
Okay, welcome to the I Am The Cavalry track. I'm Josh Corman. Uh, first off, because BSides was the birthplace of I Am The Cavalry, I always like to say happy birthday, Cavalry, 11 years ago this year, so give yourself a round of [Applause] applause. The basic conceit back then, uh, if I get the slides working you'll see we've improved it a little bit, uh, what I said with Nick Percoco upstairs, um, 11 years ago, August 1st, was that, um, we, our dependence on connected technology was growing faster than our ability to secure it in areas affecting public safety, economic and national security. One more time. I have another dongle too, if your dongle is bad, or we can, okay, if you want we can
put your slides on. Sure. Okay, um, that was true 11 years ago. We wanted to focus on where bits and bytes meet flesh and blood. We wanted to focus on public safety, human life. Initially, you might recall, we did the, uh, Five Star Automotive Cyber Safety Framework on our first birthday to look at how cars could be safer. We wanted to pivot from an easy thing like cars, with only 20 car makers, to a much more, uh, challenging space of medical devices, 'cause there's 10,000 medical device makers of all sorts of flavors. And it was an ambitious goal that if we use empathy and teamwork and complementary skills, if we were a helping hand instead of a
pointing finger, if we, uh, try to be part of the solution and meet people where they are, identifying by nonrisk, use their love language, that maybe we'd have greater results. Now, over time, as we were embraced, what we've sort of morphed into is that through our overdependence on undependable technologies, we have created the conditions such that any accident or adversary can have a profound impact on public safety, economic, national security. So quiet yourself for today. We're going to kind of outline what today's going to look like and set the tone, but really ask yourself, whether you look at things like Change Healthcare, which is a single common dependency across most of US healthcare, something north of 75% of
hospitals had cash flow disruption for months. Most of the country's hospitals have four to six weeks of their burn rate on hand. That's about it. That's their cash reserves, and they were down for months. So short of emergency relief, um, we had severe financial strains on already strained US healthcare, where you and your family need timely access to patient care when and where you need it. So one hack. Everyone counted the dollar amount of the ransoms or the number of breached records. What you should have been paying attention to is degraded, delayed care. Uh, when we look at national critical functions across healthcare, everyone focused on HIPAA, the confidentiality of your PHI, and they forget that
there's three others we're responsible for, which is, uh, maintain access to medical records, which is how we know your chemotherapy cocktail if you need it to stay alive and stay with your loved ones. Uh, it's also how you can get approved for surgeries and other things like that. More importantly than just the access to medical records is provide medical care, timely access to care when and where you need it. And as the protracted nature of financial disruption occurs, and the workflow is broken, and billing and insurance repayment is broken, this further financially stresses hospitals to the point of closure, as we described last year, where we saw St. Margaret's in Illinois close its doors forever. And it's
not the first one to close its doors. It was one of over 200 rural hospitals to permanently close on the US footprint, but this was the first one to publicly admit that their ransom event had a contributing cause to their financial, uh, outcome. So when we look at these things, where we're not just looking at the confidentiality of the data but the ability to have access to your medical records, to provide medical care in a timely manner, or to have a hospital close enough to you to get timely access to patient care, you know, these are growing consequences. And that's a hack. Well, what about the CrowdStrike event we recently incurred? Malicious intent is not a prerequisite to harm.
That's part of our canonical from Beau, uh, reminding us that it's accidents and adversaries. So when we are over-dependent on those undependable things, we expose ourselves to these disruptions. So I want you to, like, soul search, um, and tell me if you hear any lies detected. Across these critical infrastructure sectors, lifeline critical infrastructure sectors, we are seeing more disruptions, larger disruptions, longer disruptions, and more life-safety-affecting disruptions. And the people in our communities don't call these hacks or glitches. They just feel disrupted. It disrupts patient care, it disrupts cash flow, it disrupts workflow, it disrupts flights to your own wedding. And I feel increasingly like we are failing the public. So it's not 100%
your responsibility. We have a government, we have private industry, we have the talent pool in this room and at DEF CON later this week. But I believe we have allowed the public to trust things that are untrustworthy. We made them feel like it was safe enough to connect water and wastewater facilities to the naked internet, and through this over-dependence on undependable things, we're in the state we're in. And the reason we want you to really be present and simmer and allow yourself to be comfortable in your discomfort for today and tomorrow, and we're going to outline what that looks like, is that it's about to get worse. So you don't have to believe in this as a
certainty, but we saw in January a few things. Uh, one is the top four cyber leadership figures for the US testified in unclassified briefings to Congress about their, um, detection and eviction of a campaign they refer to as Volt Typhoon. Has anyone in here not heard of Volt Typhoon? You're going to hear a lot about it today and tomorrow. Okay, so the very tiny thumbnail, to not take oxygen away from some of the other, uh, presenters, is that, uh, China's national public stated policy is they have intentions towards Taiwan as early as 2027. And part of the Volt Typhoon campaign that was shared with Congress, in hearings you can watch and probably should watch, I rewatched them again
yesterday, is you had the FBI director Christopher Wray, uh, CISA director Jen Easterly, uh, recently, uh, retired General Nakasone from NSA, and the Office of the National Cyber Director in the White House, Harry Coker, all telling Congress that they have found a campaign called Volt Typhoon in critical infrastructure, present malware that they had to evict, uh, lying in wait, not to ransom, not to shut it off for a day or two, not to, um, use as a botnet, but as what they're calling pre-positioning. It's in place as either a deterrent or on an escalatory ladder such that they could rain chaos and destruction on this infrastructure, uh, to keep the US either distracted or out of
the fight. Now, how many of you took a flight to get here? Okay, to take a little pressure off, how many of you heard the mandatory speech, in the unlikely event of a water landing, what you, you know, what you should do? Okay, so maybe this is a very low probability event, and maybe it's not 2027. Some people think we can use economic sanctions or maybe diplomacy, or maybe depend on who's in the White House on how we're going to treat something like this, or maybe if you ask Dmitri Alperovitch, I think he's saying 28, 29, so maybe you have a couple more years. But I think the thing that you should simmer with today, as an exercise, think of this
as a tabletop crisis simulation for the next two days. In the unlikely event of a conflict, it will be a hybrid conflict. And this isn't a theoretical scenario. We have found the presence and intent in stated policy, and whether it's China in 2027 as part of a hybrid conflict or sooner with Russia, we have conflicts underway in Ukraine, we have conflicts underway in the Middle East in Gaza, and had some, uh, the recent flare-ups with the assassinations in Tehran. So any one of these times we see a conflict, it could be a hybrid conflict. And what this room knows is that we are prone, we've been prey, and we've really been lucky that we
haven't had sufficient predator appetites and interest. So since we know that we have had hacks of the water we drink as early as the pandemic, the food we put on a table with things like JBS, Dole, or the talks you're going to hear later today, the oil and gas pipelines and municipalities that do last mile for power for the US, or timely access to patient care in record levels, hundreds of attacks per year, and even when they don't hit the hospitals they can hit Change Healthcare, we have seen proof of harm in the water we drink, the food we put on a table, the power for our communities, and even the healthcare we depend upon. So at RSA this year
I did a talk in a workshop called Getting Serious, as a double entendre, that things are both getting serious and it's high time that we did. Yes, the government's doing some things. Yes, they're doing some good things. Many of the things they're doing are going to take years to manifest. So I pose to you, if we are two and a half years, a little under two and a half years, from a 2027 calendar, what is the art of the possible that we could do to make sure that we're as resilient and ready as possible? What can we do left of boom? What can we do right of boom? If you want to sit through this as a
citizen whose family could be affected directly, think about what do I do for my household. And if you have a little bit more empathy and heroism in you, what can you do for your town or your county? And perhaps, if you're feeling really heroic, maybe what can you do for your state? But we've tried the top-down federal push, and there's a lot of things happening there, and they will eventually bear fruit, but we have excluded that last mile. We've excluded the owners and operators in your communities, the municipal leadership and our neighbors, and they increasingly bear the brunt when we fail. Want to try? It's, yep, okay. Okay, so let's do an exercise while he's doing this, because you don't need
to see for this. Close your eyes for a moment. I want you to picture the hospital that you take your family to. What's it called? How far away from your house is it? Once you remember the last time you were there, was it to see the birth of a child, to take a wounded family member, to say goodbye to a friend? How far away is that hospital? Okay, now I want you to picture that it's unavailable to you. Where would you go instead? Is it across town? Is it in the town next to you? You know the name? Which one's closer? Now, what if that's also owned by the same company that's ransomed? Okay, open your eyes, please. Last
year I showed a map of the US. Then, when I did a congressional task force for healthcare industry cybersecurity in 2016 and 2017, we referred to the nation's 7,000 hospitals. If you look at all the new materials from the government, we refer to the nation's 6,000 hospitals. What happened to the other thousand? Now, this isn't cyber, but US hospitals and privatized medicine, for a whole bunch of hazards, financial constraints, nursing shortages, a pandemic, lots of different reasons, private equity firm takeovers, normal mergers and acquisitions, we went from 7,000 to 6,000. I showed a map last year that was animated with over 200 rural closures. They're not just bought by somebody else. Some of them are gone forever. And we
know time is brain. We know for heart you have 4.4 minutes to see a measurable, quantifiable difference in mortality rates for heart conditions. We know for strokes it's 1 3 4 hours. Time is brain. Save life, save brains, talk again, walk again, and Christian will go through that later. So if you don't have a hospital within a couple hours' driving distance of where you live, you're increasingly likely to perish or suffer if you don't have a hospital. So out of those 200, we've been pushing pretty hard for the last year. As we were packing for Vegas this year, a report came out through Becker's: there are another 728 US hospitals at critical risk of immediate
closure, or at risk of closure. So the bottom two, you know, the most intense two risk categories. Again, not due to cyber, but it's based on their cash-on-hand reserves. So if they have four to six weeks cash on hand and a ransom could knock you out for 12 plus, that's a death sentence. They will not get back up from that punch. They will either be put out of business in your communities or weakened sufficiently to be part of an acquisition, strip-mined, with worsened outcomes, worsened care and worsened capacity. So I am not holding us accountable for a weakened, stressed US healthcare footprint. I am pointing out that we've had hundreds of ransoms per
year, and none of those hospitals should close on our watch because of what we're doing or what we're failing to do. So back to that point of being over-dependent on undependable things, I think it's time we try something new. Uh, there's a couple things I'm going to share. So today, let me start with today and tomorrow's track without visuals. Um, number one, uh, we wanted to open today to ask you to sit through a very well chosen set of talks. They're going to focus not on everything critical, not on everywhere where bits and bytes meet flesh and blood, but on four key areas. You're going to see a talk from Sick Codes and friends. He's
actually here this year, his flights made it. Um, no substitute for Casey John Ellis on Hungry Hungry Hackers, where we're going to look at some of the strategic concentration of risk and cold chain and food chain, where disruptions can have a more profound impact. So I want you to think about the food you eat. Hackers like to eat. Um, we're also going to have a talk from Dr. Christian Dameff, one of the co-founders of cybermedsummit.org, and he's going to talk about healthcare and intensive care. We've been talking, we told Congress in 2017 healthcare industry cybersecurity was in critical condition. The sector leadership intends that by 2029 to go from critical condition to
stable condition, and we said, guys, it's actually going the other way, it's getting much more dangerous. So, uh, we're going to hear from Christian about hospitals. Now, these things are interdependent. So what we came to learn through some of this disaster planning for things like Volt Typhoon is what happens when the water goes out. So at this year's CyberMed Summit in DC, we had an emergency physician and disaster scientist walk socratically the audience through, is it working? Okay, we were walking the, uh, walking the audience through, when the water goes off, what breaks in the hospital and how quickly. And let me just tell you, you'll hear a little bit more
from Christian, but no water means no hospital real fast. You can go without power for a while. You can go without food for a while. No water means no surgery, no flushing of toilets, no sanitation, no scrubbing in, no cooking of meals, no hydrating inpatients, and that's just what's in the
hospital. Okay, so I'm going to call an audible given how little time is left, and we get through two more of these for today. So you're going to have, uh, Hungry Hungry Hackers, you're going to have healthcare is in intensive care. Dean from the water sector is back, and he's going to help us understand, is it an inconvenience, how inconvenient and/or catastrophic is it if we lose water? And most of your communities have one and only one water and wastewater facility. So Dean's going to give us the perspective from the water industry itself, and he's increasingly been part of this hacker community. And then Emma is going to talk about, um, Living With
the Enemy, how much certified pre-owned infrastructure we have in municipal power. So this could be electricity, oil and gas, heat, you name it. So today is really going to simmer in what has happened in the last 12 months since we were last here on water, food, power, and urgent care, emergency care. But also I've asked each of them to say how bad could it get if you saw destructive malware, not inconvenience malware but destructive malware, hit any one of these, and also which ones upstream and downstream you depend upon. And if today kind of paints the edges of what are the elevated consequences we're facing, then tomorrow has three 2-hour blocks of uncomfortable conversations where we're
going to look through what can we do to protect our families, our communities, both left of boom and right of boom, so that we make sure that in the face of escalating disruption we start ratcheting down how disruptable we are. So I have a few closing remarks to do in a second, but do you want to do your, uh, garden thing, or? Yeah, can do it quick. Um, see, uh, all right. This, at times you may feel like this is doomsday prepper. Remember, in the unlikely event of a water landing. We hope this never happens, but there's no technical barriers to us having destructive disruption of some of these four basics. So maybe instead, so we're not talking about
doomsday preparation, but just, we want to talk about life. We want to talk about gardens. More on this is coming tomorrow, but think of a garden. Think of a victory garden. For those of you who do not have real estate upon which you can garden, and next slide, think of a community garden. We're going to try to engage with you to talk about the concept of community and what it means to work with each other toward a common goal. And next slide. And when we think about gardens, we should 100% think about water. So, um, more on this to come. There are actual tangible things that we can do today, more coming on this, to prepare
for certain unpleasant situations. So it's not panic. It's not merely pick up a hobby of gardening. Things are getting pretty serious. I talked about Maslow's hierarchy of needs a lot. There's a lot of things that we could protect and do protect, but we tend to protect the things that we can live without. And we have mess with water, with food, with oil and gas for the Eastern Seaboard, with the, uh, the municipals that run our towns and cities, the schools your children are, higher ed, federal agencies, charal national security, timely access to patient care with now proven moral consequences. We know it's starting to affect patient care, patient human life. Initially, the COVID task force that Beau and
I served on published the first statistical proof of loss of life using data science during the pandemic, from excess deaths associated with ICU strain. This inspired other publications that Christian Dameff's going to walk you through, where they saw the blast radius of an attack on UCS, excuse me, on Scripps Institute in San Diego had worsened outcomes in the hospitals who took their overflow. So the blast radius increased wait times, worsened outcomes. And then later he studied heart, uh, and other conditions that are time-sensitive to show that during a ransomware the death toll goes up. So he will explain that with the right language that I'm blowing. And then we saw, even if we can get the
hospitals right, or the communities who take the overflow right, that the financial constraint is not being down for a 6 to 12 week period, it's being down forever. This is the map I referred to, where you're starting to see every single one of those dots is a permanently closed facility. And, uh, we learned in DC from the head of the healthcare and public health sector coordinating council, Dr. Mark Jarrett, that when a hospital leaves a region, there's a corresponding 10 to 15% drop of economic stability for that region. So what starts as a care desert becomes a desert desert, as it can't sustain protection for the people who live there. And if the people who live
there are in a major hub for food production or manufacturing for our increasingly consolidated supply chains, depending on where this is in the map, this can be a worsened outcome. Then we learned that even if you do everything right, and even if you have the financial security to make sure you're not one of those dots, that a common systemically important critical infrastructure entity like Change can knock everybody down. It's a class break. So systemically important critical infrastructure has been a longstanding policy the cyberspace commission has been pushing, and nobody in the government, nobody in the private sector wanted to do it. They kept putting off their homework and hitting this snooze button. And what I
pointed out to CNN is, if we don't proactively identify our systemically important entities, and I'm hoping each of the four speakers today do so, help hint to us what these systemically important entities are, these weak links in the supply chain, maybe a dozen or so, that if they go down everybody goes down, if we don't find them proactively, our adversaries will continue to reveal them to us while we burn. So I hope we don't have war. Tomorrow, uh, we're going to have some talks from me and, um, White House ONCD midday, followed by, uh, Beau Woods and Carl to talk about wartime footings and wars, rumors of wars. Maybe we won't have one. Maybe we'll have some Volt Typhoon
activity in 2027 or beyond, this elevated threat context, but maybe we have more time. But one thing that is a deterrent for them trying is if we can get our act together on resilience. It's not just China, though, where we have conflicts in Ukraine, conflicts around Israel, Gaza, so we have Iran to contend with, Russia to contend with, North Korea's got a decent capability. And if you haven't read Ghost Fleet, now is the time to do so. I think August Cole made his book free for download. Now, you can have a global superpower, it's really well fortified, that you'd be an idiot to invade the city, but you can also take it out with
its aqueducts. So I am going to ask that people pay keen attention to water over the next two days. And we don't have a ton of time. The government's doing a lot of the right things, but it's going to take 10 years for some of those policies to matriculate. This room helped cause and pass into law the PATCH Act last year, so we have mandatory minimum cybersecurity hygiene for all medical devices. As of last spring, they have to be patchable, they have to have coordinated disclosure programs to work with helpful hackers, they have to have SBOMs, they have to have threat models. We have done a great job, and it takes 15 years plus
to rotate out all the bad stuff slowly over time. So we're doing good things, but we don't have infinite time. So think like Apollo 13. They only had a little bit of time to save those, uh, astronauts and what was on board. It's not science fiction movies with Tom Hanks, it's a real thing that really happened. Remember Y2K? It was my first job. A lot of people think it was a nothing burger. A lot of us know firsthand it was a nothing burger in part because we said, here's how long we have, here's the stuff that's too important to fail, how do we put our COBOL programmers on those things and our testers on those things? Many of
these owners and operators are what we referred to in the past as target rich, cyber poor. They can't just best practices. They can't just buy some products. They can't just take free products from Google or Microsoft, although that might be part of the solution. So think about getting your stuff off Shodan. Think about avoiding the bad practices like end-of-life, unsupported operating systems naked on the internet. Think about maybe the CIS cyber performance goals. At the talk at RSA, which I hope that you watch, David and I talked about certain, um, things that go away and smash and break. So to channel Kaminsky, who is formative to the Cavalry in the
first place, and one of his best lines was, of all the things hackers break and smash, perhaps the most important: assumptions. Maybe at your leisure talk about how, if your business or your community thinks that they're insured, they're not, or that their BCDR covers this downtime, it doesn't, or that your backups make you more resilient, make them watch the video from Idaho National Labs blowing up the diesel generator. And if you think our supply chain's resilient on paper, trust me, during the pandemic it wasn't resilient in real life. So you can watch that at a slower pace as I pivot towards the next speaker here. So let me pivot to this. Today is going to be looking at the last 12
months of increasing disruptions and asking the question, if we saw destructive malware like has been found and evicted already from things like Volt Typhoon, what would happen? And tomorrow is going to be getting really uncomfortable about what we can do about it as citizens, for our families, for our communities, on that hierarchy, because the government's doing stuff, it's just not going to manifest fast enough. And if you haven't noticed, we're about to have a bunch of elections and change of political leadership, and we're going to lose some momentum in the last 2 and a half years we have to prepare. So on the food, you're going to hear from Casey. On the water, you're going to hear from Dean.
On the municipal power, you're going to hear from Emma. On the hospitals that you need for life and death, you're going to hear from Christian. We have some other great talks today, but that footprint is not heading in the right direction, could get worse from financial constraint. And once again, for real this time, if it's not us, who is it? And we can't do it alone, so it's going to take some emergency and courage. And once again, you're the cavalry. I have an announcement to make. I hope I can do this quickly without cutting into our next speaker too much. All right, let me do the announcement here. So, um, last year I posed, we've been doing this for a decade, it's
been amazing, we've had more results than we thought we could, but what should we do for the next decade? Should we end it, transform it, combine it with other initiatives? And that's been a difficult thing to answer, especially because of some of these larger disruptions. So I have to announce today at least one opportunity for this. We're not committing the Cavalry to this without your consent, but we are hoping this strikes a chord with you. Um, today we have announced, um, I have taken the lead of a one-year pilot. Craig Newmark from Craigslist, a philanthropic donor here, has been taken by the urgency and the impact on civilians from some of the materials that we've been
working on, especially in the context of a 2027 situation. So I, let's try to do this from memory. Um, the why is we are over-dependent on undependable things, increasingly manifesting harm for average citizens. We're increasingly failing them, these accidents and adversaries, and that's mostly been accidents and financial adversaries, so heading into 2027 could get worse. So the what: we're going to focus on the nexus of water, food, emergency care and local power. The when: uh, working backwards from a ticking clock of 2027, maybe we have extra, maybe we have less. The answer becomes what is the art of the possible to identify and buy down risk. Maybe it's not shields up, maybe it's connections
down for these water facilities. Maybe it's not just do zero trust, maybe it's that we work with them on tabletop crisis simulations and we find their love languages. So the how: I'm going to take a page out of disaster science. When a hurricane's coming, you don't wonder what the public can and can't digest. There's three I's that we're going to bring to bear here with a creative arts budget. Number one is inform, number two is influence, and number three is inspire. The more consequential a thing, the more forthright we must be. You never exaggerate, and this is going to be hard for this room, you never discount or downplay. You tell them what you know, you
tell them what you don't know, in a way that they can understand. Number two, you influence their behavior. The ideal thing we think you could do to remove harm is XYZ. Failing that, here's some other best alternatives. And then the inspire is you stay in contact, you encourage that if we stay updated and we innovate and we share lessons learned, we're going to be okay. So we're going to try to take a page out of these natural disasters to help us with some of these unnatural disasters. And then lastly, um, it's not going to be technical manuals. We're going to meet them where they are, find their love language, translate and make this accessible using
for the first time a creative arts budget. So these could be explainers, these could be videos, these could be podcasts, these could be memes and World War II style pop propaganda, this could be Bar Rescue, Kitchen Confidential type methods, to do whatever works, with A/B testing, intensely for one year. Where the pilot's going to be focused is initially on the nexus between water and hospitals, because no water, no hospital. So you are not required to participate, but the working title, as we work with the creative arts agencies and find our ultimate language, is Undisrupted 27. So what is our North Star? Of course we're not going to protect every water facility and every community from every
single attacker by 2027, but when you say how do I reduce a little risk, you do certain things, but if you ask how could I make this community undisrupted, you might actually ask important things. So keep in mind that the Cavalry will continue on its own, ideally with a focus on how to best protect you, your family, your community, but we may also be able to create demand for some of these central federal resources in parallel. So with that, um, there is also, um, a WIRED article this morning from Lily Hay Newman that I'm dying to read, and, uh, I want to make sure that, uh, please suffer a small amount of discomfort for a day or two and see
where it takes you in your brain, and ask what you're willing and able to do. Maybe, you know, we can try some things this year and really scale some things next year. And when we were running the pandemic stuff, we didn't have three years to harden these vaccine supply chain targets or rubber glove targets or hospitals, we had about three months. And when you start to ask yourself what can I do in three months, the answer is nonzero, and sometimes it's really good. So necessity's the mother of invention. We have some of that now. I respect and admire each of you. Look at all we've accomplished for the first 11 years. Let's really be present with our
discomfort for the next two days. I look forward to it.