Lawfare Daily: Grading the Trump Administration's Cybersecurity Efforts, with Rear Admiral (Ret.) Mark Montgomery

[Intro]

Mark Montgomery: Particularly in the workforce, or needs a workforce to execute it, that's where you saw the degradation, the slippage, where we changed our assessment of where the government stood.

Jonathan Cedarbaum: It's the Lawfare Podcast. I'm Jonathan Cedarbaum, Lawfare’s book review editor, with Ret. Rear Admiral Mark Montgomery, who is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.

Mark Montgomery: From my point of view, these things are small but important, and they add up to a very important element of U.S. foreign policy that is kind of in tatters right now. No one nominated to lead anything, people leaving left and right because there's no––you don't know what the final organization's going to be like.

You know, this was an absolute own goal.

[Main episode]

Jonathan Cedarbaum: Today we're talking about the 2025 Annual Report on Implementation produced by the Cyberspace Solarium Commission 2.0.

Before we get into your recent annual implementation report, I wondered if you could just remind our listeners about the work of the Solarium Commission in its original form and some of its overarching or key conclusions.

Mark Montgomery: Yeah, thanks.

So the Solarium Commission was set up in 2018 in the National Offense Authorization Act that then allowed us to start the commission in March of 2019.

There was going to be a three-year commission, about $4 million, I'll say, right up front. We finished on time and under budget. You don't hear that every day in the government. But mostly because we had Senator Angus King as our chairman and Representative Mike Gallagher as our chairman from the House. So you had one Democrat––or one independent with the Democrats––one Republican.

We also had a really important member named Jim Langevin from the House, who, if you study cyber and legislation at all, you know that over the last 25 years, he's responsible for probably 50% of the legislation that's gotten done. He's now retired. He was from Rhode Island as a Democrat.

Anyway, so with that group and with legislators, U.S. government members like deputy secretary of defense, deputy secretary of homeland security, director of FBI––by the way, potentially not a completely legal commission, and we can talk about that some other time––and then some private sector personnel as well. Former government, private sector, including the CEO of Southern Company, Tom Fanning. So good mix.

We went out there. We spent one sharp year studying the problem. And the problem was, as Senator McCain kind of articulated it when he signed off on the commission, was, we need to come up with a strategy to ensure that America's critical infrastructure stays secure in cyberspace, with the implication being that it wasn't at that time.

And Senator McCain was correct. Whether you're looking at criminal actors or nation state actors, we were not secure in 2018. I would say we are not secure today. But his idea was, Hey, go come with a strategic approach so we can at least start getting the government aligned.

And he had a suspicion that the government didn't have a proper quarterback, a few other––that, you know, to use his terminology, we weren't properly organized to lead and win. And, you know, over one year we studied this issue, came up with some significant findings that they'll basically, you know, number one was the government wasn't properly organized.

Number two was, the private sector was responsible for a whole lot of secure––you know, the cyberspace, this is different than say undersea warfare, where Russian submarines––the problem of Russian submarines was not a problem for Southern Company, you know, a power company. It was a problem for the U.S. Navy. It was a problem for the government, and so it was fundamentally different than in cyberspace.

Cyberspace was a different mission area where the battle space, so to speak, was 85% owned and operated by the private sector or state and local governments, not the Department of Defense.

And the third probably that we had not developed the public-private collaboration to work through that problem of a tough threat problem not owned by the government owned by the private sector that wasn't investing enough, and then a government that wasn't helping enough.

So that's the point. That was kind of our conclusions, from which we drove a whole lot of legislative and executive branch recommendations.

Jonathan Cedarbaum: Excellent. Thank you for that overview. I remember that one of the central themes of the commission's report was that we needed, in the United States, a strategy of, quote, “layered cyber deterrence.” What did that notion mean, “layered cyber deterrence,” that we had been missing?

Mark Montgomery: You know, that's a great, yeah, it's a good terminology. It's––and we had a two really smart cyber strategists, Dr. Erica Lonergan who's at Columbia now, but at the time was at West Point and was seconded over to the Commissioner of Work, and a second was, we hired Dr. Ben Jensen, who is the lead professor at Marine Corps University on cyber and cognitive warfare kind of issues. And, in addition, a colonel in the U.S. Army Irregular Warfare program.

So, you know, we had two very strong thinkers. They've both written extensively, published extensively on the issue and we collectively came up with the idea of layered cyber deterrence.

I have to say Senator King, he wouldn't like me calling him this, but he was kind of like a broken record, in the sense that he's like, we are not deterring in cyberspace. In fact, if you go to a hearing today, five years later, he would invariably say––as I've said for the last five years since I was on the Cyberspace, Cyber Commission––we are not equipped to deter the adversary in cyberspace. We are not preventing them from taking the actions they want to take, beneath a certain level of warfare.

So, the idea of layered cyber deterrence was that you actually had, and Joe Nye wrote on this––and Joe Nye, a pretty famous soft power strategist at Harvard and in the Department of Defense who coined the term soft power. Recently passed away, but he wrote some op-eds on cyber, in fact, that were very consistent with our definition of layered cyber deterrence.

And what it really means is that if you're going to deter someone in cyberspace, you have to use all the elements of national power. You have to engage them in all the different types of deterrence. So deterrence by entanglement, that's where you try to use law enforcement sanctions, legal regimes, international negotiations, deterrence by denial, which is kind of the one we most think about, which is––I'll defend myself to such a degree.

It's not, it's too expensive or not that, you know, not effective for you to strike me. Or, the third one, deterrence by cost and position. Sometimes it's called punishment. But in either case, it's the idea that I'm going to punch you back in the nose so hard that you determine this is not a habit you want to continue. And so––or an attribute you want to continue.

So layered cyber deterrence says you have to work across all three of these in order to build the public-private collaboration that's necessary to deter an adversary in cyberspace.

Jonathan Cedarbaum: Very good.

So with that background on the commission's initial work, let's turn to your most recent implementation report released just a few weeks ago, which I gather was the fifth in a series of these annual reports.

For this most recent one, what would you identify as your most important, you know, two or three findings?

Mark Montgomery: Well, I think the first and foremost finding is that—and I just read it to make sure I get it exactly right—we said right up front, our nation's ability to protect itself and its allies from cyber threats is stalling, and in some cases even slipping.

That's a tough thing to say, because for the last four years we've been saying things are getting better.

Now, I will say, I would always caveat that in an administration change, particularly when you change parties, there's always a three- to five-month perturbation in policy development.

It's unavoidable. I get it. Cabinet member––like the secdef or secretary of state, they're confirmed in the first week of administration.

But you know, there's a lot of ligature, there's a lot of assistant secretaries and undersecretaries and such that don't get, deputy secretaries that don't get confirmed for months or even a year.

And this is party-agnostic: no matter who's the presidency, who's got the Senate, there's delays. And sometimes the underlings to that––the deputy assistant secretary in the GS-15, the Schedule C, which is political appointee, GS-15s underneath that are sometimes delayed while we, quote, wait for the guy to make his––or the man or woman to make their––choice.

You know, frustrating. So I understand there's three or four months.

But we are writing this eight months into it. They're publishing it in, you know, in late September, you know, writing it basically in August, the final parts of it. And I, and our final assessments are around––I think our cutoff time was August 31st.

I'll just say this was beyond the normal. Three or four months perturbation. There was slippage and there was obvious reasons for the slippage.

Jonathan Cedarbaum: Let's take those up a little bit, one by one. So what are some of the important respects in which you and your colleagues concluded that there has been this stalling and slippage?

Mark Montgomery: You know, I think the first one was cyber workforce.

I mean, I'll take one agency, the cybersecurity, infrastructure security agency, our civilian cyber defense agency. Developed, you know, before the commission, put into law in like 2016, 2017 at the beginning of the first Trump administration––and Chris Krebs was the first director, and then Jen Easterly was the director for four years of the Biden administration––but heavily supported by our report. Our report gave 10 different areas to support it with authorities changes and appropriations changes, and eight of those 10 were done.

I mean, we did significant assistance, created organizations within it, put lots of it in law that just wasn't in law before. It was just in practice. And that's always dangerous to not be in law.

And then the appropriations were then raised between 2019 and 2024, from $1.3 billion to almost $3 billion.

And by the way, John Katko, Republican from New York, was on record of saying it's probably a $5 billion organization when done right. And that's in 2022 numbers.

So, it still hadn't fully grown into itself. This administration came right in and cut that. And so, to me, manpower was one of the most important issues.

And then the authorities to operate and exchange information, I––this was not on my bingo card of stuff they might accidentally remove. I'm still of the opinion that was an accident.

And most administrations have trouble admitting a mistake. I, I get it. This administration, you know, has a PhD in that characteristic. And so as a result they're like ‘no, this was all on purpose, we have a master plan and you know, we're eight months into the master plan.’ And I don't see it.

So I saw things like that. So in my mind there was––look, there were some good things as well, but some bad things.

But if I could, I'd just start by saying those were our general findings, was that particularly in the workforce, or needs a workforce to execute it, that's where you saw the degradation, the slippage, where we changed our assessment of where the government stood.

Jonathan Cedarbaum: Were there examples of that outside of CISA?

Mark Montgomery: Yeah, so for––I gotta say one thing about CISA.

It shocks me. There's a temporary leader, says––look, the Senate owes the government, the executive branch, the confirmation of Sean Plankey, the CISA director. He's being held up over the provision of a report from the last administration, demanded by, mostly by Democratic senators, and I, and my––I'm just like, come on guys, just let it go.

I mean, let the guy get a––I want to criticize him for not doing the right thing. It's hard to criticize them when they're kind of rudderless without a leader.

But the acting leader said something along the lines of this, like, we've lost––we've gone from 3,300 to 2,200, no appreciable change in our ability to our job.

And I'll just say, gently, that in 35 years of leading a whole lot of military organizations, many of which were bigger than CISA, no leader ever came up to me and said, sir, the key to my success is cutting one third of my workforce, you know, randomly.

You know, come on. And especially the way they did it, they took away the probationary employees, the seed corn of your future, develop-, you know, leadership.

And they took away, they accelerated the departure of senior leaders through early retirements and fork in the road. Boy, talk about how I would not remove one third of my personnel. That's the opposite of the right––I mean, I wouldn't really just take it off in the middle, but I take most of it from the middle part of the workforce.

Instead, they went to the top and bottom of it. Really poorly done.

So I say, I just need to say that––and look, there's other examples. NIST, which is a National Institute of Standards and Technology at the Department of Commerce, we assessed it in 2020 as about $120 million organization in terms of, of workload with an $80 million budget.

And neither the Trump 45 nor Biden truly corrected the budget, but they did get it up to about 100 to 110 million on cybersecurity. This is just the cybersecurity part.

Unfortunately, every executive order put out at the end of Trump 45, or all of the Biden administration would say, ‘and NIST, go do this.’

And let me tell you how much money is attached to an executive order: zero.

So the reality is, they'd become like $160 million worth of assignments, and had about a hundred million dollars. So the Trump 47 rolls in on this already stressed and strained organization. One that, by the way, had stuck it to the Biden administration in early 2024 by stopping funding some national vulnerability database work to say, ‘this is how bad our funding is. We will make it something that's public and embarrassing.’

Which I thought was a pretty, you know, ballsy move by NIST. And they got their money from Biden's OMB to fix that. So they're under stress, under duress. And then comes DOGE and you know, the Department of Commerce. And they just start cutting within that.

And, you know, both in the budget appropriations and the personnel, this is––so, taking an organization that's critical to cybersecurity standards, regulate, you know, not just really regulation, but cybersecurity standards, education, understanding in the government and in the private sector, and kicking it in the backside a few extra times is, was not a good move.

So that's a second one. I'm––there's more, but I think that gets the point across.

Jonathan Cedarbaum: Very good. Okay. So as you say, I gather, one of the central concerns in this most recent report is budget cuts and staffing cuts at a number of the departments or agencies that play an important role in U.S. cybersecurity policy and U.S. cybersecurity defense and resilience.

Were there other major concerns beyond the staffing and budget cuts?

Mark Montgomery: So, in State Department we had set up something called the cybersecurity and the––

Jonathan Cedarbaum: The ambassador-at-large ambassador for cyberspace and digital diplomacy, I believe.

Mark Montgomery: Yeah, cyberspace and digital diplomacy. It was a bureau there, to work, and it was underneath the deputy.

Every time you do legislation, you have the perfect legislation and you have the legislation you get. And there's a series of compromises you have to do to get things through.

And one of the compromises was, and this was a problem we had with the Biden team, they wanted––they didn't like putting it under the deputy.

I felt it needed to hang for some period of time, five or seven years outside of the normal hierarchy. I would say State Department––you know, I've lived in Department of Defense, which has some parochialism to it, but––

Jonathan Cedarbaum: So I've heard.

Mark Montgomery: The State Department is Olympic gold medal-winning, you know, world record-setting parochial, you know, siloed bureaus.

And so I was afraid to get and this administration came in. And here's the killer: as they're breaking it, reorganizing the State Department––because it obviously couldn't be right, because it was done by Biden––you know, they're breaking up the State Department. The guys come into the––I know for a fact that came into the cyber digital policy office and started to show what they're going to do.

And the per––one of the people they're interviewing said, you know, there's a law about this called the Cyber Diplomacy Act. And the person was unaware of it.

You know, so they're reorganizing it without even reading basic law. And they reorganized it in violation of the law. By the way, a law that Senator Rubio aggressively supported before he became Secretary of State.

And so his own guys came in, unaware of the law––and they weren't his guys, in my opinion, they were probably White House guys. But, you know, in State Department and they did this.

And so it's, I mean, it's mildly––I'm not insulted by this easily, or I'd be insulted all the time, but it's kind of insulting that you reorganize something without reading the law.

We are a nation of laws. I mean, I believe we're a nation of laws. And you probably, and you literally––this wasn't a law, like, you know, that reorganization from 1862 is a little old. This was a reorganization from 2023.

I mean, come on. You took the maximum time to implement it. So it was really, fully––I mean, the law was 2021, to be implemented by 2023.

You know, it had been in effect for two years. Have a little bit of due diligence and, you know, find that out. But okay, they didn't. And then Senator Rubio, when confronted by Senator King who talked to him and said, what's up? You know, basically was, you know, mildly denied.

You know, he was aware that he had been part of the law.

You know, I mean, this is not helpful. It's not how you run government. And now we're in a position where the administra-, you know, Republicans in the House are trying to, you know, clean up the spill on aisle three, you know, by writing legislation that kind of supports what the administration's doing.

And you know, the rest of us are like, well, I would like it to work. But on the other hand, I'd like you to just follow the damn law. Which you just passed, and you guys supported, the Secretary of State supported, before he didn't support it.

So I'm a little frustrated. That one's bad. Now here's why that's bad: it's not just, like, someone to talk to for our partners and allies. That's important. But we do need some cyber capacity building. Like when our forces move with and through a country, we want the cyber to be secure for our military forces.

So that matters. Cyber capacity-building and very specific––even in a Make America Great thought process, you want our forces to do well. There's standards-setting, like the State Department kind of leads our participation in international standards-setting of things like the International Telecommunication Union and the World Intellectual Property Organization.

You know, we don't get the right––if China's working very aggressive those places to get a China-centric solution in place, one that doesn't believe in personal rights and responsibilities and privacy, one that's focused purely on sovereignty––which is, you know, coded language for authoritarian control.

So from my point of view, these things are small but important. And they add up to a very important element of U.S. foreign policy that is kind of in tatters right now. No one nominated to lead anything, people leaving left and right because there's no––you don't know what the final organization's going to be like.

You know, this was an absolute own goal.

Jonathan Cedarbaum: We've talked about a number of the critical elements in the report––that is, ways in which the report has been critical of the Trump administration's early moves. Does the report identify any initiatives by the new administration that it considers beneficial?

Perhaps some, in some cases, carrying forward efforts that had already been underway before it came in?

Mark Montgomery: Yeah. This is a tough yes.

So there's a little bit in there. So look, I like the idea––in their first executive order, they emphasized the importance of state and local governments. Look, I've lost my confidence in top-down, regulation-driven solutions for some industries.

Look, Americans like regulation on nuclear power. They prefer something not go really wrong in 'em. They're pretty cool on regulation, on flight safety. They don't want to fall out the sky. They're pretty cool about regulation about their money, so that it stays in their bank account.

After that, the list gets tougher. So trying to force in like water regulation at the top that comes down––especially, you know the difference between New York City water, L.A. water, and like, Fauquier County Rural Collective Number 7’s water utility. There are big differences there.

So I get that water probably has to be the bottom-up or ground-up, no pun intended. And to do that you really need state and local empowered to do that. You know, understand––provide 'em with standards, and then incentivize through grant program support.

Now, look, I'm not talking about a grant program for a Fortune 50 company. I'm talking about a grant program for rural collective number seven, you know, in Fauquier County, right? Which is, you know, doesn't have two root wood nickels to rub together for this threat.

So if we could help them out with a grant program where they meet, they assess themselves to a government standard, show the gaps, and then use an approved solution that we help fund.

To me, that's how you get at this. And it should make Republicans happy. Democrats should be happy with the end result. You know, I think ev-, it's a winner-winner. So he says that, and you're like, ah, good. I like this.

Of course, the next thing that happens is the administration does nothing to prevent the state and local cybersecurity grant program from expiring. Now, in the CR, the House Republicans––and the Senate Republicans did add it in, it's reauthorized through like January of 2026.

But long-term, you're going to have to reauthorize and appropriate to that. In other words, the next step is to have grant programs that incentivize this.

Believe it or not, the energy, rural energy does have some grant programs. There's some areas where you see congressional committees have shown an interest, or maybe the federal agency showed an interest, and we're doing all right.

In general, I would tell you there's three sectors that I don't lose sleep over at night: financial services, energy, and the defense-industrial base. There's 17 or 18––depending on, you count 'em, 17, 18, 19 sectors.

So that does leave a lot of F's, you know, in the programmatics, water being one of them.

And so I like the fact that the Trump administration recognized, hey, this is a state and local solution. I also like that they have kind of put the NSC and the N––the National Security Council Cybersecurity Directorate, focused on offensive operations, on international partnership, and I like that.

And then told the National Cyber Director, you're really responsible. You're the lead for the National Cyber Defense, which makes sense from the name of your office. And, you know, that was our intent.

We'll see how that plays out over the next 40 months. But I will tell you, good intent there. So there's two pretty big areas I would say the administration's done, you know, stepped off on the right foot.

The problem is, when you're assessing them, they haven't produced yet. What I'd say is they've drawn a line in the right direction. We'll have to see if they resource and move along that track. And then next year, they'll be good grades.

And I would say right now it's equally likely that they have good grades, as bad grades next year, because this perturbation is over. I think the personnel perturbation is over.

I, you know, there's something involved with the coming out of the standdown, and the people that were supposedly RIFed during the standdown, coming back, that would be good.

But they've got to get in––they're gonna get appropriations that well exceed their current manpower, right.

CISA will get, you know, probably $2.7 billion. They'll have more than enough money for the people they have and money to hire more. And hopefully a new director will come in and do that.

So there's hope, there's potential. But those are two areas where they, I can actually see them pointing themselves in the right direction.

Jonathan Cedarbaum: Excellent. So we've been talking about findings in your, you know, most recent report, both critical and potentially positive. I wondered if we might step away from this kind of report card, which, as the report itself notes is necessarily a backward-looking assessment. You know, it takes a look back over the prior year and tries to assess what was good and what was bad.

Step back and look forward, because as the report notes, of course, cybersecurity risks are ever-evolving. And to shape cybersecurity policy, one can't only look back to a set of recommendations from the commission from several years ago. However, you know, prescient the commission was.

So we've had the benefit of more years of experience now, and of course, you and others are looking forward.

As you look out, say, you know, ahead, the next two or three years, are there one or two important trends or developments that you think the United States has to focus on as it tries to improve its cybersecurity posture?

Mark Montgomery: Yeah, there are. There's a few things, and I'll bid them into, in the kind of––one of them is a technology thing, one of them is a people thing and one of them is a kind of a policy process thing.

So on the policy process side is, can we get everyone to understand what Volt Typhoon and similar activities that are operational preparation of the battlefield are really doing.

In other words, make it so people understand: this is China preparing for a future crisis with us, or conflict, and putting in either malware or like an access so at a later time they can rapidly conduct a destructive or disruptive attack on that critical infrastructure.

You would say Mark, well, of course everyone's worried about that.

They're not, right? So, so the FBI director does this, announces this last January.

Director Wray says, ‘Hey, opera—you know, Volt Typhoon did this. Thousands of penetrations into dozens of infrastructures. You know, they went right at our military mobility, rail, aviation ports. Right at our economic productivity, financial services, energy. Right at our public health and safety, healthcare, water. All the different attack vectors.’

And I'd say people like me are still spun up about it. 99.9% of America came outta warble a day later, right? And they're fine with it.

Now, let me give you another version of this. Director Wray comes out and says, Hey, there's a thousand attacks, 16 sectors. And what the Chinese did was put a backpack with Semtex in it on this infrastructure, so that at a later date they could, you know, initiate it and disrupt or destroy the infrastructure.

We would still be talking about that. You know, we might have had a war in between. I mean, a war might be too far, but we'd have certainly had a collapse in U.S.-Chinese relations.

This operational preparation of the battlefield has gone unremarked. And so the first development's got to be the next two or three years, we have to understand the adversary. We're learning the criminal adversary because of ransomware.

It's made people understand, this is significant, it's real, and I better invest in it. Now, I still think the vast majority of companies that kind of come to Jesus, so to speak, are the ones who just kind of attacked. But still, if your neighbor just got attacked, you're like, yeah, I'm going to come to Jesus.

But the others, the, to me, the, you know, this nation-state operational preparation of the battlefield––which is a relatively new phenomenon, this needs to be understood, that's number one.

Number two is a technology one. We've got to figure out how to have better recovery tools. Here's the bottom-line lesson learned from the last five years, is: you're going to get hit. If you get hit, you probably can only mitigate it slightly. And the real value is speed of recovery. How fast can you be up and running again?

Is it through redundancy, through resilience, through training? But how fast can you get back up off the canvas?

And the most important companies on this are the small-, medium-sized businesses that have four or six weeks float––that is, excess cash. Because the normal ransomware is one to two weeks till you get the key or go without the key. Three to four weeks to get your system fully aligned and integrated.

That's five or six weeks. Around that same period, you're laying people off, selling assets, declaring bankruptcy. Kind of, weeks four, five, six.

So the question is, are we going to get technology that helps that recovery faster? To me, that would be if I was making, if I wanted to––as a venture capitalist, that's the tools I'd be looking for.

And the third one I'll make quick is on personnel. It's on the offensive side. We're not currently generating enough forces, properly trained and ready forces. We have different––every service, the Army, Navy, Air Force, Marines, Space Force, all build cyber people, and then send 'em over to Cyber Command.

Cyber Command is the force employer. They're doing okay, given the quality we're giving them. We're giving them substandard quality.

But the force generation, I think requires a single service doing it, that focuses on cyber. When we're recruiting kids outta high school, the people I need to be a Ranger don't look like the people I need to be cyber.

There can be one or two that look the same, but the vast majority––I'm okay with overweight, face tattoo, a little bit of extra weed usage. That's okay. But the Rangers are not.

So we need to get cyber––so that's the first thing you recruit. Then you specifically train them for this mission, at a certain high level. And then you pay them properly.

And there might be a split there of uniform versus non-uniform that's much different than the Army and Navy and Air Force. And then you'll end up retaining them properly.

So we need to do a big thing in this. And just to show you the math on it, our cyber operating forces have gone––we were about 6500, 6400 was our target goal in 2012. 6700 is our target goal now. So about a 3% increase.

In that same timeframe, our estimate is China may have gone from 6,000 to 60,000. I'll just say, their 1000% may not be right, but our 3% is definitely wrong.

And so to me, those things––you know, understanding OP, operational preparation, battlefield technology through recovery, and then cyberforce––those are three things I'd be working.

Jonathan Cedarbaum: Excellent suggestions.

Let me ask you one final question, which every cybersecurity analyst is at least speculating about because it's early days, and that is the implications of the development of ever more sophisticated artificial intelligence systems on cybersecurity offense and defense.

There's more and more writing trying to gauge, you know, who in the offense defense balance will get greater benefit from artificial intelligence systems in what ways, how quickly.

Do you have any initial views about that? And if so, what evidence do you think is the most helpful evidence for those of us interested in trying to assess the impact of AI on cybersecurity should be looking to?

Mark Montgomery: I'm not the right person to decide which one will go better. Here's what I do know, though. I do understand well enough that both will benefit from it.

And here's the challenge. The challenge is, I do think the criminals, people who are exploiting AI, will invest enough to have a tool that works.

Cybercrime has been a––I mean, it's not a unicorn, but it's a pretty good startup, right? They've done pretty well.

And the criminal conviction rate on cybercrimes is, you know, avert-your-eyes bad, you know. It's in the 1% or 2%, if that. And usually that's one guy, 40 crimes, not 40 crimes, 40 guys. And it is mostly guys.

So, they're going to invest what they need. The question is, are we going to invest what we need defensively? So far is, I'm just going to––the answer's been no. The problem with AI is it will exponentially grow the risk of your “no.”

If you don't invest properly in cybersecurity––and whether the tools are traditional or AI-based tools––you're exposing yourself to greater and greater risk, I think, over time, in this environment.

So that'd be number one. Number two is, there's an element to AI that really worries me, and it has to do with influence operations. We study that here at FDD. We look for AI misuse, and then AI––you know, we look for influence operations being conducted by China, Russia, and Iran, particularly.

North Korea does a lot of bad stuff in cyber, but not these––they're not doing influence operations to try to change how Americans feel about the state of democracy or things like that.

But I think these AI tools are going to make influence operations look more and more like a text or an email from your spouse or your daughter or your child, you know, and have a much higher likelihood of success.

So, these influence operations are going to be more effective over time. And we already are a fragile society. We can see that in a lot of ways. And this will amplify––I think AI has the risk of amplifying that greatly, if we don't figure how to take any of this––

And one last thing, I'll say, another reason they got a bad grade, the Trump administration has kind of consistently, across all our government, removed the disinformation efforts, whether it's at Justice, FBI, State, Department of Homeland Security.

It was under the guise of, they somehow were involved in election security and suppressing conservative thought, which I just don't think they were. I, you know, maybe I'm blind, but I didn't see that.

What I saw was a lot of bad––what we saw at FDD and studying this election cycle, and we've written three reports on it, was a lot of bad Russian behavior trying to help Trump. Some bad Iranian behavior trying to help Harris.

And then a lot of Chinese behavior, not caring who they helped. All they cared about was undermining Americans’ faith and belief in the credible execution of democracy. That worries me the most.

So I guess that's a bad pessimistic line to end on, Jonathan, but that's where I sit.

Jonathan Cedarbaum: Okay. But we will have to end it there.

Admiral Montgomery, thank you so much for taking the time to talk with us today.

Mark Montgomery: Thank you for having me.

Jonathan Cedarbaum: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts as well, including Rational Security, Allies, The Aftermath, and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja and our audio engineer this episode was Hazel Hoffman of Goat Rodeo. Our theme song is from ALIBI Music. As always, thank you for listening.