All right, and you are live. I'm going to drop, and the floor is yours, sir.

So I'm utterly delighted to join you all and share with you a concept that we call useful fiction, or sometimes called fictional intelligence. Basically, what it is is a blend of nonfiction research and analysis with narrative, with storytelling. And in particular, this is a project that we did with the Cyber Solarium Commission, that many of you are probably familiar with. This is the bipartisan commission that was tasked to think through both the future of cyber threats, but also US government cybersecurity strategy, how do we handle it. And we were asked to help generate out a vision of the key themes from their report, packaged through scenario, and it actually was the introduction to the report itself. So think of it as a vignette, but also akin to an executive summary. And it goes as follows.

Warning from Tomorrow, by Peter Singer and August Cole.

You spend your whole career on Capitol Hill hoping for an office with a window. Then when you finally get it, all you want to do is look away. They set up our emergency off-site for essential Senate staff in vacant offices once belonging to one of the contractors that lobbied us, before they all went belly up last year. The offices are in a high-rise in Rosslyn with a literal million-dollar view looking across the Potomac River.
You can see past the National Mall and the monuments all the way into downtown DC, and it just breaks your heart. The rainbow of colors in the window paints how everything went so wrong so fast. The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals. By comparison, the water in the Lincoln Memorial Reflecting Pool has a purple blend to it. They've pumped out the floodwaters that covered Washington's low-lying areas after the region's reservoirs were hit in a cascade of sensor hacks, but the surge left behind an oily sludge that will linger for who knows how long. That's what you get from deciding in the 18th century to put your capital city in low-lying swampland, and then in the 21st century wiring up all its infrastructure to an insecure network.

All around the Mall, you can see the black smudges of the delivery drones and the air taxis that were remotely hijacked to crash into the crowds of innocents like fiery meteors. And in the open spaces and parks beyond, tiny dots of bright colors smeared together like some tragic pointless painting. These are the camping tents and makeshift shelters of the refugees who fled the toxic railroad accident caused by the control system failure in Baltimore. FEMA says it's safe to go back now that the chemical cloud has dissipated, but with all the churn and disinfo on social media, no one knows who or what to trust. Last night, the orange of their campfires was like a vigil of the obstinate, waiting for everything to just return to the way it was. But it won't.

A knock on the door shakes me out of it.
It's a legislative director checking back in. She's anxious because the boss promised that we'd get a draft of the bill out tonight to all the other committees that touch on cyber security. No cars are online, and nobody wants to risk the Metro after what happened on the Blue Line. That'll mean hours of walking from office to office. At least the irony of backpacking around paper printouts of new cyber security laws will be lost on no one. I tell her that I'll get it done and turn back to words missing the preamble. I mostly mined the language from old legislation that someone just like me wrote after the 9/11 attacks. I know some online troll or talking head on the news will end up calling it lazy, but it's the closest anyone can think of as a parallel. Of course, with all the servers down, our poor intern had to run a paper copy from the Library of Congress. It reads as follows.

Whereas for as long as the United States has been a nation that invented and then became dependent on the internet, it has faced online threats; and whereas these threats grew in scale and frequency, we grew too accustomed to digital interference in our society, economy and even elections; and whereas AI and automation changed these networks from use not just for communications but to connect and operate the things that run our physical world; and whereas a new type of vulnerability thus emerged, where software could be not just a means of theft but a weapon of mass disruption and even physical destruction; and whereas our government and industry failed to keep pace with this change of technology and threat, being ill-organized and ill-prepared; and whereas these vulnerabilities have just been exploited in extraordinary acts of treacherous violence that caused massive loss of life and effectively held the nation hostage; and whereas such acts continue to pose a threat to the national security and very way of life of the United States: now, therefore, be it resolved by the Senate and House of Representatives
of the United States of America in Congress assembled, that the government of the United States must...

Must what? What can we really do? No matter what legislation we pass now, after everything that's happened, we're too late.

In 2021, I mean, critical infrastructure is having all these challenges and somebody still can't hop on without being on mute. So I was just joking, not to start things off on a somber note. But of course that was the fictional story that you put for the Cyberspace Solarium Commission, as you noted. So let's step back, right? You mentioned this concept of fictional intelligence, which is using story, storytelling, to help educate and bring around understanding, awareness and change, part of what we're trying to do here at the village. How did you first get into that?

So the background to it is, in many ways, August Cole and I stumbled upon it in a project called Ghost Fleet. And it was a combination of a techno-thriller novel. It looked at what a war between the US and China and Russia might look like. But we were both nonfiction guys. You know, I have written nonfiction books on cyber security and, more recently, weaponization of social media, teach classes on it at graduate school level. In turn, August had been the defense beat reporter for the Wall Street Journal. So when we were building this novel, we couldn't help ourselves and actually conducted years of research and showed it in the book. So it was a novel, but with, I think, 27 pages of research endnotes. And the rule in it, as we built it, was you couldn't just dream it up. You couldn't do like, you know, related to cyber security, where someone goes, you know, clickety-clack, we're in. No, you had to have the citation of: here's the threat intelligence report, here's where this type of attack actually happened out in the wild, often the US conducting against someone else, and then, hey, maybe someone might do it back against us. And the combination of the two, of this nonfiction and narrative fused together, really took
off. It obviously sold really well. But that package, and it's sometimes called FICINT, or also you might think of it as useful fiction, is what we also call it, it proved to be the most influential work of our careers. I testified to Congress, I think, four times on it. Three different government investigations were launched to essentially fix things that we had identified inside our novel. Gave briefings on its real-world lessons everywhere from the White House Situation Room to the Nobel Institute to Cyber Command and NSA to the deck of an aircraft carrier, name it. And so it just struck us that this combination had great power, and again, it's the fusion that matters. A techno-thriller, science fiction, you know, I love them, but they're like a milkshake. They're entertaining. They're not designed to be good for you. In turn, a PowerPoint briefing, a white paper, a trend report, that's like handing someone, you know, a fistful of vitamins, and they take it and, you know, most people will be like, I don't want it, or I'll ignore it. Useful fiction, it's what I did to my kids this morning.
It's a breakfast smoothie. So you're sneaking the good stuff into that package of a story. So the value sell of it is, one, they're more likely to read it. Two, the science, not to get wonky with you, but the science shows that it's more likely to stick with them. When you read a white paper, when you listen to a PowerPoint, whatever, two parts of your brain light up. When you get that same information packaged in story, four parts of your brain light up. And then one of the other really cool things about it is good story hits with emotion, and as everyone from a, you know, salesperson to a politician knows, emotion is what drives the sale. And so that example that we did for the Cyber Solarium Commission, it was targeted not just to capture the key things, you know, what critical infrastructure threats might look like in the future, but it was also trying to connect to an emotion of their target audience, which was: you don't want to experience this. Simulated, the synthetic experience's character, like you, a congressional staffer was our target audience, they feel regret. Do you want to feel that too? Oh? Read this report. Put this legislation into action. You won't have that negative experience. So those are some of the value propositions of the idea, and it's been awesome since then. You know, we've done it with Congress. We've done them for corporations. We're doing a project right now for the British government and the US Marine Corps. The concept has really taken off. It's been a lot of fun.

So how did you get tied into the Cyberspace Solarium Commission? Is that something where they recognized the value of this based on what you and August had done previously and said, we want that to help get more impact when this report comes out?

Yeah, they actually approached on that, and, you know, it was awesome.
It was... and, how to put it, the best kind of projects are the ones that are important and intrinsically interesting, which is a nice way of saying fun. And so, you know, the Solarium Commission, obviously hugely critical, but also to try and pull back and go, okay, this is, I mean, I have to go, what was it? It was a, I'm looking real quickly, 182-page report. Okay, how do you take the goodness within that 182-page report, boil down its key themes? Some of its key recommendations are even buried within that story. For example, there's a little offhand reference to public-private, there's another offhand reference to too many committees touching on cyber security and sort of the frustration that staffer feels. So basically it's like a riddle: how do we take those themes and boil it down into a story? And so, you know, we boiled it down in the story of a staffer, you know, trying to figure out how to write legislation the day after the equivalent of a massive level of a critical infrastructure attack like we haven't yet experienced, but people like you and I, you know, who work on the, also the research, I go, look, these are real-world threats, whether it's water systems hacks... You'll notice there's no part of it that's the lazy "oh, the power grid might go down." I mean, that is a real threat, but we go beyond that, because that's one of the key issues that we see looming. It lays out, again, you know, it might be water systems, it might be transportation networks. When we say water systems, there's different types: there is the chemical levels, there's the reservoir systems that control the water level in rivers. You know, we can go on: there's GPS hacks against aerial systems. All of that's gonna get a lot more interesting when it comes to greater use of drones and delivery or the like. So it was basically this riddle of how do we capture that?
Tell that story in a way that also links to emotion? I'll give you another fun example of one that we did, that was with a corporation. We were trying to figure out, for C-suite leaders, how do you convey, you know, the experience of why they ought to act to protect the network? You know, as everyone knows, it's not everyone, as people in the industry know, you know, it's often not how do I convince the C-suite of the risk, it's how do I convince the CEO and the board and the chief financial officer. And it can't just be, well, the network might get hacked; they're aware of that. And so we created a scenario which was their nightmare scenario, and it's a couple of days after a breach, a ransomware incident. Going back to predicting the future, I'm seeing a lot more of these recently. But it's not, you know, the nightmare scenario for the CEO is not "oh, my company might get hacked." The story is set as a CEO is sitting in row 27 of a commercial flight. So they're in the worst of coach class, as they have to fly to Washington to testify to Congress about the breach. So for them, it's the, and you'll remember the executives a couple years back who got caught, you know, in their private jet, so now they have to fly commercial. And so it's this experience of, you know, what is my the Lee? It's not network getting hacked, it's how will I personally have to deal with it, and I'm gonna have to fly coach, and my board's angry at me, and I'm gonna be yelled at by a bunch of members of Congress that I just have to sit and take it. And so it's again setting up that this is why you need to act. Not just "oh, the network might get breached." How do we connect it to a scene and emotion that they care about?
So I'm guessing that you didn't have a background deep in industrial control systems prior to a lot of this research. And I think that's kind of an interesting thing, because there's such a depth of technology, and when we talk about critical infrastructure, while that sounds like a simple two words put together, the fact that that's 16 different SSAs and the various technologies, it gets a lot more complex. So how do you approach the research process to get technically smart enough, so, as you said, while you're not peddling the vitamins, that you're at least staying true to the nutritional formula?

Yeah, that's a great question, and, you know, how to put it, to continue that, there's a recipe, right? You know, so making a good smoothie, there's an actual recipe to it, to get the nutrients and the taste side. So a lot of this was drawn from the work that we did for a more recent product called Burn-In, which you and I actually got to chat a while back. Burn-In was, it's a book that's a package of useful fiction. It's a story that follows a hunt for a terrorist who's going after IoT about 10 years out. And so we get to see what are the different ways that we're going to be using IoT and, more broadly, as we weave in greater amounts of automation and AI, because to me there's a common... it's not just that we're moving to an internet of things.
It's an intelligent network. But we are seeing all sorts of vulnerabilities baked into it, and it opens up new, both threat actors and types of attack, and that's what Burn-In was capturing. Now, the research for it took about three years, and it involved everything from, you know, pulling up threat intelligence reports and actually, you know, presentations that are, you know, at places like a DEF CON, of folks showing off what they've been able to do, showing some of the vulnerabilities that are out there. In addition, interviews, interviews with experts from across, you know, everything. You know, so if you want to know about water systems vulnerabilities, there are extensive threat reports on it, but I also did interviews with both analysts at cybersecurity companies all the way up to executives. And one of the interesting things about that was, and it hit when you were talking about the multiple different sectors, it basically got into, I'm talking about why the cybersecurity industry was drawn to market and provide more services to some parts of critical infrastructure than others. There is, to put it bluntly, sort of a market structure that makes some types of markets more profitable than others. Water is an area where, if you look at the structure of the industry, it's a lot of mom-and-pop-size companies. They're not large regional companies; it's either mom-and-pop-size private companies for the most part and/or a local county, city or even town water authority. And the structure of that means that, oh, and on top of that, the regulatory agency for it, up until recently, not interested in cybersecurity.
Its focus is on pollution. So there wasn't a lot of kind of attention steering the way. If you look at, for example, a parallel like, you know, set aside banking, where all the incentives are aligned to cybersecurity, in terms of, you know, the monetary value is very clear. Power industry, you know, there you've got everything from, there's been more attention paid to it, to larger companies that have larger budgets and the like. And so you get that from interviewing the cyber security companies: why are they not spending much on it? Why are you not marketing as much to them? To the other side of it, I interviewed water systems engineers, the people that literally designed the water networks for major cities like Washington, DC, which is where the story is set. So, you know, and you get, when you talk to people, and, you know, you'll have a lot of this in, you know, networking and conferences, like, you get, you know, sort of the formal answer, and then you get the stories that people tell over drinks, right? "You'll never believe what we did," or "you'll never believe what we saw." And so that's where, you know, we get the goodness. That's where we get the real-world ideas, is from either real-world experts or real-world reports.

A different way of putting it is we call it the "no vaporware" rule. There can't be anything that's sort of just drawn out of vaporware, either, you know, a technology that doesn't exist or something that's purely imagination's sake. You know, again, I love my sci-fi, but if it's so far out in the future, so vaporware, it's not as useful. And that's also, I think, the frustration a lot of people in the cyber security field have towards depictions in pop culture, is, you know, like I said, it's either, you know, it's like clickety-clack, I'm in, you know, or it's the people in it are not realistic, right? You know, I mean, I liked Mr.
Robot. But, you know, everybody in the field is not like that.

Yeah, so where you were talking about where it comes to money, this is something that we talked about a lot here, is that in a regulated industry, of which a lot of critical infrastructure has different forms of regulation, which, when we're talking about regulation, it doesn't just mean security. It also means that rate basis: I can charge more for electricity than I can for water. My ability to spend that money back in, increasing a, you know, pushing a rate cost to customers, has to go through a public utilities commission for approval. And so that restricts and drives a lot of those kinds of changes to what can be done. And with, of course, 2021 was like the year of industrial control system hacks. You don't have to predict the future when the future keeps happening every other week. We started with, you know, with SolarWinds, which had a large impact. We had the Florida water hack around the Super Bowl. The irony of that one is that exact same hack is what we've been demonstrating here physically in the ICS Village for several years.

There's the, and thank you very much, is one of the key scenarios, we don't want to plot-spoil Burn-In, but was one of the key scenarios in it. And again, you had the Florida one, but the Florida one, you had earlier the attempted one on the Israeli water networks. And so, you know, when people are like, how did you predict this? How did you pick this? Like, the information is out there. It's more about putting it together. It's, you know, connecting the dots. And then you have, you know, what we were talking about earlier, which is that so much, particularly in the cyber security field, is not how do I explain this new thing, it's how do I explain it in a way that my target audience will take it in, will understand it? How do I get and hold their attention? How do I put it in manners that they're more likely to act upon?
So it's the communication piece of it that's often more of the challenge. I mean, it's very rare to think of any, you know, major cyber security incident that we had not had a series of them beforehand that were smaller, or they were demoed at a conference, or whatever. The information was out there. We just weren't willing or able to act on, and that might be true for a nation; definitely the case for corporations, right?

So if you could give us any insights or share what's kind of the next project or anything around that you're allowed to talk about.

Yeah, so August and I, August Cole and I, turned it into a business. We were having so much fun doing these, you know, kind of one-off stories, and we realized that the demand was there, you know. So if there's one group that's like, we've got this strategy report, but we can't get people to read the key ideas of it, they're not the only group in the world that has that challenge. We also have been doing training courses with different groups on how do you do forecasting, how do you do communication, and that came out of the Air Force approached us and said, it was the Air Force Blue Horizons, their futures team, they said, you know, don't create the scenarios, we just want, y'all have predicted well, teach us how. And so we put together a two-day course for them. And so basically, you know, essentially what happened is we looked around and said, hold it, clearly this group is not the only one that has strategy reports that people won't read, or trend reports that they need to hold attention, or the Air Force is clearly not the only group in the world that's wrestling with how do we do forecasting well. And so after we had a couple of these one-offs, we're like, let's turn it into a business, and we've been doing more and more of... We've done with everyone from, as I mentioned, private corporations to NATO. We're in the middle of one right now with the Marine Corps and a different one the British government, and they've been, you know, going back to what we were talking about before, they've been fun. They hopefully have a great deal of impact. Actually, we know they have a great deal of impact; we've got the numbers to prove it. But more important, it's been intrinsically interesting. It's also been fun for me to sort of learn how to be a small businessman on the side. So that's been an interesting experience.

So with all of the stories that you've written, what's the one thing that still keeps you up at night?

I don't know, my kids. But no, I... the bio side. You know, we fear what we don't understand, and I'm able to, you know, kind of wrap my head around, you know, the IoT infrastructure. The bio side is... how to put it... we've lived... I'm gonna say bio, I mean bio threats, or engineered disease. You know, the last year and a half has been bad enough, and it's been bad enough because we've seen the kind of deliberate spread of disinformation around it, you know, everything from, you know, what can you do in masking, the vaccines, to the willful kind of ignorance of it. So, how to put it, I guess I'm not expressing this well. The bioterrorism side keeps me up at night, both because I don't well understand the biologic side as much as I do the physics, etc.
But the second is the experience that we've had in the pandemic makes me, you know, kind of more worried about it, because, you know, it goes to, like, the reason why none of the zombie movies would work anymore, because, you know, essentially you'd have a bunch of people walking up to the zombie saying, "I don't think you're real," or whatever, like, you know, "I'm not gonna run away from the zombie, it's my choice," you know, whatever. Like, that's what we're living right now with corona. And so this is a disease that is awful. It has not been the type that might be engineered. When you think about, you know, what might be in the hands of a bioterrorist five, ten years out, particularly as it moves into the DNA, to the genomic side, I think, so that's what spooks me.

Yeah, I hope... you know, hopefully that part stays in the realm of fiction.

Let's hope it stays in the realm of fiction. And clearly George Romero's career would have gone a different way in the alternate universe you just described.

Yeah, the internet really ruined, you know, whether it was the, you know, Day of the Dead or Dawn of the Dead, I mean, you know, I love those movies, but I just don't think that the plot would survive a world of Facebook and Twitter and Instagram. You know, think how it would warp everything in those stories.

Any final words as we kick off DEF CON 29 here with the ICS Village?

No, it's just I really appreciate the opportunity to join you. And I also appreciate the incredible work that people have done over the years in the village and the like. I mean, it's helped me individually as someone, as a researcher, as an analyst, as a professor, but it's also served the wider world. I mean, it has had a real positive effect, and so I just like to be able to talk to you and kind of join that cohort. And may DEF CON 30 be hopefully safely available in person for all of us next year.

Indeed.