Galvanick CEO Josh Steinman

Spies, Stuxnet, cyber, and securing critical infrastructure

Joshua Steinman is the co-founder and CEO of Galvanick, a cybersecurity company building tools to secure industrial infrastructure and AI systems.

In this episode of World of DaaS, Joshua and Auren discuss:

  • Foreign spies in tech companies

  • Vulnerabilities in critical infrastructure

  • Lessons from Stuxnet and Ukraine

  • Building resilience against cyber threats

1. Big Tech Is Ripe for Espionage

Intelligence agencies from countries such as China, Saudi Arabia, Israel, and others already have assets inside major U.S. tech companies, according to Josh Steinman. These operatives often quietly steer internal decisions to align with their national interests, not through obvious hacks, but by shaping policy, censoring content, or influencing hiring. Companies must accept this reality and implement serious internal checks.

2. Critical Infrastructure Is Exposed and Undervalued

Steinman says U.S. infrastructure (power, water, rail) is outdated, digitally vulnerable, and largely ignored. Chinese officials have openly admitted to pre-positioning malware inside American systems, a stark warning about potential cyber leverage. Despite this, many U.S. companies push back on basic cybersecurity regulations because the incentives aren’t aligned with national resilience.

3. The Future of Cyber War Is Manual + Monitored

Ukraine’s response to Russian cyberattacks proved that the ability to switch to manual operations is a critical defense. U.S. systems lack this flexibility. Steinman warns we’ve entered an era where wars can start with malware, not missiles. The strategy going forward: monitor everything, baseline behavior, and build manual redundancies for key systems.

4. Defense Needs Startups, Not Just Primes

Steinman helped launch the Defense Innovation Unit (DIU) to bring speed and tech-savvy into the military. He argues that today’s legacy defense contractors weren’t built for modern challenges, and new primes like Anduril are needed. As for career advice, he rejects “follow your passion.” Instead: get great at something, and joy will follow.

“Espionage today isn’t always cloak and dagger—it’s often someone guiding a tech platform in a direction that favors their clan, not the company.”

“We’ve basically been free-riding on digitization for 40 years. The Piper’s coming.”

“Excellence compounds into joy. Find what you’re good at, then get great at it.”

The full transcript of the podcast can be found below:

Auren Hoffman (00:00.504)

Hello, Data Nerds. My guest is Josh Steinman. Josh is the co-founder and CEO of Galvanick, a cybersecurity company building tools to secure industrial infrastructure and AI systems. Previously, he served as the deputy assistant to the president and senior director of cyber policy at the National Security Council under the first Trump administration. Josh, welcome to World of DaaS.

Joshua S (00:22.734)

Auren, great to be here.

Auren Hoffman (00:25.134)

I'm super excited. Now, I'd love to like dive in on like spies. I assume like every big tech company unwittingly has employees, tons of foreign spies. Like what do you think is like the rate of infiltration? And it's like every good intelligence agency around the world in every company, every major tech company.

Joshua S (00:47.487)

Yeah, yeah, so the benchmark that I have for this is the Twitter. There was a report to the Twitter board that was put together by their chief security officer, who I believe at the time was a guy named Mudge Zatko during the purchase, during Elon's purchase pre-X. And what he essentially admits in that report is that they found instances of numerous nation states that literally had just straight up assets inside the company. And they didn't even under.

Auren Hoffman (01:20.76)

They have some publicly ones that have been charged. They're working for even for things like Saudi Arabia from many, many different types of countries.

Joshua S (01:32.253)

Saudi, India, I think the Israelis, a few others. I mean, like just yesterday, someone was talking about how one of the Israeli firms that was used, that was being used by Twitter to verify identities was then turning around and working with a doxing network in Europe to go after people. So the whole point here is just

Joshua S (02:00.725)

You know, there's a lot of surface area and when companies don't even have it in their mind that, oh, there might be other interests at stake in this person's employment, it just opens up a world of opportunity.

Auren Hoffman (02:15.019)

And the person could be like a full on spy or I know in some of the cases in the Twitter, it was like they were being either bribed by agencies or, you know, maybe their family was threatened or something like that to give them information or, you know, et cetera.

Joshua S (02:29.5)

Yeah, you know, one of the most interesting aspects of having lived in that world for a long time is that you realize just how dangerous mirror imaging can be. Mirror imaging is this concept where we sort of project onto other parties. Doesn't even have to be in the intelligence or foreign policy world, but we project onto other parties our own assumptions and our own patterns. So if you think about like what

You know, you think, oh, the intelligence community, you're an American. And you're like, oh, that person's the NSA or the CIA or this or that. United States is a country of over 330, 340 million people. 380 if you count the people that are here illegally. But they don't count, so we'll go with 330. So 330 million people.

And essentially the control schemas that we have are very different than almost any other country. And so I often like to remind myself that, you know, these things are done for a reason, right? Like espionage is conducted for a reason. And it's not even the reason that like those organizations inside the United States conduct espionage, right?

We conduct intelligence ops.

Auren Hoffman (03:54.476)

It could just be like to win a contract or something or whatever. There could be a lot of different reasons.

Joshua S (03:58.62)

Yeah, to achieve national objectives. And then you sort of ask yourself, well, what is a nation? You look at certain countries and, you know, there's 35, 40, maybe 50 serious clans or families that run that country. And so when you ask like, what's their national interest, it's going to be the national interest of those families. Those families probably control major industry in those countries, finance, et cetera.

So when it's like, what's the purpose of an intelligence community in that country? In many ways, can take, can manifest itself in different ways. It can manifest itself in just like very prominent families that have children that come to the United States and then they, those children, maybe they were born here and you know, until the Supreme Court decides the birthright citizenship case, you know, those folks have US citizenship.

They get jobs in very prominent companies and then they essentially guide company policy or process in a way that is favorable to their family, their clan, maybe their country. So, you know, you have to remember that it may not look like what we expect it to look like. It may not look like some intelligence officer going to someone and being like, hey, I need you to take this thumb drive and put it into a computer one.

and then don't ask any questions and never tell anyone again. Sure, it'll look like that, but there are gonna be other cases where they're like, if you see examples of people insulting this, that, or the other, you should really use your position to try and prevent that or make policy against that so that it doesn't happen because it offends our sensibilities. And so it's just, you have to remember that, you're like, like,

If you were to go onto Google right now and start searching around for stuff related to Tiananmen Square, you have to ask yourself, like, have the search results around those terms been altered or in some way affected by folks, you know, algorithmically, who, you know, may have an opinion on those types of topics? And the answer is what we see in the Twitter files was absolutely.

Joshua S (06:26.051)

And so I extrapolate that out to essentially every big tech company because the targets are just too juicy.

Auren Hoffman (06:34.242)

And it could just be like, cause chaos on Slack, right? Complain about things. Let's bring random grievances up and stuff like that. And yeah.

Joshua S (06:38.94)

Sure. Yeah.

Joshua S (06:44.755)

I mean, that's the classic, you know, CIA manual for trickery and deception that was used during the Second World War and given to partisans behind, you know, Axis lines to encourage them to sow chaos and throw sand in the gears. That's like a particular type of operation. I'm more talking about like, you know, you run operations to achieve national objectives.

So the point that I'm making is like, there may be people in these companies, I guarantee you there are people in these companies that are there that are achieving national objectives that it doesn't match up to what an American would say, it's an intelligence operation. It's like, ish.

Auren Hoffman (07:30.774)

So essentially what they're doing is they're often guiding a very large company, whether it be a Google or Facebook or whatever it might be, Microsoft, they're guiding a very large company to help achieve the ends of their country or their clan. And obviously this is usually not in the company's best interest to do that.

So how do companies guard against this? Like what can they do to, to reduce that? Obviously you can't go all the way to zero, but just like if you had somebody hacking, you know, you'd want to reduce that. What can you do to reduce it?

Joshua S (08:09.467)

Yeah.

I mean, it's really hard. I think you just have to be very mindful of who you're hiring, where you're putting them in your company. I mean, certainly there are mechanisms that are used across the US government. And in fact, they're used in tech as well, where you'll have like code reviews, reviews of new commits, et cetera.

And part of it is that you just have to be realistic about who your personnel are.

Auren Hoffman (08:48.898)

But you can make an assumption that like, like every intelligence agency in the world that's decent has like assets in OpenAI and you should just make that we have to make that assumption, right? Like why would they not? Like it's just so obvious.

Joshua S (08:54.789)

Yeah.

Joshua S (08:59.797)

No question. Yeah. Yeah, yeah. I would be willing to bet a large amount of information that OpenAI is completely penetrated by multiple intelligence agencies and has been for a while. Yeah. No, I guess the point that I'm making is like, what can you do? And it's like, well, you need to be realistic about who your employees are. And then you have employees that may not have the same interests reviewing each other's work.

Auren Hoffman (09:12.686)

They have to be. I mean, why would you not do that if you're a smart intelligence agency, right?

Joshua S (09:30.736)

You know, you wouldn't pair people up that may be, you know, have similar, you know, pejorative interests.

Auren Hoffman (09:42.016)

Yep. Okay. That makes sense. The, in, when we think about like industrial companies, industrial companies could have lots of problems. That could be kinetic things that happen with industrial companies. You think like power plants or factories or other types of things. And I imagine a lot of these companies just are not that hard and like hackers can attack these companies. Right.

Joshua S (09:50.427)

Yeah. Yeah.

Joshua S (10:06.063)

Yeah, interesting Wall Street Journal article dropped last week where sources probably from the Biden administration were relaying to the reporter that in December they had high level talks with the Chinese and the Chinese essentially admitted, admitted openly straight to the Biden reps that they had pre-positioned malicious cyber tools.

on American critical infrastructure and had been for some time. If you read or listen or watch the annual threat assessments that the directors of national intelligence have been giving to Congress every year for over, I think it's seven years, each one has said, with increasing amounts of sort of clarity that

foreign adversaries have been pre-positioning on American critical infrastructure. It's one thing for like our intelligence community to say that to Congress, even in the open, even in an unclassified forum. It's quite another to have the adversary themselves sit down with you, as reported in this Wall Street Journal article, and say, oh yeah, we're pre-positioned on your critical infrastructure.

Auren Hoffman (11:31.948)

And it's, it's, it's, it's used as a kind of like a bargaining chip or a threat or something. I mean, obviously we already knew that. It's not like we didn't know that.

Joshua S (11:39.854)

Yeah, it's one of these very interesting, people say, it's the wilderness of mirrors, right? They'll talk about how countries can and do interact with each other. It's like one thing to know something about someone else. It's another thing to know that they know that you know it, but it's then even like another thing for you to know that they know that you know.

Auren Hoffman (12:01.825)

Yeah.

Auren Hoffman (12:09.518)

Yep.

Joshua S (12:09.71)

I know that's weird, but you have to think about it in terms of what's going on in the social interactions and can you sort of feign ignorance, right? Because in many of these cases, you have these weird interactions with people and I'm totally blowing this, is like the secret sauce. You have these weird interactions and you never know if someone really gets it or not. You're saying things, you're trying to be esoteric.

you're trying to drop hints and you imagine that they're sort of picking up what you're putting down. And so the act of like really declaring something very openly is almost like it's unnatural, right? It's not normally done.

Auren Hoffman (12:54.69)

Yes, yeah, especially in the world of foreign policy intelligence services.

Joshua S (12:59.31)

Yeah, so for a senior Chinese official to be like, yeah, we're prepositioning your infrastructure. Like, if you guys come to the aid of the Taiwanese, like, we're gonna take it down. I've been making this joke even in public for many years, which is like, how do you know when the Chinese are gonna invade Taiwan? Like, what's the first thing that's gonna happen?

Auren Hoffman (13:19.118)

I assume all of our power is going to go out and our internet.

Joshua S (13:22.863)

Yeah, exactly. The joke is traffic lights on Oahu stop working. I've been made. So that's a joke, right? But it's definitely another thing for like a senior Ministry of State Security official or a senior, you know, the People's Liberation The Chinese Communist Party in China is the entity that has an army, right? China as a country doesn't have an army. It would be like if the Democrats had an army. So they call it the People's Liberation Army.

and Navy and all these other things, PLA and PLAAF. So it's a totally different thing for a People's Liberation Army officer to just sit there and be like, yeah, like we've got that. Like, and we know that you know that, but now we're telling you that we know that you know that, and we know that you know that we know that. So we can all speak frankly here about what we expect you to do or not do. So if you think about that, you just realize you just go down the list.

of everything that we have in the United States that enables us to not only project force into the Pacific or into Europe, but also live a normal life, like water purification, energy, power, sewage, all these things. And yeah, I think what we've seen over the past few years is that

A lot of these types of infrastructures are very vulnerable.

Auren Hoffman (14:54.156)

It's hard to get better at defending it. Like when you're a financial institution, like a bank, like you're getting attacked all the time and they're actually trying to execute the attack by stealing money. That is usually the goal of the attack on a bank. And so therefore you have a lot of experience with, you know, defending and understanding, you know, often when you have been successfully hacked, 'cause you see money go and there's all these things, right?

Whereas with a power plant or factory, you don't, you don't have that feedback loop to know because they're only going to take it down in an extreme circumstance. Right. And so I imagine it's just much, much, much harder. I assume that first of all, I assume that the targets are softer to begin with, and then it's much harder to defend than, than, than a bank. Right.

Joshua S (15:27.939)

Yeah.

Joshua S (15:37.515)

Yep. Yep.

Yeah, yeah, I think, you know, one of the reasons that they're so such challenging environments is because they sort of get built once, you know, 10, 20, 30 years ago, and then operated in perpetuity. And surely there may be upgrades and things like that. But, you know, this isn't this isn't an infrastructure. These aren't products. These aren't things that get renewed regularly. And so

It just creates a lot of opportunity. There also really isn't an incentive to protect them, unfortunately. That's like one of the most depressing things to realize is that, I mean, you can look at a bunch of industries. You can look at rail, which is really critical. You can look at water. And to some degree, power, the energy industry has done pretty well, actually, I really have to admit. Even the defense manufacturing industry.

There's really no incentive to protect the factories that make the stuff that we use to defend the country. And if you look at like rail and water, two very prominent examples of very basic cybersecurity guidance coming out from the regulatory agencies that oversee those industries, and the industries themselves just like hitting the ceiling, objecting, going to the Hill.

In various cases, they're just like, this would be completely unreasonable, just asking for basic staffing and spending. So it's really hard. It's like this sort of principal agent problem, because the minute that something happens, everyone's gonna instinctively just say, the government's gonna take care of it. When in reality, the thing that should have been happening all along is these companies should have been

Auren Hoffman (17:15.832)

Yeah. Yeah.

Joshua S (17:37.605)

you know, paying more attention and not to say that it's like easy for them, right? The way that I would sort of scope this whole thing is that, we have been enjoying the benefits of digitization for probably 40 years now, longer likely. And what we should have been doing is pricing in the risk.

as we enjoyed those benefits and we haven't been, we've basically just been free riding off them. So like the Piper's coming, you know, and we just haven't created architectures that enable us to try and, you know, soften the blow.

Auren Hoffman (18:26.552)

What did our adversaries learn from the Stuxnet hack? Because here and there we essentially were able to go into some older Siemens turbines, able to get those turbines to maybe rotate faster than they should have been rotating. I imagine a lot of our adversaries went through the code, understood that code, maybe even use that now against our own stuff.

Joshua S (18:42.665)

Yeah.

Joshua S (18:51.945)

Yeah.

Joshua S (18:55.35)

Yeah, so those were centrifuges being used to enrich uranium for the Iranian nuclear. I'm just explaining this for folks at home for the Iranian nuclear program. And the allegation is that code was deployed through various and creative and diverse means to essentially overwrite some of the instructions, like give them new instructions on how fast to spin. And that caused a...

Auren Hoffman (18:55.711)

How did I had a yeah. Yeah centrifuges. Yeah.

Joshua S (19:25.92)

cascading reaction that destroyed a bunch of those machines which were very sensitive and had likely been smuggled into Iran to do that. So yeah, I think the big lesson there was just that the physical world is just as vulnerable to cyber attacks as the digital world. Now that was a very exquisite operation, whoever ran it.

And so I think that, you know, in the intervening nearly 20 years, think about that, 20 years, yeah, what, like, I don't know, pull up the date. It was like late 2000, I mean, I think the public acknowledgement, the public, here, we'll just pull it up.

Auren Hoffman (20:03.704)

That was 20 years ago?

Wow. I like you're right. You're right. I mean, you're you're that's probably when they started it. Yeah. Oh my gosh. That's crazy. I'm feeling a little old.

Auren Hoffman (20:18.904)

You know, I think, yeah, 2010 was the public acknowledgment. So you're right. So probably was 20 years ago. Yeah.

Joshua S (20:21.845)

Sure. They say development, Wikipedia says development since 2005. Public acknowledgement in, or uncovered in 2010. So even then, okay, 15 years, but you gotta imagine happened before then. So 20 years, right, 20 years you have this very prominent example of, 'cause think about it this way, and this is how we used to talk on NSC in very unclassified generalities.

Auren Hoffman (20:32.204)

Yeah, yeah, yeah, yeah, 20 years. It's crazy.

Joshua S (20:52.236)

Here's an even better example.

How else would you have accomplished that mission? There's a great operation, probably one of the greatest special operations missions in Second World War history. The Nazis were developing, again, nuclear weapons. The Nazis were pursuing a different strategy to achieve a nuclear weapon. They were using heavy water, H3O, to create a...

you know, nuclear reactions that they could weaponize, put onto bombs. And one of the ways in which they were collecting, I think it's called, is it called deuterium, H3?

Auren Hoffman (21:39.928)

think you're right, but if I remember correctly.

Joshua S (21:41.151)

Yeah, Deuterium, yeah, H3. It's a...

or is it H3, deuterium anyway, heavy hydrogen. It's not H3, but the point is energy intent, heavy water, yeah, but anyway, think you have to, I'm not a chemistry guy, but the point is.

Auren Hoffman (21:57.166)

Heavy water, you mean? Heavy water? Okay, yeah, yeah, okay. Like H3O, instead of H2O, it's H3O. Yeah, yeah, yeah.

Joshua S (22:07.709)

I don't, whatever, deuterium. So the whole point is the Nazi program was relying on deuterium, which they were using to catalyze the nuclear reaction for the bomb. So in order to produce it, it's incredibly energy intensive and they had to have lots of power. And one of the places where they were doing this was in Norway where

they have enormous, what's it called? Hydropower stations. So hydropower, you can, it's basically just like free energy. If you can harness it right, if you can build these stations the right way, and it drives down your kilowatt hour cost. And so Norsk Hydro's,

company that has built a bunch of these power stations in Norway, even during the time of the Second World War. And you can do a lot of things with that, including like aluminum smelting, which is very energy intensive. And so the British Special Operations Executive put together a group of Norwegian partisans, trained them in a whole bunch of skills, parachuted them into the Norwegian hinterlands.

and had a bunch of teams converge on one of these facilities in order to destroy it enough to ruin the heavy water manufacturing process that the Germans were running.

It took almost a year, I think the op took over a year to plan and a month plus to execute. Lives, money, et cetera. So one year, call it tens if not hundreds of millions of dollars and fast forward 70 years later and it's a line of code.

Auren Hoffman (24:19.566)

Totally. What what? Yeah.

Joshua S (24:23.113)

So you have to imagine that like what's going on is we're creating optionality for our war making apparatus to accomplish things that would have taken an industrial infrastructure, a delivery mechanism, a trained staff, effective platforms. And we're just completely creating a new paradigm that enables them to be delivered electronically.

Auren Hoffman (24:48.844)

Now is part of like the really the goal survive like if you're if you're a if you're in the government, if you went back into the government, there's some ways like we have to harden these targets more so they're harder to hack. But in some ways, like maybe that's impossible. Like is it just like is is the bigger strategy just like resilience? Like, OK, you take down six power plants, but like whatever we can we can get the other ones running and then we can make these come back up over time or.

You know, we can bring things up. Like, is that the key thing in the end?

Joshua S (25:21.692)

Yeah, I think the role, like if you were to ask me for my sort of like magic and I don't have any magic, but you know, my magic solution, it would be a mix of capability to run manually for critical infrastructure and separate from the digital systems that enable you to have digital control. Second, and you know, not to plug the company, but like what we're doing at Galvanick, which is continuous monitoring for industrial systems and networks. So it's like,

Auren Hoffman (25:36.044)

Yep. Yep.

Joshua S (25:50.919)

You can operate digitally, but you have to watch everything, every single source of data within the four walls of that facility, watch it very carefully. You have to have baselines, be able to understand what patterns look like, understand what malicious activity looks like digitally. Then you need the ability to essentially cut off the digital systems. And then you need the ability to operate manually. And then I think you do need redundancy and resilience.

Auren Hoffman (25:54.935)

Yeah.

Joshua S (26:20.154)

and the ability to reconstitute. And if you were to sort of put those things together and pursue them in concert, I think you'd have a pretty good plan. That's certainly, you know, what we have articulated with the president articulated for a very long time during the first admin in terms of like the strategy to pursue. It's hard and you've got to corral a whole bunch of people together. And, you know, these systems aren't

You know, they're not, they're not built singularly, right? So they're very complex. A power grid's very complex. Anyway

Auren Hoffman (26:58.84)

Now, if you think of like the Russian-Ukrainian war that's begun for the last three years,

I would have thought if you had told me that Russia was going to invade Ukraine, that they would have been extremely successful in taking down, you know, and the factories and the power and all this other stuff. 'Cause obviously they're great hackers. And then I was talking to somebody recently and he said, well, the reason they weren't as successful is because they had been hacking them for so long that it was this cat and mouse game. Like, and then they got like,

Joshua S (27:30.501)

Yeah. Yep.

Auren Hoffman (27:34.008)

They actually helped build that resiliency over the 10 years prior to that. And we obviously, we don't have that here in the U.S. where we've kind of seen that kind of level of actually trying to shut some of these things down. Do think that that argument holds?

Joshua S (27:36.623)

Mm-hmm. Yep.

Joshua S (27:51.528)

Yeah, not only does it hold, but it was definitely how we were sort of thinking about things from 2017 to 2021. Yeah, I mean, the Russians had gone after the Ukrainian critical infrastructure, commercial infrastructure in various ways for a decade plus. You know, the NotPetya cyber attack in 2017, which caused tens of billions of dollars of damage worldwide, was essentially the Russian military

targeting the Ukrainian economy through the Ukrainian version of QuickBooks, which then the spreading mechanism that they used enabled it to just spread worldwide affecting, you know, the British hospital system, ports in the United States, chocolate factories, drug factories, a whole bunch of other things that were not the intended targets. The BlackEnergy incident where the Russians went after the Ukrainian power grid.

supposedly, same thing. And in those cases also.

Auren Hoffman (28:56.14)

So you're just like, essentially they're getting better about, okay, we got to go offline. We have to go to the manual. So we have to, you we have to like that type of thing. Like you just like.

Joshua S (29:01.423)

Yeah, and the Ukrainian power grid notoriously during that incident, as it has been reported publicly, was manual enough that they were able to essentially roll back away from the digital systems. And my guess, I don't have any insight here, but my guess is that they took that to heart over the intervening period from that incident forward. Whereas like you go to publicly traded board of like a big energy company today,

and you're like, hey, we want you to have like the ability to operate manually and we want you to exercise that twice a year. And they're going to be like, son, I've got quarterly earnings to meet. Like you want me to spend 500 man hours a quarter on what? You know, I've got fancy software that I bought from, you know, SAP 12 years ago that does this. Like you go sit in the corner, you know, I'll call you if I need you.

Auren Hoffman (29:39.982)

Totally.

Auren Hoffman (29:52.034)

Yeah, yeah.

Auren Hoffman (29:57.198)

What are some of your lawyers on things like backdoors on Chinese chips and some of these like how do you think about that?

Joshua S (30:03.867)

Yeah, I think you have to assume that anything that comes out of China, there's a capacity for it to be compromised by the Chinese Communist Party, by the Chinese intelligence apparatus. Do I think that means that everything is compromised? No, but the point is like you plan so that you can understand the range of possible scenarios that you might encounter. And so you just have to build that in as a planning assumption.

And I think anyone that doesn't do that is doing themselves and their constituents a disservice.

Auren Hoffman (30:41.877)

How do you think about things like DeepSeek? In some ways, supposedly China was able or the people behind DeepSeek were able to accomplish a fairly impressive model on lower costs with maybe not the most advanced chips, etc. How does that do you think affect our policy of what we should export, what we shouldn't export, etc.?

Joshua S (30:45.157)

Yeah.

Joshua S (30:57.093)

Yeah.

Joshua S (31:10.384)

Yeah, I mean, there's a bunch to unpack there. Obviously Jensen showed up in Beijing yesterday. And I look forward to seeing the outcome. I look forward to seeing the outcome of his tussle with the president of the United States. It's worked out so well for many people over the years. Is that great meme? No. So look, I think that from what I've read and I'm no expert and I don't even pay attention that much to it.

Auren Hoffman (31:17.068)

I didn't see that.

Joshua S (31:40.619)

And Nvidia is a great company and I hope they do well. They're doing well. I think I even own some shares, great. Nothing significant, but just like, yeah, it's done really well. At the same time, I've heard like 20 to 30% of high-end Nvidia chips end up making their way to China. And there is...

Auren Hoffman (32:05.218)

Right. It's impossible. I mean, it's impossible if you're going to send them to Singapore or wherever. This is like you just put it on a plane. It's not like they're heavy. Yeah, cut them anywhere. In a suitcase when you're flying.

Joshua S (32:12.558)

on a boat. And by the way, like, there's no way, I'm sorry, there's no way that the leadership of that company doesn't know that. There's no way. The money's too good. And so, you know, there's a bunch of things going on here. Like one, there's a trade conversation happening between the president and the leader of the Chinese Communist Party, who leads China at the current moment.

Then there's a conversation about trade. There's conversations about Taiwan. There's all these things happening. Then there's a conversation about reshoring. So, you know, I urge all these folks, all these chattering heads, although they get paid not to, but you sort of have to give the president like the latitude that he needs because I think he's probably one of the smartest people alive today. Having worked for him for four years and like gone in with that assumption, it was just validated time and time again when I worked for him.

So I think there's a lot going on. I'm open to a bunch of options. I think that he's got amazing judgment. So we'll see what happens there. But for the Nvidia crowd, like they just have to understand that like the jig is up, you know? Everybody knows that they're skirting the sanctions. So the question is like, what are they gonna do in exchange, right? Like everybody knows now and they've known for a while. Again, it's like the same thing with the...

with the CCP officer sitting across from the Biden people in December being like, hey, just so you know, like we're totally on your infrastructure. It's like the mask off moment where now everyone has to publicly acknowledge that we all know what's going on. Like we all know what's going on. Like Nvidia's second biggest market is China. They know, we know it and we know that they know it and we know that they know that we know it. Okay, like let's have that conversation now. And so I think that'll be very interesting.

Auren Hoffman (33:48.067)

Yeah.

Joshua S (34:09.156)

We'll see how it plays out and I wouldn't want to get in front of the president in terms of how to handle that.

Auren Hoffman (34:12.878)

No, no, when you were in government, you wrote up, you wrote like the white paper that eventually turned into the Defense Innovation Unit, the DIU. What DIU seems like it's worked out like super well and cut through a lot of bureaucracy, etc. Like what what did we do? And obviously, books about it and stuff. But what do we like? Why did it work with so many other things to reform and do other things like didn't work over the years?

Joshua S (34:40.355)

Yeah. So, you know, I wouldn't want to claim exclusive credit. There were other teams that were working on it in the Pentagon. The way in which I had advocated for that was directly to the chief of naval operations and the director of the National Security Agency, for whom I wrote a white paper because I was going out to Silicon Valley on behalf of the chief of naval operations. It's all over now. Everybody's moved on. I'm just going to say it. So I had I was working directly for CNO. I was a military officer. This is back in 2013.

And Ben Kohlmann, who's been nominated to be an assistant secretary of the Navy, Manpower and Reserve Affairs, fighter pilot at the time, wrote this article, said the military needs more disruptive thinkers. It became the number one blog post ever read on, I think, War on the Rocks at the time, and shared all over the Pentagon, shared all over the services.

The chief of naval operations, senior officer in the Navy, called Ben to the Pentagon to his office in the E ring and was basically like, alright son, I'm tagging you in, go find me some heretics. So Ben was tasked to work with a three-star and went out and found ten, you know, people that just kind of didn't fit in in the Navy. I was one of them.

There's a few very other interesting ones. I don't want to blow their cover. They've done very and are doing very interesting things right now. Some of my closest friends and CNO brought us in and was like, look, go find asymmetric opportunities for the United States Navy and you have my support and we'll get you money. So one of the projects that I was working on in 2013 was bringing augmented reality to the fleet. So I flew out to Google, talked my way into Google X.

and convinced them to allow me on behalf of the United States Navy to join the Google Glass Explorers program, if you remember that. Google Glass was like the little heads up computer. So I bought a bunch of them, brought them back to the, and they kind of knew and they were like, look, it's very sensitive, the Department of Defense, so don't tell anyone. I don't think we ever signed an NDA, so we'll talk about it now.

Auren Hoffman (36:40.642)

Yeah.

Joshua S (36:57.975)

I had a team of programmers working with me and this other program manager, a civilian, and we started building apps for Google Glass that you could put on a Navy ship to just speed up what you would call like the John Boyd OODA loop, Observe, Orient, Decide, Act. When you're on the bridge of a Navy ship, there's a ton of information that's coming in to the people that are there that are standing watch.

And if you can just provide very specific information that they always want to see right there in their field of view, it just makes things faster. So the theory was, okay, we'll make our guys faster, more nimble, et cetera. In the course of doing that, I was talking to all these folks at Google who were like pulling me aside after the meetings and being like, hey, look, there's this huge movement to stop taking meetings with the Department of Defense because everyone and their mother comes out here and they take meetings all over the company.

and they never ask for anything.

Nobody understands what's going on and it's a waste of our time. And it goes all the way up to the executives and they're thinking about cutting it off. As a military officer, I was like, I understand what's happening here, twofold. Like one, you have retiring officers that are looking to come out and essentially like talk their way into tech companies by just showing up and being like, hey, look at me, I'm wearing a uniform. I'm retiring soon. Wink, wink, nudge, nudge.

On the other hand, in a much more sort of like non-cynical approach, by 2013, everyone knew that tech was gonna be important in warfare. And whenever a new commanding officer takes command of a unit, they'll go out and they'll talk to all the places, they'll go get a capabilities brief from all the other units that interact with them. And so it was some mix of these two things that was going on.

Joshua S (38:53.142)

where you'd get like crazy special forces units coming out and talking to Google, Google X, whatever, and they just wanna know what's going on. With those types of capability briefing meetings, you never have an ask. You just wanna know what they do and who to talk to in case you need it. So I synthesized all this information, I took it back to CNO and I was like, look, we need to create an embassy style function that can be the entity that owns relationships in Silicon Valley.

And then when you have unit commanders or other senior officials come out, they go see that embassy and the embassy makes sure that they're maintaining those relationships and when they need to, they'll bring those visitors into these critical meetings, but they'll manage those relationships as a way to continue building them. So I wrote that white paper, I advocated for it at a bunch of in public, didn't think it was going anywhere. And then, yeah, the week I was...

getting off of active duty after almost eight years, I got a phone call from the Pentagon and they're like, oh yeah, like Joint Chiefs and CNO and SecDef have been discussing this and they're literally gonna stand it up next week. So I left active duty and I just called up my friends and I was like, hey, put me in as a reservist and me and Ben Kohlmann joined DIU right at the beginning is what we call plank holders. So on the reserve side, that's the story.

Auren Hoffman (40:18.786)

That's cool. That's great. Yeah, it's doing great. Yeah, it's amazing. It's a great. It's a great. Now, a lot of people are especially in tech are kind of extremely negative on defense primes. Like, where do you stand on it? How do you think about it?

Joshua S (40:20.203)

Great. And they're doing great. They're doing, sorry, answer your other question. They're doing great. I think, yeah.

Joshua S (40:37.409)

Yeah, that was one of the things that when we were this task force I was telling you about, it's called the Chief of Naval Operations Rapid Innovation Cell. You know, you know, you've got a good acronym when it's got nested acronyms. So we called it the CRIC, CNO's Rapid Innovation Cell, nested acronyms. It's like super high level in the Department of Defense. Yeah, you know, we would travel places, talk to users, so to speak, talk to senior officials, junior folks, what's going on at the edge.

Auren Hoffman (40:56.088)

Ha ha ha.

Joshua S (41:07.136)

And like one of the biggest conclusions we came to in 2013 was that we needed prime, a new prime, new primes, plural, to be able to natively go after these emerging warfare capabilities. We built one of the first autonomous unmanned underwater vehicles. We co-developed it with a university.

We were out talking to Saildrone in 2013. We found them in the Bay and went to go talk to them. They were like doing whale watching. And we were like, I want a thousand of these things in the South China Sea. And they were like, no, no, we started this company to watch whales. So we were thinking about autonomy. We were thinking about augmented reality. We were thinking about 3D printing. Ben put a 3D printer on an aircraft carrier in like 2014.

We were doing other stuff that I can't talk about.

Auren Hoffman (42:07.63)

When you think of these primes, like, it seems like almost everyone is universally like somewhat negative on it or at least or some somewhat negative to extremely negative. Like, is it graft? Is it is it just like big companies get get stale over time? Is it like what what's the why why are they so underperforming?

Joshua S (42:19.368)

Yeah. Look, our thinking was that...

Joshua S (42:32.288)

our thinking was that essentially the current primes just had not been born in the age of technology and capability that we were now seeing. And you needed new entrants, new primes to be able to integrate those new technologies. I mean, look, you look at an F-18 and look at an aircraft carrier and the United States of America's ability to take 4,500 souls

Auren Hoffman (42:47.255)

Yeah, okay.

Joshua S (43:01.79)

man, train, equip a floating city, put it anywhere in the world, refuel it at will, and launch a fleet of aircraft and recover a fleet of aircraft off it, essentially in perpetuity, is probably one of humanity's greatest achievements. Like probably top 100, I'd say in terms of industrial capacity. And that's due to the defense primes that we have today. Now,

Auren Hoffman (43:27.534)

We were doing that well 40 years ago too, like, yeah.

Joshua S (43:30.688)

That's right. So, but the point is like you have to, you know, you have to, you know, game respects game. So there is utility in these companies. There is a necessity in these companies at the same time, like they're not native to, and they are definitely connected, very well connected to the cadres inside the Pentagon that essentially want to operate business as usual. And so, you know, when you think about what next generation conflicts may look like,

Auren Hoffman (43:36.194)

Yeah, yeah, yeah.

Joshua S (43:58.899)

Those primes have had a harder time adopting these new modalities that I think have the possibility to leapfrog American capabilities in certain ways. And so, you know, we talked about building new primes really from the beginning, you know, right from 2013. And obviously now we're seeing the emergence of companies like Anduril, companies like True Anomaly and more that are, you know, capable of operating at that

at that very senior level. And I think it's important. I think that it's a good thing because you need to essentially have like new blood that's coming in that just thinks about things very differently and isn't like, all right, we have to go out and get the next fighter contract. But like, hey, I wanna go out and deliver new capabilities that enable us to deliver kinetic payloads, right? Which is the thing that the fighters do. But when you've built a capability and a pipeline of people,

to make fighters, like that becomes your focus, not the outcome.

Auren Hoffman (45:02.222)

Also depends on like, are you nimble enough to recruit the best talent? Because the best talent, need, they can't have too much bureaucracy if they're going to create something. so in the, you know, 1962 Lockheed was getting this incredible talent who could make the Blackbird and they can make these other types of things. Like these were incredibly talented engineers, were they able to recruit? My guess.

today is that it's just much, much harder for them to recruit these like incredibly talented engineers, because you have to like a lot of them, like when I talk to people there, they have to like keep time. They have to like time card themself and there's just all this bureaucracy and just they've become much bigger entities. And we are where it's like an Anduril. You're just going to be able to recruit much more talented people. You give them stock options. It's more of a startup, et cetera.

Joshua S (45:42.28)

Yeah.

Joshua S (45:55.966)

Look, I'm sure that's true. I am guessing though that places like Phantom Works and Skunk Works probably still have an easy time recruiting top talent to build crazy things that we'll find out about 15 years after they start, 20 years after they start. I mean, just look at the X-47, which the announcement said we had been flying it for some time now. I'll let the audience ask and maybe answer for themselves what that means.

But like we can still do like insane things and that's done with the help of the primes. So I'm not one of these guys that's out here like all down with Northrop, down with Boeing, all these other places. It's like look, those companies have a place and have a heritage and a capability to do things that are really extraordinary, but the whole point here is like you want new entrants that can also sort of challenge the

the strategic direction and the capability, and I think it keeps everybody honest.

Auren Hoffman (46:57.614)

Alright, a couple personal questions that we ask all of our guests. What is the conspiracy theory that you believe?

Joshua S (47:06.398)

Hmm.

Joshua S (47:14.974)

I don't know, I'm super paranoid about food and what's been going on to the American food supply. So I tweet a lot about seed oils, industrial lubricants being used as food, crazy ingredients. Basically in the past three years, I've tried to cut out nearly anything that's not, you know, natural from, it's super hard, yeah.

Auren Hoffman (47:40.77)

Hard to do, right? I mean, it's really, really hard to do. It's like all of a sudden you should realize like I can't eat anything. Like it's like I'm eating some like, you know, it becomes, or I have to pay like 4X for my food or something, you know.

Joshua S (47:47.184)

It's wild.

Joshua S (47:53.745)

I'm like packing meals on airplane. You know, like I'm bringing like hard boiled eggs on an airplane. And they're like, do you want the little Biscoff cookies? And you look over and it's like 28 ingredients. And you're like, I can't have this. Like, no, thank you.

Auren Hoffman (48:06.702)

The problem is those Biscoff cookies taste so freaking good. I love them. That's like my guilty pleasure is those cookies and like United doesn't have them anymore. They still have one American and I doesn't have it. Sometimes I'm like, I should just fly American just for that cookie.

Joshua S (48:09.533)

They're good. Yeah. I know. Yeah.

Yeah.

Yeah. So yeah, that's probably something that I'm just really, not actively angry, but I'm just like disappointed in is that you have these, that is one of the reasons why I was so excited.

Auren Hoffman (48:30.36)

Yeah. But is it a conspiracy or is it just like one thing leads to another or something?

Joshua S (48:36.635)

I think it's a structural, you know, there are things that I think aren't like 10 people in a room getting together and talking about, and they're sort of like implicit structural conspiracies, right? It's like everybody kind of, it's a Schelling point, right? You know, this concept where people are just like, well, the corn lobby is really gonna support these subsidies and, you know, this weird oil that they produce as a byproduct can be used by us.

And so we can go in and we know that they'll support us in the committee when we try and get the ag subsidies for this or that or whatever. And so I have a feeling that it's sort of like a conspiracy by default, where it's like, there wasn't like one person who was like, I know what we're gonna do. We're gonna poison the American people by, you know, feeding them industrial lubricants. It was just like, over time, consultants came in and they're like, man, you've got this byproduct. Like, what are we gonna do with it? Like, we gotta find a way to monetize it.

Auren Hoffman (49:17.548)

Yeah.

Auren Hoffman (49:23.115)

Right.

Auren Hoffman (49:34.721)

Yeah.

Joshua S (49:34.876)

And then they're like, yeah, but like engine lubricants are better if you just make them out of complex carbon chains as opposed to this or that. So let's see what else we could do. And then they're like, eventually someone was just like, oh yeah, you can feed it to animals.

Auren Hoffman (49:46.4)

We'll eat it. Totally. All right. Last question we ask all of our guests. What conventional wisdom or advice do you think is generally bad advice?

Joshua S (50:06.587)

Joshua S (50:10.704)

I this whole follow your passion thing, a lot of people say this as a critique. So I'll just sort of pile onto this.

I'm very skeptical of it because I think that when you're good at something, it compounds into joy. And so instead of like, you're doing it the wrong way, right? You're like, what do I enjoy? I enjoy drawing or something like that. So I'm gonna go do drawing. And it's like, I'm just not sure that that's like a productive. Whereas like, if you find a way to be excellent at something,

and you pursue that excellence, like you derive joy out of the excellence. And so I just think that thinking more seriously about how to professionally spend your time and using as your North Star that like, what can I find that I can be really good at? I think it creates a virtuous cycle around joy and fulfillment as opposed to starting with the sort of neurochemical like

what can I do that will have a feedback loop, right, that will, you know, immediately bring me that dopamine hit. To me, it's much more like find something to be very good at, learn what it means to be good at something, learn what it means to develop excellence, and then use that pattern that you've built to find other things to be excellent at. So yeah, I think that's like what I would.

Auren Hoffman (51:49.362)

How, like if you like, when you're giving advice, because I'm sure a lot of people come to you for career advice, et cetera, you can always be like, you could be working on your weaknesses and getting better at those and you're, could be working on your strengths and getting better at those. Like how should one divide their time? How should one be thinking about

Joshua S (52:08.696)

I try and just exclusively focus on working on my strengths. And then you wanna identify your weaknesses. And then if there's a way that you can like 80-20, like fix or mitigate those, I say do it. I'm not sure that this is good advice by the way, it's just like how I operate. It's like there are things that I'm excellent at, I wanna go do those things. And then there are things that I'm not great at. And it's like...

Auren Hoffman (52:25.378)

Yeah, yeah.

Joshua S (52:34.531)

I'd much rather find a way to bring someone else in to do those things than to try and build up that capacity myself. Because I know what it took for me to be excellent at whatever it is. It was like years, sometimes decades of work. And so when there's something that I'm not good at, I know what it's going to take for me to be good at that. And it's just like, I need to find some way to, I need to find some.

Auren Hoffman (52:55.564)

Yeah. It's sometimes a weakness. You don't go from like terrible to very good. You go from like terrible to mediocre, or something. Yeah. My, my, my rubric is like, what is, how debilitating is that weakness? So if you're just like, like a crazy heroin addict right now, it probably does make sense to go work on that weakness, right? This is like, it's like, it's just completely taking over your life. But if it's like, I don't know, you're late to meetings or something.

Joshua S (53:14.991)

Yeah. Yeah.

totally. Yeah, no, you're right.

Auren Hoffman (53:25.678)

Like, okay, maybe, maybe that's not like an important weakness to work on or something. Yeah. Like there are other things to do it. All right. This has been, this has been awesome. This has been great. Thank you, Josh Steinman for joining us on World of DaaS. I follow you by the way at Joshua Steinman on X. I love your tweets and or posts or whatever they're called now. Um, I definitely encourage our listeners to engage with you there. This has been a ton of fun. Good morning. We're going to win. Yes. You write that all the time, which I love. Yeah.

Joshua S (53:30.575)

Yeah. No, I think that's right. Yeah.

Joshua S (53:45.228)

Good morning. Good morning.

Yeah, good morning. We're going to win.

Yeah. Thanks for having me, Auren. Yeah.

Auren Hoffman (53:55.79)

All right, this is great.
