Lawfare Daily: The Offensive Cyber Industry and U.S.-China Relations with Winnona Bernsen

Published by The Lawfare Institute
Winnona Bernsen, nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative and founder of DistrictCon, joins Lawfare Contributing Editor Justin Sherman to discuss her recently released report "Crash (Exploit) and Burn: Securing the Offensive Cyber Supply Chain to Counter China in Cyberspace." They discuss the offensive cyber industry, the private sector and individual players, and the government procurement pipelines in the United States and China. They also discuss the strengths and weaknesses of each country’s offensive cyber procurement ecosystem, what it takes to sell an exploit, Winnona’s findings on the markups that middlemen add to exploit sales, and what it all means for the future of competition and cybersecurity.
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/lawfare-institute.
Please note that the transcript was auto-generated and may contain errors.
Transcript
[Intro]
Winnona DeSombre Bernsen:
So if you don't know a government customer, you'll probably want to find a
middleman, which is where things get a little bit more sketchy because you
don't necessarily know who will end up using your zero day, especially when
middlemen sell to other middlemen. And so you get this weird, murky industry
where there's markups and bugs that are going for crazy prices and then you
have this lack of trust on the consumer side.
Justin Sherman: It’s the
Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare
and CEO of Global Cyber Strategies with Winnona Bernsen, non-resident fellow at
the Atlantic Council's Cyber Statecraft Initiative and author of the just
released report “Crash (Exploit) and Burn: Securing the Offensive Cyber Supply Chain
to Counter China in Cyberspace.”
Winnona DeSombre Bernsen:
It's statistically more likely that China will have more people in the
offensive security space and in a highly manual field like vulnerability
research, where even though you're producing software, this software does not
necessarily scale. Having more bodies and people and headcount to throw at
offensive cyber should cause policy makers some concern.
Justin Sherman: Today
we're talking about the offensive cyber industry, the private sector and
individual players, the U.S. versus Chinese procurement pipelines, and what it
all means for the future of competition and cybersecurity.
[Main Podcast]
Why don't you start by telling us about yourself? I always ask
this of every guest. And how did you get started in cybersecurity and what are
some of the things you are up to currently?
Winnona DeSombre Bernsen:
Sure. I worked in cyber threat intelligence for five years before heading to
law school. First tracking Chinese nation state threats at Recorded Future,
then at Google. And currently I'm the founder and head of Washington D.C.'s
newest hacker conference, DistrictCon, and I also work, of course, for the
Atlantic Council, who published this wonderful paper that you're having me on
for.
Justin Sherman: I'm
glad you mentioned DistrictCon. I was going to plug that.
Winnona DeSombre Bernsen:
Oh.
Justin Sherman: With
that, we can just jump right in. So as you noted, you're the author, as we
heard in the intro, of an excellent new report which I encourage folks to check
out, and we will link, as we always do, in the show notes, titled Crash, in parentheses,
Exploit, and Burn: Securing the Offensive Cyber Supply Chain to Counter China
in Cyberspace.
And again, we'll link it. You can find this on the Atlantic
Council website. Broadly speaking, just to get us started here, what is the
overall premise of this paper?
Winnona DeSombre Bernsen:
Sure. And honestly, Justin, congrats on saying the entire title of the piece. I
know it's kind of a mouthful, but the premise of the paper largely relates to
this renewed call out of D.C., whether it's the White House or Congress, about cyber
offense, particularly this concept of hacking back the Chinese or CCP hackers,
right?
My approach to this concept is a little bit deeper than that,
which is that if the U.S. actually does want to bolster its cyber offense and
increasingly use offensive cyber operations internationally, do we have the
capabilities in our supply chain to do that? Particularly if the adversary
we're trying to go up against is China?
And so what I try to do in this paper is illustrate,
either via open-source research or interviews, how the U.S. supplies and
acquires offensive cyber capabilities, focusing in this case on zero days,
versus how China supplies and acquires those tools. And when you compare the
two systems up against each other, the answer to that question, do we have the
supply chain to really measure up to China in offensive cyber, is probably
actually that we don't—at least not to the same scale or just the way that our
processes are currently set up.
Justin Sherman:
Interesting. And you mentioned a few things I, I certainly wanna circle back to.
Let's zoom in a little bit more so in the subtitle-
Winnona DeSombre Bernsen:
Sure.
Justin Sherman: And throughout the report you talk, as
you just referenced about this concept of an offensive cyber supply chain. So
break this down for us a little bit. What is that offensive cyber supply chain
and what are some of its core components?
Winnona DeSombre Bernsen:
Yeah, sure. So there's a couple of different components that go into any cyber
operation. When you're thinking about how to hack someone, you have to figure
out what infrastructure are you conducting your operation from? Is it a server
in the United States that you're using to stage all of this? Or is it somewhere
else?
Are you using malware or are you living off of the land? That's
a concept where you're just using stuff that's on the victim machine rather
than making a user download malware. And do you have someone actually trained
to conduct the operation or to hack into things? All of those parts are
components of a cyber operation, but as I said earlier, the focus of my paper
is on zero-day vulnerabilities and exploits.
For listeners of this podcast and especially your episodes,
Justin, I'm, I'm sure many of these folks are not strangers to what a zero day
is, but for newer listeners: zero-day vulnerabilities are issues or bugs in
software or hardware that are previously unknown to the vendor of that software
or hardware, i.e., the vendor has had zero days to fix the issue. And so if you
can write code to take advantage of that vulnerability, this results in a zero-day
exploit.
And so zero-day exploits are used, you know, famously Stuxnet
had a, a large number of zero days back in the day, and plenty of cyber operations
nowadays use zero days, especially those conducted by nation states. It's
important to note that you can break into plenty of systems without one,
especially if people don't install the latest software update. And also there's
always phishing. But a zero day allows an attacker to break into modern
up-to-date systems, which are kind of the ones with strategic value to great
powers like the U.S. or China.
Justin Sherman: I'm
glad you're, you're digging a bit into the zero-day definition and, and some
of the surrounding concepts. I mean, you mentioned phishing and still the
simple ways that some folks are able to first get into systems, but I wanna
zoom in on the zero day thing because a lot of, a lot of policy discourse and
media discourse and, you know, innumerable terrible Hollywood, you know, cyber
doomsday things on Netflix and such that I, that I don't watch make people
think of zero day exploits as the sort of cyber super weapons. I'm not sure
what the right phrase is, but essentially that you can set off with a click and
it's impossible to stop. And, but as you're noting, at the same time, there is
something to be said there.
And then the second piece I think folks often think of is that
zero days are built by, you know, government hackers. But something that you
explore in this study is that there's in reality a very complex market in the
private sector for the development and sale of these zero days and related
capabilities including to be sold to governments. So talk to us about what that
industry looks like globally for offensive cyber capabilities and who are some
of the major players, maybe some that folks might be familiar with and others
that they are likely unfamiliar with?
Winnona DeSombre Bernsen:
Yeah, for sure. Thanks Justin. I think, oh man, where to start? I think the
biggest thing that people need to understand and it's super easy, kinda like
you said, to imagine a zero day vulnerability or a zero day exploit as like the
closest thing to a cyber weapon, you know, quote unquote, that exists.
But ultimately the zero day market is a billion dollar industry
that sells software. That's ultimately what a zero day exploit is, it's code.
And this code just happens to take advantage of mistakes in commonly used
products. And that's the way that I kind of think about it because it's not
going to be a perfect weapon. You know, potentially there's mistakes in that
software too, or that software isn't entirely reliable. It's not gonna be a
hundred percent accurate because it's all made by like all other software
engineers and hackers.
And going back to your point about this industry not really
being in government, just like in regular software industries, engineers and
hackers don't necessarily really vibe with that culture. They don't necessarily
want to work in a, you know, secure environment or have to put on a military
uniform, especially if they could get paid double, triple out in the private
sector.
So of course there is a huge difference between the engineer
writing zero-day exploits and an engineer writing regular software. But the
industry is quite commercialized. You have this enormous system of state like
contractors and private firms, think large prime contractors here in the U.S. defense
industrial base. You also have these spyware firms that are, you know, either
producing zero days in house or purchasing them to then sell on. Think NSO
Group, Paragon, Quadream, all of these Israeli firms that I feel like have been
in the news for the last five years.
And then you also have these huge brokers and marketplaces. So,
firms that act as middlemen to go get a zero day and then sell it onward to
either another middleman or a government. And then underpinning all of this are
smaller subcontractors, startups, and individual hackers. It's a really robust
ecosystem.
Justin Sherman: What
does it take for a business to succeed in this area and to effectively create
and then sell one of these zero day exploits you're talking about?
Winnona DeSombre Bernsen:
That's a great question. So I'll, I'll say creating and selling a zero day are
two almost entirely separate verticals. Fundamentally, when you're creating a
zero day what that requires is talent. You have to be able to find a
vulnerability in a widely used technology product or system. And how you do
that is by looking through the code. And if you think about how much code is in
the newest iPhone or in a Google Pixel or an iMac, that's millions and millions
of lines that somebody is just poring through and trying to find where
somebody else may have made a mistake.
After maybe you found some sort of bug you have to figure out
like can that bug be exploited in the first place? Can it be exploited reliably
or would it alert the target that something is wrong? Does that exploit only
work on this version of the iPhone or every iPhone all the way back to 2014?
And so that process in itself of creating a zero day or an O-day, as some
people call it, can take, at least nowadays in modern software between six to
18 months to go from nothing to something marketable.
Now, selling is actually where it gets even more complicated.
Now that you have an O-day, you need to know a customer or get in touch with
one, and it's not like you can kind of waltz up to the NSA and go, hi, I have
this fun bug. Would you like to buy it? So if you don't know a government
customer, you'll probably want to find a middleman, which is where things get a
little bit more sketchy because you don't necessarily know who will end up
using your zero day, especially when middlemen sell to other middlemen.
And so you get this weird, murky industry where there's markups
and bugs that are going for crazy prices. And then you have this lack of trust
on the consumer side.
Justin Sherman: To
deviate for just a second, Winnona, now that you mention it, you highlighted
some, I found this fascinating in the report, specific numbers on what that
markup can look like from the original developer of a zero-day exploit to the
middleman or reseller to the end buyer. Can you just tell us what those numbers
are and a little bit of the context there?
Winnona DeSombre Bernsen:
Sure. So with the caveat that this industry is super murky and what I've
reported on is really only likely a sliver of what the global market looks
like, I've had interviews where people have said it's anywhere from double to
triple to 10x the markup.
The quote that I've put into the report specifically is by a
former U.S. government official who states that an individual researcher who
isn't informed on what bugs are selling for might sell a good bug for a hundred
thousand dollars, but by the time it makes it to a customer, that individual
bug could go for 750,000 to even a million dollars.
Justin Sherman: I
just found that fascinating, and I think, as we're saying, if we think of these
as highly valuable, as you mentioned, the idea that governments are paying so
much, not necessarily or inherently because it's valuable and difficult to
procure per se, but because of a markup, is really, really interesting.
You, you mentioned up top the differences between the
procurement ecosystems in the U.S. and China, so I want to get into this. We
will go in order. So
what does the U.S. offensive cyber acquisition pipeline look like? How much of
it is centralized, decentralized, top down? Are, are sellers being responsive
to specific government requests? Is it very entrepreneurial where people are
pitching things proactively? How, how does this ecosystem operate in the United
States?
Winnona DeSombre Bernsen:
So in all of my interviews, it was pretty difficult for me to talk to
individuals about their specific contracts, for good reason; many of these
contracts are classified. But I'll break down my answers in terms of supply
first and then acquisition.
On the supply side, multiple Five Eyes vulnerability research
companies, i.e., the companies that create and sell zero days, have said that they
hire talent not just in other Five Eyes countries, but also from Europe and
South America. And so much of this talent is decentralized in smaller firms.
Some are in, you know, the bigger prime government contractors, but many can be
in tiny companies comprising as few as three people. And so from that
perspective, it's really interesting to see how diverse and international and
small-business-forward a lot of these communities are.
Then when you look at the acquisition, it's kind of taking that
and turning it completely on its head. U.S. acquisition is neither top down,
nor bottom up, but it's largely people trying to work around a system that you
know is DOD acquisition. It was built for tangible things like bombs or bullets
or trucks and not software. And so the contracting ecosystem, because it's
hyper compliant and requires all of these, you know, different audits does
inherently favor the large prime contractors, and it treats zero days as this
product to be purchased on a schedule.
And that creates these feast or famine contracts where you're
getting a windfall if you get the bug purchased. But that entire time that
you're developing the bug, say for six to 18 months, you may not see any money
because they're treating this product as a one and done piece of code.
I'll also say that it's pretty frustrating to the smaller
businesses because they don't necessarily have that direct line to the
government. And I think the most frustrating part of this is that sometimes
government customers won't even let a seller know what type of bug they want,
which means all the work that a vulnerability research firm might put into
research and productize a bug may turn out to be for nothing.
And this is a point that I really want to hammer home, because I
get asked the question like, oh, who cares, particularly from people who don't
necessarily want governments to acquire zero days, and I get that. But this
particular inefficiency where the government does not tell, you know, people
who are producing cyber weapons for the government what they want should
bother everybody regardless of whether they're pro-national security or
pro-software security.
Because if you're pro-national security, this is a waste of
government resources. You have someone with talent working on something that
the government doesn't want. But if you're pro-software security, this is
alarming because the government is not telling the seller that they don't want
that bug either. So the seller might just sit on the bug and not tell anybody
about it.
Justin Sherman: All
these market dynamics are instructive. In that vein, you write in the report
that going through layers of middlemen to sell to a government, quote, may be a
uniquely Western, end quote, phenomenon. China analysts posit that the Chinese
government has deliberately created avenues for foreigners to offer bugs to the
Chinese government in a relatively frictionless way.
So how does the offensive procurement ecosystem, if there is
that, that idea that it's frictionless, how does it work in China and what is,
if any, the different approach that the government takes?
Winnona DeSombre Bernsen:
I would say that fundamentally everything is a lot more decentralized in China,
which is kind of ironic considering that they are the country with, of the two,
the more centralized quote unquote planning. But I would argue, and I do argue
in the paper, that China's acquisition processes use decentralized contracting
methods and then also decentralized operations.
On the decentralized contracting methods, over a year ago, I
came on the podcast to talk about the i-Soon leaks, which was this contracting
company that got all of their internal documents leaked online. And in those
leaks, you could actually see that they weren't getting contracts from a particular
centralized organization like the Ministry of State Security, like headquarters
or whatnot. They were actually getting them from state, local, and municipal
government branches, suggesting that, you know, the equivalent of an FBI field
office out in Pittsburgh could be doing the contracting requirements for
getting zero days.
The other aspect of this is that these companies weren't just
providing the zero days they were using them. They were actively conducting
operations on behalf of the Chinese state. And that provides a company with a
ton of freedom to be able to get access to systems however way they want, use
cyber capabilities however way they want, in a way that doesn't have the same
restrictions and, you know, abiding by international law and norms that the,
the U.S. might have.
And that doesn't even mention all of the different regulations
that make multinational corporations or other domestic firms unwilling
vulnerability providers or reluctant vulnerability providers to the CCP.
Justin Sherman:
That's a great segue because many people in the West, especially these days,
tend to talk about China, I mean, I have this similar complaint about Russia
discourse, you know, China in a way that
characterizes it, the country writ large, as very top down sometimes. Or maybe
not that specific firms could be coerced by the state, but that they're
constantly working for the state.
So how would you characterize the relationships between different
white hat hackers in China and the government, different private sector cyber
companies in China and the government? How integrated, if at all, are those
relationships when it comes to vulnerability discovery and exploit development?
And are there places where folks might be surprised to hear that there isn't,
you know, is or is not state interaction and influence?
Winnona DeSombre Bernsen:
That's a great question, Justin, and I hesitate to give a good answer to it,
only because if you flipped that on its head and said, oh well, like, Winnona,
can you describe, you know, how hackers interact with the government from the Five
Eyes? There's never going to be an answer that like really encapsulates the
entire community. Right? So I hesitate to, to use such a broad brush.
But what I'll say is that, and going back to the original
question that you had asked me previously, this frictionless manner has less to
do with the relationship between the hacker and the state and more about like
writ large and more about the number of avenues that the Chinese state has for
a hacker who, you know, excited or reluctant or otherwise is providing these
services or products to the Chinese government.
It's definitely easier and more resourced to do and get into
offensive security in China in a lot of ways. There's a lot of state-sponsored
capture the flag teams or live hacking events or offensive security programs in
universities and grad schools. There's also a lot of funding of vulnerability
research teams under big state-sponsored or, or state-owned enterprises and,
and large Chinese tech firms. So the resourcing is there, the avenues are
there.
What I'll say about the international hacker community and, and
the Chinese hacker community at least based off of the limited interactions
that I've personally had at, at hacker cons and otherwise, is that hackers are
far more similar than they are different, and I, I say this in the report.
There are three large reasons why people would want to stay in vulnerability
research.
One is profit. Like we talked about, the, the profit margins
for some of these bugs and exploits are, are quite large, even if you are
potentially in a feast or famine contract cycle. The second is, you know,
patriotism, motivation, mission. Obviously there will be hackers in the Five
Eyes or hackers in the Chinese government who truly do care about serving their
country.
And then the last one, which I think is, is pretty universal,
is this act of really considering vulnerability research and exploitation as
this art where it's a complex thing that's really cool to, to be able to have
the power to do, and there are plenty of vulnerability researchers
internationally that will appreciate the work of another researcher in a
different country while knowing that the two of them may never meet or be able
to work together because of geopolitics. It's a field that like other sciences
appreciates the work despite the inconvenient truth of geostrategic relations.
Justin Sherman: And I
appreciate even the context on the way I framed it, which as you said in part
sort of notes that there's no one model. So if we look then, now that we have a
picture of what the ecosystem looks like in the U.S. and China respectively, if
we compare the two, including with the acquisition process, are there major
differences in how the two governments balance stealth and speed and
flexibility in offensive cyber procurement?
Winnona DeSombre Bernsen:
Oh, for sure. And, and the reason for that, I think, is because these models
showcase the underlying values and priorities of the, the respective nations,
right? So the U.S. is definitely more focused on defense and prioritizes high
levels of trust and stealth.
So if you think about the U.S.'s cybersecurity talent pipeline,
a lot of it is geared towards defensive jobs. You see the ONCD cyber talent
report that came out in the Biden administration. You see this like huge bug
bounty community having better cybersecurity budgets out of CISA, DHS, all of
that tailoring to defense.
We also, when we do offense, have this Vulnerabilities Equities
Process, which, while imperfect, is more than what certain other countries have,
right? For, for those of you who aren't aware, anytime the U.S. acquires or, or
creates a vulnerability, there's an interagency process that determines whether
or not they're going to disclose it or use it, which has agencies from both the
defensive and offensive sides of, of the table come together.
There's also long procurement timelines from the U.S. and high
quality assurance requirements because they're treating these offensive tools
as, as bespoke high sensitivity items. They don't wanna get caught when
they're, they're doing these cyber operations, right?
And ultimately I would say that a huge thing about the U.S. is
that these policy priorities show that the U.S. has a lot to lose from an
economic perspective if they're caught breaking into their own U.S. tech firms
and products. And, and this is pretty obvious in the mobile market where
Android, I think is on 71% of all mobile phones globally and iOS is on 28% of
all phones globally, which means that 99% of the global mobile market is made
by U.S. tech firms.
So the U.S. government inherently does not really want to be
caught breaking into their own tech companies, and they also don't want that to
have an economic detriment on the global markets. So that's the U.S. side.
But when you think about China, China does not have those same
market caps. If you think about the global market caps, Huawei, I think, only
makes up 4% of the global smartphone market, at least based off of, of data from
a couple years back. And their policy priorities clearly showcase a desire for
offense.
You see the decentralized procurement allowing a wider array of
researchers and contractors to do this sort of work. The regulations that pull
Chinese companies towards forced disclosure or partnership of vulnerabilities.
And then the offensive operations being broader and faster, sometimes at the
expense of deniability. The Chinese government doesn't necessarily care about
getting caught. And so you see these two separate models that inherently showcase
why we're valuing certain things in cyberspace.
Justin Sherman: In
your mind, what are the biggest national security or cybersecurity or policy
broadly issues that China's offensive cyber pipeline raises for the United
States?
Winnona DeSombre Bernsen:
I think, and this is kind of a common theme throughout this discussion, that
the issue is really scale.
I really like this fact a lot. China produces every year more
STEM grads than the United States produces college grads. Fundamentally, from a
population perspective, it's statistically more likely that China will have
more people in the offensive security space. And in a highly manual field like
vulnerability research, where even though you're producing software, this
software does not necessarily scale, having more bodies and people and
headcount to throw at offensive cyber should cause policymakers some concern.
On top of that, I write in the report that China's already
working to integrate artificial intelligence into its exploit discovery and
offensive operations, which means that they might have at some point very soon
down the line, a breakthrough where they can create offensive operations that
do scale, create zero-day exploits that do scale.
And finally, even with this enormous pipeline of supply,
they're continuing to reach out of their domestic sphere of influence more into
East Asia and the Middle East, to not only get more researchers, but to show
other countries that this model, that this model of prioritizing national
security and cyber operations in their wider ecosystem works.
And I think that this type of scale and showcasing to the
international community is, is quite concerning, especially as, as we're trying
to put forward more responsible cyber stakeholdership, not just through the
United States, but also within the Five Eyes, and the EU, and, and reaching out
into East Asia ourselves.
Justin Sherman: Let's
end with some of your recommendations. You highlight that the U.S. procurement
pipeline is more or less dominated, you mentioned this earlier by large prime
contractors. And that it can, as in other areas, be difficult sometimes for a
small business or an individual to compete. How might we fix this contracting
system, both in an ideal world and then in terms of what you think can be
practically done in the short term?
Winnona DeSombre Bernsen:
Justin, are you asking me to fix the, the DOD contracting system?
Justin Sherman: Pretty
much. In, in one to two sentences would be good. Thank you.
Winnona DeSombre Bernsen:
Yeah, sure.
Justin Sherman:
Great.
Winnona DeSombre Bernsen:
Cool, cool, cool, cool. So I think the overarching recommendation that I really
do have is, while it's pretty much impossible to overhaul our, our U.S.
government contracting system, there are ways to fix this pipeline that adhere
to our values.
And I think that's the common theme here. Because we don't
necessarily want to change the way that we prioritize economic security and
international norms and making our allies know that we care about them. We can
do things that don't tie our hands in the offensive security space while still
adhering to the things that we hold dear.
So I, I list quite a few recommendations in the report, but I
think the, the three big things would be creating accelerator programs for
vulnerability research. Accelerator programs exist for software. We have the
model, DIU does this all the time, so does SCO. Like, taking a model for more
enterprise software and moving it towards vulnerability research is something
that would provide these smaller firms the resources to continue to be in this
space.
The second would be protecting and supporting security research
in general, especially when these bespoke cyber capabilities are created by a
finite pool of international talent. We don't necessarily want them to be
worried about lawsuits or, you know, the threat of being arrested, especially
if they're being contacted by foreign intelligence, for example, which has
happened not just by China, but also, I think very famously, North Korea has
been reaching out to a lot of U.S. vulnerability researchers and trying to
steal their wares.
And then the last thing would be just being more open and
transparent as a government about how or what vulnerabilities should be
acquired or, or sold. The fact that this inefficiency comes from all of this
cloak and dagger around vulnerability research and around this industry is kind
of needless, to some extent. Obviously there's some security requirements and,
and people want to, to know that they are working with trusted parties. That
makes sense. But human rights organizations have been pushing for more
transparency for years, and, and no one has really talked about the amount of
money we're wasting by keeping this concept a secret.
Justin Sherman: And
when it comes to vulnerability research and the changes that you recommend in
the paper for the U.S. approach, are there risks if we focus on China as the
competitor in intentionally or unintentionally adopting any tendencies that
could actually be detrimental to the U.S. cybersecurity and ethical independent
hacker ecosystem?
Winnona DeSombre Bernsen:
Oh yeah, for sure. And I think this goes back to, you know, abiding by our
values while finding ways to make this more efficient. Right. I think
ultimately the act of vulnerability research is a necessary good. And I, I know
that there are people who will disagree with me.
And also the fact that the U.S. has a defensive focus funnel is
also good. We want people to trust U.S. products in the international market,
right? I think there is this temptation here to start thinking about, okay, can
we mandate bugs or, or can we create backdoor laws or, you know, prevent technology
firms from fixing their products. I think that's definitely not the route that
we should go down.
Instead, talking about how the U.S. and Five Eyes are doing
offensive hacking and using sunlight as a disinfectant is the antithesis to,
you know, the rigid regulatory mandate approach that China is using.
Justin Sherman: You
also mentioned the counterintelligence issues associated with foreign
governments trying to recruit really bright independent hackers and
technologists, both witting and unwitting.
How can the U.S. government but maybe also the hacker
community, I'm not sure how, how can we better support, support those hackers
who, who might independently decide that they do want maybe some guidance or
some tips or something like that to mitigate the risk that, you know, someone
comes up to them at an overseas CTF, capture the flag competition?
Winnona DeSombre Bernsen:
Yeah, that's such a great question. I'll say for all of the hackers listening
in on this call, if somebody approaches you and says that they work for
X government and they want to buy your bug, especially if it's the U.S.
government, ask to meet them in the embassy. I feel like that's like a pretty
calm way of either shutting down the situation because they're not actually who
they say they are. Or then you like know for sure that they are who they say
they are, right?
From a U.S. government side, vulnerability researchers in the
private sector actually already use companies or funds like the Security Research
Legal Defense Fund to defend themselves from lawsuits that seek to chill their
research.
And the basis of that actually comes from a DOJ guidance or, or
policy opinion where the DOJ said, hey, you know, if it's good faith security
research, we're not going to prosecute or you could use it as a, a solid
defense. And I think there are, are moves, at least in the private sector to
try and get that exception codified in the CFAA, which is the, the U.S.
Computer Fraud and Abuse Act, the primary anti-hacking law.
I'll say that there is already a national security exception in
the CFAA, a little known Section 1030(f) that has not yet been tested in the
courts or in any sort of public document that I've been able to find. And
potentially having the DOJ issue certain guidance around, you know, what is protected
national security research, are you a company that provides these services to
the United States government, is a, a possible avenue to explore.
But that doesn't necessarily solve the, the foreign
intelligence issue, right? That's only if you accidentally get caught up within
U.S. law or get sued by a U.S. company.
On the counterintelligence issue, I think it's really important
for the FBI or CISA to be able to have some sort of hotline to provide
resources. I think the fact that Google was one of the first companies to come
out and say, hey, the North Koreans are targeting security researchers. And
then to have the government pretty silent on it was pretty chilling to the
wider security research community where ultimately the U.S. government at the
time effectively signaled sure you can provide these services that are crucial
to our national security, but we're not going to help you if even the hermit
kingdom decides to go after you.
I think that that's something that the U.S. government should
change, especially if they want to support this sort of research.
Justin Sherman:
Certainly, and I incidentally was watching some communiqué earlier built for
businesses generally just to be aware of, you know, nation state issues and,
and so that's, those are all helpful recommendations.
One of the last things you, you mentioned is recommendations to
limit China's access to some of these offensive cyber capabilities, while
ensuring the United States has continued access to the right talent. I'm
wondering if you could explain to us how you think the United States government
and the country generally can make that happen.
Winnona DeSombre Bernsen:
Oh, saving the spiciest question for last, Justin. I'll say that in 2017, Qihoo
360, or the, the CEO at the time of Qihoo 360, which is currently on our U.S.
government entities list, stated that vulnerabilities are now a national
strategic resource. And I think that the U.S. government is only really now in
the year 2025 catching up and, and realizing that that is the case.
And so we are at a little bit of a disadvantage just from a
temporal perspective. We're eight years behind. And so at this point Chinese
firms, Chinese vulnerability researchers, Chinese offensive security
conferences are already reaching out to the international community and saying,
hey, come work with us, come work with us.
Which is kind of interesting when you think about the fact that
there's only a couple of thousand people who are really in this game and in
this industry seriously, and only probably in the low hundreds of people who
can do this job really well. And so the U.S. government should be cooperating
with allies to work with some of the best minds in East Asia, in South America,
in Europe.
I mean, if, if we're thinking about China's backyard, South
Korea, Singapore, Thailand, all of these countries have phenomenal CTF players,
researchers, bug bounty contributors. And shielding those up and coming talents
from the regulatory pipeline of the Chinese intelligence apparatus, I think
will be crucial to maintaining a long-term competitive advantage.
And, and this doesn't have to be on the U.S., right? We are in a
Five Eyes Alliance. We are going through the Pall Mall process with the U.K.
and France. Creating diplomatic programs potentially through any of these
avenues or with these other countries focusing on technical talent exchange and
industry-wide collaboration would also be an avenue. And I would be remiss to
not talk about how AI security research is also going to need to be under this
umbrella, particularly as AI enabled offense becomes more prevalent.
I'll also add this one last tidbit, which I found interesting
from the i-Soon leaks and then also with interviews with China analysts, and
that is that the Chinese government deliberately depresses payment for
vulnerabilities, unlike the U.S. model, which by contrast has huge, huge
margins. So at least, you know, for hackers who may be listening to the Lawfare
Podcast out in Asia, like, we'll pay you better.
That, that's probably my rallying cry though to, to the
government: treat these hackers like the strategic resources that we are
and appreciate the work, because this is the work that underpins what a cyber
power can do.
Justin Sherman:
That's all the time we have. Winnona, thank you for coming on.
Winnona DeSombre Bernsen:
Thank you so much for having me.
Justin Sherman: The Lawfare
Podcast is produced in cooperation with the Brookings Institution. You can
get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare
material supporter at our website, lawfaremedia.org/support. You'll also get
access to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look
out for our other podcasts, including Rational Security, Allies, the
Aftermath, and Escalation, our latest Lawfare Presents
podcast series about the war in Ukraine. Check out our written work at
lawfaremedia.org. This podcast is edited by Jen Patja, and our audio engineer
for this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi
Music. As always, thanks for listening.