Daniel Miessler's Blog, page 57
December 14, 2020
News & Analysis | No. 259
I spend my time reading 3-6 books a month on security, technology, and society—and thinking about what might be coming next. Every Monday I send out a list of the best content I’ve found in the last week to around 40,000 people. It’ll save you tons of time.
MY IDEAS & ANALYSIS
Analysis of the Recon/Attack Surface Management Space More
Summary: The Pentester’s BluePrint — My review of Phillip Wylie and Kim Crawley’s new book on how to become a penetration tester. More
Some Free-form Thoughts on Ayn Rand, Objectivism, and Other Big Ideas More
The Rise of Home Theater More
Amazon Will Dominate Through 10,000 Small Bets More
SECURITY NEWS
Sunburst — Russia’s APT29, or Cozy Bear, has evidently hacked multiple US Government agencies and corporations through malware implanted in SolarWinds asset management software. This is the same group that hacked the State Department and White House email servers during the Obama administration, and according to FireEye the hack against them was part of the same campaign. SolarWinds software is used by more than 300,000 organizations around the world, including all five branches of the US government, NASA, and NSA. This will be a very early test for the new Biden administration in terms of how aggressive they’ll be towards Russia, both publicly and behind the scenes. More
Someone has released a massive dump of data on members of the Chinese Communist Party, including where they live and work around the world. More
NSA is warning that Russian state-sponsored attackers are targeting companies using recent VMware flaws. More
Truecaller says spam calls grew 18% this year. More
Crowdstrike says ransomware made up half of all serious intrusions in 2020. More
The US military has picked 16 sites and started vaccinating troops for COVID-19. More
GitHub has rolled out dependency review, vulnerability alerts for pull requests, and dark mode. More
Vulnerabilities:
33 flaws have been discovered in millions of IoT device TCP/IP stacks, and many are basically unpatchable. More
QNAP continues to have vulnerability issues, this time with XSS. More
Accounts with default credentials have been found in over 100 GE medical devices. More
Companies:
Dragos has raised $110 million to secure industrial systems. Congrats to the crew over there! More
Palantir has won a major FDA contract to help review and inspect drugs before approval. More
Orca Security raises $55 million to scan cloud infrastructure and produce a data flow map that it monitors for security. More
At-Bay raises $34 million to do cyberinsurance, which is expected to be a $23 billion industry by 2025. Their focus is on monitoring customers’ systems and reducing the chances they get compromised. More
Salt Security raised $30 million to protect APIs from attack. More
TECHNOLOGY NEWS
Amazon launches HealthLake, a platform for storing and analyzing petabytes of health care data. “For example, HealthLake leverages natural language understanding and ontology mapping to identify whether a patient has been properly prescribed a drug, pulling out information from blood glucose monitoring systems, physicians notes, insurance forms and lab reports, and more to inform its conclusions.” More
Multiple government groups are coming after Facebook for anti-competitive practices, but as Scott Galloway has pointed out many times, this could actually be good for investors if properties like Instagram and Whatsapp are broken out. More
Red Hat has killed CentOS. I think in like 10 to 20 years it’ll just be Amazon Linux and some hobby distros like Arch and Gentoo. More
Oracle, Palantir, HPE, and now Tesla are moving out of California. Many see this as a rejection of California’s extremely high taxes and restrictive regulations, combined with its deteriorating infrastructure and inability to solve bad roads and homelessness. Many of these companies are moving to Texas, which has less of all that. More
Cruise is starting to test driverless cars in San Francisco. This comes right as Uber sold their driverless business to someone else. More
Companies:
SpaceX has received $885 million to provide US rural areas with internet. More
C3.ai stock doubled after its $651 million IPO. The company manages the process of spinning up the use of AI within a company, from data ingest and management through model creation and deployment. More
Arthur.ai has raised $15 million to monitor the performance of ML models over time. More
Squire, a barbershop tech startup, has tripled its valuation to $250 million by providing customer management, scheduling, and contactless payments. More
HUMAN NEWS
The US has approved the Pfizer vaccine, and millions of doses are being shipped immediately. More
Gallup says 63% of Americans would be willing to get an FDA-approved COVID vaccine. More
Plastic surgeons appear to be thriving because people want to fix how they look on Zoom calls. More
There’s a super exciting study out of UCSF that has reversed age-related mental decline in mice within days.
Undocumented immigrants are half as likely to be arrested for violent crimes as US-born citizens. More
Wall Street now has a water futures market, like gold or oil. This is unrelated to the release of Dune in 2021. More
“Jimenez told me that, compared with yelling, quiet talking reduces aerosols by a factor of five; being completely silent reduces them by a factor of about 50. That means talking quietly, rather than yelling, reduces the risk of viral transmission by a degree comparable to properly wearing a mask.” — A remarkable quote from this Atlantic article on how COVID spreads. This would also help explain why bars are especially bad, where the spaces are small and people are smashed together yelling at each other. More
Some are starting to look into the use of MDMA in couples therapy, specifically where one partner has suffered from PTSD. More
Disney launched around 10 new series in the Marvel and Star Wars universes, and their stock jumped 15% on the announcement. More
HBO Max hits 12.6 million activations before Wonder Woman release. More
Companies:
Koan just raised another $1 million to help build its OKR and Status software. More
UPDATES
I’m enjoying some time off from work, but quietly. Not like I can travel or eat out or anything.
I purchased a new audio interface, the APOLLO Twin X, and will be trying out using that instead of my RODEcaster Pro. This is in preparation for transitioning to a true music creation setup in the near future. I’m also going to be tinkering with LUNA, the DAW from Universal Audio, and if I like it I might be trying that instead of Hindenburg, which is what I’m using now for the podcast. The other options I’ll be comparing will be Logic Pro and Ableton 11 once it comes out. More
Currently reading:
Atlas Shrugged
Anna Karenina
Homeland (the UL Book Club Book)
DISCOVERY
CrowdSec, a modern replacement for Fail2Ban, has released version 1.0, which includes a new local REST API that allows you to deploy it in different enterprise configurations. More
A compilation of publicly accessible web shells. More
Kafka is Not a Database More
This guy wrote a blog post about how he’s switching from WordPress to Jekyll, and spent half of it describing how he had to manually recreate half of the basic features that WordPress has. I predict one of two things will happen here: either he stops blogging, or he comes back to WordPress. More
Set your GitHub display preferences. More
Shopping Cart Theory More
A defense engineer gives more detail on the microwave weapons likely used against US diplomats. More
Follow your curiosity by reading your ass off and finding the source. More
To listen well, get curious. More
RECOMMENDATIONS
MORE is my favorite short film, and probably my favorite piece of art—ever—in any medium. It’s 5 minutes long. Please watch it. It might improve your life. MORE
APHORISMS
“The first, and hardest, step to wisdom: avert the standard assumption that people know what they want.”
~ Nassim Nicholas Taleb
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
December 13, 2020
Amazon Will Dominate Through 10,000 Small Bets
I’ve been doing the Unsupervised Learning show since 2015. That’s five years of a weekly show where I highlight innovation, among other things.
One thing that’s struck me during all that time is the staggering volume of new ideas put out by Amazon.
I don’t remember which book it was, but there’s a book that talks about making “Many Small Bets” as a strategy for long-term innovative success.
Amazon hasn’t just embraced this; they’ve adopted it as their core DNA. In an average month I cover multiple announcements, like this one from this week:
Amazon launches HealthLake, a platform for storing and analyzing petabytes of health care data. “For example, HealthLake leverages natural language understanding and ontology mapping to identify whether a patient has been properly prescribed a drug, pulling out information from blood glucose monitoring systems, physicians notes, insurance forms and lab reports, and more to inform its conclusions.”
That’s what they call a Tuesday. And they have hundreds or thousands of teams working on doing the exact same thing.
Instead of having an R&D department, Amazon IS an R&D department.
That’s what they do. They spend billions of dollars on R&D. Constantly. With massive courage to both try new things and kill things that don’t work.
I don’t see anyone doing this with the same volume or courage, anywhere in the world. And for that reason I don’t see anyone winning the long game.
I think they will be among the first one or two companies to reach 3 trillion, and they’ll probably be the first to 5 and 10 trillion—even if that’s in the form of their multiple broken-up companies after the antitrust folks come knocking.
If the engine of innovation is trial and error, there’s nobody with an engine like Amazon today. It’s a thing of awe and beauty.
The Rise of Home Theater
Another trend that’s been accelerated by COVID is the move away from movie theaters.
They were already struggling due to the high prices and bad experience, with a few boutique exceptions, but with fewer people being willing to cram into a box for over an hour, this will get worse.
Warner Bros. is releasing all 21 of their movies in 2021 to streaming the same day as the theater release.
Combine this with falling prices on giant, high-quality TV screens and the fact that Netflix, Disney, and HBO are producing such great content that’s being sent to their streaming platforms earlier, and it’s just a bad mix for theaters.
I think some will survive, like Alamo Drafthouse and others that offer a truly premium experience, but most people will elect to stay home and have a better experience for less money.
I think people will double-down on their home setups and we’ll see the rise of Shared Viewing technology, where you can both watch the movie and see and hear your friends at the same time.
This is not only technically possible and will give another reason to stay home, but it’ll let you watch with your perfect friends for what you’re watching—who can live anywhere—not just those who live in the same town.
I’m definitely heading in that direction myself, e.g., upgraded audio, better screen, etc., and the surveys indicate many others will do the same.
Some Free-form Thoughts on Ayn Rand, Objectivism, and Other Big Ideas
I’m reading Ayn Rand’s Atlas Shrugged for the first time. This is after spending decades ignoring it because of its reputation, which I’m ashamed of at this point.
To reject something is fine, but to reject it because of someone else’s reasons is repugnant.
Anyway, I’m finally reading it, and I’m really enjoying it. I’d say my pleasure in it comes from one part as a book and three parts as philosophy.
But the main thing I keep getting hit with is not how right the philosophy is, but how almost right it is. This is tremendously important.
I’m struck by the urge not to explain how true her philosophy is, but the nature of where it fails and breaks. That’s both more interesting and more useful than simply restating its merits.
We need to do this with every good thing.
Marxism is brilliant. Adam Smith’s Capitalism is brilliant. Ayn Rand’s Objectivism is brilliant. And so is Roddenberry’s vision of the world we could live in.
What we don’t spend enough time doing is Moral Threat Modeling, where we take an ideological system and run it through multiple scenarios to see where it fails.
Communism would be amazing if humans were wired to accept it. We’re not, so it turns out to be a fucking nightmare every time we try it.
Capitalism is brilliant at harnessing human ambition and creating prosperity for others as exhaust. But it fails when the head of the cigarette company monopoly buys a bunch of television companies to create tobacco ads that target kids.
Rand’s Objectivism fails much like Capitalism does, i.e., at the extreme of its success. It has within it an assumption that the winners will be good actors, just as Communism includes the assumption that people will be happy with everyone getting the same regardless of their contribution.
Capitalism and Objectivism don’t have built-in controls for psychopathic monopolists who would smash millions against the rocks just to gain an inch over their competitors. And Communism clearly creates an oligarchy that profits while the masses suffer, just as we see in today’s (and yesterday’s) China and Russia.
But here’s the thing: these all have wonderful properties, which is why they’ve succeeded as memes.
Capitalism harnesses human ambition and creativity to create things that didn’t exist before. It’s fucking glorious. And say what you want about it, but it’s the reason there are so many new rich people in China today. That’s Capitalism that did that.
Communism points out that it’s not ok for there to be two extreme classes, with clear lines between them, where the rich take advantage of and shit upon the poor—especially when it’s the poor who are doing all the real work. Well, yeah! 100%. That’s not ok. And we can see this thread of objection in every populist uprising, including those coming from the right in today’s politics.
But the solution to that is not to slide the slider towards pure Capitalism or pure Communism. The pure forms don’t work.
What we need is a hybrid, but implementing a hybrid correctly requires that you deeply understand first principles.
Basically, we need to do a few things:
Harvest and incentivize human responsibility, ambition, and creativity in everyone
Look for places where people are less able to produce those things
Make policy changes that help them to do so, i.e., lifting everyone through education, healthcare, etc.
Broadcast this policy to promote the most healthy behaviors in everyone
So we maintain a hybrid policy. We simultaneously say,
Everything is up to you. It’s your fault if you don’t succeed. It’s all on you.
And this will encourage maximum output from everyone. Plus,
But we also know that people have different advantages and disadvantages in life, so we need to remove as many barriers to personal ambition as possible, which is why we will help everyone with their education, their healthcare, etc. This should never be a consideration for anyone. Now get out there and be productive!
That’s the message. That’s the path. “This is the way.”
This is the hybrid of Capitalism, Communism, and Objectivism that we need.
The good parts of all these systems are…um…good. And the bad parts are horrific.
We’re smart enough to know the difference and build composites that work for us, and that is what we must do.
December 11, 2020
Summary: The Pentester’s BluePrint
9/10
My One-Sentence Summary
It’s quite possible to approach the highly coveted career of penetration testing if you take a methodical approach.
Capture
The book was written by Phillip L. Wylie and Kim Crawley, two well-known experts and personalities in the infosec community.
Pentesting requires not only computer technology skill but also practical thinking.
Wylie, Phillip L.; Crawley, Kim. The Pentester BluePrint (p. xix). Wiley. Kindle Edition.
Structure: What is a Pentester, Required Skills, Education, Building a Lab, Certs and Degrees, Developing a Plan, Gaining Experience, Getting Employed
I liked the description of “Pentests assess security from an adversarial perspective.”
I liked the mention of methodology, including PTES, OSSTMM, NIST, and OWASP
I like how they differentiated vulnerability assessment from pentest, saying they are often done together but are not the same
I like how they broke down different spaces that people focus on in pentesting
To assess the security of a target and to hack into it, you will need to understand the technology and the security. Deep knowledge of your target is required to be successful at penetrating the target.
Wylie, Phillip L.; Crawley, Kim. The Pentester BluePrint (p. 17). Wiley. Kindle Edition.
I like that they gave a primer on basic information security concepts
It seemed a little jarring to move from infosec basics to talking about the dark web to air-gapped machines, but I get it—there’s a lot to cover
I like their blueprint formula of Tech Knowledge + Hacking Knowledge + Hacker Mindset = Results, which reminded me of how I described it in previous talks. I think I said, TECH KNOWLEDGE X HACKER MINDSET, which is very similar. And I see why they added hacking skills to that
I like how they are mapping the story along the temporal arc of how you’d proceed to enter the field, with book recommendations
Whoa, I’m in here! Thanks, you two! That’s a fun surprise while doing a review!
Surprised I didn’t see anything about Pentester Labs? Maybe I missed it?
I liked the quotes of people talking about their own approaches to tools
I was a bit confused about the skills plans concept. I feel like there could have been more conversation along the lines of “If you want to head in this direction, here’s a possible path,” vs. “If you want to head into this other area, …” So like skill trees in an RPG or something, or like Lesley talks about in her blog post on careers. I did like the quotes portion of the chapter though.
Similar comments on the employment chapter. Would have been cool to see some visual career paths like an RPG. Just an idea
Takeaways, Questions, and Ideas
Ultimately I think this is the best-organized and most-detailed layout of how to go from zero to hero as a pentester.
I think they covered it in a logical flow, and it provides not just practical “do this” advice, but also a series of references you can come back to later.
9/10
December 9, 2020
Analysis of the RECON/Attack Surface Management Space
I am often asked for my thoughts on the Bug Bounty / RECON / Asset Inventory / Attack Surface Management spaces.
This is partially because I founded a company, called HELIOS, back in 2016, which I separated from at the end of 2018. And although I am no longer actively involved in the space I still follow it from a distance.
Here’s how I understand the space and where it’s going.
There are multiple sub-spaces that will eventually merge
The biggest thing to understand is that there are multiple sub-spaces and sub-markets within this overall domain. My favorite name for this space so far is what Assetnote calls itself, which is Attack Surface Management.
Anyway, the functions—or spaces—that I see here are:
Attack Surface Management: The overall management of a company’s entire attack surface, whether that’s internal, external, cloud, or legacy/on-prem.
Asset Inventory: The creation of an interactive database of all your online assets. Notable players: BitDiscovery, Expanse (Now Palo Alto).
Bounty Researcher Tooling: These are sets of tools, or platforms, that help security researchers—especially in the Bug Bounty space—to discover more and better bugs in customer systems.
Discovery and Alerting: These are platforms focused less on maintaining and displaying inventories of discovered systems, and more on letting the customer know as fast as possible—via multiple methods—that there is an issue with their attack surface that needs to be fixed.
Reporting and Remediation: These are platforms most focused on integration with customer systems so that issues can be routed and fixed internally as quickly as possible, usually through integration with SOAR tools like Swimlane, Demisto, etc.
Vulnerability Discovery and Management: These are RECON-oriented platforms that are largely focused around emulating traditional Vulnerability Management platforms, except facing the internet, using discovery techniques, and across the entire stack—including AppSec.
The players
Here are some of the players in the space. And please note that there is some significant overlap in the sub-spaces/functions described above, and many of the companies below are already playing in more than one of them.
Alphabetical.
AssetNote (Primarily Vuln Management)
BitDiscovery (Primarily Asset Inventory)
Expanse (Primarily Asset Inventory)
Helios (Primarily Discovery and Alerting)
Intrigue (Primarily Researcher Tooling)
Project Discovery / Nucleus (Primarily Researcher Tooling)
The way I see this, all of these spaces will merge into the first one—Attack Surface Management—within around 3-6 years.
Nobody is there now—at least not completely. But they will all get there.
Groups focused on discovery will be asked for a browsable database. People with a database will be asked for real-time monitoring. People with monitoring will be asked for discovery. People with monitoring and discovery will be asked for vulnerability identification. And they will all be asked for SOAR integration.
In less than 10 years, every large vendor in the security space will have some sort of unified play that includes all these components. With some being better than others at each function, of course.
Analysis
To me, the two questions for a potential user—or investor—of these spaces are:
Which do customers need most right now? and
Which option is furthest along in unifying all these spaces into the end state of Attack Surface Management?
If you can answer those questions you’re doing pretty well.
December 7, 2020
News & Analysis | No. 258
You’ve reached a piece of member-only content.
December 6, 2020
The Key to Trump’s Effectiveness is Believing His Own Lies
I’ve thought for a long time that Trump was unique in that he believed his own lies.
I got this impression not only from observing him, but by reading the many books on him by Bolton, Woodward, and Strzok.
They all painted a picture that I could unify only one way—with the understanding that Trump doesn’t actually lie. What he says is often untrue of course, but that’s not the same as lying. He actually believes what he’s saying at any given moment. This is how he is able to muster so much vitriol.
Then I heard that his niece, Mary Trump, said this about him:
He’s the only person I’ve ever met who can gaslight himself.
I thought to myself, yes, exactly. But just because you’re someone’s family doesn’t mean you know exactly what’s wrong with them. But it turns out she’s also a Clinical Psychologist. And she went on to say:
Probably the most central part of Donald’s psychopathology is the need to deny any reality that paints him as a loser or as somebody who is weak.
This adds up perfectly to me, and there are numerous things to consider if this is true.
First, it’s not effective to treat him as a liar if he’s not lying. It’s a different problem that requires a different solution. And I think we can see this in the fact that none of the attacks on his “deception” have been effective.
Second, it happily tells us that there is much less of a chance of someone similar coming behind him to further harm the planet. If you take other people in the GOP, which you may not like, they are still relatively normal people. Maybe not moral people, but normal people. This means that they won’t be able to say the kinds of things Trump has said and get away with it—or at least not for long periods of time.
Their body language, the fact that the lies will contradict each other, and the growing pressure of this snowball over time will eventually crush a standard-issue lying politician. To survive that pressure, and maintain the constant stream of contradiction, you don’t just have to be a good liar. No. Any liar would have crumbled long ago under the weight of Trump’s garbage.
In order to pull off what Trump has done, while still getting tens of millions of votes, you have to be crazy. In this case, a psychopath. You have to literally be able to compartmentalize your mind so that you can deny reality and fully believe what you’re saying at any given moment.
It’s effective. It’s dangerous. And it grants you immunity to pretty much any attack that targets liars.
I think this is why the media has failed to make anything stick, and it’s also how the GOP got turned into a neutered fan club.
Basically, all the tools of rhetoric and dialectic are inert against someone who lives in their own reality, and that’s exactly the situation with Trump.
When he says the election was stolen, he believes it. When he says Obama tried to frame him, he believes it. When he says he’s done the most for Black people since Lincoln, he believes it. In fact, when he’s in that mode of spewing rhetoric, he believes every single word he says. That’s his superpower.
And if you have half the country with a broken relationship with education, facts, and truth—well now you have a problem. Because on one side you see politicians that are lying, like Clinton and everyone else, and on this side you have someone who is not lying.
People are pretty good at knowing when they’re being lied to, and Trump never lied to his followers. That’s a big part of the reason he’s so powerful.
The problem is when those same followers don’t know enough about the topics in play to know that he’s vomiting garbage nearly every time he speaks. Foreign policy, economic policy, healthcare policy, energy policy. These are not topics of expertise for most of Trump’s followers, so all he has to do is find a simple, specious argument and say it over and over with conviction.
And the genius is that he doesn’t have to fake that conviction, because he actually believes it.
This is why nothing has stuck to Trump in this 4-year hellscape of a presidency. And this is why it will be very hard for someone else in the GOP to follow him.
People are worried about a smart-Hitler type coming after him, the assumption being that Trump himself is the dumb-Hitler version. But that’s not going to work, because a smart manipulator would still be deceiving people, and I don’t think he would stand against both the media and the GOP.
And I don’t see anyone sitting in the dugout with this exact combination of energy and psychopathy that can replace Trump and his immunity from reality.
The biggest threat isn’t someone following Trump in 2024, using the path that Trump paved for them. The biggest threat is Trump himself coming back for another round.
The defense against high-energy, reality-denying psychopathy is to separate yourself from the stimuli and to keep your feet firmly planted in reality. This is what America must do, and what the media must do.
I feel like they’ve kind of caught on recently by refusing to show him going on fiction-filled rants, but we need to do more.
The proper answer is to frame him as mentally ill due to his disconnection from reality. The proper answer is to listen to him say something stupid, to look at the actual facts and show them on the screen, and then look directly at the camera and say,
Did you hear what this guy just said? He just said X, and the facts that anyone can look up are Y. This man is legally insane, and he’s a danger to the country.
In other words, you have to stop trying to get him on the lies and the morality, and instead get him on being a dangerous crazy person who doesn’t understand reality.
This is the only path that will work, and if we don’t figure this out soon we might go through this whole thing again in 2024.
Notes
For the Trump supporters reading this, I’m not claiming everything he did was bad or evil. I think he improved our policy on China, for example, and I think there were other similar stances he took that were beneficial. I also think he’s fundamentally pro-America, and trying to do the right thing (even while putting himself first). But in my opinion, most of the good stuff he did was similar to a broken clock being right twice a day, rather than the result of thoughtful policy.
I also think Trump was right about much of the left being rotten, and in need of replacement. But again, those few times when he was right served to give his other positions far too much weight.
December 3, 2020
The New Reality of State-sponsored Attacks on US Businesses
The Lawfare Podcast is one of my few staples, and I just listened to another great episode on espionage against US businesses.
My main takeaway was this:
Foreign governments—and especially China—are pivoting from targeting other governments for their secrets, to instead going after private companies because that’s where most of the intellectual property is.
The guests, Bill Priestap and Holden Triplett, give tons of great background and examples for this claim, and they go on to say that this is basically just a new reality—kind of like terrorism.
They also make another interesting point, which is that the US is behind in recognizing that economic power is national power, and in its willingness to use the intelligence apparatus to further those economic goals.
In other words, other governments just plainly state to themselves that the future of the country lies in its economic strength, and thus it must use its intelligence capabilities to make itself more powerful economically.
Which often means stealing IP from both friend and foe.
The US has been reluctant to use its intelligence capabilities in this way. The FBI, for example, might tell a company that they’re being targeted by a foreign adversary, and how to protect themselves, but they’re not doing that to give that company an advantage in a global marketplace.
They’re doing it because that company is considered part of home base, and their mission is to protect home base.
I think this is a really interesting distinction, and I wonder how long it’ll take the US to “catch up” to how others are thinking about this.