Why that matters depends on what “matter most” means. The public conversation is rarely precise about it.

“AI company” is not a category

The industry gets flattened into one label, and that label is useless for thinking about risk. AI is a stack. The layers are not interchangeable.

At the top by capability, not by headcount or valuation, sit the frontier labs. The term has a precise meaning that casual usage erodes. A frontier lab trains its own foundation models from scratch, on the order of tens of thousands of accelerators running for weeks or months. It operates at the current capability boundary, not behind it. And it produces the architectural advances that everyone downstream inherits. By that definition the global count is small. Under twenty labs, plausibly fewer.

Everything else descends from that layer. Foundation-model labs train real models below the frontier, often open-weight and domain-specific. Fine-tuners take an existing base model and reshape it for a vertical (law, code, clinical data) using a fraction of the original compute. The application layer, where most of the named “AI companies” live, rents intelligence through an API and builds product on top of it. Beneath all of it runs the infrastructure: compute, model-serving, the data pipelines. The frontier labs depend on that infrastructure as heavily as anyone above them.

The strategically decisive layer is the first one. Capability originates there and diffuses downward. Its geography is what should concern a security planner.

Where the frontier sits

The corridor is dense. OpenAI and Anthropic in San Francisco. Meta’s FAIR in Menlo Park. xAI in Palo Alto. The chip-design and model-serving layer sits in the same handful of zip codes: NVIDIA in Santa Clara, the serving firms in San Francisco and San Mateo. So does the established software that consumes frontier output, from Salesforce to GitHub to Adobe. Seattle, with Microsoft and Amazon, is the only real break in the pattern, and it is still a single metro. One layer has started to leave. Raw compute is moving to where the power and land are, xAI’s Colossus to Memphis, the Stargate build to Abilene. Capital and silicon disperse when they have to. The talent and the IP have not.

Abroad, the Western frontier is not a cluster. It is a scatter of one-per-country bets. Google DeepMind in London. Mistral in Paris. Cohere in Toronto. Falcon, out of the Technology Innovation Institute in Abu Dhabi. Each is its nation’s single entry at the frontier. Europe’s entire frontier presence comes down to two cities.

China is the exception to the scatter. Hangzhou anchors DeepSeek and Alibaba’s Qwen. Beijing holds ByteDance, Moonshot, and Zhipu. Shanghai adds MiniMax. That is depth, and planned resilience.

Concentration of Resources is a Tactical Blunder

Concentration is fragility, and the warning usually arrives before the failure. Through the 1930s the U.S. Pacific Fleet operated out of West Coast ports. In 1940, to signal resolve to Japan, the Roosevelt administration ordered it consolidated forward to Pearl Harbor and held it there. Admiral James Richardson, the Navy’s foremost authority on Pacific warfare, told Roosevelt directly and then put it in writing: a fleet massed in one exposed harbor was the logical first target in a war with Japan. He was relieved of command for pressing it. The administration wanted a deterrent. What it built was a target, and the officer best placed to see it was removed for saying so.

The frontier carries the same shape. A capability that lives in one seismic zone, on one regional power grid, inside one metropolitan labor market is efficient. It is not resilient. The talent and the intellectual property that define it aren’t just co-located in a country. They are co-located in a commute. Any planner who has war-gamed single-point-of-failure problems will recognize the target.

Geography narrows the collection problem. A distributed industry is a hard target. A frontier that resolves to a small number of buildings and a small, mobile talent pool is a legible one. Legible to foreign intelligence services, to insider threat, to the ordinary churn of people carrying what they know from one lab to another just a few exits away. Concentration compresses them into an adversary’s target set.

We are measuring the wrong contest. The dominant frame treats AI as a race to a finish line: who crosses the capability threshold first. The map argues for a different metric. The durable advantage is depth and the resilience of where capability physically sits. That’s what China has been building. The U.S. may win the velocity race, but China wins on survivability.

None of this argues for dispersing the frontier by fiat. The clustering exists because proximity compounds talent and capital, and that effect is real. But the security community assumes the competition is about capability gaps and compute access. The geography points to a quieter variable: concentration itself. The side with a true second cluster has an answer to a question we have not seriously asked.

The frontier is a commute. That should be in the threat model.

Worldwide Lab Reference Data By Tier

Tier 1: Frontier Labs

United States

• OpenAI — San Francisco, CA

• Anthropic — San Francisco, CA

• Google DeepMind — London, UK (with Mountain View operations)

• Meta AI / FAIR — Menlo Park, CA

• xAI — Palo Alto, CA

• Amazon (Nova/Titan) — Seattle, WA

• Microsoft Research — Redmond, WA

China

• DeepSeek — Hangzhou

• Alibaba / Qwen — Hangzhou

• ByteDance / Seed — Beijing

• Moonshot AI — Beijing

• Zhipu AI — Beijing

• MiniMax — Shanghai

Rest of world

• Mistral — Paris, France

• Cohere — Toronto, Canada

• TII / Falcon — Abu Dhabi, UAE

• Samsung Research — Seoul, South Korea

Tier 2: Foundation Model Labs (Non-Frontier)

• Stability AI — London, UK

• EleutherAI — distributed/no fixed HQ (open research collective)

• BAAI / WuDao — Beijing, China

• Hugging Face — Brooklyn, NY (the open-model hub; also straddles infrastructure)

Tier 3: Fine-Tuners & Derivative Builders

This is the most geographically diffuse tier by design — it’s thousands of domain shops fine-tuning someone else’s base model. The headline example we used is Cursor / Anysphere (San Francisco), which fine-tuned Kimi K2.5 into Composer 2. Most of this tier is enterprise and vertical shops that don’t register as “AI companies” on a map.

Tier 4: AI Application Companies

• Salesforce (Einstein) — San Francisco, CA

• GitHub Copilot (Microsoft) — San Francisco, CA

• Adobe (Firefly) — San Jose, CA

• Perplexity — San Francisco, CA (RAG-based search, application layer)

Infrastructure (beneath everything)

• NVIDIA — Santa Clara, CA (compute)

• Together AI — San Francisco, CA (model serving)

• Fireworks AI — San Mateo, CA (serving; the Cursor/Kimi intermediary)

• Scale AI — San Francisco, CA (data/RLHF pipeline)

• Pinecone — New York, NY (vector DB)

• Weaviate — Amsterdam, Netherlands (vector DB)

Open the license agreement for Microsoft Defender and read down to the disclaimer. In capital letters you’ll read that the software is licensed “as is,” and you bear the risk of using it. A few lines down, a second all-caps block caps the company’s liability at roughly what you paid, which, for a tool bundled into Windows, is effectively nothing. That’s the deal. Microsoft builds the thing you rely on to keep attackers out, disclaims responsibility for whether it works, and leaves you with the damages should a breach occur.

Now consider what Microsoft has done to the researcher who exposed those flaws.

A pseudonymous researcher who goes by Nightmare Eclipse says Microsoft locked them out of its own reporting portal, paid nothing for the bugs they submitted, and ignored the findings. So they retaliated. Between early April and mid-May, Nightmare Eclipse dumped working exploit code for six unpatched zero-days affecting Defender, BitLocker, and core Windows components onto GitHub and GitLab, skipping coordinated disclosure entirely. At least three were turned on real victims within days, before Microsoft could respond. Instead of a patch, Microsoft answered with a referral to its Digital Crimes Unit and a threat of criminal prosecution.

In short, Microsoft tells you Defender is “as is” and the risk is yours. Then it reaches for criminal process against the researcher who found the specific risk you were told to carry. The company will not stand behind the product, and, at its worst, it turns on the people who prove where the product fails. The risk flows one direction. The liability flows the same direction. Neither flows back to Microsoft.

None of that excuses what Nightmare Eclipse did. Publishing live exploit code for unpatched flaws is reckless. It put ordinary users in the line of fire, and that is on Nightmare Eclipse. But it is a separate wrong, not a defense. Microsoft’s liability does not turn on whether the person who exposed the flaw behaved well. The disclaimer covers the product no matter how its failures come to light. “As is” means as is.

This would be easier to wave off as a licensing quarrel if the company had earned any benefit of the doubt. It hasn’t. Russian intelligence moved through Microsoft infrastructure into the U.S. Departments of Justice, Homeland Security, and Treasury in the SolarWinds operation, using a token-forgery technique Microsoft had understood since 2017 and disclosed to no one. Chinese state hackers rode four Exchange Server zero-days into more than 30,000 organizations in 2021. In the summer of 2023, the Chinese group Microsoft tracks as Storm-0558 read the email of the Commerce Secretary and the U.S. Ambassador to China in the days before a sensitive trip to Beijing, using a signing key Microsoft had stopped rotating and could not afterward account for. Then the same Russian group from SolarWinds walked back in through a test account with no multifactor authentication and reached Microsoft’s source code. Four catastrophic intrusions in six years. Not one required sophisticated tradecraft. Each turned on a basic control Microsoft failed to maintain — the kind of control Defender is sold to provide.

The Cyber Safety Review Board reviewed the 2023 intrusion and called it preventable, the product of a security culture it said required an overhaul. Nightmare Eclipse is not the first to make that complaint. The late Amit Yoran, then Tenable’s chief executive, accused Microsoft in 2023 of leaving customers deliberately in the dark about an unpatched Azure flaw, and in October 2024 Trend Micro’s Zero Day Initiative criticized Microsoft for quietly patching an actively exploited Windows flaw without crediting anyone and rating it only “moderate.” Check Point and others have described the same handling: silent fixes, withheld acknowledgment, disputes over severity.

What is unusual in the Nightmare Eclipse case is not the grievance but Microsoft’s answer to it. A criminal referral is not how the company normally treats researchers, and that is exactly why it shows how far this relationship has broken down. Katie Moussouris, who built Microsoft’s own bug bounty program, called the company’s language toward Nightmare Eclipse inflammatory. When the person who designed your disclosure program says you are threatening researchers, the researcher is not your real problem.

The real problem is that what Microsoft is doing is legal, and it is ordinary. Every software company on earth ships under the same “as is” disclaimer and the same liability cap. I argued in Inside Cyber Warfare that cybersecurity is a market for lemons — the seller knows the product’s defects and the buyer cannot. The license agreement formalizes that asymmetry. You can’t negotiate it; lawyers call a take-it-or-leave-it contract like that a contract of adhesion. If you don’t like the terms, the industry’s answer is simple: don’t use the software. There is no version of that answer for a hospital, a utility, or a federal agency running Windows.

No other industry that builds critical infrastructure is permitted to operate this way, and none of them surrendered the arrangement on its own.

Accountability is never volunteered. It is, historically, forced. To wit —

The railroads let brakemen lose their hands to the link-and-pin coupler until Congress mandated the automatic coupler in 1893.

The ammonium nitrate that leveled Texas City in 1947 (roughly six hundred dead, and still the deadliest industrial accident in American history) produced the principle Justice Robert Jackson set down in dissent: the public cannot be expected to possess the facilities or the technical knowledge to learn for itself of inherent but latent dangers. That sentence describes the software EULA exactly.

Detroit fought seat belts until the Motor Vehicle Safety Act of 1966, fifty-eight years after the Model T.

The first mass-market personal computer shipped in 1976. Half a century later, software liability still does not exist. Why? There hasn’t been enough public outrage to overcome the tech industry’s multibillion-dollar lobbying efforts to keep its unregulated status.

The 2023 National Cybersecurity Strategy calls for shifting liability onto software makers, who to this day carry none — short of gross negligence. Chris Inglis, who oversaw that strategy as National Cyber Director, made the same argument I did when he said “voluntary hasn’t worked in 25 years.” The model already exists in miniature — New Jersey writes liability into its cloud and software contracts, so a vendor whose flaw causes a state data breach pays multiples of its annual fees plus the full cost of the cleanup. The large vendors swallow those terms to win the contract. The small ones can’t, which is precisely why the floor has to be law rather than negotiation.

Nightmare Eclipse has promised Microsoft that their next drop on July 14 will be “bone-shattering.” The last batch was weaponized within days; there is no reason to expect this one won’t be. A single shut-out researcher may do to Microsoft’s customers what four nation-state services could not, and the wreckage may at last be ugly enough to drag liability into law.

The casualties of a mass zero-day release are never Microsoft’s executives. They are the hospitals, the agencies, and the ordinary users holding the risk Microsoft assigned them in the disclaimer. The logic of every precedent is that we keep waiting for the bodies before we act, and the bodies are always other people’s. We do not have to run this one to the end. The contradiction is already on the page: “as is,” you bear the risk, and a criminal referral for the person who proved it. Congress can take its cue from history and write liability into law now, or it can wait, as it always has, and let the next disaster, perhaps as soon as July 14, make the argument for it.

Infographic

We are in that moment again. The date is July 14, 2026.

What Is Converging on July 14

Three things are happening simultaneously on that date, and the overlap is not coincidental.

First: July 14 is Microsoft’s monthly Patch Tuesday, the most watched day in the enterprise security calendar, when Microsoft releases security updates for its products and the entire defender community pivots to assess, test, and deploy patches across millions of systems worldwide.

Second: July 14 is the date Microsoft permanently ends extended support for SharePoint Server 2016 and SharePoint Server 2019.^[1] After that date, both platforms will continue to run. Nothing shuts off automatically, but Microsoft will issue no further security patches, bug fixes, or technical support for either version. Any vulnerability discovered in SharePoint 2016 or 2019 after July 14 is, by definition, permanently unpatched on those platforms.

Third: a pseudonymous security researcher known as Nightmare Eclipse, who has already released six weaponized zero-day exploits targeting core Windows components since early April, three of which were confirmed under active exploitation within days of release, has publicly threatened a major disclosure on July 14.^[2] In a post directed at Microsoft, the researcher wrote: “Mark this date July 14th. I will make sure your bones are shattered that day.”^[3]

Whether the July 14th threat materializes, targets SharePoint specifically, or proves as severe as feared is unknown, what is known is the exposure. Your organization is either hardened for this window or it isn’t.

Who Is Actually Exposed

The vulnerable population is specific and, in national security terms, alarming.

During the July 2025 ToolShell exploitation wave, researchers at Censys identified 9,717 on-premises SharePoint servers that were directly internet-exposed.^[4] Those are only the visible ones. Air-gapped and internally accessible deployments are not counted in that figure. The actual population of organizations still running SharePoint 2016 or 2019 is considerably larger, concentrated in the sectors least equipped to absorb a mass exploitation event: federal government, defense, intelligence, healthcare, and finance.

Government agencies are disproportionately represented in this population for a structural reason. Migrating to cloud-based SharePoint requires obtaining a new Authority to Operate under FedRAMP, a process that can take months to years. Many agencies are caught between a legacy platform they can no longer safely run and a cloud migration they haven’t completed. Some DoD and intelligence community environments run air-gapped networks that cannot migrate to cloud by definition. For those organizations, “migrate before July 14” is not an available option. Hardening is.

The federal government’s exposure to SharePoint vulnerabilities is not hypothetical. In July 2025, ToolShell, a chained exploit combining remote code execution and authentication bypass, was used against over 400 organizations worldwide, including multiple federal agencies and state and local governments.^[5] The Department of Energy confirmed that both DOE components and the National Nuclear Security Administration were affected, though the agency characterized the impact as minimal and said a very small number of systems were involved.^[6] The vulnerability was patched, but the structural conditions that made federal agencies vulnerable to ToolShell in 2025 have not changed.

Why July 14 Is Different From a Normal Patch Tuesday

The feature that makes Nightmare Eclipse genuinely dangerous, and different from the established norms of security research, is not the disclosure of vulnerabilities. It is the simultaneous release of weaponized, working proof-of-concept exploit code.

Standard practice, even among aggressive disclosers who publish over vendor objections, maintains a professional line between disclosure and arming. Publishing a technical description of a flaw allows skilled researchers to reproduce it. Publishing working exploit code hands a loaded weapon to anyone who can download a file.

The practical consequence is a collapse in what security professionals call the weaponization-to-exploitation window. Under normal conditions, even after a vulnerability becomes public, threat actors require days to weeks to reverse-engineer the flaw, develop working exploit code, test it, and deploy it against targets. That window is what gives defenders time to patch. When working exploit code is released simultaneously with the disclosure, that window closes. The barrier between “I know this vulnerability exists” and “I have working code to exploit it” drops to zero.

Huntress Labs confirmed active exploitation of Nightmare Eclipse’s BlueHammer, RedSun, and UnDefend exploits within days of their release in April.^[7] The gap between code on GitHub and attackers using it against real enterprise targets was not weeks. It was hours.

Enterprise patch cycles do not operate in hours. Even well-resourced organizations with mature patch management programs operate on weekly or bi-weekly cycles, with additional time required for testing before updates reach production systems. When the exploitation window collapses to hours, patching after the fact is not a defense strategy. It is a damage assessment strategy.

On July 14, if Nightmare Eclipse releases weaponized exploit code against SharePoint 2016 or 2019 on the day those platforms permanently lose patch support, the organizations most likely to still be running those platforms are also the ones with the slowest patch cycles, the most complex IT environments, and the most sensitive data.

What to Do Right Now

While six weeks is a short window, it is not an empty one.

The Y2K parallel holds: the relatively benign outcome of that crisis was not evidence that the warnings were overblown. It was the result of organizations taking date-certain, technically understood risks seriously early enough to act. The actions below reduce exposure regardless of what Nightmare Eclipse does on July 14.

Inventory immediately. Every organization running on-premises SharePoint should know today exactly which version it is running, how many instances exist, and which are internet-facing. This is not a complex technical task. It is a governance task that should have been completed months ago.

Take internet-exposed SharePoint 2016/2019 offline or behind a VPN now. If your organization has SharePoint servers directly accessible from the public internet that are not going to be migrated before July 14, reduce that attack surface today. Censys could see your server during the ToolShell wave. So can every threat actor who knows how to run a scan.

Accelerate or emergency-authorize migrations. For organizations mid-migration, July 14 is a forcing function that justifies emergency procurement authority, expedited FedRAMP review requests, and executive-level prioritization. The cost of an accelerated migration is known and bounded. The cost of a mass exploitation event is neither.

Segment aggressively. For environments that cannot migrate before July 14, including air-gapped defense and intelligence installations, network segmentation, enhanced monitoring, and restricted lateral movement capabilities reduce the blast radius of a successful exploitation. This is not a substitute for patching. It is a risk reduction measure for the window in which patching is not available.

Brief leadership before the end of June. This is a board-level and agency-head-level risk event, not a patch management task. The officials responsible for mission continuity need to understand what July 14 represents before it arrives, not after.

Ensure CISA KEV alerts are operationally connected. The CISA Known Exploited Vulnerabilities catalog exists precisely for situations like this. Verify now that alerts are flowing to operational security teams with defined response timelines — not being logged and reviewed quarterly.

The Deeper Problem July 14 Exposes

None of this would be a crisis if Microsoft’s security culture matched the scale of its infrastructure footprint.

The federal government’s dependence on Microsoft products is total in ways that have no equivalent in the private sector. Exchange Online handles diplomatic communications. SharePoint manages classified workflows. Azure hosts systems whose compromise has resulted in Chinese intelligence services reading the email of America’s most senior diplomats. The Cyber Safety Review Board, after investigating the 2023 Exchange Online breach that exposed the accounts of the Commerce Secretary, the U.S. Ambassador to China, and senior State Department officials, concluded that the intrusion was preventable, that it reflected a cascade of security failures at Microsoft, and that Microsoft’s security culture was inadequate and required an overhaul.^[8]

The researcher at the center of the July 14 threat claims to have exhausted conventional reporting channels, only to have had their Microsoft Security Response Center account deleted, their vulnerability reports ignored, and their bug bounty payments withheld.^[9] Whether or not every element of that account is accurate, it describes a failure mode in Microsoft’s researcher engagement that the security community has documented repeatedly. When the world’s largest software infrastructure company treats its most capable outside eyes as adversaries rather than assets, it removes the early warning layer that might catch what internal teams miss. July 14 is the result.

A Final Note on Proportionality

The Y2K crisis ended well. Not because the risk was overstated, but because enough organizations took the warning seriously early enough to act. The people who called it a false alarm after the fact were confusing outcome with probability.

July 14 may also end quietly. Nightmare Eclipse may not follow through. The disclosure may affect platforms other than SharePoint. The payload may be less severe than feared. None of that changes the calculus for a federal agency, a hospital network, or a defense contractor still running SharePoint 2016 today. We have a credible threat against a known target set, on a specific date. The clock is ticking.

Notes

[1] Microsoft. “SharePoint Server 2016 and 2019 End of Support.” Microsoft Lifecycle Policy. Confirmed end-of-extended-support date: July 14, 2026. https://learn.microsoft.com/en-us/lifecycle/products/sharepoint-server-2019

[2] Barracuda Networks. “Nightmare-Eclipse: Six Zero-Days, Six Weeks and One Big Grudge.” Barracuda Blog, May 19, 2026. https://blog.barracuda.com/2026/05/19/nightmare-eclipse-zero-days-grudge

[3] Cybernews. “Microsoft’s Nightmare: GitLab Removes Rogue Security Researcher Days After GitHub Ban.” May 27, 2026. https://cybernews.com/security/gitlab-bans-rogue-researcher-releasing-windows-zero-days/ Note: Nightmare Eclipse’s gender is unknown. Coverage by The Register, Barracuda, and others uses they/them. This article follows that convention.

[4] Cybersecurity Dive. “What We Know About the Microsoft SharePoint Attacks.” July 24, 2025. Censys figure of 9,717 internet-exposed on-premises SharePoint servers cited as of the ToolShell exploitation wave. https://www.cybersecuritydive.com/news/what-we-know-microsoft-sharepoint-attacks/753961/

[5] CyberScoop. “Microsoft SharePoint Attacks Ensnare 400 Victims, Including Federal Agencies.” July 24, 2025. https://cyberscoop.com/microsoft-sharepoint-attacks-400-victims-us-agencies/

[6] BleepingComputer. “US Nuclear Weapons Agency Hacked in Microsoft SharePoint Attacks.” July 24, 2025. DOE spokesperson statement: “The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted.” https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks/

[7] Notebookcheck. “Microsoft Faces Security Community Backlash Over Nightmare Eclipse.” May 29, 2026. BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498) confirmed exploited in the wild. https://www.notebookcheck.net/Microsoft-faces-security-community-backlash-over-Nightmare-Eclipse.1311160.0.html

[8] U.S. Department of Homeland Security, Cyber Safety Review Board. “Review of the Summer 2023 Microsoft Exchange Online Intrusion.” April 2, 2024. https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewOfTheSummer2023MEOIntrusion508.pdf

[9] The Register. “Microsoft 0-Day Feud Escalates as Researcher Threatens Another Windows Exploit Dump.” May 28, 2026. https://www.theregister.com/security/2026/05/28/microsoft-0-day-feud-escalates-as-researcher-threatens-another-windows-exploit-dump/

The surest indicator that China has built something genuinely valuable in AI is not a five-year plan or a state media editorial. It’s a prohibition. When Beijing blocks a Western acquisition, it functions as an unintentional authentication service — we know the value of our technology versus yours, and you can’t have it.

The Meta-Manus decision is that signal. And the history behind it fills in the gaps left by the one-line statement from China’s National Development and Reform Commission.

I. The Manus Block as Evidentiary Signal

China’s National Development and Reform Commission — the country’s top economic planning agency and China’s functional equivalent of CFIUS — issued a single-line statement prohibiting a foreign acquisition of Manus and requiring all parties to withdraw from the deal:

“The office in charge of foreign investment security review (NDRC) has decided to block the foreign acquisition of the Manus project and require the parties to unwind the deal.”

What made that terse statement remarkable was what accompanied it behind the scenes. The decision was elevated beyond economic regulators to China’s National Security Commission — the Communist Party body chaired by Xi Jinping that oversees national security strategy at the highest level. Chinese officials reviewing the acquisition reportedly described it as a “conspiratorial” attempt to hollow out the country’s technology base. Not “unfair competition.” Not “regulatory concern.” Hollowing out. That conveys the essence of China’s concern: that home-grown technological advancements in a domain with national security implications will be transferred to the West.

Meta, meanwhile, seemed to be addressing a different concern — that of the U.S. government rather than the Chinese government. The company committed that there would be “no continuing Chinese ownership interests in Manus” and that the startup would shut down its operations in China entirely. This suggests Meta was concerned about the wrong issue and the wrong government. Beijing’s response was to look past the corporate structure entirely and rule based on the underlying reality: the IP, the talent, and the data were Chinese in origin, and no Singapore registration address was going to change that.

II. The Singapore-Washing Gambit — and Why It Failed

In July 2025, Manus announced it had relocated its office from Beijing — where it was founded — to Singapore. This is a well-worn path for Chinese technology companies seeking to distance themselves from their country of origin. There are four principal benefits:

• Easier access to Western investment capital

• Access to Nvidia H100/H800 GPUs blocked under U.S. export controls

• Singapore’s 17% corporate tax rate and English-Mandarin bilingual workforce

• Escape from China’s 2023–2024 VC environment, where founders cited months-long diligence cycles

Beijing’s intervention in the Manus deal sent a message to every founder who was watching: the model doesn’t work. China’s state-run Global Times made the doctrine explicit, arguing that the key issue is not where a company is registered or where its team is currently based — what matters is “the extent of its technological, talent and data links with China,” and most importantly, “whether the transaction could harm China’s industrial security and development interests.”

Beijing’s position is that the IP travels with the people and the data, not the registration address. Tech founders and venture capitalists who had been structuring deals around the Singapore-washing model found themselves looking at a landscape that had fundamentally changed overnight. Beijing had drawn the line not at corporate structure but at technological substance, and it had made clear it was prepared to use exit bans and regulatory reversal to enforce it.

III. The Historical Arc — From Courtship to Closure

Nothing about this is new. It’s the natural evolution of a strategy that has been running for thirty years.

Phase One: The Open Door (Late 1990s–Early 2000s)

In the late 1990s, China was running what amounted to the world’s largest technology acquisition program — and it was entirely legal. The bait was irresistible: a billion-person market, a generation of cheap PhDs, and tax incentives structured to make Western CFOs look like heroes. Microsoft, Dell, Oracle, IBM, Hewlett-Packard — they all came. Beijing wanted their R&D centers on Chinese soil, their engineers training Chinese counterparts, and their codebases within reach.

What made this machine run was the joint venture requirement. Multinational firms seeking to conduct foreign direct investment in China were required to form legal business relationships with domestic Chinese partners, with explicit technology transfer obligations that severely curtailed the rights of the foreign IP holder. The foreign firm transferred proprietary methods, designs, and know-how to the joint venture entity. That was the price of admission to the world’s largest market.

The U.S. Trade Representative later characterized it as “administrative review and licensing processes to force or pressure technology transfers from American companies” — a practice that had been baked into doing business in China since the early 1980s. The Western firms that entered accepted the terms and bet that market access was worth the cost. They were subsidizing their own eventual displacement.

Phase Two: Absorb and Innovate (Mid-2000s–2014)

China’s own framing for this period is instructive. Beijing-based Teamsun, which received technology transfers from IBM, declared its corporate strategy openly: “absorb and then innovate” — close the capability gap with the foreign partner, then replace them. That phrase is as close to an official doctrine as you’ll find stated in plain language, and it applied across sectors: auto manufacturing, pharmaceuticals, telecommunications, semiconductors, and software.

The knowledge transfer wasn’t purely transactional. It moved through laboratories, through graduate programs, through the daily friction of joint operations. What couldn’t be absorbed through proximity was taken through other means. China’s commercial espionage targeting during this period was neither random nor opportunistic. It followed China’s five-year industrial acquisition priorities almost exactly.

Phase Three: The Legal Architecture of Control (2014–2017)

Around 2014, the posture shifted. Beijing began building a legal architecture that signaled the extraction phase was ending. The Counter-Espionage Law (2014), National Security Law (2015), Cybersecurity Law (2016), and National Intelligence Law (2017) each expanded state control over foreign firms’ operations in China. The 2015 law required all information systems in China to be “secure and controllable” — meaning every company, foreign or domestic, had to provide the government with source code, encryption keys, and backdoor network access.

The HP case from that same year illustrates the dynamic. In 2015, Hewlett-Packard sold 51% of its China networking and server operations — a $4.5 billion business — to an arm of Tsinghua University. China’s restrictions on foreign technology vendors had made HP’s position untenable without concessions. IBM, the first major U.S. tech company to comply with the “secure and controllable” requirements, began delivering technical knowledge about high-end servers to Teamsun — the same partner that had declared its intention to replace IBM in the Chinese market entirely.

Phase Four: The Trigger Point (2017)

The publication of China’s New Generation Artificial Intelligence Development Plan in July 2017 was the line of demarcation for AI specifically. Rather than continuing to solicit Western expertise, the plan called for “indigenous innovation” — a formal declaration that the absorption phase was over and the generation phase had begun. It explicitly fused civilian AI development with military applications through civil-military integration doctrine. That fusion is the direct line between 2017 and the 2026 Manus decision.

The Pattern

Invitation → extraction → absorption → legislation → exclusion

In telecommunications, the welcome mat disappeared when Huawei emerged as a global competitor. In auto manufacturing, the joint venture requirements were formally removed in 2022 — widely viewed as a victory for foreign firms — but by then Chinese EV manufacturers had already overtaken the Western firms that trained their engineers. In AI, the welcome mat didn’t disappear quietly. Beijing pulled it back in public, with a one-line administrative order that named the thing it was protecting.

IV. The University Rankings as Structural Evidence

The Manus decision reflects a Chinese AI ecosystem that has reached genuine capability — not just in specific applications, but at the foundational research level that produces next-generation breakthroughs. According to CSRankings — a metrics-based assessment of the world’s leading computer science universities — all of the world’s top ten AI universities between late 2025 and early 2026 are in Asia, with China holding eight positions including the top seven. The United States contributes two universities to the top twenty.

Tsinghua University has produced more of the world’s 100 most-cited AI research papers than any other institution, and generates more AI-related patents each year than MIT, Stanford, Princeton, and Harvard combined. Peking University topped a global list of institutions ranked by AI research output since 2022. Chinese institutions took five of the top ten spots in 2024 publication rankings.

The pipeline matters as much as the current output. China graduated 3.57 million STEM students in 2020 compared with 820,000 in the United States — a figure state media now reports may exceed five million annually. That pipeline is producing frontier-level work domestically rather than exporting it to American universities and corporations.

DeepSeek is the illustration. Its founder, Liang Wenfeng, graduated from Zhejiang University. His team is composed almost exclusively of Chinese nationals fresh out of Tsinghua and Peking University — not returnees from American institutions, not veterans of OpenAI or DeepMind. Domestic talent, trained domestically, producing a model that rattled the American AI establishment at launch.

When Meta announced its Superintelligence Lab, all eleven founding researchers were educated outside the United States — and seven were born in China. America’s most ambitious AI initiative was built substantially on Chinese talent. Beijing watched that dynamic and decided the outflow had to stop.

V. Beijing’s Veto Is the Tell

Analysts have spent years debating whether Chinese AI capability is genuine or derivative — whether DeepSeek’s efficiency gains represent true innovation or clever optimization of borrowed foundations, whether the rankings mean what they appear to mean. Beijing just answered that question, not in a think tank paper but by issuing exit bans on two engineers and blocking a deal at the National Security Commission level.

“China is showing the world that it is willing to play hardball when it comes to AI talents and capabilities, which the country views as a core national security asset,” according to Lian Jye Su, chief analyst at Omdia. The acquisition ban, he noted, is “strongly indicative of what Chinese authorities may do going forward regarding acquisitions involving Chinese deep-tech companies.”

The machinery China deployed — regulatory reversal, travel restrictions, NSC elevation — is reserved for assets it cannot afford to lose. If Manus’s technology were replaceable, Beijing would have let Meta have it.

Jeff Caruso is the Founder and Managing Partner of the Whitefish Security Summit, which he co-organizes with Mick Mulroy, former Deputy Assistant Secretary of Defense, and CDR Eric Oehlerich USN (Ret., DEVGRU). He founded the Suits and Spooks conference in 2011 and publishes national security analysis at InsideCyberWarfare on Substack.

Singapore has a long history of being a convenient place for both Russian and Chinese companies to set up their global or regional headquarters. For AI companies like Manus, it offers the following specific benefits:

• It’s easier for Chinese startups based in Singapore to attract Western investment capital

• Access to Nvidia H100/H800 GPUs blocked under US export controls

• Singapore’s 17% corporate tax, English-Mandarin bilingual workforce, and Southeast Asia market access

• Frustration over China’s 2023–2024 VC environment (Tabcut founders cited months-long diligence)

While the Manus AI acquisition by Facebook is the latest example of this trend, I’ve identified thirteen other examples since 2023 that are contained in the downloadable spreadsheet, including hyperscale data center giant DayOne (spun out of GDS Holdings with nearly $4 billion raised), AI-for-pharma leaders Deep Intelligent Pharma and ChemLex, Temasek-backed enterprise AI platform Whale, conversational AI veterans Wiz.ai and AI Rudder, Tencent-pedigreed video generation startup Video Rebirth, AGI research outfit Sapient Intelligence, Vue.js creator Evan You's developer-tools company VoidZero, ex-Ele.me founders' consumer AI bet Orion Arm (Toki and Syft), e-commerce video tool TopviewAI, the Bloomberg-famous "Singapore-washing" poster child Tabcut, and the cautionary tale Megaspeed, now unraveling under US, Singaporean, and Malaysian investigations into alleged Nvidia GPU smuggling.

China To Singapore Startups

15.5KB ∙ XLSX file

Download

Download

Russian firms who have moved to Singapore for some of the same reasons include Yandex, Acronis, and Group-IB.

The bombs had already fallen. It was the evening of April 1st — the day before the 2026 Whitefish Security Summit was set to open — and it was unmistakably clear that the event could not proceed as if the world hadn’t just changed. The question wasn’t whether to address it. The question was how fast we could do it right.

This is the kind of moment that exposes the difference between a conference and a convening. Most events would have scrambled, apologized, and added a panel for next year. We had a panel on the floor of WSS 2026 within hours — credentialed, contextual, and substantive.

The ability to do this isn’t luck. It’s the whole architecture of what we’ve built.

Nancy Youssef, national security correspondent and one of the most respected voices on U.S. military operations, joined remotely as moderator. Colby Connelly of Energy Intelligence provided the energy economics lens — critical context given Iran’s position in global oil markets and the downstream consequences of any sustained campaign. On the ground in Whitefish, we had Mick Mulroy and Eric “Olly” Oehlerich of the Lobo Institute, both of whom have operational histories in that region that few in any room could match. And seated with them: Tony DeMario, EVP at Strider Technologies, whose CIA career included a posting as Chief of Operations for Iran andCounterterrorism.

Put that panel together on a stage anywhere else in the world on 24 hours’ notice and it would be considered extraordinary. At WSS, it was Tuesday.

Panel — assembled in under 24 hours

Nancy Youssef National security correspondent, The Atlantic — Moderator, Remote

Colby Connelly Senior Analyst, Energy Intelligence — Energy Economics, remote

Mick Mulroy Co-founder, Lobo Institute — former Deputy Asst. Secretary of Defense; CIA Paramilitary Officer

Eric “Olly” Oehlerich Co-founder, Lobo Institute — Commanding Officer, DEVGRU Squadron Two
U.S. Navy (Ret.)

Tony DeMario EVP, Strider Technologies — former CIA Chief of Operations, Iran & Counterterrorism (Ret.)

The panel ranked in the top three of the entire summit in post-event attendee surveys. That outcome didn’t surprise us — but it confirmed something important. The practitioners in that room weren’t looking for analysis they could find on cable news or in a think-tank PDF. They were looking for the conversation that happens between people who have actually operated in that space. The panel delivered exactly that.

The WSS model is built on a simple but hard-to-replicate premise: when you spend years cultivating genuine relationships with the people who matter — the operators, the intelligence officers, the energy economists, the defense policymakers — you can call on them when the moment demands it. Not in six weeks. Not after a program committee review. Now.

National security doesn’t pause for event calendars. The Whitefish Security Summit was designed with that reality in mind. What you saw on April 2nd is what that design looks like under pressure.

Thank you to our 2026 sponsors, who all believed in our mission and whose support made panels like this one possible: Strider Technologies, Red5, Helio Risk, Ledlow Security Group, 5 Stones Intelligence, Acorn Capital Management, IN Network, and Four Branches Bourbon.

WSS 2027 opens February 24th in Whitefish, Montana. Theme: Rings of Disruption — The 2027 Threat Landscape. Sponsorship and attendance inquiries are open now.

Learn More

On April 7, 2026, Anthropic unveiled Claude Mythos Preview under Project Glasswing — a controlled-access program that immediately sent shockwaves through the technology and national security communities. In internal testing, Mythos had identified thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser, reproduced vulnerabilities and developed working exploits on the first attempt in over 83 percent of cases, and in one documented instance uncovered a 27-year-old vulnerability in OpenBSD. Anthropic judged the model too dangerous for general release.

The U.S. government’s response illustrated a contradiction that would be comic if the stakes weren’t so high. The Department of Defense, which had formally designated Anthropic a supply-chain risk on March 3 and been upheld in that designation by the D.C. Circuit on April 8, was simultaneously watching civilian agencies rush toward the very company it had blacklisted. The Office of Management and Budget circulated an internal memo positioning Cabinet-level departments for Mythos access. Treasury Secretary Scott Bessent convened senior American bankers to urge them to use the model against their own networks. Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley were reported to be testing it.

An administration official summarized the situation with unintentional precision: “There’s progress with the White House. There’s not progress with the Department of War.”

OpenAI announced its own equivalent capability would follow shortly. The narrative crystallizing in Washington and on Wall Street was one of breakthrough — a threshold crossed, a new era begun.

The narrative of American breakthrough is almost certainly incomplete. The more accurate frame is one of American announcement.

That narrative is almost certainly incomplete. And a systematic review of Chinese academic literature makes the case plainly: the more accurate frame is not breakthrough but announcement. The capability has been under development in China for at least sixteen years. The question worth asking is not whether China has something like Mythos. The question is what they’re calling it internally, and how far ahead of their published record their operational systems actually run.

II. What the Chinese Academic Record Actually Shows

A search of CNKI — China National Knowledge Infrastructure, the primary repository for Chinese academic and institutional research — using keyword combinations spanning AI vulnerability mining, automated exploit development, LLM-assisted fuzzing, and related terms returns 74 results spanning 2008 through February 2026. The dataset is not exhaustive. It is, however, systematic enough to establish several conclusions with confidence.

The research thread is continuous and unbroken. The earliest entry, a 2008 master’s thesis titled “Study on Vulnerability Discovery Technique Against Smart-phone,” establishes that Chinese researchers were working on automated vulnerability discovery long before the current generation of large language models existed. By 2014, research on “Smart Fuzzing Technology” appears. By 2019, multiple doctoral and master’s theses specifically address AI-powered vulnerability mining as a discrete discipline.

The publication velocity accelerates sharply after 2022 and again after 2024, tracking almost exactly with the global LLM capability curve. What was a steady research program becomes a sprint. The most directly relevant paper in the dataset — “Design of an Intelligent Software Vulnerability Mining and Penetration Testing Framework in the Context of Large Language Model Applications” — was published in February 2026 in a journal called Equipment Technology. That journal title is not incidental. Equipment Technology is a defense-adjacent publication. This is not academic curiosity.

The institutional spread is equally significant. The research appears across civilian universities, state-owned defense contractors, and direct military institutions. China Electronics Technology Group Corporation — CETC, a state-owned defense conglomerate that directly supplies the People’s Liberation Army — appears in multiple achievement entries, including a 2020 operational deliverable titled “Research and Application of Key Technologies for Integration of Information Security and Artificial Intelligence.” That is not a paper. That is a delivered capability.

Most significant is entry 27 in the dataset: a 2023 achievement co-authored by the PLA Strategic Support Force Information Engineering University. The SSF IEU is not a civilian academic institution. It is the PLA’s primary organ for cyber and information warfare capability development. Its appearance in this dataset, producing operational outputs on AI-assisted vulnerability mining, is the clearest signal that what is published represents the leading edge of something already deployed.

III. The Group Intelligence Track — A Different Architecture

One of the more consequential findings in the dataset is a research track that does not map cleanly onto what Anthropic has described with Mythos. Running from 2019 through 2021, a cluster of papers and operational achievements centers on what Chinese researchers call 群智 — group intelligence, or swarm intelligence — applied to vulnerability discovery.

The key paper, “Vulnerability Mining Mechanism based on Group Intelligence Technology,” published in Communications Technology in 2020, and a companion operational achievement from CETC titled “Research on Key Technology for Collaborative Vulnerability Mining Based on Swarm Intelligence,” describe a fundamentally different architectural approach. Rather than a single powerful model operating autonomously, the group intelligence framework envisions networked AI agents collaborating on vulnerability discovery — distributing the search space, sharing findings, and iterating collectively.

This distinction matters for two reasons. First, it suggests China is not simply replicating Western LLM-based approaches but pursuing a parallel path that may yield different — and in some respects more scalable — results. A swarm of coordinated AI agents conducting distributed vulnerability discovery against a target network is architecturally harder to defend against than a single model, however capable. Second, it suggests that comparing Mythos to whatever China has developed may be comparing categorically different systems, which makes capability assessment significantly more difficult.

The group intelligence track is also, notably, the framework most directly suited to the scenario described in the final section of this article.

IV. The Power Grid Signal

Across the full 74-entry dataset, one application domain appears with striking consistency: power infrastructure. Smart grid vulnerability mining features in entries from 2017, 2018, 2019, 2020, 2021, and again in 2025. The journals involved include Jiangxi Electric Power, Zhejiang Electric Power, Chinese Journal of Power Sources, and the broader electric power research institutional network.

This is worth stating plainly. A sustained, multi-year, institutionally distributed research program focused specifically on finding vulnerabilities in power grid systems — including smart grid terminals, IoT power devices, and industrial control systems for substations — is not defensive research dressed as academic inquiry. It is target development. The consistent presence of this thread across more than eight years of published output indicates that Chinese researchers have been systematically mapping exploitable vulnerabilities in energy infrastructure with AI assistance for nearly a decade.

The implications for critical infrastructure protection in the United States and among NATO allies require no elaboration.

V. What Is Not in the Dataset

The CNKI database indexes peer-reviewed journals, institutional achievement records, doctoral and master’s theses, and conference proceedings. It represents work that has been cleared for publication — which in China’s system means work that has been reviewed, approved, and intentionally surfaced. Classified research, active operational programs, and PLA internal development programs do not appear here.

The SSF Information Engineering University achievement from 2023 is the most visible edge of a much larger structure. PLA cyber doctrine, as documented in open-source analysis of the Science of Military Strategy and related texts, treats offensive cyber capability as a strategic asset requiring continuous development and forward deployment. The published research suggests the capability exists. The doctrine suggests it is already operationalized.

It is reasonable to assume that China’s operational AI vulnerability discovery capability runs two to three years ahead of its published record. If the published record extends to February 2026 with LLM-integrated penetration testing frameworks, the operational system may have achieved comparable capability to Mythos in 2023 or earlier. This is inference, not confirmed intelligence. But it is inference grounded in a systematic reading of what China’s research establishment has chosen to make visible.

VI. The Policy Implication

The U.S. government is currently treating Mythos as a breakthrough requiring emergency access decisions. The OMB memo, the Treasury briefings, the White House negotiations with Anthropic — all reflect an institutional posture of responding to a threshold just crossed.

The Chinese academic record suggests the correct policy frame is not breakthrough response but parity management. If China achieved comparable capability in 2023 or earlier, the United States has spent two to three years in a threat environment it did not fully recognize. The question is not how to respond to what Mythos can do. The question is what Chinese systems have already done during the period when no American equivalent was deployed defensively.

This is the institutional contradiction that the Mythos moment has made impossible to ignore.

VII. The Cyber GAN — When the Systems Find Each Other

There is a final dimension to this story that current policy discourse has not yet fully confronted. It begins with a question: what happens when both sides have systems like Mythos, and those systems are operating simultaneously against the same target environments?

The most useful analogy from machine learning is the Generative Adversarial Network — the GAN architecture in which a generator and a discriminator are locked in continuous competition, each improving because the other improves. Applied to AI-powered offensive and defensive cyber operations, the GAN analogy suggests an arms race dynamic that humans cannot observe in real time, let alone meaningfully intervene in.

But the GAN analogy understates the danger in one critical respect. In a classical GAN, the generator and discriminator share an objective function and a training environment. They are, in a meaningful sense, optimizing toward the same goal from opposite sides. In a real cyber conflict between opposing AI systems, the offensive and defensive networks operate on asymmetric information — neither system fully understands the other’s architecture, objectives, or decision logic. A GAN eventually converges. Opposing cyber AI networks operating on asymmetric information may not. There is no equilibrium-seeking mechanism built into the interaction.

The more precise term for what this produces is an Autonomous Adversarial Cyber Ecosystem — an environment in which AI systems on both sides are developing, testing, and deploying offensive capabilities against each other faster than any human decision-making chain can track, approve, or constrain. The human commanders nominally in charge of these operations are, in the relevant time frame, passengers.

This is not a speculative future scenario. The Chinese group intelligence research track, with its emphasis on networked AI agents collaborating on distributed vulnerability discovery, is architecturally suited to exactly this dynamic. A swarm of coordinated agents probing a target network, sharing findings in real time, and iterating collectively against adaptive defenses is the offensive side of an adversarial ecosystem. The defensive side — AI systems attempting to detect, characterize, and respond to these probes — completes the loop.

Once both sides have deployed systems of this class against the same infrastructure, the interaction dynamic itself becomes the primary threat — independent of any specific attack, independent of any specific actor’s intent. The ecosystem generates emergent behavior that neither side designed, controls, or can reliably predict.

The policy community is not yet thinking in these terms. It is still asking whether Mythos represents a breakthrough, whether the DoD designation of Anthropic should be lifted, whether civilian agencies should get access. These are real questions. But they are upstream questions. The downstream question — what happens when the systems are already in contact — is the one that will define the threat environment of the next decade.

The Whitefish Security Summit exists precisely to have conversations that other forums are not yet having. This one is overdue.

METHODOLOGY NOTE

The Chinese academic literature cited in this article was retrieved from CNKI (China National Knowledge Infrastructure) using keyword searches spanning AI vulnerability mining, LLM-assisted penetration testing, fuzzing-based exploit development, and related terms. The dataset of 74 results spans 2008–2026. CNKI indexes peer-reviewed journals, institutional achievement records, and graduate theses cleared for publication; it does not capture classified or operationally sensitive PLA research. All institutional attributions are drawn directly from author affiliations as listed in the CNKI records.

Jeff Caruso is the Founder and Managing Partner of the Whitefish Security Summit and the Suits and Spooks conference brand, and publishes analysis at www.InsideCyberWarfare.com on Substack.

Nine months in the making, two name changes, three location changes — and then Whitefish. Over 130 people signed up to attend our first event and 86% have said they want to come back in 2027.

So much happened in just two days that it’s impossible to capture it all in one article, so I’ll be doing a series of highlights over the next 30 days, starting off with some images and feedback from those who attended.

Many of our attendees were Intelligence and Military veterans who took no convincing to do PT in near-freezing temps before breakfast.

“A core lesson came from combining Stanley McChrystal’s leadership insights with our morning PT, especially the 6:30 AM swim training in a 37°F Montana lake, led by Eric Oehlerich, former U.S. Navy SEAL and Commanding Officer of DEVGRU (Squadron 2). It made one thing clear: theory means little without execution. The water is cold, whether you like it or not. The real question is whether you perform and lead when it matters.” - Cassian Peña (WSS Young Professional attendee)

“I appreciated the opportunity to virtually join the event. You’ve assembled an impressive mix of talent and expertise.” - Stan McChrystal (Founder and CEO, The McChrystal Group)

“My favorite memory from the summit, was being able to bring my daughter Natalie to see the documentary “The Power We Hold: Stories from Women Spies” and for her to meet so many great people from the Community. I think that the summit’s inspiring experience will stay with her for the rest of her life.” - Matt Zacharias (Attendee)

"The WSS was a tremendous experience for our company. Exploring global risks and projected issues in geopolitics and national security, intelligence and defense is exactly the type of gathering we've been looking for. The collaborative model of the WSS lends itself really well towards interacting with true subject matter experts. We are already looking forward to next year. Best summit in best environment." - Kyle Sweet (Chief Strategy Officer, Helio Risk)

“My favorite memory was more of a post-event observation about the depth and breadth of super-smart, serious people - both presenters and attendees - who were there.” - Howard Gordon (Award-winning Writer and Producer)

This is the first in a series of dispatches from the inaugural Whitefish Security Summit. Part II drops Monday, April 20th, with additional attendee feedback, photography from across the two days, and deeper coverage of the programming. Video coverage will follow in Part III.

None of this would have been possible without the support of our sponsors: Strider Technologies, Red5, Helio Risk, Ledlow Security Group, 5 Stones Intelligence, Acorn Capital Management, and Four Branches Bourbon. Their investment in this community made the Summit what it was — and we’re grateful.

Subscribe below to follow the series, and if you were there, we want to hear from you.

Subscribe now

Taylor’s connection to the special operations and intelligence communities is genuine, personal, and well known to everyone in that room.

He portrayed Lieutenant Michael P. Murphy in Lone Survivor — and has described Marcus Luttrell as a brother, a relationship that continued long after filming ended. In The Terminal List and The Terminal List: Dark Wolf — co-created by former Navy SEAL Jack Carr — he plays Ben Edwards, a SEAL Chief who crosses into CIA paramilitary operations. Dark Wolf premiered in August 2025 on Prime Video. He is an executive producer on Dark Wolf — not a hired actor, but an invested creative partner in stories about the people who will be sitting across the table from him that night.

On Thursday evening, April 3, at the Whitefish Security Summit, we are dedicating a two-hour dinner to a single purpose: launching Howlers Ridge’s major donor network.

Howlers Ridge

Howlers Ridge is a 501(c)(3) nonprofit retreat center on 22 acres outside Bozeman, Montana — founded by Taylor to provide nature-based healing for veterans, trauma survivors, and people in recovery from substance use disorders. The facility is under construction and will offer residential retreat programs grounded in wilderness experience and trauma-informed care.

The need is not abstract to anyone in this room. Suicide rates among special operations veterans remain significantly higher than the general population. The intersection of combat trauma and substance use is well documented and poorly served by existing systems. Howlers Ridge is being built to address exactly that gap — in a Montana landscape that is, for many of these veterans, home.

The Evening

4:30 PM — Pre-Dinner Reception Taylor circulates freely. Informal, unhurried. Every ticket holder has access.

5:15 PM — Dinner Begins / Welcome Remarks Jeff Caruso, Managing Partner, Whitefish Security Summit

5:30 PM — Taylor Kitsch: Howlers Ridge Personal story, the vision, current build progress, and why now.

5:55 PM — Veterans Panel Ground-level perspective on veteran mental health and recovery — the gap this facility is built to fill.

6:20 PM — Q&A with the Room Open conversation. This audience will drive it.

6:55 PM — Closing Remarks + Giving Opportunity Direct appeal. WSS will facilitate follow-up for anyone interested in a larger conversation.

7:00 PM — Post-Dinner Private Reception / Founding Donors Closed, intimate. Taylor available.

Tickets

Patron — $1,000 Pre-dinner reception and dinner. Full program access.

Benefactor — $2,500 Above, plus priority seating and your name in the printed donor acknowledgment distributed to the room.

Founding Donor — $5,000 Above, plus post-dinner private reception with Taylor and a warm introduction to Howlers Ridge for larger partnership conversations.

Tax deductibility: Howlers Ridge is a registered 501(c)(3) nonprofit. The portion of your ticket exceeding the fair market value of goods and services received (food, beverage, and program access) qualifies as a charitable contribution. WSS will forward proceeds on a per-donor basis in your name, and Howlers Ridge will issue a written acknowledgment reflecting the deductible portion of your contribution.

Contact

Space is limited. To reserve your seat:

Jeff Caruso • Founder & Managing Partner, Whitefish Security Summit

China Central Television (CCTV) is China’s national television broadcaster — and the Publicity Department of the Chinese Communist Party. In this case, they deserve a raise.

“White Eagle and Persian Cat: Chronicles of Love and Hate in the Valley of Gold” is a brilliant piece of propaganda. It wraps a genuinely clever geopolitical argument inside a beloved 1970s Chow Brothers Kung Fu format with cute anthropomorphic characters — and it works.

The eyeglass-wearing vulture-headed adviser (Stephen Miller) is informing the White Eagle King (Donald Trump) that the Persians are refusing to dismantle their underground core — that is, their nuclear enrichment facilities. The time to act is now.

An assassin flies through the air, sword extended, and kills the Persian cat leader.

The Eagle King’s adviser, now panicked, delivers the post-strike math:

“I just did the maths. Their wooden birds cost at most two taels of silver, but each golden arrow we shoot costs at least 100 taels. This is not war! This is feeding our treasury to the dogs!”

The King’s reply: “You shut up. How can a White Eagle be frightened by a few broken pieces of wood? Keep shooting until he has no wood!”

The king escalates. A school filled with Persian kittens is killed, vengeance is sworn, and a blockade of the only trading channel is initiated.

The Chamber of Commerce (NATO) is called upon to intervene and force the Persians to reopen the trade route. Instead, the Chamber discovers the old Silk Road — and while it may take a few extra days, it’s stable and reliable.

“Let’s find new allies and take a new path,” says a Chamber member riding through the desert.

The video closes with a slogan — a bastardization of Sun Tzu's principle of winning without fighting: "The art of war is not in the fighting, but in the stopping."

I’m sharing this because it illustrates something worth paying attention to: AI is now capable of generating emotionally resonant, strategically targeted narrative content drawn from current events in near real time. This isn’t a curiosity. It’s an information environment capability.

Storytelling and warfighting have always been inseparable. Done well, narrative shapes perception, builds will, and wins. Done poorly, it becomes a liability that turns on you. The CCP clearly knows this.

If that intersection interests you, join me and more than 100 colleagues from the worlds of national security and entertainment at the Whitefish Security Summit, April 2–4 in Whitefish, Montana.

For More Information

Suits and Spooks was born in a Palo Alto loft in 2011. Fifteen years ago. What started as an experiment at the intersection of national security and private enterprise has carried me — for better and for worse — to something I genuinely never imagined was possible.

In fifteen days, the Whitefish Security Summit begins.

Since I first conceived of this event last July, it has gone through location changes, name changes, and a significant shift in focus. What hasn’t changed is the pull — the sense that something necessary was missing from how the people who shape security, intelligence, and story actually talk to each other.

WSS 2026 is the answer to that.

The speaker roster is impressive — including General Stanley McChrystal and Howard Gordon, the showrunner behind 24 and Homeland. But what’s equally impressive — maybe more so — are the people attending whose names won’t appear anywhere. Private bankers. Quiet professionals. Power players from the entertainment and national security worlds who are spending real time and real money to be in a room together in Whitefish, Montana, because they understand something most people don’t yet:

Events are moving at a speed no one knows how to control. The speed of story.

That phrase deserves unpacking — and it will be, over three days in April, by people who have lived it from the inside. If you’ve been watching what’s happening at the intersection of narrative, intelligence, and influence, you know why that conversation matters right now.

There are still a limited number of seats available.

Count Me In

Olly — retired Navy SEAL, former Commander within DEVGRU, and apparently our new favorite person to follow into the mountains — is leading Morning PT at the inaugural Whitefish Security Summit this April 2–3.

Day One kicks off with a hike into the peaks surrounding Whitefish, Montana. The kind of hike where your legs start negotiating with your brain around mile two. The payoff: a panoramic view of the valley that makes you forget you can’t feel your quads.

Day Two is where things get interesting.

Olly decided the group needs a swim. In Whitefish Lake. In Montana. One thousand meters of aggressively cold water. Wetsuits are encouraged!

For reference, here’s the official spirit animal of Morning PT:

Everyone who gets in the water will finish. Nobody mutinies. A few people may question their life choices somewhere around the 500m mark — but they’ll keep swimming. Which is basically the whole point.

And when it’s over? Olly personally signs your Certificate of Survival — because if you voluntarily entered freezing water under command of a former DEVGRU Commanding Officer, that deserves official documentation.

👉 Register now at whitefishsecuritysummit.com

This is your invitation.

The Whitefish Security Summit isn’t just two days of frank, substantive conversation about the world’s most pressing security challenges — it’s a full experience, set against the unspoiled wilderness of Glacier Country. No vendor booths. No political theater. No warm lakes.

Seats are limited and going fast.

👉 Register now at whitefishsecuritysummit.com

See you out there. Wetsuits are optional. Excuses are not.

With no evidence of an imminent threat to support a preemptive strike against Iran, and the President’s refusal to provide same, President Trump, National Security Adviser Stephen Miller, Secretary of Defense Pete Hegseth, and Director of National Intelligence Tulsi Gabbard have recklessly put the U.S. at risk for expanded hostilities to include the Russian Federation. This brain trust may have just handed Vladimir Putin the pretext he never had to move from the sidelines to the field. Seven hundred Rosatom engineers are still at Bushehr. That's not a footnote. That's a tripwire, known in forecasting terms as an “accidental entanglement.” And nobody in this administration appears to have thought seriously about what happens if we trip it.

How Likely is Entanglement?

To answer that question, I looked at the target list, and ran that through Anthropic’s Claude to determine how many Rosatom employees might be present at each. Here are the results.

Bushehr Nuclear Power Plant — HIGH Rosatom presence, CONFIRMED

About 700 Russian specialists were taking part in construction of the second and third units at Bushehr, out of roughly 3,000 total specialists on site.

The port city of Bushehr was struck, though it remained unclear whether the nuclear reactor sustained damage.

Rosatom subsequently evacuated 94 non-essential personnel — children and family members — but confirmed its essential staff remained at the plant.

Isfahan Nuclear Technology Center — MODERATE Rosatom presence likely

Isfahan was struck in both the June 2025 Operation Midnight Hammer and again in the February 28 operation. Isfahan was among the cities targeted in Operation Roaring Lion, with nuclear-related sites taking hits. Isfahan has historically hosted Russian technical cooperation on reactor fuel conversion and research. It is less exclusively a Rosatom facility than Bushehr, but Russian technical advisors involved in fuel cycle cooperation and reconstruction monitoring after the June strikes would plausibly have been present. Probability of Rosatom personnel on site: moderate, perhaps 30-40%.

Parchin Military Complex — LOW but non-trivial Rosatom presence

The Parchin military complex also took hits in the February 28 operation. Parchin is primarily an IRGC weapons development site — explosives testing, missile work, suspected nuclear weapons design research. This is not a Rosatom facility. However, Russian military advisors (distinct from Rosatom) have been documented at IRGC facilities. The probability of Rosatom engineers specifically at Parchin is low, but Russian defense personnel more broadly is a separate and higher-probability question. See the S-300 and S-400 missile banks below.

Fordow and Natanz — LOW current Rosatom presence

These were the primary enrichment sites. Fordow and Natanz were struck in the June 2025 Operation Midnight Hammer and were again targeted in February 2026. These are Iranian-run enrichment facilities with no significant Rosatom operational role. The probability of Rosatom engineers at these sites is very low. Russian nuclear scientists in an advisory or monitoring capacity is conceivable but unconfirmed.

Tehran — CONFIRMED small Rosatom presence

A small group of Rosatom staff working in Tehran had been concentrated within the grounds of the Russian Embassy following the strikes. Tehran targets included the Iranian Atomic Energy Agency headquarters, where Russian officials regularly visited. Whether any were present at the moment of the strike is unknown.

With essential Rosatom staff still at Bushehr, inside an active conflict zone, with the Strait of Hormuz closed and Iranian retaliation ongoing, those personnel are effectively hostages to the conflict’s trajectory. Putin has already used their presence as diplomatic leverage — warning Israel publicly before the strikes began. That lever now cuts both ways: it constrains Russian escalation (Moscow doesn’t want its people in a war zone) but it also gives Putin a legitimate grievance narrative if any Russian nationals are killed, accidentally or otherwise.

The Presence of Russian Defense Personnel at Iran’s S-300 and S-400 Air Defense Systems

Israeli forces destroyed or damaged many of Iran's air defense systems during the June 2025 Twelve-Day War, including its Russian-supplied S-300 long-range surface-to-air missile batteries. However, February 2026 satellite imagery reveals S-300 launchers positioned within prepared revetments near Tehran, suggesting Iran had retained or restored sufficient components to reconstitute at least portions of its long-range surface-to-air missile coverage, and it would need Russian assistance to do it.

However, the presence of Russian technical personnel is probable but unacknowledged, undocumented, and unprotected by any prior diplomatic assurance. If U.S. or Israeli strikes hit a battery with Russian advisors present, there is no prior agreement to invoke, no public count of personnel to account for, and no established deconfliction channel to manage the aftermath.

Summary

There is a pattern here. Venezuela. Now Iran. With no confirmed imminent threat, no congressional authorization, and no deconfliction mechanism protecting hundreds of Russian nationals on the ground, the Trump administration has lit a fuse whose other end nobody can see. The world is watching — and what it sees is an America that has abandoned the international legal order it spent 80 years building. If this is the new doctrine, we should be honest about what it costs — starting with the very real possibility that the next casualty is a Russian engineer at Bushehr, and the phone call that follows goes to the Kremlin.

I came across this assessment in a Facebook post by my friend and go-to expert on everything related to Industrial Control System risk, Tim Roxey. As a non-engineer, I found it to be clear, concise, and convincing regarding the Pentagon - Anthropic controversy over how Claude could be used by the Pentagon. If you like this, and you want to read the full version with footnotes, visit Tim’s Substack and subscribe.

The Pentagon and Anthropic are in a very public fight over whether AI companies should set the rules for how their technology is used in military operations. Undersecretary Emil Michael says it’s “not democratic” for Anthropic to restrict military use of Claude. Anthropic says its models shouldn’t be used for autonomous weapons or mass surveillance. Secretary Hegseth is reportedly close to designating Anthropic a “supply chain risk” — a classification normally reserved for foreign adversaries.

Both sides are talking past each other, and here’s why: neither one has an engineering framework for the argument they’re actually having.

The Pentagon’s position rests on DoDD 3000.09, the directive on autonomy in weapon systems. That directive requires “appropriate levels of human judgment over the use of force.” But as multiple analysts have documented — including the people who wrote the update — 3000.09 doesn’t ban autonomous weapons, doesn’t require a human in the loop (that phrase never appears in the policy), and leaves “appropriate” deliberately undefined. That was defensible when the directive governed deterministic software that could be formally verified. It is dangerously inadequate for generative AI systems whose cognitive outputs are non-deterministic and cannot be mathematically proven correct.

Anthropic’s position rests on its terms of service. That’s a contractual restriction a company can be pressured to revise — which is exactly what’s happening.

What’s missing is the engineering argument. Through the ISA Global Cybersecurity Alliance, and my own research over the past decade, my colleagues and I have developed a hybrid quality assurance framework that resolves this impasse by grounding it in the actual technical characteristics of generative AI.

The core concept is the Bright Line — an architecturally enforceable boundary above which generative AI may not exercise autonomous control authority. This isn’t a policy preference or a corporate restriction. It’s an engineering conclusion: the same non-determinism that gives large language models their analytical power makes it impossible to verify they’ll never produce a catastrophically wrong recommendation in an untested context. For applications where consequences are irreversible — which describes every lethal engagement — a human must serve as the final safeguard.

The implementation is the Command Broker architecture. Above the Bright Line, the AI and the weapons platform are physically separated by a human decision-maker. The AI analyzes, recommends, and explains. The human decides and acts. The defense is architectural, not procedural.

Here’s the thing: this maps exactly to how military command authority already works. Commanders don’t delegate lethal authority to staff analysts. They receive analysis and decide. The Command Broker codifies that existing command relationship in the system architecture.

This reframes the entire dispute. It’s not that Claude shouldn’t be used in the kill chain. It’s that above the Bright Line, the system architecture must enforce the separation between AI recommendation and lethal action that military command authority already demands. The Pentagon gets generative AI across kill-chain planning, analysis, and assessment — where they’re already seeing what their own CDAO calls “significant advantage.” Anthropic’s safety concerns are satisfied by engineering, not by a usage policy that can be renegotiated under political pressure. And Congress gets a governance architecture with clear categories, boundaries, and evaluation criteria for the annual LAWS reporting required by the FY2025 NDAA through 2029.

The middle ground isn’t a negotiated compromise between contractual positions. It’s an engineered solution derived from the technology itself.

Written by Tim Roxey, reproduced here with permission.

The Montana Intelligence Summit is not a traditional conference.

For two and a half days this spring, we are converting downtown Whitefish into a living Intelligence Ecosystem—one designed to bring together intelligence professionals, storytellers, and creators who shape how national and global issues are understood.

This matters because, for as long as humans have existed, we have learned through story. The Summit is built on that truth: bringing people from the intelligence community together with leaders from the entertainment industry to help ensure that the stories reaching the public are authentic, intentional in their impact, and grounded in national and global realities.

That philosophy extends beyond the stage.

Instead of being funneled into conference rooms or catered spaces, attendees and speakers are free to enjoy lunch and dinner anywhere in downtown Whitefish. With a walkable town, a close-knit restaurant scene, and a shared schedule, people naturally cross paths—at tables, bars, and sidewalks—continuing conversations without agendas, badges, or conference food. The result is informal, unforced time together that feels human rather than programmed.

And then there’s the Montana version of networking.

Thursday night kicks off with Four Branches Bourbon’s Sip to Remember inside the 100-year-old Great Northern Bar & Grill—history in the walls, bourbon in the glass, and conversations that tend to last longer than planned.

Friday night is Movie Night. We’ll screen a 30-minute documentary on child soldiers, followed by exclusive clips from Iron Butterfly Media’s upcoming documentary on women in the Intelligence Community, with Q&A sessions featuring the filmmakers. It’s a reminder that story is not just entertainment—it’s how complex, difficult realities are understood.

Saturday morning brings the Lobo Institute’s “Find The Hooch Treasure Hunt” that will test your orienteering skills in the surrounding foothills, followed by spring skiing, or a cold plunge in Whitefish Lake.

Everything is within walking distance, with shuttles on standby when needed. Place isn’t a backdrop here—it’s part of the design.

One Week Only: 20% Off Tickets

Starting today and running for one week only, you can save 20% on both Standard and VIP tickets.

This is the only ticket sale that will happen before the event.

Use code HOLIDAY20 at checkout.
When it’s gone, it’s gone.

Join us in Whitefish—and experience where intelligence meets story, shaped by place.

The summit, founded by Jeffrey Caruso and developed with Lobo Institute co-founders Michael “Mick” Mulroy and Eric “Olly” Oehlerich, will convene experts from the intelligence community, special operations forces, diplomacy, economics, and journalism. Discussions will address issues ranging from geopolitical conflict and cyber threats to the rapid rise of autonomous and advanced military technologies.

At a time of increasing global instability, organizers say the goal is to create a setting that supports frank, cross-sector dialogue outside traditional Washington policy circles.

“Complex security challenges demand perspectives from across government and society,” said Mulroy and Oehlerich. “We want to foster serious conversations that connect operational experience with broader policy and public understanding.”

The rebranded summit will follow the April 2–3, 2026 Montana Intelligence Summit and is intended to become a recurring, invitation-focused gathering. By drawing inspiration from international forums such as the Aspen Security Forum and the Munich Security Conference, WSS aims to establish a new center for security dialogue in the American West.

“This partnership enables us to scale the summit into a lasting platform for global engagement,” said Caruso. “We’re building a forum that connects Montana to conversations shaping international security.”

About the Principals

Jeffrey Caruso, Founder — A veteran cyber warfare researcher and author of Inside Cyber Warfare, Caruso has briefed the CIA, DIA, FBI, and the Chief of Naval Operations. He is a veteran of the U.S. Coast Guard and the founder of the Montana Intelligence Summit.

Eric “Olly” Oehlerich, Lobo Institute — A retired Navy SEAL officer and former Commanding Officer of DEVGRU (Squadron 2), Oehlerich focuses on advanced research and development and the integration of high-fidelity sensor technologies for national security applications.

Mick Mulroy, Lobo Institute — A former Deputy Assistant Secretary of Defense for the Middle East and retired CIA paramilitary operations officer, Mulroy is a retired U.S. Marine and a national security analyst for ABC News.

About the Whitefish Security Summit

The Whitefish Security Summit (WSS) is an invitation-focused forum that fosters collaboration between senior leaders in government, the military, intelligence, industry, and academia. Through strictly limited attendance and off-the-record discussion, WSS provides a secure environment for addressing complex global threats and advancing practical solutions.

About the Lobo Institute

The Lobo Institute is a national security–focused organization dedicated to strengthening collaboration between military, intelligence, and policy communities. Founded by experienced special operations and intelligence professionals, the Institute develops programs, partnerships, and public engagement initiatives aimed at improving strategic understanding and operational effectiveness in an evolving global security environment.

“I’m not a spy. I just read books.”

In Three Days of the Condor, Robert Redford’s character describes a quiet corner of the intelligence world: analysts whose job is not clandestine action, but consumption. They read novels, newspapers, journals—everything that’s published—looking for patterns, leaks, and ideas. Fictional plots are examined not as entertainment, but as data points, fed back against real plans and real operations.

It’s a cinematic moment, but also an unusually clear articulation of a long-standing reality: the porous boundary between intelligence and entertainment. Stories don’t merely reflect the world of intelligence; they inform it. And intelligence, in turn, supplies an endless stream of raw material for storytelling.

At first glance, the Intelligence Community and the entertainment industry seem to occupy opposite ends of American life. One operates in secrecy, the other in spectacle. One claims national security as its mission; the other sells stories for mass consumption.

Look closer, and the parallels are striking.

Both are insular and widely misunderstood by the general public. Both are referred to in shorthand—the “Agency” and “the Industry”—as if naming them fully would give away too much. And in both worlds, the line between fiction and reality is thinner than most people realize.

Gatekeepers Over Merit

In neither domain does talent alone determine success. Advancement depends on sponsorship, trust, and informal power networks. In intelligence, it’s clearance, access, and reputation. In entertainment, it’s agents, producers, and perceived momentum. In both cases, a small group of gatekeepers quietly shapes outcomes behind the scenes, while formal processes provide institutional cover.

Mythmaking as Infrastructure

Both institutions actively manage their own mythology. The Intelligence Community relies on secrecy, mystique, and selective disclosure. The entertainment industry constructs star personas, prestige narratives, and carefully curated origin stories. In each case, myth smooths over contradictions and reassures outsiders that someone, somewhere, is in control—even when reality is far messier.

Secrecy as a Structural Necessity

Both worlds depend on secrecy—not as an affectation, but as an operating requirement.

For the Intelligence Community, secrecy protects global stability, human assets, sources and methods, and the fragile advantage of surprise. Exposure can cost lives, compromise alliances, or collapse years of work in a moment.

In the entertainment industry, secrecy serves a parallel function: protecting intellectual property, massive financial investments, and the fragile alchemy of creative development. Scripts are locked down, projects code-named, endings concealed, and leaks aggressively policed. Premature exposure can kill a project just as surely as a blown operation.

In both cases, secrecy isn’t about hiding wrongdoing—though it can enable it—but about preserving optionality. The work must be protected until it’s ready to be revealed, framed, and understood on institutional terms.

Failure Is Hidden; Success Is Curated

Most intelligence operations fail quietly. Most films and television projects do too. In both worlds, failure is buried, reclassified, or quietly forgotten, while success is elevated into legend. History becomes a highlight reel, not a full accounting.

Compartmentalization as a Way of Life

People inside these systems rarely see the whole picture. Intelligence professionals work on a strict need-to-know basis; entertainment workers are siloed across writing, editing, visual effects, and marketing. Compartmentalization protects secrets—but it also limits accountability and perspective.

Narrative Is the Real Currency

Despite the technical trappings, both industries are fundamentally about narrative control. Intelligence agencies frame threats, victories, and priorities. Entertainment frames heroes, villains, and national identity. Facts matter—but how they’re arranged, paced, and emotionally framed often matters more.

Moral Ambiguity as the Default

Neither world operates cleanly. Ethical gray zones are not exceptions; they are the norm. Participants learn to rationalize compromise, justify trade-offs, and live with outcomes they can’t fully endorse. Cynicism and dark humor become coping mechanisms rather than signs of corruption.

Burnout as a Feature, Not a Bug

Long hours, personal sacrifice, and identity fusion with the job are normalized. Leaving can feel like exile. Both institutions reward obsession and quietly punish balance, even as they publicly celebrate resilience.

Outsiders Get It Wrong—In Both Directions

From the outside, these institutions are imagined as either omnipotent or incompetent. The reality is more mundane: capable people constrained by bureaucracy, incentives, and human error. Reality is rarely cinematic—but the myth persists.

Shaping National Identity

Together, these two worlds help define how a nation understands power, threat, and heroism. One does it through classified briefings and policy memos. The other does it through screens and stories. The methods differ, but the cumulative effect is the same.

The Quiet Exchange

Which brings us back to that line from Three Days of the Condor. The analyst who “just reads books” isn’t a fantasy. He’s a reminder that imagination, narrative, and interpretation sit closer to the center of power than we like to admit.

The Intelligence Community and the entertainment industry are both meaning-making systems operating under scarcity—information in one case, attention in the other. One conceals reality; the other stylizes it. But both decide which stories are told, which are softened, and which never reach the public at all.

Different missions. Different aesthetics.
Same underlying logic.

And once you see it, it’s hard to unsee.

This article was written by Jeffrey Caruso, with editorial support from generative AI tools.

We’re pleased to announce that Rodney Faraon is joining the Montana Intelligence Summit as our newest featured speaker.

Rodney brings a rare fusion of national-security experience and creative storytelling expertise. A 15-year veteran of the Central Intelligence Agency, he contributed to the President’s Daily Brief across two administrations, served as b…

Read more

Read more