
So, next up, Mr. Josh is gonna bring us home. Josh, thank you. All right, give yourself a round of applause for most of two and a half days of content. [applause] All right, so I'm going to try... the schedule is wrong. We don't want to make you late for upstairs. The Hacker Tracker kept changing our time block. Theoretically, I have an hour. I'm not going to take an hour. I'm going to try to get our exposition and discussion and synthesis of the two and a half days of amazing content done to give you 15 minutes to get upstairs. I'll happily talk to anybody beyond that, but we're going to try to keep this shorter than is advertised.

Okay. So, I'm Josh Corman. I founded I Am The Cavalry, and this track we launched 12 years ago on August 1st. How many of you were here for the opening on Monday morning? Some people were traveling. Okay, for those who were not here, I'm going to quickly play the two two-minute videos that we did during the first-year pilot of Undisruptible 27. Undisruptible 27 is very similar to the Cavalry, but it's a funded project, initially a one-year pilot from July to July, from Craig Newmark of Craigslist at the Institute for Security and Technology, a 501(c)(3) nonprofit educational institution bridging Silicon Valley to national security things. So I have been designing and driving the pilot to see if there's any there there. And the good news is there is. We just got... well, we'll get into some of the details, but we secured a lot of funding. So if you saw the opening, we talked about the hypothesis and theory of change for the one-year pilot, and I'm going to give a tiny amount of refresher in case you missed it. But most of this is going to be doing two things: explaining what the next two years of funded work is going to look like and the role that you can play in that, small, medium or large, and trying to synthesize the incredible insights we unearthed across our great speakers on Monday, Tuesday, and today.

So, let me jump to the videos in case you're wondering why the hell we are talking about 2027 so much. Here is video one. How many of you have been to a hospital in the last 12 months? How many of you think you might need a hospital in the next 12 months? Okay. Here we go. First one.

>> Picture a hospital. Picture your hospital. When was the last time you were there? Was it to welcome a baby into the world or to say goodbye to a loved one? No one wants to need a hospital, but when we do, we depend on timely access to care when and where we need it. Irrespective of cause, delayed
and degraded care for time-sensitive conditions can affect worsened outcomes and even loss of life. A 5-minute longer ambulance ride has a significant impact on 30-day mortality rates. Time is brain, where even an hour or a few could determine if you walk again, if you talk again, if you even survive. Now, picture your hospital. What if that hospital was not available to you? If your hospital was disrupted, where would you go instead? Is it across town, more than an hour away? What if they are also down? The chance is not as remote as you'd hope. Hospitals have become a top target of ransomware, cyber attacks that [ __ ] technologies in the vital path of care delivery. Worse, your hospital doesn't even need to be the one attacked to endanger you or your family. We've seen a 10-fold decrease in favorable outcomes for heart patients merely due to excess strains of a ransomware-affected region. Now, back to your hospital, back to your family. You and your family deserve better. If we want timely access to patient care and more resilience in the face of accidents and adversaries, we're going to need to advocate for ourselves. Now, as we head into an era of hybrid conflict with threats to water and power, these disruptions stand to get a lot worse. But we'll talk about that in another video.

Okay. So, some of you have seen that
once, some of you have seen that two or three times now. If you were lucky enough to see Christian Dameff yesterday, some of those studies were peer-reviewed studies by him and his team at UCSD and elsewhere. These are drafts. These were drafts done with our limited pilot budget to see: can we use creative arts and storytelling to meet people where they are, use their love language, avoid cyber jargon, and try to communicate that these are not merely HIPAA violations? These are public safety, human life consequences. Now, did you see how many raised your hand? I think from Grace's talk you saw that St. Paul, Minnesota was ransomed last week, right? I don't know what the current state of that is, if it's back up yet. How many of you have seen a news telecast from a big hospital saying we've been ransomed, and they give their press statement? Okay. What they'll typically say is something like, "In an abundance of caution, in accordance with industry best practices, we have chosen to shut down operations to contain the breach to protect your privacy." So, I hate this statement, and it is the muscle-memory reflexive statement. And the reason I hate this statement is the horses have left the barn for your data. The access necessary to encrypt that data and ransom you was sufficient to make a copy and exfiltrate it, and they often do. Moreover, most of you have lost your intellectual, I mean your healthcare data, plural times, and you don't get a new history. So I'm not indifferent to privacy. But what we did on top of that spilled milk is we self-inflicted a denial of patient care for minutes or hours, or the difference between life and death. And depending on how long you self-impose that denial of service, your cash flow could run out and you could close your hospital forever, which has happened a thousand times of the 7,000 hospitals we had in 2015. And I think Christian showed a graphic of 700 at extreme risk of financial instability, to close in the next 12 months. That's independent of cyber but accelerated by cyber.

Okay. So, some people... this is where audience participation with hands and comments is encouraged as we round this out. Some people told me this video is too scary. It's too much FUD. Some Congress people we talked to on both sides of the aisle said it's not scary enough. Some people said, "Who's this for?" Right? And we're going to have lots of stakeholders. So that was a really effective one for medical professionals, because then at the end of it we get to say HIPAA kills people. So if I had to describe what's the summary of this, it's that irrespective of cause there's a time-space risk for a denial of patient care and a location, and if you don't know your next proximal alternative care, if it's not reasonably close to you, we are advocating for the wrong things. It's not about your HIPAA. It's about your life. Right. That's in peacetime. Can I play the second one? Who thinks this is too scary? It's okay. You're not going to hurt my feelings. Nobody thinks it's too scary. We hate FUD. I hate FUD.

>> It's not. It's not.

>> So, some people think it should be more scary. Now, here's my attitude on this, and I said it last year, and I'll say it once more because I don't know if you were all here. We have to walk the edge of a knife. We have to be forthright. When there's a hurricane coming, FEMA and national security and public safety people do not say, "Well, the person in the Panhandle, Florida can't do anything to stop the hurricane. Let's not bother telling them, right? It is scary. It's going to do harm." You can't just infantilize them and leave them out of the equation. They are stakeholders in harm's way. So, what do you do? I think the more consequential something is, the more forthright we have to be. You cannot exaggerate it and you cannot downplay it. You've got to be honest. Tell them what you know. Tell
them what you don't know. Answer questions. Yeah.

>> The thing that I did not get from the first video was that it could happen. The thing I got was you should have a backup plan, but we should all have backup plans for everything. If my vet closes, I'm gonna need a backup and find one. So...

>> That's what I... Yeah. The other thing is we don't believe any single video is going to work. The original thought was we're probably going to have three videos, two minutes or less each, per stakeholder type, and they may not have the same nouns and verbs. So the types of stakeholders we're looking at are owners and operators of water or power or hospitals; local leadership like a city planner, town selectman, CIO for the city; helpful hackers (how do we help the helpers be helpful, like you); ultimately everyday Americans, but not yet, way too premature for that even though we're running out of time; and probably some state-level emergency management type people and public policy people. So we're going to have maybe two dozen, three dozen of these things, and they're going to have to be attenuated to the risk appetite, and they might have to start like boiling the frog: less scary, a little bit scarier, and then much more motivating. But let me play video number two, which was the first one we started with. So that was a peacetime truth, that you are already suffering from severely diminished patient care right now just due to the state of healthcare and late-stage capitalism. But here we go. Ready?

>> We are too dependent on undependable technology. The systems that we rely on every day for everything from water to food to power and emergency medical care are subject to escalating harms by accidents, bad actors, and nation-state adversaries. These attacks could quickly move from disruption to destruction. For example, an intentional water hammer that abruptly stops or reverses water flow, sending a shock wave through the system. Attacks on our water systems would be devastating, not just for lack of access at home. No water means no coffee, no toilets, no laundry. No water also means no hydrants to put out fires. No water means no healthcare. The hospital can't run without clean water. No water means no sterilization, no surgery scrubbing, no laboratories, and eventually no access to life-saving care. Our dependence on connected tech has grown faster than our ability to secure it. And there is evidence that foreign actors are already weaponizing these vulnerabilities. But who would actually do this? In public hearings, Congress and US government cybersecurity leaders have warned the public of Volt Typhoon, an ongoing campaign of successful attacks on US water facilities led by a People's Republic of China state-sponsored cyber actor. But China is not the only aggressor. We've seen cyber attacks on our water systems from Russia and Iran. These attacks pose a broad and unrelenting risk to critical water infrastructure and could escalate to large-scale destructive attacks on our water systems as early as 2027. The good news is we have time to make changes. We must strive to make our lifeline basic human needs undisruptible, and where we cannot, ensure that our communities are more resilient under fire. This means divesting our reliance on connected technology, better securing our existing systems where we cannot disconnect, and ensuring analog solutions are in place when those systems fail. If this sounds overwhelming, remember: if you can't afford to protect it, you can't afford to connect it. Undisruptible 27 will prioritize the safety, security, and resilience of three lifeline basic human needs, especially at the local level.

>> Okay, that's video number two. This is what our theory of change was hinting at for the first year. We have to blow up and start over our theory of change. But I'll get to that in a minute. Any hot takes, reactions to what you just saw? Like it, don't like it, more this, less that? You in the back. I'll repeat it for the camera.
>> ...access.

>> Yeah.
Okay. A couple things, to repeat that for the camera and people who couldn't hear. Like the water focus, especially given what happened in LA. Water was a big problem, both for putting out fires, although mostly that's not how we put out fires, and for people who needed water. I knew that water would be a weak link in the chain. It is absolutely the weakest link in the chain. What we've come to realize, and I'm going to show a little bit more how we've changed our theory of change: this video was made mostly by building trust and empathy, meeting water engineers where they are, partly people like Dean Ford, who presented here the last two years and attended the third year before it. You saw yesterday with Andrew and Ginger, we really tried to meet them on their turf, have them teach us what's the worst that could happen. I didn't know what a water hammer is, but now I do. And it's not the only thing they're concerned about. It's just one around which we can tell a really compelling story. It's just a property of physics that can happen with the access that Volt Typhoon already has, could do significant damage to water mains and the like, and would be motivating. And if there are reasonable mitigations to that particular storyline, and maybe others similar to it, then we can say something scary combined with something actionable and tangible and realistic: not cyber up, but engineer down some consequences. Really common-sense and familiar things. So this was not for you per se. This was for the water engineers, but we're going to have to make permutations of flavors. This is Blake.

>> Yeah. So one key element that we need to remove from this video is time to prepare, which has not been shown to be linked with a preparedness activity. But to build on what you're talking about is the ability to prepare. Like, we're showing the risk, and then let's go to that solution-oriented approach where we're talking about, okay, let's talk about some solutions like the Idaho National Labs with consequence-informed engineering or other stuff like that that'll help our water utilities. They see the risk you're explaining. Honestly, the explanation of the risk is incredibly strong. The next part is, okay, what's next? What do I do now? And then you don't have time to prepare. We've got to just remove that entirely. Not to scare the bejesus out of these people, but that allows, "Oh, well, I can do that mañana."

>> Yeah, there's a lot of changes we had to make. So, when we did this, it was on the cheap, with initially some pro bono work. We eventually signed a statement of work with them with the table scraps we had left from year one.
We did just get a big surge of support from Craig for the next two years, which I'm going to talk about right after this question. Right. Go ahead.

>> I just wanted to follow up on my comments on the previous one. The thing that I felt was missing was exactly the first thing I saw in the second watch, and it's the first thing you say here: we're too dependent on undependable things. So that's...

>> Yeah. So I mean, if you can remember what he said the first time and the second time, the reason we started with this second video, and what we found, is no one found it personal, and the attention span is too low to say everything in one video, although we're about to try, but it's not going to work, I don't think. So what we ended up doing is saying, okay, what's something that I can relate to, whether it's just normal ransomware or just normal "the hospital closed because we ran out of money." That's acute. We've already gone from 7,000 to 6,000, and then ransom's making it worse. Well, what if water disruptions could just be the knockout blow? And what if it's not just yours? You'll get ransomed. You can drive an hour away. What if an hour away is down because of the same water hammer or something else? Okay, so this is going to get very nasty very quick if it happens. And we have bipartisan agreement on that. We have White House agreement on that. We have Department of Defense agreement on that. Somebody sort of outed, maybe suggesting that he saw some DoD slides that took stuff from ours. So no one's disagreeing that Xi Jinping has said he wants the PLA, the army, to be ready to take Taiwan as early as 2027. What we're debating is, will it be 2027, '28, '29, '30, mid-'30s. No one's debating he said he's going to do it. No one's debating that he said, or they said, if the US interferes they will retaliate, and one of the retaliation prepositionings is Volt Typhoon. You probably heard Salt Typhoon more, which is espionage and spycraft and considered fair play for spycraft. An army putting digital remote detonation charges in civilian infrastructure like water is outrageous. So have they hit the button yet? And the one thing I'm going to change in that video for sure is: they have not had successful attacks. They have had successful compromises. The attack would involve a consequence. So I don't like the sword of Damocles over every one of our water facilities' heads. I don't like it and you shouldn't like it either. And we should not persist at the appetite of our adversaries. And by the way, they said if you interfere with Taiwan, we're going to wreak chaos. The other part is we have to interfere.

So, I'm going to go fast through a couple slides and then we'll get some more discussion. Okay, it's not going to be easy, and there are tone challenges. We might have to make a super scary version and a less scary version, and we're going to have to figure that out. But I want your help. This is an invitation to get in the Slack and help. Okay, I've been saying some variation of this since we launched the Cavalry 12 years ago. But it's really about overdependence on undependable things, and we should right-size how much dependence we have to how dependable it is and to consequences
and that's not what we do. We put 15 gallons of [ __ ] in a 5-pound sack. In normal engineering we would never do this. You know, you have to rate the bridge for the load that's going to go across the bridge. You're going to rate the skyscraper for how many floors it has, maximum occupancy. We've thrown caution to the wind under our digital infrastructure. It needs to look a lot more reliable, like steel and concrete. So this is a slightly modified version of an internal doc I gave to tell the think tank what we did. So in the pilot year, some success factors were empathy, empathy, empathy, which is the heart of the Cavalry from day one. You know, coming out of the grief of my mother's death, I realized my woundedness was not a liability. It was enabling authentic human connection I had never encountered before. So we had to find a way to build empathy muscles. It's not like you have it or you don't have it. It's a muscle, and we were puny weaklings on empathy. So now we're like big strong empathy people in this room. Okay. And that muscle gets stronger with effort. We had to make stakeholder-specific love languages. This is more about storytelling than anything else. We had always in the Cavalry said be patiently impatient. The real challenge this time is it might be urgent, and a year and a half left for what we know, but the person we're talking to heard it for the very first time today. So you've got to have a way to get them on board before you overwhelm them. So it's a lot by feel. I'm not going to read every single thing on here, but we had like an hour conversation on just this slide alone. I've kept some deliberate imperfection. One of those bullets there I will touch on: people that feel like they've contributed to something. Not only is it expensive to get re-edits every single time, so I'm going to batch them, but it's also the more people we hear, the more nuance we get, the better the story gets, the better the script gets, but also someone says, "I helped with that video." Right? You get a shared sense of ownership. If we tried to make it too polished, it may look like a sales presentation. Well, you actually like the rough cut. If you've ever heard Craig Newmark speak, he doesn't like super polished things. He doesn't like big words. He doesn't like policy speak. He doesn't like white papers. He wants: how do you talk to everyday Americans in a way they understand and will act upon? So we've been trying to keep this deliberately rough-edged.

Okay. We launched here last year in the Cavalry track. A Wired article did a launch piece that was very effective for opening doors. We basically said, "I'm worried about more disruptions, larger disruptions, longer disruptions, more life-saving disruptions from accidents like CrowdStrike, that had just happened a couple months earlier, or adversaries that want money, but what if it gets already unsustainable for my neighbors? What if it gets to weapons of war, which it will as early as 2027?" The pilot couldn't chase everything. So let's say not just are these four lifeline basic human needs more important than banking or other stuff or IT or Angry Birds; they are the things that keep us from being Lord of the Flies, but they're also highly interdependent. So the pilot said, "Let's look at the interdependence between water and emergency care." So back to Maslow's, it's just the bottom, the stuff that keeps us from being Lord of the Flies. I'm not worried about continuity of the economy for this project. There are plenty of people that care more about continuity. I'm not worried about force mobilization, which is a fancy word for can we get our tanks to the country we need to fight in. Someone else needs to be... I'm not doing that, and it's interesting when we overlap which national critical functions both of us need, and it's non-zero. But we said let's do these specifically in the first year: water, wastewater, emergency care.
And then, if we got more funding, we'd weave in power and food supply. Hence why you heard some talks on all four of these domains over the last two days. And the staged idea is because this is heavy and disruptive and confusing and scary, and no one wants to be the villain in the story. Everyone wants to be the hero in their own story. We're giving each stakeholder group upstream a couple months of engagement to go through their five stages of grief and get their footing and realize "I can do something about this." So, I'm going to go to the owners... I went to the owners and operators first, like the water engineers, before I go to city hall. When they go to city hall and they freak out, they're going to call in water. They're going to call in power. They're going to call in the hospital. And you know what? They're going to get good answers, competent, confidence-building answers, because we gave someone a chance to win. And I'm just going to do the same thing after that to go to everyday Americans. And like I said the other day, Bryson does not want me to go to everyday Americans. Some of my friends have good reasons why they don't want me to go to everyday Americans. And maybe I don't have to, but I'm pretty sure I'm going to have to. But I'm willing to not do so if we can solve it without them. So it becomes a forcing function that when I give five questions you should ask at town hall, the people at town hall know what those questions are and have good answers for them. So let's give everyone a chance to orient and succeed. That last row is you. We want to help the helpers be helpful.

One of the cool things we learned is the highest consequence failure is a water hammer, for example. And this is something that, especially in the nation's aging pipes that are way past their expiration date... the 24-inch main, I think, is that one, maybe 36, but they can get as big as 48. It's a lot of force and water. You don't always get to pick the time and place of where the burst happens. There may be more than one burst on more than one pressure zone. Think of this like a circuit, and you might have circuit breakers. So I had to learn a lot about this, and we learned it because of the empathy. Back to the point about hospitals that Ry was making: an individual hospital going out could hurt you and your family. But you might have one that you can drive to, but not when everybody's water... no water, no hospital. If you didn't get the stickers, hold up the stickers. We have "no water, no hospitals, no kidding" stickers. And we have the water hammer sticker so that you can remember how to spell this thing and how to get involved. So if you want to fight a water hammer, do you add cyber shields up?

>> No.

Maybe, but probably not in the next 12 to 18 months. The time to prep for that was a long time ago. So, thanks to the great work from Idaho National Labs... raise your hand, did anybody see Ginger and Andrew yesterday, Monday, in their talk here? Amazing, right? Did anybody go to their free 4-hour training on how to do cyber-informed engineering? I like to call it consequence-informed engineering. Free, applied to water. Anybody go to that? I heard some people over the moon yesterday at the bar. They loved it. We're going to do a lot more of those together over the next 12 to 14 months. The idea is don't add cyber, engineer down consequences. You're going to be hacked. You're going to be compromised. The punch will be thrown. Can you take the punch? Not can you restore and recover. Everybody says resilience is, well, you're going to get knocked down, how quickly can you restore and recover? When it's a ventilator and the patient dies, there's no restore and recovery. I don't have resurrection powers, right? If there's a burst water main, the restore and recovery is replace a water main, which could be a couple days or a week if it's the only one in the city or the town or the county. But when they're everywhere, good luck being first or second in line to get all those repaired. So the notion that we could just recover quickly from a backup, test your backups: no. When it comes to OT/ICS and this kind of stuff, it's prevent or absorb. It's not recover. So we talked about engineering consequences. The circuit breaker in your house is what allows a spike of power to not burn down the walls. We can make similar things, and we talked to engineers about, if this is the worst case, are there available, familiar solutions? And the answer was an analog pressure sensor on the pressure zone in the hospital that knows it's never supposed to be above X psi. If it sees it goes above that, we'll have a physical wire go to the pump and shut it off: not through the hackable ICS and SCADA systems, but just a physical kill switch. And yes, it's a temporary denial of service, but it's not an explosion of a water main on the pressure zone for the hospital. Can't do it everywhere, maybe, but it was like $2,000, $10,000. You have to do some planning and testing and maintenance for sure. I'm not trying to trivialize that, but there is an available countermeasure for that thing. There are other scenarios our adversaries could do that that wouldn't work for, but that's why we're trying to teach CIE. We talked about ways to do this at RSA. You saw some of that Monday if you were able. Grace Menna talked about volunteering, and one of the ways... a lot of us, I'm helping to advise this thing. It's called the Cyber Resilience Corps, C-O-R-P-S, not C-O-R-E. It's getting its legs. It's probably not going to be at its full intended fighting force by 2027. And if you get on there you're going to see most of these ways to volunteer are not consequence engineering or cyber-informed engineering. They are mostly privacy things, website hardening things, but this group can and should
put out a shingle for how to help on water or power or whatnot. So, we're already in communication about setting up our intake. In fact, I hired someone who started Monday while I was here that's going to be managing most of the community intake and actions. [sighs]

We did Critical Effect with Bryson Bort. Bryson Bort had a conference called Hack the Capitol. Sounded like we were attacking the Capitol; it was going to be its eighth one. And because people hated the name but loved the ICS/OT content in DC, I said, "Let's merge and join forces." Undisruptible's time-sensitive focus and mission on target-rich, cyber-poor owners and operators of water, power, access, emergency care, food supply, and give homework to all the speakers that we want ways to buy down risk in 12 to 18 months. No more navel-gazing, no more 10-year cycles; like, what can we do now? So, we invited way more owners and operators and got a ton of water content, and many of the speakers here were also there. One of the things we announced there through Craig Newmark, it's a little blurry, is he liked the mission, he liked the pilot's results, we needed to change our theory of change, but he committed $3.2, $2 million over the next two years for a very specific plan of action under a new theory of change that I'm about to
outline. So, we didn't want to build a bridge to nowhere, but now that we have gas in the tank and a refined theory of change, it's time to go. So, what is that going to look like? Notice food's not on there. It's not that we don't care about it. There are things in the center of the bullseye and there are things that are going to be adjacent to the bullseye. But we think teaching people the muscles of CIE and multi-stakeholder planning will radiate outwards. Some of the pictures I'm going to show you were given to me this morning, so I haven't even really stitched together the narrative, but that's okay. So what do we got here? I have a hospital at the top. Let me try to make this a little brighter. There's a hospital at the top. The center of our bullseye for the next path forward is: the highest consequence failure is going to be a denial of patient care for one of our 6,000 communities. So that is the center bullseye. How do we make sure none of our nation's hospitals go down? In order to do that, we think the weakest link is likely the water. So we're going to convene water owners and operators, probably a water hammer. It's also power, and it's also going to involve both that town hall or municipal leadership and probably Blake-type people, emergency management, incident command center people, public health officials. So we have a five-stakeholder cell that we need to make sure that we inform, influence, inspire. Initially the theory of change was we had an information gap. No one had heard of this. If we just tell them, they'll go fix it. Nope. We also have a motivation gap and an enablement/empowerment gap that the new theory of change will bridge. Don't read this all. You don't need to memorize this all. But after back and forth and back and forth and back and forth across the Cyber Civil Defense network and Craig, it kept getting more and more confusing to people. So, I just did this run-on sentence that finally got us somewhere, to a new place, where I said, "We can prevent losses of American lives by getting on the ground with a dozen hospital communities, helping them blunt the worst punches China can throw at their water, plus run regional exercises and demonstrations with these stakeholders, record and amplify their voices and stories to their peers, and then ensure these strategies can scale nationally within available time and resources." Dot dot dot. And if you saw Grace's talk, dot dot dot, and then create more awareness and demand for many of your other funded activities. I actually don't want most people to avail themselves of the Cyber Resilience Corps offerings yet if they're in these lifeline critical infrastructures. Before we go into cyber, I want to make
sure we can take a punch. And then I want to hand them to initiatives like Defcon Franklin which are also doing water that can help with initial crawlalk run on cyber mitigations to maybe make it less likely to be hit maybe but probably not against the PLA probably not in the 12 next 12 to 18 months. PLA is the people's liberation army. So [clears throat] so the bottom line is real world action to help hospitals and the water systems that they depend upon to protect their communities and then we're going to show what works so others can follow. We believe the best ambassadors for change will look and talk and dress like their peers. So,
it's not going to be me or somebody in Washington. It's going to be somebody wearing flannel and Carhartts talking at their conferences to their peers about this is what we learned. This is the feel, felt, found before, during, and after. We tried this stuff. It worked. You can too. Okay. And again, storytelling and meeting people where they are. So, there were four or five aspects to this. We're going to work directly with communities, a dozen. We'll talk about that visually in a second. We need to capture and share their stories in various methods. We need to anticipate scaling risks. When I ran the CISA COVID task force, we weren't supposed to do non-cyber stuff
initially, but we were really good at cross-sector cascading failure type things. So when we knew that the initial batch of Pfizer vaccine needed ultra-cold refrigeration and there were only so many ultra-cold refrigerators in the country, then we had to find an alternative platform like dry ice, and dry ice is normally abundant, but it's a byproduct of gasoline enrichment, which no one was driving, so we didn't have any of that. So we had to get really, really creative about even if we have this pressure sensor arrestor that's 2,000 bucks, what if there's not enough parts? What if there's not enough technicians to install it? So we want to innovate narrowly with these pilots and then
replicate widely, and that may require pretty interesting cross-sector supply chain analysis and mitigations, which my team had a great experience doing, and I just recruited someone who left CISA to help me as one of my hires. Okay. [clears throat] Um running hands-on cascading failures. Sometimes you got to blow [ __ ] up. Uh, if anybody ever seen the Aurora attack at Idaho National Labs, the diesel generator. Okay, it unfortunately got eclipsed by the Google Aurora espionage campaigns from China, that everyone conflates the two. Uh, I don't know if you know this, but that Aurora attack at Idaho National Labs was the inspiration for a uh Democratic congressman from Rhode Island named Jim Langevin to found
the cyber caliphate with bipartisan sense, not cyber caliphate, the cyber caucus. Uh, [laughter] sorry, Jim. Uh, you might recall Jim and Will Hurd were the first congressmen to come to Hacker Summer Camp uh at DEF CON 25. Beau and I brought the two of them as a delegation from DC to DEF CON uh to build trust and build work. But Jim started the cyber caucus in the House, then was the driving force on the bipartisan Cyberspace Solarium Commission, which passed most of the positive cyber we've seen. And the wind beneath his wings in a lot of ways was Nick Leiserson, one of two congressional staffers with a computer science degree back when I went on the Hill in 2014.
The other one you've met before was Jessica Wilkerson, who ended up at the FDA eventually. They had been a force of nature standing up things including the Office of the National Cyber Director, where Nick was the first hire, and now Nick works on Undisruptible. So we're really happy to have Nick as well. But one of the things we have to do is show people that a failure in the water can cause this problem, can cause that problem. And that might mean going to a military base or a national lab or something like Plum Island and blowing some stuff up. And storytelling sometimes includes media. So we'll talk about media in a minute, and Congress. And then we want to build
on-ramps to all the great cyber core event, you know, cyber civil defense network and the Cyber Resilience Corps volunteers, because they do need cyber as well. We just have to live to fight another day and avail ourselves of that. So we pitched some metrics of what are we going to do in the first several months, and one of them that you've already tasted is the train-the-trainer workshops for consequence-informed engineering, which is really called cyber-informed engineering. Like I said, I'm deliberately blurring those lines and Ginger has given me some dispensation to do so. Okay, so the changing theory of change in my last couple minutes here, and remember I could
talk all the way up till the um keynote, but none of us should miss Casey's keynote. It's got a lot of heart, um, pun intended, but theory time, theory time, theory time. If you know heavy spoilers, we thought we had an information gap. We also have a motivation/enablement gap. And I didn't want to get on the ground with 12 communities for a couple weeks at a time with a pretty big, expensive entourage, but we're going to have to do it because we want to remove every single excuse. We want your senator or your congressman to have nominated your town, for example, and put pressure that, oh, we better do something to look good for the
so-and-so or whatever. And then we want to pay for, if we have to, some of those small engineering mitigations as we create recipes and playbooks and document them, capture the stories before, during and after, not just the facts but the feelings and the belief structures, and then we're going to replicate those. So we have to pull the thread on all three. So that's innovate narrowly. So what do I mean by that? Let's take the water example because I really bound the pilot to water. 151,000 water plants across these United States. 50,000 of them service homes. 6,000 of them touch and support hospitals. And I'm picking 12 of those. And I need your help nominating them
because we need to cast a wide enough net to not miss any edge cases. So, see these little tiny specks? They'll probably be more visible if I share the deck. These are 6,000 hospital communities. Um, I'd like to say they're blue, but they're more likely not blue right now. Almost none of them have... only 650 of those 151,000 are part of the ISAC. We have a 4% participation in the ISAC. None of them have mandatory cyber controls like NERC and FERC for power. I don't know how many of them serve a hospital, but probably a much smaller number than 650. So, if this is the current idea, we want to pick 12 of them. I have three picked
already. Might not tell you what they are. We're going to nominate them. We're going to pick some red and blue states. We're going to pick at most two cities. It's mostly going to be urban, suburban, rural, and unique environments. [clears throat] That could be topography that is unique, like a flood zone. It could be strategically important, like this water, this river goes to supply these things at these points. It could be near a port, a major port for the US. But we have to pick 12 that surface anything we've overlooked as best as possible. And if we are lean, maybe we'll do more. And if people want to make more cities, maybe
they can add more fuel. We thought the information gap was the only thing. So you can fix that with education. But we have a motivation gap and an enablement/empowerment gap. So the assess phase is when we get on the ground with those stakeholders, we're going to experiment and fuzz this and co-create. I could give them a solution. I'd rather we make one together. So there's buy-in, participation, ownership. We might be educated by Andrew's new book on CIE for water. Uh we might come up with new recipes because those aren't practical in some of these edge cases. We're going to capture those stories as many ways as we can: interviews, film, uh long-form podcasts, um short social
media things, um 60 Minutes-style exposés, and then, once we have things that work, we have to replicate in probably the next 9 to 12 months after we've gotten what we think is diminishing returns on those. If we use those beachheads of these 12, we can then replicate to the other 6,000 hospital towns. And then someone's going to say, "Well, I'm not a hospital town, but we have dialysis centers or we have a data center or we make 40% of the country's supply of medical oxygen. We need it too for oxygen." I agree. Uh you heard yesterday the really uncomfortable talk uh about AI data centers might be
more important. I talked to someone who did an international exercise. And I said, "Did you guys restore the data centers first or the hospitals first?" And they said, "The data centers." And I said, "Okay, do you restore the data centers or the this first?" Like hospitals were not in the first four answers. So I would like to think we're going to keep our citizens alive. So far, none of the exercises I've seen have prioritized hospitals. And if you don't like that answer, we have to do something to change that answer. They might be right, which is what I'm wrestling with from the amazing provocation we got yesterday on stage, first talk. Go watch it.
But we're really entangled. So the time to have these conversations is now. But I'm going to go to those 6,000 hospitals. And then I want, if you ever saw the Per Plus commercials, cuz I'm really freaking old, I told two friends and they told two friends and they told two friends. So maybe instead of a top-down regulatory push or government push from a very politically divided country, each individual community that wants themselves safe starts and innovates, and then we use things like the National Governors Association and NASCIO and Nachio and Blake's conferences to give people not just problems but problems with effective, proven solutions and testimonials. Okay, so this is the heart of the team.
This is the minimum viable team. We're going to make as many of them as we can. Uh we want to go from really prone to at least safer for the 6,000 hospitals. There's a couple reasons for that. The replicate widely. Um when we did the CISA COVID task force, we only had 6 months to fix some of these target-rich, cyber-poor. Um we had 66 ball bearings, we called them, but they were small, unguarded, weak links in the vaccine supply chains that had three IT people, zero security people. You could sneeze on one of them and you'd have a lot of dead Americans because they were the sole-source manufacturer of something required for seven of the vaccine
candidates. So we did practical things like get your [ __ ] off Shodan, um, just fix the KEVs, do a nightly scan for free from CISA, just fix the KEVs. KEV was not published prior to this effort. What are the bad practices? Screw best practices. What are the bad practices? So that's why, even before we do those, we're doing the consequence-informed engineering or cyber-informed engineering. As we get these stories, everybody's got a podcast, right? So, I'm sort of kidding and I'm sort of not. We might want long-form empathy building, harmonization of terms with water operators, with hospital leaderships and nurses like Dena from yesterday. We might want to capture these, slice them
up, and as we get a really good story of what is a water hammer after all, then we make the animated explainer that comes out of those long-form conversations. And if you want to listen to one bit, you do. One segment, you do. All of it, you do. Um, but we're going to capture those stories. We're going to animate the things that matter. Um, with a dozen communities of really motivated ambassadors, guess what? We have, on a silver platter, a segment for something like a 60 Minutes or a Nightline or whatever. So, when we do want to go to every American, we can bring something super scary and super manageable. Part of the reason to do that is we also
want to have readily available witnesses for Congress. Not that they're going to do a lot to help, but they can convene and help us amplify with a bully pulpit. And there's a stretch goal. I'm not a sportsball person, but I've heard that once in a while, maybe I used to play sometimes, a really easy-to-catch pop fly, and people don't catch it. They stumble. They hesitate, or they crash into each other. You know, maybe the confidence and the brazenness of our adversaries to throw this punch could be, oh, maybe they could take the punch. Maybe we don't throw the punch. Or maybe our boss, we want to throw the punch, but our boss won't let us throw a punch.
So, you know, maybe if we're really, really lucky, we can also cause some hesitation. I'm at 2 minutes left. So, the one thing I'll do in a rapid fire, maybe I'll take a few more minutes, but um let's go through what we talked about in this track just to remind people. And if you didn't see them, great news is we recorded them. So, here we go. We opened up with what is the Undisruptible concern and asking you to be comfortably uncomfortable. We even had a guest appearance from Bryson to talk about the doctrinal philosophy of how China specifically conducts all unrestricted warfare and what they hope to accomplish with something like Volt
Typhoon, which is both a deterrent to keep us out of Taiwan, which we won't. It's to undermine public support for our intervention, because if we're all starving for water and food and Lord of the Flies, we may not support continued intervention. And it's also to delay, degrade the mobilization of tanks and war-fighting equipment, which this would absolutely do. So, we set the table. Then, we had a 2-hour water block. Unfortunately, Dean could not come as a water engineer. He was dealing with an actual water crisis. But luckily, we had resilience and tolerance and had incredible presentations from um Idaho National Labs, Ginger and Andrew previewing his book and also both of them previewing their 4-hour free
training over next door that many of you were able to take, uh, and you will have additional chances in the future to take. In the afternoon block, we talked to Blake and Scott about ICS, not industrial control systems, but incident command systems, NIMS, the National Incident Management System, and maybe ways to look at uh bidirectionally learning from each other. But what I really wanted you to take away from that is if you want to help right of boom, you have to learn at least those two courses they talked about. You have to learn their language. You need to snap into their crisis management. All crisis management is local, and you will be ignored if you're not prepped and
certified or credentialed prior. So if you want to be doing that, start the process now. And we'll have much more from him and others later. We had an EMT and emergency 911 folks give us a presentation on cascading failures. And then we ended the day with, in my opinion, too short. Uh it left me wanting; I loved it, but it left me wanting more. But an overview of Meshtastic and LoRa and other alternative communication technologies you could use if the phones go out from Salt Typhoon, if the landlines go out, which they almost certainly will. So what are ways that you can now play with cheap technology to have non-zero comms with each other and with
maybe the water plant and the hospital you wish to help? Yesterday we started with the power block with a really uncomfortable, if this was the 101 on how screwed we are, they took it to level 800, and I still have to digest a lot of what I felt and then process during that. But they're basically saying, don't just look at the 10 pounds of [ __ ] in a five-pound sack we have now, because we're rapidly building AI data centers with massive power demands, massive water demands, and economic prioritization above and beyond our own concern of these cohorts. They don't even need to be attacked to cause denial of patient care just from
how dynamic and chaotic the loads and unloads can be. So, watch that. We then had an amazing two-hour block on healthcare. We also had uh Joe Slick talk about ransomware as the canary in the coal mine to show us some of how disruption can happen from a nation state but at a wider scale. We had a two-hour block on healthcare with Dr. Christian Dameff, who helped start uh CyberMed Summit. He's been coming to DEF CON since he was a teenager. Uh nurse Dena Carile, who was one of the victims of the Ascension Health multi-state outage and McLaren Health and wrote a demand letter on how nurses need to be trained and how you have to adjust nurse
to patient ratios to keep patients safe under fire, and Beau Woods from day one of the Cavalry. Um always worth watching, but I was really excited to see two things from Christian that we had not heard before. One is um his cyber crash cart way to assist a single down hospital. You can see how amazing that could be. But also we're not going to be able to do it to all 6,000 concurrently. So it's a great idea that we might need to hyperscale faster. And he also looked at their ability to notice the impact of the CrowdStrike outage on at least a third of the nation's hospitals. They were able to study it in great detail. So
please watch that if you haven't. We then did Hackers Kind of Like to Eat with a different Andrew, uh, and we were able to do it uh over the inner tubes, and um Curtis from the Bio-ISAC, which is not the Food ISAC or the Healthcare ISAC, catches the things dropped by both, um, and he both showed some of the national security cascading failures for the nation's water and food supply but also, uh, much like David's talk this morning, some thoughts on your own food resilience at home. And then today we started with how can you volunteer? Oh, no. We added, uh, at the end of the day, we had end-of-life devices should not lead to end of
life for humans. And we took some people that are looking generically at IoT policy, end-of-life support contracts, uh, and things like that. But then we asked them to say, can we look at obsolete, end-of-life, unpatchable devices in water and power and hospitals and maybe use that as a crucible to finally get some of those policies across the finish line, much like the Cavalry did to get the PATCH Act passed into law for medical devices to have minimum cybersecurity hygiene even though almost nothing else does. So we went really narrow on a life-safety thing that can now be replicated uh to other life-safety things, and we're hoping that that
stimulated some conversation. And then this morning Grace graced us with her presence on volunteerism, both through cyber civil defense, Cyber Resilience Corps, things like I Am the Cavalry and Undisruptible, and we are in fact asking you to volunteer in some way, shape or form. It's like Fight Club: you choose your own level of involvement, but there are many levels to this, and now we have a community manager to help us do it. David gave you some preview of here are the people in your neighborhood and what you can do. And I'm trying to bring it home that these are hard. They're uncomfortable. We have little time. We might get a bonus year or two. But we're
going to have to learn storytelling, empathy, pick these 12 cities. The first three are going to be messed up. We're going to make tons of mistakes. But please nominate something in your state or where you grew up and why. Uh because we're going to go really quickly into the selection process, like maybe as early as the next 2 to 3 weeks. So, this is your invitation to join the Slack. Uh because no water, no hospitals. No kidding. Here's the sticker for the water hammer. We're going to make more stickers. This is just this batch for this time. We do know we're going to need introductions and help through things like the National Governors Association, State
EMS, and CERT. CERT is not computer emergency response. It's community emergency response. They wear a green hat. The CLTC communities, different universities, already have a footprint. Those will give longer, deeper trainings to fewer people, but that could be one of the arrows in our quiver. We're going to do some demonstrations and exercises. And we also know the insurance industry has to play a role. So, I've been helping CyberAcuView, which is a consortium of the top 20 underwriters of insurance. We probably need to do a concerted effort on specific bad edge devices that we know are already implicated in Volt Typhoon. So, if your community is using them, we probably need to replace
them with something better. Uh, secure by design, secure by default. And I'd like to think this project can nicely add secure by demand, because nothing done today to make a better device is going to get there in time for now. But what we can do is make these water plants beg their current suppliers to do something to ameliorate their legacy risk. So there might be a nice opportunity to team secure by design and secure by default to do secure by demand. Liability has been on the table and not existing. But this could be the thing that finally gives us software liability after 354 years of not doing so after the 25 machine. And just like
Operation Warp Speed, we may see a named operation, and people in this room might be called to serve to make sure the national security, public safety needs are there. This barcode, which no one should ever do, QR codes, right? Um, we'll get you to the Undisruptible 27 site where you can get in the Slack, and that's currently the intake for our volunteer platform for how you can say what you're willing and able to do and where you're willing and able to do it and for how long you're willing and able to do it into the Cyber Resilience Corps platform. It's hammer time, folks, because we are overdependent on undependable things and the wolves are at the door.
They're in the house. So the cavalry is not coming. I thank you for your time for the last 2 and 1/2 days. I hope that you go upstairs to be inspired by Casey. I hope you had a wonderful time besides Las Vegas. I hope you enjoyed the 12th year of I Am the Cavalry, and you can go back and look at the entire back catalog if you like. And I hope that you consider being one of our teammates in this noble fight. [applause]