Thanks everybody for being here with us today. We're thrilled to be doing this great panel here at DEFCON with the ICS Village. Thanks to Bryson Bort for inviting us to do this. My name is Jamil Jaffer. I'm the founder and executive director of the National Security Institute at George Mason University's Antonin Scalia Law School. We're thrilled again to be here and talking today about the topic, "Your Infrastructure Is Encrypted: Protecting Critical Infrastructure from Ransomware," and we have a terrific panel of folks with us today, sort of going around the horn from my left to right.

We've got Jen DeTrani, the general counsel at Nisos, the managed intelligence company helping enterprises identify adversaries and related threats. Jen has volunteered at DEFCON every year for a number of years. She's been a federal prosecutor, she's run a solo law practice, and she's worked at a top law firm practicing commercial law. When she's been at DEFCON, she's been teaching kids how to be white-hat hackers through a nonprofit. She's been a member of the executive leadership team at Sun Law, a nonprofit organization dedicated to helping advance female in-house counsel. She's a graduate of Dartmouth College and Michigan Law School, and she grew up in the DC area, but she calls Southern California her home now. So, Jen, thanks for being here with us.

We also have Ernie Bio. Ernie is an investor with Forgepoint Capital. He previously served as the Chief Operating Officer for the Defense Innovation Unit at DOD, a government startup in Silicon Valley. He's a board member of Huntress Labs and a board observer at Bishop Fox, NowSecure and Bayshore Networks. He has an MBA from NYU Stern School and a BS in cellular and molecular biology from Loyola University. So, we're thrilled to have you here, Ernie. He's an avid surfer and guitarist and a music enthusiast too. So, keep an eye out for that.

And last but certainly not least, we have David Etue, a good friend of mine.
He's the Chief Executive Officer at Nisos. He's got 20 years of experience at early-stage and mature companies. He previously served as the Global Head of Managed Security Services at BlueVoyant and the VP of Managed Services at Rapid7. He was the VP of BD at Gemalto, and he also led the Cybertree Enterprise at PRTM, which is now part of PwC. He's had a number of other awesome positions. He's also a certified information privacy professional, a certified CISO, and a graduate of GE's Information Management Leadership Program. So, David, great to have you here with us also. So, folks, we've got a great panel, and off we go to the races.

So, I'll start with you, Jen. So, you know, we've heard a lot about ransomware in the last few weeks and months. We've seen the attack on the Colonial Pipeline. We've seen the attack on Kaseya. We've seen a variety of things, JBS, the meat packer. And we've seen the Biden administration do a number of big things, including now two executive orders in a row. Talk to us about what those executive orders do. You know, you're a lawyer, or maybe a recovering lawyer at some point. Talk to us about whether those executive orders are gonna be effective at helping protect the nation from ransomware. And if they're not, what are they doing that's helpful, and what more needs to be done?

Yeah, great question. And thanks for having me, and also thanks to ICS for having us. This is a great panel. So, yeah, I think what's interesting is that we're seeing a lot of leaning into the situation from that level. And that is very, very different than what we've seen in the past. I know in the past, we've looked at things in a task force manner. Here, we're seeing DHS actually kind of pushing through in a manner of sprints. And these sprints are really meant to address issues that are topical. They're not going to kind of get to the bottom of every issue, but they're forcing the industry to look at things kind of in a cadence.
Recently, we've seen the ransomware sprint that came out; that was April and May. But right now, I think we're in the industrial control systems sprint. And that is a very critical one because, as we saw with the Colonial Pipeline, it is very important that we protect the country against any sort of infrastructure being shut down. And that's where I think this panel has some great topics ahead of it, because we're looking at how, it's a public-private collaboration, I think, that is very novel in this approach. As somebody who's kind of practiced in both areas, I think it's really heartening to see that sense of collaboration. It's always been there, right? With law enforcement, there's kind of a sense of poking around to see who's friendly. Now I think what these executive orders are doing is basically saying start talking, right? And so with this sense that zero trust is gonna be the overarching theme of private and public sector, and with some definitive controls around trying to require two-factor or multi-factor identification, trying to segment out networks, there is a sense that both private and public sector are meant to get better with this approach. And it's kind of fun to watch.

Yeah. So David, you've been doing some of this stuff operationally, right? Back in the past in your time at Rapid7 and BlueVoyant, talk to us about some of the operational issues you should be thinking about in the context of what happened with Colonial Pipeline, what happened with JBS, what happened with Kaseya, right? And then these executive orders and sort of, Jen's obviously told us about the fact that we're looking, at least the government's gonna move to zero trust. I think the plan is talking about moving to zero trust, right? Is that the answer? Is that the solution, right? Is it one of the pieces of it? Or is it the right direction and it's so great, and how can we do more?
If not, what would you be doing from an operational perspective if you were running the show today?

Well, first I think one of the challenges we have to step back and realize is that we've accrued 20-plus years of technical debt in our time on the internet. And I haven't seen anything from the private sector or public sector that's gonna pay down that debt overnight. And so I think the first acknowledgement is that we're working from a deprecated position. And I think what's been challenging about ransomware is that we've always thought about critical infrastructure from the perspective of state-sponsored actors, of what happens if there were a combination of cyber and kinetic action where a state actor wanted to disrupt our infrastructure, either as part of an overall kinetic war or for economic reasons. We didn't really think about the financially motivated actors and the components that come with that. So I think the difference between the state actors and the financially motivated actors is, for the financially motivated actors, a lot of the basic blocking and tackling stuff does start to make a difference. So that does raise the bar. So segmentation, two-factor authentication. I do think there is some degree of hygiene that we either have to figure out how to motivate, and whether that's motivation through, I think we too often fall to the regulatory stick of, like, well, someone should get a rule that you must do these things. Perhaps there's other ways to drive the carrot to motivate folks, or, one of the things hopefully I'll tell you about later is, I'm kind of bullish that the insurance industry can have a role in helping us fix things here, because if you don't hit a base level of capability, if the stairs you're building aren't safe, you can't get insurance. And there's no point where that comes out.
So I do think on the operational side, we have some basic blocking and tackling to get done, and whether that's not exposing, not running five-year-old versions of Microsoft Exchange that have been out of maintenance for five years, or two-factor authentication, network segmentation, some basic data security. I think those will go a long way. But I think we have to acknowledge that there's this tech debt that's built up that we're not gonna pay down overnight. And how do we motivate folks to do that and get the right solutions in place? I spent a lot of time running security operations centers serving small and medium-sized clients, at least getting them to a point where they can detect and respond in a faster period. And that's, again, given what's out there, that's not a simple solution overnight. But I think we've got some good things making progress in some of the recommendations.

So Ernie, it's crazy, both Jen and David have talked about two-factor, or multi-factor, authentication as being sort of one of the things that's being pushed now. It's kind of crazy that here we are in 2021 and we're still talking about multi-factor authentication. It strikes me as nutty, but you have a unique perspective, right? At Forgepoint Capital, and full disclosure, Forgepoint Capital is an investor in a company that I work for, IronNet Cybersecurity. But at Forgepoint Capital, you help run one of the largest, or the largest, cybersecurity-specific fund in the world. Talk to us about, so you're looking across all these sort of, all these potential investments. Talk to us about what the right plays are right now. Like, what are the game-changing plays that you all see in cybersecurity? What are the sort of the hot ideas out there? Zero trust is one that's obviously, that we've already talked about briefly, that we mentioned. Tell us if there's some ideas that you're looking at, you all are looking at in that space. Obviously, IronNet does collective defense, right? That's an interesting idea.
What are the hot ideas in your mind out there, as you look across the spectrum, when it comes to grappling with this sort of ransomware? And a related question, given your experience at DIU and bringing that to bear at Forgepoint: is ransomware sort of a unique thing that we need to be focused on specifically, or is it just a component of this larger trend of malware coming from nation-state and non-nation-state actors?

Yeah, no, great, great question. To answer your second question, it's just a continual evolution of malware, and from an investing standpoint, we kind of look at it from, think of it as continuous attack surface testing as well as XDR, extended detection and response. And we look at it from an investment standpoint, network. So how do we restrict lateral movement? So you mentioned IronNet, but there's the network piece, there's the email protection piece, there's DLP, hopefully next-gen DLP is what we're looking at, not the DLP that serves 1% of the market, threat intel, on the endpoint side, obviously you have the EDR players, the CrowdStrikes out there. You also have smaller companies, you mentioned Huntress, or I'm on the board of Huntress, they do MDR for the SMB. The SMB has been a ripe target for ransomware because they have MSPs who are their IT service providers; they don't have the sophistication, the cyber talent, nor the budget. So how do we defend them? How do we leverage deception, privileged access management, and then moving left, app security testing. So everything from traditional SAST to SCA to DAST, fuzzing, you name it. And then the other piece is identity. We've made a lot of investments in identity, as I'm sure Dave and Jen can attest to; there's a lot of debt there, there's a lot of legacy. So how do we start thinking about monitoring entitlements? How do we manage identities across multi-cloud? How do we potentially use passwordless authentication, identity proofing, and then obviously MFA should be table stakes.
So that's kind of how we're looking. There's no silver bullet; it's this composite solution, which will hopefully get your cyber hygiene up.

Yeah, yeah. So Jen, one of the issues that's come up in this conversation is this is just cyber hygiene, and the need to sort of get better at the basics. We've all talked about that for a long time, the need to just sort of get that bottom level protection up, so that you're making the attackers work that much harder. And one of the ideas that David put on the table was this idea of insurance, that somehow insurance might be able to help us raise the bar on cybersecurity. But a lot of people in Washington DC, or I think at least a couple of us live, David, I know, lives down the street from me, in the Washington DC metro area. In DC a lot of the talk is regulate, or, as David put on the table, that we need some sort of government intervention, or maybe if we just pass enough laws, or we get the FTC or the FCC involved, it'll solve everything. But this idea of insurance I think is interesting to me. Do you have a sense of how insurance might sort of come to bear on this problem? And in particular, can insurance help us get better at the cyber hygiene piece, and can it do more than that?

Yeah, I think so, I think so. I mean, David and I don't have any skin in the game, but this is something we've averaged over time. But I mean, just like getting good drivers out on the roads, right? Like, there's a concept that you've got to have a vehicle that meets a certain standard, and a driver that's at a certain competency. Like, that is who you will insure to drive. Same with the insurance industry as it relates to companies, right? Like, you've got people sitting on data that doesn't belong to them. And so how are they gonna be the responsible stewards of that data, right? How are they gonna ensure that these SMBs who have a hard time scaling up have the appropriate security measures in place?
I think it's all about standardization and compliance. Those insurance companies can push requirements down on companies to get them compliant in a way that the government won't be able to, right? It's a matter of doing business. And so I think, you know, we've seen some insurance companies who are kind of pushing towards that, but that standardization, I think, will come from that, from that lateral movement into industries, because they need insurance. No company is gonna operate without that. And so if you get that, you're gonna have to level up. And I think that leveling up is what a lot of us are here to talk about today, which is more than just, you know, those few things. There's so many things. We can't even describe them all. But I mean, even like the cloud migration, I mean, we talk about, you know, at Nisos, we talk about the fact that, like, if the CIA can get, you know, everything up in the cloud...

Right. And their classified, right? It's pretty amazing.

Yeah, they had a hard time. So, like, so, I think it's just a matter of shifting the mindset around all of that stuff. And a lot of that is gonna be kind of pushed down again. Maybe it's partially legislation. Maybe it's partially from, you know, the folks who help businesses run, like insurance companies. But I think it's a, I think it's a team sport.

Yeah. So Ernie, from an investing perspective, sorry, David, do you have something to weigh in there?

I'm sorry. Go ahead. Go ahead. That was me.

Oh yeah. Mr. Ernie, so from a, you know, from an investing perspective, how do you see, sort of, one, the insurance marketplace and that driving cybersecurity? How do you see actually the venture investing space? One of the things I've always wondered about is, how come the venture investors aren't saying to their companies, hey, look, you need to protect your own assets. Literally all we're investing in is your IP. If that's not well defended, you know, we're SOL, right?
Help me understand sort of, you know, what are the right players? Are there plays in the insurance space? Are there plays in the investing space? And if yes or no to those, do we need legislation? Do we need regulation? Like what, you know, sitting down there in Silicon Valley, I know the general view is, you know, government can stay out of there. That's great. And I think that's generally been how it's happened. But there is a push now for the government to get more involved in what's happening in the Valley. How do you see that? And then what's your sense of it?

Yeah, you know, we're seeing a lot of cybersecurity MGAs, so managing general agents. Yeah, the Coalitions out there, At-Bay, Resilience insurance. And their models are all a little different. Some are approaching the SMB. Some are doing upper-mid market. But what they're all doing, at different levels, is doing security scans before they write a policy and during the course of the policy. Some are looking at, hey, how do we do DFIR on the back end? How do we keep the hygiene up? Because at the end of the day, in the cyber business, it's about your loss ratio. So if they could keep the loss ratio down, it's more advantageous to them. And then it becomes this kind of, you know, OODA loop, if you will, with the customers. They're writing more premiums. The loss ratio is less. Cyber hygiene is going up, especially in the SMB. And, you know, everyone's happy, theoretically. So I think that's a great first step. It's very early days in that industry, but there's a lot, I mean, look at the amount of funding that's going in. I think At-Bay just announced a 185 million round yesterday or today. So, as far as the government coming in, I think the government should get their own house in order first, you know, quite frankly, and, you know, follow the executive order. Obviously with Jen Easterly at CISA and Neuberger in the White House, like, there's some really A players.
And at the end of the day, shared responsibility. So let's get our own houses in order and then share information, which, you know, I'm sure you've lived that hardship, right? Because the government never wants to share. They'll take any information you give. It's hard for them to share. So, yeah.

Yeah, I mean, I'm a huge fan of, you know, the Coalition and Resilience and those models that, you know, the cyber insurers being both more data-driven and more, you know, and providing, frankly, you know, in some ways, light managed services on their clients' behalf. It definitely really raises the bar. And, you know, I think it's not just in the fact of the insured; I think, you know, what I'm hopeful for is that they have the ability to bring people who are not currently insurable into the market, which is a huge change in our base cyber hygiene. And so finding ways to help people get insurable is a big deal.

Well, you know, David, on that point, you know, one of the things that governments have done when we're talking about car insurance and the like is they sort of require insurance companies to take on some amount of managed risk, right? Some amount of sort of, you know, the 18-year-old me driving around, you know, nobody wants to insure that guy, right? And so, you know, there are some earlier models for that. But I have a sort of a related question for you. You know, one of the things that Ernie mentioned was this idea of companies coming in and trying to figure out, you know, what the problems are before they go in, right? Whether it's with an investment. We've heard a lot about this in the M&A space, right? With insurers, right? Sort of assessing companies from the outside, sometimes from the inside, right? There are a lot of companies that have created businesses out of doing that type of assessment. I've always wondered how sort of capable those assessments are, right?
Is it really realistic to be able to tell how vulnerable a company might be from the scans you do from the outside and the scans you do from the inside, right? And you've been at service providers that have come in both before and after the fact, trying to figure out, you know, what it looks like. Do you have a sense of whether, particularly from a critical infrastructure perspective and from a vulnerability to ransomware or, frankly, any type of malware, you know, in a lot of ways, ransomware's simply an example of that, right? Can you really tell that from the outside in or from the inside out? And if so, is it a good measure for insurance and M&A and, you know, diligence for investors?

Yeah, I mean, so for the assessments, and in full disclosure, that's a business that Nisos is in today...

I didn't know that, by the way, so I did not know that, so.

But let me tell you why it works. That's what the adversaries do. You know, you can take the perspective of the defender and dig in, but that's what the adversaries do and it's working for them. So it works.

They're testing from the outside to see who's vulnerable, and as a result, sort of, if we do that, we could get a sense for it too, is that your point?

Yeah, I mean, they're using Shodan, they're using, you know, they understand what's vulnerable. I think, you know, the thing from a service perspective side, I think the thing where people get very big challenges, and particularly when you talk about insurance or, you know, supply chain things, is that some of the, you know, it's very hard to identify the true external footprint of an organization. And so we have actually, one of Ernie's companies, Bishop Fox, actually has a great offering or two, as I think everyone has the story of a supply chain scorecard that, you know, got some terrible score because it included their desk network or a franchise or those things.
And so, you know, the challenge, you know, I think the challenge to it is doing it well. But I think, again, our adversaries are doing it well. They're going, hey, I'm looking for things that have this, you know, this known vulnerability that exists in this space, for an organization that I think has the capability of paying this ransom, that is in a country that either doesn't have judicial reach to me or, you know, law enforcement action that would prevent this. And so they're clearly doing it. And I think, you know, we have to leverage those same, you know, intelligence capabilities ourselves. But I think the important thing is doing it responsibly, you know; doing it and giving someone a, you know, a bad grade publicly is not, I don't think it's going to help us get where we need to be.

Right. Fair enough. So no name and shame unless it's the Chinese and the Russians, not for our companies.

Yeah, look, there's a point where, you know, you need to be a certain height to ride the internet. But over there, we got to realize that no one's ever going to be perfect in this, and that we got to figure out how we, again, how we motivate, not just penalize.

Fair enough. So, Jen, one of the things that David just talked about was this idea of sort of supply chain vulnerability, right? And we've seen this has become a really hot topic. I mean, it's been a hot topic for a long time, but it's gotten really hot in light of these ransomware attacks, in part because, you know, people think about, you know, what happened with Solar Storm and the fact that was a supply chain vector. And now Kaseya, that's a supply chain vector, right? People are also concerned about the downstream effects of an attack on a thing like the Colonial Pipeline, right? And that has sort of spillover effects. That's not quite a supply chain, that's not a supply chain attack, but it shows the sort of spillover effects.
And then of course the COVID-19 pandemic, and we've seen the vulnerabilities in America to supply chain, our dependencies on certain foreign countries, including adversaries like China. So, Jen, help me understand, you know, from a, you know, sort of what-the-government-can-do perspective, right? Or at least what, you know, legislation might do to help address the supply chain threats. One of the things that's talked about in the executive order, right, with respect to federal cybersecurity is sharing of information between private sector actors, contractors who work for the government, right? Requiring them to share information about incidents and potential incidents. We've now heard of legislation up on the Hill moving where there's an effort to get people to disclose it. It goes beyond data breaches, but disclose any incident you might have. Tell us how to think about that. And will disclosure of incidents sort of be enough to sort of address the supply chain threats, or is it a bigger problem that we've got to go further on? And is incident disclosure even a worthwhile thing to get in the business of talking about?

I think it's really, I think it'll, we'll find out when it plays out. But I think it's hard to say. I think disclosure is a step in the right direction, right? It's that same sense of wanting to understand so you can measure, right? You can look and understand; if you can't evaluate it, then how can you respond to it appropriately, right? And so we need to create metrics across a very, more than just our own organizations, to understand what's going on. And I think there's a sense, whether it's ransomware, whether it's a supply chain issue, that when companies experience an event, right? They really don't want it to be a breach. They want it to stay an event and not even kind of scare. We deploy all our resources to try to understand what to do in our company's own best interests.
If there's a directive to share that outside of that, which I think a lot of companies, a lot of lawyers who are comfortable and have points of contact within federal agencies, like, are already comfortable reaching out to try to pick it up.

Interesting.

Whether it makes sense to disclose something, but this directive that says you need to, you should, we want you to, and there's no sense of impending penalties, right?

Yeah.

Penalties come when you do something poorly. The penalties don't come when you show that you were vulnerable. Everybody, every company is vulnerable. There's no sense of, like, you know, we talk about zero trust; there's no 100% security. Like, that would be an amazing state to exist within, but no company exists within that state. So if that directive that says share, let us know, is around that attempt to try to create metrics that allow for a valid response that can be coordinated across more than just one company, I think that's very laudable. I think that is a step, for sure, a step in the right direction. Whether it's going to be effective, and how quickly, that's very hard to say.

Yeah. And that's a great point about sort of the need for information to get out there in the marketplace in order to first coordinate responses. So Ernie, you know, going to this question of responses, right? You served in the government, you served in the Department of Defense, you were in the military, you served at DIU, and now you've come out and you're in the investment space in cybersecurity. But you know, one of the things that's been talked a lot about is that the government not only needs to get its own house in order on the defensive side, but it needs to do more potentially offensively, right?
The government needs to respond more effectively to these types of attacks. You've seen now the Biden administration talking about the fact that, you know, we're going to name the countries involved, we're going to start talking about holding countries like Russia, like China responsible for some of the things that happen in their space, even if they're not nation-state actors, but if they're criminal gangs operating in their space and they know about it, we might hold them accountable. Is this the right road to go down? Do we want to be whole? One, do we want to treat ransomware as the FBI director said, like terrorism, which I think was code for if you harbor these guys, we're going to start treating you like you're responsible, right? Is that the right approach? And then second, do we need to get more offensive? I mean, do we need to be punching back more often? I like to use the analogy, sort of, of the bully on the playground, right? Where, you know, we all tell our kids, you know, yeah, go tell the teacher, the teacher will tell the principal, they'll hold a meeting and we'll solve the problem, right? But we also all really know that if in fact you want your kids to not be bullied on the playground, the best thing to do is put them in a self-defense class, have them punch the bully in front of everybody, and the bully's going to stop bothering them and nobody else is going to bother them, too. And nobody's saying tell your kids that, right? But it works. And so, you know, should the government be punching back harder in cyberspace?

I mean, so this is a great question. And I think that on the classifying them as terrorists, you know, I look at it with cyber, there's a beno line. There's criminal activity and nation-state activity that looks to, that's directed at, you know, data-rich companies, whether it's pure ransomware or extortionware.
And then what we've seen recently with JBS, with Colonial Pipeline, now we have essential services that are being attacked. And it's one thing to, you know, blow up a nuclear facility or something that extreme. It's another thing when you shut down the supply chain of oil and gas on the East Coast. And I think back, this might be an interesting analogy, but I was living in New Jersey when Hurricane Sandy hit. Lost power for almost two weeks, run-up in gas prices, people fighting at Home Depot for generators; it caused chaos. And if you think of a cyber attack, it can have those effects in the physical world. So to me, there's a clear distinction there. And are they, you know, if you're harboring these cyber criminals, I think you should be held accountable for letting them operate with impunity. On the offensive side, yes, we should be more offensive. You know, General Nakasone at the NSA, ever since he took over, he had the whole concept of defend forward. And to me, that's, you know, start punching a little more and going into other people's neighborhoods, and showing them, hey, what's going on here? So I agree with that mentality. Now, what I don't know, being out of the government now, is what happens behind the scenes, all the clandestine stuff. But overtly, we should be punching back harder.

Yeah. So, Dave, you know, you've seen some of this stuff. When you worked at BlueVoyant, you all defended some of the largest financial sector players in the business. Talk to us about how bad the threat is when it comes to critical infrastructure, right? You know, you've seen a lot of it. You saw a lot of it at Rapid7, too. So talk to us about how bad the threat looks. And is what Ernie says right? If the government starts punching back more, sort of, we get more aggressive on General Nakasone's effort on defend forward, persistent engagement, right? You know, we've got, as Ernie pointed out, we've got all these amazing people in cyber now.
We've got Chris Inglis as National Cyber Director, Jen Easterly at DHS. We've got Anne Neuberger at the White House. I mean, Rob Joyce is back at NSA. On the defense side, I mean, it is like a who's who of cyber defenders. And people, frankly, who are willing to go a little, sort of a little more up against the enemy and punch them, right? So from your perspective, having seen what the threat is to critical infrastructure, is this the right approach? Or, you know, a lot of people have said we shouldn't punch back because we live in a glass house, right? And if we punch too hard, they're going to hit us really hard, and we're more vulnerable and more likely to have problems than they are. Is that right? I mean, how do you think about this?

I'm not sure I'd say glass house, but I think, you know, while we are likely the most capable from an offense perspective, we also likely have the most to lose defensively. And I think that has to factor into our, you know, the policy of how we think about this. But if you talk about critical infrastructure, I mean, it's a fascinating term. We're sitting here talking, you know, in the ICS Village, which is, you know, very focused on the industrial control side. CISA categorizes 16 categories of critical infrastructure. I mean, you know, in some ways, everything is critical infrastructure in a lot of ways. And I exaggerate a little bit for the point, but I think the challenge of it is, we often think, and I think on the policy side, get wrapped up in the haves versus the have-nots. You know, an investor-owned utility or, you know, a money center bank, you know, has amazing capabilities.
You know, but by nature of these industries we're talking about, they're all highly interconnected. Financial services, obviously, is highly interconnected, but I think folks in, like, the energy industry, you know, well, we have a handful of grids, and one of them has an impact. And there's everything from major investor-owned, multi-billion-dollar organizations to very small rural co-ops. And I think what we often forget is the state of the have-nots. And I think, you know, Wendy Nather had a great piece years ago on living below the security poverty line. And so, you know, there are organizations that have 10 people in IT on our power grid. Or less. I mean, you know, yeah. And so I think that when we talk about things like information sharing and public-private partnership, those things are great when you can take the intelligence team from Exxon or from JPMC and have them talk to peers. When it's a small rural electric co-op, it's a very different conversation. And, you know, as we've seen from, I'm blanking on the details of the attack, but as we saw in one of the Russian-attributed attacks, part of it came in through a maintenance supplier and a small rural co-op. So I think that SMB conversation is one that's just so critical to our overall critical infrastructure security, and that leaves us vulnerable on the punch-back side. Again, there are definitely places for punching back, and I'm all for it. I love that we've been more aggressive and recovered money and things over. Right.
So I think there are a lot of roles for that. And I think a lot of really impressive and creative collaboration in finding ways to legally take down infrastructure or take over infrastructure. So I think there's a lot more we can be doing, but I think we just have to keep policy, keep our, you know, our state in mind as we do that. Yeah. Well, so on that front, Jen, you know, one of the things that we've seen the government do a lot of, right, is indict cyber criminals. You're a former federal prosecutor, right? Or a former prosecutor. You have seen some of these cases go down. You know, is it really sensible to indict folks we know we're never going to get, right? We had these Chinese, you know, military officers, these Russian cyber criminals, some of whom are associated with the government, right? There's no chance that we're going to get these folks here. And so in a lot of ways it feels like just a name-and-shame game when it comes to these indictments, right? Is there any value to these indictments? And if there is, or there isn't, right, what about getting more aggressive? Are there any legal concerns we might have with doing the kind of things that Ernie's talking about, sort of, you know, getting more aggressive, punching back, right? Or are there legal concerns with helping the smaller providers? Can we do something as a legal matter to help these smaller providers get the information they need? If they've got small teams, can we push in the information or focus information on them without having a problem where we're not helping these other folks? Is there a problem when we treat people differently given how they're situated? So a number of questions there. Sorry about that. That was, I think, a three-parter. Okay. I'm going to address them all together. That's a great question.
No, I think the word that comes to mind when I think about the prosecutions is, like, symbolism, right? Like it's a symbolic sort of shot. It's a long shot, right? The idea that these people will be held accountable, you know, in a court of law in the United States is very far-fetched. But is it meaningless? Probably not, right? Because I think there's a sense that even identifying, you know, somebody who is hacking, whether it's SMBs or, like, our nation itself, is mutable. Like that person has an identity behind a screen in a place that is very many time zones away. But still, the idea of, like, literally throwing down the gauntlet, that this is the person here, we know it's you. Yes, I think there is something very gratifying about that. I don't think it'll go so far as being gratifying as far as putting them in one of our, you know, jails; that would be amazing, but probably not. But I think the question of what is an appropriate response and how do we properly defend our country and our companies is multi-layered. I think a lot of the time, like, we haven't even touched on, like, diplomacy, right? Like there's the idea of sanctions, the idea of which country is this coming from? And will they be responsive to the diplomacy that kind of accompanies the sense that sanctions have the right repercussions for that country? And then can you lean on that country to then help you find justice against those individuals who are part of it? Now, in a lot of the countries that we're talking about today, those individual actors are not individual actors per se, right? Like we talk about their own HR departments within organizations; they're very organized. They're probably state-sponsored. And that's just not a realistic outcome. I think it's interesting, you know, last week there was a bill.
There's a bipartisan bill that's being introduced to allow companies to hack back. And I don't know if you guys have seen that. That was a 2017 initiative. It's been revived. And the question there is, like, what would be the right proportionate action by a company? Like, how would a company say, all right, you did this, okay, now you get this, that you could rise to that level of sophistication? Like the question, at the GC level, right? Like a lot of us are kind of questioning, like, do we want to be the individual who's saying go for it? Yes. Right. Like it's all systems go, give it to them. Like that feels very far-fetched, but that is a legitimate bill that is coming through. No, yeah. Yeah. There's some consideration because, if that's where we're at, you know, we might as well put everything on the table and think through that, because there aren't many other options and avenues for companies. Yeah. So, Ernie, look, this has come up a number of times, this idea of a private sector hack back, right? It dates back, as a military matter, to the founding of our nation, right, where we actually used private ships to sort of form a navy for us and really defend our coastlines, right? Even though we had a nascent navy, we would often give these letters of marque and reprisal, as people refer to them, you know, it's in the Constitution, right, to private individuals to go fight back on behalf of the nation. We obviously have today a Cyber Command. They have offensive capabilities. Even before Cyber Command existed, we had the Joint Functional Component Command for Network Warfare that did some more of the offensive stuff. But there is a lot of discussion about private companies being able to respond in some way, right?
Some people talk about active offenses, meaning, you know, look, if somebody hits me, I can send, sort of the way I would, like, a dye pack in a package of money, right? It'll go explode in their network. I'll know it was them. It'll beacon back. It'll tell me it was them, right? Never mind that beacon activity looks a lot like what malware does right at the outset, but okay, whatever, fine. So it'll beacon back to me, and maybe even it'll detonate and it'll destroy my data, right? But then what if it goes a little further, right, Ernie? Is this the place we should be going, where maybe it detonates and takes down their infrastructure, not their whole systems, but just the stuff they use to attack me, right? Is that a place we should be going? And should we be worried about, if this is, as Jen points out, potentially, even though it looks like criminal activity, it might be state-sponsored activity, right? Is there a threat that we might have private sector companies get us into that so-called, you know, land war in Asia? Do we have to worry about that? That's a tough one. That's a really tough one. Because part of me says, yeah, you should be able to defend your organization. And you should be able to respond proportionally, or maybe disproportionately. The other part of me, you know, thinks with kinetic warfare there's always collateral damage. And there could be fratricide. So, you know... I mean, look at NotPetya, right? I mean, NotPetya, an attack by the Russians against Ukrainians, you know, $300 million per company, right? $10 billion worldwide. Perfect example, perfect example. You know, I think as much as I'd like to see something like that, I think it would get too chaotic. You'd have the collateral damage. You'd have, you know, it's not like when we had Stuxnet, where there was an organization that could use four zero-days and do it very accurately, right?
You can't expect, you know, even an enterprise, a JP Morgan, to do that. So I think... I don't know, Jamie Dimon might disagree with you. He's got renewed. So... Well, they might be the one exception, but you know, when the financial institutions were attacked in 2012 by the Iranians... Right. The government didn't help. My understanding is, and I know people that were involved, the government said no. And ultimately, the, call it enemy servers, went dark. And weird. It was the Israelis. Right. They came in. So anyway, it's a slippery slope. I think we've got to be very careful with that. Yeah. So Jen, what about from a legal perspective? Let's say we did grant these letters of marque and reprisal to companies that are being attacked, critical infrastructure companies only, and only really capable ones, right? Only the big ones and only the smart ones, right? Whatever. We pick them. We give them authority. We say you can only do this set of things, right? Do we want private sector businesses doing this sort of thing? Are there any legal concerns with that? And here are our legal concerns. Are there policy concerns about allowing private sector companies, even with all the legal authority in the world from the US government, a little sheet of paper saying you're acting on our behalf? Do we want them in that business? I mean, at the risk of alienating all of my friends who are general counsels, I would say probably not. I mean, general counsels are not cyber experts, you know, by merit of having... except for you. Well, I'm still working on it. That's why I've got to spend a lot of time around it. No, but I think that's the problem, right? I mean, general counsels are, the word general is in there for a reason. Like we are just at the heart of it.
If we're not, then it's very hard to execute against so many different things that affect a company. I mean, I think that's the question of, like, whether we want to be empowered to use force under a UN charter. Like, probably not. It's probably the same question as, like, should I be carrying a gun? Even if I can get a gun, probably not. That's, I think, it is an interesting question. I mean, I think there are legal ways through it, right? And there are corporate governance ways through it. You can create committees that can evaluate things, that can get out of the way, I think, on a very narrow issue, and protect itself, and understand that it's making a decision in the best interest of the entity, and then taking into account all the other considerations, which would be, you know, the country, the collateral damage, the repercussions, and do it in a coordinated way with government. Maybe, if that, then possibly, but I would still, you know, err on the side of what Ernie said, which is... Yeah. It's a big leap of faith, right? It's a faith that may not even be successful. Even if you had the technical chops to execute it, what are you going to get? Is it that sense of redemption, right? Yeah. DOJ style, like, you know, we've now named it. We've done something. Yeah. It's probably very gratifying, but is it ultimately effective? Yeah. Yeah. So David, you know, it sounds like Ernie and Jen are like, look, it's not the greatest idea, right? So let's say that's right. Let's say we're not going to count on companies to do this, and we're really going to take you and Ernie up on your suggestion that the government gets more aggressive and sort of does its part, right? Does the government know enough about what the private sector is being hit by to effectively respond to it and sort of deter behavior, right?
I mean, it's willing to say, okay, the government's not willing to do it, right? Which they haven't been for a while. And now hopefully under Joe Knox, they're getting more aggressive and they have more authority, right? So maybe they are willing to deter, maybe even capable of deterring, right? Do they know who to go after? Do they know how to go about it? Do they have the information they need to really sort of deter those who are coming up against our private sector? Or do they need... you know, we've talked about information sharing, and that's all well and good, right? You know, more data, fine, great, terrific, right? But a lot of it needs to be about collaborating in real time too, right? Working together consistently, day to day, day in, day out, holding hands as these things happen. Are we anywhere near that? I mean, I think if we're talking hit back from a cyber attack, that's a much more complex conversation. And your information sharing becomes really, really challenging. I had a conversation a few years ago with someone at a senior level at a state law enforcement agency. And they said, you know, talking to the FBI is like being a psychiatrist with a chaise lounge: they ask all the questions, you do all the talking. And it's a very one-way conversation. So I do think two-way communication is critical. You know, and not only for accuracy, but also for things like collateral damage. Like, you do this and you're going to take out, you know, the East Coast, like you're going to take out a pipeline, or you're going to take out a... so understanding the dependencies is challenging.
But what I think we're missing in the hack-back conversation, and part of why I love the naming-names side, is that attribution is really important for two things. One is it can give you organizational insight as to who's doing it. So is this one person, or a small group of people, who are financially motivated? Is it a broader network that's accomplishing other goals? How are they being financed? And when we know those things, we can all of a sudden take very different actions. It doesn't have to be just infrastructure. It can be, you know, stop their ability to move money. You know, it's a cyber... Yeah. There are a lot of other things that we can do. I mean, again, I agree with Jen that the likelihood of these people ever showing up in a US jail is low, but I just kind of grin and go, well, we just took away a lot of places that they can't go on vacation and spend that money they're making, where extradition comes into play. So I do think there's a much broader set of actions that, when we know the individuals, and then the entities they're part of behind it, the US government has actions it can take. And that's a very different coordination problem than coordinating a cyber defense mission, a financial crimes mission, a money laundering or OFAC mission, things like that. That's a very different degree of coordination that I'd actually love to see a sprint around on the government side, sorting that out. Yeah. So this is really interesting. So, you know, we're coming up on the end of our time together. And one of the things I wanted to sort of end on is a question about ransomware itself, right? Because the topic of our panel is critical infrastructure and ransomware.
One of the things that got really interesting about the Colonial Pipeline hack, right, was that early on in the attack, Colonial Pipeline took their systems offline, right? They did some stuff. And then they came back up fairly quickly. Everyone was concerned about the potential for a major supply chain disruption of oil on the East Coast. There were even some people who were hoarding gas, crazily putting gas in plastic bags. By the way, for those of you out there, don't put gas in plastic bags. It doesn't work. It's a bad idea. Please don't do that. But there were these concerns, right? Legitimate concerns about a supply chain disruption, and Colonial Pipeline avoided it. Come to find out later on that they had paid the ransom, right? Now, yes, the FBI went and they were able to get some of that back. That's a whole other question about how the FBI had the private key to the Bitcoin to get that ransom back, which I'll leave for the audience. But I have a question for each of our panelists, which is, should we be permitting companies to pay ransoms in order to get them back up and running faster? And if your answer is yes, or at least for critical infrastructure a qualified yes, doesn't that incentivize the business? And if it does, how do we solve that problem? Aren't we sort of, quote unquote, negotiating with the terrorists? I'll start with you, David, and I'll end with Jen, because she's the lawyer in the room. I want to get the lawyers out, but David, first to you. I would not... I'm not supportive of the government having a no-ransom policy today. I think that people need to make a risk-based decision in their business. And I get it. I love the fact that it supports these actors and continues to, it helps propagate the problem.
But I think that, you know, the government telling a private sector entity what they can or can't do financially in a risk situation, you know, we... I try all parallels. We didn't go back and say you couldn't pay kidnapping ransoms; we dealt with that as a law enforcement problem. And so I think we're not quite ready for that. I do think there are some tools that, while you say yes, you can pay... I do think we're under-leveraging the OFAC and money-moving process. There's a small and growing school of thought that paying ransom should require some more knowledge and attribution of the entity to make sure that you're not funding, you know, as a US company, you can't fund things that are SDNs. So I think there are ways that we can wield other things beyond the individual companies. But can I ask you about that? So I always hear this, right? Like, okay, we should make sure, as long as they're not paying terrorists or, you know, whatever. Look, they're paying cyber hackers, right? For all we know these hackers are funding... I mean, do we just ask them for ID before we pay them? Like, how's that going to work? I don't get that. Yeah. I mean, look, there are ways; there are services out there that help with this. And I think there are ways you can come to knowledge about the transaction that gets you to a comfort level. But we've had this SDN methodology as a country for a long time, and while it's not perfect, it's been quite effective at taking out particular groups of actors.
And I'd love to see us use it more here. And SDNs are Specially Designated Nationals, right? People who are on sort of the terrorist list and the like, the sanctions list. All right, Ernie, over to you. Should we allow companies to pay ransoms? And if so, what about this threat that it'll just incentivize the business more? Yeah. So first, I don't think it should be binary, you either pay or you don't. In a recent study I read, only 8% of organizations got all their data back and 29% got half, which blew my mind, because I thought if you paid, you probably had, like, a 75% chance to get it back. So today, I agree with David. It's like, if your kid gets taken hostage, the government's not going to tell you don't pay the ransom. You want your child back. So I think it might, but you're still going to pay the ransom. Yeah. But it's a risk-based decision. Is PII on the line? Or is it an essential service? Is it affecting national infrastructure? Is it affecting, you know, something that could cause actual physical harm, harm in the physical world? So I think it's up to the businesses. I don't like it, but I think there's no, you know, binary answer for this. Can I just follow up on that though? So, okay, it sounds like you'd be more willing to accept payment of ransoms if critical infrastructure is involved. Did I hear that right? That's, yeah. It's good. You have to look at first, second, third and... Yeah. Yeah. Okay. So if that's right though, aren't we just telling the bad guys, hey, you know what you should really go after? You should go after critical infrastructure, because that's where we're going to be willing to pay the biggest ransom. So, hey, Colonial Pipeline, that was smart. Do more of that. You'll get paid more often. Yeah.
I would not write that down or suggest that. It's kind of, again, it's business risk, with the business knowing what type of risk that ransomware and extortionware is going to have on their customers and on the populace. All right, Jen, you had the first word and you get the last word. Tell us what you think about ransomware, you know, and should we be allowing companies to pay ransoms, and what about this incentive effect? Right. If we tell them, like Ernie says, hey, look, the one place I'm willing to pay ransoms is critical infrastructure, for sure. Well, doesn't that make critical infrastructure an even bigger target than it already was? Yeah. I mean, I agree with both David and Ernie. So I'm going to kind of layer onto their suggestions something that also kind of goes far, which is, like, can we get to a point with the public sector, with government agencies, where... because the thing that we're not talking about with ransomware is that it's a very rapid response that's required. Yeah. So making a very quick decision, and as a company, everything that you do as an officer is in the company's best interest. That's kind of the overarching theme. Like obviously the collateral effect is important, but if it's contraindicated by something legal, then that takes it off the table. I kind of query whether we could get through this, like, you know, the Biden orders and the sense of collaboration, to a point where companies feel like they can turn to law enforcement during a ransomware attack to say, this is happening. We're going to do this. We're letting you know. And maybe get some sense of assistance, even to try to get to that level of attribution. Right. Like, maybe that's where this all goes. Maybe you split it and try to get there. And that's kind of the best case for right now, because it is a very heated issue.
I think companies are in a really bad situation, especially, as Ernie said, when there's PII on the line; the government is not willing to indemnify you, right, from all those suits that are coming. So you've still got to make the best decision for your company. That's a very multi-layered question. Right. Well, it looks to me like that's a great note to end on. Thank you so much to Ernie, David, Jen. Thank you for being here. Thank you for contributing to this conversation. And thanks to Bryson Bort and the ICS Village for hosting us at this DEF CON panel talking about ransomware, critical infrastructure and the potential impacts. Have a great afternoon, everybody. Thanks a lot.