Hi, everyone. Thanks for coming. This is a great, great turnout on a blustery night. Thanks for coming to Bear Pond Books for a talk with Garrett Graff. He's here to discuss cybersecurity, the Russian threat, and the new book Dawn of the Code War. Let me just pull it out. Which Graff co-authored with the former Assistant Attorney General for National Security, John P. Carlin. But really, Garrett wrote the whole thing. I learned more in the first 10 pages of this book than I have in all the seasons of Homeland. That's pretty scary. But seriously, this is important work. Authors John Carlin and Garrett Graff dive deep into the stories of hacktivism, internet guerrilla warfare, and online terrorism. In Dawn of the Code War, we learn how criminals, terrorists, and spies make themselves at home on a global network that was never designed with safety and security in mind when we think about the open source internet. It's not all doom and gloom, though. We see agreements with China to crack down on criminal hacking. And we see Silicon Valley and social media moguls like Twitter cooperating with the Justice Department to shut down 125,000 ISIS and ISIL accounts. And as far as the Russian hacking of our 2016 election, I don't know what to say about that. I guess you can say I wasn't surprised, but still disheartened to hear how Senate Majority Leader Mitch McConnell and Speaker Paul Ryan torpedoed any bipartisan attempt to get ahead of the hacking when it was brought to their attention prior to the election, as John and Garrett point out in this book. If you don't already have this book, you need it. I urge you to pick up a copy tonight, and Garrett will be here to sign copies after the talk.

A few housekeeping items. Please mute or turn off your cell phones. Please use the back door if you need to exit before the event is over. We do lock the front door to keep the disruptions with the creaky floors down to a minimum.
The bathroom is located at the back of the store to the right of the back door. If you'd like to learn about future Bear Pond events, please sign up for our newsletter. There is a clipboard going around. Our next event will be Friday, November 2nd. It'll be our last event of our events season this fall. It's called Bullets into Bells. Poets and citizens respond to gun violence. It will be poets and citizens from this anthology, which is an amazing anthology. We have Major Jackson, Bryan Clements, Matthew Oldman, and a local poet, Karen McCaddon, coming to read poems from this book. It'll be at the Unitarian Church on Friday, November 2nd at 7:30, and we are selling tickets for $5 each, and the proceeds will go toward GunSense Vermont, who will be at the event to give a talk. So that's exciting.

I'd like to thank Orca Media for filming tonight's event and the Vermont Arts Council for featuring the event as the Vermont Arts 2018 program. And I'd like to thank Garrett for being here. Garrett Graff is an award-winning journalist who has spent nearly a decade covering national security. He also serves as Executive Director of the Aspen Institute's Cybersecurity and Technology Program, a regular writer for Wired, Bloomberg Businessweek, and a former editor of both the Washington, Washington, I can't say this one. Washington Media and Politico Magazine. He has an extensive background in journalism and in technology. His oral history of Air Force One during 9/11 is under development for a movie by MGM and his April 2017 Wired cover story about the FBI's hunt for an infamous Russian hacker has also been optioned for television. This is exciting stuff here, folks. Please help me welcome Garrett Graff.

Good evening, everyone. Thanks for coming out tonight. I'm grateful for Bear Pond for hosting me. They've been a wonderful supporter through my writing career. I think this is my fourth book talk here in four books. So I'm happy to be back here again.
So this is a book that in some ways turned out to be an unintentional sequel to a book that I wrote in 2010 that was a history of the FBI and its counterterrorism mission after 9/11. And at the time, that book, which is down here, the FBI at War, The Threat Matrix, was the story of this relatively anonymous figure who was the FBI director had started as the FBI director on September 4th, 2001 and on the morning of Tuesday, September the 11th was sitting in his first briefing on Al Qaeda and the bombing of the USS Cole when he was interrupted with word of the attacks on the World Trade Center. That figure, of course, was Bob Mueller, who when I was writing about him was in the, what he thought was the final year of his ten-year term as FBI director. Ultimately, he was extended by a special act of Congress that passed the Senate 100 to zero back in the days, both where he was considered a Republican and where the Senate actually passed things 100 to zero and ended up serving a total of 13 years as FBI director, the longest serving FBI director since J. Edgar Hoover himself. And Mueller sort of, when I was writing about him in, 20, sort of from 2008 to 2010, his deputy chief of staff then chief of staff was John Carlin and John and I became friends then and it was sort of right as the FBI was beginning to move out of this era of counterterrorism being the overwhelming threat and Mueller and his team and his staff were beginning to look forward to what they saw as really the biggest threat on the horizon at that time, which was Russian organized crime. And the last chapter of The Threat Matrix is about sort of the FBI beginning to look forward to this threat of Russian organized crime. And so after I finished The Threat Matrix I spent about a year trying to write a book about Russian organized crime and going back and forth to this special FBI task force in Budapest, Hungary, which was where they based their Russian organized crime work.
And there were sort of these people working on this issue in the FBI who were, again, sort of relatively anonymous figures, people with the names like Lisa Page and Bruce Ohr that have become more famous in the time since, but who were sort of looking down the road at the rise of Russian organized crime. That ended up sort of morphing into the threat that this book ends up covering, which is cyber crime and sort of the rise of cyber threats from both the four main cyber adversaries that the US faces, China, Russia, North Korea and Iran as well as sort of this larger set of threat actors, like hacktivists like Anonymous, terror groups like ISIS or ISIL, and then transnational organized crime groups primarily coming from Russia.

And John went on from being chief of staff to Bob Mueller to become eventually the assistant attorney general for national security at the Justice Department in the Obama years, which is the highest sort of the new role created after 9/11 inside the Justice Department to oversee counter-terrorism and counter-intelligence investigations. And so he ended up being the person along with a colleague of his, Lisa Monaco, who was his predecessor as Mueller's chief of staff, then his predecessor as assistant attorney general, and then she ultimately became President Obama's Homeland Security Advisor. And the two of them sort of put together what was at the time a really groundbreaking strategy to try to push what was a very shadowy world of cyber threats into the public domain. At the beginning of the Obama administration, the US government had never taken public action against Iran, China, North Korea, or Russia for their cyber activities. And that that was all seen as an intelligence problem, not sort of a public matter of debate.
And so the government was very carefully gathering loads and loads of intelligence on what these different groups were doing and then what they were trying, sort of how they were targeting the US, but none of it was being able, none of it was ultimately being moved into action, either publicly or even privately to try to deter these actors and attacks from doing their work. And it was sort of all this big, dark secret inside the intelligence community. And one of the things that we sort of talk about in this book is to how basically countries look online like they do in the real world. For nation states, cyber attacks are extensions of the strategic goals that they're trying to accomplish in the real world. And so China is all about trying to grow its economy, trying to crush internal dissent within its borders and to steal intellectual property from abroad that can bring home in order to help boost its economy. North Korea, heavily hit by sanctions, heavily depressed economically, North Korea basically views the internet as a place to rob banks and to attempt to fund its government through the theft of banks overseas, most notably, skipping ahead a little bit in my story, they hit the Malaysian central bank last year, almost got away with a billion dollars, couldn't quite spell correctly. And so only got away with a hundred million dollars before the bank was like, hey, it kind of seems like you're misspelling a lot of words and asking for the 100, or asking for the billion dollars, is this actually you asking for the billion dollars? And it was not. Iran and Russia though have very different goals. And this is sort of begins to play into some of what we're, I'll end up talking about with Mueller and the Russia investigation, which for countries like Iran and Russia, who are geopolitical adversaries for us, the internet provides this sort of wonderful asymmetric advantage to them. 
They cannot take on our military directly, they can't take on our economy directly, but the internet provides this incredible way for them to undertake activities that sort of fall below the radar of what would normally be constituting acts of war that are really annoying and ultimately even ultimately quite damaging. And so when you see sort of the way that Vladimir Putin has used cyber attacks both against places like Ukraine and against things like the Brexit vote and then ultimately against the 2016 election, it's as a place to exploit the seams in the West to exploit the seams of Western democracy in such a way where he's not necessarily setting up attacks that didn't exist before, but sort of exacerbating the political discord, promoting the political division that already existed.

And obviously this is something that we still see going on today. On Friday, the Justice Department announced charges against the chief accountant of the Internet Research Agency, which is sort of the Russian troll farm for activities aimed at influencing the 2018 midterm elections in two weeks here that goes sort of right up through the summer, though this was sort of activity that did not stop in February when Bob Mueller brought his set of indictments against the Internet Research Agency, but actually has continued on since. And that this book ultimately is aimed at sort of walking through the major cases that the Obama administration brought over the course of the last eight years against each of those four actors.
And it's a story, you know, the title Dawn of the Code War is really meant to emphasize that we are still in the very early stages of this, that this is in many ways like the, this is where I begin to always trip myself up, very much like the Cold War, the Code War is going to be something that is ultimately a generation long fight and that this is in some ways much more complicated than what we faced in the Cold War, in that the tools and the weapons of this war are going to be available to a much wider set of actors. They're going to be used much more indiscriminately than we ever saw weapons used during the Cold War. But at the same time, we're going to need the same sets of tools that we built up during the Cold War in order to tackle this problem. That sort of ultimately, this is a challenge that we have to face with multilateral alliances and sort of international groups working together to establish sets of norms and values, much like we used the Cold War during the Cold War, we used issues like democracy and freedom of speech, freedom of religion as sort of rallying cries for the effort that we were trying to build.

This is also going to be an immensely complex undertaking and sort of one of the things that we talk about in the book is that the challenge that we face as a society in the way that over the last 25 to 35 years, we have taken everything that we value in our life that exists on paper and digitized it. And we have done it and digitized it in an inherently insecure medium. And that is not a bug of the internet. That was originally the feature of the internet was that the internet existed and was developed and the underlying protocols were developed among research universities, among groups where everyone knew everyone else by name who was on the internet. And so it wasn't that they weren't thinking about security when they built this, they thought about security and made a very conscious decision that they didn't need it.
And you can sort of find these amazing quotes from people who helped to design these systems literally saying, we just assumed we were going to be able to keep bad people off the internet because we would know who they were. And they sort of never imagined that the tools that they were building as a way to share information among universities would ultimately become the underpinning of all of global commerce. And that not just that, but we're sort of moving into this new era where we are about to remake all of the same mistakes that we have made with our information over the last quarter century, over the next decade with all of our stuff. And that the rise of this so-called internet of things where your computer, where your car becomes a computer, where your toaster becomes a computer, where your refrigerator becomes a computer, where your pacemaker becomes a computer is fundamentally all moving into a world where all of that is just as insecure as the internet has proven to be over the last quarter century. And that we've sort of gotten really, really used to, getting new credit cards in the mail on a regular basis when such and such retailer gets hacked or your health insurance records get stolen or any of that type of stuff. And it's sort of one thing when your desktop computer is getting hit with ransomware and freezing up and you can't get to your family photos anymore. It's something else entirely when you're talking about people's medical devices being hit with ransomware or when you're talking about cars driving down the road at speed on the interstate being able to be hijacked by hackers, which has already happened. This is, none of this is actually sort of fundamentally science fiction. 
This is hackers have in a controlled experiment demonstrated their ability to get in through, get into a Jeep Cherokee through the air conditioning system and access while it's driving at speed on the interstate, the braking system and they were able to shut off the engine entirely and drive the car into a ditch. And ultimately Jeep recalled 1.2 million Jeeps to fix that little bug. But that's sort of the type of thing that we are going to experience on a more regular basis. We use the analogy in the book that we have sort of realized we are living in a house of straw and we are watching the wolf approach and we are madly trying to stuff more stuff into the house of straw rather than actively trying to get into a more secure house, which does not end well for the pig living in the straw house.

And that this book sort of walks through how we have sort of at every turn systematically underestimated the way that bad actors were going to use the internet against us. And that sort of at every turn of the last decade, despite all of the energy we've put into cybersecurity, all of the effort that the government has put into so-called critical infrastructure, we have at every turn misguessed, misestimated where foreign nation states would attack us. That sort of we spend so much time worrying about the power grid, worrying about water supplies, worrying about hospitals. The first place that Iran hit us was a casino. They, Iran hacked and attacked Sheldon Adelson's Bethlehem, Pennsylvania casino when Sheldon Adelson made some, Iran thought, insulting remarks about how Israel should turn Iran into a radioactive mushroom cloud. And Iran retaliated with bricking the entire Bethlehem casino, which we sort of look at that as an attack on physical infrastructure, but it's ultimately an attack on free speech. It's a foreign country coming into the United States and saying, you can't say the things that you get to say as an American without us hitting you in America.
Similarly, we have spent an inordinate amount of time thinking about what a rogue, nuclear armed nation's attack on the United States would look like. The government has done extensive war games thinking about how to respond to a North Korean attack. And it had never guessed that the first place that North Korea would attack the United States was going after Sony Pictures Entertainment. And that, again, you have an attack aimed at attacking American values, sort of artists and creative people in the United States can't make the art that they want to make without being threatened by foreign powers who sort of ultimately, remember North Korea was able to keep that absolutely terrible Josh Rogan movie from being shown in movie theaters, which is sort of, which if you have seen it is a gift to everyone who didn't get to see it. But at the same time, we don't want American art being driven by sort of what foreign dictators think can and should be released inside the United States.

We've spent an incredible amount of time sort of safeguarding the nation's military and intelligence secrets from China. What we didn't anticipate was that China was going to steal all of the federal government's personnel records in hacking into the Office of Personnel Management and be able to learn sort of not just the most intimate details of all of the federal employees' backgrounds, their families, their SF-86, which is the form that you fill out in order to get a security clearance that forced you to list basically every intimate thing that has ever happened in your life that could be potential for blackmail that China now possesses of sort of every government employee. Also, China now, because actual CIA employees don't go through the regular federal OPM record process, they now know any diplomat who shows up at any embassy anywhere in the world whose personnel records China doesn't have is now a CIA officer.
And they have been able to sort of with this reverse negative relief resource that they created by stealing the personnel records been able to compromise an entire generation of American intelligence personnel.

And then of course Russia, we have spent so much time worrying about the power grid, worrying about access to water systems. And the thing that we were not looking for was Russia attacking America's confidence in America. We sort of weren't looking, we weren't thinking about the Russia's, the way that Russia came after the 2016 election. And we talk about in the book sort of how much of this really hinges on Sony Pictures Entertainment, which America learned, America watched the Sony Pictures hack go down. We read Amy Pascal's leaked emails, sort of all of the terrible things she had said about all of the other movie stars. And the lesson America learned from Sony Pictures was you need better passwords, you need sort of better drive segmentation to ensure that a hacker who gets into your system can't move from this system to that system, better security for intellectual property, blah, blah, blah, blah, blah. Russia came away from the Sony Pictures hack with a very different lesson. Russia looked at that and said, oh, the US media will just publish stolen emails if you steal the emails and give them to the media. And so not that long after the Sony Pictures hack you begin to see Russia start rooting around looking for emails that they can steal from the DNC, from John Podesta, from the D triple C, and are sort of able to launch this incredible attack on the 2016 election.
Again, that we were sort of largely unprepared for, that we had been focused on critical infrastructure in 16 different sectors as defined by the Department of Homeland Security, none of which were the election system, which sort of led the US DHS and the intelligence community to sort of rush to begin to try to figure out how do you secure the election system with like 75 days notice in the summer of 2015, the summer of 2016. And that sort of the challenge and sort of the fear when you sort of go through these attacks and look at them is where is our imagination going to fail next? If we sort of look at this and we look at the most devastating attacks that the country has faced, they are almost entirely the things that we don't imagine. And they come from incredibly unlikely places.

I talk about in the final chapter a story that I've spent a lot of time reporting over the last two years, which if you remember the fall of 2016, actually almost exactly two years ago, there was a Friday afternoon on the East Coast where the internet sort of ground to a halt. It was an attack by what was known at the time as the Mirai botnet. And what this was was a sort of an internet weapon of mass destruction. And it was a network of hijacked internet of things devices, home thermostats, security cameras, wireless routers, sort of all of those things that you plug into your house and you sort of never think of again, turns out the security on them is terrible. And they're sort of mostly made in China by lowest common price manufacturers with very little security thought went into them. And so they had been harnessed together in this network to do what was called a distributed denial of service attack, a DDoS attack. And so they were all sort of trying to access the same web pages at the same time and drowning these targeted websites in traffic.
And what was happening to us sort of in public that we saw, which is why the internet ground to a halt for everyone on that Friday in October, which we thought was the beginning of a massive cyber attack against the election, not realizing that we were actually already living through a cyber attack on the election at the time was that they had hit one of the main sort of phone books on the internet. And so, your computer couldn't tell where Netflix was or where CNN.com was because the phone book was down. And so it had been, this Mirai botnet had been sort of knocked off the internet offline for most of the East coast.

And what we now understand is that it was a weapon built by and created by three college age students who were trying to attack rivals in the video game Minecraft. And that they had built a tool more powerful than any tool that anyone had ever built on the internet before without really meaning to. And that it was just sort of a much more effective botnet than they had meant to launch. And it actually sort of over the course of the fall of 2016 grew to the point where it knocked the entire country of Liberia offline for a weekend when it was sort of turned against Liberia for complicated reasons. And ultimately these three kids were caught by the FBI. One of them was a record student, one lived in New Orleans, one lived in Pennsylvania. And they'd never met in person, sort of never meant to build this thing and caught by the FBI, pleaded guilty. And about a month ago in a courtroom in Alaska were sentenced to creatively five years of working for the FBI. In order to, because the FBI basically realized that these kids were smarter than anyone that they actually had working on their cyber team. And so they were sentenced to five years of community service with community service defined as service to the FBI. And this is a tool, the Mirai botnet, that was literally more powerful than anything a nation state possessed in its arsenal a decade ago.
If you were the most powerful nation in the world 10 years ago, you could not have built a tool as powerful as these three kids sort of built accidentally and then deployed against their rivals in the video game Minecraft. And that's sort of more like what we're going to see going forward than what we have seen in the past. And so the book is sort of an attempt to try to explain through walking through these cases, how these unfold. And then sort of part of this is also really looking at how we should think about this. That there was sort of this very interesting and important turning point in the 1990s between the US and Russia where this problem was emerging and the US defined it as cyber operations. And so we have grown up in ability that's very technical, that's sort of focused on network exploitation that is focused on sort of getting into other people's systems, defending our own systems. Russia defined it not as cyber but as information operations. And that that has meant that they have sort of looked at it much more holistically than we ever did. And that they came at the 2016 election sort of with this different mindset, not just thinking about how do you do the bits and bytes but how do you deploy the information through the bits and bytes in order to influence and achieve your strategic goals. The last chapter of the book, we look at sort of this problem of fake news which we mean in sort of the strictest definition not the presidential definition of sort of anything that he doesn't happen to like at that particular moment but fake news as a weapon. 
And sort of the challenge of what Russia did in the 2016 election and actually again sort of how many parallels there are to what ISIS did and what a group called the Syrian Electronic Army did which is one of the cases that we talk about in the book sort of this incredible fascinating case that sort of shows how complicated and global these challenges are where a hacker from the Balkans living in Singapore broke into a US retailer and then stole credit card data, stole user data, sold it to the Syrian Electronic Army which is sort of a digital terror group associated with the Bashar al-Assad's Syrian army and they weaponized it, turned it into a kill list of US servicemen that they then sent out over Twitter back to sort of radicalized supporters in the US saying here are the names, addresses, telephone numbers, email addresses of US servicemen and women, go kill them and it ultimately didn't translate into any servicemen or women being killed in the United States but it certainly could have and that this is sort of the types of challenges that the government is beginning to try to wrap its arms around in this world. I might sort of stop there and take questions because I've covered sort of an incredible amount of ground and can sort of dive into any bit of this in more detail. Yeah. Yeah.

Are we as we meaning this country actually trying to think more creatively about this threat now? And secondly, we all go home tonight terrified and go back to our jobs tomorrow. Is there anything that we can do to help either protect ourselves or help direct things in a better way?

Yeah, so both good questions and the first answer is and they're sort of very much related in some ways. The first answer is like, yes, sort of. The government is getting sort of much better at this and partly that's the strategy that the book lays out of taking public action against these against foreign nation-state hackers who are coming after the US.
And this is the book, sort of the reason that John asked me to sort of team up to write it was the goal, you know, his whole strategy in the Justice Department was transparency. The government needs to be better about talking publicly about these threats. He still didn't think the government had done a very good job at that over the course of his time. So we wrote the book to try to help spread the message of what the government has actually done. And it's sort of fascinating and remarkable in when you begin to sort of look back over this. So the first place where the strategy comes together is the charging of five Chinese PLA hackers for targeting US Steel and a number of other companies for economic espionage in 2014. And these cases sort of, that was the first one and it was incredibly hard put together by this team, this incredibly small team inside the Justice Department. But it's become sort of a more regular feature. And the US this year alone now has brought public charges against Iranian hackers, North Korean hackers, Russian hackers, and Chinese hackers. And even though those cases for the most part don't result in people showing up in US courtrooms, they actually do have a pretty powerful effect, which is it makes life really unpleasant to be under US indictment, even if you are not currently in handcuffs from the US government and you can effectively not travel outside of your home country anymore. You can't travel to most Western countries, European countries, even most African countries or South American countries. And sort of one of the things we talk about in the book is like hackers have girlfriends and girlfriends wanna go on vacation. And the government has had actually a tremendous amount of success capturing hackers for foreign countries while they're on vacation. 
And one of the cases that we talk about, which I would almost guarantee no one in this room has ever heard of, is a Burlington case where the US captured an Iranian hacker who had broken into a Burlington defense contractor and stolen their missile guidance simulator. Taking it to Iran. Guy goes on vacation to Turkey. US nabs him in Turkey. He spends 18 months in a Turkish prison awaiting extradition and comes back to a Burlington courtroom here and pleads guilty to cyber espionage, which I would imagine none of you have heard of, which is sort of a testament to how poorly the government has done actually celebrating the rare successes that it has had. But that was sort of for, at that moment, a real groundbreaking case. And that what we have seen in the year since is sort of similar actions applied to Russians. The US actually captured some very high profile Russian figures last year on vacation, one in the Maldives, one in Spain, one of the most notorious spammers in the history of the internet who was at one point responsible for about a third of all of the spam that was sent online was captured on vacation with his family in Spain last year brought to Connecticut and I think just pleaded guilty, found guilty at trial. And that this is sort of trying to become a much more routine thing.

The Deputy Attorney General Rod Rosenstein on September 25th this year made public a set of changes to the US Attorney's Manual that says that the US government will now default to making charges of election meddling public, which is actually a pretty significant change that this is now, this is something that the government is going to make public and make public sort of as quickly as it can, which is interestingly the criminal complaint that came down that was announced on Friday was actually signed on September 28th.
So just three days after this action, which sort of leads to interesting speculation about why was that action taken on September 28th and then why was it not released until last Friday? And the answers could include such intriguing possibilities as the US thought it had a chance to capture that woman somewhere overseas between the 28th and last Friday and perhaps did capture that woman somewhere between September 28th and last Friday and that while she's not in US custody yet that the government has not said anything about whether she is in custody somewhere, which leads to some intriguing possibilities about sort of that action there. To the second half of the question, sort of what can we do about it? I think that there are sort of two really important things to do about it. One is this, we sort of talk about this or we sort of think about this problem often as sort of black magic that this is like super cyber ninjas battling other cyber ninjas deep inside the inner tubes and it's completely incomprehensible to us. And the answer is almost all of this happens because people do incredibly dumb things like use the word password as your password. And that this is sort of mostly an IT problem, not a security problem. And that if you do sort of an incredibly short list of things that are pretty easy to do in your daily life, you can both sort of avoid being targeted by cyber attacks in general and then also make it much harder for everyone else doing bad stuff on the internet to do bad stuff on the internet. 
And that's sort of use strong passwords, use a password manager if you can that sort of helps you organize and use strong passwords, use two factor authentication and sort of on anything that you can, which is on your Facebook or your Twitter or your email, what it'll basically do is it'll make you, it'll text your telephone, you both have to enter your password and then it'll text your telephone, a special code that you also enter, which makes sure that it's actually you because only you theoretically also have your telephone at the same time as your password. And so if a Russian hacker is, has stolen your password successfully, they still won't be able to get into your account because they don't also have access to your telephone. And then the second thing is like vote for policy makers who are going to take these issues seriously. And I don't actually mean that as a partisan comment because it's not, it's when you look at the Mark Zuckerberg hearing on Capitol Hill in March of this year, it was not significantly more sophisticated than Ted Stevens talking in 2006 about the internet is not a dump truck, the internet is a series of tubes and that there were sort of members of Congress, you know, US senators sitting in that hearing who didn't understand fundamentally what Facebook's business model is and sort of didn't understand the advertising system and the data that went behind it. And, you know, we need people in these jobs who sort of understand these issues in order to ensure that we're making smart policies about this and that this is in some sort of, whenever there has been new technology that has come into the fore, we have created new regulatory agencies to deal with it. We did that with the railroads. We did that with sort of mass production food. We did that with cars. We did that with planes. 
We did that with, you know, TV and radio and we sort of don't have any good system in place to regulate or to provide oversight for this incredibly massive and incredibly important new world of technology.

Yeah.

Are you saying what everybody else is doing to us? Are we, is this country doing the same thing to everybody else?

Yes, and sorry, I meant to answer that as part of the other question, which is...

You have to excuse it.

Yeah, well, so, and this is sort of, this gets into this really complicated and thorny policy question. I mean, none of what I'm talking about is sort of easy or straightforward. And part of that is one of the reasons that we have been really loath to take aggressive action in this world is we're the most wired of all of the countries. We are the most vulnerable on every stage of this. The entire country of North Korea has fewer internet addresses than probably the downtown core of Montpelier does here. So, you know, even if we were able, even if we had turned around Sony and hit and totally knocked North Korea offline, it wasn't gonna matter that much.

But what we have done is some interesting and actually really sort of important and effective work on what you sort of loosely would call offensive cyber operations. And we were the first ones to do it. We crossed the digital Rubicon first by attacking Iran's nuclear program with something called Stuxnet, which was, I'm sort of oversimplifying an incredibly complex attack, but we sort of injected malware into the centrifuges in Iran's nuclear system that caused them to just act wacky. And so they would tear themselves apart and destroy themselves on a semi-random basis. And what was so effective about that was we undermined the Iranian scientists' confidence in themselves. And so they thought they were setting up the centrifuges wrong. So they would sort of take whole sets of centrifuges down offline to try to figure out what they had done wrong.
And then they'd start them back up and three more of them would blow up. And it was sort of a particularly insidious attack in a way that if we had actually just dropped a bomb on the facility and blown them up, they would have known that we'd blown it up and they would have been able to sort of start from scratch. And this really delayed the nuclear program for about two years, which sort of ultimately I think had a pretty important part in bringing them to the table for the Iranian nuclear deal. And then the US Cyber Command and the NSA launched this incredibly effective series of attacks on ISIS that really helped sort of break up ISIS's command and control system on the ground in Iraq in a way that was really effective. And then actually just literally today, there was reporting in the New York Times that the US has launched the first offensive cyber attacks against Russia and that we have begun basically telling Russians who are messing with our midterm elections that we know who they are and that they're messing with our elections. So we don't know exactly what that looks like, but it's sort of as simple a concept as we're emailing individual Russian intelligence officers and saying, hey, Vladimir, we noticed that you're trying to hack the election. Just wanna let you know that we know you, Vladimir, live at such and such street in St. Petersburg and we'd really encourage you to do something different with your life. And that, again, that that sort of actually can be very effective because you don't really, as an intelligence officer, you don't really wanna be on a foreign intelligence agency's radar. It sort of makes you pretty ineffective at the job that you're doing. 
And if, by the way, and this sort of again gets back to the question of sort of, you'll hear these indictments denigrated as sort of naming and shaming, but if you are an advanced, capable Russian hacker, maybe you go work for a legit company rather than join the government if you think working for the government is going to end up getting you on a no-fly list to Western Europe. Or if you are, and I talk about one of these cases, here one of the most effective Russian cyber criminals, we never caught him. We have no idea how much he actually stole from the US. It was this case called GameOver Zeus. And we stopped counting when he successfully stole $100 million from US banks. So it was somewhere north of 100 million. We just don't know how far because we only bothered to count the first 100 million. Indicted him in 2014. And he hasn't been seen on the internet since. Sort of no one will partner with him to sort of launch another cyber attack, cyber crime scheme because who wants to partner with a guy who's under indictment for the US government party. Yeah.

I'm just thinking more in line to your history plus of interfering with doing the same thing in a cyber level now?

No, we're not. And part of the reason is we have sort of figured out that it actually wasn't that effective, that we sort of weren't that good in interfering in South American, Central American elections in the 50s, 60s, and 70s. And so we sort of gave it up as an intelligence enterprise. Yes, it turned out to be unfortunately quite successful against us. Yeah.

Yeah, hi. I want to go prohibiting electronic voting in Vermont. And I've been following who stole a lot from Rome over the years. And the interesting situation with the DNC sealing the loans from Sanders when he apparently would have won. Taking it, you know, jumping up to that. That made everybody who denied, including Obama, all the way down. Everybody denied, oh, that that can't happen. It can't happen. It can't happen.
And then suddenly, and this is what I think is extremely funny. Oh, but the Russians can do it. Sequoia can't do it. Diebold can't do it. The states can't do it. Nobody can do it. Oh, that's ridiculous. Oh, but Russia can. So can you explain that hypocrisy in all lab? And why isn't anybody prosecuting the DNC for stealing? I know Sanders doesn't want to have anything to do with it, but why isn't there a story about the DNC stealing from Sanders? And what's this sudden, oh, Russia can do it if nobody else can?

Yeah, and I think that sort of one of the weaknesses that the sort of 2016 attack showed from Russia was the challenge in our election system is it only works if we have confidence in it. And we sort of only believe the results because we sort of think we should believe the results. And what makes, and this was sort of what I was talking about in the fall of 2016 is like the worst case scenario for an election attack was you wouldn't even have to prove that you'd actually changed a vote. All you would have to do is sort of show a screenshot of being inside the Broward County clerk's office voting database. And if they just released that on election day, that would be devastating to the sort of American confidence in the system. And I think that that's where people are most worried about where this is going is sort of the next stage of the cyber attacks that we haven't seen yet is a data manipulation attack where you go into a bank's system and announce I've changed one of the things one percent of all of the accounts. Or I've sort of randomly reassigned people's savings accounts across the whole database. Or you go into a hospital and tell them that you've changed all of the blood pressures for all of the patients.
And that so much of our digital life now exists sort of inside these databases that we don't have, I'm oversimplifying this obviously because there are backups and tape backups and sort of that type of thing but there's sort of no real reason to believe that they work except that we're told that they work. And you could sort of imagine any number of nightmare scenarios where you sort of attack the confidence in the American economy or go after the stock market or something that could have huge widespread attacks. The actual, no one knows this but the most devastating financial cyber attack ever in terms of damages caused was a Syrian Electronic Army hacker who hacked the AP's Twitter handle and sent out a tweet saying explosions at the White House, President Obama injured. And it caused in just seconds something like a $1.2 billion drop in the stock market. And the whole thing was sort of corrected and shown to be false in something under like three minutes. I mean it was just a snap. But you wouldn't have to sort of imagine too much from that to sort of see how the next stage of these attacks could play out. And we're not through the midterm elections yet. There's sort of plenty of reason to believe that there is the possibility that we'll see something like that unfold in the next two weeks. Yeah.

I go on cyber insecurity of the polling system.

Yeah. And the sort of the good news, bad news is like America's voting system is so broken it would be really hard to hack at scale. Which is not to say it could not, parts of it could not be targeted quite successfully. There are, I think it's five states that don't require paper backups. John was actually one of the lawyers pressing in the Georgia case to force Georgia to use paper backups. And they did not get that. So Georgia is moving forward without paper backups. And it's an old digital system which is sort of a recipe for disaster.
And this is sort of one of the corners of critical infrastructure that we've just thought very poorly about. I mean, we've sort of poured an incredible amount of resources into things like the electrical grid. The electrical grid. But, you know, it wouldn't.

It sounds like we've been thinking about it since at least 2005.

Yeah.

And yet when there is the legislation, I think it's HAVA.

Yeah.

And the attempts to include security in that have been fought.

And they've been fought, this is sort of part of the general problem of a lot of these cyber threats. And most particularly, you see it in the elections, which is, you know, this is a system that is overseen in 110,000 different precincts, you know, with different technologies, with incredibly different varying levels of technological skill and know-how. And, you know, in many ways, the Vermont town clerks with their binders of paper voter data actually turns out to be the most secure best system for the 21st century. But this has been, the federal government sort of tried to step in in 2016 on an emergency basis. And we talk about sort of one pretty spectacular scene where Mitch McConnell and Paul Ryan sort of shot down the attempts to make this a bipartisan effort in 2016. And, but then sort of there was this whole secondary thing where governors and secretaries of state saw DHS, you know, arriving to help as the federal government sort of arriving to take over state elections and, you know, sort of undermining the very sort of federalism that underpins the American system. And that this is, you know, I think sort of one of the things that leaves me sort of really worried about the next phase of this sort of everything, not just the election, but everything is the government's efforts writ large in this space are short by I think sort of multiple orders of magnitude. So DHS is the agency on the civilian side that is sort of the lead for cyber incident response.
It doesn't do the investigation, which is what the Secret Service does and the FBI does. Secret Service handles sort of non-nation state cyber stuff. FBI handles nation state cyber stuff. I'm oversimplifying broadly and generally. But the DHS right this fall is trying to sort of finally rename the part of DHS that does civilian cyber incident response from what has been for history called NPPD, the National Programs and Protection Division. I don't even think I have that right. And I'm probably one of the only people who actually knows what it would have stood for at all. But they're renaming NPPD CISA, the Cybersecurity and Infrastructure Security Agency. So that you will at least now know that that's the part of DHS that's supposed to do cybersecurity. Once they end up transferring out all of the parts of NPPD that don't do cybersecurity and leave just the part that does cybersecurity, there will be 1,200 people at DHS doing cybersecurity, which means that there are fewer people doing cybersecurity for DHS nationally for the entire U.S. economy and government than JPMorgan Chase employs to do cybersecurity just for JPMorgan Chase. And so no wonder the government is not in a position to be doing what it needs to be doing for voting systems, for electrical systems, for healthcare, we just don't have enough people doing it. And you sort of look at the infrastructure that we built after 9-11 for counter-terrorism, the brand new agencies, tens of thousands of people, every single airport screener in the entire country, now a federal government employee under an all new agency. And we have yet to have sort of any similar shift in resources to combat cybersecurity. Yeah.

But it's not been stronger, it's just incredible how cheap it is for the net up. And I want to ask if you see, or not new, but has there been any evidence of their having meddled in the Brexit vote?

Yes, I think there has been evidence sort of how thoroughly, how successfully is a separate question.
I've seen pretty conflicting reports about sort of whether it had any measurable impact. And this is sort of two quick points in this. One is, the reason to do this is it's super cheap. The, all of the Internet Research Agency has dedicated, the number was in the Friday indictment, something like $30 million to attacking US information, influence operations over the last three years, something like a million dollars a month. If you look at what Vladimir Putin has gotten out of helping Donald Trump win the presidency, a million dollars a month is like literally nothing in the scheme of sort of super power politics. And then I think sort of part of where this really gets complicated is, and you saw this again in the Friday indictment, and you saw this, you saw the president say this the other day, and you sort of see this gets into the Brexit question too, is the language that keeps coming up in these indictments, is there's no evidence that votes were altered, which is a very, very different thing than saying that votes weren't influenced.
And that I think it's sort of impossible to look at Brexit or the US election in 2016 and not look at the environment that was created and sort of inflamed by Russia's efforts and not think that in an election decided by 86,000 votes across six states, that that wasn't probably determinative that there was not sort of sufficient noise injected into the system that drove everything from James Comey's decision to hold a press conference in the first place to his decision to announce the Anthony Weiner laptop at the end, that that wasn't sort of actually very much driven by Russian noise and sort of people sort of skip over sort of one of the things that Comey has even said is that his decision was actually, his decision to hold that July press conference was actually very directly influenced by Russian misinformation that he knew was Russian misinformation, which was there was this rumor that Russia was circulating online that Loretta Lynch had been compromised by the Clintons that he knew was floating around in intelligence circles and he knew was fake, but he feared if it came out it would undermine any confidence in Loretta Lynch making the ultimate decision in the Clinton emails. And so he has sort of framed his decision to step out and do that press conference as sort of the way to ensure that Russia didn't undermine our confidence in Loretta Lynch, which is sort of a really stunning and very, very weird set of circumstances to imagine, again, you don't have to get down to, Russia actually hacking Wisconsin voting systems to sort of see how those things ricocheted all the way through the 2016 election.

Think maybe one more question. I don't wanna go all night here.

Okay.

So yeah.

Do you think paper ballots is the way to solve that problem that's been hacked?

Yes, yeah. Or paper backups effectively, that you need. Well, so there are sort of multiple levels of things. One is, you need a paper backup.
Two, you need sort of effectively like across the board digital audits to make sure that the votes are actually, the votes recorded are actually similar to the votes that were actually cast. And we don't do a lot of that. And in particular, we sort of only do that in places where there's sort of, it's actually super close. So like, if you hack a landslide, like we're never going to notice that. Like we're only gonna really try to catch it if you like, you know, you hack a five vote margin.

All right, well, thanks so much for coming out. Thank you. Good luck getting through the next two weeks. Thank you.