I'm here with Ethics Village, and today we have who is going to speak on the subject of ethical issues and cyber attribution. This is intended to be an interactive session, so he will pose questions to you all and encourage you to answer, or you can ask questions of him as well. We would like that you line up for this microphone and speak into the microphone your responses or your questions, because we are recording for posterity. If anyone is uncomfortable getting up on the microphone, you can tell me your question and I will phrase it for you. With that being said, we will get started. Take it away, Jake.

For those who don't know me, I think the problem with the big thing here is probably that bullet down there about the former NSA hacker, because this is something we didn't use to talk about a lot at all and then the Russians did it for me. So I have a bias here, a significant bias with the whole shadow group and for those that ever followed that they definitely done a bunch of fools. They also had a few folks that had dealt with cyber operations and that has definitely impacted my life. So I have a kind of a stake here in understanding as well as trying to normalize what are our ethics around how to publish cyber attribution. Now in their case they were right. Since they came out today we shouldn't talk a lot about our operations or somebody who used to be involved in operations of your own. In other words, you've got skeletons in your closet, and make sure that I knew that they had enough physical material to hurt me significantly. Mostly that they are right and I did exactly what they said in STFU. Because I decided that I think I did the worst decision there. I could all do it in both sides. Anyway, so I actually have quite a stake in this and I think this is an important discussion that we really haven't talked about for a long time for my own personal sake. I think there's a lot that we really don't talk about when we publish these attribution strings.
So I want to walk through here. I'm going to make this a very interactive talk. I'm very interested in what your opinions are. I'll have to share some of mine as well. I spent a lot of time thinking about this obviously. You know first hand and the first hand impacted. Don't vote without me though as far as dislikes. Well, if you got to call yourself a thought leader, you're not a thought leader. If you know you're a thought leader, people will tell you you're a thought leader. I hate it when people are thought leader and are vital. And I also hate people that have blockchain and needless to do so. That is a blockchain knowledge down the way there. I'm not saying blockchain is bad. It's not. Blockchain has lots of break which isn't going to use this string on free. Anyway, that said, if you needless to add it because it's cool or if you get investments or whatever, you're just doing wrong. Look, this is going to be really loose. I mentioned this before. My agenda is really loose. Discussion, talk, and ethical issues in cyber attribution. I've got a number of different scenarios that I want to walk through. I highly encourage you to hit the mic before every reason. For me, of course they are all reporting. If you don't want to be seen or heard or whatever and reported, or Shane offered again, they're very gracious to offer to take your question and pose it. Likewise, if you can't get to the mic for whatever reason, I present SANS all the time. So I'm used to repeating the questions. We'll definitely do these on videos if we don't lose these for posterity. I'll mention here that this isn't going to work if you don't contribute as well. Again, I can offer my opinions all day. I'm like one guy. And I'm biased. The first thing that I have biased is back two hours ago for a hand initiative. I gave a talk on cyber threat intelligence and then you biased one of the things we talked about. So avoiding bad CTI. And certain CTIs review a lot of that attribution app.
And I admit one of my biases is that I can't publish about Russia. They're in a biased fashion. I'm personally bad at it. They've impacted my life pretty heavily. And I have a hard time separating my emotion and my issues there with them. My personal issues there with them. The natural attribution itself. Well, I also saw a great talk yesterday with Anna about this. Actually, we know a lady that works over at Microsoft. Anna called it. And she was talking about that as well as an IBM. We're kind of IBM. And I was really fascinated. One of the things she talked about was the rush to publish. And we have this info stuff right now. It's not going to name the names of Bloomberg, but there's a rush that he makes it to publish before you verify some of the information there. And again, if you're not familiar with the Bloomberg story, but you know basically that they published that there was an example of sort of a Chinese supply chain attack, Supermicro servers, and something the size of a grain of rice, a small size of grain of rice, could ultimately change how the baseboard management controller would work. Now, that was really cool. And of course, they never found any actual evidence of that happening. This is a really interesting analysis problem though, right? Because the, obviously, you can't prove a negative, right? So it's very, very difficult to just prove a negative. And yeah, that definitely gives there. But look, you know, Supermicro lost a lot of money as a result of this, right? Their stock price started to die. They sent me incalculable amounts of time, or any incalculable amounts of time, working through, well, trying to discuss the waste group, definitely internally. What message should we send? Were there any instances that this actually happened? Amazon and Apple were both excited to the story. As I haven't been impacted, they lost lots of money there as well.
And money, meaning money and time, I think there are customers, I think customers, asking me, showing it off to Amazon and Cloud, trying to send it back home, right? Well, that's huge, right? You're talking about migrating away from Amazon, you're migrating over to Google, because they don't use Supermicro or something. That's a huge thing, right? So as I look at this, I'm kind of like, rush to publish, right? What kind of obligations do we have there as well? And I really liked that talk yesterday. I highly recommend it there. And that was something that you really talked about. This is the, if you're not first, in many cases, it's not where the public should get, right? There's a lot of folks that feel that way. And as a result, you know, how are we addressing our ethical obligations and correctness there and balancing those against the, you know, against that whole rush? So I want to talk about my agenda here more or less, some of the questions that I want to get into. Obviously, issues of participation. My talk about participation here, the primary person that comes to mind is Park, right? So, Park was a North Korean hacker that we charged last year. I actually had an op-ed in the, we charged from last year to the beginning of this year, I can't remember now. They're all bleeding together with the, the other day charging foreign hackers, which also feels about, that's a legal question, not an ethical question, right? Charging those nation-state to nation-state hackers there. But, you know, in Park's case, I really don't think Park had a choice, right? He worked for the North Korean government, right? North Korea doesn't come and say, hey, anybody want to do this over here? Because it'd be really cool. In fact, probably cool to the planning of the race, which it is, right? I don't think you're wrong. I mean, I think, because I'd rather hack the plan. Right, so at the same time, I don't know that you have a choice to say no, right?
In fact, I would argue we probably didn't. In fact, if you're not familiar with the North Korean government, they have, basically, they have what they call the three-generations rule, which is that the North Korean government, they kill three generations of family. It's a pretty powerful incentive to a, well, not after the North Korean government, right, when it comes down to it. When they came and said, hey, do you want to do this thing, right? I think that's a huge issue of participation, right? And so, as we look at our publishing, or us publishing cyber attribution there, does it matter, and we'll talk about that, but it doesn't matter if that part was not free to choose. To choose is unadventure, if you will, right? This is the fact that family members, second and third order effects, right? So as we start talking about second and third order effects, does it matter? Maybe Park didn't have a choice, and we're okay with that. But if we know for a fact that the government may take out on, or may take actions out on, second and third order, you know, folks there, does that matter? Does that change how we need to address our attribution, right? Because there's the technical side of attribution, but what we're really trying to address in this talk is not the technical side. It's the what should you do, right? Not necessarily what can we do from a technical standpoint. What should we do? Then, of course, we have loss of life, right? You know, I have 100% confidence that Park is not alive today, right? So after we outed Park, I have 100% confidence that he was killed by his government. The easiest possible way to make sure that he doesn't become a bargaining chip is to make sure that he doesn't exist, right? Now, of course, the North Korean government originally came up and said he doesn't exist, right? Not only, right? If you've read a lot of the reports on the backside, I said, look, not only are you wrong about this, right? Wrong about the attribution.
You're crazy wrong, because the guy that you're talking about isn't actually a guy, right? He just doesn't, and look, that's gonna be an embarrassing thing for them to back up on, right? And so I think, again, pretty confident here, you know, knowing the North Korean government and their wonderful ethics and morals, they took the guy out, right? So he'd probably sit in a meat grinder someplace, or who knows what, right? Bottom line, bad spot there, right? From a loss of life standpoint, if we know that's gonna happen, does that change our obligations to publish or not publish? Then we have the possibility of false flags. In fact, at DerbyCon this year, I'm actually speaking on how to perform false flag attacks, right? So kind of taking a look at it, and I have an ethical issue with that, too, by the way, so that's something we discussed a lot at Everendition, right? If we detail how this is happening, right? Because we are observing false flag attacks in the wild right now, right? So the question then becomes the should we then even be publishing on that, but the how-tos, right? We actually internally assess that the publishing it is probably less damaging than people thinking that false flags are something that don't happen, right? So we think that by opening that up, it's actually gonna start a bigger discussion around that, start more forensic examiners looking for false flags, and that itself actually is gonna increase the overall confidence or attribution. But as I say that, I'm gonna tell you I could be wrong. I could be a hundred percent wrong, and it's only gonna be used for bad, and there's no good's gonna come of it. And I don't know, and that's one of the things that we run into there, but now I want to take it back to from an ethical attribution standpoint, does the possibility of a false flag attack or false flags in our data, does that impact whether or not we should release attribution or publish on attribution?
I have some feels about that as well, and I have issues of confidence in my attribution. My talk over Diana today, talking about CTI in general, we talked about the fact that we never have all the data, never have all the data. I've never had an attacker call me up on the phone and be like, it was me, totally it was me, we hacked it. And if they did, I gotta be honest with you, I'd question that too, because it would be so out of the norm, I'd even question that. And so I always end up having to make and basically perform an attribution, and when I have to do that, I have to question then, if I'm doing this with incomplete data, what then are the incomplete data points? Is that likely to change or invalidate my assessment? And look, if we're talking about loss of life here, that's not something that I can take back. I talked about being wrong, we actually talked about Kent's analytic doctrine over Diana today and ninth point, for those that don't know, Kent formed basically the analytic framework of the OSS. So the Office of Strategic Services or the CIA even existed. And he put together a nine point analytic doctrine, but number nine is candid admission of mistakes. And I talk about to folks all the time in CTI, all the time in CTI, that your credibility is your currency. We always have to make judgments without all the data there. Frequently those judgments are wrong. By the way, if you're getting into CTI, cyber threat intelligence, and you don't want to be wrong all the time, you're in the wrong field. Because it's just a reality, you are going to be wrong a lot and you're going to have to back up, back assessments a lot, right? And it's not always your fault, it's because you have to do that. You have to perform the attribution, you have to get that data out there for your decision makers. But what's your confidence in that data?
And what's the confidence that attribution and how confident does one need to be before in that evidence as well as the attribution before you actually go ahead and make that assessment. So I'm going to start off with a couple of scenarios here and again, this is a spot where I would love to get a discussion going. So please hit the mic as we kind of walk through these questions here, because this is going to be 18 times more valuable, 1800 times more valuable with you actually participating than without, right? I have lots of opinions on this, I'm happy to share mine. I'm actually not going to share mine first because I'm going to bias what other people in the room are going to say, right? So I'm big on not biasing as well. But I'll happily kind of share my opinion on this where I sit as we go, but I'd love to hear a couple of other thoughts. Here I've been asked to provide attribution to a specific cyber operator, right? That OPSEC or let's call it incomplete OPSEC, right? Where they have made mistakes that allow us to literally say this person behind the keyboard. This is what we're seeing done with the DOJ's charging Russians, Chinese actors. We charged a couple of Iranian hackers and finally Park over North Korea, the examples that I'm aware of at least. Now the operator, basically once we identify them, they're not going to be extradited, right? So let's say they operate in, I don't know, we'll come up with a fake country here, Russianistan or something, right? And they're not going to be extradited, right? But they're also not going to be killed, right? So the only thing that we're going to do is we're going to limit their quality of life by ensuring that they can't travel, because if they travel outside of Russianistan, then they will find themselves in a bad spot. So this would be a quality of life issue for said operator. The questions that I have here are: what are our ethical obligations? How confident do we have to be in the attribution?
How does the quality or evidence play into our decision to publish the attribution report? Now again, remember the impact here is that Joe basically is not, whoever this person is, is not going to be able to travel outside of his home country ever again, right? We'll say indefinitely throughout the future. I actually have a question over here. Yeah, how can we be so sure that the ethical attribution of Russianistan is that they will not actually get rid of the... Yeah, so you're asking... So the question is how can we be so sure that Russianistan isn't going to kill said operator or get rid of this person? And I'm capitulating that here to make the ethical discussion. I'll get into that in a little bit to the your scenario. But I'm starting here with an easy scenario. Why say easy? Maybe it's not easy, right? But basically, we're willing to capitulate at this point that Russianistan isn't going to kill, imprison, negatively impact in any way, said operator, right? So actually, let's come back to the U.S., right? So we'll take that scenario, right? So let's say... Heck, I'll make it personal. Let's say that I get charged in China, right? It's pretty clear that U.S. is not going to extradite me to China for my crimes against the Chinese government, right? But there are a lot of other nations that if I land there, even though they're friendly to the U.S., they're also friendly to China, and given a valid court order would extradite me there, right? So in this instance, we're worried about... Yeah, so in this scenario, we're not worried about this operator being charged by their own government only by a foreign government, again, which limits their travel and, of course, limits their quality of life. Now, through the U.S. example out here, honestly, being locked to the U.S. is not a significant quality of life impact issue compared to some other countries, right? If you live in Morocco, let's say, Morocco is, yeah, big, right? 
And, you know, you probably want to travel to Spain in other areas, well, maybe not Spain if you're from Morocco, but you get the idea... They have a big, like, butting-head kind of thing here, so hence the thought there. But you get the idea, right? You might want to travel to some other country, and, again, what's your obligation there? You're sorry, what's our obligation here in the attribution side for significantly impacting the quality of life of said operator? So I'd love to know if anybody has an opinion on this. Go ahead and hit the mic, man. I think it depends on your level of confidence, and if you're willing to disclose your level of confidence. Confidence is relatively low, but you clearly disclose that your level of confidence is low, then it becomes less of an issue. Okay, so we have that the quality of... Sorry, the quality of our confidence, the level of confidence plays into plays into our decision if we disclose it, right? So that's always key, because we read a lot of CTI reports today and attribution reports where nobody actually talks about the quality of or the level of their confidence in a particular conclusion, and then there's also kind of a metapiece here, which is the confidence in your evidence overall, right? So there's confidence in your analytic conclusion, there's confidence in your evidence, and those things are related, but separate issues, right? So we're willing to disclose that and if so, you know, what? Sir? You got the... Oh, I'm easy. Take it back, go ahead. Well, there are two of you writing the same line there, so line of fire. So you've only kind of talked about the one side of it, though, the impact it's going to have on the operator that we're potentially disclosing. You've only talked about why somebody would want to disclose and therefore what the counterweight or the benefit would be to the person disclosing. Yeah, that's very interesting. 
So basically what's the benefit to us for disclosing and what ethical issues do we have in enforcing that disclosure, because we're talking about the counterweight of this, right? But not necessarily the ethics and in fact to have a scenario coming up where that specific issue gets brought up, right? So basically as we have other impacts here, right? If we can prevent some, I say here, but basically from our perspective, we can prevent some action from happening by disclosing, right? How does that weight versus counterweight play out? And that's actually a really, really good point there. I'd be interested to know, do you have any thoughts in this scenario under, you know, basically what weights might impact here? Yes, I mean if the expectation was that by doing this, and I get it, it depends. There's lots of players who've collected that, but by doing this you're creating a higher confidence in being able to say that the actor was doing it, and that allowed you back and forth between two governments as a private entity to have a single person, but I would be more likely to say it's a private entity because you have more people being impacted. Right, so basically the kind of the conclusion or the thought process, and I'm going to paraphrase here, tell me if I'm missing the vote here, but basically that if by attributing the single actor, right, this triggers diplomatic discussions between two nations that impact a much larger number of people, ethically then, and forgive the wording here, but basically this person, you know, using them as kind of that collateral damage or that pawn is okay, ethically okay, because we get a larger net benefit, right, as a result. Is that accurate? Okay, perfect, perfect. And before you go here real quick, there's a gentleman over here, you got a thought? Just a quick comment on the last one, the level of confidence. I would argue it almost doesn't matter because the consequence happens either way. 
Yeah, so the question or the kind of comment is, does level of confidence even matter, right? Because once we make the attribution, if the basic of our level of confidence is low, medium, or high, that individual is still going to be impacted, right, no matter what. I guess from my perspective, when I, you know, you say kind of it doesn't matter in that scenario, I think where it matters to me, when we talk about that, you know, that level of confidence side, it's the, does our level of confidence influence whether or not the level of confidence influence whether or not we actually report on the attribution in the first place, right? So I agree with you, once the attribution's out the door, if you say, hey, I did this attribution, it's low confidence, I think I agree with you by and large, right, that largely it's not going to impact the outcome, but I think it should, personally, I feel like it probably should impact our decision to release in the first place, right? Particularly if we believe this to be an actual impact, a likely impact, I think that's probably where we consider that confidence level.

Yeah, that's a really interesting point, right? The golden rule, do unto others as you would have them do unto you, right? If you're not willing to be that person, if you're not willing to take this impact yourself in a similar scenario, should you then release that attribution? That's a very interesting take, right? Because there's a lot of folks that have trouble with that whole, you know, the empathy side of being able to say, well, I would never have been in that position to be up to be, you know, to be that hacker on the other side of the keyboard, right? So, interesting point there. So, are you out of thought?

Yeah, so what I'm really concerned about is the ethical obligations if we don't. Because here's the thing, when you're talking about Russianistan attacking Ukrainestan, and you're doing ... civilizations happening, so don't you think we have an obligation if we have a reason things of confidence? Because we have Interpol, these people are, you know, have indictments and that kind of stuff. And so if we don't do that, if we're just thinking about just one level person, then move that person aside. What about the another fifty thousand people are doing that for that government? Is there not at a turn for that country to not to be very focused on how they want to do these things?

Yeah, no, I actually don't disagree with that, right? There really is a... Will absolutely agree with you that there's a human cost to cyber attribution particular, or sorry, to not performing cyber attribution. You talked about the example of Russianistan attacking Ukrainianistan. The heck with us, Russia versus Ukraine, and so as you know I was trying not to annoy Russia any more than I have, but never mind, whatever, that cat's out of the bag. That ship has long sailed. Look, realistically, you know, when I think about that, I do think you're right. I do think that there's probably a, you know, definitely a convenience factor, because here we're only talking about quality of life for one individual. If we talk about NotPetya, NotPetya impacted the quality of life for millions of people. No question, impacted my quality of life directly doing incident response, I'll be the first to share that. Maersk, as we know, sent workers home and many of those workers never got back paid, right? So, you know, impacted a lot of those people, I suspect, are working paycheck to paycheck, right? So I think here we're talking about quality of life versus quality of life. I think it's a pretty clear, I would agree with you, that's a pretty clear balance there, right? I think things get more complicated in some of the other scenarios we'll talk about down the road. We're talking about quality of life versus definite loss of life or predictable loss of life, right?
I think that's where they will have some more interesting conversations as well.

Oh, that's such a great question, right? So the question that got interjected or kind of thrown out there was, are we asking about the ethics of an individual performing this action and an attribution or the state performing the attribution, right? I would argue that we have to discuss first at a personal level, right? I think that that's at least for me, and you could, at the end of the day, you can define that, you know, basically define the discussion however you like, right? It could be that indeed it is the, you know, we're talking about is it ethical for the state to do it, but look, for the state to perform attribution, there are analysts working to do that attribution directly and they either choose to participate or not, right, in that action. And so I think that we have to start at the individual level. But I do understand that we do have to have that discussion at a, definitely have that discussion at a higher, yes, state level as well, right? So yeah, that's it, man. That's a really good question that I don't, that I wasn't prepared to answer specifically. So hence me kind of like thinking through it on the fly. Great. Whoever brought that up, awesome job, right? Sir?

So the question I have is just also like a place, let's say Russianistan is a place very similar to a country next to South Korea where people routinely flee the government. So the kind of idea here is, if we call somebody out, are we actually, if we call somebody out who works for government where they're forced to do this thing, maybe they're doing it unwillingly, are we stopping them from actually having a better quality of life? But not only that, but we also have to, if we're doing this as a state, we also have to take into consideration, are we actually blocking ourselves from having this person potentially flee at a later date and then us turn them or us use them as a source of intelligence? Because we just burn that if we do this.

Yeah, I don't disagree with that, right? We do have a possible issue there of, you know, basically eliminating, let's say that person gets eliminated, right? Or doesn't flee, or the, you know, the extra pressure on them prevents them from fleeing. We then couldn't use them as intelligence source. Also, separately, from an intelligence source recruiting standpoint, they would be very, very unlikely to work with the U.S. then in any capacity, regardless of the logistics of them fleeing, right? You know, typically we try and soften them up to be receptive to us, or whatever your nation is, right, home nation intervention. I would suspect that that would completely eliminate their desire to work with us. I don't know how ethic, how much of an ethical question is versus a logistical question, right? And don't be wrong, I'm not nitpicking here, but I, I mean, I guess we look at ethics being kind of like what's the greatest, the greatest good for home country? Yeah, as we're going that, so greatest good for home country, but that's a tough question. I certainly don't have a good answer for that. Yeah. Yeah, but you're right. There are countries where that occurs, and very primarily North Korea is a great example of that.

Could we potentially, instead of providing the attribution down to the smallest denominator of the individual operator, instead provide the attribution to the level of a collective, be it government, threat actor group, etc., instead?

Yeah, so this is a really good question, right? Instead of providing a, basically providing attribution down to the human individual operator level, should we be providing attribution at a higher level? Could we achieve the same goals with that, right?
And I will tell you that is something that I am a huge, huge proponent of, as you all know. But as you well know, but a huge proponent of, and for that very reason, right? Because we are unlikely to impact the individual versus, you know, ultimately versus we can still get the same statecraft approach across without saying, no, no, is this person, this person individually was behind this, right? Now on the other side of this, by the way, of course, we have to look at the ethics of upholding our own laws, right? Obviously the actions, these cyber attacks against us, whether they are a result of statecraft or not, they are illegal in our country. All right, so whatever that country is that you happen to live and work in, if they get hacked, ultimately, they are, you know, there was laws broken there. And of course we have an ethical obligation to uphold those laws, right? And so this is a spot where ethics, you know, it starts to get very, very...

You can do your public attribution very different than how you prosecute or start looking at finding other things. So there can be a separation between the legal handling and the ethical.

Yeah, so to that point, Jessica mentioned that there could be a, basically a separation of how you handle something legally versus how you handle something... I apologize. I didn't mean to say, I didn't mean to just attribute you there. Sorry. That was unethical.
Anyway, so the, without prior consent, so the... Yes, anyway, about that. So, yes, so anyway, so yeah, you could separate how you handle individual attribution for how you handle legal side of that, you know, basically upholding our laws. Sir?

And more to that point, it got me thinking that you could do kind of a individual attribution without naming the individual. You can, you know, provide a sufficient level of detail that a cyber operator in district atom of city beta of this country did this work, to the level of degree that, you know, if your experience doing that, you see the report like that and you're just like, oh, there, they know who I am, without being named specifically, which kind of changes the, you know, separates the legal and ethical issues some. Additionally, I think there's some consideration as to who they're working for, that there's going to be a difference whether they are working for the state or whether they are, say, in organized crime, that it might have the same effect within the scenario that, yes, even someone operating in organized crime in this country, the nation-state relations, they're never going to extradite them, but at the same time it can have the effect of getting that nation to turn the screws on that particular organized crime group to say, hey, no, you're hurting things diplomatically, stop this action.

That's a great point.
If you'll stay at the mic for just a second, I actually have a follow-up. Kind of, I'm interested to hear your opinion on this since you brought this, you know, since you kind of brought this up. I'm a hundred percent behind this with the, you know, the organized crime group. Let me come back to the nation-state operator side of this, because I think that's where we have a little bit more confusion around, you know, what is ethically right or not right. When it's a cyber criminal operating outside of the state, I think that there's a little bit less confusion around that. But if we take it back to the nation-state operator, if I'm publishing to a level of detail that the individual, or sorry, if the, you know, the CTI team is publishing to a level of detail that an individual operator can go, oh snap, that's me, right?
Would we not assess that those around them would also be in the similar situation, be like, oh, that's Jake?
Right, exactly. Well, does that change... Let me ask you, does that fundamentally change the game, right, with the government then not also act in the same manner? Or you're saying here, because it really wouldn't limit their...
I think for this particular scenario, when we're talking about, you know, affecting their quality of life and so forth, it's like, okay, well, charges aren't going to be brought, so they aren't worried about traveling to an intermediate country and getting extradited or so forth. But it certainly might affect them in some regards in terms of, you know, the government saying, okay, well, you're going back to working in a rice field. That is, it might have that sort of quality of life issue on them. But it's not going, I think the quality of life impact is probably going to be a lot less, and honestly, anyone who's technically skilled, the government's probably not going to say, you know, go back and work in a rice field. It's going to be, okay,
You're no longer doing this super cool job. You get to go service routers now.
That's actually quite fascinating, right? Hadn't really considered the whole, like, you know, calling it out to a degree that the government can see who it is, that they can see who they are, but not necessarily... Because in that particular scenario then, you know, you don't end up with charges being filed. That's fascinating. I honestly had never, just never really conceived of that before. Yes, ma'am?
It is, we might effect change in that group to change their tactics. So we might actually more actively meet our goal if they can self-identify: crap, that was us. Maybe if it's to a group within a nation-state organization, because now we're talking about district level, or maybe everybody's coming out of that state building, we don't know who, but we can't punish the whole group, we need them to work, but we can force them to change their...
Yes, so the thought there, just kind of memorialize this in the, you know, microphone feed and everything, is that... no, you're all good. So, ma'am, you're all good. But so basically the thought process there being that by identifying this individual without naming them, right, we may force a group to change tactics, right? Is such a strong... and in fact we've seen this, and I think this is where you're going with this. We've seen this repeatedly when we out an individual in a group, that that entire group does change tactics, right? It's very clear to, let's say the group is 30 people and we charge three of them because those are the three that we can say, these folks were behind the keyboard. The other 27 in the group don't just go, they're not on to me now, right? They absolutely are, I would suspect, pooping bricks, right? It's probably, you know, the right term there. And certainly looking at what impact do they have, right?
So I agree with you. I think that you're on to something there, that definitely, and certainly our pattern in the past has been, again, they charge or we charge an operator, you know, the rest of the group changes tactics, changes infrastructure, changes, you know, changes malware in many cases, right, or tools, however you want to refer to that. And so I think, to your point, I think that, you know, identifying without naming could be effective in achieving that same goal. Yeah, absolutely. Any other thoughts for you, sir?
Yeah, so the question is, what if they, what's the risk if they change to something we can't detect? And actually, if you really want to read up on this, Mandiant's APT1 report is outstanding. They have a whole section in there about why did we decide to publish, and Kevin Mandia, you know, is somebody who took a lot of pains in making sure that they published about a group that, you know, in fact, there's one the only group they could publish, but it wasn't the most impactful group that they could publish about. If you read their reporting, they say specifically they chose to report on APT1 to get the word out that China was performing nation-state hacking against commercial organizations, right? They wanted to tell that story. But they chose this group, of many Chinese groups doing the same thing, specifically because (a) their opsec was horrible and (b) they didn't have good tooling resources, right? And so to reconstitute that group, right, was going to be very difficult, and they expected that they would make a number of operational security mistakes in doing so and that they would reacquire that group very, very quickly. And so they, you know, I have spoken to folks on the back end, you know, obviously friendie eight, and I'm not going to reveal any details beyond the, you know, the generic here. But they had several other groups that they had single-instance indicators for, right, meaning like, this is the one way we can track this group, or two ways we can
track this group. And to go discuss even the operations that they were doing, even without revealing the indicators, right, would absolutely tell that group that they needed to go change TTPs, right? And so it basically becomes an intel gain/loss scenario, right? So what do we gain versus what do we predict we'll lose? And there certainly is an ethical issue there, you know, in that disclosure, that's really not one that I've got a slide to talk about, but no, that's great. That's why we do the discussion side on this. I think that's a phenomenal, you know, phenomenal piece, right? When you publish, in fact, I'll tell you that when the APT1 report came out, I know several companies who didn't have the capabilities that Mandiant did, all right? Mandiant reacquired APT1 like that. I mean, it was just like that, because they went to ground for give or take six weeks doing some retooling and popped back up on the grid. And it was just, I mean, they were bad. There's other companies that don't have the telemetry and the resourcing that Mandiant does, and it took some of those other companies, you know, six months to a year to reacquire, you know, basically reacquire the actors. They're no longer tracked under APT1, but it's the same actors continuing to operate, right? To reacquire them obviously took longer. And so you have now a question from an ethical standpoint, I think, to where you're getting to, is if you release that data and you impact others' ability, right, to track that, is that even ethical to do? Actually, this would be a great time to do one of those polls.
We have those cards, the card thing here, ethical or unethical. So if you know that by releasing this data you're gonna change policy, but at the same time, when you release the attribution report, you're going to hurt other private businesses' ability to track the same group, is it ethical to release and get the foreign policy debate going? So ethical would be releasing, get the foreign policy debate going; unethical is you're hurting other companies' and other organizations' and other countries' ability to track this actor that, you know, they're targeting a wide range of folks. Ethical or unethical? What do we think? Ooh, the ethicals have it by a large margin, large margin, right? I saw one, two... Yeah, I'd love to hear an unethical. Why do you think it was unethical, anybody?
Like, release it internally before attributing, that's the only reason. I know it's kind of a cop-out, but it seems like really easy to say, everybody, this is what we're gonna do, and then next day or whatever, or in two days, we're gonna release this, you know, externally. I don't see any reason to jump the gun early. I know it's a little bit of a cop-out, but...
Yes, you think timing plays an issue or plays a role here, right? So timing, so basically if you could give a heads up. I would argue, just in the APT1 report, and this is so great that this is actually a concrete versus a hypothetical, right, in that particular case, that they did actually influence, you know, definitely influenced statecraft, influenced, you know, diplomatic policy. And you know, I feel like I'm gonna have to be very careful
I say this here. I think it was publicly reported that some of the intelligence services had been broadcasting some of the same stuff in the APT1 report for our lawmakers for years and hadn't really moved the ball, but it being public did move the ball, right? Because suddenly it wasn't something happening behind closed doors. It was something that they were getting calls, our elected representatives were getting calls from their constituents about. So, I mean, the timing I think plays one role, but also, I mean, demonstratively in this case, that moved the ball, right? So again, whether or not it was ethical to do is a whole separate question, right? But it definitely moved the ball, right?
Yeah, so what you have here effectively is one nation unilaterally making a decision, possibly without considering, and it wasn't even a nation making a decision, it's a corporation making a decision without... that affects nations, right? A corporation making a decision that affects national policy of other nations, nations that they're not headquartered in, right? So basically, you know, you said it was unethical to consider. Can I ask you, do you believe that that was a consideration that was played out? Okay. And the question, you're correct, right, so in the question that's not something we stipulated, but you do believe in the APT1 report that was something that was actually considered, you believe? Okay.
Yeah, 'cause I'm gonna have repeating stuff to get posterity. Yes, totally, 'cause I've got, yeah, okay. I appreciate that.
Thank you, Shane.
So just kind of a response to that, but does that put you in the loop then of, you can never release until you talk to enough other people that you possibly create it getting out before you have any control of it? Because once two people know something, now three people know something.
Consideration is very different than making the choice and making the decision. And I believe at the point that you potentially have the level of attribution that was done in APT1, that you specifically know what other nations may be using that as intelligence gathering.
Fascinating thought. I like that. Sir?
So as I've been thinking about this, I think there is an ethical obligation to report, but I don't think publicly. So I think that one of the challenges that we, especially as we look at this scenario as an individual, the individual shouldn't... It would be very difficult for an individual to get to the confidence level required to do a public disclosure.
Okay, so it looks like public versus non-public disclosure matters a lot in this scenario, right? So I don't disagree with that necessarily, right? Although in many cases, you know, like this, again, the impact that they get out of the statecraft really comes because it's public. Current, so we've certainly seen that play out over several scenarios. So I'd like to kind of kick over another scenario here. This one's very related to the previous scenario, except here we're not impacting individuals' quality of life. We know for certain, right, and of course I know knowing for certain is very difficult here, but let's suppose for the state matter, for the purpose of the discussion here, that we know for certain that attribution, once we provide it, they are going to be arrested and will likely serve a lengthy prison sentence in a country that is not their home country. All right, now where are we at on the ethics?
All right, does this change the, does this change our reporting, and if so, our ethical obligations, our reporting, if so, how? Any thoughts on this? Because I certainly have some, but I'd rather hear yours first.
So one of my thoughts would be, how did this person get into that role? Was it a decision they made, or was it a decision that the state actor said, you're gonna come work for us?
Hmm, so it sounds like personal choice actually plays a role here, right, if it comes down to that. Any other thoughts about this? They're asking, what did they do specifically? Yeah, that's another great question, right? So what did they do? Was there a loss of life, there was a loss of money, right? So yeah, totally. What did they do? I think that's an important ethical consideration. Sir?
Yeah, I was thinking along the lines of that, and the confidence question becomes a lot more important, that, you know, perhaps having them arrested and serve a lengthy sentence is the end goal, but in a lot of countries that we're dealing with, they don't have the same sort of due process that we do, say, in the United States or numerous other countries where such attribution might be performed. So, you know, essentially we would be kind of trying them in absentia before you want to put out that sort of report, because, you know, that goes to the confidence. Do you have this same level of confidence, knowing that that's going to be the result, to say that yes, if they were here in front of us right now, we could charge them and prosecute them, convict them, with that sort of end result?
Yeah, so that's perfect.
You hit the nail on the head. This is actually the point that we... so all these scenarios we played out at my company before, you know, obviously before coming out here, talked to a lot of the folks there. I'll go ahead and tell you that the majority of the folks that work for me are former intelligence professionals. Most of them are operations professionals, right, who have been in the field or on the other side of the keyboard. And that was one of the first things that we hit on, right, was that we have due process and most other countries do not, right? So that was one of the first things we hit on from an ethical standpoint. The second thing that they hit on, that my analysts hit on very, very quickly, is that when it comes to the gold standard of cyber attribution, right, it's really the Five Eyes nations, right? So Five Eyes being U.S., Canada, Great Britain, Australia, New Zealand, right? Basically the Five Eyes countries really are considered worldwide kind of that gold standard for intelligence and attribution. If we publish something, does that de facto, you know, basically try and convict said individual, right? Obviously we're not going to share the information behind that, you know, all the source data behind that attribution, right? So our confidence level in that attribution will never be discussed, the actual source evidence is not going to be discussed, but the fact that we made a publication is absolutely going to get brought up in foreign, basically in foreign kangaroo court, right, is what ends up being in many, many nations, right? And so that was one of the things that we looked at very, very heavily, was who's making the attribution, right?
And then also basically, you know, from our perspective, if it's the government of Morocco making an attribution, right, against the US operator, I'm not that worried about that, right, ethically, right? If it's the government, on the other hand, you know, the US government making attribution about, let's say, a Saudi operator, I am concerned about that, right? I'm concerned... well, let's take Saudi out. They have a horrible human rights background. Let's pick a country that doesn't: a French operator, right? I'm less, I'm still a little bit more worried about that than, you know, Morocco coming to the US side, right? US, you know, basically indicting, more or less, a French operator, I think changes the game quite a bit there, because again, that report is doubtlessly going to be read into the court record, and even France is a bad example because they at least have a decent legal system. But you get the idea there, and 100%, that's exactly where we went with this, right? So I do think that there's some significant challenges there, and thank you so much for bringing that point up, because like I said, that was our conclusion as well. We don't have any answers, by the way. It's not like there's a good ethical framework around, go, here's where you publish, here's where you don't, right? And to somebody's point earlier, there really is that delta between the me working as an operator, me working as an individual, versus somebody else saying, you know, basically that the government, you know, in conglomerate, basically making a determination there. Very quickly, I'll share with you that that's something that's near and dear to my heart. I left the intelligence community after 18 years based on something I saw that I wasn't comfortable with, that
I'm positive that we're still doing, right? And I'm not a whistleblower. I'm not going to go blow a whistle on anything, but I made a personal choice not to be involved with said activity, right? And obviously will not discuss any of that very further because all that, but again, you know, firsthand I can tell you that, you know, nation-state versus individual does change the game quite a bit, right? Individually, we all have to determine, are we comfortable in being involved with whatever that happens to be, in this particular case that we're talking about here, cyber attribution. Sir?
The more I think about it, I'm not sure we'll be able to reach like an axiomatic conclusion that it's always, you know, in this situation we do this and in that situation we do this. And it may be taken for granted for the rest of the conversations, the more I think about it, that it does really depend on what we're talking about, because in a situation of armed conflict, we don't wait and try the person on the other trench, right? You know, we do it, what the troops were sent out there to do. And if we're talking about cyber, you know, warfare on either a state level or, you know, or whatever, I think it really does have to take into consideration what the consequences are of, because it may be a situation where releasing the name may set an example as to what's going to happen to other people who do have personal choice.
So that's a great... if you'll stay there for a second, I'm interested to know, since you brought up the term cyber warfare, is it different when it's cyber espionage versus cyber warfare, and when do we cross the line from one to the other?
I don't have an answer to that.
Okay, well, does anybody have an answer to that question? Because I think that, please come up to the mic. Because I think this is an important discussion to have as we talk about, because I am actually gonna hit warfare here in a minute, and this is an important discussion to have, one is across that line.
All right, so espionage is stealing information, right? Property, intellectual property. When you talk about warfare, you're talking about, when you said these, everybody uses the term cyber attack. Yeah, it's not an attack. When you attack somebody or something, you're destroying things or killing people or hurting them. Espionage, even though you may lose money, nobody is dying in the trenches, in the battlefields. And so we use this term cyber attack in these communities writ large, and we got to understand that cyber warfare and cyber attacks are completely different. Then you talk about the Shamoon virus destroying 30,000 computers and we have a hardware issue and that's hurting a company. That's actually destroying something, versus stealing property of a government or of a corporation. You still lose money, but those effects are reversible. You are collecting versus hurting or destruction.
Yes. So if I may, before you leave the mic there real quick, I'd like to talk real quick about the day's march doctrine, right? Because we talked about, you know, the point of destroying something, right? That's a cyber attack, just to make sure that I'm tracking with you. But prior to that, we're not, is that where you're at?
There's a range, right? You have espionage. You have disruption, DDoS. You have, you know, these different ways to manipulate things and integrity of messages. But then finally you get to that far spectrum of actually death, destruction.
Yeah, so I guess what I would question then is, let's say prepositioning, right? Because if we were all the way back to, in order for you to destroy assets, Shamoon virus being a great example there. I don't think anybody argues that wasn't a cyber attack, right?
Definitely impacted Saudi Aramco in a huge, huge way. But so as we look at that, there's prepositioning that occurred, right? You know, they couldn't just snap their fingers and say go. They had to be in the network. They had to be in the right places in the network to achieve that effect. When do we cross the line? Because as we look at, you know, I go back to medieval times, right, and we look at the day's march doctrine, right? It wasn't that you go attack somebody that wasn't attacking you yet. But you didn't have to wait for them. Basically, kind of the rule of the nobles, as it were, was he didn't literally have to wait for the enemy to be at the gates knocking the gate down. If they were marching an army and bringing an army, they were a day's march away, right, then it was considered ethically okay to go out and deploy your own army forward, and so that, you know, basically fight not directly on our, you know, basically on our castle grounds, kind of idea. I kind of step back and I look at the prepositioning and kind of putting it in that light, I wonder where does it become that act of war, or, act of war, back up, the attack?
Yeah. Now we're dealing with this term called sovereignty, mm-hmm, you know, we're talking about, does you being in my country, it or less, worst-case scenario is you're taking advantage of another country's servers and things, they can do operations out of that country, knowing that if you want to get after them, you are going into another country's space that's not trying to do any of these things. You're just leasing their equipment or whatever else. It's an issue that's hard to deal with in this day and age, because we've dealt with, for centuries, sovereignty. This is my physical territory. Same thing with air, same thing with space, in these other domains. So now we have this hard issue trying to really remember what is it, external, internal sovereignty? What does it look like?
Yeah, I definitely agree there. Can you do the mic? Yeah, they're gonna, yeah, sorry, just for posterity, right?
So now you're talking about the difference though between reconnaissance and pre-positioning a payload. Those are two very different things. If I've actually planted a weapon, that's an active attack, mm-hmm, whether I've executed it or not. Reconnaissance, I haven't done anything physically. I haven't pre-positioned any weapons, and that's part of intel gathering.
Yeah, no, that's a great point. I'll counter just by mentioning that, and I do agree with you, by the way, that the second you position a weapon, whether or not you've executed or actually detonated said weapon, I think you've crossed the line into cyber attack. And again, as we're talking about attack here, right, we're talking about impact of, you know, basically what's a cyber attack versus espionage, because we're talking about the action here. Just kind of, you know, spinning all the way around back here. But if I have a backdoor in a machine, the delta between me positioning a weapon there and not, which I think we both agree crosses that line, literally is upload, right? And so basically, as we talk about a backdoor, that could be reconnaissance or it could be staging for me to go upload that weapon. And so it does make it very difficult, and back to the point of sovereignty, I mean, it really is a really difficult thing to track. Ma'am?
And if you're talking about at which point can you act, if the day's march really comes in there?
Especially when the espionage is a setup not for a cyber attack of destruction, but a kinetic attack. And if we think about the setups that needed to happen in Georgia stand...
In Georgia stand, I love it.
Where you had, you know, integrations of ICS networks to disable electricity to allow kinetic warfare to take place at a time when there was no anyone knowing, and using social, you know, disruptions that were happening for the rest of the world to be distracted for your timing. There is bigger issues there in terms of at what point is it okay to treat it as an act of warfare when you know the attribution and you're quite certain that the end goal may not be to harm the servers you're on but to position yourself for kinetic physical warfare.
So if I take this correctly, your sense is that the ethics of this change based on the type of espionage and what is the espionage's ultimate goal, right? If it's to steal intellectual property, the ethics change differently than if the espionage is to gather intelligence to support a future kinetic act. Okay, good to go at the mic.
So to that point, and to the earlier point of cyber kinetic events being like a trigger that would change your... I kind of want to maybe push back into the idea that just stealing IP cannot have a serious, true real-life effect, in that when people lose millions of dollars, those millions of dollars would have gone to people who now aren't affording medicine or going to college. Like, it does trickle down into a real-life effect. It's not just explosions.
Yeah, so that's such a great point, right? We actually worked an incident response earlier this year for a company that got hit by ransomware, and it was financially, straight financial motivation.
There's no, we have solid attribution on the, solid attribution gets your foot in mouth, right, but a solid attribution gets, we got good attribution on this group. But, you know, literally the company got hit on Wednesday. They lost one of their major contracts on Friday. And they were told literally that they would lose the next one if they weren't operational on Monday, all right? And they were gonna have 70 people out of a job, all right? And so you're looking at 70 people then that are going on government assistance, right? Definitely impactful to their lives, you know, losing jobs. And so yeah, to that point, right, just stealing, just stealing intellectual property, we've seen other places where folks have lost jobs based on, you know, moving manufacturing overseas, right? So yeah, definitely, there's no such thing as, I think to your point, right, there's no such thing as just stealing intellectual property. There is a human impact to that no matter what. Sir?
I was just gonna mention that risk management also assumes a specific dollar amount to a life, and so that's one of the challenges that...
Wow, flashed an ethical card there, but, well, not him, I mean just the thought.
Well, but it is a challenge, because you are affecting so many other people when you are taking away from the economy. That is a type of disruption. So, but the other thing too is the difference between espionage and warfare is really what the person's intent is, and it's really hard to judge intent. In fact, you could cause death by trying to do espionage and making a mistake.
Yeah, so to that point of causing death by, you know, by hitting espionage there or trying to do espionage, you know, we talk about intent a lot as we do incident response, and, you know, I'll share an example that we ran into, you know, where intent and impact were not identical, right?
You know, we saw an Oracle server fall over, which I guess is pretty normal for them. But we saw an Oracle server fall over that was part of an ERP, and they were in the middle of, or very end stage of, a very large bid that was literally going to keep this company alive. Or as this company is on the verge of, 5,000-plus people and getting ready literally to, they will be by the end of the year less than a thousand people if this bid doesn't go through, if they don't win this bid. And they're down to the end stages of getting this thing in, and their Oracle server that drives their ERP system, enterprise resource planning system, fell over, and they were just positive it was a competitor trying to take them out of the game, right? And then they found out that indeed the server was hacked, and then they were doubly certain that, that Oracle, it was definitely, they were trying to take them out of the game. And it ends up being that the attacker had been on there for months and amid siphoning data off, and specific to this bid. It was definitely corporate espionage. I said definitely, as definite as we can be, it appeared to be corporate espionage. But we were able to go back and track through some of the logs and see that the attacker was indeed doing queries to support that type of data, all right, so the type of data they would want to go steal for espionage points. When the server finally fell over, it's because the attacker executed a left inner join, exhausting lots of RAM, and if you've ever worked on an Oracle server, when you exhaust all the RAM, bad things happen. The ERP system, on the other hand, had guard rails, right?
So if you were querying through the ERP system, the actual middleware, or not the back-end tier, you couldn't do that, right? It had guard rails there. And they, from their access, had taken all the training wheels off, right, effectively. And we looked at the last query that was run, last query was ever run before we're rebuilding the server. But, well, 'cause, you know, those things fall over, integrity becomes an issue there too. And this was a very, very seismic event for the organization, and by the way, you know, for whatever it's worth, they did not win that bid. They absolutely lost that bid, and several thousand people wanted to work, right? And so that's a great example of an operation that began with an intent for espionage. Now, I kind of look at that, that one's a little bit weird, right, because had the espionage succeeded, the outcome would have been the same, right? So espionage versus the actual impact, right, the end-stage impact was ultimately the same. Those thousands of people lost jobs. But at the end of the day, I mean, it is definitely a great case of intent not aligning with impact, or impact not aligning with intent, right? So, sir, come on up to the mic, unless you want to be anonymous, in which case... Okay. Okay, well, there you go.
So one thing about these ethical questions, oftentimes we focus on intent and focus on our actual actions, decisions. But I'm old enough to remember back in the days when people were talking about nuclear war strategies, mm-hmm, that there is another factor here that we have to consider, and that is the perspective of the other side. If you conduct a successful espionage attack, and they were, espionage action, and they detect that, they may not interpret that as purely an espionage action, and then they may react in a way that will create larger downstream issues that you won't be able to control. And so I do think that that's an ethical dimension that has to be considered in these questions, because again, sometimes ethics
we think of more just about us internally, but not seeing those downstream impacts, particularly on the basis of the perspective of the targets.

Now, I like that. So if I can paraphrase here, what you're saying is that your intent probably matters less than the assessed intent of the victim. Yeah, I like that. That's definitely significant, right, because we've said from a US doctrine standpoint, very publicly, we've said that we would consider pre-positioning in the electric grid to be a catalyst for kinetic action, right? And we've been very public about that, right, that, you know, if Russia were to pre-posit... I mean, Russia, here I am. It's almost like I'm trying to drink polonium tea or something. But in any case, so we have, basically, if you've got this group, right, who's hacking the electric grid, looking to do something like that in Ukraine a stand... We've just flat-out said, right, if we see you positioning there, that itself would possibly be cause for kinetic action. And I think that's significant, right, because, you know, there's legitimate reasons you'd want to be in the same spots for purely espionage reasons, right, to understand, you know, how much electric power is going to one place or... that's really interesting. Hey, I mean, do you have any other, like, first-order examples of where that might... I know the power grid, it's the big one. I think of any other examples of places where that might go, right?
Your intent versus assessed intent?

A lot of military history, so I only think of it from those perspectives. And I do remember part of the issue in the nuclear war discussions was being very public about what your overall intent was and how you would react in a variety of scenarios, and then that would help reinforce the mutually assured destruction concept. And so I think that would have some parallels here, particularly where attribution is not always going to be a precise science and some of the impacts are not going to be life-threatening. We want to make sure we're clear about what the lines are before we, you know, institute a policy that might, you know, hurt other people down...

Yeah, so fascinatingly, thank you very much for that specifically, because fascinatingly, that's why I'm here actually, right, talking about this, is because we have not communicated about, you know, as we create an impact, right, by doing this attribution, we've not talked about it at a government level and projected at a government level like we used to. Again using the nuclear example, saying if x then y, right? We haven't done that here, and that's going to be a significant, I think it's going to be a significant issue going down the road. So we haven't communicated at a government policy level where we said, very, very publicly saying, if you do x, then this is the outcome, this is going to be, you know, basically that public outcome.

You just agree with that... You're saying... To be pained... And the systems are 1960s, '70s technology, and so your intent is to create espionage. You create a vulnerability for our, in getting new power grids, water treatment plants, whatever. When you, with your... we don't know your intent. But when you actually destroy the power grid in North Dakota and kill a hundred thousand of my civilians, I'm going to react with a whole-government approach. Even though you meant something for espionage reasons, we're going to do a kinetic and whole
government approach to this. So we have addressed these issues where it was meant to be espionage, but we realized second- and third-order effects are going to be something that's going to hurt our civilians, and we both agreed that we would guard how we do intellectual property espionage, how we do military targeting, those kind of things. And that was done just a few years ago.

Well, I don't disagree that it was done, obviously don't disagree that it was done in that very specific circumstance, and also in a more generic circumstance we've been very public about the fact that we won't tolerate intrusions into the grid. But I don't necessarily agree with the fact that, I think that we've more broadly... not the way that we have with... there are very clear lines. Like for instance, we know from a sovereignty perspective that if you bring a warship inside, you know, outside of international waters into US waters, that there's going to be a reaction, and that reaction has been very well telegraphed, what that's going to be. And I don't think we've done that to a larger extent with cyber. I just, I think we've done it in individual cases, right, and again, the grid is such a great example that, you know, you came back to that one as well. I think even on the intellectual property side, even though we telegraphed to China quite a bit, I don't know that that was a... I think it was a very, very specific, like, hey, let's tone it down a little bit kind of thing. But obviously if you're working incident response today, you're seeing Chinese actors still stealing intellectual property every day of the week, right? And so, yeah...

Chinese actor went to Belgium to steal military... Yeah... About sending that message, right, about the economic message.

So yeah, to that point, the one person thus far that has been arrested, charged, whatever, is the... well, arrested, I shouldn't say charged, because a lot of them have been charged. The one that's been arrested and extradited is a
gentleman in Belgium that was arrested in Belgium. It's a gentleman, the spy in Belgium, who was stealing military technology, right, who was ultimately arrested and extradited back. Right, yeah, absolutely. Ma'am?

I think we still need to think about the ethics of the trust in publishing, because of the potential of intentional misattribution and the fact that people don't always know what they don't know. And we're talking about the gold standard, potentially, of Five Eyes producing. But we need to consider: what is the ethics of a third-party country to take an action based on analysis when there might have been intentional misattribution, and is there secondary verification before acting? Which, I know now we're talking about the third party instead of the first versus the second, but I think it's critical that we contemplate that when we do our publishing. Does that make sense?

Yeah, totally. So yeah, absolutely. Yep, it's a good point.

So we kind of hit the: it matters what the intent was, but it also matters what the consequences of that intent were and how that intent was interpreted. And there's a third part to this kind of ethical triad here, and the third one is why. So if our intent was espionage and we ended up killing a hundred people, why did we do it? Did we do it in self-defense or did we do it as an act of aggression? Did we do it out of greed, or did we do it out of fear, or why did we do it? And so it's kind of a question for you and for the crowd: does that matter, or are we purely going to say, you know, it's a matter of the consequence?

Well, what if it was for incompetence? Ha. Then it would really depend what the consequences are, because, I mean, that certainly is a thing, right? I mean, certainly, and thank you very much for that, right, because the why question is something we really haven't talked about yet, right?
Was it for self-defense? And when you talk about self-defense, I think there's another critical thing to think about as well here. That's perceived self-defense, right? Your perception that you have to take this action to defend yourself obviously can change that game as well. Sir, please... ball means...

So you mentioned that we had stated a policy that if we found, you know, if we found Russia in our substations, that we would react. We didn't, because we found them in a hundred substations, as reported in the Wall Street Journal. So my question is: last year we had someone in here that was advocating for a United States-level hack-back policy to create a, how did he phrase it, the nuclear deterrent for hacking, and that we currently had no consequences for the countries that were attacking us regularly. So what are the ethical ramifications of that?

Well, so, that's a great... look, hacking back is something that comes up all the time, right? By far the best research has been done on this (thank you, by the way, for that, because it's a fascinating side of the discussion), by far the best publication or best research done on this topic really comes from the Naval Postgraduate School. They've done a lot of work, they've done a lot of public work. So it's classified... most of it is not. On that release, most of what I'm aware of is not, at least, basically on cyber attribution, cyber deterrence, right? And the thing that you will see consistently as we look at cyber deterrence is that people consistently will talk about the issues with attribution playing into the deterrence overall, right, because again, if your attribution isn't solid, you can't deter. Unlike, you know, somebody launches a missile, right, if we're coming back to the nuclear side and we're talking about basically a missile being launched at, you know, a foreign government... there's no... or foreign nation.
There's no question about where it came from. We have the technology at this point, right, to see where that missile was launched from. So I think that does play in hugely there. I think that our ability to do good attribution and have a good, confident attribution... I don't have a definition for what, quote, good confident attribution means, but at the point that we're ready to do that, I think that's where we can start getting into deterrence. Because you are right, we did find them in substations and then said, yeah, we're not gonna shoot, right, we're not gonna take kinetic action yet. I know we did a little bit of political posturing perhaps, but a little bit less there. Ultimately, I think, and then call this whatever it's worth, but the majority of those that they found them in were basically the end distribution substations, not the transmission substations. And so just, I'll try to stay out of the tech here for a second, but the difference in the two Ukraine attacks: Ukraine attack number one, that impacted a much smaller number of people, hit, I believe, if I remember correctly, 70 different transmission, or sorry, distribution substations, to the end, that basically distribute the power out to your businesses and factories and homes. And then the second attack, that hit a much, much larger number of people, hit transmission substations, right? And in fact they had written the malware, at least according to Dragos and ESET, had written that malware specifically to operate at the transmission substation layer, to talk those protocols. And again, we're talking about a higher level here.
That's where you see the big, you know, high-tension lines. And anyway, so it hit a much larger number of people, and I think that may have been the delta in our particular case. Well, I don't know, and I don't know ethically, right, if they're not in a position to create a monstrous impact, a monumental impact kind of thing, you know, does that change the ethics of it overall? And I don't know, at the end of the day. But that's such a great point. You know, we did say that we're gonna act. We didn't really act. But personally I wonder if the cop-out there for us was like, well, it wasn't transmission, so we're okay. I don't know. I don't know. But again, the two Ukraine attacks, that's what separated the two: distribution versus transmission, right? So I'll go and hop up to the next point. Would you have a thought, do you want to...? Okay. Hop up to the next point here. I'm actually gonna skip this one here, because it's an operator being killed. But we're, time-wise...
There's a couple of more important discussions that I'd like to have here rather than kind of a variation of the last scenario. And I'd like to... how appropriate. I'd love to talk about: the national power grid was impacted by cyber attack, power was interrupted, there was no loss of life directly attributed to the event. All right, so nobody at this point has been identified as having lost a life. But when we publish that cyber attribution, national leaders are gonna be boxed in to go to war, and they're gonna kill hundreds of thousands of people in the aggressing country. Ethically... well, we were going here no matter what, right? Ethically, where are we at on this, publishing an attribution where we know the impact is going to be an actual kinetic event where we are going to kill... and I intentionally throw up here a large number of people dying, right? And I think that's important, because when we go to war, we just don't know. All right, if you look at some of the FOIA reports, or some of the stuff that was FOIA'd, you know, going into the second Gulf War, we thought we were losing... I believe, if I remember correctly, the FOIA report that I saw, so they shipped more than 10,000 body bags over there, you know, for going into, basically going into our second Gulf War, right? Obviously that didn't happen. Thank goodness that didn't happen, right? But we were prepared for that, right, and that's not on the Iraqi side either. Obviously, if we suffered 10,000-plus casualties, you can imagine what that would have looked like on their side. Not that it was great for them and that they're living the dream over there now anyway. But again, you know, a separate issue there. If we're killing tens of thousands or hundreds of thousands of people, you know, if there was no loss of life on our side, are we, as an individual analyst...
And this is really where I'd like to kind of think about this for a second here: as an individual analyst, you know when you publish this attribution that you're killing people. We're gonna create a war. Let's say create a war: we're going to box our leaders in to go to war. Are you ethically... let's take a poll here, actually, before we get into the details of this. You know that by publishing this... you're confident in your attribution. Are you ethical or unethical in publishing your attribution if you know that people are going to die as a result, when nobody died in the precipitating event? What do we think, ethical or unethical? Individual analysts, are you ethically, are you ethically responsible? And yes, the unethicals have it here. If you said ethical, I'd love to hear your thought on the why. All right. Do you want to mic this and send to the mic as a hit the mic if you want to... Well, good, there you go.

So fire go into war is a team event, and, you know, sometimes... like, if you're not giving your national leaders, or whatever it is, your hierarchy, the best information possible, I don't think you're doing your job. And you know, at some point you have to have some faith that they're gonna make the right call. Yes, they might be boxed into going to war, but they might not. So why would you assume, necessarily, why would you have the arrogance, per se,
to assume that you know what's gonna happen down the road when you give that piece of information?

Well, I like that. You're just giving them a fact. It's up to them, the leadership. You know, the difference between a leadership and then you're just down the... like, your line people, is the leadership is required, their job is to figure out the future. Does the future mean going to the war? But they have to have accurate information to do that. And if you're not providing that, then you're not doing your job, and they might still go to war with the wrong information. Does that make that better? Against maybe the wrong people, doing the wrong things. And that doesn't make sense either.

External publication.

Yeah, yes, we're back to internal versus external communication. I think it does matter, and to that point, you could publish internally without publishing externally. I was assuming external publication here as well. Yeah, but I mean, particularly the boxing in, right, the public opinion is what would generally box that in, right? But I mean, it is a fascinating thought there, right: if you are not providing your leaders the best possible information, are they gonna, a, go to war anyway, go to war for the wrong reasons, go to war with the wrong people? Fundamentally, intelligence is a decision support service, right? Attribution of course is part of that decision support. Are we then not providing the... basically the folks are gonna make decisions, one, where inaction is a decision, right? And so as they talked about at the end of the last talk, inaction is a decision. All right, so if we don't act and we don't publish, are we then making the decision to give them bad information to make other bad decisions? Yeah, that's a great, great thought.
I... Yeah.

You don't... the only thing I'll add to that is, let's say that we didn't have their unmarked planes, and nobody knew, except for one guy, who attacked Pearl Harbor. Nobody died in this fictional Pearl Harbor, but it absolutely destroyed our base. No loss of life. But one person knew who did it. Would that person not be obligated to stand up and say, hey, it was Japan, everybody, or it was this person who ordered the attack? When you have damage to, especially, the national critical infrastructure or whatever it is, that's an act of war, whether anyone died or not. And that's why, to me, it doesn't matter whether your attribution was public or private. What you have there is an act of war, in my opinion.

So now, can I ask, before you move away from the mic: does it change if it's not an act of war?

I don't think there's such a thing as an attack on a national power grid not being an act of war.

Well, let's slide away from the power grid for a second, though. Like, if we had an attack on, let's say, manufacturing infrastructure. It's not critical for national defense, right, not directly, like building bombs. Let's say the Dixie sugar plant down in Savannah, Georgia gets taken offline. Nobody dies, but there's a huge financial impact to the area of Savannah, right, because sugar apparently is all they'd be drinking, the sweet tea. You know, do you... that's ridiculous. Anyway, so I'm from Georgia, by the way, so I can say that. But anyway, or maybe not, but does that change the game?

Well, I'm from Texas, and we have something called castle law, and I'm not personally very familiar with that.
I'm not personally a big proponent of it. So I think in this case, if you didn't have full understanding of the reasons why the attack happened (again, we talked about that), if you didn't have a full understanding of what the intent was, all you know is that there was an attack on a plant, I think that absolutely does matter and that your response should be different.

Okay, so if your response should be different, can I ask how? I... Don't put me on the spot here. If you don't answer, that's fine, too. I just, yeah, I don't have an answer for that. Good, good, very good question. I'm always looking for other opinions. That's why I ask, because I have thoughts on this as well.

But yes, but so I was leaning towards ethical, but I feel like there's not quite enough information to make the choice, which is: so you've postulated here killing hundreds of thousands in the war. Mm-hmm. Understand that's to add context, but you haven't given what happens if this attribution is not made and foreign policy continues, right? If we know that an adversary has now shown intent, what is the next thing they're gonna do that we would have prevented had we killed a hundred thousand here?

Yeah, no, that's a great question, right, and obviously that's one of the problems that we consistently run into here as we look at deterrence, right? If you don't act with deterrence, or if you don't counter an aggressive act today, what's the next aggressive act, right, by taking this out? Right, obviously, and you're right, because we can't postulate... or, I say we can't, we do all the time from a national security standpoint. But here in the scenario, it's very difficult to postulate that out. But you are, to that point, very, very correct. Any other thoughts on this? Sir?
So I actually couldn't decide ethical or unethical, because I think, you know, one slide is an insufficient amount of context. And one resource that is on my reading list that I haven't gotten to yet is the Tallinn Manual, which is now in its second revision. And how many people here are familiar with Tallinn?

Not enough. Yes, please. Yes, right, exactly.

So the Tallinn Manual was put together by a NATO-associated group, you could say. So many different NATO nations, including the US, contributed to this. It was people from the governments, from NGOs and from academia, across public policy, legal, technical, all contributed to it to address these exact sort of issues. And at what point does, you know, what's the line between cyber espionage and cyber war? How do cyber attacks fall into that, where, you know, the lines between cyber events, kinetic events, that sort of thing. And it provides sort of an overall doctrine for these exact sort of things. And I think to be able to make any sort... and ethics definitely plays into that very heavily. And so I think before trying to make a decision on that, I would want to be more informed by a framework like that to think about it.

Yep. Yeah, so to that point, if this is something that interests you, this kind of topic interests you, the Tallinn Manual is definitely a good read, although it is a thick... very dry. It is not an exciting read. It's doctrine, right? At the end of the day, doctrine is not exciting, right, unless you're a doctrine geek, in which case, whatever, right? But, sir?

So I think one of the things that, like, and maybe it's getting a little too much in the detail for this scenario, but, you know, in order to attack (and I think it is really an attack in this case) a national power grid and not kill anyone, no traffic lights were affected, no hospitals were affected...
That is an incredibly targeted, precise attack, to be able to show that you can take down a national power grid at that scale and not kill a single person. And I think that, to some extent, is more of a dangerous attack than killing people in a city because the traffic lights went out, you know, there's a car accident. And so that's showing that you have utmost control of their vital infrastructure, and perhaps even is more important to retaliate against.

I like that. So about Ukraine: so yes, it was, seriously, in both of the Ukraine attacks, nobody has cited... you know, Ukraine hasn't come out and said, hey, here's the death toll from either of these grid interruptions. It's not to argue that the proximate cause, right, you mentioned like a traffic light, right, a traffic light might have been the proximate, you know, or the power outage may have been the proximate cause of a death through that. But again, even there, Ukraine hasn't, you know, hasn't been public about any number of... I have a hard time, again, you know, in this scenario or theirs even, right, but I'm gonna roll with theirs and say that so far there's been, you know, basically no claim even that the deaths were caused there. And so it's a very interesting point there. And I think, to that, any thoughts about the Ukraine attack there?

And do you think, you know... I wonder, bring it back to the topic at hand, I wonder if it's an attribution issue, and, you know, the deaths weren't attributed that way because, you know, the lights went down, and so, well, the drivers should have responded correctly. You know, lights went down, you're supposed to turn, you know, always stops, now their fault, but was it their fault? You know, are we attributing the deaths there to that cyber attack, or are we falling back and saying, well...
We don't know how to attribute this anymore. You know, maybe it's an attribution problem there.

Yeah, I mean, look, I do a good deal of expert witness work, and I'm not a lawyer, but I'll mention there's a term called proximate cause, right? So for instance, I spilled my soda on you, and you ran over to your hotel room, crossing the street so that you could, you know, change, and you got run over by a car. All right, you wouldn't have run across the street if you weren't soaking wet with soda, and so, legally, the proximate cause of your death, right, is me spilling soda on you. And so from an attribution side, though, right, the cause of death on the coroner certificate, it's gonna be like, he got run over by a car. All right, but the proximate cause might be different there, right? So misattribution versus... right, that's a really great kind of point there. Right, we were not doing a good proximate-cause-level analysis of some of these deaths, I suspect, or impacts.

It's the same thing with the you... there's been zero... yep... all of the surgery that would take place, people they get picked up to go to the emergency thing. There's been any assessments that at all, and that's... we're talking Ukraine as an Eastern European country, they're, you know, what's above level of sticks and fire. We're talking about a British national government. It has, you know, that's a very modern... Yeah.

Yeah, so to memorialize that, basically WannaCry is what we're talking about here. You know, the WannaCry attacks, obviously NHS got taken down in the UK. There's been zero attribution of death there either, and clearly the reporting infrastructure to do it... they haven't been willing either, based on people that didn't get picked up to go to the hospital, surgeries that didn't happen, diagnoses, etc. Nobody's labeled it there either. And so, yeah, I think it just solidifies the point: we're doing a bad job of proximate-cause-level analysis. Sir?

So I apologize.
I missed the first half of your talk, but I see you're okay given this scenario that you're an analyst of some kind, if you're doing this kind of work, right? So in my mind, I would even go so far as to say, not only are you ethically bound to do the attribution, I'd say you're unethical if you don't, because the whole point of what you're doing is finding attribution and reporting it. That's the whole point.

Yes, so that's a great point there, right? So you took the job, you signed up to do the job, right? If you aren't doing your job, are you ethical? Are you acting ethically, right? And I have big feels about that, really big feels about that, definitely.

I've got to counter the argument a little bit. So how about you take the exact opposite view: you were contracted to do it for a private agency, and they told you don't release it. And you were contracted, and now you've got the attribution. So wait a minute, if we're gonna play the whole you're-bound-to-release-it, I happen to agree with you personally. But if you're bound to release it, what if you're bound not to release, and then you leak it, and then you have whistleblower laws and all that. Attribution, proximate cause, don't come back to your core question of, is it okay for me to cause something that kills a bunch of people? I generally prefer not to kill a bunch of people, but if those bunch of people are gonna kill me, I'm gonna shoot them first. Castle law do worry... So that's... and just transparency, I came here because I can't answer these questions. I enjoy the conversation, and I thank you for adding this to the DEF CON type world. I have to go, but I'm really enjoying it. I appreciate it.

Thank you. I want to say thank you on the way out. I appreciate that. And hey, to that point, right, you know, kind of coming back on... man, that was deep, but awesome, man. So, but yeah, coming back to that point though, right?
We talked about the, if you don't do the attribution, earlier, kind of what's the next-order effect? I believe it was you that brought that up there, right? What do they do next, right? And so, you know, this is something that I think in the forensic side we deal with all the time on, you know, criminal acts, right, where there are a very limited subset of criminal actions that you have to report, and everything else you probably are not... well, probably not, nothing... you are legally not required to report, but ethically maybe should or shouldn't, depending on who's paying the bill, right, and what their concerns are and the whole... And I'll tell you that regularly I do forensics cases where I see evidence of crime that we don't report. That could be a whole separate discussion down the way there. And what's that? Out of scope. Out of scope, but I think it's very related though, right, because particularly here, when you're talking about a contract type thing where somebody says, yeah, you know, bury that because it could kill somebody, or they say publish it because it's your job, all right, and then you say I'm not going to publish it because... I think it's easier on the bury versus leak side, right, because some organization can bury. But I think it's a great topic, great thing to think about. Sir?

I had an idea. I used to work in the restaurant business, and a lot of times people would crack their teeth on something they ate, whether it be a bone or sometimes a foreign object that had gotten into the food, and then they would threaten to sue us. But we did some research and we found out that nine times out of ten, or even greater than that, the cases would be thrown out, because it would be decided that if the tooth was going to be broken by that, then it was very likely that it was going to be broken anyway. Right, and I think that by analogy we could argue that a similar case is here, that these events don't happen in a vacuum, and that my
reporting things does not actually instigate this war. It's that we're at the tipping point, where this is just one straw on a camel's back. Sorry to mix analogies, but, you know, like, at what point do we just decide, you know, we're not putting straws on camels anymore, because, you know, eventually one of them might break somebody's back?

So that's a great... that's a good one. I was unaware of the issue with the restaurant business thing. I did chip a tooth, actually, at a... I don't know if I'm legally allowed to say where. I don't think I am. I chipped a tooth at a major chain when they had a broken dish, actually, you know, a broken piece of dishware there in the piece, and they just immediately settled with me. That was it, right, and they cut me a check and called it a day. But I didn't think about the fact that, you know, again, if that tooth broke there, it was probably gonna break eventually anyway. That's fascinating, right? And here I do agree with you, right: if this is literally the straw that breaks the camel's back, then we are already at a tipping point, right? And yeah, that's a great point. No question.

Well, it is a big straw.

There's no... and I intentionally, look, I'll be the first to tell you, I intentionally threw this up here for that reason, right? Because I think it's easier to start... I mean, when we start talking about ethical norms, and what are our ethical norms, as well as what should our national, right, international ethical norms be around this,
I think it helps to start with those big straws, right, because, you know, it separates the is-this-a-big-deal from the what-should-we-do-about-it, knowing that it's a big deal. All right, so when possible, when I'm doing analysis, I try to separate those into binary conditions, right? And so here again, by throwing such a big straw out here, I think it's important then that we can have the discussion without focusing on, is the power grid a big deal? I don't think anybody here's willing to stand up and be like, you know, is the power grid a big deal? Right, I don't think... I'm he's flashing black on the back side. We're like, no, no, not a big deal, heck with it, let him burn it to the ground, right? So it's very intentional that we start with that. But that's why it was definitely an intentional decision. Sir?

I'm actually reminded of the 1983 incident with Stanislav Petrov, who is actually a lieutenant colonel in a submarine, which is under the case of how confident must we be in the attribution. And he was ordered to fire nuclear weapons upon US soil, because the submarine had picked up information that the United States had launched a nuclear attack upon them, and he, like, did not do this, and he did not start World War III because of his inaction, even though it was his obligation, his duty, and a direct order, and he faced a court-martial. So I think that, like, you need to have supreme confidence in your attribution, and even then you need to actually realize what the long-term loss of life of your actions would be, right? Because even though it is a 100,000 in your first incident, the escalation of that and the geopolitical environment that it creates could cause, like, ramifications that go down, like, for hundreds of years.

Yeah, I don't disagree with that, although if you'll stay at the mic for a second here, on that attribution side, right, you know, you talk about confidence here. He wasn't confident.
It's, that's been well-published, and it's a phenomenal analogy, and I wish I thought of it myself, actually, but the phenomenal analogy, seriously. He didn't, though. It's well public that he had experienced multiple other, basically multiple other malfunctions of his equipment, and the equipment that was basically the reason that they sent him the order to fire, right? And he'd experienced multiple other issues there. In fact, I don't know if you've read The Dead Hand or know about the Dead Hand system, but Russia basically built a system in case of massive nuclear war that knocked out their communications and knocked out everything else, that would still fire their weapons regardless, right? And so they called it the Dead Hand system. Basically, if they weren't continuously getting a ping, if there was nobody basically coming back and saying, "Yep, we're still alive, we're still alive, don't fire, don't fire," they were gonna fire. All right, and several times they had systems around that that detected launches, right, from the US, launching basically over the North Pole, and several other operators decided, based on, you know, confidence in their data, not to fire. And I'm curious, from a cyber standpoint, right, what do you think the parallel is there, right? So in having that lack of confidence in data?
I
think, like, there's a large amount of certainty in the, like, confidence of data in modern day, which is why, like, the Petrov example isn't totally analogous. But I think it's also easy to falsify attribution of an attacker and, like, basically say, "Oh, the Russians stole our election," when it was the Chinese, or "the Chinese are interfering," when it was actually Russian influences. And I think the ability to falsify that information, which has become so easy, does kind of hurt the ability to attribute attacks to a certain extent, if the attacker is extremely experienced and if that's their direct intent: the attack isn't, but the attribution misalignment is.
Yeah, that's a great, great point. I would partially argue for a moment, just kind of devil's advocate, right? You know, you said that it's not totally analogous to the 1983 Petrov situation because our data is better, right, but then simultaneously said that, you know, basically that the misattribution, intentional misattribution, is a big deal. We also have systems that, you know, routinely malfunction, right, and, you know, fail to provide data. So very often it's a scenario where it's not a question of "is the data itself accurate," right? Very often we say, "Hey, I detected this on system A, and if this other condition doesn't exist on system B, then," right, you know, basically, if one and not the other, then it's a true positive, right? But if system B is malfunctioned, right, and simply isn't providing that data, right, then what appears to be a true positive is not really, right? And so this is an area I run into a lot with incident response, right? Where a particular system simply isn't collecting and people make bad judgments based on the unavailability of data, right, where they don't even realize the data isn't there. So I'd, I've been just to know like yours. You know, have you experienced that, or what your thoughts are around that?
I don't have much experience on, like, data attribution, so I can't really speak to it to the level that you can. But in instances where you, like, can't attribute properly in that manner, being aware of that and just, like, staying your hand would probably be the best recourse.
I can't disagree with that at all. I 100% right to know what your data is telling you, stay your hand. Awesome. Thank you so much. I appreciate it.
I think to that point, it's, you know, everyone in the room that knows your background is, you know, pretty telling. You get up in front of the room and numerous times today you've gone, "Well, you're never 100% confident," and you're someone with your sort of background saying that. I think that's very telling that, well, gee, if someone who's highly experienced is never 100% confident in the attribution, that's probably not, it should never be the tipping point to war. You know, at most it's, you know, I think realistically what we would see, you know, at least in the US, is this would push some further action, some further intelligence, whatever, that's like, "Okay, well, we're pretty sure we know who it is, so we're going to go off and do some targeted action to confirm that," before it escalated to this level.
Yeah, so taking smaller scale actions instead of escalating to the level of war. Yeah, a hundred percent behind you on that.
Multiple sources of intelligence on a single event before moving forward with any public, with it, before moving forward public attribution.
Yeah, although I'm going to devil's advocate you here and point out that even private attribution, or lack thereof, can have a significant impact on foreign policy and actions taken.
So absolutely agreed. However, I think it is a personal responsibility to determine if you want to work in an organization where private attribution, within, you know, that's being only shared in a certain element, if it is acted on unilaterally without corroborating sources, based on level of confidence and whether or not all-source analysis using multiple sources happening before attribution. That is an ethical choice, whether or not you want to work in an organization would make a decision based on one unilateral piece of digital evidence which could have absolutely been misattributed.
Preach. I love it. Seriously, like, that more than anything else, I mean, that's really something that wanted to talk about, wanted to get across today, right? Is that when you work in, right, when you work in cyber threat intelligence, right, and I think it's difficult to know whether or not, you know, to your scenario, whether or not you're working in an organization where when you publish this, this will be the outcome, right? A single piece of private reporting. There's some faith there and some, and definitely situational, right? You may think that would never happen, and of course the reality is we know, actually, that the national intelligence estimate, right, the annual national intelligence estimate, draws routinely from, because this is widely public, it's widely open, the national intelligence estimate pulls from vendor reports. All right, and we know this, and so as you as a vendor, both private and public vendor reports, right?
And so a private meaning, of course, you know, private to a very small circle, but does pull from that, right? And then policymakers do make assessments based on that. One of my goals today was to get people thinking about, do you want to be involved personally in CTI in the first place? Right, because what you do, the attributions that you make, absolutely impact people's lives and in some cases end them, right? Realistically, in some cases end them, right? And you may be okay with that and you may not be, and a lot of people getting into CTI are not thinking about that as part of their decision. And I would throw out there, one of my goals at least was to walk away hopefully having started a conversation about when should we be doing attribution? What are you personally comfortable with? Is this something that you want to, yeah, that you want to do? Anyway, sir?
I think one part of this that's missing is we're not mature in the way we think of proportionate response, especially combining cyber kinetics, and I don't have an answer, but it bothers me.
Yeah, so proportionate response, actually, to this gentleman's point, the Tallinn Manual actually tries to address that. Tries. I don't think they have an answer either, but to your point, that's incredibly profound, right? What is a proportionate response, you know, for cyber versus kinetic, right? When we move out of the cyber world into the kinetic side, it's tough to know what the proportionate response is, right? To this other gentleman's point, though, right, if you don't respond, you know, what is that next impact going to be, right? We already know that you've got somebody with an intent to impact our group, with an intent to impact. How does that change the game?
So yeah, love it, love it. So want to kick over another scenario here. Ten minutes? Tell you what, I'm gonna flip forward to here and talk about, does the attributed nation impact the ethics here? And this is, probably will close on this one here. And this is, we're looking at attribution here. Sanctions are gonna be levied against the country, and I'm just gonna use the Russia example here, right? Russia only because, and by the way, if you're Russian, I don't dislike you or anything. I just dislike the Russian government. We're good there. But look, you know, if it's Russia, who's generally an unfriendly country, considered by most, right, versus, let's say, France, which is generally a friendly country, you know, considered by most, or at least considered by most to be friendly, do we care here about the loss of, basically loss of jobs here in the US, right? So I'm making this very US-centric, right? And if you're not from the US, substitute that back here. So if we publish the attribution, right, so let's say here, you know, basically, we were ready to publish the attribution, we're set. One minute we thought it was Russia, we're gonna publish publicly, and then new data comes to light that says no, that's definitely France, and that's gonna impact, let's say, thousands of jobs here in the US and ultimately cause a financial and personal strike for people here. Does the country that we're naming, and possibly as a result, obviously the concern back to, you know, certainly the impact back to us domestically, how does that change our ethical requirements in attribution?
I'm gonna speak to this one.
Yeah, that's tough, right? It's intentionally tough, right?
But I have thoughts here too, by the way, and then, go ahead first.
Jobs in this instance are secondary to me to diplomatic relationships and other operations that may be taking place amongst nations, more diplomatic relationships. If you were to put this as diplomatic relationships, I'd say yes. If you consider this jobs, I honestly think it's just a really, really, really gray line.
So it's a really gray line if it's jobs, but you think it's more black and white if it's policy, if it's international policy?
International policy, war, things like that, I feel that, yeah, that it's a little more black and white. Absolutely.
Well, I think here, and I don't disagree with you, but I think here what we're looking at is sanctions being levied, which of course are diplomatic, right, but the ultimate outcome is, sanctions themselves are diplomatic, so does the fact there's a diplomatic, what's both. Yeah, I get it. Yeah.
Whoo, that's tough. This is a really, really, really tough one. Because do I think that the country matters? Absolutely. Do I think it matters who it affects? Everyone's going to have their own national interests, so absolutely. Do I think it's different if you're a global organization? You've got to look at the impact to the organization that's doing the release and what countries they deal with, work in, et cetera, and their entire playing field. If we're talking about an individual organization vendor report, that's going to play into it. If we're dealing directly with a nation, their allegiances and other relations may play into it, and I don't think it's as simple as just a loss of jobs. If I'm going to play live in a scenario and Jessica, it's just a matter of jobs, and country A, country B, your country's going to lose jobs, have a different economic impact view on jobs than I do on human life, and I hold those in different regards. I tend to care.
I tend to think that it depends on how, in the US there are some safety that's maybe not for medical where those are at the ethical discussions we're having. But I think I'm a little more comfortable with it with jobs than things that would affect diplomatic relations.
Hey, fair enough. I can't disagree with that. So yeah, in this particular scenario it's really difficult to separate the two right now, you know, the diplomatic from the, you know, from the personal side. I'm fascinated to hear your thoughts as well here. Again, you know, you step up to the mic to make sure we're going.
As with war, you know, levying sanctions is a team effort. So it's not like this is gonna, you know, a single attribution is not going to necessarily cause that to happen, this. Sure, but again, but the other problem is, of course, you've mentioned France, and these, that's filled with a bunch of cheese-eating surrender monkeys.
Okay, well, now, now hold on. Just for those that don't know, France has a very active computer network exploitation program and a very, very active industrial espionage program, and they were chosen for, seriously, they were chosen as a friendly country that steals lots of intellectual property. I didn't pick France out of a bag here and be like, "Hey, let's grab another." They're considered generally friendly, a lot of folks. So they have an active economic espionage program. They do, right? And they're on par with China. They're just better at it. All right, so I mean, I don't know what else to say other than, you know, but I think to your point there, I mean, they're not necessarily, you're right. This is a team sport. I do disagree, though.
Well, I think that a single attribution is unlikely to take us to war, or less likely to take us to war. I think it is much more likely to create sanctions that themselves will have a predictable impact on US jobs.
Gotcha. Right, so you're saying that it's not a single person implementing sanctions as a result of Congress versus a, right, but of course acting on your, acting on your analysis, potentially. Wait, that's true. But again, you know, I don't think, you know, levying sanctions is a major diplomatic event, and so that is something that, you know, you have to mobilize the whole government to perform that. Yeah, and it's really unlikely that that single attribution is really going to do that. I don't think, you know, when the US went to war with Germany in the First World War, it was like a long line of things that Germany had to do to eventually drive America to declare war. So just like that, it's not gonna happen immediately.
Fair enough. Yep, sir?
So since I like to say things that rile people: when it comes to the business impact of thousands of people losing their jobs, there's scholarly articles written about how that increases suicide in the individual and their children, breaks up families, and so death is written right across there in my mind. One of the things that we keep talking about, if we break this down in the five ethical working theories, we have a few of the general ethics that are fighting against each other. That's why we're talking about it. But the reason why we try to associate a value to certain things such as life is because a couple of the workable ethical theories actually weigh the pros and the cons, right? So, but really what we're talking about is, how confident am I, am I lying? So having a high level of confidence, but it should not play at all what country it is.
Okay, except for there are a few workable ethical theories that will let you weigh that in, but then you'd have to be thinking very myopically. So, so, so is it ethical for a country to think about only their things and not about how it affects others? And actually there is some, the ethical discussions around that, but, but we shouldn't,
Mike, we're losing the mic here. Yeah, you will please come up to the mic. Thanks. And even in the scenario here, I was looking at basically your attribution causing job loss at home, not in the foreign country itself, right? Although that'd certainly be another ethical discussion that we could have separately. It's a little bit harder to, you know, to think about that in terms of away from home.
So there are five workable ethical theories and that plays into two of them. Yes. So of the, and the two of them that it plays into, one of them is the one that it's okay to kill people at a certain circumstances.
Yeah, no, I think the big thing I took away from this, by the way, though, and I love the point, is that economic damage isn't just economic damage, that when we look at it like that, it's a very myopic view, and I don't disagree with that at all. Yeah, maybe some of us intentionally look at economic views as, our economic damage is only economic damage, and we have to cognitive dissonance, right, to allow us to look in the mirror every day and go to work.
And even sanctions is a pretty broad spectrum there, that, I mean, it could be, you know, everything from, "Oh, just a little, okay, maybe a couple jobs are lost," to, "Oh, we've got an entire trade war and entire industries need to be bailed out," and that sort of thing. And I mean, the important point that should be brought up here is with the APT1 report, that it wasn't government sanctions, but Google actively, in response to Mandiant's investigation, said, "We are rolling back what we are going to be doing in China," and that did definitely have economic impact on a US corporation, but quite
frankly Google ain't doing so bad today.
Awesome. Hey, I think that's where we're gonna cut it out here. Shane gave me the five minute to go and then the one minute to go signal here. I greatly appreciate it. Thank you.
I will give you the last word. But I did want to say that someone mentioned earlier that it's unlikely that we're going to come up with an axiomatic or a programmatic way to come to these decisions. There's not going to be any algorithm that we're able to tick a bunch of boxes and then here's the outcome. But I think that being the case, that's the reason why we created this village, was because we need to start finding out what the kind of questions are that we do need to be asking, and so, because we have to make these decisions, right, and as people we need to know, like, what the questions are. So I want to thank everyone for being here and for contributing to the conversation, and especially Jake, thank you for coming and asking these great questions.
Yeah, no, and hey, thank you so much for putting this together. Again, I don't have the answers here either, right? I mean, I have opinions on everything out here. I'm pretty vocal, and a lot of those opinions, if you follow me on Twitter or reblogs or publications and whatnot where I contribute to, but, you know, to that point, right?
I'm positive I'm not right about everything either, and I appreciate the Ethics Village for setting this up and giving us this opportunity to discuss this. Because while we're not going to create an axiomatic framework, I think this works a lot like tabletops, right, for incident response. When we go in and do a tabletop, for instance, we can't possibly work through all of the possible incident response scenarios and how we're going to deal with each one of those. We do tabletops as generalizations to say, "Hey, here's how we react to this type of thing," right? And I think we have discussions like this, we can start to build scenarios out where at least it's predictable what our response is going to be given a particular set of inputs, and I think that without that it's a very, very difficult thing for us to do. And as we build those out, I think it's important, of course, obviously, to consider the ethics of that, right? And so I'll break here. By the way, I'll mention, if you want some, we, we played off isn't completely ethically whatever, but I forgot to take the second bag of this to whose slide it last night. You may remember, and I don't know the ethics of selling your gamer bathwater are, but this gamer on Twitter was selling bathwater, her bathwater, for like 30 bucks, and that created a big stink, and I made a joke about, well, what I would do instead is sell hacker urine, and basically you could spray that on your servers, right?
And it would mark your territory so other hackers wouldn't come compromise your systems. And then one of the folks who works for me, who, yeah, anyway, he went and bought a bunch of little perfume bottles here, way too many of these, and filled them with food coloring. I'm assured that it's only food coloring, right? But it is hacker urine protector servers, and it says "now stops pandas," or "now repels pandas," excuse me. So if you have a Chinese thought, so if you want one of these as a memento, I need to get rid of these, because I don't want to carry around another 60 vials of hacker urine for the next, anyway. Appreciate everybody coming out. Thanks.