one was to solve spam. We never got back to encryption. Over the course of that year, spam went from being about 5% of all email traffic to 95%. Very quickly, there was an incredible innovation cycle with the criminals. 
They realized they could make a lot of money, first peddling Viagra pills and other things, then moving up to direct criminal activity with phishing, account takeovers, and scams. What was interesting was how quickly they responded to anything we were doing. The spam solution for the company was a dictionary: if you see 'Viagra' and 'payment' or whatever keywords in the email, it's malicious, with some simple scoring infrastructure to block it. Very quickly, that went out the window because the attackers started substituting words. Instead of an 'a' in Viagra, they put a '1', and suddenly your dictionary attack doesn't work. They started using images instead of words, so you couldn't process them. Then you started blocking the machines they were sending from, so they started buying botnets. That's when botnets started emerging. Before that, botnets were really a plaything: 'I have a worm on the internet, let me see how many machines I can control,' but not doing anything useful with it, maybe some denial of service. But right at that moment, spammers realized they needed lots of machines to send their emails, and they needed to take over these machines and work with criminals who would take them over. So there was this incredible iteration cycle taking place non-stop. You do something, and immediately the enemy does something. That gave me an incredible learning basis, which I later used at McAfee and other places: you're never done. You think you invented this really cool defensive technique, but the adversary always has a move to play, just like in chess, and they're going to find a way around your technique. That was the number one thing. It didn't happen on the same cycle with malware. It was really interesting when I got to McAfee, which had acquired my company, to get together with the researchers there, malware researchers who had been doing this since the 1980s. 
For them, malware research and detection was all about writing signatures and distributing them efficiently. It never even occurred to them that eventually adversaries would automatically generate malware, use polymorphism to adapt it, break your signatures, and do a variety of other things that would make the whole model completely obsolete. I knew from my email days that signatures and dictionaries are basically the same thing, and that's never going to work. But I had the privilege of learning that in a month because of how quickly the spammers evolved, whereas the attackers in the malware space literally took decades to adapt. There was a lot of complacency in the industry. So that background was really helpful. One of the things we developed back in those days for the email product was an online reputation system. We would take certain fingerprints from the email—hashes, so no private content would be captured—and send them to the cloud. It wasn't yet called the cloud; it was just servers in the sky, in a data center. We would correlate this information and do a lot of early machine learning to identify threats proactively, even when they were unknown. I realized by the time we were starting CrowdStrike that you could use the same model for not just email but for all sorts of threats, including threats on the endpoint. So you had this confluence of a threat environment that was changing, a new capability emerging in the cloud that allowed you to do it differently and at scale, and the improvements in machine learning technology that enabled the success of CrowdStrike. We came at the right time.
Host 22:34
Thanks. Those were great stories to hear and remember. Now let's talk about today. Silverado, right? What is it solving that a traditional think tank or media outlet or even venture-backed company usually cannot?
Dmitri Alperovitch 22:53
Yeah. So going back to my Aurora days, I said it changed my life. I learned very quickly something that a lot of people in the national security establishment took many years—and some to this day have not learned—which is that China is an enemy. It's an adversary, and we're in a new Cold War. Cyber was the canary in the coal mine that gave you insights into adversary activity and their intentions because they were using it very freely in a way they would not use physical capabilities. It was cheap, deniable, a way to project asymmetric power to come and hurt us here from halfway around the world. Even if they're caught, even if you attribute them, they'll just claim it never happened, as the Chinese do routinely, and others. So as a result, starting with Aurora and continuing throughout my career, I got very involved in national security, doing a lot of work in Washington with the intelligence community and the Department of Defense. I got really frustrated that the national security community was not appreciating the broader threat of China, not just the cyber aspect. I coined another phrase during that time: 'We don't actually have a cyber problem. We have a China, Russia, Iran, and North Korea problem.' Because if you trace where most of these attacks are coming from—not all, but the vast majority—it's from those four places, either from the nation states themselves or the criminal groups they harbor and provide safe haven to, particularly ransomware crews in Russia. We had to deal with a geopolitical problem, and the top geopolitical problem was really China. So when I decided to retire from CrowdStrike after we took the company public, I decided to focus my efforts on that issue, trying to move policy along. We call Silverado a policy accelerator, not a think tank, because we want to engage on practical solutions with government on how to confront the China challenge, not just in the cyber domain. 
We do a little bit of cyber, actually not as much as you would expect, but we do a lot on defense policy, military industrial base reform. We do a lot on semiconductors. We got early on chips before the CHIPS Act and a lot of other folks got interested. We got super early on critical minerals, which no one was paying attention to, and now that's one of the hottest issues in the last year. We do a lot of work on energy, which is still not something many people are focused on, but it's really crucial, especially the transition to new energy sources, particularly in the nuclear area with fusion and SMRs coming online. And then cyber. In each of those areas, it's all about how do we beat China, how do we curtail their progress and accelerate ours. Whether it's legislative work or work with the administration, we do it on a bipartisan basis, but how do we move the ball forward? We don't do a lot of reports. We publish some data, do great analysis of trade data and other things, and we have a lot of experts on the team, but it's all in the service of action.
In service of specific policy recommendations that we're trying to get the government to adopt that are coming from a very independent voice. We're not representing industry. We're not representing any foreign entities. This is what we believe we need to win this new Cold War. And that's why I wrote the book as well, World on the Brink, because I wanted to highlight to the public what I've seen over the course of my career and what threat China truly represents and that we are not just talking about an economic threat or cyber threat, that this is now a march towards conflict. I believe with China intent on taking Taiwan, I believe during Xi's term in power and the man is in his 70s, the next term from 2027 to 2032 might be his last. He'll be 79 in 2032. So who knows if he can get another term. Who knows how his health will be doing at that point. And we're in a very dangerous time. And I now have also the grim distinction in the last four years of being three for three on major conflict predictions. So back in December of 2021, I came out publicly and said that Russia was going to invade Ukraine about 3 months before it took place. Unfortunately, I was proven right there. In January of last year, made a prediction that there would be a war between Israel and Iran, which of course took place in June of last year. And then earlier this year, I had said that I believe that the United States would launch an attack against Iran once again. So, I'm hoping I'm going to be wrong on my fourth one, the China Taiwan prediction. And partly what the impetus for writing the book was also to try to identify solutions for how to avoid it because it is not predetermined. It's not inevitable. It's not imminent. We have time, not a lot of time, but we have years to try to deter this action. And I believe that's the most important thing that we can do. 
Everything that I've done up to this point in my life in cyber and elsewhere in tech, that was great, but this is the most important thing I can think of doing at this stage of my life right now.
Host 28:31
I agree. And thanks for sharing about your book. You also have a podcast too, right? What kind of feedback do you hear from policymakers, operators or executives after they engage with your book or your podcast?
Dmitri Alperovitch 28:47
It's great. We had an unprompted number of senators, Congress people that have talked very positively about the book. I hadn't even given them the book, but they had read the book and loved it and provided commentary in the media. The Hill, a newspaper here in the US, publishes kind of end-of-year best books recommended by members of Congress and I made that list twice, which was a great honor and unprompted, these people read the book and said why they liked it. The podcast I started right at the start of the Ukraine invasion because I was really disappointed with the level of analysis in the media about it and I was deeply engaged with people on the ground there with military analysts here in the US. So I wanted to have an in-depth analysis as these battles were progressing for one hour. At the time we were doing it every week: here's what's happening, here's the limitations of the Russian plan, here's what's working for Ukraine, here's what's not working for Ukraine. And it became very popular. I remember one time we had initially it was on Twitter Spaces where we would release it and I literally had senators dialing in and listening in, not to talk, just to listen in to what we were discussing. And then it later became a podcast. But the principle is I want an hour-long conversation with a deep expert on the topic that I find interesting and hopefully others will too. But it will go into the depth that no one in the media is covering and I was doing it because I wanted to know. So it was to really satisfy my own curiosity more than anything else and turns out a lot of other people were interested in this as well. So, just recently we had a podcast with a retired naval admiral of what it would take to reopen the Strait of Hormuz militarily. Seems like a relevant topic. I cannot find anyone in the media talking about it. They talk about the importance of the Strait of Hormuz theoretically, that the US Navy might open it, but what would it actually take? 
How many destroyers? How many minesweepers? What threats they would encounter? How would you counter those threats? Hadn't seen anyone talk about it. So, I was very interested in what would be the plan. And we did a deep dive on that and the problems with that plan and what you could do, what you couldn't do. A lot of people found that sort of thing interesting. I don't have a regular cadence for the podcast which is probably annoying to people. I always get the question of when is the next one. I'm like, when there's something really deeply to analyze and discuss that hasn't yet been done. I don't want to be releasing podcasts for podcast's sake. I want to do something impactful every time I do it. So that's the model for it.
Host 31:41
Thanks. What kind of a blind spot do you think CEOs still have today about great power competition?
Dmitri Alperovitch 31:51
Well, most still have a head in the sand attitude. I remember I was meeting with, I go to the Munich Security Conference a lot. I've been going there for 15 years plus. And it's this coterie of defense officials, prime ministers in a very small hotel in Munich and it's great because everyone's there. You get these very in-depth conversations happening on the sidelines of the conference. But I was meeting with a major company executive, a Fortune 500 type company, and my book was not yet out but people had already heard it was coming out and this person wanted to meet with me to get my take on China. This company is doing a lot of business in China and I basically told him there's a very good chance we might be in a war with China in the next decade. And he just looked at me like I had two heads, like what are you even talking about? I'm like, I hope it doesn't happen, but here are all the reasons that I think we're going down that path. And he was literally in shock. So it's still amazing to me that so many people are not thinking about this. So many people have a head in the sand attitude towards so many of these black swan events that they think because this has never happened before or because this happening is such a disaster, it will never happen. I was literally just doing a book talk at a group event last week and gave all of my rationale for why we're heading down this path. And one person said a war would be such a disaster for China, would be such a disaster for the United States. It can never happen. It will not happen. And I'm like, well, people said that exact same thing about Russia, Ukraine. They said that exact same thing about Iran closing the Strait. In fact, they're saying this even today. So it's interesting, a little bit of a sidetrack, but as we're recording this, the Strait of Hormuz is still closed and yet oil is trading just a little bit above 100 bucks a barrel. And we have had an unprecedented shut-in in production. 
Historically unprecedented, over a billion barrels of supply disruption since the start of this war. And ongoing, and yet oil is not even at an all-time high. And I was reading this bank report yesterday, a research report on why are oil prices and oil futures not reflecting the reality of this incredible supply destruction. And literally in the report they're saying, well, if this Strait continues to be closed by early summer, it will be a global catastrophe, an economic catastrophe. Therefore, it will reopen before that time. The thinking is because this is so important to the markets, it can't possibly continue. Well, geopolitics doesn't run on that. Geopolitics doesn't control what markets want to do.
Host 35:08
So, talking about Taiwan, what do you think the next decade around Taiwan hinges on most? Like military readiness, economic resilience, political synergy, or something else? What do you think about that?
Dmitri Alperovitch 35:23
Well, look, Xi Jinping is not shy. We're recording this right as Donald Trump is meeting with him in their summit in Beijing and he's just lectured our president on the fact that the United States should be very careful on the Taiwan issue, that this is the one issue that can derail the US-China relationship. And he's not shy about the fact that he wants unification with Taiwan and he wants it relatively soon. He has talked about how this problem can be passed on to future generations. So we're on this collision course where every leader of China since Mao has talked about Taiwan but it was a problem for far off into the future. One day there might be unification of some kind. We're willing to wait. Xi Jinping is doing anything but waiting. You see this in cyber. You have this Volt Typhoon campaign that is fundamentally different from every intrusion campaign we had seen from China up to this point, which is not targeting espionage, not targeting IP theft. They're breaking into organizations and networks that have nothing valuable to steal. Port facilities, water utilities, electric utilities, pipelines, those types of infrastructure where they sit, they maintain persistence so that they can destroy that network in the event of conflict or in the lead-up to the conflict to give them an advantage. They're preparing the battlefield in cyber for this conflict. They're doing a lot obviously on the military buildup. They're doing a lot on pressuring Taiwan. You're just seeing a lot of activity that is taking place that is accelerating and people continue to ignore it unfortunately. I mean this is why I wrote the book, to try to wake people up that this threat is real. No one believed me on Ukraine. I was ridiculed for that as well predicting that war. Most people, someone just sent me a bunch of op-eds literally from a week and a half before the war began saying Russia will never invade Ukraine in major publications. 
I remember at the Munich Security Conference the weekend before the war began arguing with a senior German official that this war is coming within days and he's like this is nonsense. So people just can't wrap their minds around these things for whatever reason and I'm getting the same exact reaction this time around to China-Taiwan. And I feel a little bit like Cassandra on so many of these things: Chinese espionage, nation-state threats in cyber, Ukraine, Israel and Iran, and now this.
Host 38:06
Yeah, I see it's a shame. Now what kind of a role do you think AI will play in strategic advantage between states over the next decade?
Dmitri Alperovitch 38:18
Look, I think AI is going to be transformational. I got to say I was surprised by the advancements in AI in recent years and I think being involved in the machine learning space for so long, I did not see a step function change that we saw with transformers being invented by Google in 2017 and then the idea that throwing more compute at the problem will produce these remarkable results. And now I'm a total believer and I think it'll be transformational to everything, every business, every part of our economy, and of course our military and the way future battlefields are fought. So it's really vital, perhaps more vital than almost anything else, that the United States wins the AI race and has a durable advantage in AI lead. And we have all the opportunities for winning it because the thing that really matters to AI is not talent. There's plenty of talent in China. There's plenty of talent in the United States. It's not data because anyone can train these models and crawl the entire internet. And we've learned actually that generalized models trained on much more compute outperform specialized ones that train on proprietary data. So it's not a data advantage. And it's not a money advantage. Plenty of money in China, plenty of money in the United States. The only advantage is in compute, is in chips. And we're lucky, unbelievably lucky, that all the chips used to train AI models and to run them for inference are designed by American companies. It's Nvidia, it's the big hyperscalers. They're designing their own chips. And pretty soon the AI companies themselves. And China is far behind and they have not been able to manufacture those chips because TSMC right now is pretty much the only manufacturer along with Samsung a little bit that's manufacturing those chips in Taiwan, a little bit in South Korea, moving to the United States as well in Arizona. 
And China has not been able to do anything below 7 nanometers and even at 7 nanometers their yield on those chips is very low. So we are designing those chips with allies. We're producing those chips. And right now the key debate literally as we speak and as the presidents are meeting in Beijing is whether we're going to sell them more chips. And to me, I just testified in the US House on this a few weeks ago and I said we're in the AI race today. Undisputable. Everyone acknowledges it. The last time we were in a great power race was the space race. We were trying to get to the moon before the Soviets did in the 1960s. And selling chips to China is akin to selling rockets to the Soviet Union to win the moon race. Why would you ever do that? Even if it's second-best rockets, even if it's not the very best, why would you give them any advantage? It makes zero sense. And it's not like we have to sell these chips because these poor companies like Nvidia would go out of business if they weren't selling to China. Nvidia, one of the world's most valuable companies, is printing money. And the American AI companies are literally saying we don't have enough compute. Anthropic is begging for compute. OpenAI is begging for compute. Every single chip that is being produced that does not go to them is harmful to US interests. So not only are you enabling your enemy, you're also harming your own industry. And by the way, third thing is how does China use those chips? You look at their models, whether it's Kimi, Qwen, DeepSeek, they are not far behind US models. Why is it? Because they're doing amazing at pre-training? No. In fact, most of them don't do much pre-training at all. What they do is they focus a lot on post-training where they do distillation attacks, which is basically theft. You're sending tons of queries to US models, getting responses, and then training your model on those responses. And you need a lot of chips to do that, but you also need to steal. 
So we're literally selling them chips so that they can do more stealing from US AI companies. It is mind-boggling that this is even a debate. And I'm certainly doing everything I can to try to put a stop to it.
Host 43:02
Interesting. There was an article recently about Anthropic showing that there were a lot of requests coming out from China stealing the information, etc. Yeah. Now that you said that, I'm glad you said that. So I'll ask you this. What kind of a signal would tell you that the United States is finally taking the China challenge seriously enough?
Dmitri Alperovitch 43:28
When we stop pursuing this idea that we can change China, that more trade with China is good. Their objective, they're not shy about it. You don't have to read the tea leaves. Just read what they say. Their objective is to kick Western businesses out as they've done in so many sectors now, take IP, learn from it, build competitive companies that first kick us out of the Chinese market and then take the rest of the world by storm. They've done it now in electric vehicles. They've done it in batteries. They've done it in solar panels, in telecom with Huawei. And they want to do it with AI. And they want to do it with so many other industries. Rare earths is another example of an early version of this. And yet again and again, people will tell you this time will be different. This technology is very different or that technology is very different. They'll never be able to do it. Every single time those people have been wrong. So I don't think it's a very good bet to listen to them. And we need to end this idea that we're going to be pro-engagement. We need to do exactly what China is trying to do to us, which is to decouple from supply chains in China and invest in indigenous and allied production so we're not dependent on them and try to curtail their progress as much as possible. This is literally what they're doing to us and quite successfully. And somehow it's controversial to say that we should use the same playbook. It's worked for them, but somehow for us it would never work.
Host 45:03
True. Yeah. Now for the CISOs, what will future CISOs and security leaders need to understand about geopolitics that earlier generations could afford to ignore but not today?
Dmitri Alperovitch 45:19
Well, I think cyber right now is getting disrupted by AI. So let's talk a little bit about that. We're living right now in this Mithras moment. A lot of attention on Mithras. Mithras is a good model. It's not a step function change from where existing models are. In fact, a lot of the vulnerabilities that Mithras finds, some folks have been able to use harnesses to do very similar work with older models. So things have already changed. Most people have not yet appreciated it. Automated attacks are on the rise powered by AI. I think they'll be the majority of all attacks in the very near future. The majority of all intrusions. And that means that the model we use, we're going through this second paradigm shift. With the first one, it was moving from criminals to nation-states. You're dealing with persistent actors that don't go away. You need to think very differently about how you're going to secure your enterprise. Now you're going through another shift where you're moving towards automated attacks. In the previous generation, I coined this 1-10-60 rule that I popularized, which was that if you're really fast at detecting an attack in 1 minute, investigating in 10 minutes, and responding to it in an hour, you would be able to thwart most attackers because most attackers are not that fast. Well, that rule just went out the window with AI. There's no way that you can be faster than AI as a human. So we're going to need to invest more in automation, more in AI-centric security as well. CISOs are going to need to learn how to relinquish control. In so many cases, even initially when people buy a CrowdStrike sensor, they don't want to put prevention on because they don't trust it. Something may go wrong and sometimes it does. Recently I said the company had an incident. You don't have that luxury anymore. You're going to put your faith in the prevention of these solutions and sometimes they'll screw up. It's inevitable. 
And you have to make the risk-based decision of whether it's better that once in a while you take the hit on them screwing up or is it better that you get completely ripped off by these attackers, you get ransomed, shut down, etc. And that is the trade-off. It sucks. It's not a great trade-off. And people are resistant to change and resistant to thinking that way. But anyone that doesn't adopt this model is going to get run over by this bus that's coming.
Host 48:04
Thanks again. And we're getting very close to the end, so it's time for our fire questions. Very quick, honest. Don't overthink. Ready?
Dmitri Alperovitch 48:13
Yep. Let's do it.
Host 48:15
Coffee, tea, or energy drink?
Dmitri Alperovitch 48:16
Tea.
Host 48:21
What's the most underrated security tool right now?
Dmitri Alperovitch 48:26
I would say password manager. Literally, it's fun to go out on this book tour and talk to people that know nothing about cyber and most of the talk is about geopolitics, Taiwan, Ukraine, all these things. But occasionally people are like, 'Well, you're a cyber guy, what should I be doing?' My first answer is go get a password manager. It's not sufficient, but it stops like 90% of the threat because password reuse, weak passwords, all of that stuff just gets eliminated with a password manager. And it's shocking how few people use password managers.
Host 49:01
Yeah. One word to describe the security community.
Dmitri Alperovitch 49:07
Camaraderie.
Host 49:10
Awesome. And who's your dream keynote speaker to hear live? Could be dead or alive.
Dmitri Alperovitch 49:22
I've heard so many. I don't have a name for you off the top of my head, but someone who will open up my eyes to new worlds, new ways of thinking. That's who I usually want to hear from.
Host 49:45
Fair enough. And if you had to bet on one country, technology, or decision that will most shape the next decade of cyber statecraft, what's your pick?
Dmitri Alperovitch 49:58
The United States. I was about to say the United States. Despite all our weaknesses, which there are, we have lots of problems. No question. It's a little bit of a situation of a Gulliver in the land of Lilliputians that everyone is so much worse off than we are. And even if you look at our competition with China, which is a formidable enemy for sure, they have so many weaknesses. If I were to dispatch an observer, looking to pick a side that's most likely to win, there's no question I would bet on America. No question at all. Now, we can totally screw it up and take every single one of those advantages and we're fully capable of wasting them. But you look at the scorecard: who has more strengths, who has more allies, who has the best technology, who has the best military, the greatest economy. No question, we've got all those advantages. Unlike them, but we don't have strategic thinking. We're horribly divided. We only focus on problems when they become a crisis that's right in front of our face. So we do have some problems to overcome.
Host 51:19
Nice. Dmitri, anything else you'd like to share before we wrap up?
Dmitri Alperovitch 51:23
Well, just check out my book, World on the Brink. It's about my career. It's about China, Taiwan obviously at the center of it all. How I got to understand that issue and become very passionate about this where I'm now spending a lot of time in Taiwan. There's a lot on Russia, Ukraine and I spent a lot of time there as well in Ukraine. So people will find it really interesting. Available on Amazon and other places. And check out the podcast, Geopolitics Decanted. Thanks so much.
Host 51:49
Thank you so much for joining me on Inside Cyber Minds. I really enjoyed this conversation, especially your perspective on cyber statecraft, the China challenge, and what strategic competition really looks like in the decade ahead. And to everyone listening, thank you for tuning in. If you enjoy this episode, make sure you subscribe, make sure you share with someone in the network, and check the links in the description to learn more about Dmitri and his work. Until next time, keep learning, keep building, and stay sharp. Thanks so much.