Ep 178: Mark Montgomery on Cyber War
Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at FDD and retired U.S. Navy rear admiral
Aaron MacLean:
A couple of weeks ago, a guest of mine said that while everyone is worried about a cyber Pearl Harbor, he was worried about, as he put it, a Pearl Harbor Pearl Harbor. Fair enough. But we haven't done an overview on School of War about the cyber threat to the homeland yet, and so today, we're fixing that problem with the always thoughtful and fun Mark Montgomery, who can talk cyber Pearl Harbors, missile Pearl Harbors, and plenty of other things to keep us all up at night. For more, follow School of War on YouTube, Instagram, Substack, and Twitter. And feel free to follow me on Twitter, @AaronBMacLean.
Hi, I am Aaron MacLean. Thanks for joining School of War. Before we get to Mark Montgomery today, I'd like to remind listeners that the deadline to apply for the Hertog Security Studies program is approaching fast. The deadline is Monday, February 24th, so next week. This is a fantastic program that I teach in, Hertog Security Studies, and help run for undergraduates and young professionals. It's in Washington, DC, and it runs this summer from June the 15th to July the 11th. It's focused on grand strategy, military and diplomatic history and policy. And this summer is composed of four separate week-long courses taught by some amazing faculty, former Congressman Mike Gallagher, Dan Blumenthal, Frank McKenzie, all of these folks who've been on the show, Vance Serchuk, who we really need to have on the show, and yours truly. And they'll teach about military history, grand strategy, China policy, Russia policy, the Middle East and military-political relations. You can apply to do the full four-week program and be a Hertog Grand Strategy fellow, or you can apply for individual weeks or just multiple weeks selected amongst the offerings.
Again, this program is for undergraduates and young professionals. So say rising college juniors through people who are just a handful of years into their career. For successful applicants, the program is offered at no charge. It really is an incredible opportunity. Check out the details at hertogfoundation.org, that's H-E-R-T-O-G foundation.org/programs/security-studies. I've been teaching in this program for several years now, and if you fit the qualifications and you like this show, you're going to get a ton from this program. I really do recommend it. I am delighted to welcome back to the show today, Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, senior director of its Center on Cyber and Technology Innovation. Mark was in the Navy for 32 years. He retired as a rear admiral. He was on the National Security Council early in his career, he later was the policy director on the Senate Armed Services Committee. He's been on the show before, he's a wealth of knowledge. Mark, thank you so much for coming back.
Mark Montgomery:
Aaron, thank you very much for having me.
Aaron MacLean:
You testified before Congress recently on cyber threats to the homeland, and that's where I would like to start today. And I was thinking about how to best help the audience visualize this, because I think anyone who has half an interest in national security thinks about cyber, hears about cyber, knows it's an issue, but unless you've actually worked on it, it's a little hard to picture because none of us have really... Unless you've been unlucky to have been spearphished or something, none of us have really lived through state-level cyber action that is part of a broader military campaign. And so I was going to ask you this. Imagine yourself a Chinese offensive cyber planner/commander looking at the United States and considering what you might do on, say for example, D-Day of an operation with Taiwan or the lead-up to an operation with Taiwan, what does America look like to you and what are your objectives?
Mark Montgomery:
Well, first, I would say America looks like a target-rich environment. I mean, it looks like a place where I'm going to have the opportunity to impact the operational and strategic flow of a crisis between myself as a Chinese planner and the United States. So target-rich environment. And what I mean by that, of course, is that our national critical infrastructures, the things that allow us to mobilize the military: rail systems, aviation systems, maritime ports; the things that allow us to produce economic power: financial services, energy production, electricity grid; and even the things that provide public health and safety so the American people feel safe: water, healthcare, even education, along with energy, which fits across... All of those are insanely vulnerable to malicious cyber activity, whether it's by China, Russia, or even criminal actors, but in this case, China particularly.
Aaron MacLean:
So one of the things that I thought was really interesting about your testimony was it's focused on the way in which cyber attacks could focus, maybe likely will focus on America's war-making potential in the event of a crisis and how mobilization is an obvious target. Can you say more about that? It's not just China, obviously, it could be a crisis in the Baltics with Russia, say what you want, but if there's something bad happening in Eurasia and America is going to respond, what does that actually mean for people who have never worked on mobilization or thought about mobilization and how does cyber intersect with that issue?
Mark Montgomery:
Yeah, thanks. And truthfully, I think there are people in the military who understood this. I don't believe there are people outside the military in the national security complex. So at the National Security Council and the other non-DoD national security agencies or even in Congress, the degree to which we are insanely vulnerable to this Chinese capability, and really growing Chinese capability. So what's this mean? In AV, when the military is going to move from its current position in forts and ports to a fighting position, say in Asia or in Europe, all the supplies, the equipment, and the personnel flow, they start on a military base, but they very quickly leave that base. And those bases, by the way, are beautiful. They're beautiful critical infrastructure things. As President Trump would say, "They're big and beautiful and the best ever."
They have two power supplies, although one of them may be a Chinese CATL battery, so be careful. They have two telecommunications networks, they have two water supplies. But let's say that tank is loaded on a flat car on a train leaving Fort Cavazos, the former Fort Hood, to go to a civilian airfield to be flown out. And so it's beautiful. Noah's Ark of cybersecurity, as they leave the base. And then they enter Mad Max Thunderdome, and that's Norfolk Southern's rail line, as they head to the Columbus airport. And, of course, Columbus airport, the air operating authority there, again, completely unprotected, run by a civilian airport authority that doesn't have two wood nickels to rub together. So what's happened is we rely...
Transcom, US Transportation Command, and that's the military element that moves weapons, and then US Maritime Administration, that's the Department of Transportation that supports them, they rely on 69 civilian strategic airfields that support the military airfields. They rely on 18 strategic civilian-controlled strategic sealift ports to support the six military ports, and they rely on 40,000 miles, that's one-third of the rail system, it's called STRACNET, the important ones to us. All those systems owned and operated by the private sector, but relied on heavily by the Department of Defense to get to the war so that we can fight and win it.
Aaron MacLean:
So let's maybe take those piece by piece. So what'd it actually look like? Pick your poison. Railroads, ports, aviation, what actually happens? The 101st Airborne Division is going to go to the West Coast so it can move on in some fashion to Guam. What happens?
Mark Montgomery:
So great question, and I'll go one step further and say, sadly, the Chinese don't even have to pick their poison. They can pick all the poisons at once because this is literally a low-bandwidth event. What they're going to do is they're going to study the systems ahead of time. Good news, Transcom's pretty much unclassified. My 21-year-old son or brand new ensign in the Navy could pretty much figure out the movement war plan across our country. You and I could sit down here and do it in an afternoon. It's not hard. It's usually existing systems. So you know where to attack if you're China.
Then you do surveillance and reconnaissance of the battlefield. So they go around, look at these systems, determine what software is running on them. Invariably, they have... They don't even have to use zero-days, in other words, never previously used exploits. They can use existing exploits against systems that aren't properly patched and gain access. They then gain access to those systems, whether it's the control network for the railroad to remove the 101st Airborne's equipment, or whether it's the airport operating authority's network that allows it to manage air flight control, or maybe you attack the FAA system just slightly upstream of that so that there's no air traffic control in that region of Columbus airport, wherever it is.
And then if you're the Chinese, at that point, you don't attack, you stay silent on these systems, and then you determine what's the best way to permanently place this network at risk. Most likely it's installing a piece of malicious software, malware, and a hook into it so that you can alert it at a later date, "Okay, I now want you to take these actions to either disrupt or damage the network on which you're operating so that it will not function as an IT network at a later date when the US military is trying to move." So that's a long way of saying ISR, access, and then installation... And I call it operational preparation of the battlefield, installation of the malware, and then sit back and wait.
Aaron MacLean:
And I guess the growth or growing potency of the methods by which you would do this stuff tracks perfectly with the extent to which all these civilian systems that you described, maybe some of the military ones too. I don't know. I don't want to be too complacent about the military systems, but certainly the civilian systems have gotten increasingly digitized and totally dependent on that digitization. I am hopeful that, just to use a crude analogy, that if I took the GPS device away from any Marine infantry officer or if I took it away from a naval surface warfare officer, they could navigate according to other means, maybe not as efficiently, maybe not as quite as quickly, but they could navigate according to other means. If you pull the digital rug out from the civilian aviation system or the rail system or whatever, it just doesn't work, right? We're done for a while.
Mark Montgomery:
So your point is we've reached this level of automation from which we can't go back to a manual control. And I think that's generally true. If you want to be really nervous, I think it's really true in our electrical power grids where we've automated the transformer operations to such a degree that getting things in phase... I mean, as a nuclear engineer in the Navy, I have a little bit understanding of this, that is if you go manual, it's a manpower-intensive effort, and the manpower, that savings was pocketed 20 years ago when they went automated. Same with pipelines, rail systems, the degree to which they've gone automated now, the linemen that walk the pipelines or the rail lines that could manually operate it are long gone. Savings captured probably not invested in cyber securities, they went to automation. That's why we sit where we are now.
So I think it's going to be very hard. And if it can be done, it will be significantly slower. And the one area where I think about this is ports where the move to automated cranes and automated gantries that move the sea, air, land containers around, that's all automated. For union rules, there tend to still be a lot of stevedores around, but I believe the pace at which they would go would be in the 10 to 25% of the plan flow. And so these are significant reductions and each coast is different in the union deal they have. So I'm not even sure one of the coasts could do this, but very slowed down to non-existence. So, yes, we're at risk.
Aaron MacLean:
Yeah. And, I mean, in a way, that's almost what you say is reassuring compared to how I was conceiving of it where you're saying that there are older-fashioned ways of doing things that could come online, it would just slow everything down pretty massively. I was more thinking about... Maybe I'm just conflating things here, but I was thinking about even where there still is human intervention, I'm thinking about an air traffic controller at his seat looking at his monitors and everything, or whoever it is who is supervising the automated systems for rail traffic, et cetera, they're reliant on information that comes to them, for the most part, I assume...
This is all assumption. I don't really work in this world. But I assume through digital means, and if you take that info away, even the humans who are there are now helpless. How do you do it? How do you control the planes if... I don't know, maybe there are still physical radars that are plugged in by a hard cable to a radar screen and so you can still work the air traffic control because, actually, you're looking at some direct feed from a real-life radar, I assume though that there's all kinds of digital computer stuff... You can tell I'm an infantry officer. Digital computer stuff intervening between the collection of the radar signal and the human who's looking at it, and then he has to communicate, which is a whole nother layer of digital systems.
Mark Montgomery:
Yeah. I think your assumptions are generally right, and I would say you picked on one of the ones where there probably may not be a good workaround with air traffic control. I mean, how I would handle air traffic control if I was secretary of defense and this started is I would go to the secretary of transportation and say, "We're going to have to shut down all non-essential air traffic, air flow." And then the lower flow, I think you could manage it regionally, not have the interconnectivity between networks and manage it regionally.
My guess is we could eventually get around that, but in a very suboptimal way, which, by the way, begins to tank our economy. Because while only 5% of our stuff... We like to say 95% of our maritime flow and commerce is rail or ports or inland waterways or 5% is aviation, that 5% tends to be pretty important. So it's the just-in-time stuff. So if that goes away, there's going to be a real problem. So bottom line is there's no good outcomes in this if the Chinese are able to disrupt or destroy the critical infrastructure of our military mobility systems, therefore we have to wind the tape back and actually figure out how to defend these systems or at least make them resilient so that the takedown's for minutes or maybe even a day, not weeks or a month.
Aaron MacLean:
So we have these Chinese operations that we're aware of and have, I guess to an extent, rolled up, though I don't know to what extent. So most recently, there was whether there's Salt Typhoon, which was this... From what I read in the press, a surveillance operation where they gained access to our phones essentially, listen to our calls, read our texts, et cetera. And then before that, there was Volt Typhoon, which was more infrastructure-oriented. And, again, I'm using these terms crudely because I genuinely, at some level, don't understand. I don't understand what I'm talking about here. But what did you learn, Mark, from the details you've seen of how these operations actually unfolded?
Mark Montgomery:
So what I learned was 2024 was a good year for the bad guys. Right? I mean, and look, Volt Typhoon started before 2024. Salt Typhoon might've as well, but for sure Volt Typhoon. Volt Typhoon was more of what we would perceive as operational preparation of battlefield. It wasn't about espionage, it wasn't about intellectual property theft, it wasn't about denial of service. It was about inserting malware into infrastructure systems for use at a later time. That is, by the way, borderline war-making activity by the Chinese. And I'll give you an example. If in the same infrastructures, they brought 100 satchels of TNT in and strapped it to each one, and then we found 100 satchels of TNT around port systems, rail system, aviation, I think we might... Even in the most ridiculously consensual approaches to China, there would've been some very direct action to hold them accountable.
But it's cyber... And I'll just tell you in general in cyber, I've experienced this for seven or eight years now, well, we accepted it. But that was operational preparation of the battlefield. I love that you brought up Salt Typhoon. That was espionage. Pure and simple espionage. And it was about penetrated scores of small telecommunications companies, but really our nine big telecoms and ISPs, the internet service providers, penetrated them and within that, it's reported penetrated systems that were involved with the legal wiretapping and listening that the government does to suspected criminals or spies, things like that. That's just a big deal. Salt Typhoon worried me as much as Volt Typhoon because of who it penetrated. There was a sense among a lot of us mistaken that the telecommunications industry was on the upper end of the critical infrastructures, akin to banking and financial service is more protected.
I still think financial service is more protected mostly because that's where money is, and if they weren't protected, these would steal the money, but it turns out telecommunications weren't that way, and I think it's because telecommunications companies themselves have good cybersecurity around their corporate networks, but around their core network that runs the comms and internet service provision of the United States and the world, the operators want nothing to do with the cybersecurity guys. They're like, "We're all about speed, efficiency, and effectiveness, and your cybersecurity looks to me like it's going to slow one of those down." So we learned that that core network that our phone, our non-encrypted communications we're on. So if you don't use an encrypted communication system before learning about Salt Typhoon, shame on you. But if you don't after, that's a big deal. I mean, you're putting yourself at risk and your company.
Aaron MacLean:
Yeah. And I wasn't really able to tell from what I read about Salt Typhoon, and maybe you don't know, or maybe you know but you will be able to say, but it wasn't clear to me the penetration into the systems, whether that meant that they could see and maybe even monitor what we were collecting through wiretaps, which is obviously bad... That's pretty bad right there because, from a counterintelligence perspective, right there, they see everyone we're surveilling. That's no good. But it wasn't entirely clear to me if that then further meant that they could tap whoever they wanted. That was the implication of some of the reporting.
Mark Montgomery:
I think the first part of your story, which is bad enough that they could see what we were doing legally, I think that's probably true. I don't know about the second part. I'm not in a position to assess that.
Aaron MacLean:
Yeah.
Mark Montgomery:
I'm not happy if it's just the first part.
Aaron MacLean:
Yeah, yeah. Yeah. It's still, I mean, presumably through those legal means, we are conducting counterespionage, counterintelligence operations that would be of interest to the Chinese. Pretty bad.
Mark Montgomery:
I would hope that information is well encrypted and protected within that and all they saw were ones and zeros and not useful information there. I'm not able to shed any light, but I worry about this. I worry that... In cyber, when I hear about something and my mind goes to a worst case, which is what all general officers', flag officers' minds do whenever they hear a story. Historically, when I was in the Navy, the worst case didn't happen. In cyber, it almost always has happened. It's like, "Oh, no, no, your first report..." I had a boss that was like, "I don't believe any reports until I get the fifth report." And the fifth report of these is usually pretty bad compared to the first report. So, yes, I think this is a really bad incident.
Aaron MacLean:
It strikes me that in terms of the policy response and the American public's investment in this, that we're all just suffering from the fact that nobody can really picture at scale what this would look like in America. I mean, if you're looking into it professionally and you're obsessed with it, you can, but the man on the street has no experience of this and America has really had no experience of this at scale. Crooks shut down hospitals and ransom them back their records, and if you've personally been involved in that thing, and I know some people who have been, yes, that left a mark on you.
But as a country we just don't really have an awareness of how bad things could get. And we haven't even really... I've been driving the train in, as it were, the counterforce applications of cyber and how they could really directly mess with American military movements. We haven't really talked about the other kinds of targets that are available to the Chinese. At the end of your testimony, you're talking about solutions. I'm skipping ahead here, but you have a line in there where you call for a return to continuity of the economy planning, which is a very anodyne phrase, but if you actually think for a second about what you're referring to there, it's pretty terrifying.
Mark Montgomery:
No, I agree. And so, look, first, I'm glad you mentioned that there's more than just the China nation state thing. There is this constant criminal... I would say 85 or 90% of the malicious cyber actions that are successful in the United States every day are criminal actions taken by criminal actors. Another percentage is criminal actions taken by four nation-states, because I'll just say, in general, North Korea is a cyber criminal gang masquerading as a nation-state, and I think the general belief is 50% of the western capital that they can use to work their nuclear weapon programs and [inaudible 00:22:39], 50% of that cash comes from illicit cyber activity. So they are, no kidding, a cyber criminal state.
And then the last little 5% is that operational preparation of the battlefield by China. So there's a lot of criminal activity going there. And I want to pick up on one thing you mentioned. You mentioned the healthcare ones and the ransomware. We are now able to pin morbidity rates, the likelihood, there are higher deaths happening because of ransomware. When a hospital has a ransomware incident, particularly a rural one or an underserved community one, when they have this incident of ransomware, they're down for a week or so for the ransomware, and then two or three weeks recovery. People die, and not just the obvious one, the dude in ambulance who now has to go 50 minutes instead of 30 minutes, and, "Sorry, Charlie. You died." But also old Uncle Fred, his stomach hurts, the local hospital shut down. It's not 30 minutes, it's now 60 minutes. He decides to go to bed and doesn't wake up in the morning.
So there are these morbidity rates and there's even higher morbidity rates in the hospitals themselves where we look at and study it afterwards, and one or two people that were on the respirators passed away more after the [inaudible 00:23:51]. So I just say when people say, "Well, there's no deaths in here," there are already deaths in here. So I like to capture that. And I'm glad you mentioned it, so there is that. You also mentioned economy. And it's myself and Samantha Ravich, one of the commissioners from the Solarium Commission, and Tom Fanning, another commissioner, chairman of Southern Company, the three of us have been really pushing this issue hard because it's about your ability to recover. We are going to get beat on occasion. And the mark of a resilient national critical infrastructure is that after the enemy hits you and you go down to a knee, you rapidly get back up and operate.
And we have such a durable economy that if we can get the networks back up, we'll continue to crank money, we'll continue to have that power that we have through... All that economic power that even outweighs our military power and our ability to influence world events. We've got to get everything back up and running rapidly. The critical exchanges, the SWIFT system, all those tools we have, we got to get them back up [inaudible 00:24:54]. And to do that, you need continuity of the economy. That means you have to have a plan. And the plan should not say, "FEMA's going to figure this out." FEMA figures out continuity of survivability. They make sure after Katrina hits or after the wildfires in California that people can get food, water, and a tarp or housing somewhere. God love them. I want us, the government, to have that capability.
I do not want FEMA solving my cybersecurity problem. I want something else doing it. And so we've been arguing, we passed a law, the Biden administration really punted on this, three and a half years of studying it and they finally said, "We think we're okay." No one had that on their bingo card. "We think we're okay." Right? The question of how you fix it is complex, but it's like alcohol. First, you got to admit you have a problem. And the Biden administration wouldn't admit they had this problem. I think now with the Trump administration, I'm hoping they acknowledge we have a problem, and then we go tackle it with good continuity of economy planning. Some of the people I think are going to the administration and they'll be able to do that.
Aaron MacLean:
Yeah. I mean, it's one of these spaces where there's a real intersection. It's hard to draw the line between, again, thinking of it from the point of view of a Chinese offensive actor, your counterforce options and your countervalue options like an attack on American banking, in a way, is very straightforward, countervalue targeting. You're going after the civilian population, you're going after American society more than you are direct military targets, sort of. On the other hand, if it's happening simultaneously to a mobilization effort, well, private so-and-so, petty officer so-and-so is showing up to his base to deploy, meanwhile, his wife is calling him or her husband is calling her and saying, "I can't buy groceries. I can't get any cash out of the machine. I can't access our bank accounts. Actually, I did access my bank account that says we don't have any money. It says there's $0 in our account." And that's happening at scale across the nation. And the military has to use money to pay bills. The US military runs on money. So it's not as crisp.
Mark Montgomery:
And I'll go one further and say an actual element of power of the United States is our control of these financial services systems, and a number of the major commodity exchanges run out of the United States, we use that [inaudible 00:27:10]. SWIFT runs largely out of here. Our banks control. We as a government, through our banking system, really can influence and pressure other countries to either stop taking actions or start taking actions in support of wherever we're fighting or have a crisis. So it is really important and it is frustrating for me. It is a bipartisan issue. There are people on both sides who've got it right and got it wrong, but we really miss an opportunity the last three and a half years. When you have a congressional law that says, "On a bipartisan level, we direct you to study this," and it comes back and no one thinks nothing's wrong, but it was hard. And I would say gently that sometimes administrations pass on hard assignments.
Aaron MacLean:
We've been talking almost exclusively so far about essentially defense and the need for it. And you have some specific recommendations and we can get into those as well about how we need to go about improving our defenses. But can we talk about offense for a second? I mean, part of this is not just deterrence by denial as it were, but deterrence by punishment. They can tie sacks of cyber TNT around our critical stuff, well, we can tie sacks of TNT around their critical stuff too and make life harder for the PLA or life harder for the CCP Elite, or however we want to structure it. How confident are you that that thinking is proceeding healthily on our side of the ocean?
Mark Montgomery:
Not yet. So I'm not comfortable... I was glad to see National Security Adviser Waltz, back when he was Representative Waltz, say, "As I look at this China problem, I think we need to be more offensive." But what that really means is challenging. So when I think about being more offensive, there's two or three ways... First of all, when I think about deterrence, I understand there's deterrence by denial, which means I'm going to prevent you from causing pain to me, I'm going to drive up the cost of you causing pain to me, and hopefully you'll stop. That seldom is enough, right? It's not enough in the Red Sea when we're dealing with the Houthis to just shoot down all their missiles. We actually need to, at some point, go strike Iran for providing those missiles. Separate issue.
But that gets at the second part of deterrence, deterrence by cost imposition or punishment. And that's the idea of, if you do something I told you not to do, I will punish you, hold you accountable, and I'll continue to do that on an escalatory basis until you stop. And when you put those two deterrences together, that's like chocolate and peanut butter. I got myself a Reese's Cup of deterrence. I want those two things. And in cyberspace, that's what you need. There's other types of deterrence called entanglement and norms, and I generally think they're bullshit when you apply them to authoritarian regimes to work with them. And I'll say in cyberspace, they have not been effective. So let's keep ourselves to denial and punishment. Denial, you and I have just talked about for 26 minutes. How do we defend ourselves, how do we get this [inaudible 00:30:00] make these real systems do continuity economy planning, got it. Punishment is holding them accountable.
And I have to tell you that whatever the line is for the use of force in cyberspace, it's pretty damn high and it moves around according to adversary actions. In other words, whatever they do, you're like, "Yeah, that's okay." So in the case of North Korea taking down Sony, so, clearly, North Korea said, "If you release that movie, The Interview," a very enjoyable movie, I'd watch it, "We're going to do something." They released the movie, Sony got hammered, and I think caused, between damage to systems and damage to ability to release things, $100 million worth of damage. The response from us was, four to five months later, after barely identifying North Korea as the culprit, we indicted three North Korean military officers who, I think very shortly thereafter, got their medals from Kim Jong Un. And you can imagine the extradition is not coming any moment now from [inaudible 00:30:56].
So that's not punishment. Punishment can't be law enforcement or even sanctions. Sometimes punishment needs to be, "I'm going to impose damage on your cyber systems that were used to hit me." And I think that's what Waltz was talking about, that, "Hey, it's about time for us to go out and using our kinetic tools." And, of course, our [inaudible 00:31:22] are like, "Oh, geez, Mark, why are you saying that? You're going to compromise a tool, you're going to compromise an access we have." And my answer is, "Well, then you better have a lot more freaking tools and accesses if you don't want me to ever use them." Right? What I mean by tools is a cyber tool to impose cost, damage a network, damage a system, and an access is the penetration point that I got in through it. So I think what Waltz is saying, we've got to be more aggressive and doing this and use our tools and our accesses to hold the bad guy accountable.
And I'll give you one last thought. Senator King, the chairman of the Cyberspace Solarium Commission, would say, "Final step, brag on it. Say, 'Hey, guys. That was us.' Those sons of bitches did this, we did that. Next guy up gets a little more. If you want some more, come to us." That's how I think you do deterrence by cost imposition. You don't have to do that with missiles. It says like, "Tomahawk, made in the USA [inaudible 00:32:23]" Right? Whereas with this other stuff, with cyber, I think we actually need to brag on it. So to me, that's what offense looks like.
Aaron MacLean:
I'm not sure I'm familiar with any moment in our history where we've done that. I mean, I know things that have happened in Iran and to the Iranian access for the Israelis play a leading role, maybe we had some role in some of this stuff. I'm trying to remember the big centrifuge attack in our role in that. And any-
Mark Montgomery:
So...
Aaron MacLean:
Go ahead.
Mark Montgomery:
Stuxnet. And we still are allegedly. [inaudible 00:32:52]. So you're right, we do not take... Credit's the wrong word. We do not take responsibility and accountability, and that's what it is. Hey, something bad happened to you, I released a weapon on you of some form or another, just like a kinetic weapon. I'm responsible for it, I'm accountable for it, and I'll escalate on that if I need to. And I think it's absolutely fine for us to do this, but we treat it like you just released polio into the wild, I'm like, "No, that's not what I did. I used a cyber tool to hold someone accountable."
Aaron MacLean:
Well, let me ask you a really big-picture policy question that this discussion suggests, because the implication of what you've been saying for the last couple of minutes is we are too hesitant to respond with cyber means to cyber aggression. And it seems, in some cases, like the attack on Sony that there has to be some proportionate economic target that we could have hit through cyber means that would've been fair and potentially increased deterrence for the future, which seems very commonsensical to me. In this listenership, I don't think you'll get a lot of pushback. But the more lethal the attack, the more I think complicated it gets. And I'm curious to know your thoughts on what our doctrine ought to be and whether or not we should be communicating this doctrine to our adversaries in terms of what we're willing to do.
For example, in an attack that is purely cyber in nature in its mechanism, but causes some deaths. I mean, you were talking about hospital wait times earlier. An attack on our... Whatever, a state level attack on our hospital system that then causes patients to die, maybe not in massive... Let's make it ambiguous. It's not massive numbers of deaths and it's a little hard to point out, draw the direct lines of connection between the attack and the deaths, but there were definitely deaths. There were definitely people who died because of this state's attack. Where does the line between cyber response and kinetic response actually get drawn here? Your point right now, which is well taken is, well, right now, there's hardly any cyber response. So what are we even talking about here? But in a healthy world with a healthy doctrine, how would you think about, as we go up the ladder of escalation here, where the lines are where we would actually consider even non-cyber responses to cyber attacks?
Mark Montgomery:
This is the exact discussion we need to have. On the cyber commission, we had it internally with the right people. We had four congressmen, four deputy secretary level people inside the government, and six or eight of us that were other professionals. And we had this discussion and it's a fruitful discussion. My concern is that it gets lost out when you get into the NSC world. So the answer to your question is we should establish, we should have... I hate to use the word red lines, but we should have a level of damage that you caused us that we're going to respond. And we should do it every time, so that over time, you go, "Well, I better not go to that level. I'm going to keep it below that." And then maybe we move the level down a little bit, and then we drive you down.
Right now, from what I can tell, it just slightly goes up, you do something, we say, "Well, there's a new level you can go." We don't respond, which effectively puts the marker above that level. And your response, we are pretty good about saying, "If you strike us in cyberspace, we reserve the right to strike back in cyberspace or use a kinetic tool." I'm okay with that, but the response so far has been neither. And I will tell you it's unlikely that if a nuclear-armed adversary uses a cyber tool to cause damage in our country, we're going to be like, "Well, here comes seven Tomahawks." Because I just think that could get real very fast, right? I mean, Will Ferrell would say, "That got out of control fast-
Aaron MacLean:
That got out of hand quickly.
Mark Montgomery:
Yeah. So I think though we need to respond more aggressively. Senator King had this crazy idea, I got to tell you, I used to... Not make fun of it, but say, "Sir, that's not going to happen." Right? He's like, "We'll build an electrical power grid in Saipan, invite them to watch us attack it so they can see what we can do." I'm past that point. I think he is too. We're not building some electrical grid somewhere so we can attack... We're going to attack you on your systems that came at us, and if you continue to hit our critical infrastructure systems, we'll hit your critical infrastructure systems in cyberspace.
And believe me, even though I have a lot of problems with our cyber force generation, and I think that we don't have the cyber forces we need, we can still kick a little ass in cyberspace. And so do not get in an escalatory cyber contest with the US Cyber Command would be good advice to any foreign country. But the advice has to be followed up... Deterrence only works if you have a capability and the adversary believes you're willing to use it. I think step two of that has evaporated.
Aaron MacLean:
Not to be too obvious, but just to reinforce what you're saying about the need to have this conversation now. I mean, it seems to me we need to have this policy or doctrinal clarity now and communicate it now, because otherwise, what's likely to happen is there will be some crisis and there will be some offensive cyber action... Let's say it's a blockade scenario in Taiwan and there's some attack on some part of the American power grid that's somehow connected to that, and a plane crashes. An American plane crashes somehow as a consequence. And it comes out that that was a direct consequence somehow of the cyber attack.
I could see public opinion turning on a dime rapidly. Because that's what happens in America. In America, everyone wants to stay out of foreign troubles, everyone wants to stay out of foreign entanglements. It's their war, not our war, et cetera, et cetera, et cetera. And all of a sudden, Americans start dying and the world feels like it's falling apart and Americans get real hawkish real quick. And what do we do then? As you were quoting Ron Burgundy, like, "How quickly do things escalate?" Alternatively, we could know exactly what we're going to do then, and we could even tell them ahead of time what we're going to do then in general terms, in an effort to stave it off.
Mark Montgomery:
It has to be believed, which means you actually have to do it during the... I don't want to say phase zero, phase one, because that's out of style right now in the military. But in the time before the actual war and that crisis buildup and that constant competition, you've got to use your cyber tools in a way that demonstrates to the adversary that you will be willing to use them in wartime so that you limit that. And believe me, by the way, if there's any of these... I do want to say we did something called Targeting Taiwan, a paper here, about six months ago. Craig Singleton and I... Craig, our China director, and Ben Jensen from over at the CSIS. And what it was was a study of how China will use cyber-enabled economic warfare to grab Taiwan and not have to invade, not have to do [inaudible 00:39:30], because they're constantly raising the pressure on Taiwan, just turning that real estate a little bit more across all the different... That's finance, energy, comms with cyber attacks, and it's just below the level of the United States giving a damn.
So it even applies when you push it forward onto an ally or partner. And, eventually, you break societal resilience in Taiwan before they've had to attack. It's not inconceivable. So we have to work to figure out how to do this and all the countries whose infrastructure is critical to us for our own economic growth, a place like Taiwan or economic success, but also a place like Japan or Korea where we rely on the infrastructure to fight through. And so we have this problem both domestically and there, and I think our adversaries have... If you don't think we'll do anything about us, then you definitely don't think we'll do anything about Taiwan or Japan in cyberspace. So we've got to change the dynamic on that. And part of that's taking action now in time short on war.
Aaron MacLean:
I want to shift gears for our last few minutes here and ask you about missile defense and the president's executive order on a Iron Dome for America and that whole network of issues. We had Tom Karako from CSIS on the show recently right after the order came out just to walk through what it involved. And it was a really interesting conversation and you were also expert on missile defense issues. And Karako made a point, I chuckled at it, that people talk about a cyber Pearl Harbor or this Pearl Harbor or that Pearl Harbor.
And he, Tom, is worried about a Pearl Harbor Pearl Harbor, that is to say the possibility of a strike and that the missile defense conversation needs to happen with an eye firmly on conventional missile threats. The kinds that we see used regularly in the Middle East now being deployed against American assets and potentially the American homeland, whether in places like Hawaii, the West Coast, maybe even the East Coast, you just don't know. And I wanted to get your take on investing a lot of money in enhancing missile defense in the continental United States, but obviously you've been beating the drum about places like Guam for some time. So it's a very broad question, let me just solicit your broad thoughts and we can go from there.
Mark Montgomery:
Right. So Tom's a good friend. I listened to him on your show and I agree with what he said. I would say I actually think that this is an integrated thing as defense of the homeland. And we have, since 9/11, conceptualized defense of the homeland as a physical counter-terrorism or terrorist strike. And we should still worry about that. And having an open or loose border definitely contributes to you worrying more about it. But the real, to me, the growth industry for adversaries has been in cyber and missile defense. And we've talked about cyber, so I say on missile defense, the terminology Iron Dome, and I know Tom talked to this, this is not about 1,000 or 500 Israeli counter-mortar rocket systems being put around our country. The president was talking to a philosophical thought of, "How do I keep things out?"
One of the interesting things is Iron Dome is the system... I've studied all pretty much everybody's cruise and missile defense systems over the years. It's one of the few systems that very aggressively doesn't target missile, of things. In other words, it allows lots of rocket and mortars from Hamas and Hezbollah to land because it assesses them as not striking anything too important, which is really important when your enemy has tons of things and you don't have many. We're going to have to feel the same way about our Iron Dome. There is not an Iron Dome to defend all of America right now against a cruise missile attack or a hypersonic missile attack. And what I will say about that is, today, I'm sitting here in Dupont Circle. I'm protected from a cruise missile attack. I'm part of the 0.0001% of America that's protected. It's between basically Capitol Hill and the Pentagon. It's protected from cruise missile attack by NASAMS, which is an air defense system that's at our old RFK and Carderock, defending this area post-9/11.
The other 99.99% of America, not defended from cruise missiles. Hypersonic missiles, nowhere's defended because we have not developed hypersonic defense, and our adversaries are building hypersonic defense like drunken sailors. We're the third drunken sailor with the Chinese and Russians and we're trying to catch up. And we will. Our hypersonic offense, we're spending four to five billion a year. We'll catch them. Our hypersonic defense, we have consistently spent 200 to 400 million a year. So 5% to 10% on defense that we do on offense. No one's winning the Super Bowl, spending 5% to 10% on defense as you do on offense, and no one's going to win the missile defense game spending 5 to 10%. All right. So we're not defended against that. So when I see this executive order, I'm like, "Fantastic." First things. Understand what you need to defend in America against cruise missile attack. And unfortunately, it's not much.
It's not my home in Arlington. It's not my parents' place up in New Hampshire. It's going to be countervalue targets around the United States that have to be protected. And then against hypersonics, you got to build a system. You got to get out there and invest to get your hypersonic defense going. So there's small programs, relatively speaking to defense budget, that could be done there. So first of all, the president should take the early wins on this. Systems where they're cost-effective and you can do it. A third thing I would do, and this is the coolest thing, it's not in his, but it's in Senator Sullivan's Iron Dome Act, which has strengths and weaknesses, but one of the strengths is it refers to dirigibles. I'm a big fan of dirigibles. So a dirigible, you put it between 20 and 60,000 feet. I put a traditional air defense radar in there like the THAAD radar, the TPY-2, these are military radars we use right now for defense.
But now they're up at 20,000 feet. That makes them what are [inaudible 00:45:15] known as kick-ass radars. They can see thousands of miles and provide... Thousand miles and see, and they can provide what's called a fire and quality track solution to missile defense systems all over that thousand miles underneath them and allow consummated intercepts. So with one, two, three, four of these radars up, blimps up around America, you can provide lots of protection. You can certainly detect a Chinese balloon drifting. But for sure, you'll get this picture out there. Of course, you're going to need your good ally, Canada, who you're not tariffing to death, to support you in this. And by the way, as we were tariffing Canada, I want to mention that Canadian FATs were protecting America that night. Just a little thought for the president on occasion. And the final thing is space. And I'm not talking about Brilliant Pebbles and Reagan. But Reagan's guys were onto something.
If I want to intercept a ballistic defense missile right now from ground, I got to strap three booster rockets to the rocket to get it up. And all these missiles cost between 20 and $100 million each. But if I had weapons in space, it is actually less expensive over time because I'm basically using God's great gift of gravity to drive down that weapon from several hundred thousand feet up to hit the target. So dirigibles, getting cruise missile defense systems where you need them, and starting to think about space as a place you fight in and through with non-nuclear weapons, right? Nuclear weapons would be illegal by the Space Treaty. If we make those three investments as part of Iron Dome, we're going to be cost-effectively more secure and survivable in a missile defense environment.
Aaron MacLean:
One thought that occurs to me both as a consequence of our cyber conversation and of your riff on missile defense right there, is that I have a great deal of sympathy for American leaders who have to think about what war is going to be like for them in 2025 or the years to come. And I mean something specific by that, let me attempt to articulate it. I'm making this up as I go, so feel free to tell me that you don't follow, because it's the first I've said something like this. But some time ago, generations past, an American president or secretary of defense or key advisors who were thinking about war and making strategic decisions, say in World War II, say in Vietnam, their decisions were at a very high level and operated on very long timelines like, "We're going to defeat the Nazis before the Japanese and we are going to stand up 90 divisions, and not 70 and not 150. And I'm going to sign off on this invasion plan for this broad timeline."
And these long time horizon big-muscle movement decisions would be made in Washington in consultation with allies and everything else. And then as you got closer and closer to the battlefield, the time cycle tightened and there were highly stressful, highly kinetic, not that strategic stuff is not stressful, but you take my point. Tactical stuff happening in tactical places, places like the beaches of France or whatever, or Da Nang. And then in the Cold War, you get this question of a nuclear exchange. And so we have this concept that actually the president is going to be a tactical commander in this doomsday scenario, but the doomsday scenario is so awful that actually everyone's plan A is, "We're never actually going to do it. We're prepared to put the commander in chief in that position and have him fight a nuclear war, but nobody actually wants to do it because it's insane."
And now, sitting here in 2025, what seems clear to me, and, one, any future major power war seems highly unlikely to me to spare the homeland. So, one, there's instantly a homeland kinetic dimension, or at least a loss of life dimension to all of us. Two, the strategic level stuff will move so quickly and be so integrated into the tactical level stuff that Washington becomes like it's going to have to operate with real strategic balance and know-how on a very fast timeline and the senior most decision-makers to include the civilians, to include the president, are going to have to be military commanders. Does that make sense? Does that sound... I just made that up. So tell me if it sounds disconnected from reality to you.
Mark Montgomery:
I do want to say right up front, not for the president being a military commander, but I take your point broadly, which is to say that the attack on the homeland is inevitable in this. I'll also say I think our adversaries think our public is weak, so that it even invites it in a way. They would have to make a proactive decision not to attack our homeland. I believe it's in the war plans for them. And we are vulnerable in physical, cyber, and missile defense ways. We are definitely vulnerable in all three. And I love your discussion on strategic level. We've dealt with this before. In the Cold War, we actually would've fought the Russians with the joint staff as the combatant commander. Not EUCOM. It was not publicly discussed that much, but that was who was the actual commander. And that makes sense. It was Washington. But what it wasn't was the White House. What's different now is the LBJ reviewing the strike plan for the Vietnam War-
Aaron MacLean:
The dinner table.
Mark Montgomery:
You're going to have that, but with so many other decisions that there's going to be this overwhelming nature. And then the profligation of social media... I mean, my son's on a ship right now out at sea off of Japan. He's calling me from his ship on a cell phone that he didn't quite get time zones, it was 3:30 in the morning, but it's insane to me that we're at that point now where you literally have that connectivity. Why does that matter? The feedback loop into the American public and the American government system. Field Marshal Montgomery, General Patton, General Eisenhower would've never survived their two, three, four years in command in Europe with social media generating crappy stories about them. You can just imagine the feedback loops there, that would've just been unbelievable. So from my perspective, so much has changed. I don't know that we're ready for what you're talking about.
And you're absolutely right. The president is truly commander in chief. In a way, this isn't about saluting the Marine One. This is like, "No kidding, we are making operational decisions at the speed of data every 2, 3, 10, 15 minutes to execute this war." I've always felt that the PACOM commander in a war, the Indo-PACOM commander in Hawaii, actually would spend 100% of his or her time the four star, facing Washington, talking to Washington, and the war would have to be executed by other people. He'd have to give his commander's intent, and then just never look because he would have 100% data pull, pulling him into DC. So very good insights by you. I agree with all of them, and I do worry slightly though, because I don't think we elect our presidents based on their ability to make tactical... Not tactical, but operational warfighting decisions at the speed of data.
Aaron MacLean:
Yeah. On some level, what I'm trying to do with the show here is I do think that there's the president as a special and critical case, but just amongst the public more broadly, not an appreciation for how important understanding more might be to all of us in the years ahead. I hope it's years and not months. Mark Montgomery, it's always a pleasure. Please come back anytime. A great conversation.
Mark Montgomery:
Thank you for having me, Aaron. It's been a real pleasure.