
We'll give it to Bo and Jay and Josh. Let's welcome them. Alright, thank you very much. [Applause] I'm happy to see so many people here promptly right after lunch. Usually it's chaos; today it was maybe managed chaos everywhere. Everybody managed to get here. We will, I'm sure, have some stragglers come in, so just make some room for them when they do come. This is gonna be something very different. It's gonna be an experiment for a hacker conference: we're gonna try something where we're gonna try and act like policymakers a little bit, and take our DEF CON mindset and go to DC. Has anybody run, like, a tabletop disaster recovery or business continuity in their businesses? Oh,
awesome, this is most people. It's good to see. Number one, it's good to see we've got so many people experienced. Number two, it's good to see so many organizations that are actually doing those things. That's good. We're gonna do something that's like that, that resembles it, but for, let's say, a whole of society, where a cyber crisis has broken out and it's hitting a very wide swath of society: more than just a single company, organization, something quite a bit bigger. Alright, so when we think about adversaries, we only think about the bad guys. Some of these types of people will feature in what we're doing today, and so I just want to very quickly give a
thumbnail sketch of some of the adversary classes that we may be facing in our talk. We like to break these out in distinct classes because there are distinct approaches that you might deal with each class when you go to then make a response that's beyond just a technical response. From a technical response point of view, I can use the same techniques to block any adversary that uses a certain offensive capability, but when it comes to levers of public policy, we have very, very different levers we can use. So for instance, if... let me try them back up here and see if then I don't have to take either of the echo. So in public policy,
if we want to address a Russian threat, we can pull levers of economics; we can do things like block them from using the SWIFT system or other things like that. So just a very quick thumbnail: the upper left-hand corner here, we've got what you might describe as cyber terrorists, people who just want to cause chaos, destruction, to harm a particular worldview, like, you know, the West or a free democratic society. You have activists who may be doing some form of protest against something that they don't like online, so they may be taking their activism in a more harmful direction, a more consequential direction. You've got script kiddies who don't always know the consequences of what
they're doing and may accidentally trigger some type of a mass cyber crisis. Nation-states tend to be more restrained, they tend to be more deliberate, but they can also cause a wide-scale crisis such as what we saw in Ukraine. You know, there was a particular attack, and whether it was done by a government or not, it had the effect of essentially crippling the Ukrainian economy for the better part of probably a month, actually. And then you have cyber criminals. Typically they look at: how can I make some kind of a profit, usually quick turn? This is things like ransomware, so how can I use that as a leverage point to make more money? And then the last one we've got, there's
Murphy's Law, because despite the best planning, the best preparation, anything that can go wrong will go wrong at some point. And this is some of the reasons why we started this. So we've been calling this the Cyber 9/12 series of exercises from the Atlantic Council, and we called it Cyber 9/12 because a lot of us really freaking hated that a lot of DC and others keep talking about a cyber 9/11 or a cyber Pearl Harbor, and we're like, we don't think that means what you think it means. So we said Cyber 9/12: let's take this, what we think is kind of a dumb way to talk about it, and say, well,
what happens the day after? So let's try and appropriate this and then say, alright, let's make it mean something. So something bad has happened; what do we do now? And we've done these in a lot of different ways. We'll do these at, for example, RSA, let me get people that, like, the media team is David Sanger and Ellen Nakashima and, you know, folks with Dark Reading or others that are the real media team, or do the White House team, or folks that are or currently had been from the White House. And there we do it to try and bang, like, different adversary groups, or make them think differently about what they're
going to do. This year at RSA we replayed the election, and it was amazing to see the election hacks, and it was amazing to see what the journalists thought they would do differently, what the FBI and NSA and NSC thought they would do differently. Other times we do it like this, saying, well, now let's try and get together and give some exposure to those guys. That's kind of giving the policymakers exposure to the technology, and looking at our vulnerabilities and thinking through how it might go wrong, or how someone might make it go wrong, and how does which group is doing it to you change the way that you might think about responding. And for events like this, and
like I said, this is the first time we're doing it at a real hacker conference, and so here you guys generally know the technology better, but we're doing that in part so that you can get some of the exposure to, well, how do the policymakers think about this? What are the levers beyond the technological ones, the ones and the zeroes, that we can bring to bear? And so that's what we'll be doing over the course of the next hour and a half or so. We'll give you some of this introduction about some of the ways that we think about this, just to prime you, especially if you haven't done
wargames a lot, and then we'll be breaking up into teams, and we'll have some policy people at each table with each team, and start walking through and saying, alright, here's the first scenario inject, here's the second scenario inject; what do you think we ought to do as technologists? Because we're all here technologists in general. But then also starting to say, alright, well, how would you do this differently if you were thinking about media, or if you were thinking about White House, if you were thinking about military, if you're thinking about state and local, if you're thinking about FDA? And so that's what we'll be rolling through here. Yep.
So just like the adversaries come in numbers, defenders also come in numbers: many different types, many different skill sets. So this is Josh's hated DC Universe. I picked that partially to antagonize him, because that's just fun. Well, none of them have good mustaches, so to me it's okay. That's right, it's all kind of a wash. But also partially to show the diversity of approaches. You know, some people are gonna be really, really fast, and maybe that's industry; some people are going to be really, really strong, and maybe that's government with the military; some people are gonna be really, really careful, and maybe that's civil society. So it takes all parts of society to build a response that's going
to be a comprehensive response that will optimize for each of the stakeholders, and each of them brings certain superpowers. You can play the superpowers against the supervillains, and where adversaries have certain modus operandi, you can pair up superheroes who will also have certain modes of operation to counter those adversaries. And Josh has got a couple of great talks from RSA in past years, I believe that was with David Etue, looking at this in a lot more detail, and organizational, you know, a single organization, but the same thought applies. Just like in the last session before we broke for lunch, we had a lot of people talking about a bunch of
different approaches that work within a single organization as well as more broadly across a nation or across the society, and we have the same thing that can work here. Jay, do you want to add something before we move on? You know, I just catch, you know, in your Indies, if you spend a lot of time in DC (we do so you don't have to), they talk a lot about, well, the capability and intent of the bad guys, and they never know, what can we do to change, you know, let's do cyber deterrence to change the capabilities and intent of the bad guys, and they don't think about the capability and intent of the good
guys, the people that want to help. And that's why I love I Am The Cavalry, because the Cavalry has been all about how do we focus on the capability and intent of the people that want to roll up their sleeves and help, how can we further enroll them. So thanks for being here today. So this is a stakeholder mapping of the healthcare space, and it's incomplete, because any stakeholder mapping is incomplete that's above the level of individual people, but this one captures most of the groups. So we did this as a part of something that we did called cyber med rx a couple of years ago, where we brought together all of these diverse stakeholder types and
caused them to have interactions with each other, most of them for the very first time. And the perspectives that each of them has is very, very different. If you have, for instance, a patient, they'll have a different perspective than a security researcher, and a healthcare provider, a hospital, will have a very different perspective from a medical device maker. But if you get them all together, then they can no longer work in silos; they have to work together towards a common problem. And that's one of the things that we did at that event, that's one of the things we want to do here, and we want to also simulate it within a particular domain. And this healthcare
piece is going to be particularly relevant for our scenario today. Maybe we tipped our hand what the scenario is going to be today. Maybe you might have guessed, because it was the Cavalry room, that maybe it was going to be a medical device kind of scenario, and had like a seven-minute head start on this, so guys, don't lose that advantage. And Josh, I know you've been very, very close to healthcare in the past year; if you want to say something, feel free to jump up and put your voice in. So one of the things we want to do... whoops, my autoplay is going. Oh, where am I? Okay. So one of the things we want to do is we
want to have an opportunity to give you a scenario, break up into groups, and then help solve the scenario as an individual group and then report out. This is the basic outline and flow of the scenario, and we can put this back up for you. And this is the overview and agenda, and autoplay working. This is the rough sketch of an agenda that we've outlined for today. I wanted to do an introduction, give an overview, walk through the scenario, and then get into a couple of different what we call moves along the scenario. So generally you have something that happens, and then you have new information that comes in, an escalation, a lateral movement, something like that,
that compels you to have a different response after the first response. And it's a progressively increasing series of events where you have higher fidelity of information but also new information and new events that are occurring in real time that you have to respond to. And we'll be asking... so we'll probably aim for four, maybe five groups. We've got some policy experts and others, and we'll try to seed one or two per group that can help you think about it, think about the issues, in case you don't know the policy or you don't know the medical devices. Bo and I, maybe Josh, will be floating around and help answer questions. We'll need one person
from that group that will kind of be taking notes and can report out as part of the debrief, and we'll debrief each of the groups. Then Bo, Josh, and I can be asking questions: what did you think about this? What happened? What would you do differently if it were this? Because that's what happens when you're in the policy field or when you're briefing your boss. And then we'll do the second inject, second debrief, and then a summary. Yeah. Alright, so at this point we're gonna break up into teams. So there's about six two people in the room. Jay, what do you think about five teams? Yeah, that's good. Five
teams, and we'll try and balance it so that each team has the right type of people, and we can just coalesce around these tables. This is the activity portion of the... yes, stand up. Oh, somebody's already leaving. Oh yeah, bye-bye, we'll miss you, but you make a seat available for someone else to come and enjoy, so welcome. Yeah, and LOD and if we could have maybe a couple of groups here and then one, two, three in the back, if you bring it up that way, yeah. Maybe if these couple of teams come... I mean, we're gonna kind of sit around the edge and then thank God. Alright, so welcome back. Seems like we've got our groups
formed pretty well, actually a lot more smoothly than we'd anticipated. So yeah, this is, by the way, much better than when we do this in DC and we have to make the policymakers make new friends. They're not too comfortable with that most of the time, and they're the extroverts, so I don't know what their excuse is. So thanks for participating. We've got our five groups now. One thing, by the way: we're going to be coming around and taking photos. This gracious gentleman over here in the bright pink shirt is gonna be coming around and taking your photo. If you don't want a photo taken, if you don't want to be on
the record, just flag it and say "not me". [Music] But other than that, most of this is going to be participatory within your teams. As we said, we'll give you the scenario, we'll walk through it, and then we will allow you to deliberate. We'll be available to answer questions, to give you a little bit more info if you need a little bit of coaching, to help you be a Sherpa guide through the process, or to fill in for any types of roles that might be missing on your team, or to delegate, you know, "hey, you're the media person on your team, come up with the best media response to this". So I wanted to briefly go over
what some of those roles will look like so that we're all better equipped to be able to answer those. I don't want to spend too much time on this; I just want to tee it up for you so that you know what this will look like. Then you can ask smarter questions. In the end you'll probably have someone sitting around the table who's got more expertise in one of these topics than I will, so feel free to use them as your expert witness. One of the main things that we want to get out of this is we want you to empathize and understand what a policymaker has at their disposal, the abilities that they
have, the capabilities that they have to pull certain levers of power and control that you might not otherwise ever be exposed to if you're just working in a more technical position within a single organization. And policymakers, as I found out in DC, have a great amount of power domestically as well as internationally, and learning some of the things that they can potentially do really enlightened me as I went from kind of this community into more of a public-policy-focused, into a DC crowd. Policymakers can be anyone across the board: legislators, regulators, government agencies, judicial system. That can be state, local, federal, can be all up and down the way. They all have different authorities, and
they tend to stay within their swimlanes. I don't expect you to know what those swimlanes are right now for the purposes of this. When we do this out at RSA, and we've got... so the actual poll somebody needs to go cleanliness yeah... and we've done a pretty good job of bringing in some policy people who will know the lay of the land for you, so you won't have to do too much guessing at this. The types of levers that they have, and Jay can build on any of these that I miss or butcher, is diplomatic, so you can talk to other nations, you can talk to other states. You can have an economic lever, so you can do things like shut off
the access to the SWIFT network, to the banking network; you can do things like economic sanctions. You can pull together a military response, to either move military around in a threatening gesture or actually deploy military somewhere. Law enforcement response, so you can internally and domestically task law enforcement to look at something; you can use a diplomatic lever, for instance, to ask another country to use their law enforcement mechanism. There's also a regulatory lever, which is longer-term; it tends to have effects that pay off over years rather than days. And then there's the public-private partnership, which is essentially government working closely together with industry in order to get the best out of each, is the hope and aspiration for that.
Anything else to add, doubters? Policymakers also look at, what it took, they look at different types of mechanisms that you could use those levers, and again, don't expect you to know all of these and keep them in your mind, but just to prime you for asking questions later. Things like thresholds: at what point are we at war? How do we escalate versus de-escalate a situation? How do we enforce something in a practical manner? What are the types of authorities and swimlanes that exist, and how do you use those? How comprehensive is a solution? You know, we say to patch, but does it ever really get to a hundred percent? How long are these things going
to take, and does that match the timeline in which we need to respond? And then some types of signaling or deterrence mechanisms. As we talked about in the last panel, there's probably not enough booze in Vegas in order to get past the end of the deterrence conversation. The types of organizations that exist: state, local, federal. In this particular scenario, as I mentioned, it's going to be around healthcare, so you have a specific callout here for the federal health agencies, and then the national security agencies, and I use that as a plural, not a specific NSA: like DHS, military, National Guard, National Security Council, and others. Within this we also have private sector: device makers, hospitals,
insurers, security companies. This is the industry role. Most of you work in industry, so I don't expect this to be too difficult for you to imagine. Then the media. You know, the media is essentially the voice of the public; they're the ones trying to connect and trying to engage the public, to keep them aware as well as to mobilize them for certain purposes. Alright, here's the scenario, the part you are all waiting for. The date: July 3rd, 2020. The geopolitics: we've got some tight congressional and gubernatorial races coming up. US and China are in a trade war over the One China policy. Russian influence operations have halted after different countries banded together and did economic sanctions against Russia. North
Korea is escalating its attacks against South Korean critical infrastructure. Le Pen was defeated; Merkel and May were both re-elected. There's a group called Nova nan which has sprung up; they're a hacktivist group, they're right-wing rather than left-wing, and they target international organizations, trying to destabilize the global world order as they see it. ISIS is basically stuck in Raqqa and they're not getting out; they've expanded their transnational footprint, however, and they've done a lot more on recruiting and impacting people at home. And then the Iranian nuclear deal has fallen through, unfortunately, and their cyber capabilities have greatly escalated. So, first move. Here's the scenario: it's Thursday, July 3rd, 2020, at 8:00 p.m. This is set in Phoenix, so:
"Dear Arizona hospital administration: we have helped you out by securing your unsecure passwords and patching your systems. We humbly request an honorarium of $300,000 in Bitcoin within the next four hours, or we will leave you in a worse state than we found you." So this is a message that was sent to the administration of a hospital in Arizona, signed by members of a non IT. Don't know who that group is: it may be a front group, it may be some new hacktivist group, it may be just some random group of people. The preliminary technical analysis shows multiple capabilities in the malware. There's a known default password for imaging devices, building automation, etc.; that's what it takes advantage of to get
in, so those might be some of the targets: imaging devices and building automation. It's spread through a new remote code execution flaw in Microsoft Windows, MS19-104. It disables remote administration capabilities that are common in enterprises, so you can't get back in remotely; you would have to go on foot and fix these things in person. And it patches the flaw so you can't use that to get in, and then changes the default passwords so that you can't get in through the default passwords. The analysis that we have to date, this is 45 minutes after the message came in: this is an extortionware threat, which is distinct from ransomware in that it targets an entire system or a company
rather than an individual device. They're asking for $300,000 in Bitcoin at midnight on July 4th. The affected systems seem to be, based on anecdotal evidence, building systems, workstations, electronic medical records, imaging, and maybe others. There might be others that are dormant out there waiting; we don't know about them yet, or they haven't caused a big enough problem. So the questions we have for you as groups: Who is doing this? What are they planning? What's gonna be the next steps? What are the potential impacts at a societal level, patient care in particular here? Who would take which steps, and when, of the stakeholder groups that we outlined? And then how is the media and the public responding to this?
And keep in mind the time scale in context. For the non-Americans in the crowd, July 4th is one of our biggest national holidays, and at 8 p.m. the night before that, pretty much everybody is off work, banks are shut, administration will be hard to reach because they're probably out of town. Anything to add, Jay, before we break and go to the groups? No, I think let's figure 15 minutes. 15? I think we can find it. I think we can even do 10. Let's check in at quarter till and then we'll see. Something to say: this is Josh's fifth year as a director... this is Josh's fifth year as a track director
for BSides Las Vegas, and in honor of that we have a pinning ceremony for him that we like... yeah, we have to come on up here. Thank you for your diligent service. We expect more from you in the future. Don't [ __ ] it up. Yeah, thank you for giving us space to do good work for five years. Absolutely. Five more to come. Thank you. Alright, so within our groups we're gonna talk about this scenario: what would each of the stakeholder groups likely do to respond? This will require thinking beyond just the technical response, and how do you do things that are well past that. As Jay said, we'll get back together at about quarter till, so you've got about
ten minutes to discuss amongst yourselves. We don't have the Jeopardy theme, but we can play that if we had it. Did you have a question to ask? Yeah, how big is the hospital? Good, good question. How big is the hospital, what's the budget? Let's say they're a ten-hospital group, maybe a couple of hundred beds. The budget would be enough to have two security people on staff. Is that good enough? Man, you're making me guess. No, yes, it did, you're right. So that's two full-time employees, and they've got two security staff, so I'm guessing that that's probably one percent of their revenue, so that means add two zeros to that, so thirty million in revenue, just
going off the back of the napkin. Yeah, that sounded pretty new this early we have help. So we've got, let's say we've got an analytics firm that looks at malware, and we send it off to them and we got something back from them, especially because we're doing a compressed version of this. We have a term inside, what I tell students is: don't fight the scenario. Yes. Alright, so go. If you've got individual questions we can come around and answer them. One of the things you can also outline in your response is what assumptions you've had to make, therefore what investigation and questions you would have to ask. That's perfectly acceptable. Sure, that sounds like a good
question to ask. Alright, we'll come around and we'll come back to you in about ten minutes. Yeah, about ten till. And I don't want to throw off your deliberations, but there's a small additional inject: this has started to hit the media, right while you're in the middle of your incident response, and it's started to show up on some of the national media, so please continue to think about how you're gonna respond to that. And the president just tweeted it out: "Aaron Aaron Arizona hospitals can't protect its patients. I prefer hospitals that don't get ransomed. Sad."
All right, it's time, the bell is ringing. We need a decision. We need to have a decision to be able to present on behalf of the hospital. Alright, I'll try to do that; I'm not good at it. Alright, it's time. Your hospital system has been asked to come and brief the governor on what your plan is. We need one delegate from each table to come up and brief out what you're going to do, so that the governor can take the right action, whether that's inform the media, free up cash, do other types of things. So figure out very quickly amongst your group who is going to do it; bring them up here. Well, let's do it,
let's do it out of the table let's do it uh for filming it's okay yeah I've got it all right know who's brave is to go first at that time all right we got it we got someone standing up all right [Applause] all right let's uh get the mic for me strong you want to turn the camera off or keep it on for him yeah okay or for him cut the camera thank you awesome thank you you don't have to say who you're probably which is good oh is this like anyone's job organization or anything like that but honestly four hours is a really short period of time I can put three or two thousand dollars to make that decision
so obviously at a point in time CEO legal and PR Media Relations whatever gonna call it out already can be engaged from the start definitely different couple of bridges going along at the same time before the technical bridge which will be troubleshooting the issue as well as the management response based on what's being found a couple different things to consider here victus systems are building AC elevators if AC elevators are affected I also can straight from my power and for anyone who's in a critical system or you know ICU or anything like that I'm wearing my battery backups failing because I don't know how many pen tests I've done in the past where I've actually had default credentials and I
coulda took it down to state building I'm not gonna be a mistake because any Hayson stuff but so I'm really worried about they pick the systems and taking down even the stuff that would normally be on battery backup and on generator okay EMR obviously I can't see pre-existing conditions if my EMR is down so I'm really worried about patients and getting them back on basically seeing what's going on with them imaging especially emergency imaging I think first team here team Phoenix Firebird for fireball but anyways you know same kind of thing obviously get someone you know diverting from those affected facilities from the start in order to basically limit the number of patients we have to worry about okay definitely
there, potentially others. Would I... basically I would start, just really, if I'm seeing this number of systems that are affected, there's probably a pivot point on my network in order to get to all these, where systems started to basically start doing some kind of scanning, enumeration, or something like that. That's on the technical response side, so I'm really kind of hoping I can start to track that down. The technical folks, I only got two people on the security side, really trying to leverage some of my, hopefully, admins or my desktop support people, get some kind of idea what they might be looking for in a SIEM, because, you know, people with a thirty thousand dollar budget or
thirty million dollar budget really have, like, robust SIEMs, but anyways, I'm gonna go with that and try. So definitely I look to see what the actual entry point was. At this point I may actually consider, depending on what my response is going to be, nobody... you're gonna come to the question, am I gonna actually pay or not? I'll come to that. But the question is, if I can find how they got in or what they've done, going to use those IOCs, same thing I mentioned here, at different ISAC groups and InfraGard, FBI, leverage any kind of law enforcement high-side research, okay, I may have access to, in order to see what else have they
done, where else have they compromised, because there may be a pattern with this particular actor. This actor may actually, if you pay, maybe they will give you back your records, maybe they will give you back your systems. At that point in time I'm in a much better place where I can actually leverage whether or not I recommend to my management, saying, hey, you know what, in the past, six people, or six other organizations across the country in the last 24 hours have actually paid, and guess what, they got their data back and they're back up and running. So that may be something we've got to leverage there, with the research side for
attribution: who is actually responsible for this? So will I pay? It really depends on what comes back of that high-side research or just the agree surface and the other organizations; that could be nationwide, it could be worldwide. And so the governor looks at you with the steely eyes and says, well, I had a regularly scheduled call already with Secretary Kelly at DHS and Tom Bossert, the president's Homeland Security Advisor. How bad is this gonna get? I mean, do I need to prep them for something on this? Or it sounds like you have it under control, but what do you want me to tell them? I can block off our network for our particular systems,
but our systems that we use are used in organizations throughout the state, about the nation, so I can't tell you how bad this is going to get. Chances are this will escalate, if we are... depending on where we are with how many other organizations have already been compromised using the same sort of tactics. But thank you. Alright, thanks. Okay, who's going to be the next victim? I mean, big fan of negotiating. Alex, is it gonna be you? Alright, Alex, come on up. And if we can, we've already heard a lot of really good answers, really good solutions; if you can do like a delta against that, that will help us speed up in time. So we from Team Princess
Buttercup have the following in mind. So first thing, obviously, we work on rerouting care; that's been covered. But we do a couple of other things. I think one of the first ones is we would try and immediately get power generators for air conditioning units. One of the points that was made was, it's, you know, July 3rd in Phoenix; it's incredibly hot, which threatens patient care. Patient care's the first thing that we're going to be walking through: we will be triaging different patients, not just by critical needs and rerouting them, but we would also be doing things like prioritizing which patients we should print out records for, and images, based on their criticality of condition. So it's not
just about triaging IT systems, it's about triaging patient care. As to some of the other things that we would do, you know, I mean, I think our first phone call is going to be to, you know, the trusted computing guys at Microsoft, of like, WTF, like, you know, what's going on with this? On a couple of things that we would do to be able to facilitate that: it was made earlier that, you know, common infrastructure is shared and this is a common-mode failure. You know, we would be working with our incident response teams to try and identify not just, you know, what IOCs, but trying to image the appropriate systems, take those, ship them
off to Microsoft and to others to help with the response we would also be working with our Office of General Counsel for a couple of reasons one of the first ones would be to define assuming that we have cyber liability insurance which it totally pays out we would we'd be wanting to define whether or not this is actually in or out of scope policy and that's gonna help us inform whether or not we're gonna make a payment decision because this isn't technically a loss right we're paying an extortion fee as opposed to we lost records we have to pay out on the fines that are associated with the loss of the records so we'd be checking our
cybersecurity liability insurance policies and then secondly from that I think we would also be working with other hospitals to determine whether or not this is a coordinated attack or if it's singular if it is coordinated right then if the policy for us doesn't have the ability to breach the threshold of minimum payment requirements then there's an opportunity where at least a possibility of pooling together funds amongst many hospitals who might be under the simultaneous type of attack crisis communications you know now this is delightfully hit the media you know that's probably one of the first things that we would do but we would you know try and assure patients that primary care is being satisfied but that we
can't take on any other individuals and so the message that we would we would make is not just you know we're trying to get this covered but also like you know for lack of a better term don't come here you know which which is something that well may not immediately work in our favor is still is in the best interest of primary care I think that the last thing you know that we talked about would be to try and I do some basic implementation of network segmentation for those primary or critical systems even while they're in production is to say like hey look you know we have these five really critical systems and while we know that there's
an exploitation in play we're gonna do our very best to you know gap those from the rest of the network so that may be the you know the exploit doesn't actually run and drop even though it's there you know if we can if we can you know take out the control planner communications channel we increase our chances so this would be some of the things that the governor looks at you with increasingly weary eyes he says that steely-eyed rest in our anymore he said I just heard from Senator McCain's office and because over the summer break the senator had been planning on having he's actually one of the patients at one of your hospitals right now because he
had his surgery coming up awesome how does that change and in the person that talked to me the governor said thought this might even be about the senator and not even about you does that change that change anything about what you're up yeah I think a couple of things first one I would I would just make sure that you never mind I was gonna go to the voting record but it's about uh first thing that I I think I would look at is in that situation that does change it right given the geopolitical uh you know kind of backlog that you'd given us I think a couple of things change the first one is then we can't just
assume that this is you know a generalized attack or that we've fallen victim because of any number of practices that would requires to include you know first contacting as per protocol Capitol Police Federal Bureau of Investigation some of the Intel intelligence organizations and agencies well this sounds terrible and say out loud you know having a high profile individual may actually get us more opportunity for more assistance from the federal government and and while then you know doesn't sound particularly pleasant you know there's hundreds of hospitals in our state and ours has our state senator and Sochi shouldn't you come in and help us out or even help us pay the bounty because there is you know
K&R insurance I would say that this would fall under kidnapping and ransom way better answer than I was expecting I'm going to drop this money did ask that we have a ringer on each team right yeah well I feel wrong yeah all right next up and again just do the Delta between what everybody else has said and what you guys wanted it to do so one of the things first is that we wanted to do when we're responding it's basically you know hit our phone tree Everbridge whatever you have and start making sure that patients are safe paramount above everything else once that's taken care of splitting up and getting everybody on site and splitting things up in a team
so you have your cyber team you've got your IT team you've got your media PR and your medical personnel doing I can't speak to that because I know nothing about that but I know they've got their games so they split up and they start doing their own triage is according to how they see fit at that point in time we would be getting our cyber response team we got on retainer in the air letting them know we are on July 4th at the day before July 4th at 6:00 in the evening it's there's really popular time for IR teams to be getting calls but it does happen and it's gonna happen now so that happens and least notify the FBI the the
NH Search that's twice as many as the other group and just notify local government so if things are going bad and things do happen to go down which we don't know if they're going down yet but if that does happen we need the other hospitals in the area to know that what's going on so they have to be able to you know bring in their own people maybe have to take in a higher influx of people the 911 systems have to know hey don't route anybody to this this hospital there have all these things all these uh calls have to be going elsewhere so fire needs know and police everybody needs to know what's going on so that they can respond
accordingly because they're all incident responders as well start doing a risk assessment execute our cyber insurance if we've got it or any other insurances start preparing to go to pen and paper if we have to we haven't done that yet we think it might be kind of hard to get 300k in Bitcoin and it might flag a few things when it comes down to money laundering when you're trying to get that money that fast and trying to push it out you may experience a few problems with that so we can start trying to but that might not work out so we have been prepared for that paying might still happen but at this point in time we
don't know if it's the right thing to do or even if we can do it then internally so I can speak to IR internally so segmenting the network is a good thing getting your control systems separate so anything that moves patients so if you do have to start moving patients out of it out of the hospital you can so elevators have to be running so you know isolating those PLCs although control systems from each other and then you know ICUs anything that you can take offline take offline if you can if you can't segment and then trying to save some of the data so let's say this is a really bad malware and it just
blows up everything and destroys all your evidence well evidence can't be destroyed if it's turned off so if it's got hard disks pull the power if you've got log servers they're not critical pull the power shut them down bring them down gracefully reimage them and then take care of that stuff later trying if you've got an Active Directory cluster running take part of your cluster out leave the rest up and then you can go back to that system if the rest of the system self-destructs and maybe salvage something and we can get into side-channel attacks and extracting passwords through DMA or whatever but there are ways around this and I guess we kind of have to wait to see what
comes up next and you know I guess the other thing is like really really focus on the people who are in beds and the governor looks at you with his steely and increasingly weary eyes and he asks you do you pay do you pay I honestly in a tabletop have to ask you like you know can we pay can we get 300k in Bitcoin purchased a lot of those exchanges assuming you can take care of the logistics and it's just a button push you reach the body it turns out that at the Phoenix Convention Center there's a whole distributed ledger of Convention going on and it you know they just put in the new Bitcoin ATMs that have a half
million dollar limit so you just bring your impact card down in this case you maybe you do I mean I I want to talk to the rest of my team I don't know enough about what the liability would be with this the other thing is if you pay you you're not guaranteed that bad things don't happen anyways so that's a whole philosophical discussion we don't know enough I mean apparently we know a little bit about the malware and I'm really confused about how do we know so much about the malware but I'm not gonna fight that but we do know some things if it turns out so let's say we did know that this malware is associated with a
particular bad terrorist group we might be able to leverage that for to get more help from federal agencies so if we're being targeted and we know that this money is gonna go when we contact the FBI FBI we can go oh hey so-and-so threat actors trying to get money from us you guys might want to know yeah we're about to give them $300,000 if you don't come to our help can we leverage them maybe maybe not I don't know how the FBI was gonna respond I've gone to them before and they've been like hey yeah thanks for the information tell us how it works out okay we'll have someone on site in two days we have two hours or you know just
for take as much data as you can so but
sounds like you've got so the trade-offs for your own personal decision though oh that's good yeah all right thank you all right last three all right and again just give us the the TLDR give us the Delta what would you do that's different from the other group yeah this would be a fairly short bill but a few conclusions that we've drawn based on the prints as the patch number the MS 19 tells us that the patch was released the year before and the type of vulnerability and Microsoft IP if you have a listening TCP service on the internet for instance or Microsoft machine that would most likely have been owned a long time ago so this
vulnerability would most likely have caused the most widespread worm issues ever seen so far on the internet if this is one of it it was what's real and the one additional conclusion if the idea is to close down the network and if you pay afterwards how would the attacker be able to turn off the malware from from activating you four hours later if it's if it doesn't have a network connectivity so if you seal off the networks there's no point of paying from my fourth point of view and so you will will not able you and additionally you won't be able to fix this within four hours clearly and since the since the different this spectrum of affected
systems was was so large you will have to contact vendors and ideally replace equipment which cannot be done once it's not at a time but to rather whole segmented networks together so the technical fix takes a long time to solve and you will have to relocate patients and the governor looks at you with red-rimmed eyes and silently weeps into his hands all right thank you do you I didn't I don't have a question all right great good all right okay so that was really good I liked a lot of the responses that we had I think that's exactly the type of thing that I wanted to come out of this with there were some things that
surprised me that I liked I heard a couple of new things new levels of detail especially like well yank the power on some of those things cuz then you at least preserve logs and no one can delete them but that's not the end of it sorry well back you up a little bit just by show of hands did anyone like your first instinct is alright we dip into our strategic Bitcoin reserve and we grab the $300,000 out and we just drop it like that and you know we don't even have to wake up the CEO we've already got the authorizations no one ok different kind of inch it is it's self insurance against ransomware right a lot of
hospitals actually are starting to do that you know even though the FBI tells people not to pay most of these hospitals currently are paying they do almost every time when it's $300 you just pay or granted thousand but $300 you just pay like three hundred thousand you have to do some math okay hang on we well most of them have been giving them back the SamSam era for a couple months was up to 12,000 14,000 17,000 at a whack and a lot of people weren't even in filing an insurance claim because it didn't meet the deductible they didn't want to have an insurance event oh look in this slide yes a new slide as if from nowhere
ah-ha so turns out you didn't pay and what happened the next day is the bad guys came back so the the question about whether or not paying would make the bad guys go away or unlock you or whatever well it turns about turns out they came back anyways but they didn't come after your particular organization they came after the entire area and said all right well you got backup plans for one company for one hospital system do you have backup plans for the entire region oh yeah and we also took out your EMS sorry kind of sucks for you so it's the same type of scenario but it's region-wide so now redirecting patients is not really an option it's the next
day so you haven't had time to refill the state's strategic Bitcoin reserve this the extortionware threat is now doubled and this is very interesting they said your entire region is under one extortionware threat you either pay it all and we leave you alone or you pay some portion of it up to all of it and we shut you down so less than everything is shut down and it hits EMS and 9-1-1 systems too so now you can't even get ambulances to places you have to depend on the backup plans for emergency medical systems for doing that Doug a questions this is a follow-on from the first one which systems at the one hospital that was hit the first time
no they're all shut down oh the system so the entire so you had five hospitals small hospitals in a region and those were all shut down now so that's five out of maybe sixty that offline I guess what I'm asking
running oh yeah I know that out yeah
yeah yeah so it's done your air conditioning shut off your power shut off the medical devices the EMRs are all shut down you're basically you're baking in the hot July Sun and hopefully the patients are not baking with you
don't fight the scenario I think I think Arizona switched a couple of years ago and I think it's back I think it's supposed to billion I just made that up that's on a person I can make stuff up to Trey are you in the room maybe not okay well we know people who know but the short answer is assuming civilian any other before we go into the Jeopardy song soundtrack okay no one said it's impossible for you no I said it was depleted but we can go back and we can refill more Bitcoin sure yeah that's right okay all right when will come around we'll do some of the questions individual but let's start ten minutes well we'll
figure around half past it sound good and I know we saw some other questions so we'll pop around if there's something that's relevant to it to the whole group alright ladies and gentleman thank you very much the odd all right oh wow that's annoying we're gonna go in a reverse order that we did last time just just so that since we're just we're doing the the deltas and so let's start with the group over here and who do we have okay and I gave a separate small inject to each group about who had done it and so which did we tell your group we were told that actually we were told that the government basically gave us what they
felt was a solid attribution to an organized crime group that was involved in all sorts of nasty things but had pretty much a constant track record of returning control of our systems if we paid the money on the basis of that we thought hey that's great let's pay because we'll leave the chasing of organized crime to the pros that's not really a you know hospital IT security dude's job so save all of our information save all of our logs save all the malware as much as we can enable the FBI or a NSA whoever it's gonna be going chasing after these guys and enable them the best we can cuz they've been doing a great job of enabling us so
far our previous response of letting other agencies know was great because now we were all working together anyways and once they got hit we were already working together so that's great so right now the job is just triaging everybody's problem which is keeping people alive and safe from hospitals point of view which is why we paid the malware in the first place again switch to manual on your power anything that scrap of critical infrastructure power transport medical EMS 911 sorry your phone systems are down you're squishing your cell phones there's other ways to skin this cat I can't speak to Phoenix area but I can speak to King County which is in Seattle NIMS which is
FEMA-based communication and emergency resource management group we've got something made up so that you know if you're a police department one police and let's say County goes down but states still up they all have communications set up so that people can cover for each other same things applies to anything in critical infrastructure you know highways airplanes transport medical EMS 911 all that's covered so yes well it's crappy there are systems in play to limit the damage and people know what's going on and communication channels were already in play I guess one of the things that came up beforehand was like hey well if it's malware and it can't communicate on the network it can't do
anything unless it's staged malware and that's what we were working on take a look at Stuxnet Stuxnet was introduced by it by a USB key and needed very little network communication to the outside world to work it was designed to work on an interim you know on a closed network and so yeah that's our thing pay hopefully get our stuff back and if we don't did you guys say if you paid for one in the region and see a level one trauma or for all of them well I mean if we could afford it we paid for all of them right so our interpretation of the Ritz picture in this and let us know if
this is wrong is if you imagine the region as a pie the first scenario is for a piece of the pie we lose that piece of the pie we're now looking at losing the entire rest of the pie without the ability to do any significantly different on the mitigation front in the extended period of time to which point prior to the information from Jay we were pretty much like well we need to risk paying if we can afford it because we can't change our mitigation strategy and then once Jay gives us that piece of information that's a slam dunk okay so so and you take a look at it I mean 600k okay big deal what happens if it gets out into
the into the pot you know let's say you don't pay you you take the risk or you think oh no I don't trust the trust that organized crime group I've heard they do things the past and it turns out that if you did pay you get all your stuff back but you didn't pay and somebody died was that worth $600,000 what is that gonna do do to you and your organization in the media personally from a morality standpoint I think you should pay anyway is because the loss of life isn't something you should mess with but from a reputational standpoint if you're gonna be cold hard and snake-like that that's also not a good value for you so
yeah so Suzanne brought this up we've lost the first piece of the pie even if we pay we have to do the continuity operations that we had from the first scenario for the foreseeable future while we do the long term mitigation which is going to take more than can be achieved in an hour so we still have to do the diversion of emergency response we still have to do the distribution of staff and patients other hospitals that's a price you're gonna have to pay that's you know I won't say intangible but nonspecific for an extended period of time while you remediate having lost the first piece of the pie so the big issue is because it's
the entire pie this is just the way the cookie crumbled and the proof is in the pudding because they're gonna give you they're gonna like this yes Abbey and done desserts will punch it up to DHS and HHS is anybody else really really really hungry for pie right now sweet okay Jake yeah okay all right all right all right crying Paige we're gonna try to end as close to the on time as possible bite when Dad passed and what yeah yeah yeah and what did we tell your group it was anonymous it was definitely an Army's definitely enough no not like it yes yeah Ione and they are it only gave sometimes they would unlike the system and sometimes new
whims I would it so I'm gonna try to go as quickly as possible for the sake of Josh's time um so we had essentially three priorities our first priority was patient care and at this point we assumed that we needed to essentially activate all of the hospital's contingency plans or that they already they should already have in place for other non cyber disasters so activate those contingency plans if it was this widespread our group recommended that we also call in something like FEMA and have them come in and start helping us in the in terms of transporting patients to other affected areas and generally they they might have the power generating capability that we don't have this
because we're calling in we're activating everybody's contingency plans we're calling in FEMA we're probably going to be working with HHS at that point as well so patient care being the first priority simultaneously we are also going to pay the ransom it's not just the first affected hospital chain is not going to be working with the other affected hospitals simultaneously with the the patient care of it our second priority is working with the law enforcement capability so FBI DHS we're gonna start trying to find the indicators of compromise that we can start sharing out the group pointed out that the first hospital who got hit probably has at least a little bit of a head start in terms of incident response
they were recommending that that first hospital group be sharing out what they've been doing those those so-called best practices they've been doing for remediation and do that and then our third priority was going to be the actual like secondary incident response we're trying to figure out what went wrong how to start restoring systems we need to get boots on the ground in terms of placing physical equipment identifying how to get the physical equipment our PR strategy at this point that's kind of out of the bag so we're gonna be very honest about what's happening this is either be affected hospital is what's going on we're going to be paying the ransom working to improve care working to reestablish care
as quickly as possible but at this point trying to be coy about what's going on is no longer the right strategy so great great the president just tweeted out hospitals doing their best who knew cybersecurity was so hard let's do better together mugga so all right [Music] all right very good third group team princess Buttercup I do not know what inject did you get yes so we've been notified by FBI that it's definitely a group in Russia we think that it's because Senator McCain is at one of the affected hospitals and that should ignite our outcome okay so first thing that we would do now that this is actually raised to a regional level is
we being you know some polymorphic being would do our best to work with the governor to declare a state of emergency second thing that happens under the under the state of emergency is we would activate our continuity of government plans and those also include working with the National Guard patient safety being the first thing the National Guard would have primary responsibility working and collaborating with hospitals to triage with patient care for most critical cases on down word but beyond that we would also encourage that the in the state of emergency if it is declared that we activated homeland security policy directive five and seven which allow us access to funding and that funding can be used and directed to pay
the ransom not from us in the region but rather from the federal government of the United States see now look at the super powers or policy people walk beyond that we want to coordinate with the ISPs in the region so the 9-1-1 infrastructure is very problematic in terms of its lack of availability they have what are called COLTs and COWs which is cell on wheels and whatever it doesn't matter but they have infrastructure that they can deploy in order to be able to augment the lack of 9-1-1 including that some of the other continuity of government plans include working with ham radio operators and so we would be working with hams and other people to
coordinate immediate emergency come on emergency response emergency communications and preparedness and we would be working with the ISPs in part now that this has affected a larger region both for the restoration of service for the 9-1-1 network but also for the greater dissemination of info for in you know for indicators of compromise beyond just the healthcare industry as now this is breech past just hospitals this is also 9-1-1 infrastructure Public Safety national security and we then you know I think the last things would be we'd page basically everybody with a medical license and trying to get them to do response we would cancel the fireworks for July 4th we would try and force a curfew to make sure that the least
possible people are out in public being drunk you know driving around in their cars and the hot Arizona Sun and the last recommendation that we had was to try and test and evaluate on a single system box whether or not if rolling the clock back kills the executable itself what about the rush of it I mean so the gun the governor oh steely eyes detective to me look I'm gonna be talking to the Homeland Security but I like Bossert is gonna call me on this I couldn't get it gonna call me on yes like if it looks like this is Russia what do you want me to say what can we do yeah so I is lowly hospital security IT
administrator I would say oh my god that's so cool you get to talk to the president manga but beyond beyond that um I think the first piece is if this actually is a foreign state actor right then this should augment your response and it should also augment your ability to allocate resources like funding to us the second piece would be if we don't think it's a nation state actor but we think I'd say you know subsidiary or some other organization then this should probably take us to the level at which the incident response needs to start being handled by incredibly expensive high level contractors who work with NSA and FBI and CIA which gives us resources
beyond our meager tiny budgets to work with second tier and I know we have to move on but now that we know is potentially an international conflict maybe an act of war or some sort of treaty or norms violation or Talent also should we maybe warn other states or does that get handled automatically I thought the HSI SEC just do that automatically yeah no we should work with other states big both American states but also potentially other state actors European Union and other organizations wherever this common-mode failure resolves itself in consort with the also frustrations of the Russian government that's that's the Union we should be and I think this would stymie me and in
general it would help but also and I think this and to some degree the next group it also it might hurt a little bit because it might get you more resources but also now there's gonna be a whole DC interagency process that start to bringing in of having these people say hundreds and thousands of people are not gonna be saying what do we do about this and they might be getting involved in that kind of calming involved in that kind kind of kind of conversation nobody's a national holiday and that's your stance no yeah I know this is this would be all right great um I think we're good all right yeah all right all
right next group who's gonna speak for you alright so we had a couple different okay and and so what inject did we give what did we tell your group is the they said we were screwed no uh but the real one was that this is where it kind of changed our thinking on this one potentially because we were thinking of paying the ransom but then we were told that it was actually the group that is asking for the ransom it doesn't exist it's actually if anything is being tied to a terrorist organization and there's also mention of a physical kinetic component that may be associated with this in the area so definitely changes the playing field here which just if I
can jump in real quick what does the physical walk us through what that looks like the physical kinetic component what does that mean to a state level like is that gonna mean dead people is that could mean how does that change your scenario drastically so it's been this has been in TV media like you know simulated in fiction for a bit here is how do you get the most death you basically you cut down the incident for the emergency response services and then you after that then you cause your kinetic or your your explosion your physical so hit master hit master general and then do you boss a marathon bombing then you can't respond so and you I believe it
was actually Josh you talked about it earlier this week with the the Boston Marathon and the actual direct correlation with the extra three minutes to four minutes of commute time that it takes to go around the roads that are closed that people have cardiac issues in the ambulance actually the the mortality rate is actually higher now imagine when you having not only you're having a at least one potential bomb going off in an area now you've also taken out all the emergency response services in that same area you're talking mass casualties I mean I would think if it's done right I mean how to do it right but that's because and more and more over the objector could figure
out in their respective areas what they would have to do wouldn't take too much to so as far as the money goes I won one real quick thing if you did it like at a baseball game how many baseball games are gonna be attended the rest of the year I like baseball so I would hate to see that happen okay well I figured movie it was but I was the Kingdom or whatever but they basically had explosion and right in the big area and we basically drew all of the emergency response services in them the detonators boilers I think that was deep impact but generally well I had a deep impact because there's actually the ground anyway but anyways it's this
kind of scenario of you know destroying emergency services and causing bigger issues is not new but I definitely government's involved governor ISACs obviously this is escalated up well past us some people won't bring a FEMA in which is great because after the bombs go off in Phoenix we'll need them by the time you actually finally gets there I don't know if anybody actually lived around where Katrina hit how how fast did FEMA get there was my father all lives down there and I got a good idea how fast was that superfast so I'm just saying that for our timeframe whatever that's not gonna happen to get that kind of response you make a special guard to
move some people getting out of hospitals again continue care but the federal response which will have to be involved because of the yeah turns aspects I mean and if you're gonna get FEMA then it's gonna require the governor to declare a state of emergency so that he can get do you think you're at this place now if it's a reputable threat coming through intelligence sources based on would be only identified malware indicators and the sender's you know everything that's been related then yeah I think it's worth getting the governor declared a state of emergency for the region I think we've decided based on the terrorist terroristic threat okay you without the terrorist threat yes well okay yeah just
because we can't take emergency services, and Hiroshima was two or three. It's mentioned about the canceling the fireworks, same thing. Yeah, right, what's the last thing you want to do is set off explosions. Okay, great, thank you. Yeah, so we had a few other ideas that we had been talking about. I thank the applause. Sorry, we're taking back the applause. One of them was sending non-critical patients home if possible, or to any nearby building facility, see who has the middle of July in Phoenix is not gonna survive. In addition, potentially shutting down traffic in order to clear the roads for emergency services, along with asking the security guys if they know when this exploit was happened, restoring logs
and backups that predate that in order to have some functionality of medical records. Okay, once again. All right, I keep fine, uh, oh yeah, thank the camera for this. About 12 minutes left before we gonna break. We're gonna be about 10 minutes late to the happy hour. Forget to turn on. How many arty people does it take to work? Alright, alright, so we're security people, we're not supposed to be that happy, so we can delay happy hour. What we gonna do next? Oh, just kind of summer I get it into Gary. You thought, I mean, one of the things we do when these, if you focus on how, what you do in the immediate term,
but if you think about what would the conditions that allowed this to happen, you know, one of the phrases we like to use is: we, through our over-dependence on undependable IT, we have created the conditions such that any outlier can have a profound impact on public safety, human life. Are there any policy things that could have made these systems less fragile and resilient? Just, did we reveal any bottlenecks, that even if the EHR systems are out for your hospital, moving them to another building or having National Guard still doesn't get you access to those things? So is there any strategic wisdom gleaned from these that could make us more resilient were this to happen? Because it should concern
everybody in this room that using default passwords, nothing super elite here, very realistically could have a pretty profound impact on your system.
That's right. So I'm kickin come up, which is not surprising, but it's, you know, you're in the Beltway. What's the NCCIC? The National Cybersecurity and Communications Integration Center. It's the DHS lead, supposed to be the nationwide kind of nexus for dealing with these issues, and you know, people said, well, we call the FBI, we call DHS, which isn't really NCCIC, etc. Anyway, the other thing that it seemed clear to me is the biggest problem was learning how to scale assistance quickly, and something pops to my mind is Michigan has something called the Michigan Cyber Civilian Corps. There has to be a better way to get volunteers involved much more quickly. There's just, in four hours, ten hours, 24
hours, I mean, FEMA, FBI, DHS, CERT, all those people, they're not gonna get there in time. There, we have to have a better way to reach out to the volunteers very quickly. Which, anybody else comfortable with how easy it was to do this much damage? So [Laughter]
It's easier for the bad guys to get scale of multiple hospitals than it is for the good guys to get scale of most of it. Yeah, and show me some of the things that occurred to me as we've gone through this. I, you know, 'cause there's a lot of ideas that I hadn't quite heard before that we were coming out, right. You know, tonight it was nice to hear where there's the commonalities and it was nice to hear where there were the differences. I'm certainly, when we're starting to look at public policy, right, in the first side it doesn't necessarily surprise me, the only single hospitals, they didn't call NCCIC or DHS. In the
second side you can certainly imagine in that, and on the policy side, right, there's so much that can happen if the governor declares the emergency, right, because then that just unlocks a whole bunch of stuff in Washington DC. That's a, you know, in your own incident response teams you've got those thresholds that pop up. In the US, if it's a declared emergency then a whole bunch of things happen within DHS, within FEMA, within the White House, the Homeland Security Council, where they say, we know what to do, we got these channels, and things just happen a lot easier, and it unlocks a lot of money and a lot of capability. If that doesn't happen, then none of that,
then all of that stuff more or less stays locked up. There's still other things they can do, like send an away team or things like that, but you can get a lot more otherwise. So think that in mind, I mean, those are those things that can happen in policy. As technologists we tend to have agility, subject-matter expertise, and we have our hands deep in the networks and systems, right. The governor and the government isn't going to be able to do that. In general, the government brings a massive amount of resources that gives them a lot of staying power to stay on the problem for a long time, and they have other authorities, right, when, if it's
Russia, if it's terrorists, if it even it's organized crime, they can kick in doors, they can stab people, they can do diplomatic demarches, they can do things that I assume your hospital doesn't, you know, doesn't do quite so much of. And so you were going to be thinking, but it's going to take them a long time to get there. And so in the first sign it doesn't surprise me it didn't come up. In the second, just start thinking about those leverages. We didn't talk much about Congress, and saying, what, yeah, right, but it's one of those things, right, especially in the second one, say, hey, we
might have to do this, 'cause, you know, the congressman, your Congress, especially on the representative side, might be able to come in and say we needed some extra money or this kind of thing is happening, and they might be able to get things happening, especially because the representatives are gonna be home for the Fourth of July weekend. Do you have a, jump in. So many state laws, actually state codes, enumerate the circumstances under which the government can declare an emergency and activate the National Guard. It often does not include cyber-related emergencies. New Mexico just amended its law to include that, I think North Dakota did too, and just something to keep in mind that I
think if it got to this point, right or not, but it's, you know, states are thinking that US and theirs trying to and should be thinking, right, as you're thinking about, can we get more money, what else can we do. The policy folks might be asking you questions that Embree that's dumb, right, I mean, and so a lot of, but that's going to tie the hands of the policymakers, and so you can work with some of those folks, the state legislators, the state representatives in DC, and they can help get some of those things in. Are these folks with power that it was political power can make some of these things
happen. Did you mark, thanks for mentioning that. That was, I had this question rattling around in my head concerning whether or not governor would actually declare a state of emergency before, you know, that hammer had dropped, where the other, the rest of the hospitals were basically taken out. You know, I just don't know. There's so many factors that would play into this threat that has not yet been realized, whether or not they'd be willing, and then secondly be able, to take that additional step to deploy, spend money and deploy resources. But, and a lot of it is, you know, when I hear a lot of, you know, colleagues and Twitter and the rest of people saying attribution doesn't matter,
as technologists you just defend yourself, you do what you need to, but I mean, you could see it makes a difference in the kinds of things that, it changes your policy or changes your response space. It can have that big influence depending on who might be responsible. I agree, but in most cases attribution of any worth is way beyond the hospital's resources. I mean, that's, it's interesting to you that that comes at a certain level of escalation, and if you haven't, it's great information to work on, but I think pretty much everyone in the first scenario was like, we don't know who it is, we don't care, we have to react. So, and then, and that's how we try to
scale it. And we're starting to run out of time. I'm just gonna give one of my last observations, and that, right, these things are relatively easy to do. If you're not doing these kinds of things, I mean, they're pretty easy to put together and do, even with just your own team, because the bad guys have a lot of stuff that advanced them, but we can do more on to be agile, right, I mean, and just running through some of these practices and saying, well, what if it went like this, what if it went like that. I was really pleased to hear how many of you all had done this, can't, you know, tabletops and the rest,
and we hope that this encourages you to do more. We had no idea how this is gonna work. We hadn't done it quite in this fashion, and these things, when they go bad, they tend to go bad easily, I mean, they go bad smoothly, right, they fail gracefully if they get at all. This went really well. So, and, well, we might not have said this: if you were here yesterday, see the video of the clinical hacking simulations we did in the ER. That was day one. This essentially was day two, and we had a lot more medical professionals, state, local, regional officials in the room, so they did have a state-level FEMA-type response we didn't know about, and
there's other levers they can pull, and when they're holding a hammer everything looks like a nail. But one of the things we really wanted to bring to the National Governors Association, for example, or even a Congress, and we recommend it in a health care task force report, is: since many of the corrective actions for better defensible IT in the hospitals will take 10-15 years, one thing we can do right now is maybe a fifty-state initiative, a lot more tabletop simulations, a lot more disaster planning. We do it for other things, we haven't yet done it for cyber. So if you agree, please amplify those kind of things. Yeah, and one of the things that
we've learned as we've run through some of these things, with particularly a bunch of students and with Jay at Columbia, is there's a number of things we could implement today if we can just get the will of policymakers and administration and of companies and of others to actually, you know, push that button or make that decision. And so part of what these exercises do is they reveal those really easy things that could prevent entire classes of bad things from happening, where even if it's a five-year time scale, if we see the bad effects of not doing this after year three of being prepared, then we're only two years from the fix, and we have a
different set of solutions on the table than if we're starting from zero on, at cyber nine, the drink for that later, I'm sure. And if you aren't sick of hearing it yet, and you just experienced this, the whole idea of getting in front of this for simulations through cross-pollination: look how many voices there are in this chorus, and look how many ideas came up because they had different experiences than you did. The idea of safer, sooner, together, you just had a taste of it, and that's why I'm so committed to this mission, and I hope you are too. And one last pitch: so we've been talking about the Cyber 9/12,
where there's a student challenge version of this, where we bring college students, undergrad and graduate, together. So the main event's in DC, usually around April. We also hold a smaller event in New York that we hold at Columbia. We've got them, we did on Phoenix, might be one in Sydney, might do one in London, do one in Geneva. Oh, it's great to see the students come together and work through the summer, comp sci students and public policy students, of all sorts of backgrounds. So if you've got school-aged kids, or if you're involved with university programs, keep an eye out for those. Those who run through the Atlantic Council,
through the three of us and then a few others, and please try and encourage those, and try and come by and judge if you can, because we do need talented judges for those. I think that's all. Right, you're supposed to go to happy hour, but come back here for a congressional testimony, and you can even be a congressperson asking this guy really hard questions. Great, thank you. Thanks for all your, no, thank you. [Applause]