All right guys, let's get started. You ready to party? Yeah? Then what the fuck are you doing here? All right, we're gonna have a good panel. We have really smart people here. I'm here to bounce out their IQ, so it's all good. So we want to have a lively panel. Line up against the wall. You will not be shot. Maybe. Exactly, we want one beer. So bring it on.
So my name is Dmitri Alperovitch, the evil Russian. I run threat research for McAfee. As every conspiracy theorist knows, we are writing all the malware. If you haven't seen our stock price, you should take a look. It's really working well. In Soviet Russia, malware writes you.
All right, so let's get serious for a minute. We have a pretty serious topic: cyber warfare. If you don't think it's a serious topic, your politicians, your policymakers certainly do, and they're enacting lots of policies and laws. They're gonna impact all of you. So it's a good topic for discussion. I'll let the panelists introduce themselves, briefly explain what they do, why you should listen to them. So let's kick it off.
My name is John Strand with PaulDotCom.
My name is Ed Skoudis. I'm with InGuardians. I'm also an instructor with the SANS Institute. I've been involved with cyber warfare planning and ideas and strategies and such for the last five years, and I'm excited to be here.
I'm Phyllis Schneck. I run threat intelligence for the Americas from McAfee. I'm shocked that we write all that malware, but thank you to Dmitri for your labs for that. I also lead our critical infrastructure protection work, and I used to run the FBI's InfraGard program on the private sector side. So hello to all of you who text message me from InfraGard. I appreciate it.
I'm Marc Sachs. I run the Internet Storm Center. I fired my first evil packet in hostility in 1998, and I was on the cover of Computerworld as a cyber warrior in 2000, if you can believe that, in uniform no less.
Yeah, big deal, right? And you were strapping back then.
Yeah, we'll ask Marc to show his scars from cyber warfare later on.
All right, let's kick off the discussion. So to frame it, I want to see how you define cyber warfare. Do you think it's hype? Is it real? Have we seen examples of it? Does it need to involve loss of life? What do you think cyber warfare is? Anyone?
You know, I think a lot of this debate started with Marcus's presentation in Malaysia, talking about what it was, basically cyber warfare is bullshit. But Marcus is equally fetching in a uniform. Don't ask what kind of uniform, though. He's got pictures on his website about random. Yes. Yeah, sure.
So, you know, when we're talking about this, I think it can be broken down to a lot of different semantic definitions to basically say: well, is it a nation attacking another nation directly? Is it going through proxies? Are they actually trying to bring down infrastructure? Are they trying to bring down the power grid? What is it that they're trying to do? And I would say that any time you're doing any type of reconnaissance from country to country, doing things like espionage, I think it would qualify under that broad umbrella.
I don't see that you would call espionage warfare, the thing that we've been doing for thousands of years.
Yeah, absolutely. If you're actually doing hostile actions without actually launching... It's not. Political espionage is not hostile. Yeah, I think it's something I would say it's a precursor, though. I definitely say it's a precursor. Absolutely. Oh, yeah.
Well, it's not that hard. It's access points wide open. So, so, but other definitions, please. Come makes it legal. Yeah, it makes it...
My definition involves a nation-state, not necessarily the nation-state on both sides. It doesn't have to be state-on-state action, but... Wow. But the state is either a target of perhaps a non-state actor or the maybe a state is sponsoring the kind of the...
It has to be internet-based?
It does not have to be internet-based.
No. There's, there's all kinds of technologies that are network-based but aren't internet-based. It also doesn't have to involve the loss of life. There's plenty of forms of warfare that don't involve the loss of life. It has to involve some action of manipulation, some, some level of a violence to achieve a political goal, either from a nation-state or to a nation-state. That's how I define it, cyber warfare, and I take espionage out of that definition because I think otherwise it just gets too blurry and everything becomes some form of cyber war.
Because it's so clear otherwise. That's right.
So animals been fighting since they walked the planet. We have always been at war in some way. We just have some new toys now. So I think while we do need to define it so that we can work it, more important than defining it is understanding that cyber events cause physical consequence. Whether you take out part of a financial infrastructure or you get into, I'm sure this will come up later, so let's go for it, the grid, if you cause some change to our way of life, whether you're a nation-state or a bored kid in your bedroom, that is in some way a piece of this new electronic warfare.
When do you have a question? Is that a hearth gun? You don't have a beer. You're just happy to see us. Yeah, you're working on your Jeopardy questions for tonight. Come on down. Yeah, are you in line for a question win? Are you just standing up against the wall? That's the question. That's like the question line. You're ignoring the rules. Oh. Then bring them on up, please. Please, father, come forward. Bring order to this chaos. We have a mic for you. Use the mic, sir. I'd love to hear more about your daughter.
I have three daughters. I can't bring order anywhere, sir, but thank you. I had two questions. One is: you're the four-star, sir, or you're commanding the new cyber command, okay, for a moment now. Here's the issue or the question. How do you, you know, you watch the movies and it says the Air Force, the Pentagon has all this great apparatus for visualizing the battle space. You see Bruce, Bruce Willis call somebody and that kind of thing. But, but in reality, how do we use technology to depict cyberspace, and, and depict it connected to kinetic space? One thought someone said at one point was go to a planetarium and then just begin to free associate, but the question is: reaching forward, how do you present the battle space that is cyberspace in a way that the, you as commander can see what you need?
So what you're trying to do is visualizing cyberspace?
Yes, sir, that's one question, and then the, the other...
You're asking two questions and no beer. I'm sorry. One is the limit for freebies. I noticed the airborne wings, with full respect all the way, sir.
Yeah, the internet is a series of tubes. Phrase your, your statement as a question. And they're for pork what question is help for that four-star commander, God blessing or her. How do you visualize? How do you, how do we visualize cyberspace? How do we do it?
Most people use Windows 98 with...
Thank you. I think, I think to answer the question, I think that anytime you're going into that, if you're a four-star you've got to be very goal oriented. What is it that you want to do? Otherwise you can get completely buried under all the minutiae of all the third-party applications. You got to say tactically, this is what I want to achieve, and then focus on the points that will help you achieve that particular...
What's missed a lot of times too is the logistics world.
Yeah, you know, it's not just about operations. It's not just about getting in the way of weapons systems and things. But there is a lot of things you can do to screw up an opponent's logistics side that is just as fair in this type of warfare and sometimes far more effective. And, and because the logistics world is connected to the internet, whereas most command and control systems aren't, that's a direct path for a lot of opportunity seekers per se, even those who want to get into a war that are not necessarily combatants.
Let's get out of theory and talk about examples. Do you have an example? All right, go ahead.
Example is the airplane I flew in today. I'm really glad my pilot knew there wasn't a 747 next to me, or if he didn't know it, he found it, and he found it on radar. So what they've done in the air community is they've taken all the planes in the sky and they've triangulated that in many different points, and they show a pretty little airplane in a horizon line to the guy flying the plane, that doesn't have to do much to figure out how to stay away from it. And that's what we as an industry have to figure out how to do with cyberspace.
One of the things that I really liked about the question is it talked about the fact that you've got the cyberspace and you've got, call it the kinetic space, meatspace, whatever you want to call it, and visualization that can bring both of those together. One of the things that frustrates me is when we start talking about the cyberspace, some people get a little bit of, you know, hippy-dippy on this kind of stuff, saying oh, it's a, it's a completely man-made environment where you can just recreate the rules. Remember Morpheus talking to Neo, right?
For those of you who keep your eyes, Ed Skoudis is number one. It didn't even take you five minutes. That's a record pose. Give it up, Fred. A round of applause for Ed Skoudis, everybody.
The fact of the matter is, as much as we, you know, love Morpheus.
No, there are some rules in this space, and, and, and really if we can overlay the physical space and the cyberspace, it allows us to kind of get the holy grail here of joint operations. I was doing a presentation at the Pentagon, not classified or anything like that, and I was going through an attack scenario. There's a computer here and here and here, and there was a guy sitting in the front row, and he raised his hand as I'm going through this hacks this and that hacks that. I said, yes, your question, sir? He raises his hand. He says, what about that one machine over there? What do you do with that one? I looked up at it, said, oh, that one, that doesn't matter. You just blow that one up. So I continue to present, and a couple seconds later he raised his hand again, you know, fully uniform anything. Yeah, yes, what's your question now, sir? When you said you blow that computer up, did you mean kinetically? And I thought, that's just, no, I meant, you know, like blue screen or something like that. But to have that in your bag of tricks gives you some additional capabilities in... And likewise, likewise for a big of a bag...
Well, they get through to you as a marine.
But, but, but the ability to do joint operations between cyber and kinetic warfare is a very powerful thing, and, and I think we need to think along those lines, and our visualization should also encourage that thing.
All right, so have we seen cyber warfare? Let's talk about another question because we got a few, we have one lining up. Do these ones have beer? No. They're still dry. He's halfway drink. That's good enough. I'm cheap, bring it up.
Sorry to be a pain in the ass. If you got an empty seat, please raise your hand, because there's a bunch of people standing in the back. If you're on that wall, you better have a fucking question. And fucking beer. And fucking beer, there you go.
We got a dry question. Okay, so let's go with your name and what street you grew up on, please, and your mother's maiden name. Social security would help too.
Oh, we can get that later. My name is Johnny Long, I hacked up.
Okay, so I'll give you two questions. You can answer which one ever sounds fun.
Did somebody email those questions to you, sir?
No, I have to take notes. I'm really, really stupid up here.
Fair enough.
So are we... Okay, the first is: what part does active response play in cyber defense? And the second one would be: we've seen a lot at this conference about cyber warfare on network-based services to users and such. How will that evolve into attacks on SCADA-based networks? So answer what you like.
Well, we can start off active defense. You know, there's a whole continuum of defensive things we can do. You can change passwords, you can put in firewall rules, I mean very low-level. There's an upper part that, that crosses beyond and gets out of what a normal defender does. You can shut down TCP sessions, you know, do a reset attack, you can deflect attacks, you can do keystroke monitoring and go back and hack back, and, you know, after a while you kind of cross this line. A lot of times it becomes legal in terms of what, what can I and can't I do. This is where, if you are in this space, you have a good lawyer in your back pocket that's keeping you honest. Unfortunately, we have a lot of cowboys now that are coming into this world that don't understand that, and they don't know where the lines are, and they put their country at risk because they do want to actively go out and try and find out what's happening. That's, that is a problem we're going through at the moment as we're beginning to learn what this means about cyber conflict and cyber war, and we're going to have to work on that.
And one of the things I... go ahead. Okay, one of the things I really, really, really want everyone in the room to start thinking about is, anytime we bring up active defense.
There's a bunch of people that get this knee-jerk reaction that says, oh, we can't do that. I want everybody to start thinking about it at the very least, because there's going to be a point where we do need that type of capability, and at least it'd be cool if that capability existed. One of the examples I'd like to say is, who was in Valsmith's talk today about MetaPhish? Raise your hand. It was a really, really cool talk. We were talking about malicious PDFs, right? Why don't you seed those throughout your environment? If somebody gets access to those PDFs that they should not have access to, and they open them on their system, we now have a back door into their computer. Now of course you want to consult with a lawyer, because there's smart ways to do this and there's ways that are very, very dumb. But at least start thinking about that capability, because it might be something that you need to ramp up on very quickly.
All right, so examples. Back to the question I asked half an hour ago: have we seen cyber warfare? If yes, what are the examples?
We got SCADA.
We'll ignore that one.
I want to talk about that for a minute. So Bruce Willis did a really big favor for us as a country. He taught our policymakers a few things, right? That's what Bruce Willis did. That movie was educational for a lot of the Hill, right? What hurt us is that there are people, not in this industry, but there are people running around thinking that that's how it happens. So we use the word SCADA. We really should be saying industrial control systems and looking at it. It's actually not that easy to, well, maybe in this room it is, but it's actually in general not that easy to, quote, attack one of these. It's everything we built around it.
It's the internet systems that we built around, it's the IP-enabled back channel connections that we put around them. And a lot of the ways to get in there are not even internet. So looking at that is clearly something that is going to be part of cyber warfare, because again, you have that cyber event causing a physical consequence. What Bruce Willis did, though, as he did stir, he did stir the Hill to start thinking. But we do need to make sure, as people in this industry teaching the rest of the world, that probably isn't true that there are nine or ten Chinese citizens in a hamster wheel inside the smart grid. So just need to start looking at how to differentiate the terminology and teach people a few things.
And to Phyllis's, you know, first point when she said, you know, humans have waged war for thousands of years, and it just moves into these new domains as we do. You know, when we started to be seafaring, of course we started waging war in the water. When we started having airplanes, we waged war there. Space, yeah, it's very expensive to wage war up there, but there's certain pieces. It's going to spread to cyberspace, and cyberspace, it will consist of components including the SCADA systems, the smart grid. War will go there. And when I first started doing this kind of work, it really kind of saddened me, and I was frustrated, and I had all these sort of ethical, moral qualms and such.
You have come back then?
No, actually I lost it before that, thanks. People in glass houses, right? So anyway. But you know, I started thinking about this, and first of all, it's inevitable. You could try to fight the militarization of cyberspace in that, but, but the people do engage in war. That's what we do, and as we engage in new arenas, we will engage in war in those new arenas. I don't think you should delude yourself. So I started to think about it in these new ways, and remember that, that old Dr. Strangelove movie, right?
And I realized, you know, it's how I learned to stop worrying and love the hack, so yeah.
You know what, you keep asking about real-world examples, and to just tie into what we're talking about: how many of you have heard of the Farewell Dossier? Show of hands. A few. Oh, we need some educating. I think if you give them a year... Yeah, right, might have heard. Write that down in your little book of things to do: Farewell. That's gonna be a question on Hacker Jeopardy tonight. Yeah, we're taking notes. There we go. There is a wiki page on it and there is a CIA page on it. It's a very interesting real-world event that happened back in the early 80s. Someone called a supply chain attack. We did some manipulation of equipment that the Russians were, or the Soviets were, trying to obtain from the West, and obtained in a strange manner. So we gave them the equipment they were looking for, but it had a value-added feature, and once...
This is one outstanding. Oh, yeah, this is a good man. This is a good, good. This is a good, good. You, my good friend.
So once the equipment was installed, the value-added feature allowed the country of the United States to execute the detonation of a very large natural gas facility in the Soviet Union. This was in 1982. And it really set a kind of precedence there, mainly because it shows our nation has the willpower to do this.
So you define this as a cyber warfare act in its infancy?
You got to put in context where we were in 1982 in terms of networks, very different from today. But if this was 1982, that would clearly be an act of cyber warfare.
Let's talk about the hype for a second. Estonia, all that other shit that's been going on. Oh, don't, North Korea, North Korean. So I love the North Korean example and the unnamed US officials that said they traced it to North Korean IPs, when North Korea doesn't even have an internet connection.
They operate out of China. We're the gerbils again, I don't know.
So there was an interesting article in New York Times, so it must be true, a couple of weeks ago about the Russian-US bilateral negotiations where the Russians are bringing up the issue of a treaty they'd like to have on cyber war, cyber warfare disarmament, and the US, the State Department, obviously is not too hot on the idea. What's your take on it? Can we have a treaty on disarmament in cyber? Can you verify it? We do such a great job of that in WMD space. Can we be successful in cyber? Yeah, go ahead. Not enough, sure.
Well, you know, I think if you, if you have a treaty like that and China is not involved, it's, it's not terribly useful, kind of meaningless. And so I'm concerned about having the signing something like that. Also, I do think that because of the asymmetry and the very low cost barrier of entry, even if you had such a treaty, organizations and governments could develop these capabilities without, without the other side knowing. Inspection is almost impossible. When you make nuclear weapons, you have residue. When you make chemical weapons, you need industrial infrastructure that can be tracked to some level. But when you make cyber weapons, as long as you're careful, the other side can't really find that.
We're always so good at following treaties. And besides, cyber weapons are made by our enemies. You know, in nuclear warfare, we made our own nukes and the Russians made their nukes and the Chinese made their nukes, but in cyber conflict we use software written by the Chinese, hardware made by the Russians, and vice versa.
And vice versa. Thank you. It's key.
So who won't probably dead commence. Yeah, and Dan Kaminsky. Yeah, and McAfee make sure that there's a value-added feature.
You have a question, sir? Hold on a second. We were just asked, I see his hand doing this. Is this a dry question or a wet question?
We were just asked a wire, a wet question, since we had a lot of people who were asked to do the introductions again real quick, so people know what...
Introductions again? Oh, that way. Internet Storm Center, retired military, and used to do this stuff for a living.
Phyllis Schneck, VP of threat intelligence, the Americas, from McAfee. I hope I still do this stuff for a living.
Ed Skoudis from InGuardians. I've been working on cyber war strategy and tactics for the last five years.
John Strand with PaulDotCom.
Thanks, Paul. You guys all know better. There should be more beer up here, so thank you.
All right. Dmitri Alperovitch, McAfee. What's your question?
All right, quickly, to try and save time, make my question short. Audience and speakers, who has read Daemon, a book, Daemon?
He's gonna be on the show. Okay. We've got one there. When did you get that question? We're right, so you scared win away. Okay, so for PaulDotCom, that's sort of my, there you go.
If cyber warfare in my mind really happened, it would be that. Accepting that, I think there are a lot of us, when we hear about cyber warfare in the media, when we read an article in the New York Times, we really, really roll our eyes. And when you talk about attacking information infrastructure, a lot of it's still physical act: blowing a satellite out of the sky, renting a backhoe and taking out a fiber connection, things like that. That to me is cyber warfare. That is physically denying something. But when somebody sends a bunch of denial of service attacks, that's easier to pull the plug on, and it makes me feel incredulous a lot of the time when I hear about cyber warfare. You know, what is something that's practical and something to be worried about? Because when you, you know, go to some sort of war in, North Korea is causing a problem, they're out through China.
It doesn't matter so much. We can lose China for a couple days while we sort it out, and the world won't end.
It's called appropriations. And it's called 17 billion dollars of new money that's been thrown out there so that we can protect ourselves against the evil DDoSing North Koreans.
When was that exploit originally, and we're boring from China, 2004?
You know, you make a good point. But you know, in some of the discussions that they're having on this, the, the analogy that is being used is, is that of a blockade. A blockade is an act of war, right? You know, blocking access to a port so that ships can't get in and get out. There's economic effects of that and so forth. So if you accept that a blockade is an act of war, which it has been for a good long time, what is the internet equivalent of that, or taking it off the internet, the cyber equivalent of that against the smart grid and so forth? I think you could very easily make direct analogies.
Fair analogy.
One of the things, you know, I want to get away from the semantics of this, because I really think it's irrelevant whether or not it exists, because does anybody in the room believe that governments are not partaking in, like, cyber espionage, warfare, whatever you want to define it, activities? Cool.
All right, so let's move past that, and let's try to figure out, if we're living in a world where organizations, large, large-scale non-state actors and nation states are funding hundreds if not thousands of people to develop offensive capabilities, how does that impact you? And I think that that's probably the more pertinent question. We can debate whether or not it exists and how we want to define it all day, but I desperately think we need to start figuring out how we deal with this in the world today, because it does change the way that we have to model our threats coming after our environment.
Scary part too is, in the 21st century, cyberspace, and we all hate to use that term and we wish there was something better, but that's what we've got, is the economic engine. It's like the industrial age. It's the steam of the industrial age, except now it's in the 21st century, and we're going to fight over it, and we're going to contest it, and we're going to deny it from each other. And so it's going to affect the economy just at a time when we really need the economy to be taking off. Do we want to contest cyberspace or do we want to make it into an economic engine? Which is more important for the future of the country?
But if we're going to move down that path, I don't believe that that's something that we can defend as a nation. I think that the defense of it actually has to be in the hands of all the people that have their own systems. In short, they've got to start defending their craft.
A second amendment in cyberspace would be a good, that would be, yeah. Right to bear digital arms. Yes.
All right, next question.
Concealed carry looks like in cyberspace.
I'd like our panel to just go down, you mentioned McAfee is getting some money out of this...
All right. We had a mind reader.
You mentioned economics. If you guys could just go down one by one, and, and if, and you can't pick a previous choice, name who you think is making money off cyber warfare.
This is easy. Go ahead. Yeah, that's very straight.
Go ahead. I'll let Marc start.
Yeah. Okay, I live in Washington, live and work in Washington. There's a large number of defense industrial base contractors that the, I like to lovingly call them the boat builders, but they build a lot more than boats. These are the, the well-known defense contractors that build the aircraft carriers, the aircraft, tanks, etc. Every one of them smells money when we start talking about cyber security. Every one of them have stood up some type of cyber security branch, detail, expertise, whatever. None of them run networks. Where is the expertise? How are you experts in cyberspace if you don't run networks?
I read a book. That's the SSP. And they slept at a Holiday Inn Express last night.
So on the other side, the people making money off of this are the crooks, right? Half of Romania, a good part of Russia, your ancestry, Dmitri.
Ancestry, my family.
It's trying to be nice. So there are two sides of this, with the bomb makers and the weapons makers and the Kevlar and, and a lot of the industry as a whole are working closely. We're even managing to collaborate. I won't go so far as to say information sharing will ever work, but we've been going so far as to try to collaborate, to try to put different parts of the puzzle that we all see together to create that situational awareness that I believe the gentleman in yellow I asked about, visualization, a little while ago. But to the point on information sharing, one of, one of my own pet peeves up in Washington is, the bad guys do this, right? They learn it in the prisons.
They take it on the street. They keep their relationships, and they have information that they need 24/7. We have the biggest problem because of all the regulatory and the legal and all the issues we have around us with corporate competitiveness. So before we start thinking about who's making the money on it, how do we start looking at how we pull that expertise that was mentioned together as a community to fight that? Because the bad guys are already doing it, and they're way ahead.
Consultants, contractors, vendors. Certainly from a defense perspective, cyber defense, there's a lot of money that is going to be made as the nations, the nations of the world change their defenses. And also from an offense perspective, there are going to be vendors. There currently are vendors that are starting to make offensive cyber weaponry. So yeah, there's a, there's a lot of money involved in this.
So who makes money off of cyber warfare? I do, and so do you, and let's figure out what that actually means. How many of you guys are really frustrated whenever a big virus or a worm hits and it's on the front page of the New York Times, your boss comes down to your office, you know, from on high, comes down into your cube, a little bit frightened to be down there, and he basically says, have you heard about this?
Yeah, I get, I get all of my internet security news from the front page of the New York Times.
I get mine from the Internet Storm Center.
Yeah, shameless plug. Or USA Today is one of my favorites. So, you know, I hate to say that we should be using fear, uncertainty and doubt as a tool, but we should. For every one of you in this room, if that's what it takes for people to finally understand and visualize the threat, then use it, because right now they have this visualized threat that the attacker is outside in his grandmother's basement trying to break in, and they think that that's a relatively marginal threat, even though it's wrong. But if you say the Russians are after our computers, or the Chinese or the Israelis, insert any country here, maybe they'll finally start listening to some of the crazy things you want to do, like proper logging and hardening systems and that type stuff.
Who's making money? The energy companies. What do you think powers all the servers?
Next question.
You guys touched briefly earlier on in nation-state warfare, state-on-state...
Hot state-on-state. Yeah.
Is, as somebody who has to work to help kind of protect a large and fairly talented and not very, sometimes clueless, it's strange population, how do I minimize collateral damage in an instance where we have a, for example, say an American company gets sold to a Chinese company that makes laptops, for example...
Who would that be?
And they said not, and they said, and then they, like, sell Trojan hardware to us. How do I minimize collateral damage in an instance?
That's a value-added pressure, value-added feature. That's remote management.
Okay, or better yet, how do I get hold of the API so I can use that?
Are you good with OllyDbg?
What, where do you think that company was making the hardware before they sold?
Now, a very fair question. Even, like, just the good old supply chain: most of our chips and things are not made here, except for very specialized ones and weapons systems, but consumer-grade products all made overseas. How do we know that they're for real? How do we know they're not already backdoored? Everybody's aware of the problems we've seen in consumer devices. The digital photo frames and iPods and countless things have come preloaded with malware. USB sticks come preloaded with malware. That's a very interesting angle for cyber warfare: rather than doing it, an attack, directly over in a network, do the attack through supply systems, and it works great because the social engineering factor kind of amplifies the attack. So this is not just a single method. It's not just internet.
You did mention collateral damage. One of the things that is often talked about is, what is the weapons system in cyber warfare? Is it physically the keyboard? Is it physically the wire? Is it virtually the packets? Is it the Cisco routers? Is it the fiber optics? I mean, what, what exactly is the weapons system? And what's, who are the combatants? We tend to, as civilized countries, we tend to understand what the weapons are, the combatants, the non-combatants, the hospitals. How do we define that in cyberspace? Is a Cisco router a weapons system? If it is, can I take it out? Can I shoot cyber bullets at it? But what if it's moving hospital traffic at the same time? Does that make it a Red Cross platform? These are, these are the types of things we, we don't have answers yet, but I think it's a very interesting discourse.
Kind of goes what, what Ed's talking about. We're using some previous analogies. How do we answer these questions based on our history of how we've done warfare in a classic sense?
And you need to start thinking about these different analogies and, and how they apply. You know, and blog about this stuff. I mean, we're right now at a time when we can have a discussion. I mean, they're defining what cyber warfare and weaponry is going to be, so, you know, use your voice here.
That's, you know, that's a very good point, because in nuclear warfare, while the nukes themselves, the yield and how much we have, is highly classified, talking about it and talking about what we do and what we can do in restrictions is completely out in the open. Yeah, why don't we do that in cyberspace? I love your idea about blogging. Yeah, we really, we really need to make it a public discussion.
Declassified cyber warfare?
No, no, open the, open the conversation. That the techniques and the tools and things, like in bio, chem, whatever, we can keep that locked up. The actual talking about its use, the deployment, limitations, other things, the policies, wide open.
Yep, and let's start talking about as a community. Let's start, I mean, DEF CON's a perfect community, start commenting on this.
One of the things... Sir, next year come stimulate us.
One of the things I also like, when people have these types of conversations and basically saying, well, how do I defend against this type of thing, is, you know, defense in depth is dead in so far as that we've been doing it wrong. When we're talking about defending our networks, we seem to think that a collection of security technologies from vendor A, B, C, D and E is somehow the same thing as defense in depth, and I honestly don't believe that that's true. So what we need to do is start thinking, okay, so what happens if my workstations become hostile, or one of the workstations?
What happens if my router becomes hostile? Take your network diagram, spin it, close your eyes while you're drunk, and put your finger down and stop it and say: if this is compromised, what does that do to my entire environment? And if it basically compromises your entire environment, you do not have defense in depth. It's time to go back to the drawing board and figure out ways that you can have a more layered defense in that. What do we do about the one story mark, but there is no perimeter? How can you have defense in depth with no perimeter? Even better. Even better, and I think that those are some of the hard questions that people have to start asking themselves. Why in the hell is it that in most of our organizations we allow our users to go into the internet completely unrestricted, and they say, oh, we'll use Websense? Allow our users to go to the internet completely unrestricted. So in short, we basically impose this lack of a perimeter on ourselves, because they want it on their BlackBerry, they want to get access to eBay, they want to go to Newsweek, where there's ads that are being put up with malware in them. So we've got to start defining those types of boundaries. So we started talking about offensive stuff a little while ago. What do we do about the issue of asymmetry, the fact that we in the US and our allies are so reliant on cyber whereas most of our enemies are not? As Rumsfeld famously said during the Afghanistan conflict, we're not running out of targets, Afghanistan as our enemies are running out of targets. How do we create offensive opportunities for us if we don't have ways to hurt them in a cyber arena? I think that that argument is actually, you know, given that we have a lot more targets than they do, is an argument for us to participate. What, what's that?
Well, they have a lot more that they can attack on our infrastructure. Exactly, so that's an argument for us to learn more about cyber warfare, prepare more for it, and of course to engage in the defensive strategy and planning, but also understand what the offenses are, because they could be turned against us. But in terms of our offensive options, should we include kinetic response as part of the options? Like I said earlier, I'm very much for joint types of responses. So I think that needs to be on the table. I think it's inevitably on the table, especially if there happens to be loss of life. So in that spirit, going back to something you said a minute ago: where is the perimeter? So does it have to be at my gateway? And if our network was smarter or re-engineered, or... Should something I said necessarily arrive where I want it to? And why is it that we're not looking at how to make the network fabric a lot smarter and not routes on this garbage, but whatever the... Yeah. There was a government... we need to start looking at as well. There was a government organization that I was working with, and they were trying to identify what the hell their perimeter was, and they went through and they mapped their entire network and they said, well, we've got like 45 different egress and ingress points in our environment. They said, how many of those are documented egress or ingress points? They're like, five. Yeah, so what are these other ones doing?
We have no clue. But, you know, you keep asking for real-world examples. 1998 was a fun, interesting year, because the year before, when we had Eligible Receiver and things like that, we showed what was theoretical, and then February of 1998, while we're dropping bombs on Baghdad because Saddam Hussein was kind of getting out of his northern fly zone, southern fly zone, the United States Air Force comes under attack, and then the thinking in cyberspace... And the thinking was, this is coming out of the Middle East, all the attribution's pointing back towards Iraq, it must be Saddam Hussein that's attacking the Air Force. In the end, for those who know the story, it was two teenagers in California. They were masquerading as the Iraqis. Desert, desert... Yeah, and so this type of asymmetric thinking... Saddam was paying them, right? Oh, Saddam's paying... well, actually there was a loose connection back to Israel, and then it quickly gets classified after that. But it does point out the fact that we, big mighty Western civilization, with our billion-dollar systems and the capability to, you know, carpet bomb the planet, we're up against these little countries that can come in and tickle us with a DDoS and watch Washington just go into a panic. In the end this North Korean thing will turn out to be some teenager down in South America, and we've gone through this big spin just like we did back in '98 thinking it was Saddam Hussein. We've got this boogeyman painted on our forehead where we think that every little nation out there's going to poke a stick at us in cyberspace. In some cases, we need to get real about this. This problem, a lot of it is fantasy, but we need to get real. Do you think Estonia was hype? Hype? Oh, yeah, there's a lot of good media out of Estonia, sure. But it was educational. While there was a lot of hype certainly with it, we learned lessons and are better prepared to engage. Please. Throughout the conversation so far.
There's been some talk about physical reactions to cyber terrorism or what have you. And kiss it like your cousin. Ha ha ha. Well, yeah, you had mentioned that it's hard to actually attack the infrastructure in, let's say, the industrial automation world, but I worked in that, doing some programming in there for a couple years, and the current trend is to move it towards what they call the OPC Unified Architecture, which is based on web services. And... That means I can Twitter my nuke, right? Right. Well, and I've already done some... Chatter and touch me. I've always done... I've already done, like, a little bit of proof-of-concept stuff with some of the new OPC servers and clients that are out there, and possibly, you know, with some of the physical devices... A metaphoric movement. Well, yeah. What are we doing to prepare these industrial companies to handle this? Because it's gonna be really easy to attack these devices. We asked them, we asked them very nicely with a letter. A lot of people are freaking out. So in my day job, we do a lot of educating ourselves on what actually is the problem, because all around us are people coming out of the woodwork saying, I have the fix for SCADA, and they're running to the Hill with it and they're running to electric companies with it. Electric companies, you sit down... We just talked to them and ask them: what does it look like for you?
How can you be helped? Teach us about this. And what we get back is, we need to learn about the NERC CIPs. You have organizations like NERC and FERC doing good work, NIST building standards, but no one is getting together, coordinating this and communicating it back to the industry. The threat hasn't actually been defined. I would argue there are eight people on the planet that actually understand the insides of industrial control. There are probably nine that can define availability and reliability, and yet they're going to start fining people... organizations a million bucks a day simply for not becoming under compliance regulations they don't know. And then, to your point, they move the whole thing onto services that my three-year-old niece can probably get into. The mic a little closer. I don't kiss my cousin George at that long. So... Social engineering at work, folks, social engineering at work. The answer is, we as an industry, and this is probably a great forum to do that, need to find the people that understand the insides of these industrial control systems and learn about them. There are people doing this, but understand how you protect it now, how you protect it through the evolution of going from the green screen in the windows. Some of these are running on the boxes on which you played Solitaire 11 years ago, and they're moving forward building the new ones. But it's a process, and in that process there probably is a hamster wheel with some other nation-state actors in it. I'm trying to get it, but we as an industry have to come together and figure out what the road map is. All right, we have a lot of questions. Let's move quickly. So one question, one answer, real quick. Be concise. What do you guys actually qualify as... you guys were talking about earlier, cyber scar... I can show you my cyber scars after this. What do you guys actually qualify as cyber damage? Is that leaking of knowledge? Is that the leak of a product to how to schedule?
Is that the destruction of applications and software, databases? What do you guys qualify as... I'll take my Marcus show? Yes, that's a good... You want to see my scar? I do. Many of you have seen me around. I've got two kids, two daughters. They're not kids anymore, they're 21 and 23, but many years ago when I got burned, they lost their homework, and I know this really kind of brought tears to their eyes, because they were able to go back to their teacher the next day and say daddy's malware ate their homework. And it's only because I was being a fool at the house and running an unprotected network and playing with crap I was downloading off of Russian websites, and it kind of got... thank you... kind of got a little bit... Burt me always with right glad to have... Next question. So in meatspace, one of the things that distinguishes state actors from non-state actors is the rule of law and the application of rules of engagement. So does the panel believe that such concepts translate to cyberspace? Or is cyber war so intertwined with the intelligence process that it's going to be almost impossible to disentangle them enough to come up with coherent rules of engagement? I think it's almost irrelevant, due to the fact that there's very little attribution. I mean, you're not going to get a packet that says "From Russia with love" and say it came from them, so I think that it's very difficult to actually say this one came from Al Qaeda, this one came from China. You have the same problem in meatspace with bombs, right? You have a terrorist attack, they don't always sign it "with love from Osama." No, I've seen him with Sharpies. They do. Yeah. You have the same problem. And there's the evil bit in the IP packet header, and if just a little bit is set, we're good to go. It's an RFC standard. We just play by the rules and we're squared away. I've got... that's my only idea. We're there. All right, next question. What are you grinning about, sir? This one's going to be good.
I'll live... Bob Lentz Friday morning said that he went aboard one of our new nuclear carriers, talked to the captain, asked the captain what the most valuable thing on the ship was. Answer was the internet. The average age is nineteen point three years are up. Yeah. You made a statement, sir, that... why are large companies like mine giving the employees access to the internet? I would challenge you that we have to do that, because, poll the audience: how many employees do you think we would get if we did not give the generation today access to the internet like they grew up with? That's cool. They're not working anyway. You resemble that remark, right? Okay, so: how do you see training, and not like the watching a PowerPoint slide for half an hour, but like the 6 or 8... I was being generous. Like actually injecting ideas, traffic, and seeing how quickly your employees come back and, you know, say, hey, we had an incident. That kind of training and drilling, how do you see that played into preparing for cyber warfare? I think it's an absolutely vital thing. I mean, people need to have real-world style experience, and to the extent that you can simulate things in your environment or set up a test lab and show them what actual attacks will look like, and for things that they should look through, have them walk through their processes to make sure they understand them, anything you can do to make it more concrete. Now, from a military perspective, I think we need to have training that encourages mission-based thinking: here is the goal for the mission, here's how you need to achieve the goal, and then of course you can't always just follow... Definite... And by the way, props to DARPA, because they've created the National Cyber Range. Yes, which is a virtual test range, which is a damn good thing. Yes, and it's quite vast.
It is, it's very vast. So we need to encourage the use of these kinds of things so people can really understand what they're gonna face, and have the flexibility when they face things that are unexpected in the cyber realm. All right. Thank you. And you got a fan, right? He read your book. So if the Great Firewall of China is all just Cisco gear, and, like, Iran's deep packet monitoring systems are all clearly not written by Iranians, are we going to change our export laws so that we're basically... giving them the bombs against us? That's the point we made earlier: in cyber warfare, they use our equipment, we use theirs. So what's your point, sir? Like, are our laws going to adapt to just... Well, we have laws against export to Iran. That's not working very well, is it? Yeah, yeah, laws against smoking Cuban cigars, and that doesn't stop... All right, next question. Thank you. Thank you, sir. Thanks for taking my question. Speak into the mic, please. Okay. The question was, I want to follow up with the other guy who kind of disagreed with the idea of warfare. I can see totally the idea of defense and being able to properly defend yourself. But if it's asymmetric and it's a guy, it's a 16-year-old kid in South America who's, you know, working out of China boxes... South America, by the way, is the answer to ever within. And then one of your responses was possibly overhyping the threat and using fear, uncertainty and doubt to motivate people. I kind of question that myself, especially after the whole WMD to get us into the previous wars. Why not take the idea of warfare out and make it defense? Because, I mean, this is DEF CON. It's not WarCon. And what Jeff Moss here shall we read that's... you know what's sad is, like, tomorrow?
There will be a new con called that, because God knows we have enough cons. You know, but your point is, defensive is where he's coming from rather than being offensive. Yeah, and look, defense is a wonderful thing. But I think if you unilaterally decided that I'm just gonna play the defense game, you're going to miss out on a lot of possibilities. You're not gonna understand the offensive game that the adversaries are gonna play against you, right? And you're gonna limit your own options so that you're gonna have to respond kinetically. Who's ever won a war... General George told us defenders do not win wars. Exactly. If I may: in the Civil War, General Sherman said that war is hell. And DDoS attacks and, you know, flooding a server and turning off certain things are not... I don't think anybody's ever died from a DDoS attack. I look at... whenever they started shutting down power in California and traffic lights went out, there were car wrecks. People did die because of that, so I think there are examples. And that may be a criminal act of doing something, but I wonder how... I mean, if war is one nation versus another nation, one state versus another state, and you don't know who to attack, isn't the best thing to do to defend yourself? Probably, and I think that that's a great point. I think that, actually, I disagree with, you know, just focusing on the defense, but that's one of the things that bothers me: a lot of organizations, they're very much into the contain-and-clear methodology: I've been hacked, get it off my system. And I think there's a lot that we can understand from watch and learn. Like, if I hack your network, I'm evil, not my black hat, compromise your network, and I start downloading porn on your system.
That sucks. But if your defense contract is... Great. It's free. That guy's question about the internet: we bring the internet to your employees. It makes it a lot easier. But if you watch and see what I do, and all of a sudden I start searching for "top secret", you start understanding what it is that I'm after in your environment. Then you have a better understanding of who it is that's coming after you, regardless of where they're coming from. And I'd like to throw this to the panel for a second: don't you believe that when we talk about attribution, we're not just focusing on cyber? If it's a nation-state attack, we have other means to determine whether it was them other than just tracing the packets. Yeah, that's a frustrating thing for me. They bring up the problem of attribution, and yes, there is a problem of attribution. I think a sufficiently determined and very careful attacker can make it very hard to trace back. But sometimes they want to claim responsibility, right? You don't want to hide the fact that you've done it. So you can't just use the problem of attribution to sort of rule out offensive cyber warfare. All right, next question, please. I haven't heard much discussion about botnets and their use in cyber warfare, and obviously spamming and DDoS attacks, of course, are the number one, number two things that are out there. How can we stop the proliferation of botnets in such a way that... I mean, let's say you don't have to be a nation to take down a system with a, you know, with a well... botnet, and I haven't heard anything talk about that. So can we have some discussion about that?
Let me suggest, having worked beside my colleague Dmitri Alperovitch for, like, what, five years... am I that old now? Too long. Yeah, I'd like to let our moderator address this, because I could go on forever about it, but this is one of our experts, and I think this is something you should talk about. He's like, wow, you want to buy mine that before you get going... Yeah. Yeah, a botnet is a perfect example of cloud computing. Absolutely, and we are all moving to cloud computing, so we don't do away with... It's a wonderful use of resources. Botnets are an abuse of the field of distributed computing that we all studied 20 years ago. It's not done very efficiently, you know. I'm really disappointed they don't tend to communicate a lot with each other. It's pretty disappointing. No, I mean, it is a huge problem. I think unless you secure the endpoint, you're not going to deal with it, and I don't see us having much progress in that area. I think we've abandoned the home user, though. I think the home user has abandoned us. On a future cyber battlefield, is grandma's computer a weapon system? Well, I was actually in Australia about a week ago, and they actually have a pretty low problem with botnets, and the interesting thing about how they're solving it, involuntarily, is it's all about the economics. In Australia, you actually pay for your bandwidth. So you get, like, a rate that gives you five gigs a month or whatever, and you exceed that, you pay quite a bit of money for that. So when someone contacts the home user and tells them they're exploited and they're sending spam or whatever, they have a huge motivation to shut it down, and they do. Maybe they don't know how, but they ask for help and they get it. Here in the US and other places where we have unlimited bandwidth at home, you call up an end user and they have absolutely no incentive to fix it. Yeah, but, you know, saying that, you know, let's just go and have all metered internet connectivity and that'll solve the problem of malware... You're gonna have
You're gonna have Lots of unintended consequences from an economic perspective. I I don't want to go there I wasn't advertising that Let our friends live there and not us Move a little closer closer Just like the guy before you. Yeah, I Was a manual I was wondering would you I want to know where you stand in your opinion on The very like on the back that the catcher to the flag contest could be a very vague and shallow View of what actual cyber warfare is Yeah, capture the flags like taking a bunch of Boy Scouts out to the 22 rifle range and saying that that's trained infantry It's getting there no doubt, but it's a very controlled environment But really a lot to learn from capture to flag but I think you're on the right track But it's not exactly the same but how many people in the world have the skills of the room next door That's right And I think that that's one of the things that that I think a lot of nations are looking at that and saying you know what? We need to have those skill sets as well Yeah, there's that national cyber challenge also that's gonna raise. Let's keep moving and please formulate a question before you Get to the mic. We want to move fix me quickly How y'all doing good Y'all are talking about supply chain attack earlier and I'm wondering who should be responsible for defending that if we leave it up to The private industry bringing those chips in to do QA or if we have someone like customs You know through policy or something, you know Because it is those those hardware pieces in the firmware stuff come into more of our networks. 
They become more of a threat, so... It's a very, very difficult problem of liability and so forth. I think you can talk about how you can try to split up the liability across all the different companies that are the piece parts, but I think ultimately the solution is going to have to involve... the person that is representing the completed built product has to absorb that responsibility. They can try to, you know, sue somebody else down the line if they need to later, but you have to have that person that is pulling the product together. There's no better place to put that. Adrian, hello. A couple times I've seen Marcus Ranum do his particular take on it, and I would want to get y'all's opinion on something he said about the asymmetric nature of cyber warfare. One of his points was, if someone had lesser power than a greater power, it'd be kind of like thumbing Mike Tyson's eye and have... dark closet, you know. Yeah, you might hurt him, but you're not gonna like the results. You get a bunch of Marines land on your area, or, if you're a country of size that you could actually physically defend yourself, then you're blinding the other nation, and the first response is, well, we can't see what the other nation's doing, so let's start firing nukes. I just want to see what y'all's response would be to those two particular issues that Marcus brought up. Well, today mature Western countries at least understand what it means to go to war. Oh... Passes. Room numbers, party passes. Yeah, very cool. Thank you. Later. Thank you, Adrian.
Very nice. I don't expect the United States or any Western nation, if they come under a cyber attack, to immediately start launching the B-52s and uncovering the silos and launching and pushing the nukes. That's a bit of a stretch. Well, we did have in Russia, back in the 90s, a number of generals, high-level generals, saying that they reserve the right to respond with even nuclear weapons to an information attack in their country. Of course, in Russia generals don't make policy, and we did have it... But we did have a US congressman wanting us to go after North Korea because of a DDoS also. That's because the internet is made of pipes, right? It's tubes. Tubes, tubes. I'm sorry. But I mean, the fact is, sometimes smaller, weaker countries do want to get in the face of a bigger country. This gives them another opportunity to do that. I think it's inevitable. It will happen. I think it happens in the kinetic world. Yeah, there's been an awful lot made of the risk to infrastructure systems like power, air traffic control systems, even water delivery, sewer, these kinds of things. You know, the Chinese are going to shut off the power systems and somebody else is going to turn off traffic lights. Well, I want to know, you know, what idiot decided that the air traffic control system should be on the internet in the first place? And maybe one of the ways to protect against it is take it off. The fricking idiot that wanted his porn. We're trying to hire Gen Xers and they need the internet to stay happy at work. How do I get X and radio and United if it's not on the internet?
Yeah, exactly. I think you're a hundred percent right, but, man, the world is just not going that direction. You remember the case of the Dreamliner, Boeing, that wanted to connect the cockpit to, you know... the problem... I mean, you're right on the money. The issue is we've got to get our senior people educated that these simple, easy things that they want to do, we're going to put them in grave danger. Yeah, so why shouldn't it work now? Yeah, for that education we do thank Bruce Willis. Quite a fan, aren't you? I do want to stress the point, though. So adding IP enablement, is that a word, to these... and electronic... and the ability to meter things and moderate and monitor things remotely, that's huge, and that adds to our ability to provide good grid services, to measure the amount of electricity flowing, to make sure there's 60 gig on both sides. So there's a big difference between... well, there's a big difference between electronically enabling them and putting them on the internet. And I think that's what a lot of people just don't get. Melissa was misquoted. I'm acting like a press secretary here. Well, since I waited in line, I want to just congratulate and thank you. I wanted to congratulate this dude for reading my mind and asking the exact question: why was SCADA ever put on IP networks? It's ridiculous. So they have tinfoil hats next door if you're afraid that your mind is being read. Now, why they're putting it on it... the question is, why are the vendors building devices that have hundred bit, or 100 megabit, Ethernet jacks on it and IP enablement? And on the websites, if you go to some of these vendor sites, it says: we've put the stack on there so that the engineer can manage the system from home. Those words are literally on their websites. Yes, sir. Thank you. Yeah, that's exactly right. Folks, we are dumbasses. Why... I got one more question. Who thinks these guys kick serious ass? Now why the fuck is up here?