It's a little harder. Come on, guys. Come on. Did everyone have lunch? There you go. All right, everybody. Welcome to the ransomware panel of Theseus. I think Chris is the only one who is the original speaker. But we've got, I think, a great lineup here. My name is Kevin Collier. I am a reporter at NBC. Here we have Jay Healey, who is Senior Research Scholar at Columbia School of International Affairs. Rob Graham, founder of Errata Security. Liz Wharton, Chief of Staff at Scythe, and the former Senior Assistant to the Attorney for Atlanta. Chris Painter, who's the co-chair of the ransomware task force, as well as a long-time Fed. And not anymore. Former, former Fed. And then Kurtis Minder, the CEO of GroupSense and kind of a celebrity ransomware negotiator. So yeah, I wanted to start this off. Liz has a claim to fame here to put you on the spot of helping Atlanta through one of the earliest major urban ransomware attacks in the United States, the Atlanta. And if you don't mind giving us a very, very brief overview of what happened. And I'm curious for all of us here, what lessons we did or did not learn from that and how the scene has changed between then and three years later now. I mean, no pressure. And by the way, I had nothing to do. I have an alibi. I had only started working for the city for about a year prior and was technically staffed to the airport handling their technology. So I was playing with drones on an airfield when on March 22nd, 2018, I come into City Hall and some of my colleagues start going, hey, I can't access my computer. Are you getting anything? And in the back of my mind, I start going, oh dear. And that's not what I said because I'm trying to keep it somewhat PC. I have the vocabulary of a well-educated sailor. And I was using conjugations of the f-bomb that I think everyone would be impressed by. But realizing, like, oh god, this is what's happening. And this is what's going on.
And so what I'm really excited for the conversation too to kind of goes, this was three years ago. There was no discussion of paying the ransom, at least in the mayor's offices. There was no conversation. And for anyone out there who was texting me and asking, hey, can I get some malware samples? Can you? And I'm like, I'm trying to help rebuild city architecture that is right now burning to the ground. So insert your jokes about Atlanta being a phoenix and having to rise from flames again. But really looking at what some of the other speakers have worked on, especially the policy that came out with the commission and all these different reports and stuff, the evolution of the conversation and how better prepared we are to deal with it in some ways, I think is going to be interesting, because Atlanta had to rebuild pretty much everything. At last count, it was a $20 million and going tab. And whether some of it was old architecture, if you look through the budget requests, you may see some stuff that was built into what they did that was no surprise. They've been asking for it for years, and suddenly it's a priority, because you needed it. So I mean, the context and the framework is completely different, and it's been three years. I'm going to open this up to all of you guys. Did we miss the boat? Was there something we should have done between Atlanta and now? Well, I think one of the remarkable things is that we've treated this as a back burner issue. We're really focused on nation-state attacks, SolarWinds, other things over the years. And those are important. We need to focus on them, but we didn't really focus on cyber crime at large and on this kind of activity. And this is one of the reasons this ransomware task force that I helped chair was launched by a group called the Institute for Security and Technology, a think tank out in California.
And they brought about 60 different folks, people who do cyber insurance, people who do computer security, former government people, like me, some current government people. And part of the real reason to this is elevating the attention to this issue from this back burner issue to really a national security priority, which now it is. And for me, we issued our report a week before Colonial Pipeline. We also had nothing to do with Colonial Pipeline. Seems like we did, in that sense, to draw attention to it. But overnight, this went from this back burner issue to something that has been a core priority for the US government. This is, they constantly are talking about this and very, it's good they've looked at our task force report and the 45 recommendations in it, which really covers soup to nuts in this. It was almost, again, back burner to being on the front of the agenda for the G7, NATO, the meeting with Putin, that's significant. And many of us in this room who've dealt with cybersecurity for years, and I've been involved for about 30 years in different capacities, have been waiting for this to become a mainstream issue, waiting for people to really focus their attention. Not just on this issue, but across the board. And we've heard again and again there's a wake up call when people go back to sleep and it hasn't really caught fire. And I think this really does because Atlanta was, in a sense, a real first time, not the first time it happened, but something that was important. But when people have to wait in line for food, or for gas, or worry about getting their hamburger, or the Irish healthcare system is affected, that makes it more visceral to people. And I think this has really changed the game in that. At least I hope so. Now, I flew into the airport yesterday and of course if you read all the signs in the airport, all the companies have already figured out to solve it, so job done, we're finished, right?
But there's a lot to do here and we really need a sustained effort and I, once in my life, believe we're gonna get that. Well, in kind of fun note, Atlanta's cybersecurity insurance policy was not a month old and we had checked all the boxes when they asked us. Can I ask Chris a question? Because one of the other things that we hear a lot and from a friend of ours is saying, you don't have a security problem, you have an adversary problem. And certainly when we're looking at the ransomware, a lot of them seem to be Eastern European and Russian. And so is it possible that we can political science our way and work with them to get us through this or is the problem still gonna remain? And I think, Kostya, you heard his question. So, I've dealt with the Russians when I chaired, I've dealt with the Russians. I used to chair a G8 when it was a G8, a high-tech crime group and dealt with them that when I was a prosecutor dealing with trying to get evidence from them. And not surprisingly, there's not been great cooperation on cyber crime cases from the Russians. Sometimes because they're state sponsored, sometimes because of corruption, but sometimes what we apparently see now are these rogue criminal groups. I do think this opens a possibility of cooperation because they're not likely to say, oh yeah, you got us on the state sponsored thing and we're gonna work with you. But if these really are rogue criminal groups, they're sticking their heads up maybe too high, it's no real skin off Putin's nose to take action. But he has to feel it's in his interest. And so far until recently, I don't think he really has. So I do think there's a chance that we can get some traction on this. Now there's been the typical trading back and forth, Russia says, oh, we have 40 requests to be made in the US and we've never heard anything from them. I will tell you, in my experience, there's usually been requests for things that we can't cooperate on or not complete requests. 
Can't say what these ones that are pointing to are now. But I do think, Jay, that there is a chance, even if we're not gonna cooperate on lots of other things, because election interference on other things, still a big issue. But I think there's a chance maybe we can make some traction here, hopefully. We'll see. And as Biden has said, time will tell. Yeah, and I just wanna say, we take inventory of how the threat actors gain access in every case we litigate. And we boiled that down to a very short list of nearly 100% preventable things. So, I'm all for the diplomacy route, but channel Stephen Covey, maybe, sphere of influence. And if we locked our doors here, we fixed our own problems first, that would be a good place to start. Let me just say, I completely agree with that, that the number one thing to do is harden our own targets. So yes, we have to go after the safe havens. Yes, we have to go after the ransomware actors. Yes, we have to try to figure out the cryptocurrency chain. We've gotta do all these things we talked about in a report, but if we don't actually secure our own systems and do a lot better than we have now, and again, we've been talking about this for 25 freaking years, we're not gonna get it. It's like the same five things over and again. So, I want to disagree vehemently with that. It's nonsense. So, yeah, the way you secure your home is you lock your front door. The way you secure a bank is not lock the front door. The bank has to be open for business. You have to have people come in. And it's the same thing with networks. We can always look at when they came in, the flaw that they use this time to attack me. Like I didn't apply a patch to that VPN concentrator or this desktop user clicked on something. But when you look at corporations and how they have to manage things, if they applied every patch to every product, as soon as it arrived, the network would be down basically all the time because all the problems that patches have. 
There are good reasons why patches don't happen. Same with users clicking on things on their desktop. Users, part of the business throughout their day is they click on emails. They have emails coming from all over the place, customers, partners, whatever, that have PDF attachments that they're supposed to read. And they have to do these things. And yeah, you can say like you shouldn't have clicked on that, but that's indistinguishable that malware from just the HR email I got five minutes ago that said click on this. We're not talking about sophisticated attacks though. We're talking about, they're just logging in using credentials with bad passwords being reused in third party sites. I mean, that's what Colonial was, right? We're in this position though. I mean, where it's hard. I mean, how many of us here are really sure that we've got all of our stuff locked down, right? I mean, this is us. And I still know a lot of us. All right, one guy. And yeah, but it's difficult in knowing, how much of it is, can we absolutely do, right? You see that we can absolutely take care of versus the stuff that's really complex. And we've got complexity all the way down in this. And I'm with you, right? And I think this is gonna get us an insurance on this is how much is, can we really anticipate folks? And if it goes wrong, we can clearly say you should have done X, Y, and Z, which is I think you're going, versus saying if they wanna get in, they're gonna get in. And we can't keep blaming others on this. And they did the standard practices they would have required will be on best practices to keep these out until I think we can get past there. It's gonna be hard to be looking to insurers and others in this space. Yeah, I mean, that's another thing we've been talking about for years is that, I sort of disagreed with someone on the last panel. 
I'm not sure who said this, but I think the reason that cyber insurance hasn't really worked the way people predicted it would is we still don't have a standard of care. Whether everyone meets that is a different issue. And of course you can't be 100% compliant. I agree with some of the comments you made, but we have a very litigious society, so there's no shortage of lawyers. I'm a recovering lawyer myself, and so there's plenty of people out there. But because there's no standard of care, there's no real liability when people don't meet it. There's no real insurance standard to hold people to. And until we start getting over that, and I think it's interesting that with respect to critical infrastructure, I was very interested to see both Chris Inglis and Jen Easterly in their confirmation hearing saying maybe it's time that we do have some legislative standard of care for critical infrastructure. That we can't afford that if they're critical, they're critical, we should do something about it. Can I do a quick, just a quick. Not for everyone. If I can do a quick two finger, a lot of times when we're thinking, we're in a security researcher conference, and we're hackers, this is about, and when we think about solutions, our minds go to technology. And that's right and that's good. But what Chris is talking about here, it's a duty of care, it's a process thing, it's a legal thing. And yet if we can get that right, that it makes a lot of the other technological things and it prompts a lot easier to solve if we can get the policy and the other stuff right. But then again, legally, you shouldn't drive over 70 miles an hour or you start bringing things. We can have the best regulatory structure, but I speed. And if someone, oh. I swear we can fucking swear. I know we can fucking swear, I swear like a goddamn lady, I am a delight. But when you look at some of the stuff too, it's the resiliency. Like you know you're going to get hit. 
You know somebody is going to screw something up because we are human, or somebody has the 0-day that we don't know about and building at that resiliency and not leaving it to the lawyers to sue, because lawyers suck, we do, we are awful. And insurance, it's just money. It's not fixing the problem. So I think building in that resiliency so that when your system starts burning, you can kick into the, all right, this is our playbook. This is our plan. Let's do this or let's have that. Like knowing who to call is always my favorite because if you've saved the contacts in your contact system and the city has had to take down the entire network and everything and you're trying to figure out if you're old school like me, you had to print it out and saved on a piece of paper in your desk. Thank you very much. So I want to disagree with this whole standard of care thing because you have this government mentality that we need to regulate things. We need to punish people for doing something bad and you've already left immediately let's punish the victim. So it's not about stopping ransomware. What can we do to stop the ransomware? It's like, okay, we're gonna find the victims and then punish them more. We're gonna punish you for not doing this list of things that you should secure your network. And that's now we're gonna punish you so hard that becomes the greater risk than the ransomware attackers. So we're gonna make the government more of a concern than the ransomware. It's like the mafia is now taking control. We're gonna punish you more, fear us more than the common criminal. So I don't buy that analogy because it's not just regulations that solve the problem, that'd be ridiculous. We have to have a full spectrum including like I said, going after safe havens, helping victims to reconstitute their systems or give victims tools so they don't necessarily have to pay some good tools out there.
But for critical infrastructure, this completely laissez-faire approach we've taken clearly hasn't worked. And it doesn't mean going after them and punishing them. It means just expecting them to do what they should do. And so for too long I've heard this argument, oh, we can't do this because the technology changes. You're not regulating the technology. You're saying here's a basic standard. You can meet it any way you want, but meet it and it creates expectations. Motion. We do this with cars and almost everything else we live on with in our lives and we just don't do it in this area. It doesn't mean getting in the technology and doing this and everything, but for critical infrastructure, that's different. Thank you. Thank you very much. Right? Coolie. The moderator hasn't asked any questions. I mean, this is like the easiest talk to moderate. It just runs itself. Were you following up or were you ashamed? Oh no, I mean one of the things I think was interesting is the fear of information sharing that was going on again three years ago to have these conversations. And I as a member of the law department should not have better, I should not be able to go into the CISO's or CIO's office and say, hey, I can't tell you how I heard this, but have you spoken to some of your colleagues and perhaps other municipalities nearby? First words sounds like, because I hear they're currently undergoing an attack that they're not publicly disclosing yet. And I think we have some of the same vulnerabilities. But that information sharing, again, the lawyer should not be the one who knows that more than getting rid of that distrust and building up those opportunities to say, hey guys, we're seeing this. What do y'all think? How are you doing? What did you find successful? And I love to see some of that and taking away some of the, if somebody is, as we see with the vulnerability disclosure programs, which have their own issues, let's not talk about that, this is ransomware.
But having that knowing what's going on and knowing what works, knowing what doesn't, of like, yeah, sure, you can pay. And I'm sure y'all see that as you're negotiating, like certain folks is like, yeah, no sense negotiating with them because even if you wanted to, even if that was good, they're not gonna be able to give you what you need back to decrypt all your files or they're gonna take too long. I don't know. I mean, as the hostage negotiator, I'm sure you're there. No, so I think in every case, every case is different, but what we learned was on the customer side, it's not just about the prevention that we talked about, which is the basic cyber hygiene things that I think, I'm not talking about sophisticated zero-day attacks. We're talking about people literally just reusing passwords. I mean, we've been talking about this forever, but on the back end, when the attack actually is successful, to your point, the organizations have not been even remotely prepared, even mature organizations who've had very sophisticated IR plans and BCP plans, those plans have like a Venn diagram overlap with some of the ransomware items, but do not specifically address things that are ransomware related. So some of these very large, very well-known organizations, some of which you've seen on the news, literally crippled in the boardroom trying to figure out how to handle these things. And you know, I'm in there going like, hey, I figured you guys had your shit together because you're a company I know, but they don't. And so part of it is the prevention piece. And I also wanted to comment on, you had mentioned giving them tools, and that's one of the things, and I actually agree, we shouldn't be punishing the victims by banning the payment of ransom because right now, take all the big ones that you hear on the news out of the picture, we deal with a lot of small medium businesses as well, and those folks have two options, most cases. Go out of business, pay a ransom. 
And if you can't give them a third option, then that option has to remain on the table for them, or they're gonna go out of business. And we're not talking about two or three small businesses, we're talking about thousands and thousands of small businesses. And so the ransomware task force did address some of this. Coming up with a comprehensive plan to both help with the prevention and the recovery without paying a ransom is a better option than just better regulating, or I don't wanna use the word better, regulating cryptocurrency more stringently or just banning the right to pay. It'll also, it'll drive behavior underground effectively, like people are gonna pay it anyway, you're just not gonna hear about it, and the FBI's not gonna learn about it, we're not gonna get the data, right? We're not gonna know what's going on. So one of the things that, I mean, this is true not just ransomware, I mean, part of the problem is the reason a lot of these big companies don't have incident response plans or states or cities is even though groups like this, people know this is important, right? But we haven't been able to break through to get the people who are the CEOs, the people who are often high-level government officials until recently to say, look, this is really important. They treat it still as this technical issue when they wanna run away and their eyes roll up in the back of their heads and they say, you guys deal with this? And until this is looked at as a core risk management issue for companies, you're not gonna get there. So I think the silver lining of what we've seen recently is it's getting that level of awareness that maybe that will penetrate. One of the things we say is, we say this internally all the time, is ransomware is a security or an IT issue until you're hit, then it's a business issue. And it's both things.
And I think to your point, many of the companies aren't looking at the business aspect of this proactively, if they were, then they'd focus on those IT and security issues proactively. Can I add another? Yes, go ahead. Yeah, go ahead. If I can tie this back to the standard of care, because it was what we mean by the standard of care? Saying like, what's that minimum that we expect you to do? And if you did less than that, then you're not even meeting standard practice. And to Rob's point a little bit is, it's not necessarily that you should be fearing the government as part of that. But it's the consequences of making poor decisions and not putting enough resources onto the security side. And it's okay if people aren't doing even the most basic to say, there's gonna be some consequences to that. And if you're a really important company, like we might say critical infrastructure protection, then yes, maybe those consequences are gonna be from the government. But those consequences might be at the end of the day, you're gonna go bankrupt. And there's not anything anyone else is gonna be able to do about it unless you pay. Or it might be that you have to face your shareholders in the US system. If you're making bad risk decisions, the board of directors is supposed to be there to represent the shareholders and make sure that at the end of the day, you're not taking dumb risks. Well, and it could be you lose customer confidence or there's a reason the board doesn't make the Pinto anymore because it blew up. And so that caused a lot of problems. Pinto is a shitty car, old shitty car. Yeah, so, but I'd say just one thing on the payment issues. The task force did look at this issue. We couldn't agree on the issue should you ban payments and ransomware. Because some people started off in the video, they asked me to ban it. They're all about the money, you starve them with money, it's not gonna happen.
But then I think a lot of us came to the conclusion, and you heard this from Anne Neuberger when she was talking, giving a speech recently that she originally was in that camp and then moved over to maybe it's not such a good idea because you are victimizing victims in the short run unless you have a glide path over a few years to get in better tools. You are creating a system where it's probably gonna go underground anyway. So we have to look at that issue and there may be ways to limit how much get paid or pay victims enough to reconstitute, like have insurance for instance, pay to reconstitute systems but not cover ransomware payments. There's a lot of different things. One thing though we shouldn't do, which I was amazed to read this recently, was companies are tax deducting their ransomware payments which is like a stupid distance. Well, and then you also have to consider when you have and start looking at smaller companies and going back and of course I'm biased having worked for a city like a large metropolitan area and I was firmly, firmly, firmly, firmly never ever, never ever did I say never ever I meant never ever pay the ransom until I watched some of these smaller counties in very economically depressed areas get hit. And their choice was we can play hard ball. Yeah, sure, we should have done X, Y, Z, now we know but we have no budget. We have no staff. We have one person responsible for keeping our system online and they are using duct tape and everything they can to do this and if we don't pay the ransom if we do not find a way to get the systems back online in the next 48 hours, we will not be able to provide critical services to the trailer park or the, you know, some other area and you can't take that hard line when you start looking at kind of those. So should they have planned better? Of course. Did they divert money from one area to another? It's like, well, okay, we could upgrade this system. We could have much better.
We could deploy the latest, greatest and patch all the shit. Or we could provide food and other like services to our senior citizens or people who can't get somewhere. And that's a choice that kind of softened my hard little grinch heart and it grew a couple of sizes on that approach. And that's where- But not three, only two. Yeah, just two. I mean, you still should have patched some shit. So I wanted to actually write down notes about things that people said earlier. One thing was about raising awareness. And I think that's totally the wrong approach here because what happens is people are aware that ransomware is a problem, but there's very few talks about actually what's causing ransomware. Like what? How did the hackers break in? How did they, once they breach the perimeter, how did they then get to domain admin? And so people say, okay, we have a disaster recovery plan that we can recover from ransomware. Okay, so we're aware. But no, what you did was is your offsite, you know, backup data center that you have a thousand miles away is trusting your Windows domains back here on your corporate network. And so when the ransomware gets domain admin, they get all the domain admins. And now, plus your backup, your live hot backup site is gonna take control once your main site goes down. So you did disaster recovery, you're aware that you needed to do that, but you ignored the details. So there's all this awareness of there's a problem, but not so much people actually looking, you know, rolling up their sleeves and saying, okay, instead of the grand visions, let's actually sit down there and saying, okay, how do we structure domains in Windows, for example, so that ransomware, so they can like, infect our desktop users all day long, they're never getting domain admin. So it's like we're kicking this ant's nest.
Like every time we walk by every day on our way to school or something, we kick the nest and the ants come out and they all start rolling about or ringing about and then move on. And that's kind of like our approach to ransomware. We are aware, but we're not actually aware of the details. Listen, it's just burning to retort there. I wonder why we still have time, because we are, you know, it's really hard to solve ransomware in four to five minutes. I want to pivot to, you know, the Biden administration has done some things. You know, there's DHS regulations, there's the executive order, there's now a confirmed CISA director. Half a year in, can we kind of give an evaluation on how well the administration has done so far on addressing the problem? I guess I'll start. I will say, I actually, we give them high marks, but it's incomplete so far. So yes, they've, you know, they've only been in that office six months. It takes a while just to get the machinery of government going and get the people in place. You know, we just had Chris Inglis and Jen Easterly even join the team formally. But, you know, to their credit, when they came in, they said, they made this comment, which is much easier said than done. Cyber security will be a priority at every level of administration, is what Biden said. And you know, it's easy to talk the talk, but they've actually been following that up. And I see that in terms of people, you know, both at the level of the, you know, raising the level of the cyber advice of the White House and Neuberger's job, appointing the new cyber director, Chris Inglis, who's very talented. Jen Easterly, people in other departments and also the high level people, people like Ali Mayorkas and people like Tony Blinken over at State and the DNI are all people who dealt with these issues before in the Obama administration with China and others. So they're not, they don't need to be spoon fed this stuff, so that's good.
But then the executive order is another thing. My favorite part of any of the executive order so far has been the one that had, talks about the software bill of materials and actually uses the government's purchasing power and why we haven't done this before, I don't know, to try to raise the level of assurance. So I think that's great. But there's lots more to do. And again, they raise it also in my area since I was at State for such a long time on the international stage and really try to work with partners and allies to go after this and raise the temperature on countries who would provide safe havens. So that's all great. But even with respect to the Putin issue, I think Biden said it right. Well, the proof is gonna be in the pudding where you have to wait to see what happens. And then the answer, the question I have is if he doesn't play ball, if he doesn't go after these groups, what are we gonna do next? Because if we do nothing, we're paper tigers and we can't afford to do that. We've done that in the past. We have to make sure we follow through with allies and partners to make his life more miserable to go after these groups. It's not gonna be easy. So there's a lot, they've taken the right steps so far but they're still alive. So if I can, I don't kind of, I don't wanna take Kevin's job here, but the, so we had in September and October, US Cyber Command went after TrickBot. And right around the same time that Microsoft went after TrickBot. So I'm curious, right? If we're talking about ransomware, you saw some disagreement about what we thought about duty of care and what we think about the consequences and not blaming the victim and I think we all agree the government can be doing more. And the EOs as great as they are and I think they have been good, it still leaves you say, all right, well how is that gonna help the counties that Liz talked about in the school districts and the small and medium sized enterprise that Kurtis brought up?
And so I'm curious what we think about, one of the answers is, well, we've got this amazing offensive cyber capability at US Cyber Command. They can do direct action in a way that CISA can't as much as they'd like and they can do it at a scale that Justice can't, I would think, but maybe Chris, you wanna jump in there. I'm curious what everyone thinks, like is our answer gonna be Cyber Command or Justice? I can just say as a reporter that there are people at CISA who are also wondering that. I have views but I wanna go be first again so someone else can go in and I'll say my views. Well, one of the things in kind of sidestepping that a little bit, that's great, that would, when you start targeting one aspect of the problem, but one of the other things that pulling from the executive order, pulling from some of the legislative actions that Congress has started putting out there on the table are money. I mean, it's all about money. It's the money that the attackers are trying to get. It's the money that the data is worth. It's the money that should have gone to the systems to protect them, secure them, et cetera. The money that went into the staffing. And so seeing that come on to the discussion of not just let's do this, let's do that, but let's start directing, putting some money where our mouth is that is exciting to see that I thought was be it using the money of, hey, you want to get a contract with us? Sure. Show us that you're complying to, hey, you need to help work on some of these issues. We understand it's expensive. Here's some money to help do that. So. So I think these cyber tools, the cyber offensive tools are really sexy. It's like, oh, we're going to go smunch them. We're going to go after them. Are you going to have a letter of marque? A letter of marque. That's private sector, which I'm totally against. But if you go down that path, first of all, it's not a silver bullet. It's like one arrow in the quiver of things the US government can bring to bear.
And maybe it's justified in particular instances, if, for instance, there's no traction in Russia taking action, then using those tools to disrupt those groups, maybe something we should do. There are limitations on that, though. If you're trying to take these groups down in a sustained way, these cyber operations probably are not going to do that. They're going to be episodic and they're going to hit them and they'll take them down and it might make us feel good for 20 minutes, but then they'll come back. So Chris, I wanted to ask why focus on cyber operations? Like, why not send in special forces? Why not hire the Russian mob, sort of the physical guys to come in? Like, we know that they're at this address, these ransomware attackers, so just hire some hitmen from the Russian mob so they can take them out. There is something the US tries to do, which is comply with international law. And that would not. So I think that would be off the table. You make an argument about Cyber Command when limited disruptive operations, and that would certainly be in keeping with certain aspects of international law. I'm not an international lawyer. People can debate that. But the worry I have about using those cyber tools, and I do think they have to be an option at least. And Australia has been, at least in doctrine, Australia has talked about using cyber tools to go after criminal groups. Is you also don't want to make the situation worse. So, you know, this could escalate and escalate and you have to be careful about that. Now, some people don't think escalation actually happens and attribution, I think, is over-hyped in this area. What I'm saying is non-repudiation. How do you target somebody? How do you get blame for an attack that you didn't do? Well, there's issues too. And my biggest problem with the sort of cyber operations is not when they're happening, say, inside Russia, where the groups are. 
But if you're saying, I'm going to target that group's infrastructure in the Netherlands. That I think we need to have more of a collective response than just relying on a unilateral response. So it is an attractive option. It is something we should seriously look at and maybe even use. And especially if we've given Putin fair warning and say, look, you didn't do anything. So we got to take some action because we can't allow our critical infrastructure to be there. And as tempting as it is just to send in the troops. I don't think that's gonna happen. And it'd be a problem to do it. The other downside about that all the way is the payback is a bitch part of it. So lots of bad stuff comes from the United States. You can imagine other countries saying, okay, well, self-help too, for us too. We're gonna take those out in the US. So you have to be careful about how that plays too. Now I have in my mind a vision of a family road trip with the little kids, like the siblings sitting in the back, like absolutely poking each other and banging, going, and when the parents like, don't make me stop this car and turn around, like, wasn't me. And it's like, I'm not hitting, quit hitting yourself. Like, why are you hitting yourself? Or like other little things where you start to go down, especially when we talk about attribution of like getting it to like, oh, okay. So this particular malware isn't gonna go after, if it sees Russian language on the system, it's not gonna attack that computer or it's not gonna do this. And it's like, oh, well that's a beautiful way to frame Russians. Let's pick it up. So I think that would get interesting. But I think Chris was, he kind of dissed attribution as being an important issue. And I kind of agree with him. No, it isn't an important issue, yeah. 
It's an important issue, but I don't think we're ever gonna go from attacks, well, not often go from an attack backwards to who attributed it, but we can do attribution from like, infiltrating hacker groups and saying, who are you attacking? And that gives them very reliable attribution because you actually talk to the guy, they say, yes, I admit, you know, in a forum that I know I did that attack, or you take them out to get them drunk and they told you everything. So going backwards from attack is hard attribution, just like focusing on cyberspace is hard attribution, but focusing on human intelligence, what the CIA is really good at, or the NSA intercepting signals. I think that's the path to attribution. Yeah, or money trails too. I mean, I think if it's a single incident, it's very hard to do attribution. If it's a class in time, you know, conduct over six months, much easier. And not surprisingly, the countries like Russia and China want 100% attribution and want you to show all your work. And that will never happen in the real world. You know, I was a criminal prosecutor. The standard is beyond a reasonable doubt. It's not 100%. You know, I hated it when ex-aerospace engineers were on juries because they wanted mathematical proof. You don't have that in real life. And so the reason the Russians use that, and they did this physically too, with Ukraine and the little green men, you know, they want deniability of this. And so we have to move beyond that and say attribution is a hurdle at times, but as you say, in the larger context, you can usually, especially when nation states, and criminals, you can also follow the money trail, what's the other part of it? Does anybody want to ask a question? We've got a little bit of time. I have seen that hand the entire time, so. Sir, go for it. I swear I did not plant him in the audience, but shameless plug for the company I work for. Continue. 
The fact that, yeah, I was gonna say, and so part of the question is how do we train, with attorneys, with other, the C-suite, the executives who are not technology experts. They aren't as soaked and steeped in this because they have the different business priorities or they have different training again, that different focus. So what are some of the things between adversary emulation tools that, we have ways to show, kind of put the dye pack in and watch it go through the body of like, this is what the ransomware is doing. How do you change that mindset? How do you get them to kind of refocus and acknowledge these are some of the issues to get to solve them? And the easiest way to say is this, like the fact that you have a panel at DEF CON of us sitting up here and yes, I'm surrounded by amazing technologists and folks who have been working to sell this, but the fact that I'm sitting here and that you have those conversations, you start that outreach, you start helping people be aware and engaging in a productive conversation of, hey, here's some of the stuff, here's some of the solutions, here's some of the training, you just need to know enough and connect those dots that you can start kind of getting things to again connect from the policy and the diplomacy and all of the other sides. I think you also go where the lawyers are and don't say ambulances. You go to general counsels' meetings. I mean, like I said, in a sense this is preaching to the choir because when we have cyber security focused meetings, people get that this is important. They may disagree on the solutions, but they get it's been important. But you need to cross over to the general counsels, the boards and others. And if they don't get it, you're not gonna have the same level of conversation, but you might do some tabletops and other things with them to try to get them more understanding because generally general counsel's gonna be, I just wanna avoid all risk. I don't wanna say anything publicly. 
They're generally of that ilk, but you can make the argument this is much more important. And one of the things we talked about in the task force was we didn't agree to ban ransomware payments. We thought you needed a glide path to get there, but we did say if you're gonna make a ransomware payment, you should report that. And that gives the government a better sense of the problem and gives them some chance of making some dent in it. And if that requirement was there, then general counsels I think probably would say, okay, well, we need to do that and we can more play ball with this. And if I can kind of put it in hacker terms, right? A lot of hacking is taking a system that's not doing what you want and trying to put it in a state so that it will take the arbitrary commands to do what you want. In this case, the arbitrary commands that we wanted to do is listen to us, right? I mean, start paying attention that this is serious and so that it's gonna stop happening and we're gonna stop having so many victims that our kids are gonna be able to go to school because they're not getting ransomware. And so as part of that, we are never gonna have a better chance than we do right now, right? The C-suites, the policymakers, the others, right? They know how bad this is, most of them. They've been paying attention, they've been seeing, they're seeing it on the news, they're seeing the president talk about it. And so we're never gonna have a better opportunity right now than to take them and put them in this state. They're gonna be listening more now than they have been. So let's take advantage of this moment. It's a teachable moment to get in there and do the kinds of things that they're gonna really listen this time and act. Rob, don't let it go to your head, but you raised a very valid point earlier. Not that time. Right, I know, I know, I hate you so much. 
In showing how, I think, going to the adversary emulation and showing so that it's not just ransomware, but okay, this was left unprotected and showing what exactly that meant and breaking it down so that non-technical people can see if, but for this, or this is what it actually means, because if you tell them, oh, we've been hit by ransomware, what does that mean? Like we can't get to our stuff. So I want to take this opportunity to disagree with all my panelists here. That's a shock, I'm shocked. And with the original questioner as well, because they started out mentioning technical debt, and that's something where we're all wrong, or you guys are all wrong. We have this, as consumers in the market, we have this prejudice that debt is bad and going bankrupt is bad. That's a horrible thing, we need to avoid debt. So the technical debt in our community is something that's bad, we need to avoid, we need to clean up and then all the problems are due to technical debt. But when you go and try to talk to the business people about this, you get no communication because they don't view debt that way. Debt is just capital. It's like when I start a company, I can either issue stock or take on debt. It's like either way it's capital, it must be repaid. Debt is not a bad thing. Even going bankrupt is not a bad thing. You know, it's a risk of business that happens. I diversify my portfolio, some of those companies go bankrupt, I don't care. So our problem here is not that they're not listening to us, is that we're not listening to them. That we're, we pretend like we're the ones with the answers and they need to listen to us and we understand the problem completely. But we're not paying attention to their business needs. We're just ignoring them completely. And of course they're not listening to us because there's just no communication that's going both ways. Get you next. 
Yeah, I mean there are a number of things we talk about that in terms of helping companies, we constitute having a place for them to go to see where all the ransomware stuff is like No More Ransom that's out of Europol, the website that the DHS has stood up and trying to create some incentives for them to do better. Those incentives haven't worked very well over the past 20 years. So we have to also figure out, well what else do we need to do? Do we need new incentives? Do we need tax incentives or other things? I don't know what the right mix is because as far as I can tell that hasn't substantially improved security. Now it's interesting the SEC, in terms of its reporting requirements could incentivize people to take it just because they're worried about reporting and that's sort of a coercive incentive in a sense. And so one of the reasons that I'm up here, so I wrote a history book about how nation states are fighting with each other in this space and one of my favorite quotes from that book was, few if any contemporary computer security controls can stop a dedicated red team from easily accessing any information sought. Right, yeah, we know that. We're at DEF CON, the red team's always gonna get through. But it means not just the red team gets through, it means the attacker has the advantage. Now that quote was from 1979. Lieutenant current, United States Air Force Lieutenant Colonel Roger Schell, yay Air Force veterans. And so since 1979 the attackers had the advantage. Right, so for 40 years, 42 years. You know on the defensive side, for those of you that associate with the defense, we've made no difference to that. Like think of the tens of billions, hundreds of billions of dollars, trillions of dollars we've spent, all of the patches, all the missed kids' birthdays, all the time that we've spent, especially on Friday afternoons when these always hit. So we've got to think, so to me, when I'm thinking on the policy, it's what can we do to flip that? 
So what can we do, so now the defender's gonna be having the advantage. And we look at quotes like that that says the red team's always gonna get through and we say, oh man, remember those days when the red team had it easy? They weren't having to burn zero days on every one. And so it's, I think it's a fabulous question. So what can the government do to incentivize? Like where can we encourage? Where can we enforce if it has to come down to that? Where can we enable? Right, where we just need to get great tools. So I love that framing of the question, thanks. Or do speed fire around here? So over here whoever's hollering. So the question was about, I guess you would call it externalities, that Colonial didn't have to pay for the, to clean up their attack, their insurance paid for it. So it wasn't them who suffered. But I think that's a, from a market's point of view of, well, but there's a, it's not an externality because they have a customer relationship with the insurance companies. So we kind of look to government to solve things that we can't solve as individuals with our personal interactions. Like we, pollution's a good example. Government has a role there because we pollute and no one experiences the costs. But most of our things are actually there's a relationship between us. You know, the insurance company has a relationship with Colonial Pipeline. And if they don't like what Colonial Pipeline did, they could raise the insurance premium. Likewise, Colonial Pipeline's customers have relationships with Colonial Pipeline. When they didn't get their delivery, they could have asked for contracts beforehand saying, you know, if you don't meet your delivery, you get fined. So standard of care can work with just in a free market contracts. So I think there's a list of things that the government can do because the free market can't. 
But at the same time, there's the list of things that the free market is actually perfectly capable and it actually is doing well in handling. So when we look at the incentives that government should do or the regulations, I think we should be focused on the things the market isn't already taking care of. We have time for one 30 second response to that. Who wants it? I just say, you know, yeah, that's part of it. But it's also the insurance markets already kind of discovering this that they're course correcting because they don't like paying huge ransom either. I mean, it's sort of a loss leader in the beginning because it's a new field but I think even they are stepping back. In that sense, I think that's working. But for those non-government incentives or disincentives or regulations to work, you also have to have some more transparency. So the reporting and getting things out there so that people know what's happening, I think helps that and helps those incentives work. To the extent that we're gonna work it. I think we gotta wrap it up with that. I wanna thank my wonderful panelists here. I'm so glad that we were able to solve ransomware today. You all deserve a hand, really.