Thank you all so much for joining us today. My name is Tori Bosch and I'm the editor of Future Tense. Future Tense is a partnership of New America, Arizona State University and Slate Magazine, and our goal is to explore emerging technologies and their implications for public policy and for society. We do that daily on Slate, where we publish reporting and commentary at slate.com slash Future Tense. But we also like to get people together in real life, as they say. So a quick plug for another event we have coming up. On November 20th, we're going to be screening the 1975 cult classic Rollerball. Following the screening, we'll have a discussion about corporate power and questionable '70s fashion, hosted by ASU English professor Devoney Looser, who is a Jane Austen scholar who does roller derby under the name Stone Cold Jane Austen. Today, though, we're here to discuss something that I suspect doesn't have quite as questionable fashion involved in any way: Andy Greenberg's fascinating new book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. It looks at the most devastating cyber attack in history. And you can also read an excerpt of it on Slate, where Andy wrote about the implications of NotPetya for hospitals in the US. Our speakers, who I'll introduce in a minute, will talk for about an hour, followed by 15 minutes of Q&A. When we get to the Q&A, please make sure to wait for the microphone. I know you may speak loudly, but this is being broadcast online, so please wait for the mic. We also ask that you identify yourself and make your question actually a question. After the Q&A, Andy will sign books, which are also for sale at the table outside, so please make sure you get a copy. And while we're on housekeeping notes, please make sure your phone's on silent. So now for the fun part.
With us here today in the center is Andy Greenberg, author of the book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. And I always have to look to see what the subhead is; I cannot. It's a little long, but very evocative. Sandworm was just released yesterday. He's also a senior writer for Wired, where he covers security, privacy, information freedom, and hacker culture. His reporting on Ukraine's cyber war has won the Gerald Loeb Award for International Reporting and two Deadline Club Awards from the New York Society of Professional Journalists. Then we have Peter Singer, who's a strategist and senior fellow here at New America. He's been named by the Smithsonian as one of the nation's top 100 leading innovators. Defense News calls him one of the 100 most influential people in defense issues. And Foreign Policy included him on their Top 100 Global Thinkers list. His latest book is LikeWar, which explores how social media has changed war and politics and how war and politics have changed social media. And finally, our moderator will be Lily Hay Newman, who is a senior writer for Wired, where she writes about information security, digital privacy, and hacking. She also was previously the staff writer for Future Tense at Slate and my former colleague. Thank you all for being here. Off you go.

Hi, everyone. Thanks for coming today. And yeah, as Tori said, Sandworm just came out yesterday, so you probably haven't had a chance to read it yet. But I hope that you get a copy and you do soon. It kind of ties into a lot of things that may be occupying your mind right now. We just had an election yesterday, and there's a lot of psychic space, I feel, taken up by these questions of influence operations, the ways that we may be exposed in our digital lives. And Sandworm really engages with those topics, as well as questions of destructive hacking and the big question of cyber war. What is cyber war? What is coming next?
So I thought, since most of you won't have been able to read the book yet, that we would start by talking a little bit about Sandworm and what is Sandworm, or who is Sandworm. And then we'll dig deeper into some of those huge topics that, as I said, I think are occupying all of our minds right now. But the question of who is Sandworm, or what is Sandworm, is so fascinating. And the book just walks through this really amazing sort of mystery adventure of trying to find some answers to that, and brings in history and so many concepts along the way. So Andy, the first thing I want to do is talk a little bit about how you got onto this story. And you can spoil the whole book and tell us who Sandworm is now, so we can all eat lunch.

Well, around the time that you started at Wired, actually, our editors asked me to find the big story of cyber war. They actually wanted to do a takeover of the whole issue. And I think that, as is the case now, what was on the top of their mind was the election hacking. There had just been the breaches of the Democratic National Committee and the Clinton campaign by Russian hackers, and this fervor that had just built in the months since then. So by late 2016, we were ready to do some big piece about this. But I didn't see that as cyber war. I didn't actually know if I believed that cyber war was a real phenomenon that had actually taken place at that point. The hacks that affected those election targets were more like digital dirty politics, as I saw it. And so I went looking, to please my editors, for a real cyber war story. And I found it in Ukraine, where in 2014 there had been a pro-Western revolution that had been promptly followed by an invasion from Russia. And that invasion, that physical invasion into the east of Ukraine and the seizing of the Crimean Peninsula, had been accompanied by wave after wave of cyber attacks that hit every part of Ukrainian society: the media, private industry, the government.
And ultimately, in this kind of really important red-line-crossing moment, the first ever attack on an electric utility that caused a blackout. These Russian hackers, as I read about this, had turned out the power to a quarter million Ukrainians. The first ever hacker-caused blackout. And the mechanics of that were so cinematic when I looked into it. These hackers had not only planted their malware on the IT systems and gained access to the operational controls of the electric utilities in Western Ukraine that they were targeting, but they had hijacked the IT staff's desktop control system. Just as your IT staff remotes into your PC and takes over your mouse, they took over the mouse controls of these grid operators. And these people in the control room of this Western Ukrainian electric utility had to watch helplessly as their own mouse clicked through circuit breakers, turning out the power with each click to thousands of Ukrainians. So I was immediately drawn to this story: who are these almost Hollywood-style evil hackers? And I followed the traces of that hacker group back to their initial discovery in 2014. This little company outside of DC called iSight Partners had found these hackers, who appeared to be Russian, because iSight actually traced the group's infections to a command and control server that left open a directory that included a how-to manual for their malware written in Russian. So they were clearly Russian-speaking hackers, and they seemed to have pretty typical Russian targets, like Eastern European and NATO political espionage targets. But then it became clear that they were also breaching American grid operators. And these hackers, who had actually hacked the American grid, had planted a piece of malware for each of their victims. And in that malware, they had a little campaign code that they used to identify the victim. And each one was a reference to the sci-fi novel Dune.
And so iSight Partners named this group Sandworm. And when I heard this story, first of all, it's a cool name. And to me, it evokes, if you've read Dune, this kind of giant monster that lies beneath the surface and occasionally surfaces to do terrible, destructive things. I mean, it turned out to be kind of a perfect name for this group. But also, for me, this was the moment where I was like, wait, the same hackers that crossed the line for the first time in Ukraine and turned out the power to civilians had also planted their malware in the American grid. This is not just a story about Ukraine. This is a story with immediate analogous importance for American national security. And as I was looking into all of this, Sandworm did it again and caused a second blackout, this time in the Ukrainian capital of Kiev. So I could see that I was not too late to the story. It was still unfolding, this cyber war. And I believe now that it was actually the first true cyber war, still unfolding in front of me. And I wrote this first big magazine piece for Wired about this premise that we could look to Ukraine to see what Russia's most aggressive cyber war capabilities were, that Russia was using Ukraine as a testing ground, as a test lab for cyber war, and that what happened to Ukraine needed to be recognized because it would soon happen to the rest of us. So these were capabilities that could easily spill out from Ukraine to affect all of us. And kind of bizarrely, the day that Wired cover story hit newsstands, predicting that what happened to Ukraine would soon happen to the rest of us, a piece of malware called NotPetya hit Ukraine and immediately spread to the rest of us and became the worst cyber attack in history. It ultimately cost $10 billion, which far exceeds anything we've ever seen before.

And I like that Andy often says, you don't want your prediction to come true that day.
Yeah, I don't think anybody actually noticed that we'd made this prediction, because it came true within 24 hours. But NotPetya, we were soon able to trace it back to Sandworm again. And then I could see that there was a much bigger story here, a story about how we watched the cyber war unfold in Ukraine, how certain detectives had followed these attacks and tried to warn the world that we need to pay attention to what's happening here, and that it will soon hit us too. And those warnings were ignored until it was too late. And it ballooned out into this cataclysmic and, ultimately, very tragic cyber attack that hit the whole world. So those are the first two acts, ultimately, of the book: this kind of detective story that becomes a disaster story.

Yeah, and I think the nice thing about the book is that you get all these fascinating... I mean, Sandworm as a group is just incredibly fascinating, and trying to imagine who is behind the ghost mouse hundreds of miles away, or whatever it is, is really amazing. But the specifics of Sandworm kind of tie in to this larger point that Sandworm is one of the groups that took some really significant first steps, or early crossing-the-Rubicon-type steps, in destructive cyber war. And one thing I think is interesting is that the idea that this type of destructive hacking is possible has been around for almost decades. People have really been discussing the idea that it could be technologically feasible to cause blackouts, or what's the paper, the flying toaster, or the problems with the internet of things, devices, eyes everywhere. All these types of ideas have been around for a long time, that it very well could be technologically possible, or even was. But it sort of never happened, for a really long time.
So Peter, one thing I am sort of fascinated to hear about is that your book, Cybersecurity and Cyberwar, from 2014, was in that transition era, and you would have been reporting it in this transitional time where there had been some indications. And I'm specifically talking about Stuxnet, but we don't sort of need to go into a whole side thing about that. But there had been some indications in the early 2010s that things were finally getting closer, that more might actually happen. But this whole huge history that Andy just sort of summarized had not yet occurred. So what was it like reporting on this issue at that time, and how is that the lens through which you view what's happened since the book?

Sure. So I want to begin, though, by congratulating Andy on this book. As a reviewer put it, it's informative and entertaining as hell.

The reviewer being Peter.

It's well worth it. I got a chance to read an early version of it and very much mean that. It's a great book, and it combines sort of the best of reporting but also storytelling. And that's what's great about it. So to hit your question, I was thinking about it. There's, in essence, many, but I'd point out three things that have changed in that time since we were doing the book Cybersecurity and Cyberwar that have become significant. One, you put your finger on it, is this shift in... and you could frame it lots of different ways, but I think of it as the complete and utter collapse of cyber deterrence. For the first generation-plus of us caring about cybersecurity, our response was this idea that we could build up global norms that would steer people away from making attacks at scale, or attacking certain kinds of targets. That surely we could all agree that certain types of targets would be off limits.
And that discourse was playing out everywhere, from academia, to various legal conferences on it, to being the core of US strategy, to, of course, playing out at the United Nations with a global group of experts and the like. And then we had this series of attacks where basically someone crossed that line. And really nothing happened in response to them crossing that line. And since then we've seen a complete and utter lack of fear and temerity, not just from this set of attackers but from the wider set of attackers. Andy captures this in the book, but we also see it in the news every day. It's hitting everything from Ukrainian power grids to the Olympics to American power, banks, governmental systems, probes on election systems, you name it. And every other actor is looking at this and saying, I can get away with this and do it too. And it's also leading to changes in behavior. In the book they're trying to cover their tracks, in a way that some of these actors are no longer putting the hard work into covering their tracks, because they know it doesn't matter if they get caught. There's, for example, the data on breakout speed within entities, getting into a network. So one is sort of the collapse of cyber deterrence. The second, related, and you could get a taste of this, is that the scale and impact of the attacks is definitely going through a shift. When you think about when we were doing the book back in 2012, there was one mega breach in the entire year. Mega breach: 10 million plus people touched by the impact of the attack. One in the entire year.

What was it?

I'd have to go back and look at it. But now you guys are reporting on a mega breach literally once a week, or you're no longer reporting on them because they're so commonplace. And that has a huge impact on how we think about our interaction with the internet, how we think about what we're allowed to do and not to do.
But then you have the other, which is the physical impact of it, because the internet's changing into the IoT, the internet of things. And so you can now start to affect things like, I'm not just stealing people's personal information, I can affect the power grid. We were talking about this in the room back there. It might not be ransomware to hold files hostage, it might be ransomware that shuts down the operations of systems, be it at a hospital, be it at a city transportation network. And then the third big change that we really hadn't seen back then, but now it's becoming more common, is the hybridization of the attackers and the attacks. So you are seeing these sets of, are they Russian criminals, but they're also conducting political-style attacks, or swinging back and forth; or in turn you see North Korean state hackers targeting political targets but also robbing a bank. And that's very difficult to face. And then we have the other hybridization that's playing out, which is, I'm breaching a network but I'm also trying to conduct activity in social media, and how these go back and forth. And of course that hadn't taken off back then, and it's something that we see now.

Yeah, and in terms of the covering-your-tracks thing, it kind of makes me think that one thing that has come up is the sort of plausible deniability that exists, or the lack of a standard that groups come forward after committing destructive attacks or aggressive hacking. And it sort of feels like there's this lawlessness that makes me think a lot about the NotPetya attack. You can do something very specific, like an attack on an electric grid or something that causes a blackout, or you can do something that has sort of one intention but without a lot of concern for collateral damage or what else may happen, because it's like, well, who even did this? You know, it wasn't us. There's no sort of face to these types of attacks.
So Andy, can you talk a little bit about how that played out with NotPetya, and the sort of scattered nature of it, that it isn't always just this one-to-one?

Yeah, well, so the day NotPetya hit, June 27, 2017, we initially, and I fell for this as well, it looked like ransomware, which, as you guys know, encrypts your computer and you have to pay a ransom to unlock it. And thousands and thousands of computers around the world were showing this ransom message. This was a ransomware worm, it looked like, that automatically spread from machine to machine. We quickly could see that it actually used, in part, a stolen NSA hacking tool to kind of hypercharge this spread, as well as a password-stealing tool. And the kind of secret ingredient was that the hackers, Sandworm, had hijacked this piece of Ukrainian accounting software. Everyone in Ukraine, because this was an ultra-common piece of software, kind of like the Quicken or TurboTax of Ukraine, everyone who had even filed taxes in Ukraine had this software on their network. And so the hackers hijacked the updates of that software to push out their worm, to seed it out to thousands of networks.
But it looked at first like it was a for-profit attack, that they were just trying to get ransoms. But we quickly, actually, when I spoke to Ukrainians, who are always the first to say, actually, this was Russia and cyber war, they were right. When you paid the ransom you still couldn't decrypt your files. That was just a very thin cover story over this ultimately destructive attack. But it worked for about 24 hours, and then we could see that this was actually just another, even bigger, act of disruption in the ongoing cyber war, and one that had spilled out from Ukraine to everyone who did business in Ukraine, even. Because Maersk, for instance, the world's largest shipping firm, had, I ultimately figured out, one computer in one office in Odessa in the south of Ukraine, and on that computer they had installed this Ukrainian accounting software, and that was enough for their entire global network to be destroyed, essentially, by this worm. And that happened to Maersk and Merck and FedEx and Mondelez, the company that owns Nabisco and Cadbury, and Reckitt Benckiser, the manufacturer of Durex condoms, and ultimately hospitals all across the US, and of course the entire nation of Ukraine. I mean, hundreds, 300 companies I heard one estimate, were hit in Ukraine, and all of their computers just destroyed. So this is a scale of attack we've never seen before. And each of these multinational companies started to report to their shareholders hundreds of millions of dollars of damages. And you look at a typical ransomware attack that hits the front page of the New York Times, and it's like, they took down the city government of Atlanta, that will cost between 10 and 20 million dollars to fix. And each one of these companies was reporting well over 10 times that sum, and in total 10 billion dollars. I mean, this is not just the biggest attack in history, it's an order of magnitude, several orders of magnitude, bigger than the typical ransomware
attack that we see. So I was, at this point, obsessed with the story of NotPetya, but I was also going crazy, because, as Lily was getting at, there was this kind of initial confusion over who had done this, and it had been pretty effective. All of these multinational companies like Maersk and Merck and FedEx were weirdly not saying this was Russia, this was part of the Ukrainian cyber war. They were not talking about how they had lost hundreds of millions of dollars to this kind of one-in-a-million attack. They were just reporting to their shareholders that they'd lost this money and not telling any details. So for me that became a months-long reporting process of trying to find any one of these companies that would actually, whose anonymous sources, brave sources, would go against the wishes of their PR teams and share the experience of being hit with this kind of cataclysmic data disaster.

Yeah, and will you just talk a little bit more about the people who were willing, eventually, to speak to you, and how they felt? How does it feel to be staying in the room?

So ultimately, well, first I should say that this is something I really love about Ukrainians: they will just tell you everything about the experience of being hit with a cyber attack, because they're so tired of being ignored, of being abused by Russia for, well, centuries really, but most recently digitally, hit with one attack after another. So when I went to Ukraine, within a week I had assembled an entire kind of oral history of the experience of NotPetya in Ukraine. Everyone had their own personal disaster story to tell me. How they were working at the Ministry of Health, for instance, and they had to make the split-second decision to take down the entire network so that it would not be hit by NotPetya and have all these medical records destroyed. But then they left and tried to go home on the metro, but they couldn't get onto the metro because the payment system was down for the metro. So they went to go find cash to buy a
physical token, and all the ATMs were down in the neighborhood, and they finally found one ATM with a tiny cash limit, and they wait in a line forever, they get some cash, and then they get on the metro, they go home, and they try to buy groceries, and the credit card system in the grocery store is down. And this, as it was described to me by the person who told me that story, this was all one guy's story, and I heard dozens of these over a week. It felt, as he put it, like this kind of disorientation, like he had lost a limb of his body. Everything just seemed to be broken. He couldn't live his life the way that he was used to. And he also described it as a kind of end-of-the-world movie scenario. But then, so as I was getting all this from Ukrainians, I did finally begin to piece together, from anonymous sources, the experience of one company, Maersk, who were brave enough to tell me how they had experienced NotPetya. Which for them began, as one person described it, in seeing every computer in their global headquarters in Copenhagen just go black. One IT administrator described to me looking up and seeing a wave of screens just go black, black, black, black, black, black, black across the room. And then within minutes people were running down hallways screaming to turn off every computer they could, to spare them from this worm that was spreading. They were jumping over the turnstiles between parts of the building because even the physical security systems were broken, unplugging machines in the middle of meetings. But of course it wasn't enough, and NotPetya spread to their entire global network. And for Maersk, that's not just a bunch of computers. That includes, they own 76 terminals and ports around the world, and 17 of those terminals were entirely crippled by NotPetya. So you can imagine this means that cargo ships the size of the Empire State Building are arriving at these terminals with another
Empire State Building's worth of containers on top of them, and suddenly nobody knows what is on the ship. They have no idea how to unload it. And then simultaneously thousands of trucks are arriving at these terminals, and the gate outside the terminal is dead, the voice-over-IP system that they use to tell the trucks where to go and pick things up and drop them off is totally offline. So I was able to reconstruct this best at the Newark terminal for Maersk in New Jersey, and there I talked to a port staffer who watched trucks just line up miles long with no idea what was even going on. Maersk couldn't even send them an email to explain what was happening. And then they're ultimately told, you've got to find somewhere else to ship your cargo today. Which means that some of them have just-in-time supply chain things for manufacturing processes, or perishable goods. You have to figure out where to put these avocados, a truck full of avocados, where they can be refrigerated, or they're going to rot. And this was happening not just in Newark but in 17 of Maersk's terminals across the world. And then of course it's not just Maersk; it's also the same thing, at actually even greater scale. Maersk lost $300 million to this. FedEx lost $400 million. Merck lost $870 million. They had to borrow some of their own HPV vaccine from the Centers for Disease Control because their actual manufacturing of these important life-saving drugs was disrupted. And then even those dollar numbers, which are kind of the best quantitative measure we have of this, don't capture the fact that this also spread to hospitals across the United States. I'm sorry, I'm maybe getting carried away.

But I'm deep in this with you, because I think that exactly encapsulates the experience of reading Sandworm. The book just really conveys both a lot of details and information about Sandworm and about these situations, but also the emotional feelings and emotional destabilization that's such an important part of this. And
there's one really memorable moment that's about the blackouts, where one of the sort of central characters, a character slash real person who exists and experienced this, talks about feeling that the Sandworm hackers kind of reached into his own home by turning off the lights. His family was watching a movie, and suddenly it's just so personal when these things happen, whether it's in your business life or not: the idea that someone from so far away could destabilize your entire life like this. And I think another personal element that is tied into the Sandworm story is the way in which destructive hacking and influence operations, and sort of this exertion of power, ultimately seem to go hand in hand. And I think a lot of the influence and disinformation stuff is a component that we all are sort of grappling with in our lives, and hearing a lot about, certainly, but also maybe dealing with ourselves, or seeing. And so Peter, I'm curious about disinformation on social media, your book LikeWar, and what is like war, and how do some of those concepts tie into what we're talking about?

So I want to pause and actually hit something that Andy said that connects back to the earlier point, but it'll circle around to get to your question.

We're on the journey.

So one of the things that I think stands out about these episodes, and Andy captures it well, is the scale of the impact of it.
The number, 10 billion dollars in damage, but also you can play it out in these incidents of hitting harbors, shutting down, people being stuck places, et cetera. Think of the equivalent of this in non-cyber terms. In effect, what would happen if the Russian government sent a team that set a fire with matches that was designed to hit one target, but it burned out of control and it cost 10 billion dollars' worth of damage around the world? This raging fire burned and it hit harbors, and shipping facilities were burning down, to the bank that you were getting your ATM cash from, to a drug company's processing facilities being damaged by this fire. How would we react, versus the lack of response, the lack of consequence, to what happened ex post? Someone cost the world 10 billion dollars' worth of damage, had physical impact, and in effect there was no real response to it and no real punishment for it. And that goes back to the earlier question that you asked about one of the biggest changes: for this long period of time we tried to spread the message that if you do bad things, if you cross a line, there's going to be a certain kind of consequence for you. And this is where it's on both the Obama administration and now the Trump administration; it's part of why we've seen the collapse of cyber deterrence. And this connects to the story, to your question of disinformation, to what's playing out in elections today. Not just Russia continuing to hammer away in all sorts of different activities, but also we've seen networks pushed by China, networks pushed by Iran, we've seen for-profit actors, just like we saw in cybersecurity with those that try to break into a network. What we're seeing on the disinformation side of it is, in effect, the lack of response. And so in many ways, and Andy and I have talked about this, Ukraine was like a test lab. But if you think about it as a historic parallel, it's like the Spanish Civil War before World War II, where the Germans were not only figuring out what tactics work best,
Blitzkrieg, dive bombing, they were also figuring out what the world will let us get away with. So if you're an art person, you know Guernica. You can dive bomb a city and burn it down, and guess what, the world's not going to respond to you. And that's in effect part of the story of NotPetya: they didn't just do it, they got away with it, and we're still feeling the consequences of this today. And of course we're feeling that in what I call the like war space. If you think of cyber war as the hacking of networks, like war is the hacking of people on the networks by driving ideas viral. And that's why we're still feeling this today. The connection point is that basically the attackers are not only feeling that they can do this, they're feeling that it's relatively low cost for them to pull it off, and of great consequence, because they're not going to face any kind of negative aspect for it.

Yeah, I think that, I agree, but I think that, for me, the Guernica moment... and you gave me that analogy, and I failed to use it in the book, and I was still kicking myself about it.

So I'm going to use it every time.

Yeah, yeah. The Guernica moment for me was what happened to Ukraine pre-NotPetya. We could see Russia doing all of these things, and the story of the book is Ukraine and a lot of Americans who were kind of the detectives following what was happening to Ukraine, trying to warn the US government: you need to say something about this, at least put out a statement that just says, hey, it appears that Russia turned out the power to civilians with a cyber attack for the first time, and that's not okay. That's a red line we've tried to set for years and someone has crossed it, and we're going to globally recognize that that red line has been crossed. At least just say that it's unacceptable in a public statement. And we heard nothing, even as the Obama administration called out the North Korean attacks on Sony and Iranian attackers hacking US banks. They treated this thing that
was happening in Ukraine as this far-away foreign problem, and basically sent a message to Sandworm and its bosses that you can do this with impunity. And NotPetya was the result of that. This thing that we treated as this far-away foreign conflict came home for us very, very quickly. There was, in fact, eight months after NotPetya, finally a statement from the White House, maybe the shortest statement I've ever seen from a government body, that just said NotPetya was the work of the Russian military, and it was the worst cyber attack in history, and there will be consequences for this. And that was, after years, the moment when I said, okay, finally, I'm not insane. The US government has recognized this is as bad as it looks. And a month later there were sanctions as well for NotPetya. But it became so late, the scale compared to... right, too little, too late, by years. And in fact, as I tell in the book, even six days before that statement finally calling out these Russian hackers, there had been another disruptive attack by the same agency on the 2018 Olympics, which is the kind of third, maybe the biggest, piece of action in the third act of the book. But we can get to that.

Well, it seems to me, and you guys tell me what you think, when I think about this sort of lack of response, the only thing I can imagine is that the global community doesn't really want to draw the lines, and that everyone is sort of tempted by the idea that they might want to reserve the ability to do these things themselves.

Well, I've certainly been trying to figure out... Peter may be more cynical than me, and it sounds like you believe that we've missed our chance to create a Geneva Convention for the internet, as some people describe it. Josh Corman calls it a cyber no-fly zone, where we make rules that say, listen, you can do what you want with your fun cyber war activities, but if you touch a hospital, then that's a war crime and you're going to
be in The Hague. And I still want to hope that those kinds of norms can be set. It doesn't seem like any government is as enthusiastic about it as I am, though, because from what I can tell they're just too attracted to the power of these capabilities.

I think that's been one of the other shifts, say, over the last three-plus years: initially that norm building, trying to build whatever the laws and the no-gos are, was primarily a state-centric discussion. It was that the governments of the world would be the ones to build this. Again, you had this activity going on at the UN with the global group of experts, you had discussions within NATO, and it basically collapsed, it fell by the wayside. Now, you used that phrase "cyber Geneva Convention"; it's the private sector that's stepping into it, and that's another big change. Whether you think about a tech accord or the like, it's basically companies starting to say, okay, governments, if you're not going to set it, we're going to try and set these norms. But the key with a norm, for it to lock into effect behavior, is that it either has to have rewards or negative consequences, and that's what we've really not done a good job of. For the most part the attackers are still seeing this as low cost, high gain. Think about all the articles and speeches and Hollywood movies that were made about the nightmare scenario: what if someone took down a power grid, and then they did it, and dot dot dot. Okay. Or, what if someone tried to affect an election, dot dot dot. So that's the message. And again, the financial cost of putting together these attacks is also relatively low for the great gain. I don't know what the budget for Sandworm was, but the data we have on the 2016 sort of Russian government
disinformation campaign was sub-twelve million dollars. I mean, compared to the payoff at the strategic level, that is huge. So again, you're looking at this as low cost, high gain, both in the investment and in the lack of later consequence.

Yeah, but the private sector, what you talk about in LikeWar, it's very difficult to create incentives or disincentives, as you're saying, from the private sector. And there's also, in the LikeWar space, perhaps a need for the private sector to be taking more responsibility, right?

Yes. So, talking in particular about when you speak about social networks, you have the attackers, you have the defenders, but you also have something different, which is essentially sort of the power behind the throne. You have the platform companies, who, again, with the changes of the last couple of years, have moved from saying, whatever happens on my network, I provide a service, I'm not responsible, to now the big political and corporate debate is how much responsibility does that company, the Twitter, the Facebook, etc., bear for what happens on its network? When should it intervene or not? And then who makes it intervene? Is it government forcing it through legislation? We're seeing that in Australia, in Europe. Or is it the customer base saying, Facebook, Twitter, I'm not happy with what's happening on this network; if you don't do something about it, I might leave? So you're having a debate around kind of corporate and political responsibility that, again, wasn't an issue in 2016. I think the difference with the cybersecurity side that Andy touches on is, no one's yelling at the Ukrainian power company
for this in the way that they're yelling at Mark Zuckerberg.

Yeah, there's so much here. I mean, we could honestly chat for six or seven hours about this stuff. I want to move into talking a little bit about what's next, the future of cyber war, what's to come, and also the question of what's next for defense. I'm really interested in a part at the end of Sandworm that really talks about resilience. Well, there are a few parts at the end of the book that talk about different concepts: resilience, how do you respond, how do you deal with the situation where all the screens go black, what happens next. And one character, or again an actual person in the book, Dan Geer, is sort of this sage figure in cybersecurity, and he contributes this perspective about the need for sort of an analog backstop, or a return to paper, and maintaining that type of capability in society. But whereas right now we have a lot of people in the workforce who remember sort of a time before, where they remember the old paper systems they used to use, or things like that, it seems difficult going forward, with subsequent generations, to maintain something like that. So I'm curious to talk a bit about that and different ways that we can be resilient, and also just sort of what's next on the offensive side, which is the question everyone wants to know the answer to. Should we talk about what's next on the offensive side first, or do you want to talk about resilience? Whichever is more interesting to you.

Well,
Dan Geer lives on this farm, disconnected, pretty much off the grid, and it's very appropriate, because he has this idea that we need to maintain a kind of analog baseline to fall back to in the case of this kind of terrible digital Armageddon event like NotPetya, which he sees as likely to happen again, and possibly to happen at a greater scale and in the US. He has a flip phone that he keeps in his glove compartment. I think so, yes, that's a cell phone, yes. His tractor is like 25 years old, because he didn't want the new one with too many computerized functions and things. So, in Ukraine, for instance, when the first blackout happened, the Ukrainian utilities were able to just send out trucks of guys to manually flip the power back on at all these distribution stations across entire regions. The US is not as used to that; we don't have the practice of having to do that very often. Our grid is more automated, and in some ways, as a result, there's more attack surface. It's more vulnerable. Maybe it's harder to take it down, because we have better cybersecurity, but it might be easier to keep it down. Another example from Ukraine was that the postal service was hit by NotPetya and devastated; its network was just destroyed. But there were still Ukrainian civil servants who remembered how to work with paper. They had all of the cards from all of the magazine subscriptions, and all of the paper-based payment systems.

Sorry, I didn't mean to interrupt, but in Ukraine the sort of Social Security equivalent is distributed by the post office, right?

Right, the pension system runs through the post office as well. So they were ready. There were people there who remembered, and could teach the younger employees how to do things
the old-fashioned way, so that when all their computers were down they still could carry out their most basic functions, like giving retirees their cash pensions. Do we have that fallback in the US, and will we in 20 years? That's Dan Geer's question. As he puts it, we're in this generation where we're on the precipice; we're about to take a step into an era where we have no analog safety net. And he is kind of pleading to maintain that analog fallback, even if it costs more, as a kind of safety net in the case of these digital disasters.

I see Peter writing.

I just completely disagree with both the likelihood of that approach working and the value of it, and you can see that in three different ways. One, it has an over-time declining ability for you to implement. Simply put, less and less of the old guard is working at that organization, so over time you won't have that fallback unless you are paying extra, which means it's really hard to implement. Second is, life would be worse. There is a reason why we digitized banking; there's a reason why we digitized the power grid. It's everything from it's better to, if you don't have a smart grid, you're not going to be able to do anything about global climate change.
And then the third is, if you think about it in adversarial terms, and we played with this in the Ghost Fleet book: sure, you can operate, if you are afraid that an attacker might hit you and so you go back to the analog model, you can operate like it's 1975 again. But the attacker has already won if they've actually taken you back to 1975, because they don't necessarily have to act like it's 1975. So if you think about the parallel of Ukraine and Russia, yeah, Russia can hit, and if it sends Ukraine back, it's already won; it's won half the battle. So I don't think going to the analog model is either viable or the right way to approach it. I think instead you plan for resilience in a different way: you plan for failure, and you plan into your system how to either shrug off the attack or recover quickly. If you think about the examples of the Internet of Things, we are building networks that are incredibly brittle. We don't have to do that. You don't have to live on a farm to have a one-week emergency supply in your house, and flashlights. The other part of the analog model is, not everyone can do it, right? It's a parallel similar to social media, where sometimes, well, given all the harm of social media, we should just stop using it. Well, guess what, not everyone can do that, not just because they're addicted, but they need it for their jobs or where they live. So plan for failure. And then the other element of it is,
we've seen the scenario. Think about the story of ransomware: over half of organizations don't have a plan, don't have backups. If you've got the ability, yes, they take down your network, but if you can come back online, so what? So again, we can plan our way around it. And this is where I hope kind of the benefit of Andy's book is, helping people to understand, hey, these things are real, you need to be able to visualize it and plan for that. Not everybody go move to a farm.

Yeah, I think in some ways I've told Dan's story because it's a nice analogy, and maybe it shouldn't be taken literally, but it is a real... I think people are pushing that as a policy inside this town. I think Dan means it literally too, that he wants people to have a true analog fallback. But I think a better principle is just, let's think about how digital systems fail and make them fail safely, like if you build the equivalent of an escalator instead of an elevator, so that when it breaks you can just walk up the stairs instead of being trapped in a box. What that means, and you point to ransomware scenarios, and I could see these as I reported them out inside of companies like Merck and Maersk: there was a backup system, but it was a hot backup rather than a cold backup. They had a backup facility with all their data, but it was connected to their network, so it got infected and destroyed too. And Maersk had this even more dramatic, crazy story, which is that they
had all these domain controllers, which are the kind of backbone of their network, across the world, more than a hundred of them, and they were all designed to back up to each other, so that if one or twelve or twenty-five went down there would still be plenty of other copies of the domain controller backup. But they hadn't planned for a scenario where every single one of them is wiped at the same time, which is exactly what happened with NotPetya. As soon as they started this panicked process of trying to rebuild their network, they realized they didn't have a domain controller backup; they couldn't even start until they did. So they began to frantically call all of the data centers that they had around the world, looking for one copy of their domain controller backup, and they finally were overjoyed to find it in Ghana, where there had been a blackout, just a kind of normal, not a hacker-caused blackout, just a normal blackout in this Ghanaian data center, and the result was this one domain controller had been left offline at the moment that NotPetya hit, and all of its data was preserved. So they had to get that data back to their recovery operation up in this town outside of London, and they found that they couldn't establish a secure connection with enough bandwidth. So they tried to fly the Ghanaians to London, but they didn't have the right visas, so they had to fly the Ghanaians to
Nigeria, and then meet them in Nigeria in the airport and hand off a hard drive with all this backup data, and then fly that back to London and then drive out to Maidenhead and begin this process. So it was a kind of crazy, necessary relay race just to begin to rebuild their network. But it's also a lesson: if you just leave one of your domain controllers offline as a backup, you could have avoided all of that. And that's the kind of principle of how you recover from a ransomware attack that even hits your entire global network.

What else should we talk about, about what is to come next? Sandworm has shown that a group can be prolific in executing these types of attacks and can cross the line many times. Luckily the book came out yesterday and your predictions didn't all come true yesterday, so that was good. But what else is to come that's on both of your minds?

Well, the next step that I'm thinking about and tracking is, it's strange to say that's the next step, because it's already happened, that malware has caused not just disruption but actual destruction of physical stuff in the world. That first happened with Stuxnet in 2010, when this NSA-Israeli collaborative creation, this piece of malware, was able to infect a network in this underground facility in Iran that was being used to develop a nuclear weapon, and reach out into these enrichment centrifuges and destroy them. So we've been waiting for that moment to happen again, and not in this kind of targeted and restrained military action that Stuxnet represented, but in the kind of way that Sandworm does attacks, which is indiscriminate, that affects civilians, that doesn't discriminate between military and civilian targets. And just in the last couple of months, a new analysis that couldn't even get into the book, it was too late,
of that second blackout attack in Kiev has revealed that that may have been intended to be not just a disruptive blackout but a destructive one. This piece of malware used in that second attack, we knew back in 2016 that it was something really interesting. It was a piece of automated code that directly spoke to the circuit breakers in this transmission station in Kiev. It was the first piece of malware since Stuxnet that even did that, that sent commands directly to circuit breakers to open them. But it turns out, according to this new analysis by this company Dragos, and an analyst there, Joe Slowik, who looked at the incident response data and recreated the order of events, that the intention of the attackers, it seems, was that they would first use that tool to turn off all the power, but then there was another step, which is that they would use this little-understood component that attacks protective relays in the station. Protective relays are the safety devices that monitor whether electrical equipment has an overload of current that might burn lines or hurt someone or damage equipment. This little component of that attack would put those safety devices to sleep. The intention, it now seems, was that Sandworm, these attackers, would turn off all the power, and then it would put to sleep these safety devices, so that as the responders in this facility scrambled to turn the power back on, they themselves would cause the surge that could destroy lines or hurt people or explode a transformer, and lead to a physical-destruction blackout that would have been much more catastrophic than what we actually saw, and difficult to recover from; it could have lasted days or weeks instead of a matter of hours. So now we can see that that actually seems to have been an attempt by these hackers to cause that thing we've been waiting for,
an act of physical destruction on civilian critical infrastructure, and it only failed because of a small mistake they made.

Exactly. This tiny configuration error in that part of the attack designed to turn off the safety systems made it fail. But we were just lucky, and they may not make that mistake again. So I'm just waiting for this moment when one of these attacks succeeds and we see, for the first time, an actual act of physical destruction that affects civilian lives.

We're going to go to questions in just a minute, but do you have some other final thoughts about looking ahead?

So, wrapping up, part of why I'm so enthusiastic about it: he's at a different part of writing books. You have the research side, you have the writing side, you have the editing side, and then now you toss it over the wall and you hope it's well received. That's where he's at in the stage, and it should be well received. I'm at an earlier stage, of finishing up editing a project that hits your question. It's called Burn-In, and two of the elements, along some of the lines of what you said, that it plays with are: one, how we are going to see more and more attacks on other parts of critical infrastructure. So much of the discourse has been on the power grid and the like, and yet as we move to the IoT, every other part of our lives will be woven into this. And then second is that the types of attacks that we will see
will not just be information attacks, but we will see more and more Stuxnet-style kinetic physical damage, and not just being done by politically motivated actors, but by criminal groups, by terror groups, and with that goal in mind. So for example, you think about a smart home: you may conduct a murder via a breach of a smart home's network. So I may not try and do it at scale; I may go after my neighbor that way. Or you think about ransomware of a city. There's ransomware of holding the files hostage; there's ransomware of locking the people in the city bus until they pay me off, to allow the automated bus to stop driving around and let me off the bus, or close doors, or whatever. So Burn-In is playing with that idea of what's next, in both the attacker space, the targets they're going after, and the physical consequences of it.

Okay, so on that completely horrifying note, we're going to take some questions. I know it's hard to keep your question short, because this is such a meaty topic, I had trouble with it, but just keep it quick so we can get to as many people as possible, and wait for the mic to come around.

Hi. So, given your...

You're going to introduce yourself?

Oh, sorry. Mike Sexton, director of the cyber program at the Middle East Institute. So I was curious: a lot of governments, in particular in the Middle East, as they try to modernize and become post-petrochemical countries, a large part of that for a lot of them is so-called e-government, where all sorts of government functions will not be something that you go into an office to apply for, a passport and all these sort of daily things; a lot of it will be handled online, so that way things move more swiftly. But obviously that also carries with it the massive risk that you have virtually all of not just the government's own data but all of the citizens' data all in one place,
and that's a massive concentration risk. Given that debate that you guys were having over whether or not there's value in sort of maintaining the analog mindset versus just having a digital mindset but having backups and having better security, considering I don't think we're ever going to be able to say that these systems are perfectly secure, do you think it's even a good idea to have them at all, to have a more e-government?

I don't know. It really just depends what part of the government we're talking about. Technology, I think, makes our lives better, but a good example is voting machines. I think we've all come to realize that we don't want an entirely electronic voting machine; we want there to be paper backups, and those paper backups can be something that has nothing to do with the process until you need to do the audits. So it's entirely dependent on the part of government we're talking about. But yeah, I think that when you start to, whatever, digitize your government, then yes, you are inviting a new kind of vulnerability as well.

But again, it's the point of thinking about it in advance if you're going to do it.

Who else?

Ericard Coltman, CBP, retired. I know when they were talking about the centrifuges destroyed or delayed by the US government's worms, or whatever you call it, the presumption, I think, in the public mind is that there is a retribution, not stuff that we're supposed to know about, maybe even fully understand. So the scoreboard might be going on, there might be an actual retaliation event, and we simply just wouldn't know about it.

Well, I think that the idea that the US responded to that, the US
is that the American plan is that if you do a cyber attack on us, we're going to do the same to you. It's this kind of mutually assured destruction model that I think totally fails in cyberspace, because for one thing, I don't really want to see the US performing attacks on civilian critical infrastructure. But also, there is this problem that hackers at least think that they can get away with it, because of the difficulty of attributing cyber attacks. It's not easy to see who has turned out the power. It takes months of forensic work in some cases to trace it back to the source with any kind of definitive conclusion. Usually US intelligence does manage to solve those attribution mysteries, but hackers at least seem to think that they're going to get away with it. They always have a kind of cover story; in some cases they're throwing in false flags. So the idea that we're going to figure out who it was and hit them with the same kind of cyber attack back, it's not a good deterrent model, because they don't believe that they're going to be found out in the same way that we're going to know when the missiles are flying from the Soviet Union at Washington, DC. If there's a tit for tat, it's not going to deter anybody. I think it's more likely to escalate these attacks. What I see as the model of deterrence is that we say to them, we saw what you just did there, here's a whole new round of sanctions that's going to cost you and your cronies billions of dollars, here are some indictments of everyone involved, we know them by name,
this is Sergei, and this is Vladimir, we know exactly who did this, they're never going to travel outside of Russia again because we'll grab them. Those are the kinds of more peaceful, diplomatic measures that I think we at least need to try, on a snappier schedule, to actually try to control the behaviors of rogue actors.

Yeah, so to answer your question, there were definitively activities done, for example in the weeks before the 2018 election, that were not, for example, being done in 2016, that would fit the framework of what you talked about: aggressive, and we would call it defend forward. We got into, for example, the networks of... or sorry, we reportedly, allegedly got into the network of the entities that had been conducting disinformation warfare attacks in 2016. That happened. But to Andy's point, for it to be deterrence, it's not that you do something; it actually has to change the calculus of the attacker. So we did something, we did sort of the equivalent of turning off the wifi at the Internet Research Agency and the like. It did not change the strategic calculus of Putin or Beijing or any other actor that said, oh goodness, NSA, Cyber Command got into the networks, made the lives of the attackers a little bit harder, they also took down certain parts of their online infrastructure. It did not change the overall strategic calculus of "we ought not to do that again because it was more painful for us than it was for them." And that's where you need the attribution side, but you also have to have a broader consequence to it, and we've really not been able to master that yet. The debate that needs to happen is, first, how do we lift the level of deterrence in the Cold War meaning of deterrence by punishment: you don't hit me because I'm going to hit you back,
and raise that cost, be it through hitting things that they care more about. Putin didn't care about the lives of the hackers, whether the members of Sandworm's job got a little bit harder than it was in 2017. They do care about billions of dollars hidden in real estate around the world. You've got that deterrence by punishment or retaliation, and then you have the other element, which you talked about, which is resilience: building up deterrence by denial. I'm not going to do this, well, I don't think it's going to work the same way; either the attacker's going to shrug it off or they're just going to recover quickly, you know, Muhammad Ali rope-a-dope. So the value of me doing it is not the high payoff that I thought. That's how we can change their calculus.

I'm Fritz Mohazer, retired civil rights attorney. Two questions, following up on what you were just saying. I don't get a picture of the reward. We're talking about the risk to us, but the reward to the perpetrators: if you could just say who did it and why, and what was the benefit they reaped from this terrific, horrific... reflect on us. And second, how hard is it to do this? The risk might be really low if it takes a lot of people with very special skills a long time to mount this sort of attack. On the other hand, if it's easy, then we ought to be really scared.

To spoil the ending of the book in one fact, Sandworm turned out to be the GRU, Russia's military intelligence agency. And for them, I mean for any intelligence agency, I think, as Peter was saying, it's not easy, but it's a lot easier than some sort of SEAL Team Six operation, like sneak into the capital of Kiev and get into their electric utility and blow something up. I mean, digital stuff is cheap compared to actual physical kinetic warfare or sabotage. It's not that hard. So then I think you're asking, what is the reward? I think the question is really, what is the motivation of this group? And that is what I kind of spend the third
act of this book on. It goes back to a kind of detective story after the disaster story: so who are these perpetrators, why did they do what they do, and can I actually figure out what their names are, where they're located, and find them? You can read the book to see how far I got. But as for motivation, I did not actually get any interviews; I did not knock on the door of GRU Unit 74455 and ask them to explain why they did these terrible things. We can see that they were, I think, experimenting to build capabilities, to show the West what they can do, to try to impress the global audience with their capabilities and make us put that in our calculus of what we'll do to them in their areas of interest, like Syria and Ukraine. But they're also trying to impress, I think, their superiors, and there seems to be a culture within the GRU of, I don't know, an appetite for risk that is just insane, a kind of cowboy mentality that you earn your pay for the day just by doing the craziest, most aggressive thing you can think of, and then trying to outdo yourself the next day, and not even really thinking about the long-term strategic consequences, but just trying to impress your boss with that tactical win of the day. But I think that maybe the biggest overarching motivation of Russia as they do these things to Ukraine, and it kind of ties in with the disinformation and the hacking and leaking operations, is that it is another kind of influence operation. In a way it's a kind of terroristic effect, where you try to show Ukrainians that they can't have confidence in their own government, they can't actually experience security in their own country,
that Ukraine looks like a failed state. I think that's all this actually accomplishes, because it never wins them some sort of immediate tactical advantage in this war; they're targeting well beyond the fronts of the war that they're fighting in eastern Ukraine. So I think it's all about morale.

So there's a very clear, in these cases, political motivation. Russia at that time, and still today, was engaged in a conflict with Ukraine that alternated between being outright hot war, thousands of casualties, and then cease-fire. There's a digital side to it, but there are very clear political goals to it. I think what's interesting, and it goes back to Lily's question about the kind of norm building changing, is this was a type of attack that had a clear... there are two different, but the NotPetya exercise is akin to: they carried out an act that was politically motivated, but they also ended up setting a forest fire. They had a goal to disrupt Ukraine, cause this harm to Ukrainian society, politics, but, oh, by the way, I don't think they intended to have this impact on Merck or FedEx or whatnot beyond. They used a specific tactic or technology that got out of control, and that actually goes back to this
issue, and a little bit of connection to your question: maybe the norm is not, hey, nobody do this; maybe the norm is, if you're going to use these kinds of weapons, there are certain rules around the use of that weapon. So there is a clear difference between Stuxnet, which also sabotaged the target, but the weapon, the malware itself, was designed not to harm every other target in the world even if it got into other computers. By contrast, there was an irresponsibility with NotPetya that, again, it hits and harms all these other targets. So maybe the norm building is, we give up the "hey, nobody do this." We accept everybody's going to engage in cyber warfare of some kind, but even in this space there are rules to the game.

Yeah, I mean, this is a really important fact that we didn't actually get at, which is that it does seem that all the damage beyond Ukraine was collateral damage. Of course, it was avoidable collateral damage; they could have restrained their worm, using techniques like finding the tax ID number of this accounting software they were hijacking to know their victims. And in fact Russia was a massive victim of NotPetya as well, which really, I think, proves that it was largely accidental that it spread beyond Ukraine. But I also want to be clear that if they had responsibly limited this attack to just carpet-bombing the entire internet of Ukraine, that's not okay either, and we have to have rules that are more constrained than that even.

Okay, I think we have time for one more question.

Hi, my name is Heath Stockton, with Booz Allen, and I am hearing rumors that the insurance companies that paid out some of the victims are starting to kind of push back and say this was an act of war, and they don't want to pay. And so I guess it gets at a couple of things: the rules of war, but also the precedent that's going to be set if they are victorious in not paying them out. So what's government's role going forward?
Well, it's not just a rumor. Zurich, I think, has said directly to Mondelez, we're not paying your claim on your hundreds of millions of dollars of damage from NotPetya, because that was an act of war. When I read that, I was like, thank God somebody else is saying this, pointing to the elephant in the room: this was an act of cyber war, even if they have some hundreds of millions of dollars of incentive to agree with me about that. I'm not sure. Do you think the government has a role in solving that? If you buy an insurance policy and it says we don't cover acts of war, then you should know, yeah, you've got to think about the fact that you could become a victim of cyber war too, and that's not covered. Maybe it's just for your lawyers to figure that part out.

But the parallel that we're... and this will be the debate, it's already started, is a parallel to terrorism risk insurance post-9/11. And so the government says, okay, we will guarantee, we give you this kind of protection, airlines and the like; however, this is what you have to implement given that. So if you do see that kind of immunity given, there needs to be that other side of it, which is, oh, by the way, if you want to get this kind of protection, this is what you have to have in place. And that's the part where both sides of that debate are still to play out.

Yeah, well, this has been a really fascinating conversation. I think we should all meet back here for a reunion panel when Burn-In comes out, and we'll check in on where we are. I thank you both for joining me on the panel, and everyone should go buy Sandworm. Thank you so much.