Hello and welcome to New America and thanks for joining us virtually. We're still counting the days until you can join us in reality. Again, I'm Heather Hurlburt, I run our New Models of Policy Change project and we are very delighted to have you and our speakers here this afternoon for Ransomware Summer. But we were really thrilled to put together because it combines several of our passions at New America one is digging into and exploring the connections among national security, cyber and infrastructure policy. And another is showcasing the connections and building new connections among our fabulous community of current and former fellows. And today is going to do both of those things in spades. So to kick us off, I'm going to hand the program over to my colleague Sharon Burke. Sharon has an illustrious career in both defense and energy policy, but she's currently founder and president of Ecospherics and in keeping with our theme, a fellow at New America so Sharon over to you. Thank you so much Heather and I do want to say a bigger thanks to Heather just because she's also doing a lot of really interesting work at New America with our colleague Candace Rondeaux and sort of redefining security. And I think that's what this event is all about you know we're used to security being about bullets and tanks and combat aircraft and now it's about bits and bytes and patches. So that's the theme of the day and it's Ransomware Summer is the title. Whatever we're going to get into that in a moment with our two fabulous panelists, I'm so thrilled to have the opportunity to be in conversation with them on something that they both have these deep expertise on, and I'm, you know, one step shy of being a victim so it's great to talk to them. Shane Harris you're at the top of my screen so I'm going to introduce you first. It's been wonderful to watch Shane's career just really rise.
He is a phenomenal national security and intelligence reporter at the Washington Post. One of the top reporters in the country on these topics, a podcaster, a writer, just a wonderful to have him here to talk about these topics which he has done a lot of reporting on. And then Jason Crabtree Jason, I think I might have met you, maybe for the first time when you were active duty. You're an Army officer, a West Point graduate, who has since then become a very sought after advisor in the US government which I think we also cross paths when you are playing that role, and is now the CEO of QOMPLX, I hope I'm saying that right, you know, QOMPLX, which is a leading cybersecurity firm and risk management in this space. So, to have someone with that kind of depth of experience in the conversation. And both of these people have been New America fellows as well so which is of course the most important thing in their resumes. So, gentlemen, here's the question Ransomware Summer. This just seems like it's everywhere I mean just before we started, I did a little news scan just to see what the latest news is which is like boom, it's, you know, so much. Who's a victim of ransomware and I got just in the last like 48 hours law firms school districts the mortgage industry, touchscreen ticket machines around co, and that's not even what we're here to talk about today. So, why now, why is this issue just exploding like crazy now. And Shane I can see you nodding so your first step why now. Well, you know, I think that one way to answer that is that for a lot of people who followed this for a long time. This is not new, even though it is news, we're hearing about this I think so much more recently, probably because of a few months ago, the ransomware attack on Colonial Pipeline which of course was the major gasoline pipeline running up and down the East Coast.
And that captured the nation's attention I think it's fair to say in a way that no other ransomware attack has and I think the reason for that is because it affected the daily lives of millions of people. Most people have gone along for years and these attacks have been around for years, you know, not aware that city governments have been essentially had their systems taken hostage hospitals have had their systems taken over there've been real world consequences but this is something so to the core of daily life that I think it kind of catapulted into the national attention and now people are understandably much more aware of the wider universe of these attacks and of course there have been other very significant ones just in the recent weeks. I wrote a book when I was a New America fellow called @War and this was back in 2014 and at that time and was up there you go thank you for the plug you came prepared. You know, it was clear to me at that time that this was kind of like ransomware was going to be one of these sort of next waves that was going to be coming along. And particularly as it was becoming clearer to governments at the time that the barrier to entry for criminal groups, as well as states with smaller militaries to become formidable cyber offensive adversaries that barrier was quite low and it was getting more and more everywhere all the time. And so now we're seeing in these most recent attacks is that not only are they ubiquitous. They're relatively straightforward for a lot of criminal groups I mean the one behind the Colonial Pipeline attack we believe was essentially selling ransomware as a service which is to say that they were you know they're a criminal that kind of does this for other criminals or puts the pieces together so it's a highly evolved, sophisticated marketplace that now most people are seeing because, you know, arguably DarkSide who launched the Colonial Pipeline attack is kind of the dog who caught the car.
They now are, you know, can like claim rubber the most high profile one, and it's just kind of lifted the rock and everyone sees now what's underneath it and has been there for some years. I'm going to ask you why now too, but I'm also, I'm curious, you know, one thing that Shane was saying in there, you know about DarkSide and about these attacks but some of this is like the equivalent of piracy on the high seas and some of this privateers, you know, in the service of a government so all of that is that part of why this is happening now. I mean I know it is but I'm throwing you the question Jason. Yeah, I think there are a few key dynamics here the first of which is certainly that risk is a consequence of dependence and digital dependence has moved a long way in the last decade. And I think that's a really important framing because ransomware exploits the fact that dependence means availability means systems go down and to Shane's point. That's exactly why American consumers right Swedish consumers in the Kaseya attack just a few weeks ago. Right, you couldn't get on a train, you couldn't get your pharmacy filled 20% of grocery stores were down so Swedish consumers had a similar sort of simultaneous experience, and that causes a very different reaction. Then maybe very personal things like a hospital being down if your loved ones there. But that's something that was very regionalized to a small group of people in communities. I think the second big piece beyond risk being a consequence of dependence and us having a much more digital society than a decade ago is really ultimately that we currently have a tremendous amount of visibility into vulnerabilities. It's really easy to do the equivalent of casing a house on the internet. And the tools for you to mass scan the entire internet to look for vulnerable companies is exactly why the affiliate networks that Shane mentioned are actually able to thrive.
This actual ransomware and illicit economy is really premised on the fact that no different than selling, you know, cosmetics or your food stuffs, you can have someone that goes and looks for good consumers, right so look for vulnerable companies, you have someone that gains initial access, you have folks that specialize in taking over and moving laterally from their entry point to gain administrative rights and actually gain the authorities to mass broadcast ransomware. You have folks that specialize in the extortion phase, and you have folks that specialize effectively in money laundering and funds collection and distribution. And that scalable business model with the barrier to entry being so low, and so internationalized is exactly why you see US companies and others get targeted with tremendous efficiency. So we're not going to see that go away and in the last part, I think Sharon to sort of directly answer your question about, you know, where are we on this sort of spectrum of state tolerated for state sponsored. I think we absolutely are seeing maybe ransomware groups that originally were sort of useful spenders in depressed economies, places like Russia and sort of interesting in the sense that they didn't do any harm and they were sort of a thorn in the side of America and Western countries. Oh, you're now seeing more and more aggressive tactics from more state sponsored types of groups, and you're actually seeing in some cases, nation states hand over access after even an espionage operation, where you can hand over access to a ransomware group or into one of those affiliate networks because it's a really useful noisy way to cover your tracks. So there are several sort of dynamics around how states benefit from this and certainly it really benefits Iran. North Korea has had Lazarus and others helping funding operations for a long time, not just ransomware right. And then certainly Putin.
But I think, let's remember though that criminal organizations don't just use ransomware business email compromise and lots of other sort of fraud is alive and well. And the fact that that has been so successful for so long was part of what funded the sort of initialization of the ransomware communities it was the seed capital in some ways, but now we're so dependent that it's too easy to get paid and getting paid they are. Okay, so can we dig in a little bit more to that spectrum that you just talked about so it's basically, if I got it right, the spectrum of bad actors in this space is basically criminal sort of Wild West, like, you know, lots of flowers are being criminal organized, which is, you know, obviously can take down bigger targets and is ransomware as a service sells the service, then state tolerated which has a lot of overlap with those first two, where it's just convenient to have them operate maybe there's a tax, you know, there may be lots of mutual benefit there and then state sponsored where a state is actually using this as a tool of warfare. In a lot of ways, you could probably say there's a threshold below warfare, would you say that Shane. I certainly think there's a threshold below warfare I don't think we're in a cyber war just for clarity I think that's, that's, you know, that's been bandied about too much lately. Why do you think that I'll give you a short piece and then turn it over to Shane but I think the reality is that we're seeing predominantly criminal organizations that can get paid espionage actors that want to harvest a lot of information. And we've not in general seen direct state sponsored action for a lot of destructive purposes and there's some edge cases we could talk about but I think they largely prove the rule. And one of the things that we do have to talk about in cybersecurity is because the line between espionage and physical consequences and others especially our infrastructure is so thin.
We have to talk about what are the norms that we want to tolerate, and how do we ultimately make it less likely that criminal organizations and activity are either going to be tolerated or sponsored or confused with state action. I think Jason's right on that and it's such an important point to make when we because that term cyber warfare it does get thrown around, you know, I mean I wrote a book with it in the title so I'm so I killed you with this and even drawing people's attention to the metaphor and it isn't easy metaphor these are very offensive operations, but we could take maybe the Colonial Pipeline ransomware attack as a good example of or maybe it does sort of even start to edge into something that might start to look like an offensive state operation where you have this criminal group that is believed to operate, either in Eastern Europe or Russia, but essentially with the tacit if not explicit approval of the Russian government and we've even seen some instances in which these groups are believed to scan systems in that way that Jason was talking about kind of like looking broadly across internet your targets and skip anything that looks like it's a system you know programmed in Cyrillic so that you know don't hit the Russian target. And it seems like you know from my reporting and from others that there is this kind of arrangement with these criminal groups, especially in Russia where it's, you know the Russian government which is to say Vladimir Putin. You know, allows them to operate as long as you know you don't hit any Russian targets and you don't bring your dirty business here. And if there's something that the Russian government needs you to do, you might be called upon to perform services for the government and there you know that gets into a whole other question of what is that nexus between a non state criminal group and the state. What I thought was so interesting in response to both the Colonial Pipeline attack.
And then this recent Kaseya attack which has been attributed to another Russian group is the White House is not coming out and saying the Russian government did this, you know, and they're not even necessarily saying the Russian government knew about this particular operation, and that's important because if a state is knowingly you know facilitating an attack like this by a non state actor, you do start to edge towards something that looks, you know, a bit like you know scenario of you know Afghanistan in 2001 giving safe harbor to Al Qaeda to operate overseas and ultimately we held the government of Afghanistan accountable for that event on 9/11. Or you know if you have, you know, during the height of drone strikes during the Obama administrations or the tribal areas of Pakistan. And some of those attacks were predicated on the idea that if the Pakistani government was unwilling or unable to address the terrorist threat within its own borders that we would have a right to go respond to it. And so I bring that as a way of saying that, you know what the administration seems to be doing is saying to the Russian government like, we're not holding you per se responsible for this attack because then you could start to get into a scenario that looks like warfare legally, but it's very clear that the administration knows that these groups are operating, you know, with the implicit endorsement or the permissiveness of the Russian government and that's where they're leaning on them to do something about it they're careful in their language not to say the Russian government did this because that gets you into a scenario that could arguably look more like warfare if it's an attack that results in a pipeline going down a piece of critical that starts to edge you into that war like category if I could put it that way.
I mean, as a defense person I would agree with that if it were the Russian state, even if they were using other groups as intermediaries that took down Colonial Pipeline and caused that much disruption and some deaths, that would be considered an act of war, like think if they did that level of disruption with a kinetic, you know, attack it certainly would be so it's a gray area right. Yeah, and we've seen the Russian government attributed to attacks on power when electrical infrastructure in Europe is that Ukraine so it's not as though it's beyond their capability to do so. And let's talk about that just a little bit before we sort of switch gears. What happened with the Colonial Pipeline. Well, I tell you what, we're going to talk about cybersecurity as infrastructure, and then about the implications and the policy priorities but before we do that. I want to talk about the vulnerabilities Jason was talking about to physical infrastructure. The Colonial Pipeline should we be worried that that means that a cyber criminal can take down the entire grid system in the United States and destroy it. You know there's podcasts on this and there was a TV show and books. Is that something that could happen, like tomorrow. I think the reality of cyber physical systems work and a lot of my background and some of the work I used to do for DoD was specifically in understanding the nexus between the cybersecurity side and the physical processes so really running the power flow simulations the actual physics underneath this and how those control systems interact is this is a tremendously complicated and complex system. And I think what Colonial underscores for people is that these systems are all inherently transactive. The Colonial ransomware attack actually impacted the billing systems and private companies do not give away their product, unless they're nationalized.
And they are not going to engage in commerce if they have no ability to ultimately track what they're distributing and get paid for it, they would become insolvent and cease operations by other means. We have to acknowledge that in a very federated and complex power system, where you have lots of different power providers you have balancing authorities you have lots of different distribution networks. We actually have to solve the security issues not just at the control systems level, but in the economic levers that actually allow our power markets to generate the appropriate pricing signals for balancing the grid. And that is true within the Eastern interconnect it's true within ERCOT and it's certainly true for the Western interconnect and I think we are going to have to deal with that I think that's the first thing I think the second thing is, there are way too many vulnerable utilities, gas lines, etc. And if you actually look at these folks and I don't mean the checklist and the security guidance and the maturity model stuff which is really a paper fig leaf. You can actually scan these organizations and look at their internet facing posture, or you go on site those networks and look at the average state of health. The reality is you have lots of organizations that are often not resourced to do this successfully. They're usually not managing assets well enough they don't necessarily know all the computers control systems are on those networks that's the first problem asset management inventory number one issue can't secure you don't know about the second problem is most of them would like to implement things like least privilege. But most of them actually end up with pretty federated environments and they often have things like Active Directory that featured so prominently in SolarWinds featured so prominently in OPM back in 2014 with those Chinese operations. A lot of that often is actually not secured well in any of these environments.
And so whether you're talking about espionage looking for details on pipelines for future potential offensive action or other things in the event of war. Or whether or not you're talking about things like criminal organizations being able to lock up organizations. It maybe they'll go after the physical stuff and there are some examples of that, but in many cases shutting down a billing system is enough and we have to secure the entire transactive posture. I don't want to be inflammatory Sharon I think a lot of folks have overstated the nature of a lot of the sort of direct threats to the grid, but if you are very knowledgeable about the grid. And you're not just breaking some random part of the grid, you can do some pretty significant damage if you're targeted about how you disrupt the network. Most organizations probably don't have the knowledge to do that, but nation states unequivocally do. Shane you're nodding and I think you alluded to earlier, the Russian attacks on Ukraine and elsewhere that actually physically shut down systems. Yeah, I mean, then that's, and I think that, you know, it's a, as Jason is doing here it's important to keep drawing those distinctions and we should take some comfort from the distributed nature of the electrical power system in this country that if you wanted to shut down, you know, power to the entire country you'd have to shut down multiple, you know, sections of the grid and it's not completely integrated it's not like sort of one switch. You know what's always struck me as you know as we're discussing here is that the reason that we're not seeing those kinds of attacks is not because nation states don't have the capability to do them. I think it's more because we would regard such an attack by a nation state as an act of war. And if you're really talking about like shutting off the power to New York or something like this.
And it was always my understanding from my research and reporting that, you know, that the military and obviously Homeland Security classifies that as critical infrastructure as well, would view an attack like that as something that they would have the right to respond to with the military. You know, if the lights suddenly went out in New York you might also think it was that, you know, the government might think that that was a prelude to something that was actually going to be more of a kinetic strike so important to kind of you know caveat those things and put them in that category. But, you know, to the extent that Russia has launched attacks on the power grid in Ukraine and demonstrated a capability and a willingness to use these kinds of attacks. Anyway, I don't think it's something that we can as a country remotely afford to be, you know, blasé about and clearly we're not. But, you know, what is the security level on this infrastructure who is responsible for ensuring that and regulating it that's been a conversation people have been having for years, and there's no clear policy resolution to that as to how can the federal government mandate a level of security and even if you could would that be enough. I mean to Jason's point so many of these companies they're not security companies they're in the business of generating and distributing power or fuel. The level of security you need to harden a system against a nation state adversary I mean it's like equivalent nation state capabilities in some case and it's perhaps unrealistic for us to expect that companies that aren't in the business of security are going to be able to protect themselves in all cases. And when they are such prime targets as a power company might be, you know, I don't know does it raise a question of whether you know the government needs to step in and try and even use its own resources to protect that network.
You know, those are big meaty policy questions that have no easy answer. And it's not because people haven't been thinking about them for a long time they have to stick into that a little bit then Jason were you starting to say something. Yeah, just one quick comment I think one of the big challenges for policymakers is understanding the economic case here for these organizations right especially because America also has thousands of small public power organizations largely small there's a few big ones like NYPA right in New York and others that are quite substantial but for the most part they're small and federated. But for even investor owned utilities. I, you have to understand for folks that don't sort of dabble in this frequently that they're paid for availability. And ransomware again targets availability so there's good reasons why availability drives the train on a lot of the economic impacts of cybersecurity, but you have to allow these companies and organizations to understand what is the standard of care that's expected, and make sure that their budgets are actually aligned with investing in it. Right now to Shane's point there's a lot more capability to do harm than we've seen. But you don't make policy decisions based on only the events you've experienced especially when we're talking about catastrophic risk. If you do you end up making terrible, terrible decisions, and we could go back to lots of popular examples like insurance and having enough money and all going bankrupt in Hurricane Andrew, right. That's another example of well it hasn't happened yet so therefore a big one won't hit.
So we know that we can't have a Hurricane Andrew, Hurricane Katrina style approach to how we improve grid security water system security, and we're seeing lots of small events in an area where we've got to incentivize folks but this requires federal action it requires state utility commissions, and it requires, you know, public and private power organizations and pipelines to hopefully have a unified sort of understanding of what due care is going to look like. So I mean, to date, what's been the strategy, you know, a lot of these companies are just paying off the attackers when it comes to ransomware at any rate. It's like, I mean, it works. Right. And then it doesn't because it allows the threat to persist. Is that fair to say. I think certainly in the context of ransomware. Yeah, I mean, why do ransomware attackers keep attacking because they're getting paid right because insurance companies issue payments for this and you go where the money is right I think that's a fairly straightforward kind of proposition. And, you know, I'm beginning to be more persuaded that, you know, one way that the government might make a real impact and a dent in this is not so much in, you know, the pure security piece which is to say they just harden the systems and make it harder to get into them, although that is probably a great idea because I think clearly a lot of these attackers are going for that lower hanging fruit. And we know from reporting on Colonial Pipeline's own systems that they issued an audit that found that they had pretty significant security deficiencies so they, you know, they were arguably a target.
Clearly, you know, this seems to be attackers knew that, but I'm wondering, you know, if this isn't more of just something it's, there's a case to make that there's a strong policy solution to this release to make a dent in it by the US government making very clear to the Russian government like this has to stop, we will not. Did that just happen. My administration right is saying that it's communicating to the Russians and you're seeing that come you know, more in the form right of you know that the president saying I've talked about this to Putin and his staff saying we've communicated this. The question is, you know, what are the sticks here what are the consequences have they enacted any I mean, you know and not just well REvil disappeared is that a consequence or is that just a rebranding. It's not clear to me so Politico actually just reported I think in the last day according to a senior administration official who was unidentified, making the point that you know the US government had nothing to do with you know REvil, going offline going dark, but I'm sorry, we should say what REvil is would you explain. This is the criminal hacker network that's behind the Kaseya attack which is this more recent one where which was, you know, pretty insidious and that and Jason will correct me if I have the tech wrong as I simplified it but basically breaking into a system that sends out security management and IT management to its customers and kind of using Kaseya's own pipeline to attack and infect all of its customers. So kind of you know riding on their infrastructure if you will to get to ultimate victims.
But you know regardless in this group that then you know becomes very high profile because of the nature of the attack and it was so pervasive and had sort of audaciously demanded $70 million to let all of these systems go at once you sort of get like a bundle price I guess from their perspective, their website their systems and these people do advertise essentially you know their services went dark leading to the question well did we the US government have something to do with that and you know the question I'm not saying they're being coy but they're at least saying on background well we didn't do that. Does that mean that the Russian government did it because we told them you better you know start cracking skulls. I mean it's highly correlated, but at the same time. President Putin hasn't shown a whole lot of interest in playing ball right. Right. Well I think the reality here is Putin has been more than disinterested. He's been willfully ignorant. Right. And I think it's been convenient for him to have these groups right well not necessarily I think Putin has largely benefited from them they've made money they've brought it home they've bought stuff in the economy and they've been a pain for everyone that he doesn't get along with I mean that sounds like a pretty useful idiot to me at worst or a win-win right that's a win-win scenario and I think that's part of why you've seen for years. Right a lot of the encryptors actually did do things as Shane noted to look for you know for more than a decade they've done a lot of things like check for Cyrillic or other things that's been a well known feature of a lot of ransomware groups not all by the way there are other ransomware groups in other parts of the world that do go after Russian organizations and there are just not as many of them. It's you know a lot of sanctuaries there.
I think the challenge in sort of talking about any of these groups going dark is just to actually sort of step back and say the rebrandings are frequent right you know they're pretty distributed anyway so a lot of the wins are against an affiliate not necessarily against the folks that maintain or actually manage sort of the core malware sort of the kingpins if you will and I think you've seen some examples like Ukraine taking down part of the Clop ransomware group actually the same day that Putin and Biden met for the ransomware discussions and sort of using that to highlight what a good partner looks like from an international law enforcement perspective so you are seeing others kind of step into this let's increase cost and consequence regime that the Biden administration is trying to put forward. I think the challenge is making sure that cost and consequence apply to the people, you know, let's make sure that people that we can identify that are part of these groups can't take a vacation anywhere out of Iran, Russia and North Korea that's a good thing right we should do that and have standing indictments for them, you know, but I think we have to separately look at what are the cost and consequences for participants and affiliates, what are the cost and consequences for the organizations themselves, and what are the cost and consequences for tolerating and sponsoring states, but thinking about those as very distinct categories I think is quite useful for Biden. The challenge though is, I actually, I'll disagree a little bit here with Shane on whether or not, you know banning payments really does anything. And here's the reason, no organization wants to pay money to these criminal groups, but most of the companies that are getting hit by ransomware are getting hit because they're attractive targets, and they are easier to ransom than their peers.
So they got picked because they were not the fastest camper in bear country; they were the slow one, and the bear's hungry. And the reality here is, after they're there, they're getting mauled in this particular case, they're in a really tough spot. Many of the things that make you a target are also the same things that make it hard to restore from backups; many of them don't have sufficient backups, they don't have an incident response plan. So talking about whether or not we are going to let American corporations that didn't prepare well die, because we're going to make it illegal for a shareholder group to pay a ransom. Or in the case of the Colonial Pipeline, talk about what were some of the consequences there, right? Because that became intolerable very fast, right, because it's not the distribution of fuel to a large. And this goes into, Sharon, if we do a much better job of defending and being able to recover, you have optionality, but we live in the biggest glass house on the block. And until we set better standards for security and recovery expectations, we don't have leverage to not necessarily pay in some cases. And there's a lot of ransomware groups that are reasonably reliable. It's always hard to restore from backups if you've never done it; it's a real pain. It's harder if you don't have some of that help. So, you know, ransomware groups by and large have been reasonably reliable, but a lot of the orgs that pay get hit again, rarely by the same group, but sometimes. And so ultimately, though, we've got to make sure that organizations have optionality, because they are not so negligent that they can't recover from these events. And if they can recover, we can decide at some point you've had enough warning to get it right, corporate America.
But a lot of small mom-and-pop shops and others are not anywhere close to being able to recover from this stuff, and I don't think we're ready as a society to say you're going to lose your business, you're going to lose your customers, because it's illegal to pay the ransom. Remember, and NotPetya is a different animal, but remember that Maersk was saved because of a power outage in Africa that kept a domain controller, with effectively all the keys to restart the network, offline when NotPetya hit, due to the Russian attack on Ukraine. And so Maersk, one of the largest shipping companies in the world, nearly went away, except for a power outage. They literally had someone fly a server back on their lap from Africa to Europe to reconstitute the network. So think about that if it's your company, if it's your shareholder base. They're not ready to just say, hey, cut them off at the knees. It's just not realistic. I wish that IT in the United States was mature enough where that was a real option, but it's just a full policy choice right now.

Okay, then let's go there. So this picture of widespread vulnerability on everything from, you know, people at home to the world's biggest shipping company to pipelines that supply fuel for large sections of the population to electricity and water, all of this infrastructure. It's just a thousand million billion points of vulnerability, right, and lots of criminal and other kinds of actors in this space. China's also recently gotten rapped on the knuckles; we can talk about whether you think they're in the big leagues yet. Brazil, Iran, there's lots of different places where this is originating from, it's everywhere. So you've got non-point-source, you know, attackers and non-point-source vulnerability. What are we supposed to do? How do you have cybersecurity? I mean, is that itself an infrastructure?
Like, you mentioned optionality, Jason, but I'm not even sure what that really means. I mean, Shane, is there a way? I mean, how do we begin? You've alluded a couple of times to policy options. Is there, you know, what does that look like? What is cybersecurity as something other than just the patch that you have to remember to install tomorrow, you know?

Yeah, I think that is the big, big question, right, and it's kind of why we're here. You know, just as my thinking has evolved on this, you know, it sounds like a trite answer, but there is no one solution, and that's true, right? There are some places where, yes, improving security, particularly among small businesses, and making them, you know, less appealing targets, great idea. Everyone using two-factor authentication to protect their personal data and their communications would be a big step forward. Like, there's kind of that obvious, you know, stuff that still, you know, maybe falls into the category of, you know, digital hygiene, which is going to be a useful analogy now that we've been living with a pandemic for a year and a half to think about. But I'm just becoming more and more persuaded that just saying, you know, build thicker doors and bigger vaults and higher walls is not really going to solve the problem. And, you know, in this country we've had this, it seems to me, for as long as I've been writing about cybersecurity, which has been, you know, 15 years now or so. We keep having this conversation about government regulation of the internet as a way of government enforcing certain infrastructure providers, maybe, to have a much higher level of security. And we've never really gone there, for all kinds of reasons which we can get into, but, I mean, whether it's, is it the technology lobby is powerful, is it that, you know, people don't want to regulate the internet, you know, maybe it's a lot of these things.
But what I found compelling about the Colonial Pipeline attack is, you know, again, well, it wasn't an attack on the infrastructure per se, it was an attack on their information, the sort of office systems, that then, you know, triggered them to shut the pipeline down; the effect is still the same. For years people have worried about that very kind of, you know, system-level attack on a critical piece of infrastructure that would cause massive economic and daily disruption to people's lives. It happened, right, on a company's network that, as we now know, was not well protected; I mean, just objectively, by their own standards, it wasn't well protected. So, you know, it strikes me, though, that if that hasn't really moved the needle on the conversation about regulation, I don't know, maybe that needs to be tabled, maybe that's not really the answer, which is what makes me think now maybe it's more about, you know, Joe Biden threatening Vladimir Putin and telling him to stop, so at least that piece gets shut off. But it's so multidimensional. You know, you could argue that there's a credible deterrent factor at play when it comes to infrastructure security, insofar as, you know, some countries think that if they did something really damaging, we would retaliate militarily; maybe that keeps them from doing it. It's kind of all of these things, but I guess, you know, why I'm sort of, you know, pessimistic, maybe, is that in all the time that I've been writing about this, it doesn't feel like we've really advanced in a big way in our understanding of how to answer that very important question you're asking, Sharon, which is, you know, how do we do this? And it's kind of like we've sort of, you know, left companies to their own devices to some degree to protect themselves. Some industries do a really good job of that; I think the financial services sector is one that everyone agrees is kind of the gold standard, at least for now, for when you do network security.
But as we're seeing, I mean, it is just kind of like you're sort of left to defend yourself. And, you know, I'm not proposing that the government come in and protect the internet, and I'm not sure they could really do it; it might be too big of a challenge. That's unrealistic. But it seems to me like the conversation is maybe not maturing as fast as the adversaries' capabilities.

I don't have any questions. But before I do, Jason, do you have a quick word on this question of, you know, what's the defense, what's the way that we protect?

Yeah, I mean, I think one of the challenges is that a lot of the best practices that were a good idea five years ago, 10 years ago, in some cases even 20 years ago, are actually not implemented by the majority of companies. And so a lot of what you're saying, a lot of it, they're often not invested in; there's often insufficient staffing; there's a lot of reasons why it's not been resourced. And so I think that, you know, while financial services, as Shane notes, at the very upper end has done a much better job, you know, it's got a very squishy middle. So, you know, it's highly concentrated, right, and that's kind of true across very large corporates in general. But, you know, the reality is that there's a ton of stuff that you would expect a reasonable person to do to protect data and availability, and it's often not done. That's not an indictment of everybody, but it happens way too much. So I think the best thing that we can do is disclosure, disclosure, disclosure, and you're starting to see some movement towards that. I think that ransomware is an iceberg problem: less than 50% of ransomware events are actually getting talked about in the news, despite all the ones that you're seeing.
And the reality of this is that so many organizations don't have disclosure obligations, and you're seeing, you know, a move towards this from the SEC and others, but private companies as well need to actually disclose this stuff promptly to their customers. And "there was no evidence your data was taken": folks, if someone can encrypt your data, they could have taken your data if you don't have any logs to monitor what they can take. You don't get to say there's no evidence, you know; absence of evidence is not evidence of absence. And I think there's been a huge conflation of that with doublespeak and hiding behind legal counsel and others in a lot of breaches. So if we have disclosure obligations and transparency, we've got a much better sort of opportunity for our society to have a real discussion about the scope of the problem. And I think there's a lot of folks who are not investing in security because they can just bury it in an IT budget and make it go away, and they don't have a disclosure issue at all. And if they had to disclose it, there's a lot of corporates and private organizations and government agencies who would take a much more active role in trying to minimize these events, make big ones into small ones, or prevent them entirely.

We have a lot of really great questions, but I'm going to take one from Aaron Mans that's specific to this, where he asked about, you know, why wouldn't insurance companies press clients to better secure their systems? So what is the role of insurance companies in what you both just said? Why isn't that changing the game, because this must be costing them a fortune?
So I'm happy to maybe take part of that. So cyber insurance originally kind of evolved out of, you know, insurance, so professional lines, professional liability, and it's changed a lot in the last decade, so most cyber insurers have moved away from sort of bundling that together with other property policies, and they're going towards what's called affirmative cyber liability cover. And that basically means if you don't have a cyber policy that says cyber insurance, you don't have this; probably the most famous example of a major multi-hundred-million-dollar lawsuit over this is Merck in the NotPetya case. So the reality is that it used to be something that was sort of implied as part of business interruption, and now it's moved into its own class. It's been pretty profitable, in part because insurers wrote a bunch of it, and they wrote it pretty cheaply. And if you look at the historical profitability in the sector based on underwriting profits, maybe they were really insuring against business email compromise, not really ransomware or outages or business-impacting events for the most part. Ransomware now has gotten so severe and so significant that you're seeing tons of cyber insurance companies dropping policies, dropping coverage, or reducing limits. And part of that is in response to the loss profile change. Part of it's also in response to their finally acknowledging that surveys about whether or not you think you have a good security program have little to do with whether you have a good security program. And so we're getting away from sort of check-the-box initiatives, which were very similar to a lot of what the government cybersecurity standards have been historically, things like FedRAMP, that are not very closely related to risk management, but provide tremendous amounts of money to consultants that do, you know, certification and compliance regimes.
We've really got to move towards real security programs which are focused on real operational risk, and they use data to say things like that. Shane, unless you have something really different?

Okay, because I have a question I want to direct to you, Shane. This is quite a pointed question from Robert Suretta. He actually has two that are closely aligned; I don't want to wrap them together, but he pointed out that non-state actors in the United States, and he said think Triads, Nigerian mafia, dark hackers, etc., launch attacks all the time internationally as well as domestically in the US, and the US groups that are based here, is the US government responsible for all those actions and for that group? And he also pointed out that US agencies have been launching attacks internationally for many years, and are we starting to see a blowback scenario where nations continually escalate strikes as retribution for other attacks? So, fair enough, the United States is not clean on this; we have our own role to play. What do you say to that?

I mean, I think, to the first point of the question, that's a great point. I mean, there is a lot of cybercrime that happens in the United States and from the United States. Obviously, you know, our law enforcement agencies, you know, pursue that and try to catch and prosecute people who are engaged in that activity, and it's not the policy of the US government to let these criminal organizations do it as long as they don't do things in the US and they occasionally help the US government when they need it, which is more the policy in Russia. So that's kind of, today, a qualitatively different approach. But, you know, to the point of, you know, the United States having sophisticated operations as well, I mean, there is a bit of a glass-house thing to some degree. I think one reason, arguably, why, you know, at least the United States hasn't really pushed for anything.
Like an international treaty on cyber weapons: we don't necessarily want anything that's going to restrain our ability to operate in that environment as well, which is traditionally more geared, you know, towards espionage and, when we need it, you know, offensive cyber operations. You know, I don't mean to sound overly patriotic in this, but I will just say, in my own reporting on this, I think that the United States', you know, use of offensive cyber operations in the kind of context that we're talking about, not espionage, I'm going to just put that aside for a second, so actually going out and doing kind of destructive attacks like this, I think it's much more constrained by our understanding and our application of the law of armed conflict, by our own regulations, to those kinds of operations. Fat lot of good that does, though, when you're trying to set an example for the world, right, when it comes to digital espionage and intelligence gathering. I mean, you know, we are the best at it, probably some of the most aggressive, so, you know, but I think we understand, in the way probably of forming, you know, policies that try and restrain criminal activity and, you know, attacks on civilian infrastructure, I think that tends to be, you know, where the US tries to draw that line, although, you know, doing that's easier said than done, clearly.

Jason, anything to add on that?

I'll echo what Shane said: you know, I think we do have great capabilities in the US security and intelligence apparatus, but I think it's important that we are constrained, and I think we have to make sure that we're consistent with our values and our understanding of laws, and I think we do. I think we have to also remember that Putin wants to play Calvinball, not by international norms, right?
You know, the old Calvin and Hobbes game that after so many turns always turns into Calvinball, right? And I think we have to be realistic about that in terms of setting very narrow and achievable objectives that are measurable and objective enough that we can have international norms and enforcement around a certain setting. Now, Putin's done a lot of work to help, you know, create alternatives to things like the SWIFT banking system for, you know, cross-border monetary transfer and things like that, which are also enabling more of this type of criminal activity. So the more that we can end up, you know, reducing vulnerability at home, increasing cost and consequence against individual actors and criminal organizations, and then helping use international partnerships to improve our ability to attribute traffic to state-sponsored and condoned, or state-sanctioned or state-initiated, activity, the more that we can try and isolate this behavior, and I think that has to be a really consistent sort of message from us.

There was a question that Gilbert Martin asked, which was what is the US government doing, you know, actively or reactively? You know, we know what they're doing, so we know that they're talking to governments and they're putting it out in public. There's also a lot under the waterline that's going on that we don't necessarily hear about in public. Do we have a sense of any other US government actions that are going on?

I think we've seen instances in the past, and, you know, we may be seeing them sooner now. And the US government has been clear that they would do things like try to disable the infrastructure that some of these organizations use, you know, go out and take down places on the network that they're operating, and, you know, does that lead to a question about, we try and go out and, you know, deny the, you know, an area of operations, if you will, to some of these groups. So I think that's one thing.
And look, there are the other retaliatory steps we can take towards states in this domain as well, that are, you know, I won't say off the shelf, but there are, you know, things ranging from sanctions to, you know, covert activity that could make it harder for them to operate. You know, there was a question, I think, years ago after the Sony attack, which was attributed to North Korea; you know, when the internet basically went down in North Korea, there were questions about whether the US government had done that, or whether that was something actually that the North Koreans did that we misunderstood. But it leads to those kinds of scenarios where you can imagine the kinds of things that, you know, we could do in that domain. Authority is there for any president to use to try and influence the behavior of other countries, and covert authority can be exercised in cyberspace as much as it can be in the human and kinetic space. So those are policy options and tools that are built right into our national security system, and just because they're done on the internet doesn't mean it makes them different in that regard; in authorities, they're the same.

Okay, so some things we'll see, and they'll message explicitly, and then a lot of things, who can say? I mean, DarkSide certainly disappeared, the Colonial Pipeline attackers. That doesn't mean they won't come back, but maybe that was also a demonstration of what the US government can do in retaliation. And the US recovered some of that ransom, which was a fairly impressive operation. I'm just curious how exactly they did that, but yeah. But they're probably not going to tell us, right?

I don't think so. This goes into the territory of sources and methods, that if you tell people how you do something. This is what I would say, Gilbert, partly in answer: if the US government is explicit about some of these actions, they will lose access to those actions. That would be my guess.
We have a question that's in a different direction from, I don't know if it's Ellie or Eli Jacobs, but what role does the wider spread of cryptocurrency play in this, and does government-backed digital currency improve this, or make it more difficult? This is definitely outside my playbook, so if either of you have a comment on that, I think that'd be very interesting.

I'll share a small snippet. I think the reality is that you've seen, even with increased government pressure, some of the ransomware groups move from things like Bitcoin towards things like Monero, because of some small reductions in the amount of data available for tracing those funds, effectively, because of the way those cryptocurrencies work. The reality is non-state actors and nation states that are largely not friendly to, you know, Western organized kinds of governments and allies are going to continue to look for ways to move money, you know, outside of sort of the global state-sanctioned financial system, and Putin for a long time has tried to encourage alternatives to things like SWIFT and others that are used by responsible actors. The more that we have visibility into that, certainly, the more it's going to help with law enforcement actions. Remember that things like non-fungible tokens and others are heightening that to even a further degree. So those are all driving crime, and you actually can even see that, and there's some anecdotal evidence that, you know, things like antiquities and art theft across borders are actually going down. That's another classic way to move huge amounts of money, you know, outside of the normal financial system, and NFTs and others are just kind of alternatives to something that's been happening for centuries.
Yeah, I just feel like, you know, the criminals are always going to find a way to get paid, right, and to extort people, and, you know, the networks of illicit financing and money laundering that you can trace back to being built, you know, in post-Soviet Russia are at an industrial scale. I mean, it's a significant portion of the world's economy by some measures, so, you know, I think probably, you know, you can't really just blame it on digital currency; there's always going to be a way to move money illicitly and to hide it and to get it out of the reach of authorities, but you can make that harder.

This has been a great conversation. We're coming up on the hour, so I want to combine two of the questions that we have for you to give your last thoughts on. One was from Matthew Greg, who wanted to know if cybersecurity is something that should be taught in school, and if so, at what age group. And then he also asked earlier on, what do you think about the future of cybersecurity? And I think those are closely related questions, so what do you think about the future and how much responsibility we bear for teaching, you know, people, at what age, for making sure that people learn about how to do this?

I'll take a first crack and then Jason can have the last word. I mean, I am a huge advocate of media literacy for young people, being a journalist and finding that, you know, so many people, including kids' parents, understand very little about what I do and trust that even less.
I have long thought from reporting on this that, you know, digital education and digital hygiene need to be a part of that too. I mean, at the same time that we should, I think, be educating kids about how to essentially, you know, not believe everything you read on the internet and understand truth from falsehood, instilling these kinds of best practices should be, I feel, as ingrained as teaching kids to look both ways when you cross the street and not talk to strangers, right? There's two basic things that we can do, you know, that would solve a whole lot of problems of just individual information security, right? You know, don't click on links in emails that people send you, you know, don't click on the text message, you know, use two-factor authentication, stuff that could just be ingrained and taught to kids. I think in terms of, like, you know, where this thing goes in the future, I mean, I wish I were more sanguine. I think just experience has taught me, you know, not to be too optimistic. I think that, you know, there's a lot of incentive in markets to come up with better security and to protect people, more than those things can really work, right? I mean, there's a lot that can be done to protect, as we've been talking about here, companies that are just clearly vulnerable in ways that they shouldn't be, and we can solve those problems. But I think that, as, you know, kind of cyber as a domain evolves, I've often felt that we are kind of inevitably heading towards some kind of shift where there's going to have to be some international normalization of what is acceptable behavior. Is that a treaty? Is it just sort of a set of customs? Is it something like the law of the sea? I don't know. It hasn't happened yet, and there've been lots of reasons why it hasn't, but as this thing evolves.
I just think all nations are going to have an interest in trying to sort of normalize and draw boundaries around what is acceptable behavior and what is not. I don't think we're just going to naturally, peacefully arrive at that conclusion; I think that there could be, you know, real damage and real violence that happens before then. And I think that what you've seen with Colonial, for instance, is more kind of like a preview, or an appetizer, of things that are to come. I don't think that we've gone through the dark period yet.

It's not encouraging. What about you, Jason? So, Shane says the future is. I'm normal. Youth engages, but it's really upright. So what do you say?

Shane's putting me in the position where I get to be the optimistic one, so given my work in this field, I don't always get to do that. So, you know, I think, building on that commentary, the reality is we as a society are at a bit of a crossroads right now. You know, 15, 20 years ago, we weren't digitally dependent like we are today. And there's no coming back. We've made that trade. And we're going to keep getting more digitally dependent because of all the economic opportunity and individual opportunity that comes, as a society, for a country, for our people. And so I think we have to acknowledge that, and that means, on the education point, yes, there needs to be literacy around some of the basics of what it means, no different than the other systems that you look at, you know, whether it's roads, whether it's telephones; there's lots of basic things that you get exposed to in your life, and we need to make sure that's there. But I think the other part is that leaders who are in power today, private, public, etc., so let's pretend this is an information technology issue. This is a geek issue. It continues to get talked about as a technology issue, a geek problem: feed them pizza, slide it under the door, they'll come out when they've restored the systems. Right.
And the reality is most of the organizations that are getting hit are getting hit because of systemic lack of investment in people, process, data, and technology. I have yet to see a ransomware attack that was from a nation-state advanced adversary where there wasn't something clearly preventable that could have caused it to have been identified and detected, and maybe not stopped entirely, but largely to have avoided some of the really catastrophic implications. So we have to decide that we're serious about making transparency a real thing about how many events are happening. We have to take a look at the facts and not paper over them. And I think if we do that, we have a much better shot of getting everyone to take it seriously. The second part is, we have to take a look at the cumulative harm that's being done to consumers in our society, even the unemployment fraud and benefits, the small business and COVID fraud and benefits. What do you think that was enabled by? It was enabled by the Equifax breach, the JP Morgan breach, all of these successive breaches, the breach of military records like mine; thousands, millions in fact, of, you know, American defense professionals have their entire family histories in China. And by the way, the same techniques that the Chinese used to compromise Active Directory identity infrastructure, because of fundamental vulnerabilities in Microsoft products in 2014, are used by Russia in SolarWinds in 2020. So exploiting Microsoft Exchange so that people can then exploit Microsoft Active Directory to compromise 30,000 organizations earlier this year, that was a very wanton response to their operation getting blown. So we should absolutely be going after improving norms and standards for nation states, espionage, military, others. We should absolutely be building law enforcement coalitions to go after organized crime and criminal groups.
We should be making sure that individual people face consequences, but we have to acknowledge that if organizations sell vulnerable products for decades into their customer base, they shouldn't just be excused from that behavior. And we have to start having enough data about how many events are occurring, and those events are linked to things like Microsoft Exchange's vulnerabilities or Microsoft, you know, PrintNightmare, that was going on right now. I mean, there is a dumpster fire in security that is as bad as it was in 2003, when you saw Bill Gates, in a calamity, initiate Microsoft's trusted computing initiative, which moved the industry forward a huge way, but it is time for another trusted computing initiative that is much bigger, much broader, and much more serious, because of our digital dependence today. And I'm sanguine about the potential for us to get serious about that. But if we don't have disclosure, we can't have policymakers and business people and consumers and voters have the same understanding of just how big this iceberg is. We're going to continue to just move, you know, the chairs around on the deck of that Titanic. We're in contact now; how long do we want to wait before we decide it's big enough that it's going to sink the ship?

So that was a great way to end, and I don't know the answer to that question, but I certainly hope that the way that Heather and her colleagues framed us as ransomware summer means that this has risen to the visibility that we can get serious in the ways that you both talked about. Thank you both, Shane Harris with the Washington Post and Jason Crabtree, CEO of QOMPLX. I appreciate both of you joining us for this conversation. It was a great, great hour. So, take care, everybody. Thanks for joining us.