Most of us are living in a digital battlefield we barely understand—until it's too late. Allie Mellon reveals how nations harness cyber tools shaped by centuries of history, and how today's chaos isn't random—it's deeply rooted in geopolitical motives. If you think cyberwarfare is just about hackers and malware, think again. Allie's insider perspective exposes the dangerous future we’re rushing toward—where AI and information manipulation could rewrite reality itself.
In this electrifying episode, you'll discover how Russia, China, and the USA have built (or failed to build) cyber defenses influenced by their unique social contracts and historic secrets. Allie shares jaw-dropping stories—from cyber attacks that control critical infrastructure, to disinformation campaigns that target global narratives—and explains how these tactics are evolving faster than anyone can keep up. You’ll learn why attribution is becoming impossible, how AI will blur the lines of truth, and why the cybersecurity community must wake up before the next disaster hits.
Chapters:
00:00 - The evolution of cybersecurity and the urgency of AI risks
02:08 - The intersection of cybersecurity, geopolitics, and history
05:48 - How nations like China and Russia control information via infrastructure
08:56 - The role of cyber attacks in modern conflicts like Ukraine and Iran
12:40 - The power of coordinated multi-domain warfare and cyber tools
16:46 - Cultural differences in national security strategies and societal contracts
22:11 - How authoritarian regimes manipulate internet infrastructure for control
29:53 - The explosion of disinformation and fake content on social media
33:00 - The future of AI in attack attribution and misinformation campaigns
36:21 - The hidden vulnerabilities in AI systems and how bad actors exploit them
40:45 - The terrifying leap from experimental tech to autonomous weaponry
43:35 - The complacency of leadership in regulating emerging threats
44:30 - Final advice: stay informed, cautious, and proactive in defending our future
Buy The Book!: https://tinyurl.com/5f7n9n8z
Welcome Back And Guest Intro
SPEAKER_00: How's it going, Allie? It's great to finally get you back on the podcast. I think at this point you might have been on like four years ago or something like that. I mean, it's kind of crazy to even think that this thing has been going for that long, you know, longer at this point.
SPEAKER_01: Totally crazy. Yeah. Thank you so much for having me back. I'm really thrilled to be here. It's always fun chatting with you.
Allie Mellon And Code War
SPEAKER_00: Yeah, absolutely. No, I try to try to make it fun, at least, you know. But it's a it's an interesting time for sure. But before I go down that rabbit hole, how about you, since you haven't been on in like four years, how about you tell my audience like a quick, you know, thousand-foot view who's Allie Mellon?
SPEAKER_02: Yeah, absolutely. Thank you. I so I'm Allie Mellon. I'm a principal analyst on the security and risk team at Forrester. I cover security operations. So people process technology in the SOC, including EDR, XDR, SIEM, SOAR, security analytics, ransomware, all of those good things, nation state threats, AI and using security tools. I'm also a soon-to-be author. My book comes out on March 17th and goes into cybersecurity and geopolitics in the intersection of those things. It's called Code War: How Nations Hack, Spy, and Shape the Digital Battlefield. My background is as a hacker before becoming a security practitioner. So I've seen the industry from a couple of different sides. And that's kind of how I approached this book is digging into cybersecurity and geopolitics from that hacker perspective. And it's crazy to think that I'm about to be a published author. So yeah, that's a little about me.
Research And Writing A Book
SPEAKER_00: That's awesome. How long, how long was that journey of writing the book?
SPEAKER_02: It was two years. Like it was a long process. I need like a little space and time to make it work. But yeah, it was it's pretty crazy to think that it's been two years and many, many, many interviews that were so, so valuable. Took like at least six months, if not more, for the research phase before actually starting writing. And that just gave such good perspective that fed into the book.
SPEAKER_00: Yeah, I I can kind of relate to that because I'm writing my dissertation right now. I'm at the point where like I'm wrapping up, you know, expert interviews on on the different topics that I'm that I'm doing it on. And my my chair keeps on like hammering me. He's like, you need to keep like you need to start writing, you know, your fourth chapter or whatever. Like, you know, you're not gonna have the time after it's done or whatever. And I'm I'm just sitting here like, well, I need to like know how to piece it together before I start piecing it together. Otherwise, I'm redoing stuff and I hate that, you know? Totally. I had to like thoroughly explain my mentality around my approach to it to him for him to like not freak out on me so much. He still freaks out if he's hearing hearing this now.
SPEAKER_02: It's so funny because you're a hundred percent right. Like I had to refactor the book probably three or four times because I kept thinking it was gonna work in one format and then it wasn't. And it's so much work. It is not fun work, it's not the actual like research or cool stuff or the writing. It's like, should I have this chapter be on Russia here or be over here? And yeah, so I imagine it's very similar with the dissertation that you're working on and just wanting to like dodge that whole need to refactor six times and go through all that work for what feels like very little gain.
SPEAKER_00: Yeah, yeah. I mean, they're they allocate like two whole semesters to nothing but editing and like having a professional editor edit it and everything else. I mean, it's just like there's so much that goes into it because it is so heavily scrutinized. It's like like people will like, you know, jam you up just because you you had a run-on sentence, you know, like it by the time you actually get that thing published, it has to be like so beyond perfect that like you'll never have to write like that again, you know?
SPEAKER_02: Yeah, yeah, that sounds exhausting. Yeah, how close are you to finishing it?
SPEAKER_00: I'm about a year left. Awesome. So not not terrible. Like the hard part of my research is actually done, believe it or not. The the hard part of my dissertation, because it's like I literally have like 200 pages of just like setting the stage. And it's just like, come on, do I have to do another chapter of this, you know? Yeah, like that sort of thing.
SPEAKER_02: Very relatable.
Why Cyber Attacks Really Happen
SPEAKER_00: Yeah, yeah. So I I'm finishing up interviews. I have a couple more that came in last minute of this month, but after that, it's just me running this stupid PyTorch simulation and uh getting that working. So we'll see. If I can get it working, that'd be great. But if not, I might need help. Very nice. Good luck. Yeah. Well, tell tell me about your book. It sounds really interesting. I haven't, you know, gotten an early release or anything like that, right, for for the audience. So I know just as much as you guys. Tell me, tell me about you know what it's about, how you approached it, you know, why did it make sense? Because it seems sounds like it's very timely, actually, with what we have going on in the world right now, especially with like the the healthcare company, I think it was Stryker, got breached, you know, yesterday, I think. And they didn't like just get breached, like they wiped everything, not even ransomed it, they just wiped it.
SPEAKER_02: Yeah. It's been wild, to be honest. Like, I I talk about this a lot, but like last year when I was writing this book around this time, I was like, oh, I wish this was coming out now. I feel like there's so much that's relevant, but now I'm like, thank God it's coming out at this point because everything is so chaotic. There's so much changing, there's so much that is very reminiscent of a lot of the themes that I cover in the book. And it's actually helped me so much to get a better picture of like exactly what's happening in the world right now and what it means and what we're gonna see in the future. So the book is about the intersection of cybersecurity and geopolitics, which I mentioned already, but it's specifically about how the histories of Russia, China, and the United States have led to the way that they use cyber attacks and defenses against other nation states and against their citizens. So one thing that I really love is I kind of give little vignettes throughout the book of moments in history, how they relate to the modern day context and the cyber attacks that are being perpetrated. So we're talking czarist Russia, we're talking Imperial China, and pulling out those themes related to why these countries use the cyber attacks they do. It was really, really interesting because it's really a deep dive in these histories with these three nations, but it's also about a little bit more than that because one of the things that I have seen time and time again in especially popular culture is this idea of like cyber war is coming. We're all going to be hit by this cyber war that is completely unrelated to any current geopolitical situation, but it's just gonna hit us and we're gonna be down. I wanted to dispel that myth a little bit and talk about exactly why cyber attacks happen and what context they happen in. 
And so that's why I tied the histories to it, is because it was like, you can do this with any cyber attack you want, and it's going to make sense, especially when it's nation-state activity. I start the book off with a quote from Richard Feynman and his 1986 Rogers Commission report on the Challenger shuttle disaster, which is for a successful technology, reality must take precedence over public relations, for nature cannot be fooled. And I am obsessed with this quote. I think this quote is so strong. Of course, it makes a ton of sense for what the time was, which was all about technical failures and how they can't just be covered up by good PR. You can't pretend they don't happen because eventually you're going to run into a case where those technical failures really matter. But I think that it's so applicable to cybersecurity as well. And that's why I emphasize that without a real world impact, and I try to show that for each cyber attack in the book, without a real world purpose, cyber attacks and the defenses that have been created, they're just not going to happen. Like there has to be a motivation by something in the real world that every person can understand by some element of national power if we're talking about nation-state attacks. So things like diplomatic, economic, military, resource-related constraints and also reasons for these to happen. And so that's the true meaning of this book. And what I really wanted to get across is that reality is the most important thing. And that's why all of these attacks are grounded in the historical and the modern context together to explain the motivation better and some of the limitations around how these different countries choose to perpetrate these attacks.
SPEAKER_00: Yeah, that's fascinating. That's really fascinating because, you know, like I started my dissertation primarily because I felt like the next major conflict would start in space long before it starts on the ground. Right. And we're actually kind of seeing that to some extent right now, you know, live with the the war in Iran that that's going on, right? There's so much reliance on the digital world now that for nations that aren't used to, you know, having to restore critical infrastructure like Ukraine might be, right, with their power grid. I mean, Russia hacked it, you know, what was it in 2012 or 2010, something like that. When they go and they do it again, it's no longer like a new thing. Ukraine's already prepared for it. They know exactly how to do it. It's down for like three hours or whatever it might be, right? Like it's back up, totally fine. If that were to happen here, though, I don't know if that's you know gonna be the same case. I mean, that's like a all hands on deck. I feel like at that point, it's almost like, hey, if you're in cybersecurity, sign up here to go and like help us figure this out, you know, like that sort of thing.
SPEAKER_02: It's so fascinating because I mean, the same is true for like to be quite frank in the US. If we started getting stopped in the US, people would not know what to do. Whereas if you look at some other countries, like people are like, that's a Tuesday, I'm going back to work kind of thing. You know, that would not be the case here. So it it is really interesting from that standpoint. And to your point, like one of the things that I highlight when I talk about the Russia's war in Ukraine is that there are so many really interesting instances where there's incredible coordination in the attacks that are happening and why they're happening. To your point, like there are cyber attacks that happen against the electric grid during this war. And they take down the electric grid, but it's like a couple hours, a couple days, maybe a week tops before it everything's back up. That contrasts with when they hit it with a missile. And then it's months, it's potentially over a year until that system is back up. But what makes it even more interesting is what uh the Russians have done that's really made this even more powerful is that they don't just hit the electric grid with a missile, they also perpetrate a DDoS attack against the customer service infrastructure at the same time. So anybody who's trying to call in and say, hey, I don't have my power or if it's internet, I don't have my internet. Anybody who's calling in and saying that isn't going to get through. And so it causes even more confusion. It makes it even more difficult for the team at the electric grid company to coordinate and prioritize what they need to prioritize. And it just lengthens the time it takes to remediate that situation. So one of the things that I find most fascinating and that I talk consistently throughout the book is like the power of coordination in multidomain warfare and how much cyber plays a critical role in that.
SPEAKER_00: Yeah. Yeah, I I was actually just seeing a video on Palantir's solution. I've never seen it before where it kind of like, you know, you you just basically point it in the direction that you want it to focus, and then it starts like prioritizing different attack paths and whatnot, and you can just launch the whole attack, you know, or choreograph it all right from there, which is pretty insane to think. I I mean, you know, obviously, like I'm sure the military's been doing it for forever, right? I mean, like you have to to be an effective military and whatnot. But to see it all in like one centralized place where it's like, okay, I'm gonna hack this thing and then we're gonna drop a bomb here, and then people are gonna come over here. You know what I mean? Like that is just like so it's so like meticulously planned, which of course it has to be, but like it's a totally different reality, you know, than before.
SPEAKER_02: Yeah, it's absolutely wild. And it's so wild how they end up training that that kind of simulation and identifying the most likely outcomes for those situations. It's pretty horrifying, to be honest. But it's also just so bizarre because so much of the preparation in conflict scenarios is about identifying what's the most likely outcome, what's the least likely outcome, and what's in the middle, because what's in the middle is gonna be what happens, and having like a realistic point of view on what's going to happen. And so I'm always curious about these types of technologies and what they're able to identify versus what happens in actuality on the ground, like what variables are missing, what intuition is missing from these systems. And I don't know that we'll ever have data around that because, of course, like a lot of this technology is in secrecy for a reason, but it would be really fascinating to learn. And I also just think, like, I mean, we have this conversation with regards to AI agents in the enterprise a lot. Obviously, what we're talking about now is a much more serious scenario, but like who's responsible for when that messes up? Like, that's my question. Because in a normal wartime scenario, it's the commander, right? But is that still the case when you're dealing with a system that isn't technically something that you could like automatically pin the blame on and say this is the person who's responsible for this because it's not a person? Or do you go back to the developers and say, listen, you mess this up? Like what's the what's the chain of command here, both from the standpoint of software like this and who's responsible when things go wrong, which they have. But also if you look at this from like an enterprise and AI agent standpoint, that's one of the the gaps that we're seeing in how people can deploy it effectively is like who's responsible for when this messes up because it's going to.
SPEAKER_00: Yeah. Yeah. I mean, you know, unfortunately, we may have seen like one of the one of those use cases actually happened, what was it like a week ago or something when a you know a missile struck a wrong building and you know unintentionally killed a whole bunch of of kids, right? I mean, I don't want to like propagate any conspiracy. Yeah, I don't want to come propagate any conspiracy theories. I feel like we'll probably never know, you know, the the real thing because it just gets shrouded behind classifications and whatnot, right? And I'm not trying to shade like America. I love America and whatnot, but you know, it's still a system that that's you know fallible, right? Like, you know, we're in we're in cybersecurity. Like I see systems do crazy stuff all the time. Yes. The alerts that it gives me don't make any sense to me, like why it gave me it. The context that it used to give me that alert doesn't make any sense, you know, like these systems are pretty spotty. I think the only thing that we have really figured out is Linux.
SPEAKER_03: Like that's yeah, that's it.
SPEAKER_00: That's solid.
SPEAKER_03: We can trust it.
SPEAKER_00: Like, that's it. Yeah, like that's pretty trustworthy at this point. You know, that's funny.
SPEAKER_03: Yeah.
SPEAKER_00: But like even, you know, people that are using like OpenClaw, right? Agentic AI to go and optimize their life, their workflows, whatever it might be. And now it's going through and it's like deleting all of their emails and you know, scheduling trips just because you like said something, you know, in a text that you want to do a vacation, it just immediately, you know, goes and books a trip or whatever might be. Like, yeah, those are you know non-consequential situations, right? But you can't tell me that same technology doesn't exist now in a weapons platform that you know now it's trying to decide what to do on its own. And what if it decides, hey, that's the wrong choice, you know, mid-flight and changes its own trajectory because there's no reason why it can't, you know, like what are we doing right now? Like there's so many movies on this thing.
Freedom And Social Contracts By Country
SPEAKER_02: Yeah. And we just don't understand. I think it's one of those things where like the I mean, I kind of grew up with the tech mindset of like move fast and break things, right? And that is just not the case when we're dealing with geopolitical scenarios. Like you, you move fast, you break things, you end up killing people. It's just the the reality, whereas that's not the reality in these like tech circles with their slides and their office buildings and the whole nine yards, you know? And so I do think there's an element of this that's just like the culture clash between what tech thinks of as the world and what is really the world in like a geopolitical scenario is very divided. And I think cybersecurity people tend to get that and tend to relate much more to the more geopolitical, like these things are serious. We need to like very mission-driven. Um yeah.
SPEAKER_00: Yeah, no, it was it was interesting when I was doing my bachelor's. I got a minor in economic economics and international relations. I almost said economic relations, totally wrong. But like it offered a really interesting perspective because now you're seeing the world from like, you know, that 10,000 foot view, and they're saying, you know, like they give you a scenario, right? Like, okay, well, why would Russia invade Ukraine? Because like I was actually taking one of those classes like when it happened, it kicked off, and we were watching it live on TV. And like we walked through, you know, why it was, right? And not saying that it's like justified or anything, but the teacher's playing devil's advocate, you know, because he wants to have an engaging conversation. And he's saying, like, well, look, you know, there's actual reports of like Russia wanting to join NATO at one point in time, and then it got shot down by America, right? So it wasn't supported. And then the agreement was that, okay, well, you can't go any farther than you know, this country or whatever for NATO expansion because it's a little bit weird, you know, you don't want me in it, but like you're gonna encroach on the territory and this and that, right? Like, and he kind of just like drew it down, it's like, oh, this isn't so black and white. I mean, it's a terrible atrocity. Don't don't get me wrong. Like, it's a horrible thing that Russia invaded Ukraine and there's millions of people that are probably dead, right? Like, there's no getting around that. But when you start shading it in that international relations mindset of like, oh, okay, I can kind of understand that, right? Like, what if an adversary went into Mexico and took over Mexico and was like, you know, starting to like kind of have that same buildup on the border? It's like, well, what would we do? You know?
SPEAKER_02: Yeah. It's really interesting because I I I think that there's a lot of that that is so true. Like, one of the things that I talk about that I actually have at the beginning of the book, which I did not when I was like almost done writing it. It was something that was added later, but I think is so important to kind of giving perspective on this, is like I write in the beginning and the end of the book all about the social contracts that the US, China, and Russia have with their people. Because I think it's important to level set on that because it makes such a big difference as to why, like, why China has such a walled garden and why the people are willing to accept that. And so a lot of it comes down to their different views of what freedom means and what freedom is. Like in the US, we operate under this very black and white freedom is freedom from any type of oppression from the government, any type of government intervention. And the second that you step over that line, we're entering tyranny kind of thing, which has its positives, it also, of course, has its negatives, especially in a geopolitical context and a defensive context. But if you look at like what we see in China, a lot of their belief system is around this idea of freedom, where freedom means the prosperity and the harmony to have a good enough life and to have a good life where you can, you can prosper and you can be comfortable and you can do the things that you want to do to a certain extent. Now, in order to live in that scenario, you have to believe exactly what the state is telling you. There's no room for disagreement with what the state is telling you. And they, they, I use the term belief very seriously there because it is, you need to believe it wholeheartedly and talk about it and have it be a part of your belief system. 
You contrast that with Russia, and like Russia's approach to this is, and for their citizens, freedom is the freedom to live a life where you don't have to be worried about survival every single day. A lot of their trauma is based off of the fall of the Soviet Union and the food lines that happened around that and the ability to break away from that and to just live a life where you don't have to worry about whether or not you can put food on the table each day. That's a level of freedom for them that is what they want. And it's interesting because in that context, like the thing that they need and what the government expects from them is you don't have to believe what we're telling you, but you're not gonna say anything against it. Like if we tell you to say it, you're gonna say it, even if you don't believe it. And people are fine with that. They're like, yeah, we get to survive, we get to be comfortable, we get to live our lives the way we want, have the freedom to move between different parts of Russia or potentially different states, we'll like accept that what you're saying is the truth kind of thing. And I found this so fascinating because it really affects the way that they, each nation approaches its defenses and the cyber attacks that it perpetrates. Because, like, if you look at China as an example, they want you to fundamentally believe the propaganda they're giving you. And so they have completely locked everything down so that the only propaganda you get is the propaganda that they're delivering to you. And if you get other propaganda, they're gonna cut it out as fast as they possibly can from the system. In Russia, it's a very different story where they kind of like a little late to this locking down the internet game and have struggled in a lot of ways to do so to the same extent that China has. But they're still trying to control the message as much as possible. 
And then, of course, in the US, it's so difficult because anytime the US government says, okay, companies, you have to do X, Y, and Z to protect your infrastructure for national security reasons. There's an at least private uproar and conversation about is this an actual attack on civil liberties and how do we manage those things? And in some cases it is, it is. Like it's not always just a fear-based thing, but finding that line is so much more difficult and so much more nuanced when you want to have that ultimate and total freedom.
SPEAKER_00: Yeah, it's interesting. You know, I I had someone on previously, I think he might have been like a vice admiral of the Navy that was in charge of like all Asia intelligence, right? And we were talking about like what China did with the Great Firewall of China, right? And I brought up like it's kind of like it makes a lot of sense from a security perspective. It makes a whole lot of sense, you know, like especially like with their culture of, you know, that belief system and you are ingrained into it, like you have to adhere to it and whatnot. And it's kind of surprising that other countries haven't done that, you know, like Russia, for instance, hasn't really done that, you know, at least to that extent. How do you are there like cyber attacks that have happened that, you know, directly correlate back to the country of those, you know, what we would call pretty extreme beliefs, right? But have you seen cyber attacks that have different markers that kind of coincide with that belief system, whatnot of either like China or Russia, or how are you making that tie back to it?
Disinformation Tactics And Bot Noise
SPEAKER_02: Yeah, so it's interesting that you say that because the thing that shocked me the most writing this book is China's forethought and like foresight to start implementing the Golden Project as early as they did. And the Golden Project was basically we recognize that the internet is going to be important. We're starting to see that, that it's gonna be important economically and geopolitically, but we need to make sure that when people access it from within China, they are only accessing what we want them to access, which is crazy that they were thinking about this in the 90s. And so that's the system that they built with the Golden Project was let's have what they call the Golden Bridge, which is where all infrastructure associated with the internet and especially leaving China has to funnel through. They had a series of other projects that were responsible for things like payments and anything that you can imagine having to do with the internet, they set up a golden, a golden project associated with it. And that has been what has enabled the Great Firewall to be as effective as it has. Because once you have all of your internet that's leaving the country, streaming through infrastructure that is controlled or owned by a particular government, then you can cut off that stream whenever you want. And of course, they've also set up a lot around like managing encryption standards so that they can make sure that they're reading everything in transit and so that they can then pull information out whenever they want to. But the Golden Bridge is really the fundamental infrastructure that has enabled the Great Firewall to be built on top of it and to do things like block particular websites most effectively and censor things in real time and that type of thing. And most nations just did not build that system. Like Russia is a great example of this, where they did not build that system from day one. There's a lot of reasons for that. 
I think one of them is because the cyber criminal community in Russia has always been very strong and for a long time relatively protected by the Russian government. And so it's difficult to manage their aspects of freedom with building a system like that. But they have started to try to do so. The problem is that when you try to route all the traffic that is going internationally and being done on the internet through a series of a government-controlled infrastructure within Russia, when that's already been set up, we're talking thousands upon thousands of different pieces of infrastructure you have to redirect. And it's just difficult to do it successfully. And so they've run tests trying to establish a sovereign internet, trying to cut off the internet from the rest of the world. And to be honest, they haven't done very well because at the end of the day, it's a difficult technical problem. But they also didn't set up the infrastructure from day one the same way that China did to make that work. So that's one example where, like the historical element of this, of like China's consistent focus on controlling the propaganda within China, which has been the case for, I mean, since Imperial China, that focus has been what enabled it to see so early on that this was an information vehicle that they needed to control. Now, one of the ways that we see this causing issues for them, which I really find funny and fascinating, is of course, we know that Russia is really good at spreading disinformation, getting narrative attacks to be used effectively, getting them picked up in the virality element of it. China historically has not been good at that at all. They've actually really struggled. They've got a ton of people who are constantly posting, constantly like flooding the zone with different posts and things, but they don't tend to go as viral as what we saw from Russia. 
And one of the big reasons that's the case is because they don't understand the cultural context because they've been walled off from it for several decades. Like when you establish the Great Firewall, what that means is your populace is not on Facebook, they're not on Twitter, they're not on Instagram. They don't understand the memes that the rest of the world has, the cultural context that the rest of the world has between each other and has built on the internet. And so a lot of the times their hackers will post things associated with narrative attacks and trying to go viral that aren't wrong. They're just not quite right for the way that the culture talks about this particular issue and this particular theme. And so they just don't gain as much traction because of it. There's also a lot of issues for them with the Great Firewall where it's more difficult for them to actually execute a lot of these attacks, especially from a narrative standpoint. So they end up hiring outside of the country, like in Malaysia, and saying, hey, go start executing narrative attacks there, disinformation there. But even in some of these cases, like you look at some of the reports that have come out, and there are instances where a hacker in China will pop into a box outside of China and they're using that as their like command and control. And once they're on that box, they're checking their personal Facebook and Twitter. And so you're able to do attribution because you're like, dude, you're on your personal social media because you can't access it in your country, which is so funny to me. So there's little things like that where it creates a lot of like nuances in how they're able to approach cyber attacks.
SPEAKER_00: Wow. Yeah, it's fascinating that they're so forward thinking, you know, because like no one was thinking about, you know, any like you just weren't thinking about information being used on the internet, you know. The internet was like such a like a niche thing. It wasn't even, you know, anywhere near like what it is today. I mean, you had like Yahoo and AOL, you had to pay for minutes to use the internet, you know, like that sort of thing. It's kind of crazy to think, you know, how far we've come. And I feel like, you know, I don't know, in terms of like disinformation and everything, I feel like I can't believe anything on social media anymore. Like it's at the point where honestly, like I spend more time like fact-checking it, not even with Google anymore. Like I literally have to fact check it with an LL.
SPEAKER_01: Yeah.
SPEAKER_00: To get like a real, like a real opinion of it, you know, because like it all looks extremely real. And you know, for all of the drawbacks or criticism of X, I actually really like how they integrate Grok into the ability to like fact-check a post immediately, you know, like you just click a button and it tells you if it's you know true or false. And if it's false, it's like flagged like that forever. With other platforms, you have to like go through a whole like reporting process, and yeah, there's more steps, you could still do it, but like, you know, it's a little bit more arduous, it just feels more streamlined on that platform. But even then, it's like, you know, man, like, I don't know, it's well above 50% of what I'm seeing on social media is just like completely fake, completely fake, completely wrong, rage baiting. And I'm just sitting here and I'm like, man, I'm just trying to hang out, you know?
SPEAKER_02: What really gets me is the cat videos. I'm like very upset about the fake cat videos, not the ones that are like clearly AI, but like there is, as a person who has two cats, whenever I see a video that's like relatable about being a cat owner online, where like there's this one video I love where this woman is laying in bed and you can just see from like the whatever camera she has in her room, and the cats are just like running around the bed, and she wakes up and she's like, What are you doing? And I laugh every time I see it. And the other day I went to the comments and it was like, Oh, so annoying that this is AI. And I was like, I'm so disappointed. Like that was so relatable for me. Like, I just wanted that to be real. And so, to your point, it's like these little videos that, like, did this have to be AI? I don't think so. It is very annoying and very disappointing because you just don't know what's real.
SPEAKER_00: Even a lot of the interactions and reactions on these posts are even fake, right? They're like kind of like even just like intentionally rage baiting to an extent where and you can tell because either they have like really poor grammar, which I feel like Russia doesn't make that mistake as often anymore with the poor grammar part of it. But the other side of it now is like when you respond to them, they basically say the exact same thing, maybe in a different way, but they're saying the exact same thing, no like added context or anything. It's like, okay, well, are you a real person or are you a bot? You know, and it just drives me off of the platform, essentially, right? Because like I have two little kids, life is stressful enough. I don't need to be stressed when I look at my phone, you know?
SPEAKER_02: Totally. No, it's so true. It's like they're constantly experimenting with what's going to be the new way to have like a significant impact on the narrative and exactly what people are thinking. And I feel like right now they're like, oh, we'll just use a bunch of bots and add comments to existing posts that have already gone viral. And it's like, this is maybe try something else, guys. Not to help them out or anything, but this is not the way.
AI Attribution And Belief As Reality
SPEAKER_00: Yeah. Yeah, no, absolutely. In your book, do you talk about maybe like a projection for the future of like where do you see this evolving? Because, you know, as an outsider looking in, but I'm in cybersecurity, you know, so I kind of have that at least perspective of what's potentially possible, which, you know, at the end of the day, I don't know if we even know everything that's possible because of you know what's happening, right? I had someone on, I think literally yesterday that was talking about how he's now seeing AI bots that are at the same level of nation-state hackers, you know, like literally manipulating API headers in a way that like only nation states would do it, you know, but like he can attribute it to an exact person so it knows it's not a nation-state hacker. Like, where do you see it going? Right, because I don't know. It feels like we're at the top, and then something new comes out, and it's like, oh my God, like this just changed the world again and it's the third time this year, you know?
SPEAKER_02: Absolutely. That is one of the things that I talk about quite a bit. It's like, first off, I do think that attribution is going to become much more difficult with the way that people are using AI and AI agents, especially. It's just, to your point, so much easier to just attribute it to something, just ask the LLM, attribute this to someone else, grab the indicators that would make it seem like this is someone else. And so I do think that there's an element of that where it's going to become more difficult to identify these attacks. What I talk about in the conclusion and towards the end of the book is like AI and just the reality of AI and what AI means. And I talk about this in the context of like believability is reality and reality is believability. So everything that we know and everything that we think we know is no longer driven by what the facts of what actually happened. It is now all about what populace believes has happened. This is one of the problems that I have with the community notes system that's available on a lot of social media platforms, is that at the end of the day, community notes is saying we don't know what reality is, but whatever the community says the loudest becomes reality. And I think that's a real problem, to be honest. And so as we look at that, as we look at like the way that LLMs and AI is changing the conversations that we have and making us feel things about ourselves that may or may not be true, I have a lot of concerns about the direction that we're moving with this.
And then you compound that with if you look at like CrowdStrike's research released last year, that shows that if you use DeepSeek and you ask it a bunch of questions related to trigger words that the CCP doesn't want you to talk about, like Falun Gong or Tiananmen Square or Taiwan or Hong Kong or anything like that, and then you ask it to create software for you, it is much more likely to create software with vulnerabilities than it otherwise would be. And what's really interesting about that is that what they came to the conclusion of in the research is that it's not the CCP is directing DeepSeek to introduce vulnerabilities for organizations that are focused in one of their trigger areas. It's more of we know that the CCP has mandated that any models being used in China are able to censor particular terms. And as a side effect of that, we don't know what the AI is necessarily going to take away and make decisions based off of. But the way that it's started to make decisions is it's started to release less secure code in many instances for people that talk about those subjects. So it's really interesting because I think it's just two things. One, there's a lot we do not know about the way that LLMs work or the implications of the guardrails that we put in place with them. But the other thing that it highlights to me is that at the end of the day, you don't necessarily know if that one response is the response that you're getting because you asked something else deeper in the conversation that has fundamentally changed the way that it's approaching the rest of the conversation. And you're getting responses based off of that. And so I found this really fascinating, this research on so many different levels, but also really concerning in that it's as we treat people as like, oh, you don't have to have as much experience to be using this.
The reality is you still need that experience because you don't know what vulnerabilities are being introduced into this code if you don't have the experience to know.
SPEAKER_00: Wow. That's interesting because, you know, like the, I mean, I don't even want to call it legacy. Like it shouldn't even be legacy, but the legacy mentality was if your company has to do business in China, that that infrastructure is completely separate. There's no route back, there's no information that you gather from it. If you need to know something about it, you have to pick up a phone and call someone, like nothing is sent to you, all of that, right? But for that to even take place, you know, in like Gemini or any of the LLM platforms, right? Like, how is that not taking place? Because that's just crazy. It sounds like whatever instance they have over in China would be phoning home to some extent, and there's no reason why that home country couldn't, you know, poison the data set within their model and it filters up to the overarching model to then filter it down to everyone else. I mean, think about that with like, you know, Taiwan and China, for instance, right? I mean, like, that would be like a prime example of something that they would want to like fully manipulate because if the rest of the world starts calling Taiwan China, when they invade, they're not invading. They're just arriving.
SPEAKER_03: Yeah.
SPEAKER_00: There's a difference, you know, there's a huge difference. The whole global mentality will shift because I would assume China doesn't want to kick off World War III. That would be not very beneficial for them either, right?
SPEAKER_03: Yes.
SPEAKER_00: But they want Taiwan and they want to take it in a way that the world doesn't identify it as an invasion, you know, because of the ramifications of that, right? And that's like the international relations mind in me.
SPEAKER_03: Yes.
SPEAKER_00: Which it makes a lot of sense, but it's like so crazy though, because you know, when ChatGPT was in its infancy and you know, the assassination attempt had occurred, the first one on President Trump, right? And I saw somewhere online that like the you know, someone had asked ChatGPT like, you know, details about it, and it didn't know anything about it. It like completely didn't know it. And I was like, well, like this person posted it, it's a day or two old, it happened over the weekend. Let me see if it's still there, right? Like surely it would like be corrected by now. And it wasn't. It wasn't corrected for probably like two or three weeks. I mean, it was a long time. It turned into like me being like, all right, well, let's check it in the morning the next day, right? Well, let's check it in the afternoon, you know. And you know, I talked to one of the AI researchers over at NVIDIA, and I asked him about the specific use cases. I don't know, you know, like this guy does it every single day, all day long. I don't know what anything it is, right? And he said that there's essentially like a memory window or a learning window, and if that learning window didn't kick in, it wouldn't pull in any new information. And so, like over time, you know, it gets shortened right on what that information would be or what that learning window would be because it has more knowledge and it's only looking for the difference, right? But at the same time, that opens a gap in these models where people are starting to rely on. And I can't tell you the last time I went to Google search engine, either on my phone or my computer, to look something up, to be honest with you. Like I couldn't, and I don't know what that means for Google. Probably not, probably not really good, you know. But like to be able to use these models to sway an entire population, because that's essentially what it could do.
I mean, that is a giant security risk for any nation. It's, uh, we're going into uncharted territory because you know, these nations they don't want their people to not have access to it. You want the capabilities, you want the innovation that it, you know, derives and promotes and everything, right? But you don't want fake information, you don't want false information, especially like you know, when the Pentagon is using it to make catastrophic decisions or decisions that have catastrophic ramifications on it. It's like if I can fool this thing, if Pliny the Liberator on X can release a how-to guide of how Grok and ChatGPT and Gemini ingest information, process questions, and build whole attack paths around these things. What are we doing putting that into a weapon system or anything outside of the search engine, you know?
SPEAKER_02: It's so true. It is like the leap from kind of like still kind of beta technology to putting it into weapons is like it's not good. We're in trouble.
SPEAKER_00: Like, how old is it? It's four years old.
SPEAKER_02: Yeah, which is not long.
SPEAKER_00: It's four years old. I have a three-year-old. Yeah, the three-year-old doesn't know anything.
SPEAKER_03: Like missile systems from the two-year-old.
SPEAKER_00: Yeah, I mean, and she'll repeat me because she's learning how to talk and everything, and so she'll like she'll imitate me, like the same tone and everything. And then I look at LLMs and I'm like, well, like I have to remind you to tell me the truth, to give me an unbiased opinion, to validate the references that you're giving me. Like, you're a toddler. Yes, you know, we're putting a toddler in a situation that requires an adult.
SPEAKER_03: Yeah, it's pretty horrifying. That's crazy.
SPEAKER_00: Maybe, you know, to kind of, I guess, like circle back, right? Just one last time. Do you think that there's an end to this? Because, you know, security professionals like yourself, like myself with this podcast, right? I mean, we're raising the alarms, you know, we're telling people like, hey, we're seeing where this goes. I know it's really cool, you know, but this is really dangerous. Is there any hope for us at this point? Because I just feel like capitalism and innovation is like, yeah, we'll accept the risk. It's like, yeah, but the risk is like that we no longer exist, you know?
SPEAKER_02: Yes. I don't think that there's any hope that we're gonna get anything, any level of like pullback from most of the vendors or regulation around this that's gonna make a difference. I mean, there's some regulation that's gone into place, but a lot of it has, it's such a trade-off with stifling innovation versus actually delivering something useful. And like a lot of times, based on my read of like the reasons that we put into place cybersecurity strategy or regulations in the United States, the only reasons are either it's sector specific. And in those cases, it has to do with like health information or financial information, it is to protect children, or it is for national security reasons. And if something falls out of that bucket, those buckets, we're probably not doing it. So I don't have a lot of hope that this is gonna be the thing that we really strongly regulate, especially not right now, especially with the innovation that they want to have. But I do wish that we had more people in positions of leadership at these companies that understood the risks and were thoughtful about the decisions they were making for it. Like that's what I'm most disappointed by is that we don't have people in leadership in most of these companies that get it and get the problems. And there seems to be this like almost acceptance that it's going to destroy the world, and they're okay with that, which to me is like I don't know how to, I don't know how to make that work in my mind, you know?
SPEAKER_00: Right. And they're like starting to restructure it as like, oh no, it won't destroy it, it's gonna like revamp it or it's a new evolution or something, you know? Yeah. But it's like anyone that's in this space is like, you know, if I can fool this thing and I'm an idiot, like, you know, imagine, imagine what someone with very poor intentions can do. I mean, like, like if Pliny decided to go and be like a black hat hacker, you know, not to say that he is or isn't on the side, I'm trying to get this guy on, but God forbid this guy decides, you know what, I'm just going to start using this for, you know, the bad side of security, there's nothing that this guy couldn't do with it. I mean he fully breaks models every single day.
SPEAKER_01: Yeah, that is the problem.
Where To Find Allie And Book
SPEAKER_00: Yeah. Well, Allie, it's been a fantastic conversation. I really do appreciate you coming on. It was way too long, way, way overdue.
SPEAKER_03: Yes.
SPEAKER_00: But I'm glad that I got you on, you know, before your book comes out. So if you want, you know, please tell my audience where they could find you if they wanted to connect with you and you know hear more about the content that you're putting out. And of course, where they can find your book that's coming out, I think it's next Tuesday.
SPEAKER_02: Yeah, yeah, it is. So, uh, thank you so much for having me. Uh, this was really, really fun. Definitely has been too long since the last time we were on. But if you do want to check out the book, it is, uh, sold anywhere books are sold. So, uh, it's Code War: How Nations Hack, Spy, and Shape the Digital Battlefield. You can get it on Amazon, Barnes & Noble, Books.com, Blackwells for International, anywhere, anywhere you'd normally get a book, it's going to be in hardcover form. You can pre-order it until the 17th, and then it'll be available hardcover and ebook at that time. So feel free to also connect with me on LinkedIn. I'm just Allie Mellen on LinkedIn, and I would love to hear what you think of the book if you do read it. So thank you again for having me.
SPEAKER_00: Awesome. Yeah, it was a fantastic conversation. I really appreciate you coming on. But the links to her book and everything else will be in the description of this episode. So make sure that you go ahead and check it out. Definitely pre-order the book. I'm going to myself. Thanks, everyone. Hope you enjoyed this episode.
