Well, welcome everyone, and thank you for joining us at Mechanics Institute online, now that we've solved all our technical problems. We're very pleased to welcome you to our program with author Nicole Perlroth for her new book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, and she'll be in conversation with Lindsey Tonsager. I'm Laura Shepherd, Director of Events at the Mechanics Institute, and we are very proud to co-sponsor our program with Gritta Institute and with Gray Area for our Tech and the Cities series. If you're new to Mechanics Institute, we were founded in 1854, and we're one of San Francisco's most vital cultural institutions, in the heart of downtown San Francisco. And good news: the library is open, so please come down and see us. The talk will be followed by Q&A, so please hold your questions; you can put them in the chat for the end of the program. And if you'd like to purchase Nicole's new book, This Is How They Tell Me the World Ends, please purchase it through alexanderbook.com or one of your local independent bookstores.

I'm going to introduce our program. Filled with spies, hackers, arms dealers, and a few unsung heroes, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by all of us if we cannot bring the global cyber arms race to heel. And certainly this week has been one of those weeks where we've seen so much cyber activity, and not good news. I'd like to introduce our two speakers. Nicole Perlroth is an award-winning cybersecurity journalist for the New York Times, and her work has been optioned for both film and television. She is a regular lecturer at the Stanford Graduate School of Business, a graduate of Princeton University and Stanford University, and lives in the Bay Area.
Lindsey Tonsager works for Covington & Burling LLP. She helps national and multinational clients in a broad range of industries to anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws. She also assists clients in engaging strategically with the Federal Trade Commission, the Federal Communications Commission, the U.S. Congress, and other federal and state regulators. She has served as Mechanics Institute's board secretary and is our newly appointed President of the Board of Trustees. So please welcome these two experts, who will reveal what's going on behind the scenes in cyber weapons warfare. Please welcome Lindsey Tonsager and author Nicole Perlroth.

And thanks for joining us, Nicole. I'm so excited for this conversation, because it's very rare that I get to nerd out on cybersecurity issues, so this is a very exciting forum for me. I guess I'll kick it off. You begin your book by talking about Edward Snowden and the Snowden revelations, and I think for a lot of average Americans, the Snowden revelations were maybe the first time that they had heard about cybersecurity and national security and what the NSA was up to. Do you want to just set the stage of how this all unfolded and the big players that you talk about in your book? And hopefully you can unmute. Are you able to unmute? Hopefully. Thanks.

Yeah, so someone has muted me and I can't, it says I can't unmute myself. So, I swear, thank you. First of all, thank you to the Mechanics Institute for doing this. It's one of my favorite libraries, and just as someone who is a Bay Area native, it's really an honor to be doing this. I've been doing a lot of book talks, and I thought I was getting really good at Zoom, but I think I'm just getting worse as the days go by. So I'm sorry for the technical difficulties, but thank you to everyone for joining us today.
It really is an honor to be with you all, and I'm sure we are all excited to get out there and see each other in person, and I hope we have that opportunity soon. Oh, and thank you, Lindsey, for doing this. So, to your question about Snowden: I was given, I would say, very privileged access to some of the Snowden documents. I tell the story in the book, but the Guardian had a large tranche of the Snowden documents, and I learned a lot about press freedom in the UK; it's actually severely limited compared to what we enjoy here. So GCHQ went to the Guardian headquarters and said, you have to destroy these hard drives, and they literally stood over their shoulders while they took whirring blades to the hard drives. But the one thing that the Guardian did not tell GCHQ at the time is that they had already smuggled a copy of the hard drive to the New York Times, where I sat with some of my colleagues from the New York Times and the Guardian going through these documents. I wasn't allowed to bring devices into this closet that we were sitting in, accessing these documents, and it was really hard to contextualize what we were seeing, because the NSA has an acronym for everything and they love jargon. So we were just forced to look at these documents and try to make sense of it all, and it really took several months before it hit me that the biggest takeaway from the Snowden documents for everyone else was not my big takeaway from the Snowden documents. Sorry, whoever's muting me, please stop. So yeah, most people's focus was on the phone call metadata collection programs; the hacking of Angela Merkel's cell phone was obviously a huge diplomatic disaster. I saw something different. I had just come into this project from years of reporting on Chinese cyber espionage.
I had been reporting on the beginning of Russia's incursions into the American power grid, into our gas pipelines and oil companies. And here I was, thrown into this little closet at the New York Times looking at classified NSA documents, and I have to say my first reaction was, phew, you know, we're doing this too, only we're a lot better at it. And my second was gratitude that these documents were out there and we were able to have some of these discussions around the balance between security and privacy. But for my little piece of the world, what really stood out to me was the fact that the NSA clearly had a backdoor of some kind into every piece of commercial technology on the market. Throughout these documents there were these littered references to our third-party partners, our commercial partners in the security space, our independent contractors and brokers, and it was very clear to me that what I was seeing, at a certain point, was confirmation of something that I had long heard rumored about but had never really been able to get to the bottom of: that there was a market for our cyber vulnerabilities, that there were vulnerabilities in software that governments were procuring from hackers and adding to stockpiles for espionage, counterintelligence, and also battlefield preparations. As we started rolling software into the grid, into our nuclear plants, into our centrifuges, U.S. intelligence agencies really saw that the best way to destroy an adversary in the event of some larger geopolitical conflict could be through cyber methods, and they started stockpiling vulnerabilities in that software too. So seeing that confirmation really piqued my curiosity more. I wanted to know what these programs were about, what the history of these programs was, who was supplying U.S. intelligence agencies with this raw material, the software vulnerabilities.
You know, at what point was a vulnerability so serious that we would go to the software makers and get it fixed? But I'm getting ahead of myself, so I'll stop there, Lindsey, and let you ask the question. It looks like Lindsey, for some reason, can't unmute herself.

Um, yeah, so thanks, that's a really good tee-up of the broader issues, and I think you summarized nicely that the good guys are not necessarily doing what you would expect the good guys to do, which is, you know, they're buying up these zero-day exploits, these vulnerabilities that haven't been detected yet, and using them to the US's advantage. But of course other countries are trying to do the exact same thing. And one thing that I found really interesting, and I'm going to quote just a very brief amount, I think it was a senior government official that you were quoting: "Thanks to globalization, we now all relied on the same technology. American citizens, businesses and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cyber criminal or rogue actor. This paradox began to keep Pentagon officials up at night." So the idea is, you know, we're all using, globally, the same software, the same networks, the same devices, and so we're all equally vulnerable to these attacks that are out there. And the Pentagon saw that as a problem, but I was wondering if it's in some ways like the digital version of mutually assured destruction. Do you see it that way as well, or are we all just vulnerable and it's a brawl?

Yeah, I mean, you know, I should probably back up. I probably got a little over my skis in my last comments, but just for everyone who doesn't know what a zero-day is.
A zero-day is a flaw in some software; think of it as a bug or an error in the code. The simplest, most tangible example is that if I'm a hacker and I find a flaw in my iPhone's iOS software that Apple doesn't know about, that they don't have a patch for, that's called a zero-day. And the name, there are different origin stories, but people think it's because once the software maker discovers it, they've had zero days to fix it. So if I'm a hacker and I can write a program to exploit that flaw in iOS software to read your text messages, or record your phone calls, or turn on your camera without you knowing, or track your location, that's called a zero-day exploit. And what I was seeing in those Snowden documents was clear proof that the US government basically had zero-day exploits for every single piece of technology on the market, everything from your firewall and antivirus software to the Schneider Electric industrial software that's used in power plants and the grid. And I had heard murmurings that the US government was willing to pay hackers to sell them these zero-day exploits, and these days you can go to certain government brokers' websites, not on the dark web, just on the regular internet, and find price lists for zero-day exploits. So right now the going rate for that zero-day exploit I described in your iPhone is $2.5 million. You're a hacker, and you've developed that zero-day exploit; you can sell that to a government broker for $2.5 million today. And clearly, you know, given that capability, what else really would a spy agency want? So it's not just the US government in this market anymore; it's almost every other government on earth, each with its own various interests for wanting to be able to spy on people's phone communications. Really, our iPhones have become our little digital ankle bracelets, so anything a spy agency would want, they can probably get from your iPhone. So what is the market we're talking about?
I really wanted to know the history of this market, and I learned that it started three decades ago. That's really when US government agencies started paying outside hackers and intermediaries to turn over zero-day exploits, with the caveat that they never tell the software maker about it, that they never tell Apple about it. Because once Apple finds out about it, they develop a patch, they put it into a software update, you get an annoying prompt on your phone to update your software, and then that $2.5 million investment has turned to mud, or dust. So three decades ago there wasn't this real moral hazard or security dilemma baked into this market, because we were all using different technology. You know, if the US government found or procured a zero-day exploit in Huawei, no harm, no foul to Americans, because for the most part Americans weren't using Huawei. Well, three decades later, Huawei is a glaring exception, thanks in large part to a lot of lobbying by the US government to get American businesses not to use Huawei, and now more recently our allies, although that's faltering. For the most part we're all using iPhones and Android phones and Schneider Electric and Siemens industrial software, and you might not have a PC, but Windows is now baked into the power grid and water treatment facilities. So when the US government stockpiles a major flaw in Microsoft Windows and doesn't tell Microsoft about it to get it fixed, we are logically leaving Americans less safe, and the stakes for that decision, I could see, were only growing higher the more digitized the world became. It was also clear that our adversaries had made the calculus that, well, they could not match the United States in terms of our military spending.
But they could do a lot of damage with cyber: they could steal our intellectual property, they could spy on our CEOs, they could attack our banks, they could get into the power grid, and they could pull off some of the attacks that are actually unwinding right now, that we're seeing on our pipelines and our food supply and our hospitals. That is what we are seeing now, and so the goal with the book was really to call this out, to say, hey, wait a minute, the United States might still be the world's top dog when it comes to our offensive capabilities, but we are also now the most, or one of the most, targeted nation states on earth by cyber attacks, and arguably we're among the most vulnerable, because we are so digitized, because we've just been rolling software into every nook and cranny of our economy and our critical infrastructure. And so, you know, we have a lot of systems of interest that any adversaries, or even some quasi-allies, would want to get access to.

So that sounds like a big problem. You do raise some potential solutions, and one of them is this idea of, you know, rather than paying for the exploits, maybe we should pay for better security and really incentivize companies to build more secure software. Do you want to talk about that solution a little bit, or any other ways that maybe we can sleep a little bit better at night? Very simple.

Well, I have to say it was really awkward as a journalist to present solutions. You know, journalists are guilty of highlighting the problems, but we always feel a little uncomfortable coming out with ideas about solutions, because at the end of the day I'm not a technical person, I'm not technically an expert. But when you write a book of this length and you've spent seven years of your life on it, I feel like you are negligent if you don't offer your own ideas for solutions.
And, you know, this book is also my journey, it's my learning journey. I really felt like there were no real heroes in the book; not that I'm a hero, but I felt like, because it's such a technical subject matter, the book needed a layperson to grab the reader by the hand and lead them around, you know, the cafeteria: to this table where the hackers are sitting, and this table where the three-letter agencies are sitting, and here's what the foreign officials are doing, and say, here, meet these people, let's sit at their table for a while and try and understand their motivations, and then let's go over here and try and understand their motivations. It's also my learning journey, so in the beginning I just have all these questions, like, wait a minute, isn't this horrible that we're stockpiling these zero-days? Doesn't this leave everyone less safe? By the end, I think I come away with a more nuanced perspective, which is, let's not, I'm not so naive as to say let's turn over every zero-day we find; clearly they have some intelligence value. But I do think it's really important that we talk about this market, this space, that we drag it out into the open air, into the sunlight. Because I do think, at the end of the day, what you're trading is American cybersecurity in the name of national security, without realizing that they have become one and the same. I do think the next war will be a cyber war, or will at least involve some major digital component, and I think the country that will win that war isn't necessarily the world's top player when it comes to offense. I think it will be a country that is effectively a cyber Iron Dome, that can exist with hostile activity all around it.
And that's not the United States. We are among the most vulnerable nations on earth; we have spent all of our calories on offense and very little on defense, and the reasons for that are very nuanced. One is that defense is hard, it's grueling. It's things like password management and two-factor authentication and segmenting the hardest parts of your network, or the most precious parts of your network, from everything else. It's also particularly difficult in the United States, where the vast majority of our critical systems, power, water, gas, are owned and operated and maintained and secured by the private sector. Every time we've tried to pass legislation that says you need to meet this bare minimum standard of cybersecurity, lobbyists come in and say, no, we're not going to do this, it's too expensive and it's too burdensome for these businesses. So we're left sort of handcuffed a little bit with our defense, and so some of the ideas I presented are, you know, if we're going to basically be in this place where we're not going to accept regulation.
Then I think we have to be very creative with how we deal with market incentives. So some of the ideas I presented are, you know, tax breaks for companies that have proven that they have met a minimum standard of security, that they basically have done things like subjecting themselves to a real penetration test, where white hat hackers would come in, try to attack their systems, show them where they're vulnerable, and then three months later would come again, and they can say, look, we are no longer using a decade-old version of Windows, we have two-factor authentication turned on, etc., etc., etc. I think that would get us to a better place. Now, it wouldn't stop the kind of sophisticated Russian supply chain hacks that we're seeing right now, that we're calling SolarWinds, but it would get most companies to a place where they could probably withstand about 80% of the cyber threats that they face, including the ransomware attacks that we're seeing right now. The Colonial Pipeline felt like such a mega event, a terrorist attack on some level. What did it come down to? How did it happen? It happened because Colonial Pipeline forgot to deactivate an old employee's account, and they never turned two-factor authentication on for it. That's all it took to take out the conduit for half the gas and jet fuel and diesel to the East Coast. And one of the things that we learned in that reporting was, we got our hands on this classified DOE assessment that said the United States could actually only have afforded, as a country, two or three more days of downtime from the Colonial Pipeline before chemical refineries ground to a halt, because they require diesel, before mass transit ground to a halt. So that's how vulnerable we are.
So we need to figure out ways to get us up to the standard. And, you know, our adversaries like China, for instance, can go to their state-owned enterprises and say, you need to secure yourself, you need to pull out this old software, you need to patch your systems, you need to have two-factor authentication. We can't do that here, and so we have to work within an incentive model, so tax breaks is just one idea. One of the sources of room for optimism, I think, and it's awkward sometimes to say as a journalist, but I have to say that this administration, the Biden administration, has really been stuck holding the hot potato on these issues. Previous administrations basically crossed their fingers and hoped that we wouldn't be where we are today, and now here is Biden holding the hot potato. So the room for optimism is that his cyber team is top-notch. Actually, one of my favorite quotes in the book belongs to Chris Inglis, who has just been nominated for National Cyber Director. He spent most of his career at NSA on the offensive side of the house, but the quote is, and I'm going to botch the numbers, but the quote is that if we were to score cyber the way we score a soccer game, the score would be something like 452 to 462 twenty minutes into the game. In other words, it's been all offense and there's no defense; we've never even put a goalie in. And so that quote gives me hope. Here's someone who spent his entire career on the offensive side of the house recognizing it's time to put some goalies in. And they were very creative with what they just did with the new cyber executive order that Biden recently signed.
One thing they did was, they said, listen, we'll cut out a lot of the red tape, but we will ask that you, we'll put out a list of best practices, and it'll include things like two-factor authentication and backing up your data and password management and patch management and not using old, out-of-date software. And we'll even let you self-certify that you meet the standard; we won't make you go to some third-party auditor and pay some fee for some compliance checklist, you can self-certify. But if we catch you lying to us, if you get hit by a ransomware attack that came down to someone coming in through an old employee account that didn't have two-factor authentication turned on, you can never do business with the federal government again. That is a really critical stick, because when you think about Colonial Pipeline, for instance, they are a private company, but they butt up against federal systems. And so if the executive order had been in place and they had self-certified and were caught lying and getting hacked through this old employee account, it might make them commercially unviable. So they are working within the system, they're working with the constraints of the system and using the power of the government's purse to try and get companies to up-level on cybersecurity, and that's an important tool. The other room for optimism is, right now, we're hitting rock bottom. Between SolarWinds, which, just to linger there for a second, was a case of Russia's elite intelligence agency, the SVR, using a major software company as a conduit to break into the Department of Energy's nuclear labs, the Department of Homeland Security, Justice, Treasury, on and on and on, Microsoft, FireEye, one of the nation's preeminent cybersecurity firms.
We know the SVR; we know them actually pretty well, because they hacked the White House and the State Department in 2014 and 2015, and when I went and interviewed the people who cleaned up that attack, they said, we've never seen anything like it. It was, quote, hand-to-hand digital combat. They would find a Russian SVR hacker in a digital hallway, and instead of scurrying off, they would stay and fight to keep their access. At one point they even took over investigators' tools and manipulated them so they wouldn't find some of their other backdoors. So that's who we're dealing with, who was in our federal systems for more than nine months before we even discovered them. And it'll be a year or so before we can confidently say we've eradicated them, if ever. So here's Biden, and they've inherited communication channels that they can't trust. We're getting hit by ransomware attacks that are increasingly visceral; for the first time, Americans can see with their own eyes how vulnerable the US has become. China is hacking us using far more sophisticated techniques than they were 10 years ago, when I first started covering Chinese cyber espionage, and new players have come on the scene, in a way that the US didn't think they'd be ready for for another decade or longer. So, you know, all we're waiting for now is that big cyber boom, cyber Pearl Harbor, whatever you want to call it. So what the book was meant to say was, before we get there, let's just take a look around at where we are. It's not that great. And I think the Biden administration recognizes that they have no choice but to address this problem and to ask some of these really hard questions about the software supply chain, about cybersecurity, about how we're locking up our own federal systems. It's never been more clear that even mutually assured destruction, mutually assured digital destruction, isn't deterring anyone.

We have hacked into the Russian grid, we have taken out North Korean missiles using cyber methods, we have plans to take out the power in Iran, but that has not deterred our enemies from hacking us. So it's never been more clear that offense alone will not get us out of this mess. And I think the right people are in the right jobs; it's just that this is a really hard problem to solve. I've never been more hopeful that things will get better. That said, I think we're in for a lot of short-term pain. But I think, finally, people are asking the right questions. You know, the last four years were incredibly frustrating to be covering cybersecurity. There was a lot going on, but anything that was done for US cybersecurity and cyber defense during the Trump administration was either done under cover of darkness at the NSA or at Cyber Command, or was done at the kids' table, with some of the efforts that DHS and CISA were trying to make to secure the 2020 election. And in both cases no one wanted to tell the White House what they were doing. At least now we have an administration in there that is getting up to the podium and talking about ransomware and repercussions and bringing it up with Putin at the top of the agenda, etc.

And just building off of that, because we're in San Francisco and I feel like you can't go five minutes without somebody mentioning cryptocurrency: a big criticism of cryptocurrency has always been that it allows cyber criminals to hide, because you can't follow the money. So I think it was actually really encouraging, in connection with the Colonial Pipeline attack, that the Biden administration figured out a way to follow the money, follow the crypto, find out who was behind it, and take action that way. And they were very vocal and transparent, perhaps to deter other cyber criminals who thought that they could get away with it because the money wasn't traceable.
Of course, that only affects cyber criminals motivated by financial benefit. It doesn't necessarily protect us against the espionage and the sabotage elements of cyber attacks. But do you think that also helps, that maybe cryptocurrency isn't the vehicle that we once feared it would be?

It's really interesting. You know, I sort of was just running from forest fire to forest fire and from ransomware attack to ransomware attack, and my knee-jerk reaction was that the fuel for these fires, for these ransomware attacks, has been cryptocurrency, because I actually covered the first ransomware attacks in the United States back in, I think it was, 2012. And back then it was cyber criminals demanding $200 from individual PC users, and they would say, okay, go to your local drugstore, get a prepaid debit card, give us the number of the card and your PIN, and that's how you'll pay us. Okay, then cryptocurrency happened, and now you're seeing ransom demands of $50 million. Last weekend it was $70 million. Crypto has made it a lot easier for cyber criminals to make these outrageous ransom demands, and the idea was that they were untraceable. So over the last six months, I think up until the Colonial Pipeline incident, I just thought, wow, cryptocurrency is really, or sorry, ransomware is really going to be the Achilles' heel for cryptocurrency. This is going to force governments to really put the kibosh on some of these cryptocurrency exchanges that don't enforce anti-money-laundering laws and know-your-customer rules, etc., etc.
So what was interesting was, then we see the DOJ and the FBI come out a couple of weeks ago and say, we were able to recoup some of Colonial Pipeline's ransom payment. Really, that was their effort to turn the tables on cyber criminals, but also to try to force companies to tip off the federal government to their attacks, which is something that wasn't happening for a really long time. Most companies just want to bury this and pretend it didn't happen, because they worry about what will happen to their stock price, or class action lawsuits, or just the brand damage that could happen from that. So I think it was this administration's way of saying, tell us, and we might be able to help you get your money back. So I went and interviewed a couple of people around the very actually new wave of startups that I think is really interesting, which is blockchain intelligence companies. These are companies that trace payments along the blockchain, along the public ledger that Bitcoin and other cryptocurrencies land on. And by the way, the people working for these blockchain intelligence companies are former Treasury officials who handled counterterrorism and financial intelligence for the Treasury. I was shocked by what they were telling me. They said, no, no, no, you don't understand: to trace this kind of ransom payment in fiat currency, in cash, would take us years. We would have to go from bank to bank to bank, to front company to front company, finally to the Seychelles, partner with law enforcement in the Seychelles to recoup these funds; it could take years. Now we can actually do it in real time. We can trace the movement of these payments in real time. And then it gets to good old-fashioned police work at the end of the day, of how to actually get those funds out of the wallet.
Whether it's, you know, serving, and you probably know better than I do, Lindsey, but it was serving a subpoena or search warrant of some kind to a cryptocurrency exchange, or hacking a cyber criminal's computer, getting their password and recouping the funds that way, getting the key that way. So it's interesting. Basically, my takeaway on cryptocurrency now is much more nuanced: it's a blessing and a curse. It's been fuel for these ransom demands, but it also makes these payments much more traceable. Now, the question is, if DOJ and the FBI could recoup almost half of what Colonial paid for their ransom payment, what are they going to do for JBS, the Brazilian meat processing company that was hijacked a couple of weeks ago, or what do they do for other companies that have paid their ransom? Was this a one-off, or is this scalable, or will cyber criminals just move to some of these more anonymous cryptocurrencies like Monero, which is harder to trace, or will they make sure to only use cryptocurrency exchanges to withdraw funds in places like Romania, or different places where we don't have law enforcement collaboration and cooperation? You know, the story of security has always been a cat-and-mouse game. And so we made this one leap, but what's going to happen next? Chances are it's going to keep going like this.

Yeah, I think that's exactly right. And, you know, kind of switching gears slightly, we've been focused a lot on security, but to cross the bridge to privacy for just a second. As a result of a lot of these... Okay, there we go, I thought it was on me. As a result of a lot of this coming to light, Snowden and everything else, in terms of what the US government is doing in terms of national security and law enforcement surveillance...
As a result of this coming to light, Snowden, in Europe, the invalidation of the mechanism that businesses use to get data out of Europe into the United States, through a series of court actions and challenges. It's really difficult now, and it's quite uncertain, whether or not companies can take data out of Europe and access it from the United States. And so, you know, your book talks about how all these different governments around the world are doing the exact same thing. So I'm just wondering if you have a perspective on whether the privacy impact is uniquely a United States issue, or is this a wider issue, and is this idea that, oh, the US is the one that's doing all this surveillance, missing the point?

Well, you know, there was a lot of talk about the balkanization of the internet after Snowden; Brazil was demanding that only Brazilian data centers would hold Brazilian data. And the fundamental misconception with that is that the NSA spies on foreign systems. They're really only hamstrung when it comes to spying on domestic systems. So just keeping their data in Brazil doesn't really stop the NSA from spying on that data. So, you know, that's sort of my general take on whether balkanization of data hamstrings US surveillance: it does not. And, you know, the other thing is, they can't go to Google, maybe, and say, hand us this. If it's just a European company and the US goes to them, they might not be able to go to them the same way that they have been through FISA, with national security letters, to Google, to Apple, to Microsoft, etc. But we certainly saw that they are more than capable of hacking into those data centers and grabbing that data. And that is their job, essentially. So, you know, the idea that somehow the data will be better protected for foreigners by keeping it in house, I think, is a little bit of a fallacy.
The other thing that's interesting on the privacy front, as it relates to security, is SolarWinds. So, you know, we have been hacking into foreign systems. This is a policy that Paul Nakasone, the director of the NSA and Cyber Command at the Pentagon, calls "defend forward" or "active defense," and the idea is, we'll hack into Russia's power grid as a show of mutually assured digital destruction, because they've been planting code in our grid for a long time. My colleague David Sanger and I broke that story. We went to the National Security Council before we published the story and said, hey, we're about to publish a story in the New York Times that says you've been hacking into the Russian grid and making a pretty loud show of it. What say you? We thought we were in for a pretty painful conversation. Instead, the NSC said, we have no problem with you publishing this story. We want Russia to know that we're hacking into their grid; we want them to know that should they do anything here, we'll just turn around and do the same thing there. But the other idea behind active defense and defend forward is that by hacking into adversary systems, we would get an early warning system set up to get ahead of attacks on the United States as they were being plotted and planned, and before they could execute on US systems. And what we learned with SolarWinds was that that is actually a fallacy too. They were in our systems, our federal agencies, for nine months before FireEye, a private company, discovered that it had been breached, and only in unwinding its own attack did it realize that the attackers had come in through SolarWinds, the software from this Texas company. And then we learned that Russia had set up their servers, their command and control servers, all in the United States, through things like GoDaddy in New Jersey.
And that is precisely where the NSA can't look; they can't look at that kind of domestic traffic. So really they've exploited our privacy protections against us, just like Russia, I think, for the last five or six years has been exploiting our First Amendment against us with some of its disinformation and misinformation campaigns on social media. So what's clear to me is they really have our number, and, you know, without compromising on privacy, how do we solve for this? And I think that's a really hard question. You know, there was an executive order, one of the last that Trump signed, which would require hosting services to know foreign customers, and which foreigners were using their services inside the United States, and I haven't been tracking it closely to see how that's been. But that is my biggest concern with privacy: that our adversaries have recognized that they can really turn the tables on us with regard to our privacy protections, and by hacking the United States from inside our borders, where the NSA can't look, they can have a lot more success. And it's not just Russia. We actually just saw China do the same thing with this attack that was recently discovered on Microsoft Exchange systems, basically email servers. And so they staged their attack from inside the United States, knowing that that is not where the NSA operates. And, you know, the way we track that kind of activity is very bureaucratic. The NSA might catch wind of some kind of operation, either through digital means, through hacking, or through some human intelligence; they would pass that to the FBI, and then ostensibly the FBI could go investigate. But these hacks happen so quickly, and the hackers are so flexible and malleable, much more so than our bureaucracy here, that it hasn't been working very well. And so I really worry about the next chapter. SolarWinds is not the first time.
There will be a software supply chain attack staged from inside the United States, and what we do to prevent that is a really hard problem.

Why, I have so many more questions, but I want to open it up to the floor, and I think Laura or Pam will take it from here with some of the questions that have been entered into the chat.

Pam Choi, our events assistant, is going to read off questions from the chat. Okay, this is from Brian, and again I apologize if any of these questions have been covered in the talk; there's been so much said. But Brian asks, I read the NSA lost control of their library of these exploits. Is that true, and did anyone get fired for that?

Great question. So, when I started this book, it was 2013, and I was writing about this exploit market, and I was asking questions about the moral hazard baked into this market and the security implications of this market. One question I never even bothered to ask, because my imagination wasn't even capable of it at the time, was what happens when the NSA's own stockpile of all of these zero-day exploits gets stolen. And that is what happened. And to me this is the biggest story, far bigger than anything we learned from Snowden. But when I covered it on the front pages of the New York Times, for whatever reason, probably because it's so technical, it never really stuck in the American consciousness for long. And that's when I really knew I needed to get this book done, because I knew I needed to communicate what a big deal that was, especially in the context of everything else I'd been investigating. You know, really what happened was the NSA's exploits were stolen. We don't know by who; we still don't know by who. But sometime in the fall of 2016, when everyone else was distracted with the election, someone appeared on Twitter, they called themselves the Shadow Brokers, and they claimed to have access to some of the NSA's hacking tools.
And at first no one believed them, but then over a period of several months they started dribbling out some of the NSA's hacking tools. And it was very clear that these were the real deal. I would call up former NSA hackers and say, what is this? And they said, these are the keys to the kingdom. And in early 2017 something horrible happened. They dumped the mother lode of these exploits, zero-day exploits for Microsoft Windows software, some of the most widely used commercial software on the market. And what some of these tools did was, if you could break into a Microsoft Windows system, you know, sometimes a hacker would manually go server to server looking for goods to siphon off. Well, this NSA tool automated that process, so it allowed the code to basically do the searching for you. So the NSA used this tool, it was called EternalBlue, that was the code name for it, for counterintelligence. And when I asked about this of these former NSA hackers, they said, this tool was getting us some of the best intelligence you could ever even imagine on terrorists. We never seriously considered turning this over to Microsoft. And we thought that it was so hard to perfect this zero-day exploit that no one else could possibly use it. But they never anticipated that one day someone would hack them, or an insider would come in and take it and dump it online. But that's what happened. So around March 2017 they dropped this mother lode of NSA exploits. One of the first things that happened was North Korea picked it up for a global ransomware attack that hit British hospitals, that hit companies all over the world, but they were a little bit sloppy in the attack. And so a hacker in the UK was actually able to neutralize the attack pretty quickly.
But then one month later Russia picked up the NSA tools, and they used them in an attack on Ukraine that looked like ransomware but actually wasn't ransomware at all; there was no way for victims to pay the ransom. It was just a tool of destruction. And it took out Ukrainian government agencies; people couldn't get gas at the gas station, they couldn't get money out of ATMs, grocery stores were frozen, even at the old Chernobyl nuclear site the radiation monitors, the monitors that monitor the levels of radiation off of the old leak site, went down. But it also hit any business that had any kind of operation in Ukraine, even a single employee working remotely from Ukraine. So it hit FedEx; it did $400 million in damage to FedEx. It hit Merck. Merck had to tap into the CDC's emergency stockpiles of the Gardasil vaccine that year because their factory production went down in the attack. And so on and on and on. It cost us $10 billion in damage, and there really has been very little accountability for that leak and those attacks. But someone was fired, and it was Mike Rogers, who was the head of the NSA at the time, because there was no accountability. We still don't know; maybe someone inside the NSA knows who the Shadow Brokers were, but we don't know. For the book, I actually went and interviewed Mike Rogers, and I asked him, how well do you sleep at night after this? And he said, I sleep just fine. I said, do you feel like you bear any responsibility for what happened? You know, the NSA's tools getting leaked, getting picked up by North Korea and Russia and getting used on American businesses and critical systems. And he said, the analogy he used was, Nicole, if Toyota makes a pickup truck and someone else comes along and takes that pickup truck and bolts a bomb onto the front of it and drives it into a crowd of people and it explodes, does Toyota bear responsibility for that attack?
And, you know, think what you will about that analogy, but I think what's clear is he felt very little responsibility for what happened. And I have a different position. I think that the NSA bore a lot of responsibility for that attack. And that, you know, unfortunately, the lessons were lost too quickly, or no one wanted to really acknowledge what happened, let alone talk about how to prevent something like that in the future. And that became a big part of my book: really calling that out and adding a narrative to it so people could understand what a big deal it was that basically we let our best weapons get away and we just handed them to our adversaries. For a long time the US had first mover advantage. We had the best cyber capabilities. But what happened in those attacks was the capabilities gap closed significantly. You know, North Korea would have never been able to develop that zero-day exploit on its own at this stage. They're just not there yet. But we just handed them the goods. And so it was a really, really big deal.

Bob Mueller's question. I've noticed, hold on. I've noticed that media accounts hardly ever give details of how hackers break into systems initially. What is your take on why reporters don't dive down to the attack vectors, the way the hackers open the door to their hacks? This would really help vulnerable entities see what they're doing wrong.

Well, we do, but they do get lost in the story sometimes. You know, the hardest part of my job is balancing audiences, writing for a lay audience about something that's very technical. I think you're right that it's really important to call out how these attacks happen. So, if you look at some of my recent reporting, I talked about how Colonial Pipeline was breached because of a lack of two-factor authentication, an old employee account and a stolen password.
How the water treatment hack that was terrifying back in February, when a hacker got into a water treatment facility in Florida and was able to actually up the level of lye in the water to a point where they could have badly poisoned the population, except it was caught, fortunately, was enabled because they were using a decade-old version of Windows that couldn't even get patches if they wanted to, because Microsoft no longer supports it. You know, I've talked all day on Twitter about how 80% of the ransomware attacks are enabled because of a lack of two-factor authentication. And then I spend a lot of time in my book talking about the fact that so much of this comes through phishing, etc., but that the capabilities are getting far more sophisticated, and now it's with zero-days, and those are really hard to defend against. Which is why I think we have to change our calculus, from "hold on to every zero-day we find or we buy off the underground market" to, if we're going to hold on to this, we should only hold on to it for as long as our operation lasts. Let's use it just to get in, and then let's turn it over once we're done with it. And we haven't been doing that. That EternalBlue exploit I mentioned earlier, we held on to it for more than five years.
That's a really long time to hold on to a critical zero-day in Microsoft Windows, the most widely used software on the market, software we bake into our critical systems here in the United States. Again, you know, the answer I was getting from NSA folks was, this was getting our best intelligence, you don't understand. And it's, okay, well, it might have gotten you your best intelligence, but it also enabled the most destructive cyber attack on the United States in history, so we need to factor that into some of our decision making. But I think you're right. You know, I think for a lot of people, the hardest part is when you use terms like cyber Pearl Harbor, and you're covering nation-state attacks all day, the worst side effect of that is that it gives people the impression that the situation is hopeless and there's nothing they can do. And that's not true. It's a little bit like the pandemic, where, yes, governments have a huge say, businesses have a huge say in developing a vaccine and in some of their corporate policies, but individuals have a big role too, in social distancing and wearing a mask. And the same is true in cyber. You know, it is up to us to use two-factor authentication, and I've said it 20 times during this talk, and different passwords, because often the way that these attackers get into organizations is through the weakest link, and the weakest link continues to be employees who click on phishing emails and use dumb passwords and don't use two-factor authentication. So, you know, we all have a role to play. And that's another reason I really wanted to write a book for a lay audience, because I wanted people to understand that we really all do have a very important role to play in securing ourselves, in securing whoever we work for, and also in creating some of the domestic pressure that I think it'll take on the US government to make cyber defense more of a priority, to rebalance between offense and defense.
And so, you know, that was always the goal.

This next question is from Carol Verberg. Do you see security problems with the US mass switch from fossil fuel to electricity? Are backup systems possible for large grids?

So the hard part, and it's so hard to say, because actually, in terms of global threats, I mean, we're in the Bay Area, I know we're all terrified about this year's fire season. For me climate change is up here and cybersecurity is down here, and maybe disinformation is right here, in terms of global national security right now. But a lot of answers and proposed solutions to climate change rest on digitizing everything, on electric cars. And that creates more opportunities for hackers. And, you know, my answer to this is that shouldn't stop us from moving to more of these efficient systems, but I think it's time that we recognize that Microsoft wrote Windows for desktop computers; it didn't write it for cars. You know, Linux was written for desktop computers and PCs; it wasn't written for our water treatment facilities. So, one little iota of hope is that when I interviewed all of these shady zero-day brokers and hackers for the book, I would ask them, is there anything you haven't been able to hack? And there was one. And it was this little company in Santa Barbara called Green Hills Software. I tried to reach out to them before my book published and they never got back to me, and only after the book published did they reach out to me, but I finally was able to interview them. And what they said was that their first project was creating an operating system for the B-1B intercontinental missile delivery system. The Pentagon had come to them and asked them to do this. And so they knew that they had to make the code secure, because they would not be able to fix anything after the fact with a remote software update, because that remote access could be exploited by an adversary to turn our weapons systems against us.
So they said, I wish I could tell you it was a magic algorithm that made our software more secure, but it wasn't. It was just that we went line by line by line, and we vetted every single line of code to make sure that it was secure, that there were no errors, that there could be no zero-days. And then they sent it to the Pentagon, where the NSA actually tested it for a period of six months and said, yes, actually, this is secure, and they baked it into our weapons systems. It's used in F-16s. It's used in a lot of missile delivery systems in the United States. Basically their biggest market, or biggest customer, is the Pentagon, but you could see a world where that's the kind of software we're going to use for security-critical systems like electric cars, autonomous self-driving cars, the grid, etc. And I hope that's where we go. I really hope that's where we go. And then for backup power, that just reminds me that when Russia took out the power in Ukraine, they made sure to take out the backups too. And I'm not an expert on the power grid, but I was struck by how carefully they designed that attack to make it harder for Ukraine to get the power back on. They went as far as to turn the lights off in the building where the engineers would have to go to turn the lights back on and restart everything, so that they were fumbling around in the dark with flashlights. I mean, those are the lengths that they go to, and often one of the first things we see in ransomware attacks too is that these ransomware cyber criminals will go and find the backup systems and encrypt those first. So, you know, yes, we can have, we should, we do need more resiliency, but we need to be very careful about how connected those backup systems are to day-to-day business operations and that kind of thing.
Dennis asks, how do you differentiate the vulnerability of the nodes, i.e. Colonial, versus the network itself? Can the government not mandate the network infrastructure itself be ruggedized and secured? The fact that Colonial had a pathway from any user account to an operational control network is pure negligence. These are different systems completely. Oh, ruggedized. Sorry.

Yeah, you know, it's really interesting, because we're learning more and more about the Colonial Pipeline hack, and the issue wasn't that the ransomware got to the pipeline itself; the issue was that it took their billing systems offline, and so they had no way of charging customers downstream. And so then they took the preemptive step of shutting down the pipeline. So, even though we believe that they had segmented the pipeline, their OT system, as it's called, from their IT systems, they still shut down the pipeline because they couldn't charge customers in their business. It's interesting, as I go to a lot of these very niche industrial security conferences, and a few years ago I went to one and met a company called Waterfall Security. They're in Israel, and their only product, and I apologize that it has a very jargony name, is a unidirectional diode. And what it is is just a way for data to only flow in one direction, like a waterfall. So, they work with a lot of pipeline operators in the United States. So, you know, if Colonial Pipeline had been using a unidirectional diode on the pipeline, they would have been able to capture data about where the outflows were, and would have been able to continue to bill customers, but they didn't have that. So that is, I think, another possible solution to some of these systems, where, yes, you should segment them, but often that segmentation is very difficult.
And what you need in between is not just to have them completely segregated, but to have something like a unidirectional diode in between, so you can still capture data off that critical system that, you know, malware and ransomware can spread in. And so in Colonial Pipeline's case that would have prevented what happened next, and I'm sure they probably signed up with Waterfall or one of their competitors after this attack. But I hope that answers the question.

I think the American asks: the NSA is tasked with both gathering intelligence and defending against attacks. These roles feel antithetical to each other. In order to defend against security issues, don't we have to release the zero-day vulnerabilities to fix the issues? Would it be more effective to have separate agencies independently tasked for offense and defense?

That's been a big question for a really long time. You know, shouldn't we separate the offense side of the house from the defense side of the house? And it is true, there is a legitimate argument for that. You know, I say in the book, I forget what the ratio is now, but it's something like for every one engineer working on defense at the NSA, making secure code, there are 100 breaking code. And so it's always been tilted more towards offense. The energy has always been on offense. I think the ratio was even higher than that. I don't have the numbers in front of me, but Ed Giorgio gave a talk; he worked at the NSA, and he worked on the defense side of the house and the offensive side of the house. He gave a talk at RSA, the San Francisco security conference, a few years ago, where he said when he was on the defense side of the house he led a team of maybe 17 engineers, I think it was, and then when he worked on the offensive side of the house it was 1700 engineers. And so there's always been this imbalance, and there's always been people saying that we need to separate these operations into policies.
And the reality is more complicated. You know, to be a really good defender, you need to really understand offense, and you really need to know what the best, most novel offensive methods and techniques are. And I think that is a very legitimate argument too: the NSA is the best at what it does worldwide. Why would you want to divorce that knowledge base, and those people and those resources, from the defensive side of the house? So I don't know if that's our solution. And then when you look at agencies like DHS, the Department of Homeland Security, which is charged with our cyber defense, unfortunately, it's been sort of this bureaucratic letdown for a long time. And even just in terms of recruiting, we have a huge talent shortage in the United States for engineers, let alone cybersecurity-focused engineers. And so we've tried to replenish the pipeline through scholarship programs and that kind of thing. But where do most of these engineers want to go work once they've graduated from college and do their federal service? They want to go work on offense. It's always been more fun to spy, and, you know, be a pirate, than work on the Coast Guard side of the house. And so we've had a long, drawn-out problem of getting engineers to work on defense at DHS or to work on security at the Pentagon and that kind of thing. So it's difficult. I think one of the things that has been heartening, and I talk about this in the book a little bit, is the Pentagon, which was notoriously a closed box that would threaten or arrest anyone who probed its systems for vulnerabilities, now has opened its doors and said, please hack us and let us know where you find vulnerabilities, and we'll reward you for that with a bug bounty program, with bounties, with payments.
They've also done private bug bounty operations where they'll work with these companies, many of them based in the Bay Area, that crowdsource these hacks, these sort of penetration tests, to hackers in their network, who will come and, you know, hack the F-16 or some back-end system at the Pentagon and turn over vulnerabilities so the Pentagon can patch them. And that's sort of a creative way to get people who specialize in offense to work on defense. And I think that, again, the government in the United States, sorry to say, only protects .gov and .mil; they don't protect .com. And that's always a shocker to people. It was a huge eye-opener for me when the New York Times was hacked by China, and I got to embed with our security team. And the FBI came and we told them everything we'd learned, and they said thank you very much, they put it in their binders and they walked out, and we never heard from them again. You know, it is not their job to protect the New York Times. Maybe sometimes they'll share threat data with us, and that's the direction we're going, trying to improve the sharing of threat intelligence between the public and private sector. But again, this is a really hard problem to solve for cyber defense in a free market economy, where we don't want the NSA sitting in our corporate systems or private systems, monitoring traffic as it's going in and out.
The biggest compromise we make in the name of privacy is on security, and there are other countries, like Israel, where they have made a bigger compromise on privacy. They've let the Israeli cyber defense essentially sit inside some of these critical systems and monitor for threats, to stop them as they come, and they've made that trade-off because they're Israel, and they see their defense and national security as the top priority above everything else. Here in the United States our value system is still very different, and so we have to operate within these constraints, which is why solving these issues is just much more difficult, especially when you're trying to solve for them in a hyper-partisan government.

There was nearly zero focus on the IT security vulnerability related to scenes of the physical Capitol breach and open, logged-in computers of various US representatives. Do you have any comments on that?

No, you know, in a previous life I worked at the Capitol. And you'd be surprised how elementary some of their technology is. I'm not downplaying the threat at all, I'm just saying that there would have been significant hurdles for the people who stormed the Capitol to get access to any kind of classified data on those computer systems, but of course it's not impossible. And I do think that is a big vacuum for reporting. I think we need to do a better job of figuring out what they were able to get off of those systems. But, you know, just having worked at the Capitol and interviewed congressional staffers, it wasn't their biggest worry. And there would have been some layers in between, you know, even testing out passwords on some of those systems and accessing sensitive classified data. And who knows how well those layers held up.

And one final question from Daniel Marshall.
What's the name again of the company that develops software for managing missile launch systems?

Green Hills. I'm about to write about them for the New York Times. But you know it's tricky, because you never want to write about the unhackable company, because then everyone finds a way to hack them. But it gives me a little bit of comfort to know that both shady zero-day brokers and the NSA were not able to hack their operating system. Now, they found bugs in some of their other security software, which I'm going to have to mention in this article. Not their security, some of their other software that's used for less critical systems, but the operating system that they have for what they call safety-critical systems is still considered some of the most secure on the market. It's just that it's not considered scalable right now in the same way that other software is, and it doesn't have all of the neat features and bells and whistles that other operating systems have. But I do think there's a real, you could see a world where the ransomware attacks, and emergency attacks, were getting so bad that we said, okay, we're not going to pull out of the Internet and unplug everything, but it's time to really make sure that the code is locked down, and this is just one potential solution there.

I want to thank Nicole Perlroth for a really eye-opening and also insightful and somewhat frightening conversation, and also want to thank Lindsay Tonsager, our new board president of the Mechanics Institute, for engaging in this conversation. This has been a really eye-opening and really powerful conversation, and I want to encourage everyone to pick up a book at alexanderbook.com, and also Nicole as we go. So thank you very much, everyone, and we'll say good night and we'll close down. See you soon.

Thank you. I know that that was a technical conversation and often a little bit intimidating, and it's one.
So I hope everyone has a nice glass of wine, and thank you so much for joining us. It's lovely to see your faces. Thank you. It's great. Thank you, everybody. I'm going to close down right now, but it's great to see everybody.