Welcome. Navigating the space race is difficult enough when you have multinational countries and all those aspects. But what happens when you add into the mix private industry? I mean, the space race has taken on a whole new level and the supply chain, the same equipment, well, quite frankly the same cybersecurity issues that existed in the national airspace. Well, now they're out in space and they're just magnified. And not only that, we have to catch up with the public policy aspects of what to do when stuff crashes. So I'm Lawyer Liz, Elizabeth Wharton, and we're going to be working from ground control today on, well, a choose your own adventure because when you're lost in space, no one can hear your breach, so choose wisely. And quite frankly, ground control isn't the only aspect that we have to navigate through these different challenges. We've invited a couple of special guests to join us today who are going to, well, add a little color commentary to everything. So with that, let's welcome Steve and Matt to add their, well, welcome, gentlemen. And from their perspectives, both research and the area and work in the public policy area, but also as madcap flyers, aviators and quite frankly, general characters themselves. So they'll be chiming in as we go through some of the questions. And thank you to everyone who participated in the Twitter polls. Let's see how you did and see how you fared.

Well, before you can even start to go through all the different aspects of the cybersecurity risks and liability challenges, let's take a step back and look at what happens when you integrate legacy systems and in some cases, communication satellites that have been up for 50 years. And what happens when you bring in all these different communication systems that again, work great when we're just talking about going from the aircraft to Earth. And so one of the best ways to illustrate that is there are a couple of open source projects that track all of the space junk.
So keep in mind any time we're referencing an article or an incident or basically just research, it's not just the madcap opinions and pontifications of myself and our guests, that I've got links that I will have in all of the slide deck to additional resources so that you too can track all the different space junk that you're gonna have to be dodging as you try to navigate on your mission to Mars. So not only that, in the past, we've talked about agent cyber squirrel and how he is an agent of chaos. And a lot of the power outages and other incidents that we see blamed on malware, breaches, everything else, well, they're not always nefarious. Sometimes they're just cyber squirrel. Well, cyber squirrel doesn't have a spacesuit ready. Instead, he's counting on another agent of chaos, agent solar flare. So what works on the ground and when we're talking about communication systems and other dependencies, for example, we'll see when you're talking about recovering your data, it's not only just the systems you have in place, but you've also got to work out or watch out for agent solar flare. Again, another agent of chaos. But one of the other challenges is in a traditional sense and the frameworks that we had that are existing, you have countries launching satellites or countries launching different missions to Mars, missions to the moon. But what happens when you bring in countries who haven't typically participated in space exploration, but you also have, well, private individuals. So to keep this talk PG, maybe a little PG-13, I did not show the image that I thought was the best exploration image from some of the liftoffs this week. So by the way, you're welcome. But not only that, we have the same issues that plague the same third party suppliers, supply chain, which is all the latest rage these days. The same issues that plague the airspace industry within the typical frameworks, those are the same providers in some instances. 
Some of the same systems that as Matt and Steve can talk about when they do it, when you have an iPad helping you provide your general aviation, that same iPad is being, well, referenced in different contexts are used on international space stations. We'll see those are some of the same challenges that we see in things. So we're looking at these incidents where you have glitches, you have vulnerabilities, and don't forget, you also have solar flares, that you also have to figure out when we're talking about airspace and beyond the airspace, that we're talking about repairs, we're talking about replacing parts, software, and in some cases, reusing, not just our equipment and our systems, but our people, because you're not exactly taking your entire incident response team to space. Or are you? Because when you have an issue come up, you're going to have to, well, science or cybersecurity, the out of it. So before we get lost in space, are you ready for liftoff? Are you ready to go for a talk? It's a little bit different, because beware and warning, the next steps and the next slides, it will go through the 20 questions that we answered online, if you participated in the Twitter poll, determine the fate of our flight crew, whether Steve and Matt will be able to solve the problems, or will they be lost in space? So fasten your seat belts, it's going to be a bumpy flight, perhaps, because we're on our way on a mission to Mars, but you've got to beware the ransomware, and you've got to dodge the breaches, and beware, but defy the ransomware, because let's get started. And as we're checking systems, we notice that there's an unexplained shuttle power drain, and it can't be the Pokémon Go, because quite frankly, there are no PokéStops in space yet. So what did y'all decide to do? Did, no worries, we audited the equipment pre-flight, so we were fine, or could it be crypto mining on the equipment?
Because when you have a takedown of a warehouse full of PlayStation 64s, that are running crypto mining, what's to say, some of the same equipment we're taking into space with us, isn't? Well, quite frankly, y'all are a nefarious little bunch of Twitter pollsters, because, well, a majority of you said, you got to get that Bitcoin, because you know, traveling to space is expensive. So let's hope for our sake that it's only a crypto miner that we installed, and that there isn't any malicious activity going on there. Because in space, there are new challenges. You have limited resources and equipment that you're having to reuse. So when we talk about some of this, we have to look at, well, classified information that we're gonna see coming up, where there's gonna be some weird ego flexes, and we're gonna have to look at unanticipated places, because schematics for some of the designs, well, they tend to get dropped in weird places. I'm not saying that when we have private industry going to space, that we need to also worry about, well, where they're doing stuff, because quite frankly, we've got trash talking billionaires, and we've got schematics getting dropped into a chat. Well, what's gonna go on? Are we going to leak additional drawings, because at this point, you might as well brag, or deny that they're legit. As we've seen, sometimes they aren't, or the lawyers are gonna toast for the lawsuit. Quite frankly, at this point, lawyers are gonna toast for the lawsuit, I think, because what are you gonna do? The information's out there, and you can deny, but that doesn't always work, because protecting operational security, when we're talking about different threats, that reaches UPSIs, that some of it is not mission critical, but I don't know, Steve, how would you like it if, say, I don't know, the one vulnerability in the space station, you know, the giant space station, the schematics got leaked. You wouldn't be upset, would you?
I mean, in fact, it would help your flight. So-

Yeah, that is not something I'd wanna deal with. I'm with you on that one.

Well, so what happens when, you know, live streaming is so 2008, what happens when you post a TikTok from space? Because that should never happen. I mean, and everyone has made sure to absolutely check their workstations and different areas to make sure that, oh, that Post-it note with the passwords. Well, in this case, on our space adventure, the Post-it note did not get scrubbed. Instead, it's there, but it's not necessarily our nation, our country that posted it. It's not a, you know, so what happens? Do you tell someone, hey, dude, take down your Post-it note with the password. Do you, you know, send it to your friends? Or do you do both after jotting it down? Well, again, when we have the trials and tribulations of social media and not everybody has the same mission and not everyone's gonna have the same threat assessment and risk profile, yep, there's going to be breaches and there's going to be disclosures. And, you know, just because you're watching a game, again, you're not always thinking about what you're doing and what you're posting to TikTok. But, you know, we're not gonna worry about that too much. It's Monday morning. We're sitting there on our station and on our flight and we go to log in on the screen that's gonna make our coffee and oops, there's a problem. And it's ransomware. So do we, you know, pay the ransom? Don't worry about anything because we need our coffee. Do we attempt to restore from backups? Because we'll talk about later. Backups aren't always there. And then one of the other questions is who pays the ransomware? As we've seen some of the insurers have jumped in. I mean, Steve, do you have the Bitcoin floating around in your pocket? I mean, Matt, I don't know. And if it's Bezos, well, quite frankly, yeah, hey, yeah.
Most of you all said to restore from backups but you're assuming the backups have been made in such a timely fashion and that they're easy to access because we'll see in later parts of our adventure that that's not always the case. Uh-oh.

And I'll jump in on that one, Liz, because from a pilot flying perspective, totally appreciate the ideas that you're saying of, yeah, I want to go to backups and take the time to restore because that's the right thing to do. I am cruising along either in orbit or in this case on the way to another planet. I don't really have time for that. And the time, if I don't have it on board for those backups, which there's a good chance I won't because weight, computing power, all of those are considerations. We had a great talk last year from Pam Melroy talking about that. Paying might be the best way to do it because the people doing this are on Earth. They want their money on Earth. The people who are helping me and ground controller on Earth, that might be the way to go because in this case, lives are at stake. It's an absolute immediate concern. So that changes the calculus a little bit from some of these other ransomware incidents and hospitals are probably the closest analogy and even they are willing on Earth in some cases not to pay up right away to get immediate restoration but I don't think that's necessarily gonna be the case.

Well, then the other concern is as you're operating the shuttle or your aircraft who is going to be restoring the backup? It's certainly not gonna be you as you're focused on everything or assuming that you understand and have the ability to take your attention away from other things to then focus on installing the key and starting to decrypt. I mean, Matt, we're gonna turn to you as part of our flight crew a little bit later. I mean, are you up? How are your certs these days?
Well, I was gonna talk about that talk from Pam Melroy as well because she mentioned that the ISS has multiple systems on standby, flight management control systems. But if those are live and in standby then they're likely to get affected as well. So that is not sufficient mitigation against something like ransomware if they have the same inputs because they'll be vulnerable to the same threats.

Exactly. And again, it's assuming that you have access and that they can get up and running and the switch from the main to a backup can happen in fast enough time. And we'll see this again in 10. But one of the other things that you have to deal with is that your sensors start indicating that an antenna is off. Well, and it may have been off because it wasn't installed correctly pre-launch or maybe something else is going on. Do you risk the spacewalk to figure out what's going on? Because when we talk about spacewalk, the entire risk, it's not just getting up from your desk. Someone going to check out and physically inspect the systems or going to the SOC, going to the NOC and going and looking at the antenna and the desk to say, huh, okay. Because at the airport, when I was there, it was very easy. You know, we just, we went, we looked, we inspected but most of y'all on this side we're gonna take the spacewalk. So we're gonna suit up. We're gonna gear up and we're gonna be ready to go. But how does that happen when you have sensitive equipment and, you know, it's, you know, the Johnson effect is a shout out to one of my, like, let's say another one of our mission control folks who pointed out that their uncle had was part of a team that Hubble, some of the, some of the mirrors didn't get done correctly. What do you do when you're there? So Steve, what are you gonna do? Are you gonna stop your entire flight to rely on data that may or may not be accurate?
And he's muted, which is the other problem that you have to worry about in space is because when you start to scream and shout your obscenities when you realize something may be wrong, who's there to hear you scream?

That was showing you how I relied on my equipment and faulty indication. So that was a perfect demonstration. You know, the reality is number one, you're not stopping unless you're in a helicopter. You're kind of stuck, especially on a space mission, aircraft at least have some options. But I think the key is in that poll, totally understanding why folks answered that way. But from a pilot perspective, you have to trust what you have. That's all you've got. You've got your primary, you've got a backup and maybe you have even a third backup there, but you absolutely are trained to rely on those. So on the space side, I don't know firsthand, but the good news is that you have other folks immediately monitoring what's going on. That can be a part of that troubleshooting. So at least you have that full team. On the flying side, you can radio back, you can talk to your home station, things of that nature, but not that direct instrumentation and things like that. So that's definitely a risk, but in the space side, that's good because you do have folks that can help you fixing it. And then if you do get to that spacewalk, again, that's a process and that would have been practiced ahead of time.

And what are the other concerns that you do have to take into consideration when we're talking about reliance, for example, on GPS satellites or other satellite communications and those data links, as you've now introduced several pieces into this that weren't always designed with cybersecurity in mind. And you're also dealing with some legacy systems and some satellites and some apparatus that again have been up there in orbit and maybe haven't been patched with the latest software or maybe weren't designed to anticipate.
So I'm not saying shameless plug for the Aerospace Village Hack-A-Sat, but there are different ways that you can manipulate some of the information. And we've also seen this with it's a concern and something we'll talk about again in our adventure is like, for example, when you have unmanned systems and you're collecting, for example, agriculture data that you're relying on a huge network that there's opportunities and a lot more threats that creative folks could do. Well, while we were deciding whether to check out and do our spacewalk, the antenna got damaged anyway from space junk. So as we're looking at the space junk and deciding basically who to blame because where's the fun in things if you can't have somebody to blame and somebody has to pay. So space junk damage is to be expected or check Elon's Twitter because if it was one of his space aircraft he definitely would have bragged about it, commented on it or blamed some bizarre conspiracy theory.

I thought the junk was his tweets going out and that's what you were making the analogy for. Wow, pretty much. Stealing them out into space. Hey, there's tea in space. There is definitely tea in space.

But most of y'all correctly pointed out, well, again, I have to take a picture because insurance always requires a picture. But what's just as we've had issues with navigating cyber risk insurance and insurers are still trying to, there are multiple different kinds of insurance that would cover our space travels from liftoff, launch, to low orbit. But once we get out and now at this point we're on our mission to Mars. Well, there's liability insurance, but who issues it? Currently, if you're a US spacecraft it's covered by the Commerce Department. Well, so who covers when it's Elon? And some of the other challenges that we face is again, whose junk is it anyway?
How do you know exactly with all of these things that are being tracked, all the satellites, all the space junk that's currently being tracked, how do you identify? And then how do you know exactly where to go? So under current law, it's all right, it's the country that launched it. So the current country that had this space, that permitted a space shuttle, what happens when you have, this is all under different treaties. So what happens if the country that launched it, oh, I don't know, Bangladesh or some of the other countries aren't necessarily parties to these treaties? Or if you are launching a particularly, I don't know, nefarious satellite, or you're not quite sure, again, if we're talking in a cybersecurity context in a policy context, if you're a billionaire, take your space shuttle, space aircraft to a country that you know is not participating in some of these treaties and boom, your lawyers are happy because you've just mitigated your liability. Well, okay, now that we know, we've taken the pictures, we're hurtling them. And because of course, Elon says, it wasn't me. Branson says, ah, my rockets didn't actually go into space, so we know it wasn't me. And then there's a conflict between all the data because we talked about there can be, the data signals at mission control and at the space station. So again, do you trust ground control? Do you trust, do you believe Elon? Or do you trust the space station data? So as Steve pointed out, and most of you all agreed, you're gonna trust the ground control data because that's the assumption being that is more secure and more reliable. But there's the data dangers that we talked about and the different systems and is ground control has the data from the station to ground control has that link been secured and is ready to go. Because again, the communication systems and the data integrity.
So, well, okay, the other billionaire on the space station does an unannounced live stream because we know they don't like to hear themselves talk or do they? And as part of that accidentally shows an otherwise classified science experiment. Says oops, but will we do it again? Well, most of folks agreed. Let's call a press conference. The data's out because keeping in mind we start having half of cybersecurity and securing your systems and securing your data against threats or as a threat actor. You're looking for people who have different missions, different risk profiles and different risk assessments. So, because of that, you do have to worry about breaches and disclosures. So, all right, now we're hurtling through. We know that some of our data and some of our experiments are now public knowledge. Well, what happens when as everyone has loved to talk about the trolley experiment? So what happens when you've got the giant meteorite because it did not come down and disrupt the US presidential elections as many people hoped. And it's going towards a critical navigation satellite used by millions or it's gonna hit probably a tourist shuttle, not ours, because we're safe, we planned ahead. But if you only have time to save only one, are you going to call Bruce Willis? Because, well, it worked the last time we had to do that. Save the critical satellite because not only are we counting on stuff like that for our mission, current mission, but navigation systems and every GPS back on Earth is counting on it as well. Or do you save the tourists? Quite frankly, there's not a lot of sympathy for tourists.

All right. I got to chime in Steve. It's not that I don't, I like tourists any more than the average person but in that list, I looked at that and it's lives at stake. So I would have to go down the path of it's the tourists. It's the immediate lives at stake in the sense that the way you described it, critical navigation systems.
Yeah, you've got financial transactions for GPS, but GPS has a constellation. There's lots of backups. Critical navigation for on Earth and aircraft flying around, yep, absolutely. But there are backup procedures there that pilots are trained to follow. If they lose comms, if they lose navigation, it doesn't make their day any easier but it doesn't mean they instantly run into each other and it's total mayhem. So I think one of the things that is normally planned and normally considered is in that decision-making, lives are at stake. We have to take care of lives unless you started getting into, nope, in a military mission, maybe we are willing to sacrifice because of these things. But in the example that you had there, I'd say the lives would take precedence.

And that is part of the consideration. You know, do you go back for your botanist that you accidentally left on Mars? Which the botanist may have something to say about that.

No, if he passes data stream, he can't. He's fine, he'll eat some potatoes.

Exactly. Well, he'll have a lot of sugar, let's just say, to go from. But, you know, the other thing is you also have to look at, and some of this, it's the cost-benefit analysis. It's do we have the resources? Because the Ingenuity and some of the other craft are expensive. And quite frankly, we're gonna bootstrap our mission. We don't have Bezos billions. So, and we didn't take, and we didn't sell seats. So unfortunately, in this case, really it's just Steve and his skeleton crew going to be mad as he's sitting on Mars. Well, what happens when, you know, do you pull the commercial off-the-shelf equipment? Do you use perhaps foreign manufactured or in this case, we're referencing DJI drones? But there have been questions about what happens to the data from those systems. Who owns it? And where is it going? Who has access to it? And do we want the third parties to get that? So, quite frankly, YOLO, they're probably gonna steal it anyway.
So we're not really as worried about that. Or, no, let's spend the money. So, most of y'all, you know, it's gotta be in split, went and said spend the money. But Matt, what do you have to say? And we're gonna pull you in, because even though you are our botanist on this flight, you do have a little bit of experience researching some of the issues with unmanned systems and particularly some of the off-the-shelf systems. So, which one would you have chosen?

Definitely build your own every single time. You know, you can buy commercial off-the-shelf. Like you said, you don't know where the data's going. Although there are ways of finding out where the data's going. But once it's gone somewhere, you don't know what they're going to do with it either. You know, so there's certain elements of trust in there. But also building your own, you learn about how it functions. You learn about how it's put together. You learn about how to fix it when it goes wrong. Because, you know, a call from Mars to DJI is probably gonna cost quite a bit of money. You know, back in 1985, I think it was, you know, several hundreds of millions of dollars, I think it was, according to the song. You know, clouds over the moon, if anyone remembers it. But, yeah, build your own every single time. Even when you build your own, you know, you're gonna be using lots of components anyway from different manufacturers. And even then, you have to look at the configuration of them. So, you know, whether they're using open source protocols, which are vulnerable, how you're going to make those more secure and make sure that nobody else can interfere with them to, you know, crash your drone or even steal it.

Well, and one of the other considerations is you don't know what else is running in the background. And so that while they may be functioning properly, and the data may be going and doing exactly what you think it is, but what else is it doing?
And one of the critical conversations we've had on security issues with, for example, local law enforcement, is they start to use more DJI and other off-the-shelf, do you know everything it's doing? Because it's collecting a lot more information, a lot more data than you think because they're just flying computers. So, one of the other considerations for cybersecurity issues, when you have these multi-purpose tools, we have the multi-purpose ad we use, isn't doing exactly what you're thinking and from a researcher standpoint, hey, that's one more opportunity to breach, access, manipulate or have a little chaos. So, okay, we're trying to print docs because it's paperwork and everyone has these issues. So we're trying to do that and we're having issues. So we turn the workstation off and on again and it reverts back to its default settings. And we've still got all this paperwork. So nobody uses, you know, Windows anyway, it's all, you know, Android, oh, oh, as we've been finding out this week for those who are listening to this, close to, there are a lot of systems that the cross functionality and the cross purpose, but half of y'all said, don't worry, we've got a botanist on this mission who does IR. So one of the things to highlight is that is, you know, when you have the display screens, when you have these different systems, you have a whole variety of threats, but even more importantly, who's going to fix them? That you have to have not just a space pirate who can, you know, grow the plants and the food and stuff that you have to have, you can't just have Steve flying the aircraft. You have to be able to have multi-purpose. Like basically, I guess everyone should know code or how to code on our missions these days. Hmm, don't know how that's going to work, but that is one of the challenges we're going to face. Well, one of the other issues is, well, while we're waiting for Matt to do his IR incident fixing, we notice that there's a fly.
First of all, how did a fly get in our mission? Don't know, don't care. That's not the real question, but we go to swat at it, which happens to be, and we pick up the nearest thing that we have. Well, so we swat at the fly because we've picked up the iPad that's lying nearby. And as we swat at it, we realize we have just cracked the screen. So we're ready for when the space, you know, the equipment breaks, but what happens when it's, you know, different kinds of equipment and, you know, do you find the next Genius Bar appointment? Because there are none. So joke's on you, everyone who chose the, that's how they were going to handle it, which was the majority, because where do you think the Genius Bar is going to happen? You know, and when we have some of these systems and some of the equipment and some of the software, we start getting into the right to repair issues. You know, do you fix it yourself? Well, you've just voided the warranty, but most people will be okay with some of that. And, you know, do we blame someone else tell Matt as he goes to use this critical piece of equipment? We hope not. That's just broken. You know, what are the challenges? So when we talk about repairs, we're talking about a whole different, you know, are there restrictions? What happens that liability? So Steve, what would you do when your equipment's going to break? Because you're looking at the Genius Bar appointment represented here.

So you have to be very careful with that mindset. You know, I think that the key that you're getting at and one of the things from my experience is the, the equipment's been tested. There's been instances of iPads in aircraft that both the pilot and the co-pilot have an iPad. They're using it. It's a critical phase of flight. And they both go through a software update at the same time. So that's the kind of thing you have to test ahead of time.
Of course, you try to test and you can't test everything, but you find a way to make sure you've got those redundancies and then the backup, as I mentioned before. So in this case, you're going to have to be more self-sustaining. You're going to have to have some basic skills. I think, you know, perfect Martian example is that guy didn't know how to do things, but he got nothing but instructions from the ground. So the teamwork that comes out of a setup like that, being able to leverage that, I think is where you're going to get the most benefit than any particular one person that may have all that information because there's so much going on. There's so much complexity that you're better off leveraging your teammates on the ground.

Well, and one of the other challenges that we're going to start seeing that has to be is that the multi-use of you have a pivot, which you're going to have its own cybersecurity challenges. But when we're also talking about the policy aspects of what we need to navigate is be, you know, take those approaches and understand that there's going to be that off the wall issue. And do you really care that you've voided a warranty or that, you know, okay. When it comes to these critical decisions, but again, when we talk about challenges in space, that's one of the things we have to consider.

So I want to make sure I'm alive for somebody to complain about the warranty that I voided. So that's my main focus.

Exactly. And have the redundancies and systems and have the equipment that if one part fails to the extent you can plan around, you've been able to plan around. But with the, you know, again, we're using this, talk about we spent all our money on iPads and we unfortunately didn't take Matt's advice and we brought the off the shelf and we're using it now for some of our data that with our crops and other things that are life sustaining and, you know, we couldn't bring a whole food supply with us.
So what happens when some of the data looks a little wonky? You know, it's not matching up. Do we, you know, and the joke is that, you know, the botanist is already busy doing incident response. So, you know, okay. He can just add this to his list, but also, you know, a little bit of a nod when infosec is full of sugar, we'll just have more potatoes. But in this case, it was pretty split, 50-50. But again, we're going back to having when life sustaining systems onboard the aircraft or on, you know, within the biodome are relying on data. That's just another attack vector and that's another issue that you have to have a plan for. And so, but here's one of the other problems. We've had some latency issues with the rover and the base. So Steve's coming into land and join Matt on the base. And maybe it sees crypto miners again. Do we, you know, blame our agent of chaos, solar flares, because they can disrupt and delay radio communications. Do we hack back if it's a crypto miner or YOLO, got to get that coin again? Well, half the respondents said, hack back. Well, one of the problems is who do you hack back against and what exactly does that mean? And so, when you've got an issue and do you have time and we'll see in one of the upcoming challenges another decision we'll have to make is what do we do with that data at backups? How do we get those communications? But also keeping in mind, sometimes it's a simple solution or it's a simple problem. It's not always a crypto miner. It's not always an issue that can be resolved through hacking back. Sometimes it's agent solar flare. So, okay, and remember that iPad that we broke? Turns out Matt needs this for his research and he needs to charge it because by the time we got it repaired, well, the battery was getting a little low. And Matt, you spent all your money on your home builds for your DJI or non-DJI aircraft.

I need the 8K camera.

Right?
So, now we don't have the right cabling with us and do we trust the cord that is given to us by our Russian counterparts? Do we order Amazon Prime delivery because it's there? Or sorry, Matt, we hope you have another way to charge. This is an instance. You're going to science it and figure out how else to charge this. Well, pretty evenly split between the voting but keeping in mind that when it comes to equipment, what's new is well new. We're having to integrate legacy systems in with the latest and greatest. So, Matt, how would you approach this when you're looking at the security issues? I mean, should we trust cabling given to us by just anyone? Well, so this is obviously an assurance issue. So, it depends on the ecosystem you're working in. So, if you're working in an ecosystem with a Russian astronaut, you'll hopefully be checking the provenance of all equipment. We're going through some kind of assurance stage to make sure there's nothing nefarious in there. But even then, if the attacker knows that there's an assurance process and what it is, they might have developed something to get around that. So, there's all sorts of things to consider. But in this scenario, if it's just a power cable, everyone knows which pins are power on a USB. That would just science that out of it. Military grade will save you in this case. Always. Clearly. Exactly, exactly. And it's also keeping in mind and planning ahead. So, as part of mission planning, and we see this with industrial control systems and SCADA systems a lot where you're having to be prepared for and understand that the challenges that you will face are you're integrating some of the systems together. Well, okay. Now we're gonna see some of this come back to bite us a little bit because space race and all, we didn't have time to vet some code before a critical patch and update was needed. So, do we, again, yolo and just go for it? Do we rely on our redundancies and backups? 
Or, quite frankly, patches are for quitters. You've wrote this software this far. Let's keep going. So, good news says, most of us, taking the poll, my space cadets went with using redundancies and backups. But some of the challenges we'll have are, do the redundancies and backups work? How critical was that patch? And also, keeping in mind, do you have access to that? So, when we're talking about some of these systems, what happens when the patch or the update doesn't work exactly as expected? So, Steve, what would you do? Yeah, so I'll throw out a scenario. I can imagine Matt and I teamed up now on this planet. I'm the pilot. I'm thinking, how do we safely get back to Earth? Matt, as my security expert, wants to patch the hell out of everything because he wants to get it done and off his to-do list. And it's the same thing that happens today when they talk about, we have discussions, FAA gets into safety versus security is an aircraft safe, even though a particular piece of software is not necessarily patched, which makes it insecure. How insecure, that's why I use air quotes because, is it critical? Is it minor and everything in between? So that's definitely a consideration. Are we patching because it's fun to patch and we like to have a clean to-do list? Or is it a no-kidding? This makes it unsafe to have this security hole, this vulnerability that is not patched. Is it patching a simple system? Or is it the absolute most critical piece of equipment, navigation, oxygen, you name it, that makes us be safe from there. So it really becomes a discussion. And again, things you can have ahead of time, say, yeah, we're going to patch for this right away and these other things, we're not going to patch for, we're going to accept that risk. So it goes all the way back to that whole risk management discussion. Yeah. Yeah, well, and so we're working outside the station and we get a heads up display on our suit that there's a glitch. 
So play around with it a little bit and then nope, nope, it's frozen. And you get a dreaded ransomware demand. Okay, quite frankly, whatever they're asking for, release it or do you pay the ransom, pay the ransomware stat or start praying for your oxygen tank backups? Well, some of y'all were willing to have your pictures released if that meant you got the data back or that they basically unstuck your suit. But one of the challenges when you have the ransomware and you're locked out again is keeping in mind there's an entirely different threat, discussion and analysis when you're wearing a spacesuit which is basically a computer. So when you have become the computer and it's not just the lives of multiple, but it's yours. It's one, it's individual and it's basically every bit of your existence is dependent on this. So Matt, as the cybersecurity expert slash botanist, what are some of the things that you're running through your mind? Especially when we know that as an MIT tech review journal article pointed out, we've had to go back and basically redesign some of the spacesuits recently to be compatible with some of the issues that we're going to face on Mars. Yeah, I mean, I'm always dubious about people who say pay the ransom because these things are very complex. And I don't think there's any one answer but you have to bear things in mind if you go down one route rather than another. If the attacker has already got the data and they say pay us the ransom or we're going to release the pictures of you in your underwear at night. Well, okay, do you trust them if you pay the ransom? And they might take the money and release anyway or they might sell that data to the highest bidder which is always a way to get the maximum ROI out of ransomware, which is what these people are at the end of the day. I'm just trying to run a business. So the key thing is to, of what is in the first place and do that due diligence and do that security work up front. 
Well, I'll throw in one other thing too in the sense of the way you talked about on our spacesuit. One of the things that you learn is what are the absolute critical? What are the other nice to have? And what are just fun add-ons? And they all have a purpose but they're still a hierarchy. So if you think about it in the sense of high value assets in this case and the example, is it the convenience of having this heads-up display on my spacesuit or is it literally a ransom that is going to impact my oxygen? And even then if I can get back inside who cares about my oxygen in that very small example? So understanding what you have to worry about what is your priority? Where is this affecting? What is gonna impact your decision-making? And that may go right into the do you pay it or not type of mindset and along with the things that Matt brought up. Well, one of the other considerations is that as we've seen with some of the other vulnerabilities and research that have gone into just everyday equipment that that thing that you've overlooked because who would ever go and attack a system through its wireless keyboard and that USB connection, it's when you're wearing the computer that nice to have feature may that actually be one of your more critical vulnerabilities because attackers don't care. So that's one of these to keep in mind when you're assessing and going through all this because again, it's a computer. So all right, as we're sitting here trying to figure out what to do with our spacesuit the fancy Bezos shuttle lands next to us at the space station and wants to connect to our existing ICS infrastructure. So those systems that we've had up on Mars that Matt has been working on for so long. Well, okay, what are they gonna do? Are they going to, ah, 100 terabytes or fiber connection? Of course, connect away. Are we gonna say, hey, Matt do you have an idea? Or we're gonna say, look, who owns it? Gotta make that coin. We've taken our crypto miners offline. 
So pay up, buddy. Your flight crew, you know, your space crew needs you to help pay for some of this infrastructure. Well, almost exactly evenly split between everyone on this, on the polls. So space cadets, I'm not sure what we're gonna do here but the good news or I'd say bad news is the same issues that we deal with industrial control systems, legacy systems on earth. We will have to deal with the same threats in space because especially when you're looking at some of the designs and some of the equipment and the length of time it takes to get out there, the good news is it may make it harder to attack per se but you're still gonna have access, crashes, compatibility issues. So and we're almost there. We're back to this ransomware incident though. So we finally got them connected. And in the meantime, all right, we're gonna go with the backups for our space suit but the problem is they're not on Mars. They're stored on Phobos. So what are we praying? Are we praying that no flares, no flares? Or how long can I hold my breath? I was a champion swimmer. I've got this. And as Steve noted, am I gonna be running back or moving very slowly while having a very zen yoga like breathing to get myself back? Well, pretty much everyone admitted our biggest concern was, well, the solar flares because again, when we're talking about latency issues we can't just look at latency issues from the communications or the threats of ground stations to the satellites to our space station. We also have to consider that not everything is gonna be stored in the same place. There we're gonna have multiple points and multiple communication issues so that solar flares may be disrupting from a multitude of different angles and attacks. So again, communication latency issues where we're restoring backups. Well, okay, space cadets, we're almost there. 
Our last adventure is that it's a good thing that also does incident response because we need to help restore our space suit but he's still fixing the printer. And in space, no one can hear your breach. So as Steve is stuck outside the station, Matt's working IR. Well, okay, don't worry because each one of the crew members knows how to code. It's hardware or dye. Let's just hope that it works. And then the other question is, well, okay, how many botanists performing IR do we have on Mars? So is it something where, and Steve's ready to go. But most of you all said, okay, we just- Oh, I'm pointing to Matt. He's my- Oh, yeah. I'm keeping him alive. And how many of Matt's do we have? Is it that becomes the highest paid position because you're critical? Do we have it that everybody knows how to do everything? Because again, as we start navigating some of these issues of the cybersecurity and the policy because we have to deal with the liability. We have to deal with whose rules govern. And yet, when we have all these different competing interests, how do we face some of those challenges with the threats of agent solar flare of ransomware? Is it nation-state? Is it what are their goals? How are we responding? And is everyone gonna know how to do incident response? Is everyone gonna know how to get back up if there's a crash? So Matt, you have saved our mission so far. You have kept Steve breathing. What do you think is some final thoughts as we've reached the end of our saga? I think, yes, as going back to one of Steve's points earlier is identify your critical assets. You need to know what you absolutely need, whether that's in the industrial system side, if it's in the safety critical side, identify them and then identify the risks that are posed, that are out there, that can affect the mission and protect everything, LOLs. 
Yeah, so Steve, now that you've been rescued and you've gotten us there, now that Matt has scienced the sugar out of this and he has had us and that you have navigated. I mean, you're wearing a computer. You are wearing a computer that is connected to other systems relying on communication protocols and data that is being analyzed, analyzed accurately that hasn't been manipulated, that the software patches that worked for the systems on earth are also working with the legacy systems. So what are your final thoughts? Now that we've saved you. I'm very thankful to have my friend Matt there to do all that work, first of all. And this whole idea, thank you, Liz, for putting it together because there's so many different considerations. One of the things that I wanna make sure, we talk about ransomware and we apply these very terrestrial situations to in space and in flight. And our friends at Pen Test Partners, Ken Munro, in particular, he had some great thoughts recently about the idea that is a criminal really gonna get paid when they wreck a system with ransomware like this because we're floating off in space. It may just be that we're done and now there's no reason to pay because, well, you killed everybody on the space station and you're done with in this imaginary situation. So is it going to happen? How realistic is it? Don't know, but the idea and the fact that these types of things could happen and more sophisticated and different reasons, those are all, it's still there and it's still worth thinking about whether it's a direct interaction or these inadvertent things because it still has the same effect of knowing your systems, knowing how they work, your backups and then how others are gonna be able to help you out. I think it's still absolutely worth talking through and thinking about and making sure that we have these in mind going forward. 
Well, it's a reminder that as we dealt with some of these issues, both in the general aviation and other airspace scenarios, that just because it's in space, well, there are different challenges that it's still a flying computer connecting to another flying computer. And as we've seen, even when some of the ransomware issues as well as other just glitches of systems not working, they're almost agnostic to some degree of, when a botnet is going through when you have these different things that there isn't a, oh, wait, this is a hospital. This is a space station, we can't do that because that's not how it works. And especially when we're talking about some of the software vulnerabilities or hardware vulnerabilities, again, they don't stop just because this is the use or this is the implementation. And also when we're talking about some of the deployment patches, they're also the liability. So as these liability issues change, who becomes responsible? But who becomes responsible when it's the spacecraft running on software that's also being used for five other spacecraft or for five other uses on the space station as we've seen just in similarly with the passenger air travel and through general aviation when the reservation system goes down because it's the same reservation system software used by every major airline, it's going to be the same, you know, we have to address some of those same challenges. So thanks Space Cadets for playing along and remembering that once we get lost in space, no one can hear our breach. But Steve, Matt, thank you for helping make it fun. I'm Lawyer Liz, Liz Wharton. And you know what? It's an adventure, it's a challenge that we're going to have to address now that private industry has gotten involved more and stay tuned for future Aerospace Village, shameless plug again for all the events and the communications and the information and you know, enjoy the rest of your DEF CON.