Ahana Datta Fasel began as an ethical hacker for the British government before becoming cyber chief at the Financial Times, where nation-state actors targeting journalists became a daily reality. Her PhD on the political economy of digital espionage produced Full Stack Spies: Cyber Espionage in the Age of US-China Competition, which argues that cyber operations function as a mirror of the states behind them — their psychology, risk tolerances, and strategic ambitions made visible. She discusses with Chris how China has compensated for limited tradecraft sophistication with persistent scale and a dispersed ecosystem of front companies over three decades; what a leaked Chengdu hacker group chat reveals about the ego rivalries and financial anxieties driving operational decisions; what Operation Triangulation suggests about American reliance on private contractors; and why the defining fault line of this era isn't between peace and war, but between peace and "not war."
Learn more about Ahana on her website: https://ahanadattafasel.com/
Order Full Stack Spies: https://www.hurstpublishers.com/profile/ahana-datta-fasel/
Secrets and Spies is produced by Films & Podcasts LTD: https://filmsandpodcasts.co.uk/
Music by Andrew R. Bird
Secrets and Spies sits at the intersection of intelligence, covert action, real-world espionage, and broader geopolitics in a way that is digestible but serious. Hosted by filmmaker Chris Carr and writer Matt Fulton, each episode examines the very topics that real intelligence officers and analysts consider on a daily basis through the lens of global events and geopolitics, featuring expert insights from former spies, authors, and journalists.
[00:00:00] Lock your doors, close the blinds, change your passwords. This is Secrets and Spies. Secrets and Spies is a podcast that dives into the world of espionage, terrorism, geopolitics, and intrigue. This podcast is produced and hosted by Chris Carr.
[00:00:29] On today's podcast, we're diving into the world of hacking and cyber espionage. I'm joined by Ahana Datta Fasel, who was once an ethical hacker, then cyber chief at the Financial Times, and now author of the book Full Stack Spies, which we discuss today. If you're enjoying this podcast, please consider becoming a Patreon subscriber. Go to patreon.com forward slash secrets and spies and you'll get access to ad free versions of this show.
[00:00:54] If Patreon's not for you, that's absolutely fine. You can also buy us a coffee at buymeacoffee.com. Please also leave a review on Apple Podcasts, Amazon Music, Spotify, and if you're on YouTube, don't forget you can leave a comment below this show. Thank you for watching. Thank you for listening. Take care. The opinions expressed by guests on Secrets and Spies do not necessarily represent those of the producers and sponsors of this podcast.
[00:01:27] Ahana, welcome to Secrets and Spies. Good to have you on. How are you doing? Oh, I'm doing very well. Thank you so much for having me. It's great to be here. My pleasure. For listeners unfamiliar with you and your work, please could you just tell us a little bit about yourself and what led you to writing Full Stack Spies?
[00:01:41] Yeah, sure. So I started my professional life as an ethical hacker. So my job was to sort of go around various departments in the UK government and poke holes in their technology stacks to see that if I could do it,
[00:01:57] then surely hackers that were not of the ethical kind could as well. And that led me to various different roles in the UK government and then eventually to being the head of cyber security for the Financial Times.
[00:02:14] And it was there that I got kind of a front seat experience of state actors and nation state level threats. And that gave me the idea that it felt that every state has its own way of intimidating journalists in cyberspace.
[00:02:45] Mm hmm. It was essentially about the political economy of digital espionage. What are the power structures through which espionage online is enabled?
[00:02:57] And how does this business, insofar as it is a business, how does it run? So I adapted that to the US-China context to look a little bit more deeply into how the Chinese ecosystem of hackers and the state, how that works, and how instrumental that is in the strategic competition that's playing out now.
[00:03:22] Brilliant. Thank you very much. So what does the phrase full stack spies actually mean? And what made you realise that this was sort of fundamentally a different form of geopolitical competition to what we'd seen before?
[00:03:34] The term full stack would be familiar to anyone listening who has a bit of a techie background. What it means is the entire technological layering from hardware all the way to software and to the apps that we interact with on our phones.
[00:03:59] But I wanted to take that concept of the full stack and extend it into a more wide ranging metaphor for this sort of character of geopolitical competition.
[00:04:11] And so it became this encompassing term, this metaphor for competition across the military domain and competition across the economic domain and the tech domain, but also from the tradecraft details of cyber espionage and what that might mean for the hand of statecraft.
[00:04:37] So this kind of wide ranging metaphor came out of a very well established tech concept. And the reason why I went for full stack spies is because now all these domains are connected through cyberspace. They're all enabled by some version of connectivity. In the public case, it's the internet.
[00:04:59] And these spies are therefore enabled to work across these different domains by deploying these techniques of espionage and sabotage and so on. Yeah, thank you for that. So why do you think so many policymakers still treat cyber as a sort of technical niche rather than something central to geopolitics and statecraft? Well, it's quite abstract. Do you know what I mean?
[00:05:22] In my career, whenever I've spoken to a policymaker, you can see their eyes sort of glaze over when you start mentioning cyber. And partly I think that's because people who work in cyber have difficulty in trying to bridge that language gap. It's difficult to tell a story when the story seems to be so abstract that you need a whole mountain of technical knowledge to be able to understand the consequences. Oh, yeah.
[00:05:51] But I think it's also because a lot of it is down to plausible deniability. A lot of it is down to murky attribution. It's difficult to establish what really is the source of truth in cyberspace.
[00:06:07] And so often policymakers, they are kind of faced with a whole gamut of different problems from how to invest in solving such a problem to how to explain it to a citizen's society in terms of what the stakes are. So I'm not surprised that they do switch off. And I'm hoping that the human side of this helps a little bit in going towards that.
[00:06:34] There's also one thing I've observed with sort of policy and technology is obviously a lot of policymakers tend to be a bit putting it politely behind the curve when it comes to technology. And then they get seduced by kind of bright and shiny new things and then end up investing in things that don't quite sort of really pan out to be that useful. I don't know if you've noticed anything like that. Oh, I mean, constantly. I think we also kind of see it with every massive technological wave, right?
[00:07:02] We saw it 10 years ago with blockchain, that blockchain will solve everything. And now we are seeing it a little bit with AI, that AI is going to solve everything. And, you know, when I started working in cyber defence, that was, you know, the sort of buzzword that cyber is going to be the next big thing. You know, this is like in the sort of late 2000s, early 2010s.
[00:07:27] And often I think it's not necessarily because of, you know, loud voices or bright and shiny. It's because there are a lot of competing priorities for policymakers where thinking in the long term, especially in the tech domain, is quite difficult and abstract. And it's a difficult story to sell.
[00:07:49] So I think trying to take everyone's incentives into account, especially when it gets to something so abstract and deep, I think it's completely understandable, but not entirely forgivable. Yes, yes, indeed. One of the book's central arguments is that China succeeds less through superior tradecraft and more through sort of persistent scale and strategic integration. Can you unpack that for us?
[00:08:17] Yeah, I mean, the Chinese cyber ecosystem has transformed over the past 30 years in ways that are sometimes recognisable, but in ways that are sometimes completely unexpected.
[00:08:33] So in terms of the quality of tradecraft, what we see from, for example, the Russians or the few occasions we see something disclosed by Russian researchers as touted to be coming from the Americans or from sort of capabilities showed by states like Israel.
[00:08:55] These are really kind of, you know, the sort of top layer, very niche, very sophisticated tradecraft, very sophisticated cyber capabilities. We don't really see that sort of quality coming out of hackers located in China. And sadly, we haven't seen it up until quite recently for sort of the last 20, 25 years, kind of culminating around 2021, 2022.
[00:09:25] We didn't really see the use of exquisite cyber weapons coming out of the Chinese state. They were using quite common vulnerabilities in like the Windows system to essentially try and poke at networks in the West over and over again.
[00:09:47] And it was that persistence, that over and over again, that sort of repeated attempts to send phishing emails or to use the same vulnerabilities in older versions of Windows that might have been unpatched to find a way in. So they weren't using these exquisite capabilities.
[00:10:07] But their ecosystem as it has grown, both hackers kind of working with the state, alleged to be working with the state, but also working independently, that is quite a dispersed and quite a diffused system.
[00:10:23] By which I mean that a lot of different private companies that act as sort of front companies for the intelligence agencies, they're able to disappear and regroup quite quickly in the event of an indictment.
[00:10:39] And so that kind of persistence to have been found out and then to regroup and reemerge a couple of years down the line and deploy the same sort of tricks that they've been using. That makes it quite a difficult system to pin down. But at a scale and at a level of persistence, that is quite unlike what we see coming out of other state actors.
[00:11:07] So how does China think differently about cyber power compared to the West? Because there are a lot of people who like to sort of say that, you know, you get it with sort of more propaganda stuff, but like the West is just as bad as China, etc. And I was just, there did seem to be a difference from what I read in the sort of attitudes with cyber. Yeah, I mean, I think it would be fair to say that their attitudes have changed quite a bit over time.
[00:11:32] There have been different, it's such an opaque system, but we can sort of pinpoint a few different signals that show that the Chinese state has taken cyber power to a level of seriousness in terms of strategic competition that is, you know, sort of to be reckoned with.
[00:11:55] So if you look at the military side, the People's Liberation Army has taken its cyber space force, its sort of cyber fighting capabilities to the same level as a theater command. So it takes it as seriously as the PLA's space force or the PLA's naval force, its air capabilities. So it really sees it as a war fighting domain.
[00:12:23] And that is as recent as 2024, this sort of elevation of the PLA's priorities. But also we, you know, sort of from a more broader Chinese philosophical point of view, they don't really have a comparable term for cyber warfare or cyber competition or, you know, something like that.
[00:12:49] They have sort of these slightly different distributed concepts like information operations or network warfare. And so it makes it quite difficult to, I suppose, compare apples to oranges in terms of the West, in terms of how we see it. And then add to that, you know, I'm sure we can come to the foreign intelligence aspects of this later, because that is where this kind of distributed and diffused capability structure is.
[00:13:18] But China over the past 20 years has been able to mobilize its academic side, its academic sector, its industrial sector into this sort of what they call a whole of nation effort into being able to create this offensive cyber capability. And certainly over the past five years, the Western allies have been more and more alive to that.
[00:13:47] And that until sort of 2020, China wasn't necessarily seen in comparison to the Russians, for example, as the same kind of force to be reckoned with. But because, you know, we used to read it in headlines all the time, that this is economic espionage, this is intellectual property theft.
[00:14:10] And to an extent, you kind of became immune to that and didn't see how their priorities changed into strategic signaling, into military signaling, into political activity. So it is, in sort of, in summary, it sees cyber as an entry point into almost every other domain.
[00:14:35] One thing that comes through strongly in the book is that cyber operations often reflect the culture and psychology of the state behind them. What do Russian, Chinese and Western cyber operations reveal about how those systems think about power and risk? I'm glad you picked up on that, because I think that is, I think if there is anything original about this book,
[00:14:59] then I hope that it is that sort of thread in how the culture and psychology of a state and its people is reflected in its cyber statecraft. And I suppose if you kind of think about, you know, the people you've had on in the past,
[00:15:19] almost every single one of them, if they're an intelligence professional, will vouch for the fact that an intelligence agency is essentially a mirror to a government or a state.
[00:15:36] And it is that ability to be able to use secrecy to play out the state's intentions without any sort of inhibition. In that sense, cyber is really no different. Because of, you know, the plausible deniability, because of the level of murky attribution,
[00:16:00] it almost emboldens its hacker ecosystem into reflecting even more the personality of the state, the personality of its government. And so if you look at American cyber operations in the past 15 years,
[00:16:20] they reflect the appetite to expose these really exquisite, really hard to find, really expensive, invaluable cyber weaponry, which almost inevitably happens once an operation is made public.
[00:16:41] So that reflects the level of waste, the level of risk a state is willing to take and what it puts its bets on. But also the level of seriousness with which it approaches operations like this.
[00:17:01] And if we look at, for example, the Russian side, especially looking at operations in the lead up to the 2022 invasion of Ukraine and then onwards, their cyber operations almost always reflect a sense of cruelty. And so the ability to cut off the power grid in the middle of winter
[00:17:28] and the ability to deploy cyber operations to really try and land a message in the most brutal way. This isn't the kind of apocalyptic scenario that we thought about pre the 2022 invasion, partly because the Ukrainians and the Americans were working very hard together on their cyber defense. But it was very calculated from the Russians.
[00:17:54] That they did try and hit Ukraine where it hurts the most. And then when you look at China, what it began sort of over 25 years ago as a spray and pray kind of operation, that they would just throw everything and the kitchen sink, aerospace companies and defense contractors in the early 2000s and try and get what they could.
[00:18:22] But sort of 20, 25 years later, now we see sophistication not in terms of the quality of cyber weaponry, but the kind of stealth that they introduce into their cyber operations. We see it in terms of them being slightly more careful to enter a network to be able to spend as much time as they can
[00:18:49] probing different corners of these networks and see what they can glean. So it does reflect a massive amount of difference in attitudes. And that has always been the kind of missing piece for me as I was trying to tell the story. Why is every state's tradecraft different? It's because their approach to risk is different. Their approach to disruption and being disrupted is different.
[00:19:20] Yeah, yeah, yeah. Thank you for that. And do you think Western governments sort of fundamentally underestimate China's approach? I do think that they underestimate China's approach. I think sometimes it kind of oscillates between underestimation and overestimation. So I think it's kind of more that I worry sometimes that we are not sufficiently bedded into Chinese thinking
[00:19:46] and immersed in an understanding of their structural layout and their structural constraints, their domestic pressures, their foreign policy ambitions, and where cyber fits into all of this and has become an enabler for meeting all these objectives.
[00:20:13] And I think that kind of disconnect to be able to see cyber as sort of a separate policy issue rather than a driver of domestic and foreign objectives, that is what I worry about, that the West is not sufficiently curious about the Chinese system. And do you think sort of cyber competitions have become too integrated into the global economy to ever fully disentangle? If you think about the global economy, if you think about trade and finance,
[00:20:42] if you think about global supply chains that are extremely expensive and time-consuming to decouple, inasmuch as our various systems, global economic systems, global financial systems, global trade systems, global technology systems, remain interdependent,
[00:21:08] that sort of vulnerability that comes from interdependence will be ripe for exploitation by whoever can exploit it. And we see it in, we've seen it in the Iran war recently, you know, just moving away slightly from the Chinese example. But, you know, to be able to weaponize a choke point like the Strait of Hormuz
[00:21:30] is really a maritime equivalent of what is likely to be happening in cyberspace. So in this kind of, so long as systems remain globally interdependent, we are stuck looking at cyber competition as an extension of strategic competition. Because all these systems are now enabled and facilitated in cyberspace.
[00:22:00] Let's take a break and be right back with more. One thing I found fascinating about the book is how often sophisticated cyber operations still come down to very human flaws, ego, rivalry, vanity, carelessness.
[00:22:27] Why does human nature remain so central to cyber espionage? I mean, human nature is kind of central to espionage generally. And cyber is merely another kind of expression of espionage. Cyber is just another sort of technical way to conduct espionage. You know, who presses the exploding watch and when? Yeah.
[00:22:55] That is eventually a human decision. And when that decision is made, and more crucially not made, is reflective of the person making it. So what the book tries to do, or at least what I've tried to attempt to do in the book, is to draw a line between the kind of styles and characteristics of tradecraft and what that might mean about the choices being made
[00:23:24] by the people behind it. So when we see, you know, in this sort of opening chapter, we see a plausibly American operation that is extremely sophisticated, but quite careless in execution. And what I try to do is think about, well, why is that? And what does that tell us about the way
[00:23:53] the state mobilizes its power? Who does it rely on? Why has it chosen to be careless at this crucial stage? So what we see in the Chinese case, and we see it because someone has been considerate slash pissed off enough to be able to have leaked the group chat of one of these front companies that sort of stems back to years and years, is that they're motivated by a number of different things
[00:24:21] that motivate young men, and almost always young men, at least in the Chinese case, in all locations, right? Irrespective of geography, young men are motivated by who's in a drinking circle and who has the most amount of state sponsorship. Can they keep the lights on? Are they having dinners with sufficiently illustrious people?
[00:24:52] You know, can they impress girls? And that sort of thing. And that really comes through in the chats. And this kind of intense competitive anxiety between different so-called private companies bidding for state contracts and, you know, worrying that, oh, you know, is our offering as good as theirs? And are we getting the right price for, you know, this data dump that we're trying to sell to the government? And so all these anxieties, they come across.
[00:25:22] And so the focus isn't so much on, oh, what is the level of, what is the technical prowess demonstrated in this piece of malware or in this piece of cyber capability? It's about, has the job been done and are we going to be compensated for it? And if not, is the rival company going to get ahead? And that is quite unique to the Chinese ecosystem.
[00:25:51] That often the same job might be contracted out to two different hacker groups. And so it's almost like a sort of Game of Thrones situation where, you know, they're like trying to aggressively bid and, you know, put the other sort of group down and, you know, sort of make it about their egos and make it about, oh, is their tradecraft sufficiently sophisticated?
[00:26:19] And, you know, these guys, they don't have a clue. And, you know, that sort of, you know, one-upmanship, that would be quite familiar. And we wouldn't expect it to be such a central part of the decisions that go behind tradecraft, but it turns out that they are. Yeah, yeah. So in 2020, a group in Chengdu was indicted by the US Department of Justice.
[00:26:45] And so this other group that I concentrate on and sort of look through their group chat, I tried to go back and see what their reaction was to essentially their competitors being indicted. And they were having a right laugh about it. And they were like, oh, you know, now I guess we've got to like make them drink as many drinks as, you know,
[00:27:13] their group number's been assigned to by the DOJ. And, you know, we're going to take the mick out of them. And so when this indicted group went underground to sort of evade the sanctions imposed by the US, there is some evidence to say that it appears that they were hired by this rival gang who tried to then subsume their cyber capabilities
[00:27:43] and continue from Western eyes to continue this sort of hacker ring and its activities. So these rivalries and these sort of, these ego power plays, they really affect the tradecraft because you, you know, even when it drops, you can see that it's continued later. So something must have happened on the human side of the story. Yeah, yeah. They take greater risks and things, yeah. Right, right.
[00:28:11] And so this chat dump kind of gives us an insight into what's happening, which is that they sometimes hire their competitors and then don't seem to pay them enough because they're really struggling to keep the lights on and antagonize them enough that they, that sort of new entrants sue them or try to sue them. And then eventually the whole company implodes. Yeah. Because they're trying to sort of position themselves as a sort of legitimate software development company,
[00:28:41] but they really are nothing of the sort. So, because they can't keep their lights on, they can't pay their freelancers, they can't pay this, you know, these entrants, these new entrants from the indicted hacker group, they end up, somebody ends up dumping all their marketing material and their group chats online. And then people like me go ahead and find it and then look through six years of chats and try and understand what we can learn about the Chinese ecosystem from that. Yeah. Wow. Wow.
[00:29:10] That's amazing. Yeah. Well, one interesting operation you mentioned in the book is something called Operation Triangulation. So why was that such a significant case study? Yeah. I mean, I use that operation as kind of the opening gambit in the book to be able to lay out what the stakes are and what the structure of this kind of business of espionage is.
[00:29:41] It is one of the few operations that might have plausibly come out of the National Security Agency in the US to be, to have been made public. So back in 2023, three lads from Kaspersky, which is like this antivirus company, which has a research arm, presented their findings at a hacker conference.
[00:30:11] And it turned out that whoever was behind this operation had put together previously undiscovered vulnerabilities in our iPhones to be able to infiltrate these Russian researchers at Kaspersky, but also a lot of high value targets in the Russian government and visiting diplomats.
[00:30:36] And the sophistication of the operation was really a beacon, sort of, you know, this kind of look at me, look at me, kind of style, kind of level of sophistication. And so the way that these researchers were able to find them was by looking at the level of carelessness in the operation itself. They had invested, the hackers had invested
[00:31:06] so much into finding these undiscovered vulnerabilities in the iPhone. But the way that they deployed the operation was quite sloppy. And so I ask in the book, what does that tell us about the way this state thinks about risk? So quite fortuitously, just before the book went to press, there was a story that came out that said that
[00:31:36] some remnants of this malware in the original Operation Triangulation appeared in other cyber operations later on. And that a US defense contractor was arrested for passing on some associated malware to a Russian broker. And really that kind of, you know, sort of hot news, that really put it in context
[00:32:04] that the reason for carelessness, one quite plausible theory is that the authors of the malware were different from those that deployed the malware in Operation Triangulation. And what that tells us about the state behind it is that they were sufficiently flush to be able to buy this cyber capability that might have cost hundreds of millions,
[00:32:34] but were quite careless in deploying it in terms of being found out. They didn't care about being found out so much, which shows a level of recklessness, right? It shows a level of confidence. Why do you think that was? Why did they not care so much about how they deployed it? Presumably they wanted to get their hands on a piece of data, on some kind of ongoing intelligence from key targets in Russia. It might have been intended
[00:33:04] to be a short-lived operation, but ended up going on for far too long, like sort of four years. And then once they were in, they presumably didn't really care very, either didn't really care very much about being found out, or they prized their own ease of access more than stealth. So they prized the fact that it could sort of infect a phone over and over again,
[00:33:34] rather than thinking about, right, this will, you know, this will get us found out. Because the last thing you want to do is use sloppy tradecraft on someone who's professionally trained to discover hacking activity. Yeah, yeah. And so it was really the association with the US defense contractor who was arrested and sentenced to prison for selling associated capabilities to a Russian broker that lent credence to the theory
[00:34:03] that Operation Triangulation might have been initiated by the US. And that is sort of the latest addition in very little that's known about the US offensive cyber ecosystem. You know, back in the sort of Edward Snowden days, you know, we know a little bit about the NSA's capabilities because of that enormous leak.
[00:34:32] And we know a little bit about the NSA's capabilities from the WikiLeaks dump of their hacked capabilities that were then reused by the Russians and a bunch of different actors in the mid-2010s. But we didn't know so much about the more cutting-edge recent American capabilities. And so in that sense, it is quite a useful discovery.
[00:35:01] And I don't want to make an attribution here. I'm just saying that given what has happened in the course of the lifetime of the tools in this piece of tradecraft that it points to the Americans, and if it is so, that will be quite seismic because it shows a growing level of recklessness in that ecosystem. Yeah, indeed. Yeah. And so what do we know about, so we talk about how, like sort of,
[00:35:29] how with China and Russia, obviously, their cyber operations kind of reflect their psychology. What do we know, what do we feel about the psychology of the American side of things? You know, because obviously we only know so much about what the Americans have been doing. We know that they possess extensive and unparalleled passive surveillance capabilities. And we've known that, you know, since the Snowden leaks, much to the consternation of the Western intelligence allies.
[00:36:00] We've known that the US has, you know, these, this sort of vast undersea cable network and a lot of the internet traffic that's concentrated through US territories. And so we know about all these passive surveillance capabilities and now, you know, increasingly in space as well. But what we, what we didn't know was the use of covert cyber capability and, you know, the, the kind of, the direction
[00:36:30] and the trajectory of an operation like triangulation, which would be priceless really to any intelligence agency. It shows the level of scale, the sheer amount of investment into cyber power, but also the reliance of American intelligence on private contractors
[00:36:59] to provide these capabilities to the intelligence agencies. these are all quite sort of significant insights into, into how the US appears to conduct its cyber operations. Yeah. Because it, it shows that to an extent through the reliance on private actors, the US and Chinese offensive cyber ecosystems, they both have this kind of structural similarity
[00:37:29] that they rely on private contractors to, to provide at least some level of operational support. In the Chinese ecosystem, often intelligence agencies like the Ministry of State Security, they probably wouldn't have any real oversight technically of how the operations conducted. They would, you know, sort of give an end-to-end job
[00:37:58] to a front company in most cases. And these front companies, they moonlight as legitimate cybersecurity companies. Whereas in the US, the relationship is a bit tighter, it's a bit closer, it's not so diffuse. The reliance is much stronger in the sense that there's a clear ingestion of cyber capability from a private actor or from a broker, and then to, you know, to own the deployment of that,
[00:38:28] both for their own consumption, but also for their customers' consumptions, which are, you know, might be other American intelligence agencies or indeed Western allies. So the Americans use companies like, is it Booz Allen Hamilton and companies like that, don't they? And they kind of are contractors for the NSA, et cetera, is that right? Yeah, I mean, it's quite a complex system because it's contractors and subcontractors and often it depends on the intelligence agency.
[00:38:58] And so, I mean, I try and give it a bit of structure in the book. I kind of paint it as like an upstairs-downstairs dynamic, which is, you know, upstairs are sort of the legitimate spies, the intelligence professionals, and above them is sort of the political class. And then downstairs you have this combination of defense contractors that are quite established and old like Booz Allen Hamilton, but also the sort of clearing houses for hacking capabilities
[00:39:28] that are then provided to these old school defense contractors through brokers. So, it's not the cleanest and most intuitive ecosystem, but there is certainly a level of hierarchy and a degree of closeness or diffusion that is quite stark and specific and different in the American and Chinese ecosystems. And does that mean now then sort of big tech is, whether it likes it or not, sort of effectively a part of this
[00:39:58] intelligence ecosystem now? They're certainly a part of strategic competition, and, you know, that is not necessarily by design, but that is, has always been true of powerful intermediaries in the private sector. So, the book, I give an example of the US, one of the US telecommunications companies operating out of Chile just before Pinochet comes to power and how they
[00:40:28] try and persuade the CIA to mount a coup in Salvador Allende to prevent being nationalized and having their assets in Chile stripped. And, publicly, the CIA obviously turns down this request. So, whether or not we like it, powerful intermediaries have always been a very important part of strategic competition because they mediate a lot of these information flows, especially in today's
[00:40:58] environment where all these information flows are interdependent. Big tech mediates our ability to ingest news, for example. And so, that sort of perception shaping element of statecraft, they own that, they mediate trust between us and the political class. So, whether or not they like it, they certainly have grown powerful and big enough to be right at the center
[00:41:27] of strategic competition. When it comes to intelligence, a lot of the times, the state's intelligence apparatus doesn't necessarily have the resources or the agility or the technical capabilities to be able to do a lot of forensic work and to follow the actions of state sponsored groups. And so, they often work in partnership with
[00:41:56] friendly intelligence agencies to be able to do this kind of long-term work, which then they also package and sell to their customers. So, it is a very stark and specific role in cyber statecraft generally that not all big tech companies have the same level of power, they don't have the same role,
[00:42:26] Google, and so we shouldn't lump them together. They obviously play, you know, Apple plays a different role than Google, but it is inextricable from the intelligence ecosystem now. Yeah, yeah. And different countries have different legal relationships with those companies too, don't they? That's exactly right, yeah. Yeah, yeah. So, like in the US, there's a lot more restrictions in how they can extract data from a private firm like Google, as opposed to, I guess, Russia or China,
[00:42:56] where if it was, you know, I don't know much about the relationship with Google in China and what access the state can get to the data or not. Yeah, I mean, that's a great question. So, I mean, I try and cover this a little bit in the book, but again, it's very opaque. So, back in the mid 2000s, so in 2006, Google entered China for the first time. and was immediately being bombarded
[00:43:25] by phishing emails and a lot of attempts to steal Google IP. And it appeared that Google was sufficiently uncomfortable by these cyber attacks, which we now call Operation Aurora, Sleeping Beauty, the protagonist of Sleeping Beauty. So, Google was sufficiently spooked by that to then have
[00:43:55] left the Chinese market in 2008. But since then, of course, they have been, they've had a toe into the Chinese ecosystem with local competitors. So, you know, China has sort of the equivalent of Google Search that conforms to the Great Firewall and things like that. And as Google has expanded its services offering,
[00:44:25] we see sort of direct competitors emerge like Baidu and cloud services like Ali Cloud and things like that, which is a very different model, of course, from right at the bottom of the stack like Apple to be able to allay the national security concerns of the Chinese state by offering secure hardware and developing whole new supply chains to be able to do so. So,
[00:44:55] we mustn't lump all big tech actors in the same bucket because they fulfill very different functions. Google has a huge cyber defense and research team and their output often helps Western intelligence agencies like the FBI in trying to find that last piece of evidence or, you know, run operations in conjunction to be able
[00:45:25] to really pin down attribution. But obviously that's not the way that relationship works with the Chinese public security ministry. It doesn't work that way with the state security ministry. So, to an extent, Western companies have always had to sort of choose in their allegiances, whereas hardware companies like Apple try and
[00:45:55] maintain a sense of balance to be able to keep both markets open. Let's take a break and be right back with more. Can you talk to us a little bit about how trust is becoming weaponized and so on? A great portion of
[00:46:24] where a lot of the structural stuff is leading to is that centrality of trust. What it means, what is the geometry of this kind of trust. Yeah, so I kind of use the examples of how does trust work with something like the Italian mafia in the 1980s, as opposed to how does trust work in a multilateral organization like the United Nations. Because you see the presence of
[00:46:54] both of those structures and power hierarchies in cyberspace. And so how do these private actors, these intermediaries, whether they are various big tech companies, but also hackers contracted out to do operations on behalf of the state. How are they jostling to reshape trust, to reshape
[00:47:24] the information flows that inform our understanding, that inform our sovereign capabilities, that inform both the adversaries' perceptions, but also to be able to preserve their competitive advantage in any domain. So trust really emerges as this kind of central quality that is really hard to define. And I take a couple of punts in the book
[00:47:54] itself, but now we see it as not just endemic to cyber espionage. And espionage, the kind of point of espionage is to subvert trust, to be able to get to some statecraft objective. But it's not just endemic to espionage, we see it in disinformation operations, we see it on the information landscape as a whole,
[00:48:25] which has now irrevocably changed the level of polarization in our societies. And so it really emerges as this kind of the linchpin, what is the objective of cyber espionage is to manipulate trust. And so I look at the role of various different actors that we have set up in sort of in competing for that final quality. You write that the
[00:48:55] rules of the gentleman spy game are passé and that there are few gentlemen in cyberspace. What did you mean by that and how has espionage culture changed in this new era? Yeah, I mean, you know, if you think about the days of the Cold War where, you know, if you were found out to be spying on your host country, you might get sort of a rap on the wrist. If you
[00:49:24] were working in a more authoritarian system, you might pay a slightly more severe penalty. That hasn't changed, to be honest. But what I was trying to say was that the red lines were understood by all parties, or at least the professional players in both parties understood the rules of the game, where you don't disclose the
[00:49:54] capabilities of your competitor, even though it might be expedient, because your competitor might do the same. If you were found out to be spying, you might have a quiet expulsion from the embassy you were attached to. But this wouldn't escalate into a tit-for-tat situation like we were seeing in the late 2010s after the Salisbury poisoning.
[00:50:23] These rules that came from the Cold War, they don't exist in the same way anymore because cyberspace doesn't have the same kind of clarity and the same kind of certainty of who's done it, why they've done it, how they've done it, and have they really done it or is someone pretending to be them. These simple questions don't have simple answers anymore.
[00:50:53] The rules have changed because of this inherent ambiguity in cyberspace, but also because states now find themselves in a tricky position of trying to be both regulators of offensive cyber capabilities as well as consumers. That puts them in a difficult position of being able to use the very same tools that they don't want their competitors to use to do the spying.
[00:51:22] It's a bit hypocritical in some ways, isn't it? Hypocrisy is the classic human condition, and that's a given. I don't think there's any amount of, yeah, we can't cure that one. No, definitely not. Definitely not. Well, one other thing that your book suggests, we're kind of living in this sort of condition of a constant low-level competition that sits somewhere between peace and conflict. Has the line between war and peace been fundamentally blurred?
[00:51:52] I will give you a slightly more nuanced and academic sounding answer. Go for it. And I think it's that, it's not that the level, it's not that the line between war and peace has been blurred, because, you know, we are in the midst of three, if not four, live wars that were supposed to be limited to being regional conflicts, but have international
[00:52:21] and long-term consequences. It is that the line between peace and not war is blurred. And not war is that stage of having quite an uneasy, kind of fragile, volatile sort of peace that might at any point break out into a full-blown conflict. And so, it is that we can't take that world of sort of
[00:52:51] pre-2020 and indeed in Ukraine pre-2014. That kind of bygone era of lasting peace for granted, that this constant low-level conflict, street engagement that becomes flashpoints in Ukraine and in Iran and in Sudan, these are states of war that previously used to be just
[00:53:20] at not war thresholds. So it is that line between peace and not war that is blurred, that the competition is getting more intense, it's making our systems more unstable, it's making strategic stability more questionable and it's making trust more volatile. And that is really the kind of message of this book, that the ability to direct that instability, to choreograph
[00:53:49] uncertainty, is going to determine who wins the strategic competition. Do you think both policymakers and the general public are knowledgeable enough about all this? Because you were mentioning the sort of relationship between not war and war and it made me immediately think of Y2K, because at the moment it seems to be back in fashion right now. And living in London, you get constant reminders of sort of millennium schemes. There's a
[00:54:19] boat called the Millennium of Peace that sails up and down the Thames that has this sort of, it represents all the optimism of that time. But we definitely aren't living in a millennium of peace at the moment. But I do worry that many members of the public haven't quite caught up with some of this sometimes. I don't know what your thoughts on all that are, that mindset. I kind of feel that we've never been more informed, even whether that's misinformed. I think there has never been a greater appetite
[00:54:49] for information. Often that information comes from sources that are not entirely trustworthy or reliable. But I think the public is very alive to sabotage coming out of Eastern Europe. It's very alive to the changes in their energy bill as a result of the conflict in Iran and their rising mortgage costs. So I think that
[00:55:19] awareness is there. But the trouble isn't awareness, it's about what to do about it. I think there has never been a greater level of awareness of cyber threats than today. And a lot of discourse around artificial intelligence has only helped that. So it's certainly not for lack of information. It's that there is so much information that it's almost leading us to a level of paralysis where we don't quite know what
[00:55:49] the best thing to do is. And so the danger is a level of disengagement. And that is really the disillusionment, the numbness, is the challenge for our political class to be able to tackle. So that re-engagement with this level of not war, this unstable peace, really translates into policy options, whether that's for cyberspace,
[00:56:19] whether that's for defence spending, or whether that's for economic warfare. Let's take a break and be right back with more. Is there anything else of importance to you you'd like to add or any key thoughts that listeners should walk away with that are important
[00:56:49] to you? Yeah, I mean, I think for me the important issue now is we are entering a level of strategic competition that is only getting more and more intense and it is only getting more and more unstable and volatile partly because of unpredictable leadership, but partly because our systems are not resilient enough to
[00:57:18] absorb a lot of disruption. So I think the takeaway for me would be that what I've tried to do in this book is to show that cyber statecraft is often a sort of canary in the coal mine for what the state's broader intentions are. And I hope that policymakers can see past the technical abstractions to be able to focus on the human story, on the story that
[00:57:48] cyber statecraft is telling us about states and their changing appetites, their growing confidences, and their increasing recklessness to be able to deliver something for the rest of us that is very aware of that, that prices that in. Ahana, where can listeners find out more about you, your work, and where can they get a copy of your excellent book? So I have, I'm not quite sure how, but I've managed to stay off of social media entirely.
[00:58:19] Good for you. I'm trying to get off it, but it's the addictive qualities and sometimes necessity of it make it very hard. Yeah, I mean, for your work, I suppose it's, yeah, it's impossible to stay off it. So you can't find me on LinkedIn, I'm afraid. Okay. I do have a website, so if you want to get in touch, you can certainly get in touch, and it's kind of this page that never changes. And I often write
[00:58:48] for outlets, I've written for outlets like Foreign Policy or the Financial Times or these various different places where you can read about my work. And of course, I think the book is sort of one way of diving deeper into that. You can get the book from essentially every good bookshop. And I'll put a link in your show notes that hopefully can help people find that. Yeah, there will be
[00:59:18] a link in the show notes there, both to your website and to your book. Thank you so much for your time today. It's been really great chatting with you. It was great to chat with you. Thank you so much for having me. This has been a really great and wide-ranging conversation. Excellent. Thank you.
[00:59:59] Thanks for listening. This is Secrets and Spies.

