
Such a wonderful, wonderful talk. And as you were, as you were going through all of that information, I was just thinking about New Mexico Citra. I keep coming back to the Cyber Threat Response Alliance nonprofit that we're setting up. And I think what you're describing is our mission and what we want to do, which is to kind of create a volunteer firefighter effort so that these nonprofits, the smallest of the small, actually have access to people who can help them prevent and people who can help them respond and have pipeline internship kind of rotation and threat intelligence sharing and community building. So this is what the mission is from Kristen and I and Dell and Pam and
Chris Hammer. So we are definitely going to connect after this and talk about that. All right. And Eric, thank you for troubleshooting the pictures. So we think, Denise, that we need to connect your laptop to the internet so that way the internet can bring those pictures to your slides. We're gonna do that. We're gonna do that. >> We got your back. We have your back. All right. So, next up, uh, and then we're, uh, gonna go into lunch. We have one more talk, and we're going to welcome up to the stage, Jacob Welds, and he's going to talk about the impact of cyber security beyond financials. Talk about more of the human side of things. Let's go ahead and get
you connected over here, sir.
work presentation and it's like six years old and kind of dodgy. So, Hi everybody. >> How many of y'all were in here when the senator was speaking about all the financial impacts? Okay, let's put that aside for a couple minutes. Okay, we talk about money. We talk about all these billions and billions and trillions of dollars. My personal opinion, feel free to disagree with me, is that we actually don't talk much about the human impacts of cyber attacks because we get so hung up on numbers. Okay, the this many people's records were stolen. I'm going to try for it to not be a Doomfest. Uh, and I'm hoping to give you all a call to action. Um, kind of like
previous speaker there, Denise, uh, where we have a shared responsibility to protect society, not just our own individual organizations. So, who am I? My name is Jacets. I'm a senior incident responder and cyber security consultant at Easley Security. I'm here of my own on my own. I'm not representing my employer in this talk. Um, this was a talk that kind of uh came upon me after responding to a hospital. I'll get into that here a little bit and some more background that why uh why Now, um, I also have had a struggle with burnout and many of you all probably dealt with that as well. Um, and I'm going to talk a little bit about that and I actually
managed to find some, uh, studies that talk about it for our industry. I also advocate for resilient critical infrastructure. Um, I've been involved in some events around securing the power grid, uh, some stuff around election systems, things like that. So, um, I have a vested in trying to make sure that all the systems that we rely on literally for life uh are safe and secure and not impacted by cyber threats. So beyond the wallet, there's a tangible impact on lives, health, safety and livelihood every time there is a cyber attack. Uh some examples u may be a cancer patient that gets turned away for chemotherapy. If the chemotherapy is delayed, perhaps the cancer either comes
back with vengeance or never goes into remission. Um, blackouts that cause folks to not have power for heat or run water pumps. All of our water plants now are hooked into cyber systems. Banks, what happens if your bank experiences a ransomware attack? You're not able to pay rent. These are tangible actual impacts of cyber attacks. Yes, they cost money, but cyber is now a weapon of war. We have external entities. It's not just about money. There was a news article uh relatively recently where Vladimir Putin was welcoming back people arrested by the United States. It was a prisoner swap and they had been arrested for doing cyber crime, and he was welcoming them on the tarmac when they were coming
back to their country. There is no greater indicator that it is a political geopolitical tool. Cyber is a geopolitical tool than something like that. Okay? There may be no blast crater. There's no sirens. There is fear. There's harm and there's a lot of silence around what happens to the people. And then those of us that are in industry, we are on the front lines of all of this, dealing with all of this. We are internalizing other people's trauma and having to deal with that. So have a couple case studies. Some of you all be familiar with a lot of these, right? Uh so WannaCry in 2017 and healthcare uh National Health Service in
the UK had over 600 sites that were impacted. Uh 34 hospitals were locked out of their systems. Uh tens of thousands of appointments, cancer consults canceled. Uh doctors had to move back to pen and paper. Ambulances had to be diverted to other facilities. Uh there were children that couldn't have lifesaving surgeries uh because the systems weren't up for them to be able to do their imaging and everything else. And yeah, there were financial losses. You know, five to six million pounds is the number that I found, but that's trivial compared to the long-lasting human impacts of all of this. So, I want to talk about the case that actually brought me to write this call. Uh, I had
a uh call come in late in the day on a Friday. It's always on a Friday. I don't know why ransomware operators like to impact organizations on Fridays. Um, about a hospital that had experienced a ransomware attack. They were locked out of their systems. The most important system and the one that we spent hours trying to recover and get back online was a system called Pyxis. I don't know if any of you all work in healthcare. Uh Pyxis is a system that handles uh like checking out medication. So like if you ever been in a hospital and they're going to administer medication to a patient, the nurse usually has a cart that they roll around that has all the meds, the usual
meds in it and they got to use their badge to In case my wife just delivered a baby, so uh she had a wristband that had a QR code on it. So every time they administer her her payment, they scan her QR code. That was all tied to this cart. Okay. Um the central Pyxis server in this hospital was locked out. And unfortunately, I would call it probably a design flaw. There was no way to put the carts into bypass if there was no network connectivity back to that central server. Um, so normally you would, you know, if you're expecting a maintenance outage or something, you would just put the carts in bypass and there would be manual
procedures, but we couldn't do that in this instance. Um, I was on many, many, many phone calls um, that evening. Um, but probably the most poignant example was the hospital administrator asking if we needed to go on deferment because the ER could not dispense medication. So, we're talking the example used was like a heart attack patient. Heart attack patient comes in. There's certain things. I'm not a doctor. I'm not a nurse. There's certain medications that can save somebody's life if they've had a heart attack and they couldn't get them. They were locked in the carts. So, there's a major patient safety risk here. Ultimately, we formed our way out of the situation by building a minimal active
directory domain, convincing the centralized server It fortunately didn't actually get ransomed. It was just everything around it. Uh and that took roughly six hours to restore access to medication at this hospital. I'm not aware of any patients that suffered any loss of life or damage due to this, but it could have happened. There could have been people dying in the ER and there was nothing we could do about it. And this is at a rural hospital that's two hours away from the next nearest medical facility. And they already thin staff. Um, your pharmacy is your only source of medication. If you can't do the cart, uh, your pharmacy doesn't necessarily have a pharmacist there that's allowed to medication. There's a
lot of regulatory uh, weight there. They could be fined for handing out medication without tracking it properly. Case study number two, power. Some of you all are probably familiar with the Russian attacks on Ukraine. There's a really excellent uh book called Sandworm that kind of goes really deep into this case. Um we in Texas and I don't know how bad it was in New Mexico experienced our own uh blackout in the middle of winter. Not due to a cyber attack, but the Ukrainians had a cyber attack that knocked out all their power grid in the middle of winter. 225,000 people without power. And it gets a little cold in Ukraine during the winter, as you can
probably imagine. Uh, there were stories about families that were huddled under every blanket they owned. Their breath was visible inside. Um thermostats were sub freezing. Uh people resorted to burning furniture in their backyards uh to keep warm. Uh generators were running inside of apartments, which if you know anything about generators, it's a big no no. If you live in a, you know, old Soviet style block residence, where do you set up your generator, right? Um, some of the other stories were you couldn't purchase groceries because there was no power. There's no point of sales system. How do you purchase groceries? If you found yourself out of something, you can't even go to an ATM to pull out
cash. So, if you don't carry cash, you're pretty screwed, right? Uh probably the biggest threat was the impacts to water. So without power, pumps don't run. Without pumps running, there's no water. And it's not just the water that comes out of the tap. It's dealing with sewage. If the pumps don't run, your toilets eventually stop flushing. You have hospitals that have to shift patients to other areas. You have surgeries that get cancelled. uh because the hospitals are running on a generator and they need to conserve fuel. Similar instance uh that I personally have dealt with was a refinery. So this particular refinery is basically the core of a small town. I won't name the town because it would give it away. Um
but the Iranians decided to get into it. The only way the refinery knew that they've been hacked is FBI knocked on the door and said, "Hey, you've got a problem." Uh, we ran through all their systems. It took six months basically to the Iranians from this refinery. They had even gotten so far as into the operational technology networks. For those of you all that maybe haven't dealt with OT, uh OT is the are the computer systems that run valves and trigger that chemicals get added at certain times. Um there was a conversation we were having with someone at the refinery and when we told them, hey, you know, we have this system showing up in
evidence. What does that system do? And they're like, oh, that's how we control what chemicals get out of what in what, you know, part of the process in the refinery. Okay, that sounds really bad. He was like, yeah, you enter the you put the wrong chemical in at the wrong time, the refinery either lights on fire or blows up.
water. So, this is probably the one that um I worry about the most doing incident response. I've responded to water systems uh previously. Uh in this particular instance, this is a public record. Uh there was a coordinated attack to overdose chlorine in the water. Um this was in Israel. So, Iran is the attributed threat actor. Uh raised levels in the water treatment plants to 250 parts per million. That is 10 times the safe limit. Uh Israel only um didn't have a major issue with this because there was an operator at the site that noticed that pumps were cycling erratically. Uh their SCADA systems uh screens were flickering as the attacker tried to override dosing set points.
So they had to override everything in manual. But as you probably imagine, if you don't control your computer systems, how do you override everything manual? You have to have a person at every site to do this. So they had crews dispatched to remote stations to physically disconnect the programmable logic controllers and verify that the gauges that monitor all of this were not lying with them. They sent out they had to send out text alerts advising residents in the area that they could only use bottled water. They had hospitals had to go on special procedures. So a lot of hospitals have backup storage tanks for all sorts of things. Water is one of them. Um had to
go on deferment for that. Imagine the impact here in the United States. So, Israel's under attack all the time. They live with this. They're used to this. Imagine the mental impact if we had a semi-major city. What if Albuquerque's water system suddenly started dosing more chlorine into the water than what is healthy or needed? You're talking chemical burns. Um lungs that are burned because of chlorine gas. These are not hypotheticals and theoreticals. The Iranians managed to do it in Israel potentially like they they did jack up the chlorine levels. It happened. It only got noticed in time because some operator who's not even a cyber security practitioner, mind you, noticed something didn't seem right.
It could have killed people if that 250 parts per million stuck for 30 minutes, it would have killed hundreds or thousands. Would have given chemical burns, respiratory distress, and automated safeguards you can't even trust because they're all tied into the same computer systems. Talk about finance. So, how many of y'all have cash on hand? Like, let's say right now you've got cash in your wallet. Okay? How many of y'all have enough cash in your wallet to pay your rent or your mortgage? Okay. Well, go rob that guy. Uh, so this is a good example. In California, uh, Telco Credit Union in 2024 had a two-week outage of all of their online banking ATMs and branches.
500,000 credit union members were locked out of their accounts. Over a million records were stolen. But the important part is people couldn't pay rent. They couldn't buy groceries. They couldn't, you know, pay their electric bill. And do you honestly think like your giant corporation that runs the electricity cares that you can't pull money out of the bank? They're going to think you're lying, right? Does your landlord understand that your bank got compromised? Probably not. Think it's an excuse. Uh there was one lady um who posted on social media, "My paycheck is stuck in limbo. Anyone else with the telco freaking out?" Local news interviewed a single mom waiting three hours in a bank branch line just to get a $200 cashier check
just so she could buy groceries. Calls to mental health hotlines in Alameda County spiked 12% that week. So this is just a few of the industries that are critical to supporting life. They've all experienced disruption. There's collateral emotional damage. It's not just about money. There's fear, anxiety, loss of trust. My mom does not trust her phone at all because, you know, she's had issues, right? She doesn't trust computers, which is kind of funny considering what I do for a living. Her entire existence seems focused on not being tied into these systems because of things like this. And she's not the only one. There's tons of people that are deciding, oh, I don't want to be part of this system, but they're
being forced into it. Right? We have secondary victims, all of us that are in industry that are burning out having to deal with this. I don't know about y'all, but granted, I do incident response for a living, but it is constant. There is no downtime ever. There's always a new CVE that's being exploited. I don't know if you all been keeping up, but like Microsoft SharePoint had a massive one this week, right? Fortunately, I'm on maternity leave, so I don't have to deal with it. But my team does, I'm going to come back and they're all going to be dead and I'm going to be like, "Okay, well, I guess I'm doing everything now, right?" So, every cyber
security incident is a humanitarian crisis in disguise. It impacts all the employees that are part of that organization. There's a loss of trust in their systems. It impacts everybody that responds to it. And it impacts all of the customers or clients of those organizations. Digital response is real response. We don't wear helmets. We don't have sirens. Um we sure as heck don't run towards flames or gunfire. I've had an opportunity. So I'm from Kerrville, Texas. I don't know if you all been seeing the news. I've had the opportunity these past couple weeks to try and help a little bit with the response to the flooding. I'm not the sort of person that can be out on a
boat. I'm not the sort of person that honestly I'm more of a liability with a chainsaw. Um, but I can run them supplies. You know, they asked for the fire department asked for bug spray. They needed bug spray. I went down to H-E-B, which is our local big grocery store chain and bought like six cans of bug spray because they needed it because those guys were out on the river trying to recover bodies and they needed help. Okay, it's the same for us. We have people that are impacted by cyber attacks that we help, but we need help, too. We cannot allow ourselves to move from crisis to crisis and not deal with it. There are some psychological wounds.
There's burnout that happens. Um, trauma without physical scars is still trauma. Uh, if we don't help our responders, our SOC analysts, all of us in this room, our systems and people will fail. So when I started investigating, you know, whether I wanted to give this talk or not, I started looking for hard data. Surprisingly enough, there's not a lot out there. Um IBM did a study in 2022. So did Times. Um so surprises uh there on the screen. You've got 67% of security teams are reporting chronic stress. With chronic stress comes other problems. Uh ruined relationships, uh lack of sleep, poor decision making. Um 51% of responders have been prescribed mental health medications because the stress is
overwhelming and they need help. Ultimately, burnout leads to turnover and weaker defenses. We just had a whole conversation earlier today about how there's not enough of us, but we're taking the ones we do have, running them ragged, and they're burning out and they're leaving the industry. We've got to do something about this. So, my own personal story about burnout. Um, don't be like me, okay? Um, this talk was hard to put together because I'm having to I'm usually the one giving talks about like incident response things, technical things, right? I'm having I decided I would kind of try and work through my own uh issues uh by by giving this talk. My own personal story
involved a small liberal arts college uh that was hit mid-semester with ransomware. Um we had actually reached a point where we had so many cases going on that we were down to one person a case. Okay, if any of y'all have worked in in response, been around incident response, that's not really good, right? You should always have somebody else to back you up. Um but sometimes, you know, staff gets short and you don't have a choice. Uh I was working days. Uh I actually didn't leave the room I was in other than, you know, some personal hygiene stuff. Uh my wife was bringing me breakfast, lunch, and dinner uh to my desk. Um I was a sole responder. I
had no search team, no vendor help, uh leading the entire investigation with the on-site IT folks. Um and I was doing the investigation from scratch, right? Pulling all the logs, doing all the analysis, all the forensics, providing containment advice on phone calls for hours and hours. I hadn't taken a break in weeks because that's the way incident response is. You work case to case and you don't really get any downtime because there's always another threat actor that's ransom an organization. Um, finally I got to the point where I couldn't do it anymore. Um, you're working in a in a college network which is hostile by design. They just are. Everybody and their brother can join that college network. You have
students that have systems that are potentially unpatched or full of Um, and after two weeks of this, I was just done. Uh, by day 10, I was completely worn out. I had another few days before we could wrap things up. I wrapped it all up, but I felt hollow, irritable, and exhausted for weeks afterward. That ultimately led to me lashing out at friends, even my boss. Um, he saved my job and my career because he understood what was going on. He'd been through it himself. Um, had I had somebody had I not had the support network there, I probably would have cratered my career because I was just worn out. I was done. I was I was tired
of cyber security. I didn't want to do it anymore. I was happy to go back and just, you know, do systems administration or something, right? Um, ultimately what ended up happening is I got reassigned to doing advisory work instead of incident response for a few months. Um, that helped a lot. Um, but looking back on it, I'm trying to find ways that we can deal with that as an industry because you get hired to do incident response, your company wants you to do incident response. You get hired to do, you know, detection engineering, they want you to do detection engineering. So, we got to find ways around this. Um, moral of the story, a successful incident response
engagement can break the responder. Add on to that the toll on our families. Um like I mentioned, my wife just delivered a child. Um we're on our third child since I started doing incident response. Um that always on culture that happens erodes any family time. I constantly have a a phone that I'm holding on to If it rings, I got to answer it, right? Uh 90% of us are checking work during vacations. Um 32% of us, according to some of the studies, are interrupted nightly. 45% of CISOs report missing family events. That's insane. What other jobs does this happen? First responders, policeman, right? 40% are saying their job stress is hurting their family relationships.
Um my I know my wife has told me she feels secondary to the job sometimes. I've been doing a lot of work to solve that problem, but that leads to divorce. It leads to children that don't have two parents in the household. Your emotional exhaustion leads to irritability or withdrawal because you're not only dealing with your own emotions when dealing with an incident, you're dealing with the emotions of the people you're trying to help. I work with people on literally the worst day of their career and the first couple hours are pretty much just trauma dumping, right? Their entire existence is I don't know what to do. Things have gone terribly wrong. I'm going to get fired.
Yeah. And then I quoted my wife there. You're always working. Even when you're here, you're not. It's a huge problem. I've been trying to address it. Part of it addressing this and working through it uh is this presentation. Um burnout does spread. It carries on to your spouses, your children. Um the irritability causes conflict, fear, and even abuse in some cases. There were some uh studies around that. Uh two-thirds of responders have sought counseling due to job stress. Uh but more important to me is the missed bedtime stories, right? The fear of, oh, dad's phone's going to ring, so he's not going to show up at this event. And family stress is a security risk, too. If you
are not doing well at home, how do you do well on your job? So, you don't have to burn out to prove that you care. Commitment is not measured in collapse. You are allowed to set boundaries and still be excellent. Burnout is not noble. It is corrosive. If you feel like you're starting to burn out, talk to somebody about it. We need responders who can just spread and our industry needs to deal with this problem. Our mission does not require your health as collateral and unfortunately a lot of us are sacrificing our health both mental and physical to try and do our jobs. So what can I do if I'm in leadership or I make policy? We need
fund resilience and offline contingencies. Uh we need wellness and recovery time. I know that's not conducive to for-profit entities, but if you're working cases or you've had a rough couple weeks responding to a bunch of stuff, maybe you should be able to take a week off, right? We need to structure that somehow. Um, we need to have a plan for when an attack happens. I cannot tell you how many organizations I go into that didn't even have a basic in response. They didn't even know who to call. Um, and that raises stress level for everybody involved. If you're in education, we need to teach ethics, communication, stress management, not just technology. They talked about uh this morning about
philosophy. Well, right there hand in hand with ethics, right? We have to be ethical people. Um we need to also teach students that are coming in the industry that there's a human cost with all of this. It's not just technical. It's not just financial. Yes, we generally make decent money, but money isn't everything. And empathy needs to be part of our training. We need to learn how to be empathetic. If you're responder, SOC analyst, um using responder loosely here. If you help defend your organization, you do need to be able to set reasonable boundaries without guilt. If you have PTO, use it. I had 80 hours of PTO at the end of last year that I had not
used. Guess what? I'm using it. If you have a hard case, it's okay to circle up with your team and have a session about it, right? laugh about all the things that went wrong because somebody made a silly mistake. Don't make the mistake again. Any impact that leads to burnout needs to be documented. It needs to be escalated up to your chain of command so it doesn't happen again. And then make sure your team's okay. You have no idea what your teammates are dealing with whether at home or even in their job if you don't talk to them. We've gotten so disconnected where everything is remote. I don't see my team ever other than the little avatars in Slack,
right? Or on a Teams call. If you're a student, learn not the human side of cyber security, not just the technical side. The human side is also as important. Don't just get hung up on tools and tactics. Tools and tactics will pass. They will change. Learn the human side of things and you'll do okay. And if your course of study ignores even simple mental health stuff, speak up about it. And I'm not talking about, you know, learning how to be a counselor or anything like that, but learn how to be a decent human being, right? Learn how to talk to people. So my final thought on all of this is we build technical systems to be resilient
under stress, but we don't build our personnel systems to do the same for people that run them. And this is not speaking just for my company. Um, we've done a lot of work to solve this problem, but there will always be more to be done. I've been in a lot of organizations and everybody's always worried about the uptime of the system. They're never worried about the uptime of people. We need to do that. And I think we're out of time, but I'm happy to talk to folks after. >> Sure.
start over. Thank you for a wonderful presentation. I can't imagine some stress you went through technical side and on the emotional side with the recent floods. So, thanks for what you've done. As you think about the position you're in now, it seems like one of the ways to deal with stress is to get out of the situation, find another job in another company. Have you considered what criteria you would use if you search for a new opportunity away from your current role in a different organization? If I was going to go anywhere, I would go left of boom. So, I've been uh so let me back up a little bit. So, there's concept of like left of boom, right of
boom, right? Um I think it originated in, you know, explosive ordnance disposal, but basically like the right of boom is reconstructing what exploded, left of boom is preventing it from exploding. And so if I was going to pivot anywhere, it would be left of maybe some advisory or something like that. Um, unfortunately, my skill set kind of keeps me where I am. Um, I do a decent job as a responder, so therefore, you know, you double down what you do. I think my is not necessarily to get out of incident response as much as it is learning how to better cope with things and advocating for simple changes to solve some of these issues because you know if
we're short a million people everybody's going to be overworked. So this is not something we can fix overnight. It's more of a long-term strategy problem. And the whole goal of this to get you all thinking about how we solve this long term.
>> Thank you so much for that beautiful talk.
Well, it's lunch time. Lunch is served in the uh same room as breakfast. So just out of the auditorium, turn right. Uh we'll be back here, I believe, at 1:00 p.m. 1 p.m. for the next talk. And uh enjoy.