
‘Living off the land’ doesn’t mean what it used to

The threat of cyberwarfare is more real than ever. At the 2025 SIEPR Economic Summit, ex-government insiders talked about the dangers — and what to do about them.
SIEPR Director Neale Mahoney, far left, welcomes the panel on AI, defense tech and national security to the big stage at the 2025 SIEPR Economic Summit: Raj Shah, Arati Prabhakar, Nicole Perlroth and Stephen Kotkin.

“Everyone, please click on your [software] update right now.”

Those words — from the Hoover Institution’s Stephen Kotkin — were a public-service announcement, delivered partly in jest, during a 2025 SIEPR Economic Summit session on military defense and national security in the AI era.

“We’re in a period of tremendous upheaval because of the degree of vulnerability we have now, where everything is interconnected, and the military industrial complex isn’t a place, it’s software,” said Kotkin, who moderated the session.

“A teenager in the basement who doesn’t use shampoo and is just having fun can get into a [top-secret] lab,” he said. Or, into “smart” home appliances: “My refrigerator [didn’t used to be] a source of vulnerability.”

The insights from the session’s panelists — all with insider perspectives from the front lines of national security — were just as sobering (thankfully, the cocktail reception was next on the Summit agenda). At a time of heightened geopolitical tensions, the risk of a cyberwar that cripples critical infrastructure — whether it’s China attacking the U.S. or the U.S. going after Russia — has never been higher, they agreed.

“Chinese hackers are now ‘living off the land’ [in the U.S.],” warned panelist Nicole Perlroth, a former New York Times cybersecurity reporter who previously served on a Department of Homeland Security advisory committee and is now a venture partner at Ballistic Ventures. “They don’t hack in anymore; they log in. They’re just there and they stay there in the event they’d have to do something one day.”

At the 2025 SIEPR Economic Summit, cybersecurity expert Nicole Perlroth warns of the pervasiveness of cyber attackers.

What this and other military threats mean is that defense is no longer about “going from one point of capability to another point of capability,” said Arati Prabhakar, who served as science and technology advisor to former President Joe Biden and previously led two federal research and development agencies. “You now need to be on an escalator — always able to iterate and get better and faster.”

The promise of public-private partnerships

There’s good news on that front, according to Raj Shah, a onetime F-16 fighter pilot who previously directed the Pentagon’s Defense Innovation Unit, which works to bring commercially developed technology to military defense, and who is now a venture capitalist.

By Shah’s calculation, venture capitalists a decade ago were pouring at most $300 million a year into companies whose products and services had national security implications. In the last three years, he said, that figure was $140 billion.

“You’re seeing this massive trend that will continue,” Shah said.

Other panelists were equally bullish on the role that the private sector can play in fortifying national defense. Perlroth recalled how companies rallied to help root out Russian malware that could cripple Ukraine when the war between the two countries started two years ago.

“We always talked about these hurdles and silos to public-private collaboration,” she said. “Turns out, all you need is a Slack channel.”

One of the most effective defenses against an enemy cyberattack is simple and “super boring,” Perlroth said. “Patch your software; run your updates.”

Panelists said that Congress will likely have to step in to require companies to comply with basic security protocols. There’s a role, too, for private markets. For instance, a company that Shah co-founded, called Resilience, sells cyber insurance that requires regular monitoring of policyholders’ digital security systems. If the policyholders aren’t staying up to date, the potential insurance payout if they get hacked falls sharply. Why is this a good idea? Because, Shah said, the core challenges in combatting cyberattacks — whether from criminals or adversaries — are not so much technology problems. “They’re behavioral problems,” he said.


Photos by Ryan Zhang.
